Publish SP releases with Brussels

.github/workflows/build-boards.yml

@@ -122,8 +122,7 @@ jobs:
         run: |
           sudo apt-get update && sudo apt-get install -y libusb-1.0-0-dev libftdi1-dev
           for image in ${images}; do
-              mv "target/${name}/dist/${image}/build-${name}-image-${image}.zip" "target/${name}/dist/";
-              target/release/humility -a "target/${name}/dist/build-${name}-image-${image}.zip" manifest;
+              target/release/humility -a "target/${name}/dist/${image}/build-${name}-image-${image}.zip" manifest;
           done
         env:
           name: ${{ matrix.app_name }}
@@ -136,13 +135,25 @@ jobs:
 
       - name: Attestation
         uses: actions/attest-build-provenance@v1
+        id: attest
         if: inputs.attest
         with:
-          subject-path: target/${{ matrix.app_name }}/dist/build-${{ matrix.app_name }}-image-*.zip
+          subject-path: target/${{ matrix.app_name }}/dist/*/build-${{ matrix.app_name }}-image-*.zip
+          show-summary: false
+
+      - name: Prepare artifacts for upload
+        id: prepare-upload
+        if: inputs.upload-artifacts
+        run: |
+          path="$(cargo xtask gha-prepare-artifacts $APP_TOML $ATTESTATION)"
+          echo "path=$path" >> $GITHUB_OUTPUT
+        env:
+          APP_TOML: ${{ matrix.app_toml }}
+          ATTESTATION: ${{ inputs.attest && steps.attest.outputs.bundle-path || '' }}
 
       - name: Upload build archive
         uses: actions/upload-artifact@v4
         if: inputs.upload-artifacts
         with:
           name: dist-${{ inputs.os }}-${{ matrix.app_name }}
-          path: target/${{ matrix.app_name }}/dist/build-${{ matrix.app_name }}-image-*.zip
+          path: ${{ steps.prepare-upload.outputs.path }}

.github/workflows/release.yml

@@ -20,7 +20,7 @@ concurrency:
 jobs:
   init:
     name: Initialize the release
-    runs-on: ubuntu-24.04
+    runs-on: oxide-colo-builder-hubris
     permissions:
       contents: read
       id-token: write
@@ -42,7 +42,7 @@ jobs:
         name: Download Brussels
         run: |
           if [[ "${BRUSSELS_RUN_ID}" == "" ]]; then
-            gh release download -R oxidecomputer/brussels -p brussels v0.2.0
+            gh release download -R oxidecomputer/brussels -p brussels v0.3.0
           else
             gh run download "${BRUSSELS_RUN_ID}" -R oxidecomputer/brussels -n prebuilt-binary
           fi
@@ -80,6 +80,32 @@ jobs:
 
   release:
     name: Publish the release
+    if: github.event.inputs.group == 'all-sp'
+    needs:
+      - init
+      - build
+    runs-on: oxide-colo-builder-hubris
+    permissions:
+      contents: write # Publish the release
+      id-token: write # Authenticate with oidcx
+      actions: read # Download artifacts
+    steps:
+      - *brussels-token
+      - *download-brussels
+
+      # TODO: pin this somehow
+      - name: Retrieve the Sigstore trusted roots
+        run: gh attestation trusted-root > trusted-root.jsonl
+
+      - name: Publish the release with Brussels
+        run: brussels publish --trusted-root=trusted-root.jsonl $run_id
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          run_id: ${{ github.run_id }}
+
+  release-legacy:
+    name: Publish the release (legacy)
+    if: github.event.inputs.group == 'rot'
     needs:
       - init
       - build
@@ -93,7 +119,7 @@ jobs:
         merge-multiple: true
 
     - name: Publish the release
-      uses: softprops/action-gh-release@v1
+      uses: softprops/action-gh-release@v2
       with:
         target_commitish: ${{ needs.init.outputs.commit_sha1 }}
         tag_name: ${{ needs.init.outputs.tag_name }}

Cargo.toml

@@ -49,6 +49,7 @@ anyhow = { version = "1.0.31", default-features = false, features = ["std"] }
 array-init = { version = "2.1.0" }
 arrayvec = { version = "0.7.4", default-features = false }
 atty = { version = "0.2", default-features = false }
+base64 = "0.22.1"
 bitfield = { version = "0.13", default-features = false }
 bitflags = { version = "2.5.0", default-features = false }
 bstringify = { version = "0.1.2", default-features = false }

brussels.toml

@@ -6,6 +6,11 @@
 
 version = 1 # Schema version of this file.
 
+[sigstore-claims]
+issuer = "https://token.actions.githubusercontent.com"
+workflow-file = ".github/workflows/release.yml"
+runner-environment = "self-hosted"
+
 [groups.all-sp]
 tag-bump = "patch"
 tag-prefix = "all-sp-v"
@@ -16,6 +21,13 @@ hubris-app-dirs = [
     "app/cosmo/",
 ]
 
+release-title = "SP release {version}"
+release-description = """
+These are the final artifacts for **release {version}** of Oxide's Service Processor images.
+
+This release has been published automatically, and no changelog is available.
+"""
+
 [groups.all-sp.boards]
 gimlet-b = {}
 gimlet-b-lab = {}
@@ -45,6 +57,13 @@ tag-bump = "patch"
 tag-prefix = "oxide-rot-1-v"
 hubris-app-dirs = ["app/oxide-rot-1/"]
 
+release-title = "RoT release {version}"
+release-description = """
+These are the final artifacts for **release {version}** of Oxide's Root of Trust images.
+
+This release has been published automatically, and no changelog is available.
+"""
+
 [groups.rot.boards]
 oxide-rot-1 = { images = ["a", "b"] }
 oxide-rot-1-selfsigned = { images = ["a", "b"] }

build/xtask/Cargo.toml

@@ -44,6 +44,10 @@ walkdir = { workspace = true }
 zerocopy = { workspace = true }
 zip = { workspace = true }
 
+# for gha-prepare-artifact
+base64 = { workspace = true }
+sha2 = { workspace = true }
+
 gnarle = { path = "../../lib/gnarle", features = ["std"] }
 abi.path = "../../sys/abi"
 build-fpga-regmap.path = "../../build/fpga-regmap"