-
-
Notifications
You must be signed in to change notification settings - Fork 30
173 lines (151 loc) · 5.63 KB
/
version.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
name: Version
on:
workflow_dispatch:
inputs:
files:
description: 'File(s) to run action against (space separated)'
required: true
pull_request:
branches: ["master"]
push:
branches: ["master"]
paths:
- '*.txt'
- '*.json'
- '*.png'
- '.github/workflows/version.yml'
env:
PYTHON_VERSION: "3.10"
COSIGN_VERSION: "v2.2.3"
SIGNED_FILES: "apparmor.txt apparmor_beta.txt apparmor_dev.txt apparmor_stable.txt beta.json dev.json stable.json"
jobs:
lint:
name: Lint
runs-on: ubuntu-latest
steps:
- name: Checkout the repository
uses: actions/checkout@v4
- name: Lint with JQ
uses: home-assistant/actions/helpers/jq@master
prepare:
name: Prepare
needs: ["lint"]
runs-on: ubuntu-latest
outputs:
files: ${{ steps.calc_file_list.outputs.changed_files }}
sign_matrix: ${{ steps.calc_file_list.outputs.result }}
steps:
- name: Checkout the repository
uses: actions/checkout@v4
- name: Get changed files for push
if: github.event_name == 'push'
id: changed_files_push
uses: masesgroup/retrieve-changed-files@v3.0.0
with:
format: 'json'
- name: Calculate files to sign and push
uses: actions/github-script@v7
id: calc_file_list
with:
script: |
const signed_files = "${{ env.SIGNED_FILES }}".split(' ')
if ("${{ github.event_name }}" === "push") {
changed_files = JSON.parse('${{ steps.changed_files_push.outputs.all }}')
// Sign all files in case this workflow changes.
if (changed_files.includes(".github/workflows/version.yml")) {
changed_files = [...new Set([...changed_files, ...signed_files])]
}
core.setOutput("changed_files", changed_files.join(' '))
return changed_files.filter(value => signed_files.includes(value))
} else {
input_files = "${{ github.event.inputs.files }}".split(' ')
core.setOutput("changed_files", input_files.join(' '))
return input_files.filter(value => signed_files.includes(value))
}
signing:
name: Sign ${{ matrix.path }}
needs: ["prepare"]
if: ${{ (github.event_name == 'push' || github.event_name == 'workflow_dispatch') && needs.prepare.outputs.sign_matrix != '[]' }}
runs-on: ubuntu-latest
permissions:
id-token: write
packages: write
strategy:
matrix:
path: ${{ fromJson(needs.prepare.outputs.sign_matrix) }}
steps:
- name: Checkout the repository
uses: actions/checkout@v4
- name: Login to GitHub Container Registry
uses: docker/login-action@v3.3.0
with:
registry: ghcr.io
username: home-assistant
password: ${{ secrets.GITHUB_TOKEN }}
- uses: sigstore/cosign-installer@main
with:
cosign-release: ${{ env.COSIGN_VERSION }}
- name: Setup Python version ${{ env.PYTHON_VERSION }}
uses: actions/setup-python@v5
with:
python-version: ${{ env.PYTHON_VERSION }}
- name: Install AWS CLI
run: pip install awscli
- name: Upload file
run: |
cosign upload blob -f ${{ matrix.path }} ghcr.io/home-assistant/version/${{ matrix.path }}
- name: Sign Cosign
run: |
cosign sign --yes ghcr.io/home-assistant/version/${{ matrix.path }}
cosign sign-blob --yes ${{ matrix.path }} --bundle ${{ matrix.path }}.sig
- name: Upload signature
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
run: |
aws s3 sync . s3://version.home-assistant.io --exclude "*" --include "${{ matrix.path }}.sig"
upload:
name: Upload
needs: ["signing", "prepare"]
# Make sure to run this job even if signing has been skipped.
if: ${{ !failure() && !cancelled() && (github.event_name == 'push' || github.event_name == 'workflow_dispatch') }}
runs-on: ubuntu-latest
steps:
- name: Checkout the repository
uses: actions/checkout@v4
- name: Setup Python version ${{ env.PYTHON_VERSION }}
uses: actions/setup-python@v5
with:
python-version: ${{ env.PYTHON_VERSION }}
- name: Install AWS CLI
run: pip install awscli
- name: Upload files
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
run: |
for file in ${{ needs.prepare.outputs.files }}; do
if [[ "$file" =~ \.txt|\.json|\.png ]]; then
aws s3 sync . s3://version.home-assistant.io --exclude "*" --include "$file"
fi
done
- name: Gather files for cache flush
id: flush
run: |
declare -a files
for file in ${{ needs.prepare.outputs.files }}; do
if [[ "$file" =~ \.txt|\.json ]]; then
files+=("\"https:\/\/version.home-assistant.io\/$file\", ")
if [[ "${{ env.SIGNED_FILES }}" =~ $file ]]; then
files+=("\"https:\/\/version.home-assistant.io\/$file.sig\", ")
fi
fi
done
echo "files=[$(echo ${files[@]} | rev | cut -c 2- | rev)]" >> $GITHUB_OUTPUT
- name: Flush CloudFlare cache
run: |
curl --silent --show-error --fail -X POST \
"https://api.cloudflare.com/client/v4/zones/${{ secrets.CF_ZONE }}/purge_cache" \
-H "Authorization: Bearer ${{ secrets.CF_PURGE_TOKEN }}" \
-H "Content-Type: application/json" \
--data '{"files": ${{ steps.flush.outputs.files }}}'