Merge branch 'dev'

richardfan1126 · May 11, 2024 · fd48b19 · fd48b19
2 parents 0d9c21e + 40c543a
commit fd48b19
Show file tree

Hide file tree

Showing 2 changed files with 52 additions and 11 deletions.
diff --git a/README.md b/README.md
@@ -34,6 +34,7 @@ steps:
       eif-file-name: enclave.eif
       eif-info-file-name: enclave-info.json
       artifact-tag: latest
+      save-pcrs-in-annotation: true
       github-token: ${{ secrets.GITHUB_TOKEN }}
 ```
 
@@ -51,7 +52,7 @@ If `enable-ghcr-push` is `true`, the following permission is required for the wo
 
 ### Inputs
 
-* `docker-build-context-path`
+* `docker-build-context-path` (**Required**)
 
     The path of the Docker build context. Usually, it is the directory containing your `Dockerfile`.
 
@@ -97,13 +98,21 @@ If `enable-ghcr-push` is `true`, the following permission is required for the wo
 
     This must be set if `enable-ghcr-push` is `true`.
 
+* `save-pcrs-in-annotation`
+
+    (Default: `false`)
+
+    Set to `true` to add PRC values of the EIF (PCR0, PCR1 and PCR2) as artifact annotation.
+
+    Read ORAS documentation for more detail: https://oras.land/docs/how_to_guides/manifest_annotations
+
+    If this input is `true`, `enable-ghcr-push` must also set to `true`.
+
 * `github-token`
 
-    The token used to sign in to ghcr
+    (Default: `${{ github.token }}`)
 
-    This must be set if `enable-ghcr-push` is `true`.
-
-    Suggest to use `${{ secrets.GITHUB_TOKEN }}`
+    The token used to sign in to ghcr
 
 ### Outputs
 

diff --git a/action.yaml b/action.yaml
@@ -31,9 +31,14 @@ inputs:
   artifact-tag:
     description: "The tag of the pushed artifact on ghcr. (Required when enable-ghcr-push is true)"
     required: false
+  save-pcrs-in-annotation:
+    description: "Whether to save PCR values as Oras annotation (Allowed values: 'true', 'false')"
+    required: true
+    default: "false"
   github-token:
     description: "The Github token used to login ghcr. (Required when enable-ghcr-push is true)"
     required: false
+    default: ${{ github.token }}
 
 outputs:
   eif-file-path:
@@ -77,6 +82,7 @@ runs:
         EIF_FILE_NAME: ${{ inputs.eif-file-name }}
         EIF_INFO_FILE_NAME: ${{ inputs.eif-info-file-name }}
         ARTIFACT_TAG: ${{ inputs.artifact-tag }}
+        SAVE_PCRS_IN_ANNOTATION: ${{ inputs.save-pcrs-in-annotation }}
         GITHUB_TOKEN: ${{ inputs.github-token }}
       run: |
         if [[ "${ENABLE_GHCR_PUSH}" != "true" && "${ENABLE_GHCR_PUSH}" != "false" ]]; then
@@ -89,11 +95,21 @@ runs:
           exit 1
         fi
 
+        if [[ "${SAVE_PCRS_IN_ANNOTATION}" != "true" && "${SAVE_PCRS_IN_ANNOTATION}" != "false" ]]; then
+          echo "::error title=⛔ error hint::save-pcrs-in-annotation should be 'true' or 'false'"
+          exit 1
+        fi
+
         if [[ "${ENABLE_ARTIFACT_SIGN}" == "true" && "${ENABLE_GHCR_PUSH}" != "true" ]]; then
           echo "::error title=⛔ error hint::enable-ghcr-push must be true when enable-artifact-sign is true"
           exit 1
         fi
 
+        if [[ "${SAVE_PCRS_IN_ANNOTATION}" == "true" && "${ENABLE_GHCR_PUSH}" != "true" ]]; then
+          echo "::error title=⛔ error hint::enable-ghcr-push must be true when save-pcrs-in-annotation is true"
+          exit 1
+        fi
+
         if [[ "${ENABLE_GHCR_PUSH}" == "true" ]]; then
           if [[ -z "${EIF_FILE_NAME}" || -z "${EIF_INFO_FILE_NAME}" || -z "${ARTIFACT_TAG}" || -z "${GITHUB_TOKEN}" ]]; then
             echo "::error title=⛔ error hint::eif-file-name, eif-info-file-name, artifact-tag and github-token must be specified when enable-ghcr-push is true"
@@ -148,6 +164,7 @@ runs:
         EIF_FILE_NAME: ${{ inputs.eif-file-name }}
         EIF_INFO_FILE_NAME: ${{ inputs.eif-info-file-name }}
         ARTIFACT_TAG: ${{ inputs.artifact-tag }}
+        SAVE_PCRS_IN_ANNOTATION: ${{ inputs.save-pcrs-in-annotation }}
       run: |
         WORKDIR="${{ github.action_path }}/artifact-push/"
 
@@ -159,12 +176,27 @@ runs:
 
         mkdir tmp/
 
-        oras push \
-          --export-manifest tmp/manifest.json \
-          "ghcr.io/${{ github.repository }}:${ARTIFACT_TAG}" \
-          "${EIF_FILE_NAME}" \
-          "${EIF_INFO_FILE_NAME}"
-        
+        if [[ "${SAVE_PCRS_IN_ANNOTATION}" == "true" ]]; then
+          PCR0=$(jq -r ".Measurements.PCR0" ${WORKDIR}/${EIF_INFO_FILE_NAME})
+          PCR1=$(jq -r ".Measurements.PCR1" ${WORKDIR}/${EIF_INFO_FILE_NAME})
+          PCR2=$(jq -r ".Measurements.PCR2" ${WORKDIR}/${EIF_INFO_FILE_NAME})
+
+          oras push \
+            --export-manifest tmp/manifest.json \
+            --annotation "PCR0=${PCR0}" \
+            --annotation "PCR1=${PCR1}" \
+            --annotation "PCR2=${PCR2}" \
+            "ghcr.io/${{ github.repository }}:${ARTIFACT_TAG}" \
+            "${EIF_FILE_NAME}" \
+            "${EIF_INFO_FILE_NAME}"
+        else
+          oras push \
+            --export-manifest tmp/manifest.json \
+            "ghcr.io/${{ github.repository }}:${ARTIFACT_TAG}" \
+            "${EIF_FILE_NAME}" \
+            "${EIF_INFO_FILE_NAME}"
+        fi
+
         DIGEST=$(sha256sum tmp/manifest.json | cut -d " " -f 1)
 
         echo "digest=${DIGEST}" >> "${GITHUB_OUTPUT}"