Skip to content

kbs-protocol: apply for version 0.6.0 #1

kbs-protocol: apply for version 0.6.0

kbs-protocol: apply for version 0.6.0 #1

name: Publish artifacts with ORAS
on:
push:
branches:
- main
env:
RUST_TOOLCHAIN: 1.83.0
jobs:
publish-aa:
permissions:
contents: read
packages: write
id-token: write
attestations: write
strategy:
matrix:
platform: [
{ tee: none, arch: x86_64, libc: musl },
{ tee: none, arch: s390x, libc: gnu },
{ tee: none, arch: aarch64, libc: gnu },
{ tee: amd, arch: x86_64, libc: musl },
{ tee: az-cvm-vtpm, arch: x86_64, libc: gnu },
{ tee: tdx, arch: x86_64, libc: gnu },
{ tee: cca, arch: x86_64, libc: musl },
{ tee: cca, arch: aarch64, libc: gnu },
{ tee: se, arch: s390x, libc: gnu },
]
runs-on: ${{ matrix.platform.arch == 's390x' && 's390x' || 'ubuntu-24.04' }}
env:
TEE_PLATFORM: ${{ matrix.platform.tee }}
LIBC: ${{ matrix.platform.libc }}
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
RUST_TARGET: ${{ matrix.platform.arch }}-unknown-linux-${{ matrix.platform.libc }}
steps:
- name: Log in to the Container registry
uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- uses: oras-project/setup-oras@v1
with:
version: 1.2.0
if: matrix.platform.arch != 's390x'
- uses: actions/checkout@v4
- uses: actions-rust-lang/setup-rust-toolchain@v1
with:
toolchain: ${{ env.RUST_TOOLCHAIN }}
target: ${{ env.RUST_TARGET }}
override: true
- name: Install tpm dependencies
if: matrix.platform.tee == 'az-cvm-vtpm'
run: |
sudo apt-get update
sudo apt-get install -y --no-install-recommends libtss2-dev
- uses: ./.github/actions/install-intel-dcap
with:
ubuntu-version: noble
if: matrix.platform.tee == 'tdx'
- uses: actions/checkout@v4
- name: Build
env:
ARCH: ${{ matrix.platform.arch }}
run: make ./target/${{ env.RUST_TARGET }}/release/attestation-agent
- name: Publish with ORAS
id: publish
env:
OCI_ARCH: ${{ matrix.platform.arch == 'x86_64' && 'amd64' || matrix.platform.arch == 'aarch64' && 'arm64' || matrix.platform.arch }}
run: |
mkdir oras
cd oras
cp ../target/${{ env.RUST_TARGET }}/release/attestation-agent .
tar cJf attestation-agent.tar.xz attestation-agent
arch_tag="${{ github.sha }}-${{ matrix.platform.tee }}_${{ matrix.platform.arch }}"
image="${REGISTRY}/${IMAGE_NAME}/attestation-agent"
tag="${{ github.sha }}-${{ matrix.platform.tee }}"
oras push "${image}:${arch_tag}" attestation-agent.tar.xz
# We need to create the platform annotations with docker, since oras 1.2 doesn't support
# pushing with platform yet.
docker manifest create "${image}:${tag}" --amend "${image}:${arch_tag}"
docker manifest annotate --arch "$OCI_ARCH" --os linux "${image}:${tag}" "${image}:${arch_tag}"
docker manifest push "${image}:${tag}"
# add image and digest to output for attestation
echo "image=${image}" >> "$GITHUB_OUTPUT"
digest="$(oras manifest fetch "${image}:${arch_tag}" --descriptor | jq -r .digest)"
echo "digest=${digest}" >> "$GITHUB_OUTPUT"
- uses: actions/attest-build-provenance@v2
with:
subject-name: ${{ steps.publish.outputs.image }}
subject-digest: ${{ steps.publish.outputs.digest }}
push-to-registry: true
publish-cdh-and-asr:
permissions:
contents: read
packages: write
id-token: write
attestations: write
strategy:
matrix:
arch:
- x86_64
- s390x
- aarch64
include:
- arch: x86_64
libc: musl
- arch: s390x
libc: gnu
- arch: aarch64
libc: gnu
runs-on: ${{ matrix.arch == 's390x' && 's390x' || 'ubuntu-24.04' }}
env:
LIBC: ${{ matrix.libc }}
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
RUST_TARGET: ${{ matrix.arch }}-unknown-linux-${{ matrix.libc }}
steps:
- name: Log in to the Container registry
uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- uses: oras-project/setup-oras@v1
with:
version: 1.2.0
if: matrix.arch != 's390x'
- uses: actions-rust-lang/setup-rust-toolchain@v1
with:
toolchain: ${{ env.RUST_TOOLCHAIN }}
target: ${{ env.RUST_TARGET }}
override: true
- name: Install dependencies
run: |
sudo apt-get update
sudo apt-get install -y --no-install-recommends \
libdevmapper-dev \
protobuf-compiler
- uses: actions/checkout@v4
- name: Build CDH
env:
ARCH: ${{ matrix.arch }}
run: make ./target/${{ env.RUST_TARGET }}/release/confidential-data-hub
- name: Build ASR
env:
ARCH: ${{ matrix.arch }}
run: make ./target/${{ env.RUST_TARGET }}/release/api-server-rest
- name: Publish CDH + ASR with ORAS
id: publish
run: |
tag="${{ github.sha }}-${{ matrix.arch }}"
mkdir oras
cd oras
cp ../target/${{ env.RUST_TARGET }}/release/{confidential-data-hub,api-server-rest} .
tar cJf confidential-data-hub.tar.xz confidential-data-hub
image="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}/confidential-data-hub"
oras push "${image}:${tag}" confidential-data-hub.tar.xz
echo "cdh-image=${image}" >> "$GITHUB_OUTPUT"
digest="$(oras manifest fetch "${image}:${tag}" --descriptor | jq -r .digest)"
echo "cdh-digest=${digest}" >> "$GITHUB_OUTPUT"
tar cJf api-server-rest.tar.xz api-server-rest
image="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}/api-server-rest"
oras push "${image}:${tag}" api-server-rest.tar.xz
echo "asr-image=${image}" >> "$GITHUB_OUTPUT"
digest="$(oras manifest fetch "${image}:${tag}" --descriptor | jq -r .digest)"
echo "asr-digest=${digest}" >> "$GITHUB_OUTPUT"
- uses: actions/attest-build-provenance@v2
with:
subject-name: ${{ steps.publish.outputs.cdh-image }}
subject-digest: ${{ steps.publish.outputs.cdh-digest }}
push-to-registry: true
- uses: actions/attest-build-provenance@v2
with:
subject-name: ${{ steps.publish.outputs.asr-image }}
subject-digest: ${{ steps.publish.outputs.asr-digest }}
push-to-registry: true