Fix icing search tests #1791
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build and attest all | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| branches: [main] | |
| # See https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#example-using-concurrency-to-cancel-any-in-progress-job-or-run | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} | |
| cancel-in-progress: true | |
| jobs: | |
| build_attest_all: | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| buildconfig: | |
| - buildconfigs/key_xor_test_app.sh | |
| - buildconfigs/oak_client_android_app.sh | |
| - buildconfigs/oak_containers_agent.sh | |
| - buildconfigs/oak_containers_kernel.sh | |
| - buildconfigs/oak_containers_orchestrator.sh | |
| - buildconfigs/oak_containers_stage1.sh | |
| - buildconfigs/oak_containers_syslogd.sh | |
| - buildconfigs/oak_containers_system_image.sh | |
| - buildconfigs/oak_containers_nvidia_system_image.sh | |
| - buildconfigs/oak_echo_enclave_app.sh | |
| - buildconfigs/oak_echo_raw_enclave_app.sh | |
| - buildconfigs/oak_functions_enclave_app.sh | |
| - buildconfigs/oak_functions_insecure_enclave_app.sh | |
| - buildconfigs/oak_logcabin_endorser_enclave_app.sh | |
| - buildconfigs/oak_orchestrator.sh | |
| - buildconfigs/oak_restricted_kernel_simple_io_channel.sh | |
| - buildconfigs/private_memory_server.sh | |
| - buildconfigs/stage0_bin.sh | |
| - buildconfigs/stage0_bin_tdx.sh | |
| permissions: | |
| actions: read | |
| id-token: write | |
| attestations: write | |
| contents: read | |
| runs-on: ubuntu-24.04 | |
| steps: | |
| # Needed for GCS upload. | |
| - name: Authenticate to Google Cloud | |
| uses: google-github-actions/auth@v2 | |
| with: | |
| credentials_json: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY_JSON }} | |
| # Needed for GCS upload. | |
| - name: Setup Google Cloud | |
| uses: google-github-actions/setup-gcloud@v2 | |
| - name: Mount main branch | |
| uses: actions/checkout@v4 | |
| # The runner comes with all this software pre-installed: | |
| # https://github.com/actions/runner-images/blob/main/images/ubuntu/Ubuntu2004-Readme.md | |
| # To avoid failures due to lack of disk space, we delete some large packages | |
| # which are irrelevant for building. Sources: | |
| # https://github.com/jens-maus/RaspberryMatic/blob/ea6b8ce0dd2d53ea88b2766ba8d7f8e1d667281f/.github/workflows/ci.yml#L34-L40 | |
| # https://github.com/actions/runner-images/issues/2875 | |
| # https://github.com/actions/runner-images/issues/10386 | |
| - name: Free disk space | |
| run: | | |
| set -o errexit | |
| set -o xtrace | |
| df --human-readable | |
| sudo apt-get remove --yes \ | |
| '^dotnet-.*' '^llvm-.*' 'php.*' \ | |
| '^haskell-.*' '^ghc-.*' '^cabal-.*' \ | |
| google-chrome-stable firefox microsoft-edge-stable \ | |
| azure-cli powershell | |
| df --human-readable | |
| sudo apt-get autoremove --yes | |
| df --human-readable | |
| sudo apt clean | |
| df --human-readable | |
| sudo rm --recursive --force "${AGENT_TOOLSDIRECTORY}" | |
| df --human-readable | |
| sudo rm --recursive --force /usr/local/.ghcup | |
| df --human-readable | |
| sudo rm --recursive --force /opt/ghc | |
| df --human-readable | |
| sudo rm --recursive --force /usr/share/dotnet | |
| df --human-readable | |
| dpkg --list | |
| # Keeps two versions of SUBJECT_PATHS, with space resp. comma as | |
| # path separator. Both are needed in later steps. | |
| - name: Parse buildconfig | |
| id: parse | |
| run: | | |
| set -o errexit | |
| set -o nounset | |
| set -o pipefail | |
| source ${{ matrix.buildconfig }} | |
| echo "package-name=${PACKAGE_NAME}" >> "${GITHUB_OUTPUT}" | |
| paths="${SUBJECT_PATHS[@]}" | |
| echo "subject-paths=${paths}" >> "${GITHUB_OUTPUT}" | |
| echo "subject-paths-commas=${paths// /,}" >> "${GITHUB_OUTPUT}" | |
| - name: Show values | |
| run: | | |
| set -o errexit | |
| set -o nounset | |
| set -o pipefail | |
| gsutil --version | |
| echo "package_name: ${{ steps.parse.outputs.package-name }}" | |
| echo "subject_paths: ${{ steps.parse.outputs.subject-paths }}" | |
| echo "subject_paths_commas: ${{ steps.parse.outputs.subject-paths-commas }}" | |
| echo "GITHUB_SHA: ${GITHUB_SHA}" | |
| - name: Build | |
| id: build | |
| run: | | |
| set -o errexit | |
| set -o nounset | |
| set -o pipefail | |
| source ${{ matrix.buildconfig }} | |
| KOKORO_JOB_TYPE=CONTINUOUS_INTEGRATION | |
| source kokoro/helpers/common.sh | |
| configure_common_env | |
| configure_bazelrc | |
| scripts/docker_pull | |
| scripts/docker_run "${BUILD_COMMAND[@]}" | |
| - name: Show build artifacts | |
| run: | | |
| echo "${{ steps.parse.outputs.subject-paths }}" | |
| ls -la ${{ steps.parse.outputs.subject-paths }} | |
| for output in ${{ steps.parse.outputs.subject-paths }} | |
| do | |
| sha256sum "$output" | |
| done | |
| - name: Attest | |
| id: attest | |
| uses: actions/attest-build-provenance@v1.1.1 | |
| with: | |
| subject-path: ${{ steps.parse.outputs.subject-paths-commas }} | |
| - name: Show bundle | |
| run: | | |
| echo "${{ steps.attest.outputs.bundle-path }}" | |
| ls -la "${{ steps.attest.outputs.bundle-path }}" | |
| cat "${{ steps.attest.outputs.bundle-path }}" | |
| # Upload binary and provenance to GCS. | |
| - name: Upload | |
| id: upload | |
| run: | | |
| set -o errexit | |
| set -o nounset | |
| set -o pipefail | |
| set -o xtrace | |
| package_name=${{ steps.parse.outputs.package-name }} | |
| subject_paths=( ${{ steps.parse.outputs.subject-paths }} ) | |
| binary_path="${subject_paths[0]}" | |
| provenance_path=${{ steps.attest.outputs.bundle-path }} | |
| scripts/publish \ | |
| "${binary_path}" \ | |
| "${provenance_path}" \ | |
| "sha1:${GITHUB_SHA}" \ | |
| "${package_name}" |