mirror of https://github.com/CrimsonTome/tldr.git
feat/ci: add support for attesting release assets (#12851)
* feat: add support for attesting release assets --------- Signed-off-by: K.B.Dharun Krishna <kbdharunkrishna@gmail.com> Co-authored-by: Lena <126529524+acuteenvy@users.noreply.github.com> Co-authored-by: Sebastiaan Speck <12570668+sebastiaanspeck@users.noreply.github.com>pull/28/head
parent
e90697af1e
commit
862591ca18
|
@ -2,14 +2,14 @@ name: CI
|
||||||
|
|
||||||
on: ['push', 'pull_request']
|
on: ['push', 'pull_request']
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: write # to upload assets to releases
|
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
ci:
|
ci:
|
||||||
runs-on: ubuntu-latest
|
|
||||||
|
|
||||||
name: CI
|
name: CI
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
permissions:
|
||||||
|
contents: write # to upload assets to releases
|
||||||
|
attestations: write # to upload assets attestation for build provenance
|
||||||
|
id-token: write # grant additional permission to attestation action to mint the OIDC token permission
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
|
@ -53,3 +53,53 @@ jobs:
|
||||||
env:
|
env:
|
||||||
DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
|
DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
|
||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
|
||||||
|
- name: Check for generated files
|
||||||
|
if: github.repository == 'tldr-pages/tldr' && github.ref == 'refs/heads/main'
|
||||||
|
id: check-files
|
||||||
|
run: |
|
||||||
|
if [[ -n $(find language_archives -name "*.zip" -print -quit) ]]; then
|
||||||
|
echo "zip_exists=true" >> $GITHUB_ENV
|
||||||
|
else
|
||||||
|
echo "zip_exists=false" >> $GITHUB_ENV
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [[ -n $(find scripts/pdf -name "*.pdf" -print -quit) ]]; then
|
||||||
|
echo "pdf_exists=true" >> $GITHUB_ENV
|
||||||
|
else
|
||||||
|
echo "pdf_exists=false" >> $GITHUB_ENV
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [[ -f tldr.sha256sums ]]; then
|
||||||
|
echo "checksums_exist=true" >> $GITHUB_ENV
|
||||||
|
else
|
||||||
|
echo "checksums_exist=false" >> $GITHUB_ENV
|
||||||
|
fi
|
||||||
|
|
||||||
|
- name: Construct subject-path for attest
|
||||||
|
if: github.repository == 'tldr-pages/tldr' && github.ref == 'refs/heads/main'
|
||||||
|
id: construct-subject-path
|
||||||
|
run: |
|
||||||
|
subject_path=""
|
||||||
|
if [[ ${{ env.zip_exists }} == 'true' ]]; then
|
||||||
|
zip_files=$(find language_archives -name '*.zip' -printf '%p,')
|
||||||
|
subject_path+="${zip_files::-1}"
|
||||||
|
fi
|
||||||
|
if [[ ${{ env.pdf_exists }} == 'true' ]]; then
|
||||||
|
if [[ -n $subject_path ]]; then subject_path+=","; fi
|
||||||
|
pdf_files=$(find scripts/pdf -name '*.pdf' -printf '%p,')
|
||||||
|
subject_path+="${pdf_files::-1}"
|
||||||
|
fi
|
||||||
|
if [[ ${{ env.checksums_exist }} == 'true' ]]; then
|
||||||
|
if [[ -n $subject_path ]]; then subject_path+=","; fi
|
||||||
|
subject_path+='tldr.sha256sums'
|
||||||
|
fi
|
||||||
|
echo "subject_path=$subject_path" >> $GITHUB_ENV
|
||||||
|
|
||||||
|
- name: Attest generated files
|
||||||
|
if: github.repository == 'tldr-pages/tldr' && github.ref == 'refs/heads/main'
|
||||||
|
id: attest
|
||||||
|
uses: actions/attest-build-provenance@v1
|
||||||
|
continue-on-error: true # prevent failing when no pages are modified
|
||||||
|
with:
|
||||||
|
subject-path: ${{ env.subject_path }}
|
||||||
|
|
|
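Review bot: `continue-on-error: true` on the "Attest generated files" step (the line after `uses: actions/attest-build-provenance@v1`) turns every attestation failure into a silent no-op, so an expired OIDC token, an action outage or a rejected subject would leave generated files published without provenance and nobody would notice; the one case the comment wants to tolerate, an empty subject list, can be expressed as a condition instead. I would drop `continue-on-error: true` and extend the step's condition to `if: github.repository == 'tldr-pages/tldr' && github.ref == 'refs/heads/main' && env.subject_path != ''`. Because this attestation is the supply-chain trust anchor, `actions/attest-build-provenance@v1` is also worth pinning to a full commit SHA rather than the mutable major tag, e.g. `uses: actions/attest-build-provenance@<full-commit-sha> # v1`. The `${{ env.zip_exists }}` expressions inside the `run:` scripts are substituted into the shell text before it executes; the values are workflow-set here, but reading them as `$zip_exists` from the environment is the form that stays safe if a value ever originates elsewhere. The enclosing `ci` job and the step that owns the `env:` block at the top of the second hunk begin outside the hunk.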
@ -4,28 +4,50 @@ on:
|
||||||
release:
|
release:
|
||||||
types: published
|
types: published
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: write
|
|
||||||
|
|
||||||
env:
|
env:
|
||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
release:
|
release:
|
||||||
name: Copy assets to the new release
|
name: Copy release assets
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
permissions:
|
||||||
|
contents: write # to upload assets to releases
|
||||||
|
attestations: write # to upload assets attestation for build provenance
|
||||||
|
id-token: write # grant additional permission to attestation action to mint the OIDC token permission
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v4
|
- uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
fetch-depth: 0
|
fetch-depth: 0
|
||||||
|
|
||||||
- name: Download and upload
|
- name: Set tag names
|
||||||
run: |
|
run: |
|
||||||
LATEST="$(git describe --tags --abbrev=0)"
|
echo "LATEST=$(git describe --tags --abbrev=0)" >> $GITHUB_ENV
|
||||||
PREVIOUS="$(git describe --tags --abbrev=0 "$LATEST"^)"
|
echo "PREVIOUS=$(git describe --tags --abbrev=0 $(git describe --tags --abbrev=0)^)" >> $GITHUB_ENV
|
||||||
|
|
||||||
|
- name: Download assets
|
||||||
|
run: |
|
||||||
mkdir release-assets && cd release-assets
|
mkdir release-assets && cd release-assets
|
||||||
|
|
||||||
gh release download "$PREVIOUS"
|
gh release download "$PREVIOUS"
|
||||||
gh release upload "$LATEST" -- *
|
|
||||||
|
- name: Construct subject-path for attest
|
||||||
|
if: github.repository == 'tldr-pages/tldr'
|
||||||
|
id: construct-subject-path
|
||||||
|
run: |
|
||||||
|
zip_files=$(find release-assets -name '*.zip' -printf '%p,')
|
||||||
|
pdf_files=$(find release-assets -name '*.pdf' -printf '%p,')
|
||||||
|
subject_path="${zip_files::-1},${pdf_files::-1},release-assets/tldr.sha256sums"
|
||||||
|
echo "subject_path=$subject_path" >> $GITHUB_ENV
|
||||||
|
|
||||||
|
- name: Attest copied assets
|
||||||
|
if: github.repository == 'tldr-pages/tldr'
|
||||||
|
id: attest
|
||||||
|
uses: actions/attest-build-provenance@v1
|
||||||
|
with:
|
||||||
|
subject-path: ${{ env.subject_path }}
|
||||||
|
|
||||||
|
- name: Upload assets
|
||||||
|
if: github.repository == 'tldr-pages/tldr'
|
||||||
|
working-directory: release-assets
|
||||||
|
run: gh release upload "$LATEST" -- *
|
||||||
|
|
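Review bot: `subject_path="${zip_files::-1},${pdf_files::-1},release-assets/tldr.sha256sums"` in "Construct subject-path for attest" lacks the guards the CI workflow's version has: if the previous release carried no `.zip` or no `.pdf` asset, `${zip_files::-1}` on an empty string is a bash expansion error (`substring expression < 0`) that fails the step, and a partially empty list would otherwise leave a stray empty element before the checksums file. Building the list in one pass avoids both: `subject_path="$(find release-assets \( -name '*.zip' -o -name '*.pdf' -o -name 'tldr.sha256sums' \) -printf '%p,')"` followed by `echo "subject_path=${subject_path%,}" >> "$GITHUB_ENV"`, where `${subject_path%,}` is harmless on an empty string. The files attested here were downloaded from the previous release by the "Download assets" step rather than built by this job, so the provenance statement describes the copy, not the build; if that is intended, a comment on the "Attest copied assets" step saying so would help anyone later verifying the attestation. Keeping "Upload assets" after the attest step without `continue-on-error` is the right fail-closed order, since a failed attestation then blocks the upload. As in the CI workflow, `actions/attest-build-provenance@v1` would be stronger pinned to a full commit SHA, e.g. `uses: actions/attest-build-provenance@<full-commit-sha> # v1`.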