Fix GCB config (#199)

transparency-dev · Feb 28, 2024 · 22dd4fc · 22dd4fc
1 parent d0ddcd3
commit 22dd4fc
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 25 deletions.
diff --git a/release/cloudbuild_ci.yaml b/release/cloudbuild_ci.yaml
@@ -136,7 +136,7 @@ steps:
           \"bucket\": \"${_LOG_NAME}\",
           \"kmsKeyName\": \"ft-log-ci\",
           \"kmsKeyRing\": \"firmware-release-ci\",
-          \"kmsKeyVersion\": \"${_KEY_VERSION}\",
+          \"kmsKeyVersion\": ${_KEY_VERSION},
           \"kmsKeyLocation\": \"global\",
           \"noteKeyName\": \"transparency.dev-aw-ftlog-ci-${_KEY_VERSION}\",
           \"checkpointCacheControl\": \"${_CHECKPOINT_CACHE}\"
@@ -154,7 +154,7 @@ steps:
           "bucket": "${_LOG_NAME}",
           "kmsKeyName": "ft-log-ci",
           "kmsKeyRing": "firmware-release-ci",
-          "kmsKeyVersion": "${_KEY_VERSION}",
+          "kmsKeyVersion": ${_KEY_VERSION},
           "kmsKeyLocation": "global",
           "noteKeyName": "transparency.dev-aw-ftlog-ci-${_KEY_VERSION}",
           "checkpointCacheControl": "${_CHECKPOINT_CACHE}"
@@ -169,19 +169,23 @@ steps:
         gcloud storage rm \
         gs://${_LOG_NAME}/${_ENTRIES_DIR}/$(sha256sum output/trusted_os_manifest_both | cut -f1 -d" ")/trusted_os_manifest_both
 substitutions:
+  # Note that to be a valid CloudBuild config these MUST all be strings.
+  # Without explicit quotes, some things may be interpreted as other types since
+  # this is a YAML file, so to avoid future tears let's keep these all quoted.
+  #
   # Build-related.
-  _FIRMWARE_BUCKET: armored-witness-firmware-ci-2
+  _FIRMWARE_BUCKET: 'armored-witness-firmware-ci-2'
   _TAMAGO_VERSION: '1.21.5'
   # Log-related.
-  _ENTRIES_DIR: firmware-log-sequence
+  _ENTRIES_DIR: 'firmware-log-sequence'
   # This must correspond with the trailing number on the _FIRMWARE_BUCKET, _ORIGIN, _LOG_NAME values.
   _KEY_VERSION: '2'
-  _ORIGIN: transparency.dev/armored-witness/firmware_transparency/ci/2
-  _LOG_NAME: armored-witness-firmware-log-ci-2
-  _LOG_PUBLIC_KEY: transparency.dev-aw-ftlog-ci-2+f77c6276+AZXqiaARpwF4MoNOxx46kuiIRjrML0PDTm+c7BLaAMt6
-  _APPLET_PUBLIC_KEY: transparency.dev-aw-applet-ci+3ff32e2c+AV1fgxtByjXuPjPfi0/7qTbEBlPGGCyxqr6ZlppoLOz3
-  _OS_PUBLIC_KEY1: transparency.dev-aw-os1-ci+7a0eaef3+AcsqvmrcKIbs21H2Bm2fWb6oFWn/9MmLGNc6NLJty2eQ
-  _OS_PUBLIC_KEY2: transparency.dev-aw-os2-ci+af8e4114+AbBJk5MgxRB+68KhGojhUdSt1ts5GAdRIT1Eq9zEkgQh
+  _ORIGIN: 'transparency.dev/armored-witness/firmware_transparency/ci/2'
+  _LOG_NAME: 'armored-witness-firmware-log-ci-2'
+  _LOG_PUBLIC_KEY: 'transparency.dev-aw-ftlog-ci-2+f77c6276+AZXqiaARpwF4MoNOxx46kuiIRjrML0PDTm+c7BLaAMt6'
+  _APPLET_PUBLIC_KEY: 'transparency.dev-aw-applet-ci+3ff32e2c+AV1fgxtByjXuPjPfi0/7qTbEBlPGGCyxqr6ZlppoLOz3'
+  _OS_PUBLIC_KEY1: 'transparency.dev-aw-os1-ci+7a0eaef3+AcsqvmrcKIbs21H2Bm2fWb6oFWn/9MmLGNc6NLJty2eQ'
+  _OS_PUBLIC_KEY2: 'transparency.dev-aw-os2-ci+af8e4114+AbBJk5MgxRB+68KhGojhUdSt1ts5GAdRIT1Eq9zEkgQh'
   _BEE: '1'
   _DEBUG: '1'
   _CHECKPOINT_CACHE: 'public, max-age=30'

diff --git a/release/cloudbuild_presubmit.yaml b/release/cloudbuild_presubmit.yaml
@@ -81,14 +81,18 @@ steps:
       - cat
       - output/trusted_os_manifest_unsigned.json
 substitutions:
+  # Note that to be a valid CloudBuild config these MUST all be strings.
+  # Without explicit quotes, some things may be interpreted as other types since
+  # this is a YAML file, so to avoid future tears let's keep these all quoted.
