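# Builds the notary-server Gramine SGX enclave, captures its SIGSTRUCT
# (the signed enclave measurement, shown via gramine-sgx-sigstruct-view) and
# has GitHub issue a build-provenance attestation over notary-server.sig so a
# verifier can tie the measurement back to this exact workflow run.
name: Create New SGX Report

# NOTE(review): `push` fires for every branch, so any push to the repository
# mints a GitHub-signed attestation for whatever that branch contains.
# Consider restricting this to release tags or the default branch.
on: push

jobs:
  build_and_generate_report:
    runs-on: ubuntu-latest
    # Least privilege: id-token + attestations are what
    # actions/attest-build-provenance needs; the checkout only needs read.
    permissions:
      id-token: write
      contents: read
      attestations: write
    defaults:
      run:
        shell: bash
        # Every `run` step executes inside the enclave project directory.
        # `uses` steps are NOT affected and resolve paths from the workspace.
        working-directory: ./notary-server
    name: install Gramine
    steps:
      # NOTE(review): all actions below are pinned to moving tags; pinning to a
      # full commit SHA is the recommended supply-chain hardening.
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.ref }}

      - name: add gramine key
        run: |
          # Vendor keyring fetched over TLS; `signed-by` restricts apt to this
          # key so no other system key can authorise these packages.
          sudo curl -fsSLo /usr/share/keyrings/gramine-keyring.gpg https://packages.gramineproject.io/gramine-keyring.gpg
          echo "deb [arch=amd64 signed-by=/usr/share/keyrings/gramine-keyring.gpg] https://packages.gramineproject.io/ $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/gramine.list

      # TODO(security): `latest` is a moving tag on a third-party action; pin it
      # to a full commit SHA so the install step cannot change underneath us.
      - uses: awalsh128/cache-apt-pkgs-action@latest
        with:
          # `gramine` was listed twice in the original; once is enough.
          packages: rustc cargo gramine cmake clang
          # Cache-key version; quoted so YAML keeps it a string, not the float 1.1.
          version: "1.1"
          execute_install_scripts: true

      - name: Set PATH
        # GITHUB_PATH is the supported way to extend PATH for later steps.
        # The original wrote `export PATH=...` into GITHUB_ENV, which does not
        # update PATH at all. Both dirs are normally already on PATH on
        # ubuntu-latest (and later steps use absolute paths), so this is
        # belt-and-braces rather than load-bearing.
        run: |
          echo "/usr/local/bin" >> "$GITHUB_PATH"
          echo "/usr/bin" >> "$GITHUB_PATH"

      - name: generate manifest and sig
        run: |
          make
          # -f overwrites any existing key: the signing key is generated fresh
          # in this run, so MRSIGNER is not stable across runs. Verifiers should
          # rely on MRENCLAVE plus the GitHub attestation below, not MRSIGNER.
          /usr/bin/gramine-sgx-gen-private-key -f
          /usr/bin/gramine-sgx-sign -v --manifest notary-server.manifest --output notary-server.sgx

      - name: capture sig
        id: sigstruct
        run: |
          sigview="$(/usr/bin/gramine-sgx-sigstruct-view notary-server.sig)"
          # Multi-line value: must use the heredoc form of GITHUB_ENV.
          {
            echo 'SGX_REPORT<<EOF'
            echo "$sigview"
            echo EOF
          } >> "$GITHUB_ENV"
          echo "$sigview"

      - name: stage files for upload and attestation
        # The original did `mkdir -p /attestations` (fails without sudo for the
        # runner user), then `echo ${{ env.SGX_REPORT }} > /attestations`
        # (redirect onto a directory, and a multi-line value interpolated
        # straight into the shell command line). The actual notary-server.sig
        # was never copied anywhere, so the upload/attest steps pointed at a
        # file that did not exist. Stage everything inside the workspace, copy
        # the real .sig, and read $SGX_REPORT from the environment so its
        # contents are never parsed as shell.
        run: |
          mkdir -p "$GITHUB_WORKSPACE/attestations"
          cp notary-server.sig "$GITHUB_WORKSPACE/attestations/notary-server.sig"
          printf '%s\n' "$SGX_REPORT" > "$GITHUB_WORKSPACE/attestations/notary-server.sigstruct.txt"

      - name: upload artifact
        uses: actions/upload-artifact@v4
        with:
          # Uploads both the binary SIGSTRUCT and its human-readable dump.
          path: ${{ github.workspace }}/attestations/

      - name: get github to sign our measurement
        # Attests the binary SIGSTRUCT (which carries the enclave measurement),
        # not the text dump; the text is for humans only.
        uses: actions/attest-build-provenance@v1
        with:
          subject-path: ${{ github.workspace }}/attestations/notary-server.sig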