GCS upload

project-oak · May 14, 2024 · 2fbb99b · 2fbb99b
1 parent 1e35660
commit 2fbb99b
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 4 deletions.
diff --git a/.github/workflows/provenance4.yaml b/.github/workflows/provenance4.yaml
@@ -31,10 +31,7 @@ jobs:
       - name: Parse buildconfig
         id: parse
         run: |
-          set -o errexit
-          set -o nounset
-          set -o xtrace
-          set -o pipefail
+          set -euo pipefail
           source ./scripts/common
           artifact_path="$(tail -1 ${{ matrix.buildconfig }} | grep -oP 'artifact_path = \K(.*)')"
           package_name="$(basename ${{ matrix.buildconfig }} .toml)"

diff --git a/.github/workflows/provenance5.yaml b/.github/workflows/provenance5.yaml
@@ -26,6 +26,14 @@ jobs:
     runs-on: ubuntu-20.04
 
     steps:
+      - name: Authenticate to Google Cloud
+        uses: google-github-actions/auth@v2
+        with:
+          credentials_json: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY_JSON }}
+
+      - name: Setup Google Cloud
+        uses: google-github-actions/setup-gcloud@v2
+
       - name: Mount main branch
         uses: actions/checkout@v4
 
@@ -48,6 +56,7 @@ jobs:
           echo "package_name: ${{ steps.parse.outputs.package-name }}"
           echo "binary_path: ${{ steps.parse.outputs.binary-path }}"
           echo "subject_path: ${{ steps.parse.outputs.subject-path }}"
+          echo "GITHUB_SHA: ${GITHUB_SHA}"
 
       - name: Build
         id: build
@@ -77,3 +86,37 @@ jobs:
         run: |
           echo "${{ steps.attest.outputs.bundle-path }}"
           ls -la "${{ steps.attest.outputs.bundle-path }}"
+
+      # Upload binary and provenance to GCS and index via http://static.space
+      # so that, regardless of the GCS bucket and path, it can easily be
+      # located by its digest.
+      - name: Upload
+        id: upload
+        run: |
+          set -o errexit
+          set -o nounset
+          set -o pipefail
+
+          bucket=oak-bins
+          package_name=${{ steps.parse.outputs.package-name }}
+          binary_path=${{ steps.parse.outputs.binary-path }}
+          provenance_path=${{ steps.attest.outputs.bundle-path }}
+
+          gcs_binary_path="binary/${GITHUB_SHA}/${package_name}/$(basename ${binary_path})"
+          gcs_provenance_path="provenance/${GITHUB_SHA}/${package_name}/$(basename ${provenance_path})"
+          binary_url="https://storage.googleapis.com/${bucket}/${binary_path}"
+          provenance_url="https://storage.googleapis.com/${bucket}/${provenance_path}"
+
+          gsutil cp "${binary_path}" "gs://${bucket}/${gcs_binary_path}"
+          gsutil cp "${provenance_path}" "gs://${bucket}/${gcs_provenance_path}"
+
+          curl --fail \
+            --request POST \
+            --header 'Content-Type: application/json' \
+            --data "{ \"url\": \"${binary_url}\" }" \
+            https://api.static.space/v1/snapshot
+          curl --fail \
+            --request POST \
+            --header 'Content-Type: application/json' \
+            --data "{ \"url\": \"${provenance_url}\" }" \
+            https://api.static.space/v1/snapshot