This GitHub Action use kaniko and Amazon Linux container with nitro-cli to build a reproducible AWS Nitro Enclaves EIF file and its information.
This actions has an optional feature to upload the EIF file and its info the ghcr registry.
There is another optional feature to use SigStore and the Github actions token to sign the upload artifact.
To enable these feature, set the input enable-ghcr-push
(For artifact upload) and enable-artifact-sign
(For artifact signing) to true
Read this on downloading and verifying the signed artifact
Example
# The following permissions are required when "enable-ghcr-push" is true
permissions:
packages: write
id-token: write
steps:
- name: Build EIF
id: build-eif
uses: richardfan1126/nitro-enclaves-eif-build-action@v1
with:
docker-build-context-path: app/
dockerfile-path: Dockerfile
enable-ghcr-push: true
enable-artifact-sign: true
eif-file-name: enclave.eif
eif-info-file-name: enclave-info.json
artifact-tag: latest
save-pcrs-in-annotation: true
github-token: ${{ secrets.GITHUB_TOKEN }}
See richardfan1126/nitro-enclaves-cosign-sandbox for sample use case.
This action only runs on x64 Linux runner.
If enable-ghcr-push
is true
, the following permission is required for the workflow:
-
packages: write
-
id-token: write
-
docker-build-context-path
(Required)The path of the Docker build context. Usually, it is the directory containing your
Dockerfile
.This path is relative to your GitHub project root directory.
-
dockerfile-path
(Default:
Dockerfile
)The path of the Dockerfile used to build the EIF file.
This path is relative to
docker-build-context-path
-
enable-ghcr-push
(Default:
false
)Set to
true
to upload artifacts into ghcr. -
enable-artifact-sign
(Default:
false
)Set to
true
to use SigStore to sign the uploaded artifact on ghcr.If this input is
true
,enable-ghcr-push
must also set totrue
. -
eif-file-name
The filename of the EIF file uploaded to ghcr
This must be set if
enable-ghcr-push
istrue
. -
eif-info-file-name
The filename of the EIF info text file uploaded to ghcr
This must be set if
enable-ghcr-push
istrue
. -
artifact-tag
The tag of the artifact uploaded to ghcr
This must be set if
enable-ghcr-push
istrue
. -
save-pcrs-in-annotation
(Default:
false
)Set to
true
to add PRC values of the EIF (PCR0, PCR1 and PCR2) as artifact annotation.Read ORAS documentation for more detail: https://oras.land/docs/how_to_guides/manifest_annotations
If this input is
true
,enable-ghcr-push
must also set totrue
. -
github-token
(Default:
${{ github.token }}
)The token used to sign in to ghcr
-
eif-file-path
The path of the built EIF file
-
eif-info-path
The path of the text file containing the EIF information
Example of the file content:
{ "EifVersion": 4, "Measurements": { "HashAlgorithm": "Sha384 { ... }", "PCR0": "1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef", "PCR1": "1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef", "PCR2": "1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef" }, "IsSigned": false, "CheckCRC": true, "ImageName": "1111111111111", "ImageVersion": "1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef", "Metadata": { "BuildTime": "2020-01-01T00:00:00.000000000+00:00", "BuildTool": "nitro-cli", "BuildToolVersion": "1.0.0", "OperatingSystem": "Linux", "KernelVersion": "4.0.0", "DockerInfo": { "Architecture": "amd64", "Author": "", "Comment": "", "Config": { "AttachStderr": false, "AttachStdin": false, "AttachStdout": false, "Cmd": [ "/bin/sh", "-c", "/app" ], "Domainname": "", "Entrypoint": null, "Env": [ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "ARCH=x86_64" ], "ExposedPorts": null, "Hostname": "", "Image": "sha256:1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef", "Labels": null, "OnBuild": null, "OpenStdin": false, "StdinOnce": false, "Tty": false, "User": "", "WorkingDir": "/app" }, "Created": "0001-01-01T00:00:00Z", "DockerVersion": "", "Id": "sha256:1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef", "Os": "linux", "Parent": "", "RepoDigests": [], "RepoTags": [ "1111111111111:latest" ], "Size": 9999999, "VirtualSize": 9999999 } } }
-
ghcr-artifact-digest
The digest of the pushed ghcr artifact.
Only applicable when
enable-ghcr-push
istrue
. -
ghcr-artifact-path
The full path of the pushed ghcr artifact.
Only applicable when
enable-ghcr-push
istrue
. -
rekor-log-index
The Rekor transparency log index of the signing.
It can be used to find the signing log on Rekor Search
Only applicable when
enable-ghcr-push
istrue
.
In this Github Action, the artifact is uploaded to ghcr by ORAS and signed by SigStore cosign.
The uploaded artifact path is in the output ghcr-artifact-path
, you can use the following command to pull it:
oras pull ghcr.io/username/repo:tag@sha256:<digest>
The artifact signing is recorded in Rekor transparency log.
With the Log index in output rekor-log-index
, you can find the signing log on Rekor Search
To verify the uploaded artifact against the signature, you can use the following command:
Replace <username>
with your Github username and <repo>
with the Github repository name
cosign verify ghcr.io/username/repo:tag \
--certificate-identity-regexp https://github.com/<username>/<repo>/ \
--certificate-oidc-issuer https://token.actions.githubusercontent.com