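---
# Release workflow for the Tinfoil CVM base image.
#
# On a pushed `v*` tag this job builds the image with mkosi, computes its
# AMD SEV-SNP launch measurement (against a downloaded OVMF firmware),
# attests image + measurement through actions/attest (Sigstore), uploads
# the image to R2 and publishes a GitHub release carrying the measurement,
# the image checksum and the transparency-log index.
#
# Security notes for maintainers:
#   * The published measurement is only as trustworthy as the exact mkosi,
#     sev-snp-measure and OVMF builds used to produce it; see the TODOs on
#     the steps that install/fetch them.
#   * Every third-party action is referenced by a mutable tag. Pin each to
#     a full commit SHA (keep the tag in a trailing comment). This matters
#     most for the R2 upload step, which receives the bucket credentials.
name: Release

on:
  push:
    tags:
      - 'v*'

jobs:
  release:
    name: Release
    runs-on: large
    # Least privilege: `contents: write` is for the release step,
    # `id-token` + `attestations` for actions/attest. Nothing in this job
    # publishes to GitHub Packages, so `packages: write` is not granted.
    permissions:
      contents: write
      id-token: write
      attestations: write
    env:
      # Bare tag name, e.g. v1.2.3. Shell steps read it from the environment
      # instead of interpolating `${{ }}` into the script, so a crafted tag
      # name cannot inject shell syntax.
      TAG: ${{ github.ref_name }}
    steps:
      - uses: actions/checkout@v4

      - name: Install build dependencies
        run: |
          set -euo pipefail
          sudo apt-get update
          sudo apt-get install -y pipx ubuntu-keyring debian-archive-keyring make jq
          # TODO(review): mkosi is installed from an unpinned git HEAD and
          # sev-snp-measure from whatever PyPI serves at build time. Both
          # feed directly into the published measurement; pin a tag/commit
          # and a version so a release can be rebuilt and re-measured.
          pipx install git+https://github.com/systemd/mkosi.git
          pipx install sev-snp-measure

      - name: Build image
        run: |
          set -euo pipefail
          # The artifact names below use the bare tag; the image version
          # passed to mkosi now does too (previously github.ref, i.e.
          # "refs/tags/<tag>", was passed here).
          mkosi --image-version "$TAG"
          mkdir upload
          mv tinfoilcvm.raw "upload/tinfoil-cvm-base-${TAG}.img"
          # Hash from inside upload/ so the .sha256 file names the image as
          # it is published and `sha256sum -c` works after download.
          (cd upload && sha256sum "tinfoil-cvm-base-${TAG}.img" > "tinfoil-cvm-base-${TAG}.img.sha256")

      - name: Fetch OVMF
        run: |
          set -euo pipefail
          # The firmware is part of the SEV-SNP launch measurement, so the
          # measurement published below is only meaningful together with the
          # exact OVMF build it was computed against.
          # TODO(review): pin a specific release and verify the file's
          # checksum instead of trusting whatever "latest" resolves to and
          # whatever the download returns. Until then the resolved tag is
          # exported and recorded in the release notes.
          OVMF_TAG=$(curl -sSf "https://api.github.com/repos/tinfoilanalytics/AMDSEV/releases/latest" | jq -r .tag_name)
          # An API failure or missing field yields "" or "null"; fail here
          # rather than fetching a nonsensical URL.
          if [ -z "$OVMF_TAG" ] || [ "$OVMF_TAG" = "null" ]; then
            echo "could not resolve latest OVMF release tag" >&2
            exit 1
          fi
          wget "https://github.com/tinfoilanalytics/AMDSEV/releases/download/${OVMF_TAG}/OVMF.fd"
          echo "OVMF_TAG=${OVMF_TAG}" >> "$GITHUB_ENV"

      - name: Measure image
        run: |
          set -euo pipefail
          make measure > "upload/tinfoil-cvm-base-${TAG}.measurement.json"

      # Sigstore attestation: subject is the image, predicate is the
      # measurement JSON produced by `make measure`.
      - name: Attest
        uses: actions/attest@v1
        id: attest
        with:
          subject-path: upload/tinfoil-cvm-base-${{ env.TAG }}.img
          predicate-type: https://tinfoil.sh/predicate/amd-sev-snp-measurements/v1
          predicate-path: upload/tinfoil-cvm-base-${{ env.TAG }}.measurement.json

      # TODO(review): `@latest` is a mutable ref on a third-party action that
      # is handed the R2 credentials; pin to a commit SHA.
      - name: Upload artifact
        uses: ryand56/r2-upload-action@latest
        with:
          r2-account-id: ${{ secrets.R2_IMAGES_ACCOUNT_ID }}
          r2-access-key-id: ${{ secrets.R2_IMAGES_ACCESS_KEY_ID }}
          r2-secret-access-key: ${{ secrets.R2_IMAGES_SECRET_ACCESS_KEY }}
          r2-bucket: ${{ secrets.R2_IMAGES_BUCKET }}
          source-dir: upload
          destination-dir: ./

      - name: Generate release notes
        id: generate-release-notes
        env:
          BUNDLE_PATH: ${{ steps.attest.outputs.bundle-path }}
        run: |
          set -euo pipefail
          MEASUREMENT=$(jq -r '.measurement' "upload/tinfoil-cvm-base-${TAG}.measurement.json")
          LOG_INDEX=$(jq -r '.verificationMaterial.tlogEntries[0].logIndex' "$BUNDLE_PATH")
          IMG_SHA256=$(cat "upload/tinfoil-cvm-base-${TAG}.img.sha256")
          # Multi-line step output. The delimiter is randomised so no line of
          # the notes can terminate the block early.
          DELIM="notes-${RANDOM}${RANDOM}"
          {
            echo "release-notes<<${DELIM}"
            echo "AMD SEV-SNP Measurement: \`${MEASUREMENT}\`"
            echo "OVMF firmware: https://github.com/tinfoilanalytics/AMDSEV/releases/tag/${OVMF_TAG}"
            echo "Transparency Log Entry: https://search.sigstore.dev?logIndex=${LOG_INDEX}"
            echo "CVM image: https://images.tinfoil.sh/tinfoil-cvm-base-${TAG}.img"
            echo "CVM image hash: \`${IMG_SHA256}\`"
            echo "${DELIM}"
          } >> "$GITHUB_OUTPUT"

      - name: Create release
        uses: softprops/action-gh-release@v2
        with:
          files: |
            upload/tinfoil-cvm-base-${{ env.TAG }}.measurement.json
            upload/tinfoil-cvm-base-${{ env.TAG }}.img.sha256
          body: ${{ steps.generate-release-notes.outputs.release-notes }}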