lowRISC · jwnrt · Dec 13, 2024 · Dec 10, 2024 · Dec 11, 2024 · Dec 12, 2024
@@ -87,10 +87,28 @@ runs:
     # This can't be Workload Identity Federation because Bazel performance using WIF is terrible.
     # This needs access to secrets and thus doesn't work for pull request.
     - uses: google-github-actions/auth@v2
+      id: google_auth
       if: github.event_name != 'pull_request'
       with:
         credentials_json: '${{ inputs.service_account_json }}'
 
+    # The above action creates a credential file in workspace and it doesn't provide a way to configure
+    # it. This influences with a few scripts that assume clean workspace, and introduce security risk
+    # that it may be exposed when uploading to buckets.
+    - name: Move Google credentials out from workspace
+      if: github.event_name != 'pull_request'
+      run: |
+        SOURCE=${{ steps.google_auth.outputs.credentials_file_path }}
+        TARGET=${{ runner.temp }}/$(basename "$SOURCE")
+        mv $SOURCE $TARGET
+        echo "CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE=$TARGET" >> $GITHUB_ENV
+        echo "GOOGLE_APPLICATION_CREDENTIALS=$TARGET" >> $GITHUB_ENV
+        echo "GOOGLE_GHA_CREDS_PATH=$TARGET" >> $GITHUB_ENV
+      shell: bash
+
+    - uses: google-github-actions/setup-gcloud@v2
+      if: github.event_name != 'pull_request'
+
     - name: Configure ~/.bazelrc
       if: inputs.configure-bazel == 'true'
       run: |

@@ -44,9 +44,6 @@ runs:
         # In case this is from a re-run
         overwrite: true
 
-    - uses: google-github-actions/setup-gcloud@v2
-      if: inputs.bucket-destination != ''
-
     - name: Upload report to Google Cloud
       if: inputs.bucket-destination != ''
       shell: bash

@@ -106,8 +106,6 @@ jobs:
       - name: DV software images
         run: ./ci/scripts/check_dv_sw_images.sh
         continue-on-error: true
-      - name: Build documentation
-        run: ./ci/scripts/build-docs.sh
       - name: Generated files
         run: ./ci/scripts/check-generated.sh
         env:
@@ -123,6 +121,48 @@ jobs:
       - name: Verible FPV
         run: ./ci/scripts/verible-lint.sh fpv
 
+  build_docs:
+    name: Build documentation
+    runs-on: ubuntu-22.04
+    needs: quick_lint
+    env:
+      BUCKET: gold-hybrid-255313-prod
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 # Bitstream cache requires all commits.
+      - name: Prepare environment
+        uses: ./.github/actions/prepare-env
+        with:
+          service_account_json: '${{ secrets.BAZEL_CACHE_CREDS }}'
+      - name: Build documentation
+        run: util/site/build-docs.sh build
+      - name: Upload files
+        if: ${{ github.event_name != 'pull_request' && github.ref_name == 'earlgrey_1.0.0' }}
+        run: |
+          echo "::group::Upload all uncompressed files"
+          gcloud storage cp -R --gzip-in-flight=js,css,html "build-site/*" gs://$BUCKET/earlgrey_1.0.0
+          echo "::endgroup::"
+
+          # This script compresses the searchindex files, replacing the originals in-place.
+          # (This is how 'content-encoding'-tagged files should be uploaded to gcloud buckets)
+          util/site/post-build.sh compress_br
+
+          search_indexes=$(find build-site/ -type f -name '*searchindex.json')
+          for f in $search_indexes; do
+              echo "Uploading compressed file ${f}"
+              # Get directory of file, relative to the build directory.
+              # - var=${var#*//} # removes stuff from the begining up to //
+              dir=$(dirname "${f#*build-site/}")
+              # When serving from gcloud buckets, file should be uploaded with an identical name as the
+              # original, but compressed and with the matching 'content-encoding' and 'content-type' tags applied.
+              gcloud storage cp \
+                     --content-encoding=br \
+                     --content-type=application/json \
+                     -R \
+                     "$f" "gs://$BUCKET/earlgrey_1.0.0/${dir}/"
+          done
+
   airgapped_build:
     name: Airgapped build
     runs-on: ubuntu-22.04
@@ -358,7 +398,6 @@ jobs:
             --stamp-file $PWD/bazel-out/volatile-status.txt \
             --out $PWD/build-bin/bitstream-cache \
             $PWD/build-bin/**/manifest.json
-      - uses: google-github-actions/setup-gcloud@v2
       - name: Upload bitstreams to GCP bucket
         run: |
           BUCKET_URI=gs://opentitan-bitstreams/${{ github.ref_name }}

@@ -32,13 +32,11 @@ jobs:
           fetch-depth: 0 # Required for the bitstream cache to work.
           ref: ${{ inputs.branch || 'earlgrey_1.0.0' }} # Schedule only work on the default branch, but we want to run on a different branch.
 
