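# SPDX-FileCopyrightText: Copyright 2025-2026 The Secureblue Authors
#
# SPDX-License-Identifier: Apache-2.0

# Reusable PR build workflow: builds one bluebuild recipe for a pull request
# without pushing the resulting image anywhere.
name: build-pullrequest

# Default-deny at the workflow level; the job below grants only what it needs.
permissions: {}

# "on" is the Actions trigger key. Generic YAML 1.1 parsers read it as the
# boolean true; GitHub's loader handles it, so no quoting is needed here.
on:
  workflow_call:
    inputs:
      recipe:
        required: true
        type: string

# One in-flight build per workflow / PR (or ref) / recipe; a newer run cancels
# the older one.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}-${{ inputs.recipe }}
  cancel-in-progress: true

jobs:
  bluebuild:
    name: PR build
    runs-on: ubuntu-24.04
    permissions:
      contents: read # Needed to pull the repo for the build
      packages: read # Needed to read base image manifests
    # Every third-party action is pinned to a full commit SHA (the tag is kept
    # in the trailing comment) so a moved tag cannot change what runs.
    steps:
      # Egress is default-deny: only the hosts listed below are reachable from
      # the runner, which limits what a compromised dependency can talk to.
      - name: Enable egress auditing
        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: block
          # NOTE(review): the "#" lines below sit inside a folded block scalar,
          # so they are part of the string handed to harden-runner rather than
          # YAML comments. This relies on harden-runner tolerating them when it
          # splits the list on whitespace — confirm against the action's docs.
          allowed-endpoints: >
            # ubuntu packages
            _https._tcp.archive.ubuntu.com:443
            archive.ubuntu.com:443
            _https._tcp.security.ubuntu.com:443
            security.ubuntu.com:443
            _https._tcp.packages.microsoft.com:443
            packages.microsoft.com:443
            _https._tcp.motd.ubuntu.com:443
            motd.ubuntu.com:443
            _https._tcp.esm.ubuntu.com:443
            esm.ubuntu.com:443
            # cosign installation
            github.com:443
            # slsa-verifier installation
            tuf-repo-cdn.sigstore.dev:443
            rekor.sigstore.dev:443
            # pulling base images
            quay.io:443
            cdn01.quay.io:443
            # Trivalent SLSA
            release-assets.githubusercontent.com:443
            # pulling secureblue images
            ghcr.io:443
            pkg-containers.githubusercontent.com:443
            # bluebuild schema validation
            schema.blue-build.org:443
            # Install packages from our COPR repos
            copr.fedorainfracloud.org:443
            download.copr.fedorainfracloud.org:443
            # Docker installation
            production.cloudflare.docker.com:443
            registry-1.docker.io:443
            auth.docker.io:443
            # Negativo packages installation
            negativo17.org:443
            # Trivalent installation
            repo.secureblue.dev:443
            # Fedora archive
            fedoraproject-updates-archive.fedoraproject.org:443
            # Pull various cosign pubkeys
            raw.githubusercontent.com:443
            # Install brew
            formulae.brew.sh:443
            # Install the tailscale repo
            pkgs.tailscale.com:443
            # Install nvidia container toolkit repo
            nvidia.github.io:443
            # Pull gpg keys
            keyserver.ubuntu.com:443
            # Fedora mirrors
            # https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-43&arch=x86_64&protocol=https
            abqix.mm.fcix.net:443
            cfhcable.mm.fcix.net:443
            codingflyboy.mm.fcix.net:443
            cofractal-ewr.mm.fcix.net:443
            cofractal-sea.mm.fcix.net:443
            coresite-atl.mm.fcix.net:443
            coresite.mm.fcix.net:443
            d2lzkl7pfhq30w.cloudfront.net:443
            dfw.mirror.rackspace.com:443
            dl.fedoraproject.org:443
            download-cc-rdu01.fedoraproject.org:443
            download-ib01.fedoraproject.org:443
            fedora-mirror-atl.gigsouth.com:443
            fedora.mirror.constant.com:443
            forksystems.mm.fcix.net:443
            ftp2.osuosl.org:443
            ftp-chi.osuosl.org:443
            ftp-nyc.osuosl.org:443
            ftp-osl.osuosl.org:443
            gigsouth.mm.fcix.net:443
            iad.mirror.rackspace.com:443
            insect.mm.fcix.net:443
            irltoolkit.mm.fcix.net:443
            ix-denver.mm.fcix.net:443
            lesnet.mm.fcix.net:443
            lolhost.mm.fcix.net:443
            mirror.cpsc.ucalgary.ca:443
            mirror.csclub.uwaterloo.ca:443
            mirror.cs.princeton.edu:443
            mirror.cs.siue.edu:443
            mirror.dst.ca:443
            mirror.fcix.net:443
            mirror.lstn.net:443
            mirror.math.princeton.edu:443
            mirror.servaxnet.com:443
            mirrors.fedoraproject.org:443
            mirrors.mit.edu:443
            mirrors.xmission.com:443
            mirror.us.mirhosting.net:443
            mirror.web-ster.com:443
            mirror.xenyth.net:443
            muug.ca:443
            na.edge.kernel.org:443
            nnenix.mm.fcix.net:443
            nocix.mm.fcix.net:443
            ohioix.mm.fcix.net:443
            opencolo.mm.fcix.net:443
            ord.mirror.rackspace.com:443
            paducahix.mm.fcix.net:443
            pubmirror1.math.uh.edu:443
            pubmirror2.math.uh.edu:443
            pubmirror3.math.uh.edu:443
            ryamer.mm.fcix.net:443
            sjc.mirror.rackspace.com:443
            solidrock.mm.fcix.net:443
            southfront.mm.fcix.net:443
            stix.mm.fcix.net:443
            us.mirrors.cicku.me:443
            volico.mm.fcix.net:443
            yxeix.mm.fcix.net:443
            yycix.mm.fcix.net:443
            ziply.mm.fcix.net:443

      # persist-credentials: false keeps GITHUB_TOKEN out of .git/config, so
      # later steps (including the build) cannot read it back from the tree.
      - name: Checkout repo
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false

      - name: Runner setup
        id: runner_setup
        uses: ./.github/workflows/shared-runner-setup
        with:
          recipe: ${{ inputs.recipe }}

      # Installs the TEST-ONLY akmods signing keypair shipped in the repo
      # (*.test files) and exports the private half as a step output for the
      # build step. Step outputs are not masked in logs unless ::add-mask:: is
      # used, so a production key must never travel this path.
      # Explicit `shell: bash` gives the Actions default of `-eo pipefail`, so
      # a failed cp or cat fails the step. The fixed heredoc delimiter assumes
      # the key file contains no line equal to "EOF"; GitHub recommends a
      # random delimiter for arbitrary multi-line content.
      - name: Set up test keys
        id: test_keys
        shell: bash
        run: |
          cp ./.github/workflows/public_key.der.test ./files/system/etc/pki/akmods/certs/akmods-secureblue.der
          {
            echo 'kernel_privkey<<EOF'
            cat ./.github/workflows/private_key.priv.test
            echo 'EOF'
          } >> "${GITHUB_OUTPUT}"

      # Action pinned by commit; cli_version pins the bluebuild CLI it drives.
      # push: false — a PR build is never published; registry_token is only
      # needed to read base-image manifests (matches packages: read above).
      - name: Build secureblue
        uses: blue-build/github-action@24d146df25adc2cf579e918efe2d9bff6adea408 # v1.11.1
        env:
          KERNEL_PRIVKEY: ${{ steps.test_keys.outputs.kernel_privkey }}
        with:
          cli_version: v0.9.32
          recipe: ${{ inputs.recipe }}
          push: false
          registry_token: ${{ github.token }}
          pr_event_number: ${{ github.event.number }}
          maximize_build_space: true
          squash: true
          skip_checkout: true
          verify_install: true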