Update release.yaml
Ludy87 committed Jan 17, 2025
1 parent a3dd6fa commit 1cfce43
Showing 1 changed file with 131 additions and 68 deletions.
199 changes: 131 additions & 68 deletions .github/workflows/release.yaml
Expand Up @@ -72,87 +72,150 @@ jobs:
cd ${{ github.workspace }}/custom_components/xplora_watch
zip -r xplora_watch.zip ./
- name: Generate artifact attestation
- name: Upload build artifacts
if: steps.checkTag.outputs.exists == 'false'
id: attestation
uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
subject-path: ${{ github.workspace }}/custom_components/xplora_watch/xplora_watch.zip
retention-days: 1
if-no-files-found: error
name: xplora_watch-binaries
path: |
${{ github.workspace }}/custom_components/xplora_watch/xplora_watch.zip
- name: Debug attestation output
- name: Download build artifacts
if: steps.checkTag.outputs.exists == 'false'
run: |
echo "Bundle path: ${{ steps.attestation.outputs.bundle-path }}"
ls -l "${{ steps.attestation.outputs.bundle-path }}"
- name: Copy attestation
if: steps.checkTag.outputs.exists == 'false'
run: |
cp "${{ steps.attestation.outputs.bundle-path }}" ${{ github.workspace }}/custom_components/xplora_watch/xplora_watch.zip.intoto.jsonl
- name: Import GPG key
if: steps.checkTag.outputs.exists == 'false'
env:
GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
run: |
mkdir -p ~/.gnupg
chmod 700 ~/.gnupg
echo "$GPG_PRIVATE_KEY" | gpg --batch --import
echo "use-agent" > ~/.gnupg/gpg.conf
echo "allow-loopback-pinentry" >> ~/.gnupg/gpg.conf
gpg --list-keys
- name: Debug Passphrase
if: steps.checkTag.outputs.exists == 'false'
run: |
if [ -z "$PASSPHRASE" ]; then
echo "Passphrase is empty!"
exit 1
else
echo "Passphrase is set."
fi
env:
PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: xplora_watch-binaries

- name: Sign ZIP file
- name: Display structure of downloaded files
if: steps.checkTag.outputs.exists == 'false'
env:
PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
run: |
gpg --detach-sign --batch --yes --pinentry-mode loopback --passphrase "$PASSPHRASE" \
-o ${{ github.workspace }}/custom_components/xplora_watch/xplora_watch.zip.asc \
${{ github.workspace }}/custom_components/xplora_watch/xplora_watch.zip
run: ls -R

- name: Upload zip to release
- name: Install Cosign
if: steps.checkTag.outputs.exists == 'false'
uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # v2
with:
repo_token: ${{ secrets.GITHUB_TOKEN }}
file: ${{ github.workspace }}/custom_components/xplora_watch/xplora_watch.zip
asset_name: xplora_watch.zip
tag: ${{ steps.version.outputs.version }}
overwrite: true
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0

- name: Upload zip to release
- name: Generate key pair
if: steps.checkTag.outputs.exists == 'false'
uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # v2
with:
repo_token: ${{ secrets.GITHUB_TOKEN }}
file: ${{ github.workspace }}/custom_components/xplora_watch/xplora_watch.zip.asc
asset_name: xplora_watch.zip.asc
tag: ${{ steps.version.outputs.version }}
overwrite: true
run: cosign generate-key-pair

- name: Upload zip to release
- name: Sign and generate attestations
if: steps.checkTag.outputs.exists == 'false'
uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # v2
run: |
cosign sign-blob \
--key ./cosign.key \
--yes \
--output-signature ./xplora_watch.zip.sig \
./xplora_watch.zip
cosign attest-blob \
--predicate - \
--key ./cosign.key \
--yes \
--output-attestation ./xplora_watch.zip.intoto.jsonl \
./xplora_watch.zip
cosign verify-blob \
--key ./cosign.pub \
--signature ./xplora_watch.zip.sig \
./xplora_watch.zip
- name: Display structure of downloaded files
run: ls -R

- name: Upload signed artifacts
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
repo_token: ${{ secrets.GITHUB_TOKEN }}
file: ${{ github.workspace }}/custom_components/xplora_watch/xplora_watch.zip.intoto.jsonl
asset_name: xplora_watch.zip.intoto.jsonl
tag: ${{ steps.version.outputs.version }}
overwrite: true
retention-days: 1
if-no-files-found: error
name: xplora_watch-signed
path: |
xplora_watch.zip
xplora_watch.zip.*
!cosign.*
# - name: Generate artifact attestation
# if: steps.checkTag.outputs.exists == 'false'
# id: attestation
# uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0
# with:
# subject-path: ${{ github.workspace }}/custom_components/xplora_watch/xplora_watch.zip

# - name: Debug attestation output
# if: steps.checkTag.outputs.exists == 'false'
# run: |
# echo "Bundle path: ${{ steps.attestation.outputs.bundle-path }}"
# ls -l "${{ steps.attestation.outputs.bundle-path }}"

# - name: Copy attestation
# if: steps.checkTag.outputs.exists == 'false'
# run: |
# cp "${{ steps.attestation.outputs.bundle-path }}" ${{ github.workspace }}/custom_components/xplora_watch/xplora_watch.zip.intoto.jsonl

# - name: Import GPG key
# if: steps.checkTag.outputs.exists == 'false'
# env:
# GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
# PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
# run: |
# mkdir -p ~/.gnupg
# chmod 700 ~/.gnupg
# echo "$GPG_PRIVATE_KEY" | gpg --batch --import
# echo "use-agent" > ~/.gnupg/gpg.conf
# echo "allow-loopback-pinentry" >> ~/.gnupg/gpg.conf
# gpg --list-keys

# - name: Debug Passphrase
# if: steps.checkTag.outputs.exists == 'false'
# run: |
# if [ -z "$PASSPHRASE" ]; then
# echo "Passphrase is empty!"
# exit 1
# else
# echo "Passphrase is set."
# fi
# env:
# PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}

# - name: Sign ZIP file
# if: steps.checkTag.outputs.exists == 'false'
# env:
# PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
# run: |
# gpg --detach-sign --batch --yes --pinentry-mode loopback --passphrase "$PASSPHRASE" \
# -o ${{ github.workspace }}/custom_components/xplora_watch/xplora_watch.zip.asc \
# ${{ github.workspace }}/custom_components/xplora_watch/xplora_watch.zip

# - name: Upload zip to release
# if: steps.checkTag.outputs.exists == 'false'
# uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # v2
# with:
# repo_token: ${{ secrets.GITHUB_TOKEN }}
# file: ${{ github.workspace }}/custom_components/xplora_watch/xplora_watch.zip
# asset_name: xplora_watch.zip
# tag: ${{ steps.version.outputs.version }}
# overwrite: true

# - name: Upload zip to release
# if: steps.checkTag.outputs.exists == 'false'
# uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # v2
# with:
# repo_token: ${{ secrets.GITHUB_TOKEN }}
# file: ${{ github.workspace }}/custom_components/xplora_watch/xplora_watch.zip.asc
# asset_name: xplora_watch.zip.asc
# tag: ${{ steps.version.outputs.version }}
# overwrite: true

# - name: Upload zip to release
# if: steps.checkTag.outputs.exists == 'false'
# uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # v2
# with:
# repo_token: ${{ secrets.GITHUB_TOKEN }}
# file: ${{ github.workspace }}/custom_components/xplora_watch/xplora_watch.zip.intoto.jsonl
# asset_name: xplora_watch.zip.intoto.jsonl
# tag: ${{ steps.version.outputs.version }}
# overwrite: true

- name: Create Release
if: steps.checkTag.outputs.exists == 'false'
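Review bot: The signature written by `cosign sign-blob` in the "Sign and generate attestations" step cannot be verified by anyone outside this run, because the key comes from `cosign generate-key-pair` in the same job and the `!cosign.*` exclusion in "Upload signed artifacts" keeps `cosign.pub` out of the uploaded set; the in-job `cosign verify-blob` only proves a round-trip on the runner. At minimum narrow the exclusion to `!cosign.key` so the public key ships with the artifacts, and add a comment above the "Generate key pair" step such as `# Ephemeral per-run key: the signature proves integrity between signing and upload, not who built the artifact`; keyless signing (`cosign sign-blob --yes --bundle …` with `id-token: write` on the job) would instead bind the signature to the workflow identity, but the job's permissions block is outside this hunk so I cannot confirm it is available. Two smaller points in the same step: `cosign attest-blob --predicate -` reads the predicate from stdin, which in a `run:` step is presumably empty, so the `.intoto.jsonl` file likely carries no useful predicate unless a predicate file is supplied, and `cosign generate-key-pair` takes its password from `COSIGN_PASSWORD` or stdin, so it should be set explicitly in `env:` rather than left to whatever stdin supplies. The second "Display structure of downloaded files" step and "Upload signed artifacts" also lack the `if: steps.checkTag.outputs.exists == 'false'` guard that every neighbouring step carries.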