-      - name: Install dependencies
+      - name: Prepare environment
         uses: ./.github/actions/prepare-env
         with:
           service_account_json: '${{ secrets.BAZEL_CACHE_CREDS }}'
 
-      - uses: google-github-actions/setup-gcloud@v2
-
       - name: Update hyperdebug
         # We run the update command twice to workaround an issue with udev on the container.
         # Where rusb cannot dynamically update its device list in CI (udev is not completely
@@ -101,13 +99,11 @@ jobs:
           fetch-depth: 0 # Required for the bitstream cache to work.
           ref: ${{ inputs.branch || 'earlgrey_1.0.0' }} # Schedule only work on the default branch, but we want to run on a different branch.
 
-      - name: Install dependencies
+      - name: Prepare environment
         uses: ./.github/actions/prepare-env
         with:
           service_account_json: '${{ secrets.BAZEL_CACHE_CREDS }}'
 
-      - uses: google-github-actions/setup-gcloud@v2
-
       - name: Update hyperdebug
         # We run the update command twice to workaround an issue with udev on the container.
         # Where rusb cannot dynamically update its device list in CI (udev is not completely
@@ -170,13 +166,11 @@ jobs:
           fetch-depth: 0 # Required for the bitstream cache to work.
           ref: ${{ inputs.branch || 'earlgrey_1.0.0' }} # Schedule only work on the default branch, but we want to run on a different branch.
 
-      - name: Install dependencies
+      - name: Prepare environment
         uses: ./.github/actions/prepare-env
         with:
           service_account_json: '${{ secrets.BAZEL_CACHE_CREDS }}'
 
-      - uses: google-github-actions/setup-gcloud@v2
-
       - name: Update hyperdebug
         # We run the update command twice to workaround an issue with udev on the container.
         # Where rusb cannot dynamically update its device list in CI (udev is not completely

@@ -17,11 +17,11 @@ use cryptotest_commands::aes_commands::{
 use cryptotest_commands::commands::CryptotestCommand;
 
 use opentitanlib::app::TransportWrapper;
+use opentitanlib::console::spi::SpiConsoleDevice;
 use opentitanlib::execute_test;
 use opentitanlib::test_utils::init::InitializeTest;
 use opentitanlib::test_utils::rpc::{ConsoleRecv, ConsoleSend};
 use opentitanlib::uart::console::UartConsole;
-use opentitanlib::console::spi::SpiConsoleDevice;
 
 #[derive(Debug, Parser)]
 struct Opts {

@@ -14,11 +14,11 @@ use cryptotest_commands::commands::CryptotestCommand;
 use cryptotest_commands::drbg_commands::{CryptotestDrbgInput, CryptotestDrbgOutput};
 
 use opentitanlib::app::TransportWrapper;
+use opentitanlib::console::spi::SpiConsoleDevice;
 use opentitanlib::execute_test;
 use opentitanlib::test_utils::init::InitializeTest;
 use opentitanlib::test_utils::rpc::{ConsoleRecv, ConsoleSend};
 use opentitanlib::uart::console::UartConsole;
-use opentitanlib::console::spi::SpiConsoleDevice;
 
 #[derive(Debug, Parser)]
 struct Opts {

@@ -17,11 +17,11 @@ use cryptotest_commands::ecdh_commands::{
     CryptotestEcdhPrivateKey,
 };
 use opentitanlib::app::TransportWrapper;
+use opentitanlib::console::spi::SpiConsoleDevice;
 use opentitanlib::execute_test;
 use opentitanlib::test_utils::init::InitializeTest;
 use opentitanlib::test_utils::rpc::{ConsoleRecv, ConsoleSend};
 use opentitanlib::uart::console::UartConsole;
-use opentitanlib::console::spi::SpiConsoleDevice;
 use p256::elliptic_curve::scalar::ScalarPrimitive as ScalarPrimitiveP256;
 use p256::U256;
 use p384::elliptic_curve::scalar::ScalarPrimitive as ScalarPrimitiveP384;
@@ -234,7 +234,13 @@ fn test_ecdh(opts: &Opts, transport: &TransportWrapper) -> Result<()> {
         for ecdh_test in &ecdh_tests {
             test_counter += 1;
             log::info!("Test counter: {}", test_counter);
-            run_ecdh_testcase(ecdh_test, opts, &spi_console_device, &mut fail_counter, &mut failures)?;
+            run_ecdh_testcase(
+                ecdh_test,
+                opts,
+                &spi_console_device,
+                &mut fail_counter,
+                &mut failures,
+            )?;
         }
     }
     assert_eq!(

