verifiable build (#9)
brittcyr authored Aug 26, 2024
1 parent 28927aa commit d3e48f9
Showing 1 changed file with 76 additions and 0 deletions.
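--- a/.github/workflows/ci-verifiable-build.yml
+++ b/.github/workflows/ci-verifiable-build.yml
@@ -0,0 +1,76 @@
+name: Verifiable Build
+on:
+push:
+tags:
+- 'program-v*'
+workflow_dispatch:
+
+env:
+MANIFEST_NAME: manifest
+WRAPPER_NAME: wrapper
+
+jobs:
+build:
+name: Build Verifiable Artifact
+runs-on: ubuntu-latest
+steps:
+- name: Checkout
+uses: actions/checkout@v4
+
+- name: Setup solana-verify
+run: |
+cargo install solana-verify
+- name: Verifiable build manifest
+run: |
+solana-verify build --library-name ${{ env.MANIFEST_NAME }}
+- name: Get hash manifest
+run: |
+solana-verify get-executable-hash target/deploy/${{ env.MANIFEST_NAME }}.so
+- name: Generate checksum manifest
+run: |
+echo "MANIFEST_CHECKSUM=$(sha256sum ./target/deploy/${{ env.MANIFEST_NAME }}.so | head -c 64)" >> $GITHUB_ENV
+- name: Generate SBOM manifest
+uses: aquasecurity/trivy-action@master
+with:
+scan-type: 'fs'
+format: 'cyclonedx'
+output: '${{ env.MANIFEST_NAME }}-${{ github.ref_name }}-sbom.json'
+
+- name: Verifiable build wrapper
+run: |
+solana-verify build --library-name ${{ env.WRAPPER_NAME }}
+- name: Get hash wrapper
+run: |
+solana-verify get-executable-hash target/deploy/${{ env.WRAPPER_NAME }}.so
+- name: Generate Checksum wrapper
+run: |
+echo "CHECKSUM_WRAPPER=$(sha256sum ./target/deploy/${{ env.WRAPPER_NAME }}.so | head -c 64)" >> $GITHUB_ENV
+- name: Generate SBOM wrapper
+uses: aquasecurity/trivy-action@master
+with:
+scan-type: 'fs'
+format: 'cyclonedx'
+output: '${{ env.WRAPPER_NAME }}-${{ github.ref_name }}-sbom.json'
+
+- name: Create Release wrapper
+id: create_release
+uses: softprops/action-gh-release@v1
+with:
+tag_name: ${{ github.ref_name }}
+name: ${{ github.ref_name }}
+body: |
+manifest sha256 checksum: ${{ env.MANIFEST_CHECKSUM }}
+wrapper sha256 checksum: ${{ env.WRAPPER_CHECKSUM }}
+github commit: ${{ github.sha }}
+files: |
+./target/deploy/${{ env.MANIFEST_NAME }}.so
+./${{ env.MANIFEST_NAME }}-${{ github.ref_name }}-sbom.json
+./target/deploy/${{ env.WRAPPER_NAME }}.so
+./${{ env.WRAPPER_NAME }}-${{ github.ref_name }}-sbom.json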
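Review bot: The wrapper checksum in the release body will render empty, because the "Generate Checksum wrapper" step exports `CHECKSUM_WRAPPER` while the release step reads `${{ env.WRAPPER_CHECKSUM }}`; the step should write `echo "WRAPPER_CHECKSUM=$(sha256sum ./target/deploy/${{ env.WRAPPER_NAME }}.so | head -c 64)" >> $GITHUB_ENV` so the two names agree. For a workflow whose output is meant to be independently verifiable, the toolchain is also unpinned: `aquasecurity/trivy-action@master` follows a moving branch, `actions/checkout@v4` and `softprops/action-gh-release@v1` are mutable tags, and `cargo install solana-verify` takes whatever version is current at run time. Pinning each action to a full commit SHA (`uses: aquasecurity/trivy-action@<full-commit-sha>`) and installing with `cargo install solana-verify --locked --version <pinned-version>` would keep an upstream change from silently altering what gets built and released. The job also declares no `permissions:` block, so the token scope depends on repository defaults; the release step presumably needs `contents: write` and nothing more.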
