From aea16eec99fec61d49e42a1e99f1b929687fcedf Mon Sep 17 00:00:00 2001
From: Tiziano Santoro
Date: Tue, 23 Apr 2024 15:55:08 +0000
Subject: [PATCH] Upload binary and provenance to GCS

Change-Id: I4c277283400a26a95d21b4cb9bd46da5aad88f86
---
 .github/workflows/provenance.yaml | 1 +
 .github/workflows/reusable_provenance.yaml | 44 ++++++++++++++++++++--
 2 files changed, 42 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/provenance.yaml b/.github/workflows/provenance.yaml
index 0a2becb5cdb..4272c38fe21 100644
--- a/.github/workflows/provenance.yaml
+++ b/.github/workflows/provenance.yaml
@@ -55,3 +55,4 @@ jobs:
 ENT_API_KEY: ${{ secrets.ENT_API_KEY }}
 # Secret key corresponding to `ent-public-key` above, used to sign Ent tags.
 ENT_SECRET_KEY: ${{ secrets.ENT_SECRET_KEY }}
+ GCP_SERVICE_ACCOUNT_KEY_JSON: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY_JSON }}
diff --git a/.github/workflows/reusable_provenance.yaml b/.github/workflows/reusable_provenance.yaml
index 67079d71e6a..53d284cc3fd 100644
--- a/.github/workflows/reusable_provenance.yaml
+++ b/.github/workflows/reusable_provenance.yaml
@@ -19,6 +19,8 @@ on:
 # of a binary to its provenance.
 ENT_SECRET_KEY:
 required: true
+ GCP_SERVICE_ACCOUNT_KEY_JSON:
+ required: true
 
 jobs:
 get_inputs:
@@ -38,7 +40,7 @@ jobs:
 
 steps:
 - name: Mount main branch
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 
 - name: Parse build config
 id: parse-build-config
@@ -101,6 +103,23 @@ jobs:
 pull-requests: write
 
 steps:
+ - name: 'Authenticate to Google Cloud'
+ uses: 'google-github-actions/auth@v2'
+ with:
+ credentials_json: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY_JSON }}
+
+ - name: 'Set up Google Cloud SDK'
+ uses: 'google-github-actions/setup-gcloud@v2'
+
+ - name: 'Google Cloud info'
+ run: |
+ set -o errexit
+ set -o nounset
+ set -o xtrace
+ set -o pipefail
+ gcloud --version
+ gsutil --version
+
 # See https://github.com/google/ent
 - name: Download Ent CLI
 if: steps.cache-ent.outputs.cache-hit != 'true'
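Review bot: The new `GCP_SERVICE_ACCOUNT_KEY_JSON` pass-through in the `@@ -55,3 +55,4 @@` hunk is the only secret in that block without a comment, while its neighbour `ENT_SECRET_KEY` says what the key is for; the same gap exists at the secret declaration added in the `@@ -19,6 +19,8 @@` hunk of reusable_provenance.yaml. I would add `# JSON key of the GCP service account that reusable_provenance.yaml uses to upload the binary and its provenance to the oak-bins GCS bucket.` above the pass-through, and the same comment at the declaration, naming the consuming job (`upload_provenance`, judging by the step names in this patch). Naming the consumer makes it visible that this is a write credential for a bucket whose objects are served publicly (the script advertises `https://storage.googleapis.com/...` URLs), which matters when deciding which events may reach that job.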
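Review bot: The 'Authenticate to Google Cloud' step in the `@@ -101,6 +103,23 @@` hunk authenticates with a long-lived service-account key (`credentials_json: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY_JSON }}`), which is the credential type that is hardest to rotate and most damaging if it leaks; `google-github-actions/auth@v2` also supports keyless Workload Identity Federation through its `workload_identity_provider` and `service_account` inputs, which only needs `id-token: write` added to the job's `permissions:` block that starts just above this hunk. If the key has to stay, scoping the service account to object creation on that one bucket bounds what a leaked key can do. The two new `google-github-actions/*@v2` references are pinned by mutable major tag, so a moved tag changes the code that holds this credential; pinning to a commit SHA with the tag in a trailing comment is the usual mitigation for steps that handle cloud credentials. The 'Google Cloud info' step enables `set -o xtrace`, which is fine here because it only runs `--version` commands and nothing sensitive is echoed.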
@@ -139,7 +158,7 @@ jobs:
 path: downloads
 
 - name: Debug step - Display structure of downloaded files
- run: ls -R
+ run: ls --recursive
 working-directory: downloads
 
 - name: Upload binary, provenance, signed tag to Ent
@@ -154,6 +173,9 @@ jobs:
 set -o nounset
 set -o xtrace
 set -o pipefail
+
+ bucket_name=oak-bins
+
 provenance_file="attestation.intoto"
 if [[ "${{ github.event_name }}" != "pull_request" ]]; then
 provenance_file="${provenance_file}.build.slsa"
@@ -169,6 +191,22 @@ jobs:
 --label="provenance_${GITHUB_SHA}_${package_name}" \
 --target=${provenance_digest}
 
+ gsutil cp "${binary_file}" "gs://${bucket_name}/binary/${GITHUB_SHA}/${package_name}/$(basename ${binary_file})"
+ binary_url="https://storage.googleapis.com/${bucket_name}/${destination}/${base_file_name}"
+ curl --fail \
+ --request POST \
+ --header 'Content-Type: application/json' \
+ --data "{ \"url\": \"${binary_url}\" }" \
+ https://api.static.space/v1/snapshot
+
+ gsutil cp "${provenance_file}" "gs://${bucket_name}/provenance/${GITHUB_SHA}/${package_name}/$(basename ${provenance_file})"
+ provenance_url="https://storage.googleapis.com/${bucket_name}/${destination}/${base_file_name}"
+ curl --fail \
+ --request POST \
+ --header 'Content-Type: application/json' \
+ --data "{ \"url\": \"${provenance_url}\" }" \
+ https://api.static.space/v1/snapshot
+
 # Debug step similar to `upload_provenance`, but runs on pull-request events.
 # Differs from `upload_provenance` in that it does not publish the binary
 # and its provenance into Ent and that it does not post a comment on the PR.
@@ -192,7 +230,7 @@ jobs:
 path: downloads
 
 - name: Display structure after downloading the files (debug step)
- run: ls -R
+ run: ls --recursive
 working-directory: downloads
 
 - name: Print binary digest
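Review bot: In the `@@ -169,6 +191,22 @@` hunk, `binary_url` and `provenance_url` are built from `${destination}` and `${base_file_name}`, neither of which is assigned anywhere visible in this script; under the `set -o nounset` shown in the previous hunk (which appears to be the same `run:` script, whose start lies outside this hunk) the step would abort right after the first `gsutil cp`, and even if both names are set further up, the two URLs would point at the same object rather than at the `binary/...` and `provenance/...` paths that were just uploaded. Deriving each object path once and reusing it for both the copy and the snapshot request removes the mismatch, and quoting the `$(basename ...)` substitution avoids word-splitting on unusual file names. Because the object names are keyed only by `${GITHUB_SHA}` and `${package_name}`, a re-run of the workflow silently overwrites the previously published binary and provenance; `gsutil cp -n` (no-clobber) is the lightweight guard, with bucket object versioning or retention as the stronger one, so that what was published for a commit stays immutable.

```yaml
          # … unchanged: Ent upload commands above …
          binary_object="binary/${GITHUB_SHA}/${package_name}/$(basename "${binary_file}")"
          gsutil cp -n "${binary_file}" "gs://${bucket_name}/${binary_object}"
          binary_url="https://storage.googleapis.com/${bucket_name}/${binary_object}"
          # … unchanged: curl snapshot request for ${binary_url} …

          provenance_object="provenance/${GITHUB_SHA}/${package_name}/$(basename "${provenance_file}")"
          gsutil cp -n "${provenance_file}" "gs://${bucket_name}/${provenance_object}"
          provenance_url="https://storage.googleapis.com/${bucket_name}/${provenance_object}"
          # … unchanged: curl snapshot request for ${provenance_url} …
```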