-
-
Notifications
You must be signed in to change notification settings - Fork 30
186 lines (162 loc) · 5.55 KB
/
version.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
name: Version
on:
workflow_dispatch:
inputs:
files:
description: 'File(s) to run action against'
required: true
pull_request:
branches: ["master"]
push:
branches: ["master"]
paths:
- '*.txt'
- '*.json'
- '*.png'
env:
PYTHON_VERSION: "3.10"
COSIGN_VERSION: "v2.0.2"
SIGNED_FILES: "apparmor.txt apparmor_beta.txt apparmor_dev.txt apparmor_stable.txt beta.json dev.json stable.json"
jobs:
lint:
name: Lint
runs-on: ubuntu-latest
steps:
- name: Checkout the repository
uses: actions/checkout@v3
- name: Lint with JQ
uses: home-assistant/actions/helpers/jq@master
prepare:
name: Prepare
needs: ["lint"]
runs-on: ubuntu-latest
outputs:
files: ${{ steps.changed_files.outputs.files }}
steps:
- name: Checkout the repository
uses: actions/checkout@v3
- name: Get changed files for push
if: github.event_name == 'push'
id: changed_files_push
uses: jitterbit/get-changed-files@v1
- name: Get changed files
id: changed_files
run: |
if [[ ${{ github.event_name }} == "push" ]]; then
echo "files=${{ steps.changed_files_push.outputs.all }}" >> $GITHUB_OUTPUT
else
echo "files=${{ github.event.inputs.files }}" >> $GITHUB_OUTPUT
fi
signing:
name: Sign ${{ matrix.path }}
needs: ["prepare"]
if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
runs-on: ubuntu-latest
permissions:
id-token: write
packages: write
strategy:
matrix:
path:
- stable.json
- beta.json
- dev.json
- apparmor.txt
- apparmor_stable.txt
- apparmor_beta.txt
- apparmor_dev.txt
steps:
- name: Check
id: check
run: |
if [[ "${{ needs.prepare.outputs.files }}" =~ ${{ matrix.path }} ]]; then
echo "sign=yes" >> $GITHUB_OUTPUT
fi
- name: Checkout the repository
if: steps.check.outputs.sign == 'yes'
uses: actions/checkout@v3
- name: Login to GitHub Container Registry
if: steps.check.outputs.sign == 'yes'
uses: docker/[email protected]
with:
registry: ghcr.io
username: home-assistant
password: ${{ secrets.GITHUB_TOKEN }}
- uses: sigstore/cosign-installer@main
if: steps.check.outputs.sign == 'yes'
with:
cosign-release: ${{ env.COSIGN_VERSION }}
- name: Setup Python version ${{ env.PYTHON_VERSION }}
if: steps.check.outputs.sign == 'yes'
uses: actions/setup-python@v4
with:
python-version: ${{ env.PYTHON_VERSION }}
- name: Install AWS CLI
if: steps.check.outputs.sign == 'yes'
run: pip install awscli
- name: Sign CAS
if: steps.check.outputs.sign == 'yes'
uses: home-assistant/actions/helpers/codenotary@master
with:
source: ${{ matrix.path }}
token: ${{ secrets.CAS_TOKEN }}
- name: Upload file
if: steps.check.outputs.sign == 'yes'
run: |
cosign upload blob -f ${{ matrix.path }} ghcr.io/home-assistant/version/${{ matrix.path }}
- name: Sign Cosign
if: steps.check.outputs.sign == 'yes'
run: |
cosign sign --yes ghcr.io/home-assistant/version/${{ matrix.path }}
cosign sign-blob --yes ${{ matrix.path }} --bundle ${{ matrix.path }}.sig
- name: Upload signature
if: steps.check.outputs.sign == 'yes'
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
run: |
aws s3 sync . s3://version.home-assistant.io --exclude "*" --include "${{ matrix.path }}.sig"
upload:
name: Upload
needs: ["signing", "prepare"]
if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
runs-on: ubuntu-latest
steps:
- name: Checkout the repository
uses: actions/checkout@v3
- name: Setup Python version ${{ env.PYTHON_VERSION }}
uses: actions/setup-python@v4
with:
python-version: ${{ env.PYTHON_VERSION }}
- name: Install AWS CLI
run: pip install awscli
- name: Upload files
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
run: |
for file in ${{ needs.prepare.outputs.files }}; do
if [[ "$file" =~ \.txt|\.json|\.png ]]; then
aws s3 sync . s3://version.home-assistant.io --exclude "*" --include "$file"
fi
done
- name: Gather files for cache flush
id: flush
run: |
declare -a files
for file in ${{ needs.prepare.outputs.files }}; do
if [[ "$file" =~ \.txt|\.json ]]; then
files+=("\"https:\/\/version.home-assistant.io\/$file\", ")
if [[ "${{ env.SIGNED_FILES }}" =~ $file ]]; then
files+=("\"https:\/\/version.home-assistant.io\/$file.sig\", ")
fi
fi
done
echo "files=[$(echo ${files[@]} | rev | cut -c 2- | rev)]" >> $GITHUB_OUTPUT
- name: Flush CloudFlare cache
run: |
curl --silent --show-error --fail -X POST \
"https://api.cloudflare.com/client/v4/zones/${{ secrets.CF_ZONE }}/purge_cache" \
-H "Authorization: Bearer ${{ secrets.CF_TOKEN }}" \
-H "Content-Type: application/json" \
--data '{"files": ${{ steps.flush.outputs.files }}}'