Perform releases on the Oxide colo

Also add an attestation for use later
oxidecomputer · Sep 30, 2024 · a149a9e · a149a9e
1 parent 39fccf8
commit a149a9e
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 10 deletions.
diff --git a/.github/workflows/build-one.yml b/.github/workflows/build-one.yml
@@ -25,6 +25,9 @@ on:
 
 jobs:
   build-one:
+     permissions:
+       id-token: write
+       attestations: write
      name: "${{ inputs.app_name }}/${{ inputs.app_toml}}"
      runs-on: ${{ inputs.os }}
      env:
@@ -60,19 +63,18 @@ jobs:
 
       - name: Fetch Humility
         uses: dsaltares/fetch-gh-release-asset@master
-        if: inputs.os == 'ubuntu-latest'
+        if: inputs.os == 'ubuntu-latest' || inputs.os == 'oxide-colo-builder-hubris'
         with:
           repo: "oxidecomputer/humility"
           version: "59047694"
           file: "humility"
           target: "target/release/humility"
-          token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Test Humility manifest
         # we need to chmod because all artifacts are marked as non-executable
-        if: inputs.os == 'ubuntu-latest'
+        if: inputs.os == 'ubuntu-latest' || inputs.os == 'oxide-colo-builder-hubris'
         run: |
-          sudo apt-get update && sudo apt-get install libusb-1.0-0-dev libftdi1-dev
+          sudo apt-get update && sudo apt-get install -y libusb-1.0-0-dev libftdi1-dev
           sudo chmod +x target/release/humility
           for image in `echo ${{ inputs.image }} | tr "," "\n"`; do \
               mv target/${{ inputs.app_name }}/dist/$image/build-${{ inputs.app_name }}-image-$image.zip target/${{ inputs.app_name }}/dist/; \
@@ -84,10 +86,17 @@ jobs:
         run: |
           cargo xtask clippy ${{ inputs.app_toml}} -- --deny warnings
 
+      - name: Attestation
+        uses: actions/attest-build-provenance@v1
+        # Only attest if we're doing a colo build 
+        if: inputs.os == 'oxide-colo-builder-hubris'
+        with:
+          subject-path: target/${{ inputs.app_name }}/dist/build-${{ inputs.app_name }}-image-*.zip
+
       # upload the output of our build
       - name: Upload build archive
         uses: actions/upload-artifact@v4
-        if: inputs.os == 'ubuntu-latest'
+        if: inputs.os == 'ubuntu-latest' || inputs.os == 'oxide-colo-builder-hubris'
         with:
           name: dist-${{ inputs.os }}-${{ inputs.app_name }}
           path: target/${{ inputs.app_name }}/dist/build-${{ inputs.app_name }}-image-*.zip
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -11,12 +11,12 @@ jobs:
   do-build:
     uses: ./.github/workflows/build-boards.yml
     with:
-       os: ubuntu-latest
+       os: oxide-colo-builder-hubris
        board-set: ${{ inputs.board-set }}
 
   release-build:
     needs: do-build
-    runs-on: ubuntu-latest
+    runs-on: oxide-colo-builder-hubris
     steps:
     - name: grab binary
       id: grab
@@ -25,12 +25,10 @@ jobs:
         path: out
     - name: prep
       run: |
-        VERSION=$(cut -d/ -f3- <<< "$GITHUB_REF")
-        VERSION=`echo $VERSION | awk -F- '{print $NF}'`
         OUT=${{ steps.grab.outputs.download-path }}
         for build in `ls $OUT`; do
            for f in `ls $OUT/$build`; do
-              mv $OUT/$build/$f $OUT/`basename $f .zip`-$VERSION.zip
+              mv $OUT/$build/$f $OUT/$f
            done
         done
 
@@ -39,5 +37,6 @@ jobs:
       with:
         name: "${{ inputs.board-set }} release"
         fail_on_unmatched_files: true
+        body: "These are UNVERSIONED hubris artifacts"
         files: |
           ${{ steps.grab.outputs.download-path }}/*.zip