From 7e0fbbb27f5501a8d6c4aef7067e45734d799b76 Mon Sep 17 00:00:00 2001
From: aquint-zama
Date: Tue, 27 Aug 2024 14:30:19 +0200
Subject: [PATCH 1/4] chore: add slsa support for tfhe-zk-pok
---
.github/workflows/make_release_zk_pok.yml | 58 ++++++++++++++++++++++-
1 file changed, 56 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/make_release_zk_pok.yml b/.github/workflows/make_release_zk_pok.yml
index 9ec6d181d6..b02c181176 100644
--- a/.github/workflows/make_release_zk_pok.yml
+++ b/.github/workflows/make_release_zk_pok.yml
@@ -13,22 +13,76 @@ env: ACTION_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} jobs: + package: + runs-on: ubuntu-latest + outputs: + hash: ${{ steps.hash.outputs.hash }} + steps: + - name: Checkout + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + with: + fetch-depth: 0 + - name: Prepare package + run: | + cargo package -p tfhe-zk-pok + - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 + with: + name: crate-zk-pok + path: target/package/*.crate + - name: generate hash + id: hash + run: cd target/package && echo "hash=$(sha256sum ./*.crate | base64 -w0)" >> "${GITHUB_OUTPUT}" + + provenance: + if: ${{ !inputs.dry_run }} + needs: [package] + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 + permissions: + # Needed to detect the GitHub Actions environment + actions: read + # Needed to create the provenance via GitHub OIDC + id-token: write + # Needed to upload assets/artifacts + contents: write + with: + # SHA-256 hashes of the Crate package. 
+ base64-subjects: ${{ needs.package.outputs.hash }} + + publish_release: name: Publish tfhe-zk-pok Release + needs: [package] # for comparing hashes runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 with: fetch-depth: 0 - + - name: Download artifact + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 + with: + name: crate-zk-pok + path: target/package - name: Publish crate.io package env: CRATES_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }} DRY_RUN: ${{ inputs.dry_run && '--dry-run' || '' }} run: | cargo publish -p tfhe-zk-pok --token ${{ env.CRATES_TOKEN }} ${{ env.DRY_RUN }} - + - name: Verify hash + id: published_hash + run: cd target/package && echo "pub_hash=$(sha256sum ./*.crate | base64 -w0)" >> "${GITHUB_OUTPUT}" + - name: Slack notification (hashes comparison) + if: ${{ needs.package.outputs.hash != steps.published_hash.outputs.pub_hash }} + continue-on-error: true + uses: rtCamp/action-slack-notify@4e5fb42d249be6a45a298f3c9543b111b02f7907 + env: + SLACK_COLOR: failure + SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }} + SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png + SLACK_MESSAGE: "SLSA tfhe-zk-pok crate - hash comparison failure: (${{ env.ACTION_RUN_URL }})" + SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} + SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} - name: Slack Notification if: ${{ failure() }} continue-on-error: true From 6f3471a5bc44a2f3fd54b782b393428b56f6c374 Mon Sep 17 00:00:00 2001 From: aquint-zama Date: Tue, 27 Aug 2024 14:51:32 +0200 Subject: [PATCH 2/4] chore: add slsa support for tfhe-cuda-backend --- .github/workflows/make_release_cuda.yml | 59 +++++++++++++++++++++++-- 1 file changed, 55 insertions(+), 4 deletions(-) diff --git a/.github/workflows/make_release_cuda.yml b/.github/workflows/make_release_cuda.yml index e75dfd5a2c..f11abf3dc4 100644 --- a/.github/workflows/make_release_cuda.yml 
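Review bot: A hash mismatch between the attested crate and the one `cargo publish` produced only posts a Slack message — the `Slack notification (hashes comparison)` step in `publish_release` is `continue-on-error: true` and nothing fails — so the run stays green while the provenance generated by `provenance` describes a different artifact than the one now on crates.io. Add a failing step right after it so the mismatch is recorded on the run itself: `- name: Fail on hash mismatch`, `if: ${{ needs.package.outputs.hash != steps.published_hash.outputs.pub_hash }}`, `run: exit 1`. The same pattern is added in make_release_cuda.yml (`@@ -96,6 +131,22 @@`), make_release_concrete_csprng.yml and both publish jobs of make_release_concrete_tfhe_versionable.yml. `publish_release` also does not list `provenance` in `needs`, so a crate can be published even if provenance generation failed; if publication should be gated on a successful attestation, add it to `needs` with an `if` that tolerates the dry-run skip. As a point of style, `package` pins actions/checkout at `692973e3…` while `publish_release` keeps `d632683…`; one pin per file is easier to audit.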
+++ b/.github/workflows/make_release_cuda.yml @@ -38,10 +38,11 @@ jobs: backend: aws profile: gpu-build - publish-cuda-release: - name: Publish CUDA Release - needs: setup-instance + package: + needs: [setup-instance] runs-on: ${{ needs.setup-instance.outputs.runner-name }} + outputs: + hash: ${{ steps.hash.outputs.hash }} strategy: fail-fast: false # explicit include-based build matrix, of known valid options @@ -54,7 +55,7 @@ jobs: CUDA_PATH: /usr/local/cuda-${{ matrix.cuda }} steps: - name: Checkout - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 with: fetch-depth: 0 @@ -87,7 +88,41 @@ jobs: echo "CUDAHOSTCXX=/usr/bin/g++-${{ matrix.gcc }}"; echo "HOME=/home/ubuntu"; } >> "${GITHUB_ENV}" + - name: Prepare package + run: | + cargo package -p tfhe-cuda-backend + - name: generate hash + id: hash + run: cd target/package && echo "hash=$(sha256sum ./*.crate | base64 -w0)" >> "${GITHUB_OUTPUT}" + + provenance: + if: ${{ !inputs.dry_run }} + needs: [package] + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 + permissions: + # Needed to detect the GitHub Actions environment + actions: read + # Needed to create the provenance via GitHub OIDC + id-token: write + # Needed to upload assets/artifacts + contents: write + with: + # SHA-256 hashes of the Crate package. + base64-subjects: ${{ needs.package.outputs.hash }} + publish-cuda-release: + name: Publish CUDA Release + needs: [package, setup-instance] # for comparing hashes + runs-on: ${{ needs.setup-instance.outputs.runner-name }} + strategy: + fail-fast: false + # explicit include-based build matrix, of known valid options + matrix: + include: + - os: ubuntu-22.04 + cuda: "12.2" + gcc: 9 + steps: - name: Publish crate.io package if: ${{ inputs.push_to_crates }} env: 
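Review bot: The new `publish-cuda-release` job starts its `steps:` directly with `Publish crate.io package` — no checkout and no artifact download — and the `package` job uploads no artifact, so the `cargo publish` and the later `sha256sum ./*.crate` in `target/package` can only work if the self-hosted runner named by `setup-instance` still holds the previous job's workspace, which GitHub does not guarantee across jobs. The job-level `env: CUDA_PATH` and the `CUDAHOSTCXX`/`HOME` values the package job writes to `GITHUB_ENV` are likewise scoped to that job, so the verification build that `cargo publish` runs would presumably lack them unless the runner image already provides them — worth confirming. Mirroring the other three workflows (upload the `.crate` in `package`, check out and download it in `publish-cuda-release`) removes the dependence on runner state; the `matrix` copied into the publish job is not referenced in the visible lines. The body of `publish-cuda-release` continues past the hunk.
```yaml
      # … unchanged: Prepare package step …
      - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
        with:
          name: crate-tfhe-cuda-backend
          path: target/package/*.crate
      # … unchanged: generate hash step, provenance job, publish-cuda-release header and matrix …
    steps:
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
        with:
          fetch-depth: 0
      - name: Download artifact
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: crate-tfhe-cuda-backend
          path: target/package
      - name: Publish crate.io package
```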
@@ -96,6 +131,22 @@ jobs: run: | cargo publish -p tfhe-cuda-backend --token ${{ env.CRATES_TOKEN }} ${{ env.DRY_RUN }} + - name: Generate hash + id: published_hash + run: cd target/package && echo "pub_hash=$(sha256sum ./*.crate | base64 -w0)" >> "${GITHUB_OUTPUT}" + + - name: Slack notification (hashes comparison) + if: ${{ needs.package.outputs.hash != steps.published_hash.outputs.pub_hash }} + continue-on-error: true + uses: rtCamp/action-slack-notify@4e5fb42d249be6a45a298f3c9543b111b02f7907 + env: + SLACK_COLOR: failure + SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }} + SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png + SLACK_MESSAGE: "SLSA tfhe cuda backend crate - hash comparison failure: (${{ env.ACTION_RUN_URL }})" + SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} + SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} + - name: Slack Notification if: ${{ failure() }} continue-on-error: true From b962ccfae0e6e6170d5f391894d3ded4a6ac58b8 Mon Sep 17 00:00:00 2001 From: aquint-zama Date: Tue, 27 Aug 2024 14:55:44 +0200 Subject: [PATCH 3/4] chore: add slsa support for concrete-csprng --- .../make_release_concrete_csprng.yml | 56 ++++++++++++++++++- 1 file changed, 55 insertions(+), 1 deletion(-) diff --git a/.github/workflows/make_release_concrete_csprng.yml b/.github/workflows/make_release_concrete_csprng.yml index ea024a2dbe..c9cdb6a2ab 100644 --- a/.github/workflows/make_release_concrete_csprng.yml +++ b/.github/workflows/make_release_concrete_csprng.yml 
@@ -12,21 +12,75 @@ env: ACTION_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} jobs: + package: + runs-on: ubuntu-latest + outputs: + hash: ${{ steps.hash.outputs.hash }} + steps: + - name: Checkout + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + with: + fetch-depth: 0 + - name: Prepare package + run: | + cargo package -p concrete-csprng + - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 + with: + name: crate-concrete-csprng + path: target/package/*.crate + - name: generate hash + id: hash + run: cd target/package && echo "hash=$(sha256sum ./*.crate | base64 -w0)" >> "${GITHUB_OUTPUT}" + + provenance: + if: ${{ !inputs.dry_run }} + needs: [package] + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 + permissions: + # Needed to detect the GitHub Actions environment + actions: read + # Needed to create the provenance via GitHub OIDC + id-token: write + # Needed to upload assets/artifacts + contents: write + with: + # SHA-256 hashes of the Crate package. 
+ base64-subjects: ${{ needs.package.outputs.hash }} + publish_release: name: Publish concrete-csprng Release + needs: [package] # for comparing hashes runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 with: fetch-depth: 0 - + - name: Download artifact + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 + with: + name: crate-concrete-csprng + path: target/package - name: Publish crate.io package env: CRATES_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }} DRY_RUN: ${{ inputs.dry_run && '--dry-run' || '' }} run: | cargo publish -p concrete-csprng --token ${{ env.CRATES_TOKEN }} ${{ env.DRY_RUN }} + - name: Generate hash + id: published_hash + run: cd target/package && echo "pub_hash=$(sha256sum ./*.crate | base64 -w0)" >> "${GITHUB_OUTPUT}" + - name: Slack notification (hashes comparison) + if: ${{ needs.package.outputs.hash != steps.published_hash.outputs.pub_hash }} + continue-on-error: true + uses: rtCamp/action-slack-notify@4e5fb42d249be6a45a298f3c9543b111b02f7907 + env: + SLACK_COLOR: failure + SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }} + SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png + SLACK_MESSAGE: "SLSA concrete csprng - hash comparison failure: (${{ env.ACTION_RUN_URL }})" + SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} + SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} - name: Slack Notification if: ${{ failure() }} From c3d784d3d75ca93847711ef1e5778a535eb1eb17 Mon Sep 17 00:00:00 2001 From: aquint-zama Date: Tue, 27 Aug 2024 15:03:58 +0200 Subject: [PATCH 4/4] chore: add slsa support for tfhe-versionable --- ...make_release_concrete_tfhe_versionable.yml | 140 +++++++++++++++++- 1 file changed, 138 insertions(+), 2 deletions(-) diff --git a/.github/workflows/make_release_concrete_tfhe_versionable.yml b/.github/workflows/make_release_concrete_tfhe_versionable.yml index 04473b3a40..9f3d4f20f5 100644 
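Review bot: In the new `package` job the `actions/upload-artifact` step is the only one without a `name:`, and `generate hash` is the only lower-case step name, while every other step in the file uses a capitalised `name:`; `- name: Upload crate artifact` above the `uses:` line and `- name: Generate hash` keep the job log consistent with `Publish crate.io package` and with the `Generate hash` step of `publish_release`. The same naming applies to the `package` jobs in make_release_zk_pok.yml (where the publish-side step is instead called `Verify hash`) and make_release_concrete_tfhe_versionable.yml; one name for the same step across the four workflows makes the SLSA steps easier to grep for.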
--- a/.github/workflows/make_release_concrete_tfhe_versionable.yml
+++ b/.github/workflows/make_release_concrete_tfhe_versionable.yml
@@ -7,22 +7,158 @@ env: ACTION_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} jobs: - publish_release: + package-derive: + runs-on: ubuntu-latest + outputs: + hash: ${{ steps.hash.outputs.hash }} + steps: + - name: Checkout + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + with: + fetch-depth: 0 + - name: Prepare package + run: | + cargo package -p tfhe-versionable-derive + - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 + with: + name: crate-tfhe-versionable-derive + path: target/package/*.crate + - name: generate hash + id: hash + run: cd target/package && echo "hash=$(sha256sum ./*.crate | base64 -w0)" >> "${GITHUB_OUTPUT}" + + provenance-derive: + needs: [package-derive] + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 + permissions: + # Needed to detect the GitHub Actions environment + actions: read + # Needed to create the provenance via GitHub OIDC + id-token: write + # Needed to upload assets/artifacts + contents: write + with: + # SHA-256 hashes of the Crate package. 
+ base64-subjects: ${{ needs.package-derive.outputs.hash }} + + publish_release-derive: name: Publish tfhe-versionable Release + needs: [package-derive] # for comparing hashes runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 with: fetch-depth: 0 - + - name: Download artifact + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 + with: + name: crate-tfhe-versionable-derive + path: target/package - name: Publish crate.io package env: CRATES_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }} run: | cargo publish -p tfhe-versionable-derive --token ${{ env.CRATES_TOKEN }} + + - name: Generate hash + id: published_hash + run: cd target/package && echo "pub_hash=$(sha256sum ./*.crate | base64 -w0)" >> "${GITHUB_OUTPUT}" + + - name: Slack notification (hashes comparison) + if: ${{ needs.package-derive.outputs.hash != steps.published_hash.outputs.pub_hash }} + continue-on-error: true + uses: rtCamp/action-slack-notify@4e5fb42d249be6a45a298f3c9543b111b02f7907 + env: + SLACK_COLOR: failure + SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }} + SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png + SLACK_MESSAGE: "SLSA tfhe-versionable-derive - hash comparison failure: (${{ env.ACTION_RUN_URL }})" + SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} + SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} + + - name: Slack Notification + if: ${{ failure() }} + continue-on-error: true + uses: rtCamp/action-slack-notify@4e5fb42d249be6a45a298f3c9543b111b02f7907 + env: + SLACK_COLOR: ${{ job.status }} + SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }} + SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png + SLACK_MESSAGE: "tfhe-versionable-derive release finished with status: ${{ job.status }}. 
(${{ env.ACTION_RUN_URL }})" + SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} + SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} + + package: + runs-on: ubuntu-latest + outputs: + hash: ${{ steps.hash.outputs.hash }} + steps: + - name: Checkout + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 + with: + fetch-depth: 0 + - name: Prepare package + run: | + cargo package -p tfhe-versionable + - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 + with: + name: crate-tfhe-versionable + path: target/package/*.crate + - name: generate hash + id: hash + run: cd target/package && echo "hash=$(sha256sum ./*.crate | base64 -w0)" >> "${GITHUB_OUTPUT}" + + provenance: + needs: [package] + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 + permissions: + # Needed to detect the GitHub Actions environment + actions: read + # Needed to create the provenance via GitHub OIDC + id-token: write + # Needed to upload assets/artifacts + contents: write + with: + # SHA-256 hashes of the Crate package. 
+ base64-subjects: ${{ needs.package.outputs.hash }} + + publish_release: + name: Publish tfhe-versionable Release + needs: [package] # for comparing hashes + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 + with: + fetch-depth: 0 + - name: Download artifact + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 + with: + name: crate-tfhe-versionable + path: target/package + - name: Publish crate.io package + env: + CRATES_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }} + run: | cargo publish -p tfhe-versionable --token ${{ env.CRATES_TOKEN }} + - name: Generate hash + id: published_hash + run: cd target/package && echo "pub_hash=$(sha256sum ./*.crate | base64 -w0)" >> "${GITHUB_OUTPUT}" + + - name: Slack notification (hashes comparison) + if: ${{ needs.package.outputs.hash != steps.published_hash.outputs.pub_hash }} + continue-on-error: true + uses: rtCamp/action-slack-notify@4e5fb42d249be6a45a298f3c9543b111b02f7907 + env: + SLACK_COLOR: failure + SLACK_CHANNEL: ${{ secrets.SLACK_CHANNEL }} + SLACK_ICON: https://pbs.twimg.com/profile_images/1274014582265298945/OjBKP9kn_400x400.png + SLACK_MESSAGE: "SLSA tfhe-versionable - hash comparison failure: (${{ env.ACTION_RUN_URL }})" + SLACK_USERNAME: ${{ secrets.BOT_USERNAME }} + SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} + - name: Slack Notification if: ${{ failure() }} continue-on-error: true
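Review bot: `publish_release` in the new `package`/`provenance`/`publish_release` chain has `needs: [package]` only, so `cargo publish -p tfhe-versionable` can run before, or in parallel with, `cargo publish -p tfhe-versionable-derive` in `publish_release-derive`, whereas the removed single `run:` block published derive first and versionable second. If tfhe-versionable depends on tfhe-versionable-derive, cargo's verification build resolves the new derive version from the registry, so the ordering should be kept with `needs: [package, publish_release-derive] # derive must be on crates.io first`. Both publish jobs also carry the same display name `Publish tfhe-versionable Release`; the derive one should read `name: Publish tfhe-versionable-derive Release` so the two runs can be told apart in the Actions UI. The `publish_release` job ends outside the hunk.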