From 1cfce43a5a33461902caad8a1cc29ff4ed5aad1e Mon Sep 17 00:00:00 2001 From: Ludy87 Date: Fri, 17 Jan 2025 16:53:36 +0100 Subject: [PATCH] Update release.yaml --- .github/workflows/release.yaml | 199 ++++++++++++++++++++++----------- 1 file changed, 131 insertions(+), 68 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index bd48c70..e8e05b6 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
@@ -72,87 +72,150 @@ jobs: cd ${{ github.workspace }}/custom_components/xplora_watch zip -r xplora_watch.zip ./ - - name: Generate artifact attestation + - name: Upload build artifacts if: steps.checkTag.outputs.exists == 'false' - id: attestation - uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0 + uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 with: - subject-path: ${{ github.workspace }}/custom_components/xplora_watch/xplora_watch.zip + retention-days: 1 + if-no-files-found: error + name: xplora_watch-binaries + path: | + ${{ github.workspace }}/custom_components/xplora_watch/xplora_watch.zip - - name: Debug attestation output + - name: Download build artifacts if: steps.checkTag.outputs.exists == 'false' - run: | - echo "Bundle path: ${{ steps.attestation.outputs.bundle-path }}" - ls -l "${{ steps.attestation.outputs.bundle-path }}" - - - name: Copy attestation - if: steps.checkTag.outputs.exists == 'false' - run: | - cp "${{ steps.attestation.outputs.bundle-path }}" ${{ github.workspace }}/custom_components/xplora_watch/xplora_watch.zip.intoto.jsonl - - - name: Import GPG key - if: steps.checkTag.outputs.exists == 'false' - env: - GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }} - PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} - run: | - mkdir -p ~/.gnupg - chmod 700 ~/.gnupg - echo "$GPG_PRIVATE_KEY" | gpg --batch --import - echo "use-agent" > ~/.gnupg/gpg.conf - echo "allow-loopback-pinentry" >> ~/.gnupg/gpg.conf - gpg --list-keys - - - name: Debug Passphrase - if: steps.checkTag.outputs.exists == 'false' - run: | - if [ -z "$PASSPHRASE" ]; then - echo "Passphrase is empty!" - exit 1 - else - echo "Passphrase is set." 
- fi - env: - PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 + with: + name: xplora_watch-binaries - - name: Sign ZIP file + - name: Display structure of downloaded files if: steps.checkTag.outputs.exists == 'false' - env: - PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} - run: | - gpg --detach-sign --batch --yes --pinentry-mode loopback --passphrase "$PASSPHRASE" \ - -o ${{ github.workspace }}/custom_components/xplora_watch/xplora_watch.zip.asc \ - ${{ github.workspace }}/custom_components/xplora_watch/xplora_watch.zip + run: ls -R - - name: Upload zip to release + - name: Install Cosign if: steps.checkTag.outputs.exists == 'false' - uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # v2 - with: - repo_token: ${{ secrets.GITHUB_TOKEN }} - file: ${{ github.workspace }}/custom_components/xplora_watch/xplora_watch.zip - asset_name: xplora_watch.zip - tag: ${{ steps.version.outputs.version }} - overwrite: true + uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 - - name: Upload zip to release + - name: Generate key pair if: steps.checkTag.outputs.exists == 'false' - uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # v2 - with: - repo_token: ${{ secrets.GITHUB_TOKEN }} - file: ${{ github.workspace }}/custom_components/xplora_watch/xplora_watch.zip.asc - asset_name: xplora_watch.zip.asc - tag: ${{ steps.version.outputs.version }} - overwrite: true + run: cosign generate-key-pair - - name: Upload zip to release + - name: Sign and generate attestations if: steps.checkTag.outputs.exists == 'false' - uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # v2 + run: | + cosign sign-blob \ + --key ./cosign.key \ + --yes \ + --output-signature ./xplora_watch.zip.sig \ + ./xplora_watch.zip + + cosign attest-blob \ + --predicate - \ + --key ./cosign.key \ + --yes \ + --output-attestation 
./xplora_watch.zip.intoto.jsonl \ + ./xplora_watch.zip + + cosign verify-blob \ + --key ./cosign.pub \ + --signature ./xplora_watch.zip.sig \ + ./xplora_watch.zip + + - name: Display structure of downloaded files + run: ls -R + + - name: Upload signed artifacts + uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 with: - repo_token: ${{ secrets.GITHUB_TOKEN }} - file: ${{ github.workspace }}/custom_components/xplora_watch/xplora_watch.zip.intoto.jsonl - asset_name: xplora_watch.zip.intoto.jsonl - tag: ${{ steps.version.outputs.version }} - overwrite: true + retention-days: 1 + if-no-files-found: error + name: xplora_watch-signed + path: | + xplora_watch.zip + xplora_watch.zip.* + !cosign.* + + # - name: Generate artifact attestation + # if: steps.checkTag.outputs.exists == 'false' + # id: attestation + # uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0 + # with: + # subject-path: ${{ github.workspace }}/custom_components/xplora_watch/xplora_watch.zip + + # - name: Debug attestation output + # if: steps.checkTag.outputs.exists == 'false' + # run: | + # echo "Bundle path: ${{ steps.attestation.outputs.bundle-path }}" + # ls -l "${{ steps.attestation.outputs.bundle-path }}" + + # - name: Copy attestation + # if: steps.checkTag.outputs.exists == 'false' + # run: | + # cp "${{ steps.attestation.outputs.bundle-path }}" ${{ github.workspace }}/custom_components/xplora_watch/xplora_watch.zip.intoto.jsonl + + # - name: Import GPG key + # if: steps.checkTag.outputs.exists == 'false' + # env: + # GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }} + # PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} + # run: | + # mkdir -p ~/.gnupg + # chmod 700 ~/.gnupg + # echo "$GPG_PRIVATE_KEY" | gpg --batch --import + # echo "use-agent" > ~/.gnupg/gpg.conf + # echo "allow-loopback-pinentry" >> ~/.gnupg/gpg.conf + # gpg --list-keys + + # - name: Debug Passphrase + # if: steps.checkTag.outputs.exists == 'false' + # run: | + # if [ -z 
"$PASSPHRASE" ]; then + # echo "Passphrase is empty!" + # exit 1 + # else + # echo "Passphrase is set." + # fi + # env: + # PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} + + # - name: Sign ZIP file + # if: steps.checkTag.outputs.exists == 'false' + # env: + # PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} + # run: | + # gpg --detach-sign --batch --yes --pinentry-mode loopback --passphrase "$PASSPHRASE" \ + # -o ${{ github.workspace }}/custom_components/xplora_watch/xplora_watch.zip.asc \ + # ${{ github.workspace }}/custom_components/xplora_watch/xplora_watch.zip + + # - name: Upload zip to release + # if: steps.checkTag.outputs.exists == 'false' + # uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # v2 + # with: + # repo_token: ${{ secrets.GITHUB_TOKEN }} + # file: ${{ github.workspace }}/custom_components/xplora_watch/xplora_watch.zip + # asset_name: xplora_watch.zip + # tag: ${{ steps.version.outputs.version }} + # overwrite: true + + # - name: Upload zip to release + # if: steps.checkTag.outputs.exists == 'false' + # uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # v2 + # with: + # repo_token: ${{ secrets.GITHUB_TOKEN }} + # file: ${{ github.workspace }}/custom_components/xplora_watch/xplora_watch.zip.asc + # asset_name: xplora_watch.zip.asc + # tag: ${{ steps.version.outputs.version }} + # overwrite: true + + # - name: Upload zip to release + # if: steps.checkTag.outputs.exists == 'false' + # uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # v2 + # with: + # repo_token: ${{ secrets.GITHUB_TOKEN }} + # file: ${{ github.workspace }}/custom_components/xplora_watch/xplora_watch.zip.intoto.jsonl + # asset_name: xplora_watch.zip.intoto.jsonl + # tag: ${{ steps.version.outputs.version }} + # overwrite: true - name: Create Release if: steps.checkTag.outputs.exists == 'false'
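Review bot: The signature produced by the new "Sign and generate attestations" step is not verifiable by anyone downstream: `cosign generate-key-pair` mints a fresh key on every run, the `--key ./cosign.key` signature is checked only against the `cosign.pub` from that same run, and the `!cosign.*` exclusion then drops the public key from the uploaded artifact, so `xplora_watch.zip.sig` and `xplora_watch.zip.intoto.jsonl` carry no trust anchor at all (the removed `attest-build-provenance` step at least bound provenance to the workflow identity). The attestation is also weak on its own terms, since `--predicate -` appears to take the predicate from stdin, which supplies nothing in a non-interactive `run:` step, and no `--type` is given. I would switch to keyless signing, which binds the signature to this workflow's OIDC identity and needs `permissions: id-token: write` on the job (the job's `permissions` block is above this hunk), and verify against that identity rather than a self-generated key. Separately, the trailing "Display structure of downloaded files" and "Upload signed artifacts" steps lack the `if: steps.checkTag.outputs.exists == 'false'` guard every other step has, so on a re-run for an existing tag `if-no-files-found: error` fails the job. The hunk's trailing context (`Create Release`) continues past the visible lines.

```yaml
      - name: Sign and generate attestations
        if: steps.checkTag.outputs.exists == 'false'
        # Keyless Sigstore signing: the short-lived certificate is issued to this
        # job's OIDC identity, so no private key is generated or kept on the runner.
        run: |
          cosign sign-blob --yes \
            --bundle ./xplora_watch.zip.sigstore.json \
            ./xplora_watch.zip

          # … attest-blob: unchanged apart from supplying a real predicate file and an explicit --type …

          cosign verify-blob \
            --bundle ./xplora_watch.zip.sigstore.json \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            --certificate-identity-regexp '^https://github.com/${{ github.repository }}/' \
            ./xplora_watch.zip
```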