.gitlab-ci.yml
variables:
  # Release tag of stmgr that both build jobs install via
  # `go install system-transparency.org/stmgr@"${STMGR_VERSION}"`.
  # Defining it once keeps build-example-os and build-stboot on the same tool version.
  STMGR_VERSION: v0.6.6
# Stages run in the order listed: the OS image (build/1) is produced before
# stboot (build/2), and the boot test runs last.
stages:
  - build/1
  - build/2
  - boot
# Builds the example OS image with `make stimage` and publishes build/stimage.*
# together with the keys/ directory as job artifacts.
build-example-os:
  stage: build/1
  tags:
    - longrunning
  # NOTE(review): this is a mutable image tag, so the build environment can change
  # between runs; pin by digest if the image must be reproducible.
  image: debian:bookworm-backports
  before_script:
    - apt-get -qq update
    - apt-get install -qqy golang-1.23-go ca-certificates make cpio mmdebstrap libsystemd-shared
    # Install Go binaries into a project-local directory and put it, plus the
    # Go 1.23 toolchain, on PATH.
    - |
      export GOBIN="${PWD}"/.go/bin; mkdir -p "$GOBIN"
      export PATH="${PATH}":/usr/lib/go-1.23/bin:"${GOBIN}"
    - go install system-transparency.org/stmgr@"${STMGR_VERSION}"
  script:
    # The root password written here is fixed and visible in this file, so the
    # resulting image is suitable as an example only.
    - echo stimages > config/example/pw.root # Default root password in OS image
    - make stimage
    # Truncate both private-key files to zero length before the artifact upload
    # below, so keys/ is published without their contents.
    # NOTE(review): only these two files are emptied; anything else that
    # `make stimage` leaves under keys/ is uploaded unchanged -- confirm against
    # the Makefile that no other secret material lands there.
    - cat /dev/null > keys/key.pem # Don't publish keys
    - cat /dev/null > keys/rootkey.pem # Don't publish keys
  artifacts:
    paths:
      - build/stimage.*
      # The whole directory is published, not an explicit list of public files.
      - keys/
# Depends on build-example-os for keys/rootcert.pem which is built
# into the stboot binary.
# The certificate is taken from the earlier stage's artifacts, so the trust root
# compiled into stboot is whatever that job uploaded in keys/.
build-stboot:
  stage: build/2
  # NOTE(review): mutable image tag, same as in build-example-os; pin by digest if
  # the stboot build environment must be reproducible.
  image: debian:bookworm-backports
  before_script:
    - apt-get -qq update
    - apt-get install -qqy golang-1.23-go ca-certificates pigz make cpio
    # Install Go binaries into a project-local directory and put it, plus the
    # Go 1.23 toolchain, on PATH.
    - |
      export GOBIN="${PWD}"/.go/bin; mkdir -p "$GOBIN"
      export PATH="${PATH}":/usr/lib/go-1.23/bin:"${GOBIN}"
    - go install system-transparency.org/stmgr@"${STMGR_VERSION}"
  script:
    - make stboot
  artifacts:
    paths:
      - build/stboot.*
# NOTE: Boot is failing with "Not enough valid signatures: 1 found, 0
# valid, 1 required", most likely because stboot doesn't build with
# the correct trust root, cf. https://git.glasklar.is/system-transparency/core/stimages/-/issues/11
# Boots build/stboot.iso in QEMU and lets it fetch the OS image from a local
# HTTP listener started by this job.
boot-example:
  stage: boot
  # A failed boot does not fail the pipeline while the issue above is open.
  # NOTE(review): with this set, the job cannot catch a signature-verification
  # regression; remove it once the trust-root problem is fixed.
  allow_failure: true
  tags:
    - longrunning
  image: debian:bookworm-backports
  before_script:
    - apt-get -qq update
    - apt-get install -qqy make qemu-system-x86 ovmf ncat
  script:
    # Start each run from a fresh copy of the OVMF variable store.
    - cp /usr/share/OVMF/OVMF_VARS.fd guest_nvram
    # Background listener: answers one connection with build/stimage.json and the
    # next with build/stimage.zip, over plain HTTP on port 8080 of every interface.
    # The transport gives no integrity protection, so the image the guest accepts
    # depends on stboot's signature check.
    # NOTE(review): 0.0.0.0 exposes the listener beyond loopback; a narrower bind
    # address may be enough -- confirm how boot-qemu.sh sets up guest networking.
    - (for e in json zip; do nc -lc "printf 'HTTP/1.1 200 OK\n\n'; cat build/stimage.$e" 0.0.0.0 8080; done) &
    - test/boot.sh ./boot-qemu.sh build/stboot.iso guest_nvram
  artifacts:
    # Upload the log and NVRAM file on failure too, so a failed boot can be examined.
    when: always
    paths:
      - qemu.log
      - guest_nvram