mirror of
https://github.com/kata-containers/kata-containers.git
synced 2025-08-01 07:47:15 +00:00
Merge pull request #10433 from mkulke/mkulke/add-provenance-attestation-for-agent-builds
ci: add provenance attestation for agent artifact
This commit is contained in:
commit
9a33a3413b
@ -24,6 +24,11 @@ on:
|
||||
jobs:
|
||||
build-asset:
|
||||
runs-on: ubuntu-22.04
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
id-token: write
|
||||
attestations: write
|
||||
strategy:
|
||||
matrix:
|
||||
asset:
|
||||
@ -83,11 +88,16 @@ jobs:
|
||||
TARGET_BRANCH: ${{ inputs.target-branch }}
|
||||
|
||||
- name: Build ${{ matrix.asset }}
|
||||
id: build
|
||||
run: |
|
||||
make "${KATA_ASSET}-tarball"
|
||||
build_dir=$(readlink -f build)
|
||||
# store-artifact does not work with symlink
|
||||
mkdir -p kata-build && cp "${build_dir}"/kata-static-${KATA_ASSET}*.tar.* kata-build/.
|
||||
# export oci name and digest for attestation
|
||||
oci_image="$(<"${build_dir}/${KATA_ASSET}-oci-image")"
|
||||
echo "oci-name=${oci_image%@*}" >> $GITHUB_OUTPUT
|
||||
echo "oci-digest=${oci_image#*@}" >> $GITHUB_OUTPUT
|
||||
env:
|
||||
KATA_ASSET: ${{ matrix.asset }}
|
||||
TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
|
||||
@ -98,6 +108,26 @@ jobs:
|
||||
TARGET_BRANCH: ${{ inputs.target-branch }}
|
||||
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
|
||||
|
||||
- uses: oras-project/setup-oras@v1
|
||||
if: (matrix.asset == 'agent') && (inputs.push-to-registry == 'yes')
|
||||
with:
|
||||
version: "1.2.0"
|
||||
|
||||
# for pushing attestations to the registry
|
||||
- uses: docker/login-action@v3
|
||||
if: (matrix.asset == 'agent') && (inputs.push-to-registry == 'yes')
|
||||
with:
|
||||
registry: ghcr.io
|
||||
username: ${{ github.actor }}
|
||||
password: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
||||
- uses: actions/attest-build-provenance@v1
|
||||
if: (matrix.asset == 'agent') && (inputs.push-to-registry == 'yes')
|
||||
with:
|
||||
subject-name: ${{ steps.build.outputs.oci-name }}
|
||||
subject-digest: ${{ steps.build.outputs.oci-digest }}
|
||||
push-to-registry: true
|
||||
|
||||
- name: store-artifact ${{ matrix.asset }}
|
||||
if: ${{ matrix.stage != 'release' || (matrix.asset != 'agent' && matrix.asset != 'coco-guest-components' && matrix.asset != 'pause-image') }}
|
||||
uses: actions/upload-artifact@v4
|
||||
|
@ -24,6 +24,11 @@ on:
|
||||
jobs:
|
||||
build-asset:
|
||||
runs-on: s390x
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
id-token: write
|
||||
attestations: write
|
||||
strategy:
|
||||
matrix:
|
||||
asset:
|
||||
@ -60,11 +65,16 @@ jobs:
|
||||
TARGET_BRANCH: ${{ inputs.target-branch }}
|
||||
|
||||
- name: Build ${{ matrix.asset }}
|
||||
id: build
|
||||
run: |
|
||||
make "${KATA_ASSET}-tarball"
|
||||
build_dir=$(readlink -f build)
|
||||
# store-artifact does not work with symlink
|
||||
mkdir -p kata-build && cp "${build_dir}"/kata-static-${KATA_ASSET}*.tar.* kata-build/.