+  #
   # Build-related.
-  _FIRMWARE_BUCKET: armored-witness-firmware-ci-1
+  _FIRMWARE_BUCKET: 'armored-witness-firmware-ci-1'
   _TAMAGO_VERSION: '1.21.5'
   # This must correspond with the trailing number on the _FIRMWARE_BUCKET, _ORIGIN values.
   _KEY_VERSION: '1'
-  _ORIGIN: transparency.dev/armored-witness/firmware_transparency/ci/1
-  _LOG_PUBLIC_KEY: transparency.dev-aw-ftlog-ci+f5479c1e+AR6gW0mycDtL17iM2uvQUThJsoiuSRirstEj9a5AdCCu
-  _APPLET_PUBLIC_KEY: transparency.dev-aw-applet-ci+3ff32e2c+AV1fgxtByjXuPjPfi0/7qTbEBlPGGCyxqr6ZlppoLOz3
-  _OS_PUBLIC_KEY1: transparency.dev-aw-os1-ci+7a0eaef3+AcsqvmrcKIbs21H2Bm2fWb6oFWn/9MmLGNc6NLJty2eQ
-  _OS_PUBLIC_KEY2: transparency.dev-aw-os2-ci+af8e4114+AbBJk5MgxRB+68KhGojhUdSt1ts5GAdRIT1Eq9zEkgQh
+  _ORIGIN: 'transparency.dev/armored-witness/firmware_transparency/ci/1'
+  _LOG_PUBLIC_KEY: 'transparency.dev-aw-ftlog-ci+f5479c1e+AR6gW0mycDtL17iM2uvQUThJsoiuSRirstEj9a5AdCCu'
+  _APPLET_PUBLIC_KEY: 'transparency.dev-aw-applet-ci+3ff32e2c+AV1fgxtByjXuPjPfi0/7qTbEBlPGGCyxqr6ZlppoLOz3'
+  _OS_PUBLIC_KEY1: 'transparency.dev-aw-os1-ci+7a0eaef3+AcsqvmrcKIbs21H2Bm2fWb6oFWn/9MmLGNc6NLJty2eQ'
+  _OS_PUBLIC_KEY2: 'transparency.dev-aw-os2-ci+af8e4114+AbBJk5MgxRB+68KhGojhUdSt1ts5GAdRIT1Eq9zEkgQh'
   _DEBUG: '1'
diff --git a/release/cloudbuild_withsecure_signature.yaml b/release/cloudbuild_withsecure_signature.yaml
@@ -59,7 +59,7 @@ steps:
           "bucket": "${_LOG_NAME}",
           "kmsKeyName": "ft-log-ci",
           "kmsKeyRing": "firmware-release-ci",
-          "kmsKeyVersion": "${_KEY_VERSION}",
+          "kmsKeyVersion": ${_KEY_VERSION},
           "kmsKeyLocation": "global",
           "noteKeyName": "transparency.dev-aw-ftlog-ci",
           "checkpointCacheControl": "${_CHECKPOINT_CACHE}"
@@ -78,24 +78,28 @@ steps:
           "bucket": "${_LOG_NAME}",
           "kmsKeyName": "ft-log-ci",
           "kmsKeyRing": "firmware-release-ci",
-          "kmsKeyVersion": "${_KEY_VERSION}",
+          "kmsKeyVersion": ${_KEY_VERSION},
           "kmsKeyLocation": "global",
           "noteKeyName": "transparency.dev-aw-ftlog-ci",
           "checkpointCacheControl": "${_CHECKPOINT_CACHE}"
         }
 substitutions:
+  # Note that to be a valid CloudBuild config these MUST all be strings.
+  # Without explicit quotes, some things may be interpreted as other types since
+  # this is a YAML file, so to avoid future tears let's keep these all quoted.
+  #
   # TODO(jayhou): do not use CI bucket when we flip this trigger to prod.
-  _FIRMWARE_BUCKET: armored-witness-firmware-ci-1
-  _FIRMWARE_COMPONENT: trusted-os
-  _WITHSECURE_DIR: release/withsecure
+  _FIRMWARE_BUCKET: 'armored-witness-firmware-ci-1'
+  _FIRMWARE_COMPONENT: 'trusted-os'
+  _WITHSECURE_DIR: 'release/withsecure'
   # TODO(jayhou): remove this when we flip this trigger to prod.
-  _TEST_TAG_NAME: withsecure_v0.1.2
+  _TEST_TAG_NAME: 'withsecure_v0.1.2'
   # Log-related.
-  _ENTRIES_DIR: firmware-log-sequence
+  _ENTRIES_DIR: 'firmware-log-sequence'
   # TODO(jayhou): switch to prod origin.
-  _ORIGIN: transparency.dev/armored-witness/firmware_transparency/ci/1
+  _ORIGIN: 'transparency.dev/armored-witness/firmware_transparency/ci/1'
   # TODO(jayhou): do not use CI bucket when we flip this trigger to prod.
-  _LOG_NAME: armored-witness-firmware-log-ci-1
+  _LOG_NAME: 'armored-witness-firmware-log-ci-1'
   # This must correspond with the trailing number on the _FIRMWARE_BUCKET, _ORIGIN, _LOG_NAME values.
   _KEY_VERSION: '1'
   _CHECKPOINT_CACHE: 'public, max-age=30'