Skip to content

Attempt to fix build pipeline (slsa) #27

Attempt to fix build pipeline (slsa)

Attempt to fix build pipeline (slsa) #27

Workflow file for this run

name: Build
on:
workflow_dispatch:
push:
branches:
- master
tags:
- v*
jobs:
package-sources:
outputs:
hashes: ${{ steps.hash.outputs.hashes }}
runs-on: ubuntu-latest
env:
ARTIFACT_ZIP: src.zip
ARTIFACT_TAR: src.tar.gz
steps:
- uses: actions/checkout@v4
- name: Package sources
run: |
git archive -o $ARTIFACT_ZIP HEAD
git archive -o $ARTIFACT_TAR HEAD
- name: Generate hashes
id: hash
run: |
# sha256sum generates sha256 hash for all artifacts.
# base64 -w0 encodes to base64 and outputs on a single line.
# sha256sum artifact1 artifact2 ... | base64 -w0
echo "hashes=$(sha256sum $ARTIFACT_ZIP $ARTIFACT_TAR | base64 -w0)" >> "$GITHUB_OUTPUT"
- name: Upload artifacts
uses: actions/upload-artifact@v3
with:
path: |
${{env.ARTIFACT_ZIP}}
${{env.ARTIFACT_TAR}}
if-no-files-found: error
build-win:
outputs:
hashes: ${{ steps.hash.outputs.hashes }}
runs-on: windows-2019
env:
SOLUTION: Windows\supercan.sln
MSBUILD_OPTIONS: -noLogo -m -t:Build -p:Configuration=Release
ResourcesExtraDefines: SC_BUILD_NUMBER=$(GITHUB_RUN_NUMBER)
VCVARS32: C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Auxiliary\Build\vcvars32.bat
VCVARS64: C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Auxiliary\Build\vcvars64.bat
SC_BUILD_QT_PLUGIN: 0
ARTIFACT_7z: supercan-win.7z
ARTIFACT_INSTALLER: supercan_inst.exe
steps:
- uses: actions/checkout@v4
- uses: microsoft/[email protected]
- name: Build
id: build
shell: cmd
run: appveyor\windows.cmd
# run: |
# set
# echo 1 >supercan-win.7z
# echo 2 >supercan_inst.exe
- name: Generate hashes
shell: bash
id: hash
run: |
# sha256sum generates sha256 hash for all artifacts.
# base64 -w0 encodes to base64 and outputs on a single line.
# sha256sum artifact1 artifact2 ... | base64 -w0
echo "hashes=$(sha256sum $ARTIFACT_7z $ARTIFACT_INSTALLER | base64 -w0)" >> "$GITHUB_OUTPUT"
- name: Upload artifacts
uses: actions/upload-artifact@v3
with:
path: |
${{env.ARTIFACT_7z}}
${{env.ARTIFACT_INSTALLER}}
if-no-files-found: error
build-firmware:
outputs:
hashes: ${{ steps.hash.outputs.hashes }}
runs-on: ubuntu-20.04
env:
DEBIAN_FRONTEND: noninteractive
ARTIFACT_FIRMWARE: supercan-firmware.tar.xz
steps:
- uses: actions/checkout@v4
- name: Setup
run: |
sudo apt-get update && sudo apt-get install -y dfu-util gcc-arm-none-eabi pixz python3
git submodule update --init --depth 1 --recursive
- name: Build
id: build
run: |
env
$GITHUB_WORKSPACE/Boards/examples/device/supercan/build.sh
mv $GITHUB_WORKSPACE/Boards/examples/device/supercan/firmware/supercan-firmware.tar.xz $GITHUB_WORKSPACE
# run: |
# set
# echo 1 >supercan-firmware.tar.xz
- name: Generate hashes
id: hash
run: |
# sha256sum generates sha256 hash for all artifacts.
# base64 -w0 encodes to base64 and outputs on a single line.
# sha256sum artifact1 artifact2 ... | base64 -w0
echo "hashes=$(sha256sum $ARTIFACT_FIRMWARE | base64 -w0)" >> "$GITHUB_OUTPUT"
- name: Upload artifacts
uses: actions/upload-artifact@v3
with:
path: ${{ env.ARTIFACT_FIRMWARE }}
if-no-files-found: error
build-linux:
runs-on: ubuntu-latest
env:
DEBIAN_FRONTEND: noninteractive
steps:
- uses: actions/checkout@v4
- name: Setup
run: |
sudo apt-get update && sudo apt-get install -y dkms
git submodule update --init --recursive Linux
- name: Build
id: build
run: |
uname -a
