Skip to content

Bump dependencies to address GHSA-q6cp-qfwq-4gcv #137

Bump dependencies to address GHSA-q6cp-qfwq-4gcv

Bump dependencies to address GHSA-q6cp-qfwq-4gcv #137

Workflow file for this run

name: Build Release
on:
push:
branches:
- main
tags:
- v*
jobs:
build-release-binaries:
strategy:
matrix:
include:
- target: 'x86_64-unknown-linux-musl'
host: 'ubuntu-latest'
uses_musl: true
extra_cargo_args: '--features=run_enclave,odyn'
- target: 'aarch64-unknown-linux-musl'
host: 'ubuntu-latest'
uses_musl: true
extra_cargo_args: '--features=run_enclave,odyn'
- target: 'x86_64-apple-darwin'
host: 'macos-latest'
- target: 'aarch64-apple-darwin'
host: 'macos-latest'
runs-on: ${{ matrix.host }}
steps:
- uses: actions/checkout@v3
- uses: actions-rs/toolchain@v1
with:
toolchain: stable
target: ${{ matrix.target }}
default: true
- uses: Swatinem/rust-cache@v2
with:
workspaces: "enclaver -> target"
key: ${{ matrix.target }}
- name: Build Release Binaries (native cargo)
if: ${{ !matrix.uses_musl }}
run: |
cargo build \
--target ${{ matrix.target }} \
--manifest-path enclaver/Cargo.toml \
--release \
${{ matrix.extra_cargo_args }}
- name: Build Release Binaries (cargo-zigbuild)
if: ${{ matrix.uses_musl }}
uses: ./.github/actions/cargo-zigbuild
with:
args: |
--target ${{ matrix.target }}
--manifest-path enclaver/Cargo.toml
--release
${{ matrix.extra_cargo_args }}
- name: Upload Artifacts
uses: actions/upload-artifact@v3
with:
name: ${{ matrix.target }}
path: |
enclaver/target/${{ matrix.target }}/release/enclaver
enclaver/target/${{ matrix.target }}/release/enclaver-run
enclaver/target/${{ matrix.target }}/release/odyn
publish-images:
if: github.repository == 'edgebitio/enclaver' && (github.ref == 'refs/heads/main' || github.ref_type == 'tag')
needs: build-release-binaries
runs-on: ubuntu-latest
permissions:
contents: 'read'
id-token: 'write'
steps:
- name: Download Binaries
uses: actions/download-artifact@v3
# Putting the binaries into a path whose name exactly matches Docker's
# architecture naming conventions makes it easy for the Dockerfiles to
# COPY architecture-specific files into the image in a nice, cacheable
# way.
- name: Re-Arrange Binaries
shell: bash
run: |
mv x86_64-unknown-linux-musl amd64
mv aarch64-unknown-linux-musl arm64
chmod 755 amd64/odyn amd64/enclaver-run arm64/odyn arm64/enclaver-run
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
- name: Authenticate to Google Cloud
uses: 'google-github-actions/auth@v0'
with:
workload_identity_provider: 'projects/77991489452/locations/global/workloadIdentityPools/gh-actions-identity-pool/providers/gh-actions-identity-provider'
service_account: 'github-actions-service-account@edgebit-containers.iam.gserviceaccount.com'
- name: Configure GCP Docker Auth
run: |
gcloud auth configure-docker us-docker.pkg.dev
- name: Authenticate to AWS
uses: aws-actions/configure-aws-credentials@v1-node16
with:
aws-region: us-east-1
role-to-assume: arn:aws:iam::970625735569:role/GitHubActionsECRPush
- name: Configure AWS Docker Auth
id: login-ecr
uses: aws-actions/amazon-ecr-login@v1
with:
registry-type: public
- name: Generate Odyn Image Metadata
id: odyn-metadata
uses: docker/metadata-action@v4
with:
images: |
us-docker.pkg.dev/edgebit-containers/containers/odyn
public.ecr.aws/p0s1m1r8/odyn
tags: |
type=sha,
type=semver,pattern=v{{major}}
type=semver,pattern=v{{major}}.{{minor}}
type=semver,pattern=v{{major}}.{{minor}}.{{patch}}
type=raw,value=latest,enable=${{ github.ref_type == 'tag' }}
- name: Build Odyn Image
uses: docker/build-push-action@v3
with:
context: "{{defaultContext}}:build/dockerfiles"
build-contexts: artifacts=.
file: odyn-release.dockerfile
platforms: linux/amd64,linux/arm64
push: true
tags: ${{ steps.odyn-metadata.outputs.tags }}
- name: Generate Runtime Base Image Metadata
id: wrapper-base-metadata
uses: docker/metadata-action@v4
with:
images: |
us-docker.pkg.dev/edgebit-containers/containers/enclaver-wrapper-base
public.ecr.aws/p0s1m1r8/enclaver-wrapper-base
tags: |
type=sha,
type=semver,pattern=v{{major}}
type=semver,pattern=v{{major}}.{{minor}}
type=semver,pattern=v{{major}}.{{minor}}.{{patch}}
type=raw,value=latest,enable=${{ github.ref_type == 'tag' }}
- name: Build Runtime Base Image
uses: docker/build-push-action@v3
with:
context: "{{defaultContext}}:build/dockerfiles"
build-contexts: artifacts=.
file: runtimebase.dockerfile
platforms: linux/amd64,linux/arm64
push: true
tags: ${{ steps.wrapper-base-metadata.outputs.tags }}
upload-release-artifact:
if: github.repository == 'edgebitio/enclaver' && github.ref_type == 'tag'
needs: build-release-binaries
runs-on: ubuntu-latest
strategy:
matrix:
include:
- target: 'x86_64-unknown-linux-musl'
release_name: 'enclaver-linux-x86_64'
- target: 'aarch64-unknown-linux-musl'
release_name: 'enclaver-linux-aarch64'
- target: 'x86_64-apple-darwin'
release_name: 'enclaver-macos-x86_64'
- target: 'aarch64-apple-darwin'
release_name: 'enclaver-macos-aarch64'
steps:
- name: Download Binaries
uses: actions/download-artifact@v3
- name: Construct Release Artifact
shell: bash
run: |
release_dir="${{ matrix.release_name }}-${{ github.ref_name }}"
mkdir ${release_dir}
mv ${{ matrix.target }}/enclaver ${release_dir}/enclaver
chmod 755 ${release_dir}/enclaver
tar -czf ${release_dir}.tar.gz ${release_dir}
sha256sum ${release_dir}.tar.gz > ${release_dir}.tar.gz.sha256
- name: Upload Artifact to GH Release
uses: softprops/action-gh-release@v1
with:
draft: true
tag_name: ${{ github.ref_name }}
files: |
${{ matrix.release_name }}-${{ github.ref_name }}.tar.gz
${{ matrix.release_name }}-${{ github.ref_name }}.tar.gz.sha256