Taskfile.yml
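---
version: '3'

# Task targets for the CryptOS-PKI cryptos/ module.
# Requires on PATH: go, golangci-lint, golic.

tasks:
  default:
    desc: Show available tasks
    cmds:
      - task --list

  fmt:
    desc: Format Go sources
    cmds:
      # -w rewrites files in place; this task changes the working tree.
      - gofmt -w cmd internal

  lint:
    desc: Run golangci-lint
    cmds:
      - golangci-lint run ./...

  vet:
    desc: Run go vet
    cmds:
      - go vet ./...

  test:
    desc: Run unit tests
    cmds:
      - go test ./...

  build:
    desc: Build the init, cryptosctl, cryptos-install, and cryptos-sbkey binaries to bin/
    cmds:
      - go build -o bin/init ./cmd/init
      - go build -o bin/cryptosctl ./cmd/cryptosctl
      - go build -o bin/cryptos-install ./cmd/cryptos-install
      - go build -o bin/cryptos-sbkey ./cmd/cryptos-sbkey

  tidy:
    desc: Tidy the Go module
    cmds:
      - go mod tidy

  license:
    desc: Inject Apache 2.0 license headers via golic
    cmds:
      - golic inject -t apache2 -c "2026 Shane"

  ci:
    desc: Full local validation chain (fmt + lint + vet + test + build)
    cmds:
      # Runs in order. fmt goes first and uses gofmt -w, so this chain can
      # modify sources before lint/vet/test/build see them.
      - task: fmt
      - task: lint
      - task: vet
      - task: test
      - task: build

  # ---- Image build (Linux host only; see build/README.md) ----
  # DRAFT recipes — not yet executed. Require a Linux toolchain
  # (kernel build, mksquashfs, ukify, sbsign, cpio). ARCH defaults to amd64.
  #
  # ARCH and PROFILE come from the command line or the environment and are
  # expanded into a shell command line. Each expansion is passed through
  # shellQuote so a value containing whitespace or shell metacharacters
  # reaches the script as one literal argument instead of being re-parsed
  # by the shell.

  kernel:build:
    desc: "[Linux] Fetch + build the pinned hardened kernel"
    cmds:
      - bash build/kernel/build.sh {{.ARCH | default "amd64" | shellQuote}}

  cryptsetup:build:
    desc: "[Linux] Build the static cryptsetup from source (Docker + Alpine/musl)"
    cmds:
      - bash build/cryptsetup/build.sh {{.ARCH | default "amd64" | shellQuote}}

  rootfs:build:
    desc: "[Linux] Assemble the rootfs tree + pack the SquashFS"
    cmds:
      - bash build/squashfs/build.sh {{.ARCH | default "amd64" | shellQuote}}

  uki:assemble:
    desc: "[Linux] Assemble the unsigned UKI (PROFILE=prod|qemu-dev)"
    cmds:
      # Folded scalar: the three lines below are joined into one command.
      - >-
        bash build/uki/assemble.sh
        {{.ARCH | default "amd64" | shellQuote}}
        {{.PROFILE | default "prod" | shellQuote}}

  uki:sign:
    desc: "[Linux] Secure Boot-sign the UKI (needs SB_KEY/SB_CERT)"
    cmds:
      # NOTE(review): only ARCH is passed. Whether sign.sh can tell a prod
      # UKI from a qemu-dev one, and how it receives SB_KEY/SB_CERT, is not
      # visible in this file — confirm it refuses to sign debug artifacts.
      - bash build/uki/sign.sh {{.ARCH | default "amd64" | shellQuote}}

  image:
    desc: "[Linux] Full prod image build (kernel + cryptsetup + rootfs + UKI + sign)"
    cmds:
      - task: kernel:build
      - task: cryptsetup:build
      - task: rootfs:build
      # PROFILE is pinned here, using the same call-site override that
      # image:debug uses. A PROFILE=qemu-dev left in the environment or
      # given on the command line therefore cannot route a debug-cmdline
      # UKI into the signing step below.
      - task: uki:assemble
        vars:
          PROFILE: prod
      - task: uki:sign

  image:debug:
    desc: "[Linux] Debug UKI (qemu-dev cmdline); never published"
    cmds:
      # No uki:sign step here: the debug UKI stays unsigned.
      - task: kernel:build
      - task: cryptsetup:build
      - task: rootfs:build
      - task: uki:assemble
        vars:
          PROFILE: qemu-dev

  qemu:run:
    desc: "[Linux] Boot the debug image in QEMU + swtpm (interactive)"
    cmds:
      - bash build/ci/qemu-run.sh {{.ARCH | default "amd64" | shellQuote}}

  test:integration:
    desc: "[Linux] Phase 1 QEMU + swtpm end-to-end acceptance (needs the toolchain; see test/integration)"
    cmds:
      # -count=1 disables the Go test cache so the run always executes.
      - go test -tags=integration -count=1 -v ./test/integration/...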