Merge pull request #10433 from mkulke/mkulke/add-provenance-attestation-for-agent-builds

ci: add provenance attestation for agent artifact
This commit is contained in:
Magnus Kulke 2024-10-18 15:00:18 +02:00 committed by GitHub
commit 9a33a3413b
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 92 additions and 40 deletions

View File

@ -24,6 +24,11 @@ on:
jobs:
build-asset:
runs-on: ubuntu-22.04
permissions:
contents: read
packages: write
id-token: write
attestations: write
strategy:
matrix:
asset:
@ -83,11 +88,16 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: Build ${{ matrix.asset }}
id: build
run: |
make "${KATA_ASSET}-tarball"
build_dir=$(readlink -f build)
# store-artifact does not work with symlink
mkdir -p kata-build && cp "${build_dir}"/kata-static-${KATA_ASSET}*.tar.* kata-build/.
# export oci name and digest for attestation
oci_image="$(<"${build_dir}/${KATA_ASSET}-oci-image")"
echo "oci-name=${oci_image%@*}" >> $GITHUB_OUTPUT
echo "oci-digest=${oci_image#*@}" >> $GITHUB_OUTPUT
env:
KATA_ASSET: ${{ matrix.asset }}
TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
@ -98,6 +108,26 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }}
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
- uses: oras-project/setup-oras@v1
if: (matrix.asset == 'agent') && (inputs.push-to-registry == 'yes')
with:
version: "1.2.0"
# for pushing attestations to the registry
- uses: docker/login-action@v3
if: (matrix.asset == 'agent') && (inputs.push-to-registry == 'yes')
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- uses: actions/attest-build-provenance@v1
if: (matrix.asset == 'agent') && (inputs.push-to-registry == 'yes')
with:
subject-name: ${{ steps.build.outputs.oci-name }}
subject-digest: ${{ steps.build.outputs.oci-digest }}
push-to-registry: true
- name: store-artifact ${{ matrix.asset }}
if: ${{ matrix.stage != 'release' || (matrix.asset != 'agent' && matrix.asset != 'coco-guest-components' && matrix.asset != 'pause-image') }}
uses: actions/upload-artifact@v4

View File

@ -24,6 +24,11 @@ on:
jobs:
build-asset:
runs-on: s390x
permissions:
contents: read
packages: write
id-token: write
attestations: write
strategy:
matrix:
asset:
@ -60,11 +65,16 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }}
- name: Build ${{ matrix.asset }}
id: build
run: |
make "${KATA_ASSET}-tarball"
build_dir=$(readlink -f build)
# store-artifact does not work with symlink
mkdir -p kata-build && cp "${build_dir}"/kata-static-${KATA_ASSET}*.tar.* kata-build/.
# export oci name and digest for attestation
oci_image="$(<"${build_dir}/${KATA_ASSET}-oci-image")"
echo "oci-name=${oci_image%@*}" >> $GITHUB_OUTPUT
echo "oci-digest=${oci_image#*@}" >> $GITHUB_OUTPUT
env:
KATA_ASSET: ${{ matrix.asset }}
TAR_OUTPUT: ${{ matrix.asset }}.tar.gz
@ -75,6 +85,21 @@ jobs:
TARGET_BRANCH: ${{ inputs.target-branch }}
RELEASE: ${{ inputs.stage == 'release' && 'yes' || 'no' }}
# for pushing attestations to the registry
- uses: docker/login-action@v3
if: (matrix.asset == 'agent') && (inputs.push-to-registry == 'yes')
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- uses: actions/attest-build-provenance@v1
if: (matrix.asset == 'agent') && (inputs.push-to-registry == 'yes')
with:
subject-name: ${{ steps.build.outputs.oci-name }}
subject-digest: ${{ steps.build.outputs.oci-digest }}
push-to-registry: true
- name: store-artifact ${{ matrix.asset }}
if: ${{ inputs.stage != 'release' || (matrix.asset != 'agent' && matrix.asset != 'coco-guest-components' && matrix.asset != 'pause-image') }}
uses: actions/upload-artifact@v4

View File

@ -1173,51 +1173,48 @@ handle_build() {
echo "Pushing ${build_target} with tags: ${tags[*]}"
normalized_tags=""
for tag in "${tags[@]}"; do
# tags can only contain lowercase and uppercase letters, digits, underscores, periods, and hyphens
# and limited to 128 characters, so filter out non-printable characers, replace invalid printable
# characters with underscode and trim down to leave enough space for the arch suffix
tag_length_limit=$(expr 128 - $(echo "-$(uname -m)" | wc -c))
tag=("$(echo ${tag} | tr -dc '[:print:]' | tr -c '[a-zA-Z0-9\_\.\-]' _ | head -c ${tag_length_limit})-$(uname -m)")
case ${build_target} in
kernel-nvidia-gpu)
oras push \
${ARTEFACT_REGISTRY}/kata-containers/cached-artefacts/${build_target}:${tag} \
${final_tarball_name} \
"kata-static-${build_target}-headers.tar.xz" \
${build_target}-version \
${build_target}-builder-image-version \
${build_target}-sha256sum
;;
kernel-nvidia-gpu-confidential)
oras push \
${ARTEFACT_REGISTRY}/${ARTEFACT_REPOSITORY}/cached-artefacts/${build_target}:${tag} \
${final_tarball_name} \
"kata-static-${build_target}-modules.tar.xz" \
"kata-static-${build_target}-headers.tar.xz" \
${build_target}-version \
${build_target}-builder-image-version \
${build_target}-sha256sum
;;
kernel*-confidential)
oras push \
${ARTEFACT_REGISTRY}/${ARTEFACT_REPOSITORY}/cached-artefacts/${build_target}:${tag} \
${final_tarball_name} \
"kata-static-${build_target}-modules.tar.xz" \
${build_target}-version \
${build_target}-builder-image-version \
${build_target}-sha256sum
;;
*)
oras push \
${ARTEFACT_REGISTRY}/${ARTEFACT_REPOSITORY}/cached-artefacts/${build_target}:${tag} \
${final_tarball_name} \
${build_target}-version \
${build_target}-builder-image-version \
${build_target}-sha256sum
;;
esac
tag_length_limit="$(expr 128 - $(echo "-$(uname -m)" | wc -c))"
normalized_tag="$(echo "${tag}" \
| tr -dc '[:print:]' \
| tr -c '[a-zA-Z0-9\_\.\-]' _ \
| head -c "${tag_length_limit}" \
)-$(uname -m)"
normalized_tags="${normalized_tags},${normalized_tag}"
done
declare -a files_to_push=(
"${final_tarball_name}"
"${build_target}-version"
"${build_target}-builder-image-version"
"${build_target}-sha256sum"
)
oci_image="${ARTEFACT_REGISTRY}/${ARTEFACT_REPOSITORY}/cached-artefacts/${build_target}:${normalized_tags}"
case ${build_target} in
kernel-nvidia-gpu)
files_to_push+=(
"kata-static-${build_target}-headers.tar.xz"
)
;;
kernel-nvidia-gpu-confidential)
files_to_push+=(
"kata-static-${build_target}-modules.tar.xz"
"kata-static-${build_target}-headers.tar.xz"
)
;;
kernel*-confidential)
files_to_push+=(
"kata-static-${build_target}-modules.tar.xz"
)
;;
*)
;;
esac
oci_sha="$(oras push "${oci_image}" "${files_to_push[@]}" --format go-template='{{.reference}}' --no-tty)"
echo "${oci_sha}" > "${build_target}-oci-image"
oras logout "${ARTEFACT_REGISTRY}"
fi