Merge pull request #2 from monzo/ci-checks

add gha CI check
monzo · Feb 23, 2024 · 9b6786f · 9b6786f
2 parents f38ad55 + 16b8c9c
commit 9b6786f
Show file tree

Hide file tree

Showing 2 changed files with 51 additions and 0 deletions.
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
@@ -0,0 +1,21 @@
+name: Check
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [ "*" ]
+
+jobs:
+
+  flake-check:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - uses: cachix/install-nix-action@6ed004b9ccb68dbc28e7c85bee15fa93dbd214ac
+      with:
+        nix_path: nixpkgs=channel:nixos-23.11
+        github_access_token: ${{ secrets.GITHUB_TOKEN }}
+
+    - uses: DeterminateSystems/magic-nix-cache-action@eeabdb06718ac63a7021c6132129679a8e22d0c7
+
+    - run: nix flake check
diff --git a/flake.nix b/flake.nix
@@ -202,6 +202,36 @@
             checks = {
               # make sure we can build the eif-cli
               inherit (packages) eif-cli;
+
+              # build a simple (non-bootable) EIF image for ARM64 as part of checks
+              test-make-eif = lib.mkEif {
+                arch = "x86_64";
+                name = "test";
+                ramdisks = [
+                  (lib.mkSysRamdisk { init = self.lib.x86_64-linux.blobs.init; nsmKo = self.lib.x86_64-linux.blobs.nsmKo; })
+                  (lib.mkUserRamdisk { entrypoint = "none"; env = ""; rootfs = pkgs.writeTextDir "etc/file" "hello world!"; })
+                ];
+                kernel = self.lib.x86_64-linux.blobs.kernel;
+                kernelConfig = self.lib.x86_64-linux.blobs.kernelConfig;
+              };
+
+              # check the PCR for this simple EIF is reproduced
+              test-eif-PCRs-match = pkgs.stdenvNoCC.mkDerivation {
+                buildInputs = [ pkgs.jq ];
+                name = "test-eif-PCRs-match";
+                src = checks.test-make-eif;
+                dontBuild = true;
+                doCheck = true;
+                checkPhase = ''
+                  PCR0=$(jq -r < ./pcr.json ' .PCR0 ')
+                  if echo "$PCR0" | grep -qv 'f585cae40c5d5d640a60d3c7f8c5dcf7276364c49f7d7fa8d08800b35c45825099688c2acc02bb2373ebfbd8a5ba10b4'
+                  then
+                    echo "PCR0 did not match, got instead:" $PCR0
+                    exit -1
+                  fi
+                '';
+                installPhase = "mkdir $out";
+              };
             };
           }
         ))