

CI: publish artifacts via ORAS
Pushing artifacts as binaries to the project's GHCR. The build job is
split between AA and CDH+ASR. AA has specific build and runtime
requirements depending on the TEE, while the CDH+ASR are generic per
arch.

Hence $AA is tagged with $sha-$tee ($arch is implicit in $tee) while
CDH+ASR are tagged with $sha-$arch.

Signed-off-by: Magnus Kulke <magnuskulke@microsoft.com>
mkulke committed Sep 29, 2024
1 parent a1b889b commit b4bc527
Showing 2 changed files with 176 additions and 4 deletions.
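--- a/.github/workflows/publish-artifacts.yml
+++ b/.github/workflows/publish-artifacts.yml
@@ -0,0 +1,174 @@
+name: Publish artifacts to ORAS
+
+on:
+push:
+branches:
+- main
+
+env:
+RUST_TOOLCHAIN: 1.80.0
+
+jobs:
+publish-aa:
+permissions:
+contents: read
+packages: write
+id-token: write
+strategy:
+matrix:
+tee:
+- none
+- amd
+- az-cvm-vtpm
+- tdx
+- se
+- cca
+include:
+- tee: none
+libc: musl
+arch: x86_64
+- tee: amd
+libc: musl
+arch: x86_64
+- tee: az-cvm-vtpm
+libc: gnu
+arch: x86_64
+- tee: tdx
+libc: gnu
+arch: x86_64
+- tee: se
+libc: gnu
+arch: s390x
+- tee: cca
+libc: musl
+arch: x86_64
+runs-on: ${{ matrix.arch == 's390x' && 's390x' || 'ubuntu-22.04' }}
+env:
+TEE_PLATFORM: ${{ matrix.tee }}
+LIBC: ${{ matrix.libc }}
+REGISTRY: ghcr.io
+IMAGE_NAME: ${{ github.repository }}
+steps:
+- name: Take a pre-action for self-hosted runner
+if: matrix.arch == 's390x'
+run: |
+if [ -f "${HOME}/script/pre_action.sh" ]; then
+"${HOME}/script/pre_action.sh" cc-guest-components
+fi
+- name: Log in to the Container registry
+uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
+with:
+registry: ${{ env.REGISTRY }}
+username: ${{ github.actor }}
+password: ${{ secrets.GITHUB_TOKEN }}
+
+- uses: oras-project/setup-oras@v1
+with:
+version: 1.0.0
+
+- uses: actions/checkout@v4
+
+- uses: actions-rust-lang/setup-rust-toolchain@v1
+with:
+toolchain: ${{ env.RUST_TOOLCHAIN }}
+target: ${{ matrix.arch }}-unknown-linux-${{ matrix.libc }}
+override: true
+components: rustfmt, clippy
+
+- name: Install tpm dependencies
+if: matrix.tee == 'az-cvm-vtpm'
+run: |
+sudo apt-get install -y --no-install-recommends libtss2-dev
+- name: Install tdx dependencies
+if: matrix.tee == 'tdx'
+run: |
+sudo curl -sL https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | sudo gpg --dearmor --output /usr/share/keyrings/intel-sgx.gpg
+sudo echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/intel-sgx.gpg] https://download.01.org/intel-sgx/sgx_repo/ubuntu jammy main' | sudo tee /etc/apt/sources.list.d/intel-sgx.list
+sudo apt-get update
+sudo apt-get install -y --no-install-recommends libtdx-attest-dev
+- uses: actions/checkout@v4
+
+- name: Build
+run: make ./target/${{ matrix.arch }}-unknown-linux-${{ matrix.libc}}/release/attestation-agent
+
+- name: Publish to ORAS
+run: |
+mkdir oras
+cd oras
+cp ../target/${{ matrix.arch }}-unknown-linux-${{ matrix.libc}}/release/attestation-agent .
+tar cJf attestation-agent.tar.xz attestation-agent
+oras push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}/attestation-agent:${{ github.sha }}-${{ matrix.tee }} attestation-agent.tar.xz
+publish-cdh-and-asr:
+permissions:
+contents: read
+packages: write
+id-token: write
+strategy:
+matrix:
+arch:
+- x86_64
+- s390x
+include:
+- arch: x86_64
+libc: musl
+- arch: s390x
+libc: gnu
+runs-on: ${{ matrix.arch == 's390x' && 's390x' || 'ubuntu-22.04' }}
+env:
+LIBC: ${{ matrix.libc }}
+REGISTRY: ghcr.io
+IMAGE_NAME: ${{ github.repository }}
+steps:
+- name: Take a pre-action for self-hosted runner
+if: matrix.arch == 's390x'
+run: |
+if [ -f "${HOME}/script/pre_action.sh" ]; then
+"${HOME}/script/pre_action.sh" cc-guest-components
+fi
+- name: Log in to the Container registry
+uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
+with:
+registry: ${{ env.REGISTRY }}
+username: ${{ github.actor }}
+password: ${{ secrets.GITHUB_TOKEN }}
+
+- uses: oras-project/setup-oras@v1
+with:
+version: 1.0.0
+
+- uses: actions-rust-lang/setup-rust-toolchain@v1
+with:
+toolchain: ${{ env.RUST_TOOLCHAIN }}
+target: ${{ matrix.arch }}-unknown-linux-${{ matrix.libc }}
+override: true
+components: rustfmt, clippy
+
+- name: Install dependencies
+run: |
+sudo apt-get update
+sudo apt-get install -y --no-install-recommends \
+libdevmapper-dev \
+protobuf-compiler
+- uses: actions/checkout@v4
+
+- name: Build CDH
+run: make ./target/${{ matrix.arch }}-unknown-linux-${{ matrix.libc}}/release/confidential-data-hub
+
+- name: Build ASR
+run: make ./target/${{ matrix.arch }}-unknown-linux-${{ matrix.libc}}/release/api-server-rest
+
+- name: Publish to ORAS
+run: |
+mkdir oras
+cd oras
+cp ../target/${{ matrix.arch }}-unknown-linux-${{ matrix.libc}}/release/{confidential-data-hub,api-server-rest} .
+tar cJf confidential-data-hub.tar.xz confidential-data-hub
+tar cJf api-server-rest.tar.xz api-server-rest
+oras push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}/confidential-data-hub:${{ github.sha }}-${{ matrix.arch }} confidential-data-hub.tar.xz
+oras push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}/api-server-rest:${{ github.sha }}-${{ matrix-arch }} api-server-rest.tar.xz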
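Review bot: The last `oras push` in the publish-cdh-and-asr "Publish to ORAS" step references `${{ matrix-arch }}`, which is not a recognised named value in the expression language, so the api-server-rest push will fail (most likely at workflow validation) for every matrix entry; the confidential-data-hub push on the line above has the correct form, and the line should read `oras push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}/api-server-rest:${{ github.sha }}-${{ matrix.arch }} api-server-rest.tar.xz`. Both jobs request `id-token: write`, but no visible step consumes the OIDC token and nothing signs or attests the pushed tarballs, so either drop that permission (least privilege) or put it to use by signing the pushed digests. Action pinning is inconsistent: docker/login-action is pinned to a commit SHA while actions/checkout, oras-project/setup-oras and actions-rust-lang/setup-rust-toolchain use mutable tags; pin all of them by SHA for the same supply-chain reason. In the tdx dependency step, `curl -sL ... | sudo gpg --dearmor` runs under the default `bash -e {0}` shell, which has no pipefail, so a failed key download is masked by the successful right-hand side; add `shell: bash` to that step (GitHub then runs `bash -eo pipefail`) and use `curl -fsSL`. publish-aa also checks out the repository twice (once before the toolchain setup and again before Build); the first checkout is redundant.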
6 changes: 2 additions & 4 deletions Makefile
Expand Up @@ -21,8 +21,8 @@ else ifeq ($(TEE_PLATFORM), fs)
ATTESTER = none
else ifeq ($(TEE_PLATFORM), tdx)
ATTESTER = tdx-attester
else ifeq ($(TEE_PLATFORM), az-tdx-vtpm)
ATTESTER = az-tdx-vtpm-attester
else ifeq ($(TEE_PLATFORM), az-cvm-vtpm)
ATTESTER = az-snp-vtpm-attester,az-tdx-vtpm-attester
else ifeq ($(TEE_PLATFORM), sev)
ATTESTER = none
ifeq ($(NO_RESOURCE_PROVIDER), true)
Expand All @@ -32,8 +32,6 @@ else ifeq ($(TEE_PLATFORM), sev)
endif
else ifeq ($(TEE_PLATFORM), snp)
ATTESTER = snp-attester
else ifeq ($(TEE_PLATFORM), az-snp-vtpm)
ATTESTER = az-snp-vtpm-attester
else ifeq ($(TEE_PLATFORM), se)
ATTESTER = se-attester
else ifeq ($(TEE_PLATFORM), all)
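Review bot: Dropping the `az-snp-vtpm` and `az-tdx-vtpm` branches leaves those TEE_PLATFORM values unrecognised, so an existing invocation such as `make TEE_PLATFORM=az-snp-vtpm` now falls through to the tail of the if-chain, which lies outside this hunk; if that tail is a generic default rather than an error, the old name silently builds an attestation-agent without the vTPM attesters. Consider keeping one branch per retired name that fails loudly, e.g. `else ifeq ($(TEE_PLATFORM), az-snp-vtpm)` followed by `$(error az-snp-vtpm was merged into az-cvm-vtpm; set TEE_PLATFORM=az-cvm-vtpm)`, and the same for az-tdx-vtpm. The enclosing if-chain starts and ends outside both hunks.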