export SUPERCAN_DIR=$(find "$GITHUB_WORKSPACE/Linux" -type d -name 'supercan_usb-*' | head)
env
$GITHUB_WORKSPACE/Linux/dkms-init.sh
make V=1 KERNELRELEASE=$(uname -r) -C /lib/modules/$(uname -r)/build M=$SUPERCAN_DIR
collect:
needs: [build-win, build-firmware, package-sources]
runs-on: ubuntu-latest
outputs:
hashes: ${{ steps.sum.outputs.hashes }}
steps:
- name: Collect hashes
id: sum
run: |
echo ${{needs.package-sources.outputs.hashes}} | base64 -d >>${{ runner.temp }}/hashes
echo ${{needs.build-win.outputs.hashes}} | base64 -d >>${{ runner.temp }}/hashes
echo ${{needs.build-firmware.outputs.hashes}} | base64 -d >>${{ runner.temp }}/hashes
echo "hashes=$(cat ${{ runner.temp }}/hashes | base64 -w0)" >> "$GITHUB_OUTPUT"
provenance:
needs: [collect]
permissions:
actions: read
id-token: write
contents: write
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
base64-subjects: "${{ needs.collect.outputs.hashes }}"
# Upload provenance to a new release
upload-assets: false
provenance-name: supercan.intoto.jsonl
latest:
needs: [provenance]
runs-on: ubuntu-latest
# if: startsWith(github.ref, 'refs/heads/')
steps:
- name: Download artifacts
id: download
uses: actions/download-artifact@v3
- name: Debugging
run: |
find ${{ steps.download.outputs.download-path }}
- name: Upload artifacts to release
uses: softprops/action-gh-release@v1
with:
tag_name: latest-master
files: |
${{ steps.download.outputs.download-path }}/artifact/*
${{ steps.download.outputs.download-path }}/supercan.intoto.jsonl/supercan.intoto.jsonl
release:
needs: [provenance]
runs-on: ubuntu-latest
if: startsWith(github.ref, 'refs/tags/')
steps:
- name: Download artifacts
id: download
uses: actions/download-artifact@v3
- name: Debugging
run: |
find ${{ steps.download.outputs.download-path }}
echo ${{ github.ref }}
echo ${{ github.ref_name }}
- name: Create release
id: create_release
uses: actions/create-release@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
with:
tag_name: ${{ github.ref }}
release_name: SuperCAN ${{ github.ref }}
draft: true
prerelease: true
- name: Upload firmware asset
uses: actions/upload-release-asset@v1
env:
GITHUB_TOKEN: ${{ github.token }}
with:
upload_url: ${{ steps.create_release.outputs.upload_url }}
asset_path: ${{ steps.download.outputs.download-path }}/artifact/supercan-firmware.tar.xz
asset_name: supercan-firmware.tar.xz
asset_content_type: application/x-xz
- name: Upload Windows binaries asset
uses: actions/upload-release-asset@v1
env:
GITHUB_TOKEN: ${{ github.token }}
with:
upload_url: ${{ steps.create_release.outputs.upload_url }}
asset_path: ${{ steps.download.outputs.download-path }}/artifact/supercan-win.7z
asset_name: supercan-win.7z
asset_content_type: application/x-7z-compressed
- name: Upload Windows installer asset
uses: actions/upload-release-asset@v1
env:
GITHUB_TOKEN: ${{ github.token }}
with:
upload_url: ${{ steps.create_release.outputs.upload_url }}
asset_path: ${{ steps.download.outputs.download-path }}/artifact/supercan_inst.exe
asset_name: supercan_inst.exe
asset_content_type: application/vnd.microsoft.portable-executable
- name: Upload SLSA provenance
uses: actions/upload-release-asset@v1
env:
GITHUB_TOKEN: ${{ github.token }}
with:
upload_url: ${{ steps.create_release.outputs.upload_url }}
asset_path: ${{ steps.download.outputs.download-path }}/supercan.intoto.jsonl/supercan.intoto.jsonl
asset_name: supercan.intoto.jsonl
asset_content_type: application/octet-stream