From b297190d22952c1b23a2e91f2e346eae92a479bc Mon Sep 17 00:00:00 2001
From: Tom Binder
Date: Tue, 14 May 2024 12:06:20 +0000
Subject: [PATCH] with buildconfig
---
 .github/workflows/provenance4.yaml | 5 ++-
 .github/workflows/provenance5.yaml | 46 +++++++++++++-----------
 buildconfigs/key_xor_test_app.sh | 18 ++++++++++
 buildconfigs/oak_echo_raw_enclave_app.sh | 18 ++++++++++
 4 files changed, 65 insertions(+), 22 deletions(-)
 create mode 100644 buildconfigs/key_xor_test_app.sh
 create mode 100644 buildconfigs/oak_echo_raw_enclave_app.sh
diff --git a/.github/workflows/provenance4.yaml b/.github/workflows/provenance4.yaml
index a2d09e431e7..668b62c4563 100644
--- a/.github/workflows/provenance4.yaml
+++ b/.github/workflows/provenance4.yaml
@@ -31,7 +31,10 @@ jobs:
 - name: Parse buildconfig
 id: parse
 run: |
- set -euo pipefail
+ set -o errexit
+ set -o nounset
+ set -o xtrace
+ set -o pipefail
 source ./scripts/common
 artifact_path="$(tail -1 ${{ matrix.buildconfig }} | grep -oP 'artifact_path = \K(.*)')"
 package_name="$(basename ${{ matrix.buildconfig }} .toml)"
diff --git a/.github/workflows/provenance5.yaml b/.github/workflows/provenance5.yaml
index c65a7b705e1..a86d75f6bff 100644
--- a/.github/workflows/provenance5.yaml
+++ b/.github/workflows/provenance5.yaml
@@ -1,4 +1,4 @@
-name: MatrixBuild Provenance
+name: Provenance5
 on:
 push:
@@ -14,8 +14,8 @@ jobs:
 fail-fast: false
 matrix:
 buildconfig:
- - buildconfigs/key_xor_test_app.toml
- - buildconfigs/oak_echo_raw_enclave_app.toml
+ - buildconfigs/key_xor_test_app.sh
+ - buildconfigs/oak_echo_raw_enclave_app.sh
 permissions:
 actions: read
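Review bot: `set -o xtrace` is the only behavioural change in this hunk, and it makes the Parse buildconfig step print every expanded command to the job log, including the `DOCKER_IMAGE_REPO_DIGEST` value the step reads just below the hunk; for a step that feeds a provenance workflow that is a lot of log noise, and should `./scripts/common` ever export anything sensitive it becomes an exposure path. If the trace is only wanted while debugging, keep `set -euo pipefail` and echo the handful of values of interest, or enable tracing only when `RUNNER_DEBUG` is set. The step continues past the hunk and still parses a `.toml` with `tail -1 ... | grep -oP`, so provenance4 keeps the data-file format while provenance5 moves to sourced shell in the same commit; confirm that divergence is intended rather than an incomplete migration.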
@@ -31,51 +31,55 @@ jobs:
 - name: Parse buildconfig
 id: parse
 run: |
- set -euo pipefail
- source ./scripts/common
- artifact_path="$(tail -1 ${{ matrix.buildconfig }} | grep -oP 'artifact_path = \K(.*)')"
- package_name="$(basename ${{ matrix.buildconfig }} .toml)"
- builder_digest="$(echo "${DOCKER_IMAGE_REPO_DIGEST}" | cut -d'@' -f2)"
- echo "artifact-path=${artifact_path}" >> $GITHUB_OUTPUT
+ set -o errexit
+ set -o nounset
+ set -o xtrace
+ set -o pipefail
+ source ${{ matrix.buildconfig }}
 echo "package-name=${package_name}" >> $GITHUB_OUTPUT
- echo "builder-digest=${builder_digest}" >> $GITHUB_OUTPUT
+ echo "binary-path=${binary_path}" >> $GITHUB_OUTPUT
+ echo "subject-path=${subject_path}" >> $GITHUB_OUTPUT
 - name: Show values
 run: |
- echo "${{ steps.parse.outputs.artifact-path }}"
+ set -euo pipefail
 echo "${{ steps.parse.outputs.package-name }}"
- echo "${{ steps.parse.outputs.builder-digest }}"
+ echo "${{ steps.parse.outputs.binary-path }}"
+ echo "${{ steps.parse.outputs.subject-path }}"
 - name: Pretend build
 id: pretend
 run: |
 set -euo pipefail
- dir="$(dirname ${{ steps.parse.outputs.artifact-path }})"
- base="$(basename ${{ steps.parse.outputs.artifact-path }})"
+ dir="$(dirname ${{ steps.parse.outputs.binary-path }})"
+ base="$(basename ${{ steps.parse.outputs.binary-path }})"
 mkdir -p $dir
- echo "${base}" > ${{ steps.parse.outputs.artifact-path }}
+ echo "${base}" > ${{ steps.parse.outputs.binary-path }}
 - name: Build
 id: build
 run: |
- set -euo pipefail
+ set -o errexit
+ set -o nounset
+ set -o xtrace
+ set -o pipefail
+ source ${{ matrix.buildconfig }}
 export RUST_BACKTRACE=1
 export RUST_LOG=debug
 export XDG_RUNTIME_DIR=/var/run
 scripts/docker_pull
- scripts/docker_run nix develop .#rust --command env --chdir=enclave_apps/key_xor_test_app cargo build --release
+ scripts/docker_run "${build_command[@]}"
 - name: Show build artifact
 run: |
- echo "${{ steps.parse.outputs.artifact-path }}"
- ls -la "${{ steps.parse.outputs.artifact-path }}"
- ls -la enclave_apps/target/x86_64-unknown-none/release/key_xor_test_app
+ echo "${{ steps.parse.outputs.binary-path }}"
+ ls -la "${{ steps.parse.outputs.binary-path }}"
 - name: Attest
 id: attest
 uses: actions/attest-build-provenance@v1.1.1
 with:
- subject-path: ${{ steps.parse.outputs.artifact-path }}
+ subject-path: ${{ steps.parse.outputs.subject-path }}
 - name: Show Bundle
 run: |
diff --git a/buildconfigs/key_xor_test_app.sh b/buildconfigs/key_xor_test_app.sh
new file mode 100644
index 00000000000..c9f3a34cac6
--- /dev/null
+++ b/buildconfigs/key_xor_test_app.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+package_name=key_xor_test_app
+
+declare -a build_command=(
+ nix
+ develop
+ .#rust
+ --command
+ env
+ --chdir=enclave_apps/key_xor_test_app
+ cargo
+ build
+ --release
+)
+
+binary_path=enclave_apps/target/x86_64-unknown-none/release/key_xor_test_app
+subject_path="${binary_path}"
diff --git a/buildconfigs/oak_echo_raw_enclave_app.sh b/buildconfigs/oak_echo_raw_enclave_app.sh
new file mode 100644
index 00000000000..4fa3a5f54ef
--- /dev/null
+++ b/buildconfigs/oak_echo_raw_enclave_app.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+package_name=oak_echo_enclave_app
+
+declare -a build_command=(
+ nix
+ develop
+ .#rust
+ --command
+ env
+ --chdir=enclave_apps/oak_echo_enclave_app
+ cargo
+ build
+ --release
+)
+
+binary_path=enclave_apps/target/x86_64-unknown-none/release/oak_echo_enclave_app
+subject_path="${binary_path}"
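Review bot: `source ${{ matrix.buildconfig }}` in the Parse buildconfig and Build steps turns the buildconfig from a parsed data file into shell that runs with the job's permissions, and the same sourced file now supplies the `subject_path` that `actions/attest-build-provenance` signs, so an edit to `buildconfigs/*.sh` changes both what is built and what is attested; a comment above the matrix such as `# each buildconfig is sourced as bash by the Parse/Build steps and chooses the attested subject; review changes as build scripts` would make that visible to reviewers. The new lines also keep interpolating `${{ }}` expressions unquoted into the shell (`source ${{ matrix.buildconfig }}`, `dir="$(dirname ${{ steps.parse.outputs.binary-path }})"`); the values come from the workflow's own matrix and a repository file, so the risk is low, but passing them through `env:` and quoting (`source "$BUILDCONFIG"`, `dir="$(dirname "$BINARY_PATH")"`) is the form GitHub recommends and also survives paths containing spaces. The Show values step gains `set -euo pipefail` while its neighbours switch to four `set -o` lines, and `set -o xtrace` in Build will echo every command of the sourced file and the docker invocation to the log; pick one form and keep xtrace for debugging only. The `steps:` list this hunk edits begins before the hunk.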
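Review bot: The `#!/bin/sh` shebang does not match the file's contents: `declare -a build_command=(...)` is bash syntax, so running the file under `sh` fails, and with mode 100644 and no execute bit it is only ever `source`d by the bash `run:` steps in provenance5.yaml. Replace the shebang with `#!/usr/bin/env bash`, or, since the file is never executed directly, with a header comment such as `# Sourced by .github/workflows/provenance5.yaml (bash). Must define package_name, build_command (array), binary_path and subject_path.` so the contract the workflow relies on is written down. Unlike the former `.toml`, a wrong `binary_path` value here is not detected at parse time and only surfaces when the later `ls`/attest steps touch the path, which makes that header worth the lines. The same applies to buildconfigs/oak_echo_raw_enclave_app.sh.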
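Review bot: The file is named `oak_echo_raw_enclave_app.sh` but sets `package_name=oak_echo_enclave_app` and builds `--chdir=enclave_apps/oak_echo_enclave_app`; the removed `.toml` flow derived `package_name` from the buildconfig's basename, so before this commit the matrix entry produced `package-name=oak_echo_raw_enclave_app` and now it produces `oak_echo_enclave_app`. If the `raw` variant is meant to be a distinct build, the package name and `--chdir` look wrong; if not, renaming the file to match `package_name` (and the matrix entry with it) keeps each buildconfig self-describing. The shebang/bash-syntax mismatch noted on key_xor_test_app.sh applies here too.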