diff --git a/.github/workflows/artifacts.yml b/.github/workflows/artifacts.yml
index 3d848e6c..f4e4f293 100644
--- a/.github/workflows/artifacts.yml
+++ b/.github/workflows/artifacts.yml
@@ -25,3 +25,34 @@ jobs:
 shell: 'script -q -e -c "bash {0}"'
 run: |
 make -j$(nproc)
+ reproduce:
+ name: reproduce artifacts
+ runs-on:
+ group: ubuntu-runners
+ strategy:
+ matrix:
+ host: [144.76.154.76]
+ steps:
+ - name: Checkout sources
+ uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+ - name: Run `make`
+ run: |
+ mkdir -p ~/.ssh/
+ chmod 700 ~/.ssh
+ echo "${{ secrets.REPROS_KEY }}" > ~/.ssh/repros.key
+ chmod 600 ~/.ssh/repros.key
+ cat >>~/.ssh/config <<-END
+ Host $${{matrix.host}}
+ HostName ${{matrix.host}}
+ User git
+ IdentityFile ~/.ssh/repros.key
+ StrictHostKeyChecking no
+ END
+ echo "Using key: ~/.ssh/repros.key"
+ ssh-keygen -l -f /home/runner/.ssh/repros.key
+ ssh-keyscan -H ${{matrix.host}} >> ~/.ssh/known_hosts
+ git remote add repros-lance git@${{matrix.host}}:qos
+ ssh-agent sh -c " \
+ ssh-add ~/.ssh/repros.key \
+ && git push repros-lance HEAD \
+ "
diff --git a/.repros/config.yml b/.repros/config.yml
new file mode 100644
index 00000000..8551fad9
--- /dev/null
+++ b/.repros/config.yml
@@ -0,0 +1,15 @@
+build:
+ command: make
+sign:
+ files:
+ - out/qos_client/index.json
+ - out/qos_enclave/index.json
+ - out/qos_host/index.json
+ - out/digests.txt
+ format: raw
+ method: ssh
+ backing: disk
+storage:
+ method: git
+ location: git@github.com:tkhq/repros-sigs.git
+ path: /qos
diff --git a/Makefile b/Makefile
index 91e4dac9..0d11badd 100644
--- a/Makefile
+++ b/Makefile
@@ -3,7 +3,10 @@ include src/macros.mk
 REGISTRY := local
 .DEFAULT_GOAL :=
 .PHONY: default
-default: \
+default: out/digests.txt
+
+.PHONY: all
+all: \
 out/qos_client/index.json \
 out/qos_host/index.json \
 out/qos_enclave/index.json
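Review bot: `StrictHostKeyChecking no` in the generated ssh config disables server authentication altogether, so the `ssh-keyscan -H ${{matrix.host}} >> ~/.ssh/known_hosts` line that follows adds nothing: both trust whichever host answers at 144.76.154.76 at run time, and an on-path attacker can impersonate the reproduction host and receive the `git push` in its place. Pin the host key out of band instead — keep its known_hosts line in a repository variable, write it with `echo "${{ vars.REPROS_HOST_KEY }}" >> ~/.ssh/known_hosts`, set `StrictHostKeyChecking yes`, and drop the keyscan. Separately, `Host $${{matrix.host}}` looks like a Makefile-style `$$` that slipped in: the expression expands to `$144.76.154.76` inside an unquoted heredoc, and the shell reads `$144` as `$1` followed by `44`, so the `Host` stanza probably never matches the address used on the `git remote add` line — `Host ${{matrix.host}}` is presumably what was meant. Passing the key through an `env:` entry rather than interpolating `${{ secrets.REPROS_KEY }}` into the script body would also follow GitHub's guidance for keeping expression values out of shell text.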
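Review bot: `sign.files` hand-duplicates the package list that the Makefile's `all` target builds (the three `out/*/index.json` files) plus `out/digests.txt`, and nothing ties the two together, so a package added to the Makefile later would be built and pushed but silently never signed. A header comment would make the coupling visible, e.g. `# Keep in sync with the prerequisites of the Makefile's "all" target (plus out/digests.txt): an artifact missing here is built but never signed.`. `backing: disk` next to `method: ssh` presumably means the signing key is a plain file on the reproduction host rather than a hardware-backed key; worth confirming that is intended for signatures that land in tkhq/repros-sigs, and stating it in the same comment.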
@@ -39,6 +42,9 @@ shell: out/.common-loaded
 qos-local/common:latest \
 /bin/bash
+out/digests.txt: all
+ @$(call digests) > $@
+
 out/nitro.pcrs: out/qos_enclave.tar
 @$(call run,/src/scripts/extract_oci_file.sh qos_enclave.tar nitro.pcrs)
diff --git a/src/macros.mk b/src/macros.mk
index 5bd31ce1..1566866c 100644
--- a/src/macros.mk
+++ b/src/macros.mk
@@ -13,6 +13,18 @@ define run
 /bin/sh -c "set -eu; $(1)"
 endef
+define digests
+ find out -iname "index.json" \
+ | awk -F/ '{print $$2}' \
+ | sort \
+ | while IFS= read -r package; do \
+ jq \
+ -jr '.manifests[].digest | sub ("sha256:";"")' \
+ out/$${package}/index.json; \
+ printf " %s\n" "$${package}"; \
+ done
+endef
+
 define build_context
 $$( \
 self=$(1); \
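Review bot: The recipe for `out/digests.txt` redirects straight into `$@`, so if the `digests` pipeline exits non-zero part-way through, a truncated digest list is left under the target name — and since that file is one of the inputs listed for signing in `.repros/config.yml`, present-but-truncated is the wrong failure mode. Write it atomically, `@$(call digests) > $@.tmp && mv -f $@.tmp $@`, or set `.DELETE_ON_ERROR:` if the top of the Makefile (outside this hunk) does not already. A one-line comment would also help the next reader, since `all` is `.PHONY` and this target is therefore regenerated on every run rather than by timestamp: `# Always regenerated: "all" is phony, so the digest list tracks the current out/ contents.`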
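Review bot: A failing `jq` inside the `while` loop never fails the `digests` pipeline: the loop's exit status is that of its last `printf`, and unlike `run` this macro is not wrapped in `set -eu`, so a missing or malformed `out/<package>/index.json` yields a line with an empty hash while `make` still reports success. Add `|| exit 1` after the jq invocation — `out/$${package}/index.json || exit 1; \` — so the loop aborts and the target fails. Two smaller points: `find out -iname "index.json"` without `-maxdepth 2` would also pick up any index.json nested deeper than `out/<package>/`, and `awk '{print $$2}'` would then name the wrong directory; and with `-j`, several entries in `.manifests[]` are concatenated into one unseparated hash, which is fine only if each index is known to hold exactly one manifest — worth a comment stating that assumption.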