|
||||
# export oci name and digest for attestation
|
||||
oci_image="$(<"${build_dir}/${KATA_ASSET}-oci-image")"
|
||||
echo "oci-name=${oci_image%@*}" >> $GITHUB_OUTPUT
|
||||
echo "oci-digest=${oci_image#*@}" >> $GITHUB_OUTPUT
|
||||
env:
|
||||
KATA_ASSET: ${{ matrix.asset }}
|
||||
TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
|
||||
@ -75,6 +85,21 @@ jobs:
|
||||
TARGET_BRANCH: ${{ inputs.target-branch }}
|
||||
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
|
||||
|
||||
# for pushing attestations to the registry
|
||||
- uses: docker/login-action@v3
|
||||
if: (matrix.asset == 'agent') && (inputs.push-to-registry == 'yes')
|
||||
with:
|
||||
registry: ghcr.io
|
||||
username: ${{ github.actor }}
|
||||
password: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
||||
- uses: actions/attest-build-provenance@v1
|
||||
if: (matrix.asset == 'agent') && (inputs.push-to-registry == 'yes')
|
||||
with:
|
||||
subject-name: ${{ steps.build.outputs.oci-name }}
|
||||
subject-digest: ${{ steps.build.outputs.oci-digest }}
|
||||
push-to-registry: true
|
||||
|
||||
- name: store-artifact ${{ matrix.asset }}
|
||||
if: ${{ inputs.stage != 'release' || (matrix.asset != 'agent' && matrix.asset != 'coco-guest-components' && matrix.asset != 'pause-image') }}
|
||||
uses: actions/upload-artifact@v4
|
||||
|
@ -1173,51 +1173,48 @@ handle_build() {
|
||||
|
||||
echo "Pushing ${build_target} with tags: ${tags[*]}"
|
||||
|
||||
normalized_tags=""
|
||||
for tag in "${tags[@]}"; do
|
||||
# tags can only contain lowercase and uppercase letters, digits, underscores, periods, and hyphens
|
||||
# and limited to 128 characters, so filter out non-printable characers, replace invalid printable
|
||||
# characters with underscode and trim down to leave enough space for the arch suffix
|
||||
tag_length_limit=$(expr 128 - $(echo "-$(uname -m)" | wc -c))
|
||||
tag=("$(echo ${tag} | tr -dc '[:print:]' | tr -c '[a-zA-Z0-9\_\.\-]' _ | head -c ${tag_length_limit})-$(uname -m)")
|
||||
case ${build_target} in
|
||||
kernel-nvidia-gpu)
|
||||
oras push \
|
||||
${ARTEFACT_REGISTRY}/kata-containers/cached-artefacts/${build_target}:${tag} \
|
||||
${final_tarball_name} \
|
||||
"kata-static-${build_target}-headers.tar.xz" \
|
||||
${build_target}-version \
|
||||
${build_target}-builder-image-version \
|
||||
${build_target}-sha256sum
|
||||
;;
|
||||
kernel-nvidia-gpu-confidential)
|
||||
oras push \
|
||||
${ARTEFACT_REGISTRY}/${ARTEFACT_REPOSITORY}/cached-artefacts/${build_target}:${tag} \
|
||||
${final_tarball_name} \
|
||||
"kata-static-${build_target}-modules.tar.xz" \
|
||||
"kata-static-${build_target}-headers.tar.xz" \
|
||||
${build_target}-version \
|
||||
${build_target}-builder-image-version \
|
||||
${build_target}-sha256sum
|
||||
;;
|
||||
kernel*-confidential)
|
||||
oras push \
|
||||
${ARTEFACT_REGISTRY}/${ARTEFACT_REPOSITORY}/cached-artefacts/${build_target}:${tag} \
|
||||
${final_tarball_name} \
|
||||
"kata-static-${build_target}-modules.tar.xz" \
|
||||
${build_target}-version \
|
||||
${build_target}-builder-image-version \
|
||||
${build_target}-sha256sum
|
||||
;;
|
||||
*)
|
||||
oras push \
|
||||
${ARTEFACT_REGISTRY}/${ARTEFACT_REPOSITORY}/cached-artefacts/${build_target}:${tag} \
|
||||
${final_tarball_name} \
|
||||
${build_target}-version \
|
||||
${build_target}-builder-image-version \
|
||||
${build_target}-sha256sum
|
||||
;;
|
||||
esac
|
||||
tag_length_limit="$(expr 128 - $(echo "-$(uname -m)" | wc -c))"
|
||||
normalized_tag="$(echo "${tag}" \
|
||||
| tr -dc '[:print:]' \
|
||||
| tr -c '[a-zA-Z0-9\_\.\-]' _ \
|
||||
| head -c "${tag_length_limit}" \
|
||||
)-$(uname -m)"
|
||||
normalized_tags="${normalized_tags},${normalized_tag}"
|
||||
done
|
||||
declare -a files_to_push=(
|
||||
"${final_tarball_name}"
|
||||
"${build_target}-version"
|
||||
"${build_target}-builder-image-version"
|
||||
"${build_target}-sha256sum"
|
||||
)
|
||||
oci_image="${ARTEFACT_REGISTRY}/${ARTEFACT_REPOSITORY}/cached-artefacts/${build_target}:${normalized_tags}"
|
||||
case ${build_target} in
|
||||
kernel-nvidia-gpu)
|
||||
files_to_push+=(
|
||||
"kata-static-${build_target}-headers.tar.xz"
|
||||
)
|
||||
;;
|
||||
kernel-nvidia-gpu-confidential)
|
||||
files_to_push+=(
|
||||
"kata-static-${build_target}-modules.tar.xz"
|
||||
"kata-static-${build_target}-headers.tar.xz"
|
||||
)
|
||||
;;
|
||||
kernel*-confidential)
|
||||
files_to_push+=(
|
||||
"kata-static-${build_target}-modules.tar.xz"
|
||||
)
|
||||
;;
|
||||
*)
|
||||
;;
|
||||
esac
|
||||
oci_sha="$(oras push "${oci_image}" "${files_to_push[@]}" --format go-template='{{.reference}}' --no-tty)"
|
||||
echo "${oci_sha}" > "${build_target}-oci-image"
|
||||
oras logout "${ARTEFACT_REGISTRY}"
|
||||
fi
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user