@@ -29,11 +29,11 @@ use cryptotest_commands::ecdsa_commands::{
 };
 
 use opentitanlib::app::TransportWrapper;
+use opentitanlib::console::spi::SpiConsoleDevice;
 use opentitanlib::execute_test;
 use opentitanlib::test_utils::init::InitializeTest;
 use opentitanlib::test_utils::rpc::{ConsoleRecv, ConsoleSend};
 use opentitanlib::uart::console::UartConsole;
-use opentitanlib::console::spi::SpiConsoleDevice;
 
 #[derive(Debug, Parser)]
 struct Opts {
@@ -449,7 +449,8 @@ fn run_ecdsa_testcase(
     .send(spi_console)?;
     let success = match operation {
         CryptotestEcdsaOperation::Sign => {
-            let mut output_signature = CryptotestEcdsaSignature::recv(spi_console, opts.timeout, false)?;
+            let mut output_signature =
+                CryptotestEcdsaSignature::recv(spi_console, opts.timeout, false)?;
             // Truncate signature values to correct size for curve and convert to big-endian
             output_signature.r.truncate(output_signature.r_len);
             output_signature.s.truncate(output_signature.s_len);

@@ -17,11 +17,11 @@ use cryptotest_commands::hash_commands::{
 };
 
 use opentitanlib::app::TransportWrapper;
+use opentitanlib::console::spi::SpiConsoleDevice;
 use opentitanlib::execute_test;
 use opentitanlib::test_utils::init::InitializeTest;
 use opentitanlib::test_utils::rpc::{ConsoleRecv, ConsoleSend};
 use opentitanlib::uart::console::UartConsole;
-use opentitanlib::console::spi::SpiConsoleDevice;
 
 #[derive(Debug, Parser)]
 struct Opts {

@@ -16,11 +16,11 @@ use cryptotest_commands::hmac_commands::{
 };
 
 use opentitanlib::app::TransportWrapper;
+use opentitanlib::console::spi::SpiConsoleDevice;
 use opentitanlib::execute_test;
 use opentitanlib::test_utils::init::InitializeTest;
 use opentitanlib::test_utils::rpc::{ConsoleRecv, ConsoleSend};
 use opentitanlib::uart::console::UartConsole;
-use opentitanlib::console::spi::SpiConsoleDevice;
 
 #[derive(Debug, Parser)]
 struct Opts {

@@ -17,11 +17,11 @@ use cryptotest_commands::kmac_commands::{
 };
 
 use opentitanlib::app::TransportWrapper;
+use opentitanlib::console::spi::SpiConsoleDevice;
 use opentitanlib::execute_test;
 use opentitanlib::test_utils::init::InitializeTest;
 use opentitanlib::test_utils::rpc::{ConsoleRecv, ConsoleSend};
 use opentitanlib::uart::console::UartConsole;
-use opentitanlib::console::spi::SpiConsoleDevice;
 
 #[derive(Debug, Parser)]
 struct Opts {

@@ -18,11 +18,11 @@ use cryptotest_commands::sphincsplus_commands::{
 };
 
 use opentitanlib::app::TransportWrapper;
+use opentitanlib::console::spi::SpiConsoleDevice;
 use opentitanlib::execute_test;
 use opentitanlib::test_utils::init::InitializeTest;
 use opentitanlib::test_utils::rpc::{ConsoleRecv, ConsoleSend};
 use opentitanlib::uart::console::UartConsole;
-use opentitanlib::console::spi::SpiConsoleDevice;
 
 #[derive(Debug, Parser)]
 struct Opts {
@@ -139,7 +139,12 @@ fn test_sphincsplus(opts: &Opts, transport: &TransportWrapper) -> Result<()> {
         for sphincsplus_test in &sphincsplus_tests {
             test_counter += 1;
             log::info!("Test counter: {}", test_counter);
-            run_sphincsplus_testcase(sphincsplus_test, opts, &spi_console_device, &mut fail_counter)?;
+            run_sphincsplus_testcase(
+                sphincsplus_test,
+                opts,
+                &spi_console_device,
+                &mut fail_counter,
+            )?;
         }
     }
     assert_eq!(

diff --git a/util/site/site-builder/README.md b/util/site/site-builder/README.md
diff --git a/util/site/site-builder/cloudbuild-deploy-docs.yaml b/util/site/site-builder/cloudbuild-deploy-docs.yaml