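name: Boot DVD CI
on:
  pull_request: {}
  push:
    branches:
      - main
  schedule:
    # Run weekly (02:09 AM UTC on Tuesdays) without caches, to catch issues
    # with gathering inputs, reproducibility, or other external changes.
    - cron: '09 02 * * 2'
  workflow_dispatch: {}
# Least privilege for the automatic GITHUB_TOKEN. Nothing in this job writes
# through it: checkout uses ACCESS_TOKEN, the cache actions use the runner's
# own token, and GCP auth uses a service-account key. Read-only is enough.
permissions:
  contents: read
jobs:
  main:
    name: Build
    runs-on: ubuntu-22.04
    defaults:
      run:
        # Note: does not apply to actions.
        working-directory: boot-dvd
    steps:
      # NOTE(review): every `uses:` below references a mutable tag (v1/v3/v4).
      # Pinning each action to a full commit SHA (tag kept in a trailing
      # comment) stops a re-pointed or compromised tag from running arbitrary
      # code with the ACCESS_TOKEN and GCP secrets this job holds.
      - name: Check out sources
        uses: actions/checkout@v4
        with:
          # A personal access token (not GITHUB_TOKEN) so private repositories
          # can be fetched later. actions/checkout leaves it in the checkout's
          # local git config, which the next step relies on. On pull_request
          # events from forks this secret is empty; presumably the job cannot
          # get past this step then -- confirm the intended behaviour.
          token: ${{ secrets.ACCESS_TOKEN }}
      - name: Set up Git
        run: |
          # Configures the global `git` CLI to be able to access private repos.
          git config --global url.'https://github.com/'.insteadOf 'git@github.com:'
          # Copy the encoded auth token from local config that actions/checkout configured.
          # From here on the token is readable by every later step (cargo, the
          # build scripts, anything run inside this job), so ACCESS_TOKEN
          # should be a fine-grained token limited to the repos this needs.
          git config --global http.'https://github.com/'.extraHeader "$(git config --local http.'https://github.com/'.extraHeader)"
      - name: Run shellcheck
        run: |
          shellcheck --version
          shellcheck *.sh internal/*.sh internal/bashrc tests/*.sh
      - name: Check entrust.ps1 hashes
        run: ./tests/check-entrust-ps1-hashes.py
      - name: Split inputs hashes
        # The committed sha256sum.inputs.txt is the single source of truth for
        # every input; it is split per input class so each class can be
        # verified right after it is restored/downloaded.
        run: |
          grep -E ' \./inputs/apt/' sha256sum.inputs.txt > sha256sum.inputs-apt.txt
          grep -E ' \./inputs/(crates/|juicebox-hsm-realm\.tar$)' sha256sum.inputs.txt > sha256sum.inputs-code.txt
          grep -E ' \./inputs/rust-.*\.tar\.xz$' sha256sum.inputs.txt > sha256sum.inputs-rust.txt
      - name: Restore apt cache
        # Scheduled runs skip the cache on purpose (see the `schedule` comment).
        if: github.event_name != 'schedule'
        uses: actions/cache/restore@v3
        id: restore-apt-cache
        with:
          path: boot-dvd/inputs/apt
          key: apt-${{ runner.os }}-${{ hashFiles(
            'boot-dvd/sha256sum.inputs-apt.txt',
            'boot-dvd/get-debs.sh',
            'boot-dvd/internal/make-cache-dir.sh'
          ) }}
      - name: Download apt files
        # This is done unconditionally since it's fast if cached. It doesn't
        # download anything if the files in 'inputs/apt' exist.
        run: ./get-debs.sh
        env:
          SNAPSHOT_SERVER_ONLY: '1'
      - name: Check apt files
        # The cache is not trusted: whatever was restored or downloaded must
        # match the committed hashes exactly (extra or missing files also
        # show up as a diff). NUL-separated so odd file names cannot split
        # or hide an entry.
        run: |
          find ./inputs/apt -type f -print0 | \
            LC_ALL=C sort -z | \
            xargs -0 sha256sum | \
            diff -u sha256sum.inputs-apt.txt -
      - name: Save apt cache
        # Only reached if the verification above passed, so only verified
        # content is ever written to the cache.
        if: steps.restore-apt-cache.outputs.cache-hit != 'true'
        uses: actions/cache/save@v3
        with:
          path: boot-dvd/inputs/apt
          key: ${{ steps.restore-apt-cache.outputs.cache-primary-key }}
      - name: Download Rust
        run: ./get-rust.sh
      - name: Check Rust downloads
        run: |
          sha256sum ./inputs/rust-*-linux-*.tar.xz ./inputs/rust-src-*.tar.xz | \
            diff -u sha256sum.inputs-rust.txt -
      - name: Restore code/crates cache
        if: github.event_name != 'schedule'
        uses: actions/cache/restore@v3
        id: restore-code-cache
        with:
          path: |
            boot-dvd/inputs/crates/
            boot-dvd/inputs/juicebox-hsm-realm.tar
          key: code-${{ runner.os }}-${{ hashFiles(
            'boot-dvd/sha256sum.inputs-code.txt',
            'boot-dvd/sha256sum.inputs-rust.txt',
            'boot-dvd/get-code.sh',
            'boot-dvd/get-crates.sh',
            'boot-dvd/internal/get-crates-inner.sh',
            'boot-dvd/internal/make-cache-dir.sh',
            'boot-dvd/internal/vars.sh'
          ) }}
      - name: Package/download code
        # This is done unconditionally since it's fast if cached. It doesn't
        # download anything if 'inputs/juicebox-hsm-realm.tar' exists.
        run: ./get-code.sh
      - name: Download crates
        if: steps.restore-code-cache.outputs.cache-hit != 'true'
        run: ./get-crates.sh
      - name: Check code/crates inputs
        # Same verify-before-use rule as for the apt files.
        run: |
          find ./inputs/crates ./inputs/juicebox-hsm-realm.tar -type f -print0 | \
            LC_ALL=C sort -z | \
            xargs -0 sha256sum | \
            diff -u sha256sum.inputs-code.txt -
      - name: Save code/crates cache
        if: steps.restore-code-cache.outputs.cache-hit != 'true'
        uses: actions/cache/save@v3
        with:
          path: |
            boot-dvd/inputs/crates/
            boot-dvd/inputs/juicebox-hsm-realm.tar
          key: ${{ steps.restore-code-cache.outputs.cache-primary-key }}
      - name: Check all inputs
        # Final gate before the build: the complete input tree must match
        # sha256sum.inputs.txt, catching anything the per-class checks missed.
        run: |
          find ./inputs -type f -print0 | \
            LC_ALL=C sort -z | \
            xargs -0 sha256sum | \
            diff -u sha256sum.inputs.txt -
      - name: Build ISO
        run: ./build.sh
      - name: Dockerize root filesystem
        run: ./tests/iso-to-docker.sh
      - name: Run tool build and tests
        # `--net none`: the built image must be self-contained, so the tests
        # run with no network at all.
        run: |
          docker run --interactive --net none --rm ceremony-root sh -c \
            'ceremony meta paths && cd /root/ceremony/tool && cargo test'
      - name: Run juicebox-hsm-realm build and unit tests
        run: |
          docker run --interactive --net none --rm ceremony-root sh -c \
            'cd /root/juicebox-hsm-realm && cargo build && cargo test --lib'
      - name: Authenticate to Google Cloud
        uses: google-github-actions/auth@v1
        with:
          # Long-lived service-account key held as a secret. Workload Identity
          # Federation (OIDC, which would need `id-token: write` above) would
          # avoid storing a key at all. Presumably the action writes this key
          # to a file on the runner and removes it in its post step -- confirm
          # the cleanup setting is left at its default.
          credentials_json: '${{ secrets.GCP_SERVICE_ACCOUNT }}'
      - name: Download Codesafe from Google Cloud Storage
        working-directory: vendor-dvd
        # `set -x` only traces the commands below; none of them carry
        # credential material on their command line.
        run: |
          set -x
          mkdir -p inputs
          gcloud storage cp \
            'gs://ncipher-nshield-firmware/2023-08 v13.4 codesafe firmware secworld/Codesafe_Lin64-13.4.3.iso.zip' \
            inputs/
          # The vendor archive is verified against the committed hash before
          # any test consumes it.
          grep Codesafe sha256sum.inputs.txt > sha256sum.codesafe.txt
          sha256sum ./inputs/Codesafe_Lin64-13.4.3.iso.zip | \
            diff -u sha256sum.codesafe.txt -
      - name: Run tests needing Codesafe
        run: ./tests/test-codesafe.sh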