From a149a9ece1e0d470b125619ae6a41bdc46d7af56 Mon Sep 17 00:00:00 2001
From: Laura Abbott
Date: Thu, 19 Sep 2024 16:07:38 -0400
Subject: [PATCH] Perform releases on the Oxide colo Also add an attestation for use later
---
 .github/workflows/build-one.yml | 19 ++++++++++++++-----
 .github/workflows/release.yml | 9 ++++-----
 2 files changed, 18 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/build-one.yml b/.github/workflows/build-one.yml
index 8c25f7ba7..90810c957 100644
--- a/.github/workflows/build-one.yml
+++ b/.github/workflows/build-one.yml
@@ -25,6 +25,9 @@ on:
 jobs:
 build-one:
+ permissions:
+ id-token: write
+ attestations: write
 name: "${{ inputs.app_name }}/${{ inputs.app_toml}}"
 runs-on: ${{ inputs.os }}
 env:
@@ -60,19 +63,18 @@ jobs:
 - name: Fetch Humility
 uses: dsaltares/fetch-gh-release-asset@master
- if: inputs.os == 'ubuntu-latest'
+ if: inputs.os == 'ubuntu-latest' || inputs.os == 'oxide-colo-builder-hubris'
 with:
 repo: "oxidecomputer/humility"
 version: "59047694"
 file: "humility"
 target: "target/release/humility"
- token: ${{ secrets.GITHUB_TOKEN }}
 - name: Test Humility manifest
 # we need to chmod because all artifacts are marked as non-executable
- if: inputs.os == 'ubuntu-latest'
+ if: inputs.os == 'ubuntu-latest' || inputs.os == 'oxide-colo-builder-hubris'
 run: |
- sudo apt-get update && sudo apt-get install libusb-1.0-0-dev libftdi1-dev
+ sudo apt-get update && sudo apt-get install -y libusb-1.0-0-dev libftdi1-dev
 sudo chmod +x target/release/humility
 for image in `echo ${{ inputs.image }} | tr "," "\n"`; do \
 mv target/${{ inputs.app_name }}/dist/$image/build-${{ inputs.app_name }}-image-$image.zip target/${{ inputs.app_name }}/dist/; \
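Review bot: The job-level `permissions:` block added to `build-one` grants `id-token: write` and `attestations: write` to every invocation, but the attestation step this patch adds only runs when `inputs.os == 'oxide-colo-builder-hubris'`, so the `ubuntu-latest` builds hold token-minting scopes they never use. Setting `permissions:` on a job also drops every unlisted scope to none; if any step here reads the repository through the job token, `contents: read` has to be listed explicitly. build-one.yml appears to be a called workflow (it reads `inputs.*`), so its callers must grant these scopes as well; the release.yml hunks in this patch show no `permissions:` change, which is worth confirming in build-boards.yml. A short comment above the block, such as `# id-token/attestations are needed only by the Attestation step`, would record why the scopes exist. The job body continues outside the hunk.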
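Review bot: The widened `if:` on `Fetch Humility` makes `dsaltares/fetch-gh-release-asset@master` run on the self-hosted release runner, inside a job that now holds `id-token: write` and `attestations: write`; `@master` is a mutable branch ref, so whatever that branch points to at release time runs with those scopes. Pinning the step to a full commit SHA, `uses: dsaltares/fetch-gh-release-asset@<full-commit-sha>` (placeholder, use the commit that was reviewed), removes the dependency on the branch head. The downloaded `humility` binary is made executable in the next step without any digest check, so comparing it against a known SHA-256 before `chmod +x` would be a sensible addition. The same step also runs `sudo apt-get install` on the runner, which presumably persists between jobs on self-hosted hardware; confirm the runner is reset per job.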
@@ -84,10 +86,17 @@ jobs:
 run: |
 cargo xtask clippy ${{ inputs.app_toml}} -- --deny warnings
+ - name: Attestation
+ uses: actions/attest-build-provenance@v1
+ # Only attest if we're doing a colo build
+ if: inputs.os == 'oxide-colo-builder-hubris'
+ with:
+ subject-path: target/${{ inputs.app_name }}/dist/build-${{ inputs.app_name }}-image-*.zip
+
 # upload the output of our build
 - name: Upload build archive
 uses: actions/upload-artifact@v4
- if: inputs.os == 'ubuntu-latest'
+ if: inputs.os == 'ubuntu-latest' || inputs.os == 'oxide-colo-builder-hubris'
 with:
 name: dist-${{ inputs.os }}-${{ inputs.app_name }}
 path: target/${{ inputs.app_name }}/dist/build-${{ inputs.app_name }}-image-*.zip
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 01a37b8c4..97ece888f 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -11,12 +11,12 @@ jobs:
 do-build:
 uses: ./.github/workflows/build-boards.yml
 with:
- os: ubuntu-latest
+ os: oxide-colo-builder-hubris
 board-set: ${{ inputs.board-set }}
 release-build:
 needs: do-build
- runs-on: ubuntu-latest
+ runs-on: oxide-colo-builder-hubris
 steps:
 - name: grab binary
 id: grab
@@ -25,12 +25,10 @@ jobs:
 path: out
 - name: prep
 run: |
- VERSION=$(cut -d/ -f3- <<< "$GITHUB_REF")
- VERSION=`echo $VERSION | awk -F- '{print $NF}'`
 OUT=${{ steps.grab.outputs.download-path }}
 for build in `ls $OUT`; do
 for f in `ls $OUT/$build`; do
- mv $OUT/$build/$f $OUT/`basename $f .zip`-$VERSION.zip
+ mv $OUT/$build/$f $OUT/$f
 done
 done
@@ -39,5 +37,6 @@ jobs:
 with:
 name: "${{ inputs.board-set }} release"
 fail_on_unmatched_files: true
+ body: "These are UNVERSIONED hubris artifacts"
 files: |
 ${{ steps.grab.outputs.download-path }}/*.zip
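Review bot: The new `Attestation` step is gated on a literal runner label, so if the label passed as `inputs.os` ever changes, or a release is built on another runner, the step is skipped and the release still succeeds with unattested artifacts. Nothing in this patch makes the release fail when no attestation was produced; a check in release.yml before publishing, for example `gh attestation verify "$f" --repo "$GITHUB_REPOSITORY"` for each zip, would turn that into a hard error. The attestation also covers whatever matches the `subject-path` glob at that point, which is after the Fetch Humility and Test Humility steps have run in the same workspace and moved zips into `dist/`. A comment on the step stating that ordering assumption would help the next editor of this job.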
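Review bot: Switching both `do-build` and `release-build` to the self-hosted `oxide-colo-builder-hubris` runner makes the integrity of a release depend on that runner's state between jobs, and the patch shows nothing about whether the runner is ephemeral or cleaned per job. build-one.yml takes `os` as a free-form input and passes it to `runs-on:`, so it is worth confirming that no pull-request-triggered workflow can pass this label and reach the release hardware. A comment above `runs-on:` such as `# self-hosted release runner; must only be reachable from release triggers` would record the expectation. The trigger for release.yml is outside this hunk.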
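Review bot: With the `-$VERSION` suffix removed, the new `mv $OUT/$build/$f $OUT/$f` flattens every artifact directory into `$OUT` under the original file name, so two artifact directories holding a zip with the same name would overwrite each other silently and only the last one would be published. The expansions are unquoted and come from `ls` output, so a name containing whitespace or a leading dash would also be mishandled. A guarded form such as `[ ! -e "$OUT/$f" ] || { echo "duplicate artifact $f" >&2; exit 1; }` followed by `mv -- "$OUT/$build/$f" "$OUT/$f"` makes a collision fail the release instead of losing a file.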