From d1de3421e3f20aecd1c94a9b14142f3fcb1a016a Mon Sep 17 00:00:00 2001
From: aquint-zama
Date: Tue, 27 Aug 2024 14:55:44 +0200
Subject: [PATCH] chore: add slsa support for tfhe-csprng
---
 .../make_release_concrete_csprng.yml | 49 ---------
 .../workflows/make_release_tfhe_csprng.yml | 103 ++++++++++++++++++
 2 files changed, 103 insertions(+), 49 deletions(-)
 delete mode 100644 .github/workflows/make_release_concrete_csprng.yml
 create mode 100644 .github/workflows/make_release_tfhe_csprng.yml
diff --git a/.github/workflows/make_release_concrete_csprng.yml b/.github/workflows/make_release_concrete_csprng.yml
deleted file mode 100644
index f3bdab40a2..0000000000
--- a/.github/workflows/make_release_concrete_csprng.yml
+++ /dev/null
@@ -1,49 +0,0 @@
-name: Publish tfhe-csprng release
-
-on:
- workflow_dispatch:
- inputs:
- dry_run:
- description: "Dry-run"
- type: boolean
- default: true
-
-env:
- ACTION_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
-
-jobs:
- verify_tag:
- uses: ./.github/workflows/verify_tagged_commit.yml
- secrets:
- RELEASE_TEAM: ${{ secrets.RELEASE_TEAM }}
- READ_ORG_TOKEN: ${{ secrets.READ_ORG_TOKEN }}
-
- publish_release:
- name: Publish tfhe-csprng Release
- needs: verify_tag
- runs-on: ubuntu-latest
- steps:
- - name: Checkout
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- with:
- fetch-depth: 0
- token: ${{ secrets.FHE_ACTIONS_TOKEN }}
- - name: Publish crate.io package
- env:
- CRATES_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
- DRY_RUN: ${{ inputs.dry_run && '--dry-run' || '' }}
- run: |
- cargo publish -p tfhe-csprng --token ${{ env.CRATES_TOKEN }} ${{ env.DRY_RUN }}
- - name: Slack Notification
- if: ${{ failure() }}
- continue-on-error: true
- uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990
- env:
- SLACK_COLOR: ${{ job.status }}
- SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
- SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png
- SLACK_MESSAGE: "tfhe-csprng release finished with status: ${{ job.status }}. (${{ env.ACTION_RUN_URL }})"
- SLACK_USERNAME: ${{ secrets.BOT_USERNAME }}
- SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
diff --git a/.github/workflows/make_release_tfhe_csprng.yml b/.github/workflows/make_release_tfhe_csprng.yml
new file mode 100644
index 0000000000..8a30c8ceaa
--- /dev/null
+++ b/.github/workflows/make_release_tfhe_csprng.yml
@@ -0,0 +1,103 @@
+name: Publish concrete-csprng release
+
+on:
+ workflow_dispatch:
+ inputs:
+ dry_run:
+ description: "Dry-run"
+ type: boolean
+ default: true
+
+env:
+ ACTION_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+
+jobs:
+ verify_tag:
+ uses: ./.github/workflows/verify_tagged_commit.yml
+ secrets:
+ RELEASE_TEAM: ${{ secrets.RELEASE_TEAM }}
+ READ_ORG_TOKEN: ${{ secrets.READ_ORG_TOKEN }}
+
+ package:
+ runs-on: ubuntu-latest
+ outputs:
+ hash: ${{ steps.hash.outputs.hash }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ fetch-depth: 0
+ - name: Prepare package
+ run: |
+ cargo package -p tfhe-csprng
+ - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
+ with:
+ name: crate-tfhe-csprng
+ path: target/package/*.crate
+ - name: generate hash
+ id: hash
+ run: cd target/package && echo "hash=$(sha256sum ./*.crate | base64 -w0)" >> "${GITHUB_OUTPUT}"
+
+
+ provenance:
+ if: ${{ !inputs.dry_run }}
+ needs: [package]
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
+ permissions:
+ # Needed to detect the GitHub Actions environment
+ actions: read
+ # Needed to create the provenance via GitHub OIDC
+ id-token: write
+ # Needed to upload assets/artifacts
+ contents: write
+ with:
+ # SHA-256 hashes of the Crate package.
+ base64-subjects: ${{ needs.package.outputs.hash }}
+
+
+ publish_release:
+ name: Publish tfhe-csprng Release
+ needs: [verify_tag, package]
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ fetch-depth: 0
+ token: ${{ secrets.FHE_ACTIONS_TOKEN }}
+ - name: Download artifact
+ uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+ with:
+ name: crate-tfhe-csprng
+ path: target/package
+ - name: Publish crate.io package
+ env:
+ CRATES_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
+ DRY_RUN: ${{ inputs.dry_run && '--dry-run' || '' }}
+ run: |
+ cargo publish -p tfhe-csprng --token ${{ env.CRATES_TOKEN }} ${{ env.DRY_RUN }}
+ - name: Generate hash
+ id: published_hash
+ run: cd target/package && echo "pub_hash=$(sha256sum ./*.crate | base64 -w0)" >> "${GITHUB_OUTPUT}"
+ - name: Slack notification (hashes comparison)
+ if: ${{ needs.package.outputs.hash != steps.published_hash.outputs.pub_hash }}
+ continue-on-error: true
+ uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 # v2.3.2
+ env:
+ SLACK_COLOR: failure
+ SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
+ SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png
+ SLACK_MESSAGE: "SLSA tfhe-csprng - hash comparison failure: (${{ env.ACTION_RUN_URL }})"
+ SLACK_USERNAME: ${{ secrets.BOT_USERNAME }}
+ SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
+ - name: Slack Notification
+ if: ${{ failure() }}
+ continue-on-error: true
+ uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 # v2.3.2
+ env:
+ SLACK_COLOR: ${{ job.status }}
+ SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }}
+ SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png
+ SLACK_MESSAGE: "tfhe-csprng release finished with status: ${{ job.status }}.
(${{ env.ACTION_RUN_URL }})"
+ SLACK_USERNAME: ${{ secrets.BOT_USERNAME }}
+ SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
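Review bot: A mismatch between the attested hash (`needs.package.outputs.hash`) and the hash computed after `cargo publish` (`steps.published_hash.outputs.pub_hash`) only triggers a Slack message — the "Slack notification (hashes comparison)" step is `continue-on-error: true` and no step exits non-zero — so the run stays green while the crate already on crates.io does not match its SLSA provenance; add a terminating step right after that notification: `- name: Fail on hash mismatch` / `if: ${{ needs.package.outputs.hash != steps.published_hash.outputs.pub_hash }}` / `run: exit 1`. The `provenance` job declares `needs: [package]` only, so provenance (with `contents: write`) is generated for a commit that `verify_tag` may have rejected, and `publish_release` does not list `provenance` in its `needs`, so a failed attestation never blocks the publish; at minimum change the provenance job to `needs: [verify_tag, package]`. The reason the check runs after publishing is not written down — presumably `cargo publish` re-creates `target/package/*.crate` and overwrites the downloaded artifact, which this workflow does not confirm — so a comment on the "Generate hash" step such as `# cargo publish re-creates the .crate; hash the re-created file and compare it with the attested subject — TODO confirm` would record the intent. Separately, the new file is `make_release_tfhe_csprng.yml` but carries `name: Publish concrete-csprng release`, while the deleted `make_release_concrete_csprng.yml` was the one named `Publish tfhe-csprng release`; the two display names appear swapped.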