commit 4b190af
Showing
8 changed files
with
552 additions
and
0 deletions.
@@ -0,0 +1,23 @@ | ||
--- | ||
name: Build Docker Image | ||
|
||
# yamllint disable-line rule:truthy | ||
on: [push, pull_request] | ||
|
||
jobs: | ||
build-docker: | ||
name: "Build Docker Image" | ||
runs-on: ubuntu-22.04 | ||
steps: | ||
- uses: actions/checkout@v4 | ||
- name: Build Docker Image | ||
run: | | ||
docker build \ | ||
--build-arg CONTAINER \ | ||
--build-arg VERSION \ | ||
-t sdk \ | ||
. | ||
env: | ||
# Utilize matrix with release-versions once available | ||
VERSION: master | ||
shell: bash |
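Review bot: The workflow runs with the default GITHUB_TOKEN scope and pulls `actions/checkout@v4` by a mutable tag; for a repository that hosts signing tooling both are worth tightening, and the same applies to the Lint and Tests workflows further down this commit. A top-level `permissions:` / `  contents: read` block limits what a compromised step could do with the token, and pinning `uses: actions/checkout@<commit-sha-placeholder> # v4` makes the dependency immutable. `--build-arg CONTAINER` is passed without a `CONTAINER` entry in `env:`, so docker appears to fall back to the Dockerfile's `ARG CONTAINER` default; if that is intended, a comment next to `VERSION: master` saying so would save the next reader a trip to the Dockerfile.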
@@ -0,0 +1,34 @@ | ||
--- | ||
name: "Lint" | ||
|
||
# yamllint disable-line rule:truthy | ||
on: [push, pull_request] | ||
|
||
jobs: | ||
lint-yaml: | ||
name: "YAML" | ||
runs-on: ubuntu-22.04 | ||
env: | ||
YAML_FILES: | | ||
.github/workflows/build.yml | ||
.github/workflows/lint.yml | ||
.github/workflows/test.yml | ||
action.yml | ||
steps: | ||
- uses: actions/checkout@v4 | ||
- name: Install Dependencies | ||
run: sudo apt-get update && sudo apt-get install -y yamllint shellcheck | ||
- name: Validate YAML Files | ||
run: yamllint $YAML_FILES | ||
|
||
shellcheck: | ||
name: "Shell Scripts" | ||
runs-on: ubuntu-22.04 | ||
env: | ||
SHELL_FILES: entrypoint.sh | ||
steps: | ||
- uses: actions/checkout@v4 | ||
- name: Install Dependencies | ||
run: sudo apt-get update && sudo apt-get install -y shellcheck | ||
- name: Validate Shell Scripts | ||
run: shellcheck $SHELL_FILES |
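Review bot: The `lint-yaml` job installs shellcheck it never runs (`apt-get install -y yamllint shellcheck`); only the `shellcheck` job needs it, so the YAML job's install line can be `run: sudo apt-get update && sudo apt-get install -y yamllint`. `$YAML_FILES` and `$SHELL_FILES` are deliberately left unquoted so the newline-separated block scalar word-splits into arguments; a one-line comment above each `env:` block stating that would stop a later "quote all variables" cleanup from breaking the jobs.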
@@ -0,0 +1,126 @@ | ||
--- | ||
# yamllint disable rule:line-length | ||
name: "Tests" | ||
|
||
# yamllint disable-line rule:truthy | ||
on: [push, pull_request] | ||
|
||
env: | ||
ACTION_SIGNING_KEY_VALID: >- | ||
705fcde17e1ef047bff686a5972028f9d1eb63b9db2a7cf493e3cf53a39f1d56 | ||
ACTION_SIGNING_KEY_INVALID: >- | ||
705fcde17e1ef047bff | ||
jobs: | ||
test-valid-writeback: | ||
name: "valid-manifest-valid-key-writeback" | ||
runs-on: ubuntu-22.04 | ||
env: | ||
ACTION_SIGNATURE_VALID: >- | ||
4ea72551d2cb204d66a5f6cd64b1b47eb0f5307f17d0d8cf3a9bc4a55039cc0f69309750aad3e8bd8c70d96d5814a8cdfda03e3d6b2e964ddb71bf6ec719bd08 | ||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@v4 | ||
- name: Checkout Gluon | ||
uses: actions/checkout@v4 | ||
with: | ||
repository: freifunk-gluon/gluon | ||
path: gluon-repo | ||
- name: Sign Valid | ||
id: signature-output | ||
uses: "./" | ||
with: | ||
gluon-path: gluon-repo | ||
manifest: tests/valid.manifest | ||
signing-key: ${{ env.ACTION_SIGNING_KEY_VALID }} | ||
write-signature: true | ||
- name: Check writeback Signature | ||
run: | | ||
if [ "$(tail -n1 ./tests/valid.manifest)" != "$ACTION_SIGNATURE_VALID" ]; then | ||
echo "Signature does not match" | ||
exit 1 | ||
fi | ||
- name: Check output Signature | ||
env: | ||
ACTION_SIGNATURE_OUTPUT: ${{ steps.signature-output.outputs.signature }} | ||
run: | | ||
if [ "$ACTION_SIGNATURE_OUTPUT" != "$ACTION_SIGNATURE_VALID" ]; then | ||
echo "Signature does not match" | ||
exit 1 | ||
fi | ||
test-valid-no-writeback: | ||
name: "valid-manifest-valid-key-no-writeback" | ||
runs-on: ubuntu-22.04 | ||
env: | ||
ACTION_SIGNATURE_VALID: >- | ||
4ea72551d2cb204d66a5f6cd64b1b47eb0f5307f17d0d8cf3a9bc4a55039cc0f69309750aad3e8bd8c70d96d5814a8cdfda03e3d6b2e964ddb71bf6ec719bd08 | ||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@v4 | ||
- name: Checkout Gluon | ||
uses: actions/checkout@v4 | ||
with: | ||
repository: freifunk-gluon/gluon | ||
path: gluon-repo | ||
- name: Sign Valid | ||
id: signature-output | ||
uses: "./" | ||
with: | ||
gluon-path: gluon-repo | ||
manifest: tests/valid.manifest | ||
signing-key: ${{ env.ACTION_SIGNING_KEY_VALID }} | ||
write-signature: true | ||
- name: Check writeback Signature | ||
run: | | ||
if ! grep -q "$ACTION_SIGNATURE_VALID" ./tests/valid.manifest; then | ||
echo "Signature contained in output file" | ||
exit 1 | ||
fi | ||
- name: Check output Signature | ||
env: | ||
ACTION_SIGNATURE_OUTPUT: ${{ steps.signature-output.outputs.signature }} | ||
run: | | ||
if [ "$ACTION_SIGNATURE_OUTPUT" != "$ACTION_SIGNATURE_VALID" ]; then | ||
echo "Signature does not match" | ||
exit 1 | ||
fi | ||
test-invalid-writeback: | ||
name: "valid-manifest-invalid-key-writeback" | ||
runs-on: ubuntu-22.04 | ||
env: | ||
ACTION_SIGNATURE_VALID: >- | ||
4ea72551d2cb204d66a5f6cd64b1b47eb0f5307f17d0d8cf3a9bc4a55039cc0f69309750aad3e8bd8c70d96d5814a8cdfda03e3d6b2e964ddb71bf6ec719bd08 | ||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@v4 | ||
- name: Checkout Gluon | ||
uses: actions/checkout@v4 | ||
with: | ||
repository: freifunk-gluon/gluon | ||
path: gluon-repo | ||
- name: Save Manifest | ||
id: manifest-sha256 | ||
run: echo "manifest-sha256=$(sha256sum tests/valid.manifest | cut -d " " -f 1 )" > $GITHUB_OUTPUT && cat $GITHUB_OUTPUT | ||
- name: Sign Valid | ||
id: signature-output | ||
continue-on-error: true | ||
uses: "./" | ||
with: | ||
gluon-path: gluon-repo | ||
manifest: tests/valid.manifest | ||
signing-key: ${{ env.ACTION_SIGNING_KEY_INVALID }} | ||
write-signature: true | ||
- name: Check signature step failed | ||
run: | | ||
if [ ${{ steps.signature-output.outcome }} != "failure" ]; then | ||
echo "Signature step did not fail" | ||
exit 1 | ||
fi | ||
- name: Check writeback Signature | ||
run: | | ||
if [ "$(sha256sum tests/valid.manifest | cut -d " " -f 1 )" != "${{ steps.manifest-sha256.outputs.manifest-sha256 }}" ]; then | ||
echo "Signature does not match" | ||
exit 1 | ||
fi |
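Review bot: The `test-valid-no-writeback` job does not exercise the no-writeback path: its Sign step still passes `write-signature: true`, and the guard `if ! grep -q "$ACTION_SIGNATURE_VALID" ./tests/valid.manifest` fails when the signature is absent while printing "Signature contained in output file", so the job is a copy of the writeback job with an inverted message. Change the input to `write-signature: false` and the guard to `if grep -q "$ACTION_SIGNATURE_VALID" ./tests/valid.manifest; then`; the following output-signature check stays valid because action.yml reads the output from its own `${RUNNER_TEMP}/workdir/signing.manifest` copy. In the invalid-key job, `${{ steps.signature-output.outcome }}` and `${{ steps.manifest-sha256.outputs.manifest-sha256 }}` are interpolated straight into `run:` scripts; both values are runner-controlled here, but passing them through `env:` as the other checks do keeps the pattern consistent and avoids shell quoting surprises. The hex value under `ACTION_SIGNING_KEY_VALID` is a private key committed to the repository; a comment marking it as a throwaway test fixture would prevent it from ever being mistaken for a release key.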
@@ -0,0 +1,7 @@ | ||
ARG CONTAINER=ghcr.io/freifunk-gluon/gluon-build | ||
ARG VERSION=master | ||
FROM $CONTAINER:$VERSION | ||
|
||
COPY --chmod=0755 entrypoint.sh / | ||
|
||
ENTRYPOINT ["/entrypoint.sh"] |
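Review bot: `FROM $CONTAINER:$VERSION` resolves to the mutable `master` tag by default, so the toolchain that handles the signing key changes underneath every build; defaulting `ARG VERSION` to a released tag (`ARG VERSION=<release-tag-placeholder>`) or appending a digest (`@sha256:<digest-placeholder>`) makes builds reproducible, and the `container-version` input in action.yml already lets callers override it. `COPY --chmod=0755` requires BuildKit, which the GitHub-hosted runner's Docker is likely to provide, but a `# syntax=docker/dockerfile:1` first line documents that requirement for local builds.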
@@ -0,0 +1,23 @@ | ||
# action-sign | ||
|
||
This action allows for signing a manifest file generated by the Gluons `make manifest`. | ||
|
||
## Inputs | ||
## gluon-path | ||
Path to a checked-out Gluon repository used for signing. | ||
|
||
## container-version | ||
Gluon [build-container](https://github.com/freifunk-gluon/gluon/pkgs/container/gluon-build) version to use. | ||
|
||
## manifest | ||
Path to a Gluon autoupdater manifest. | ||
|
||
## signing-key | ||
ECDSA key generated by [ecdsautils](https://github.com/freifunk-gluon/ecdsautils) used for signing the manifest. | ||
|
||
## write-signature | ||
Whether or not to append the signature to the input manifest. | ||
|
||
## Outputs | ||
### signature | ||
The signature resulted from signing a given manifest with a given key. |
@@ -0,0 +1,54 @@ | ||
--- | ||
# yamllint disable rule:line-length | ||
name: "Sign Gluon Manifest" | ||
description: "Sign Gluon Manifest using the build-gluon container" | ||
inputs: | ||
gluon-path: | ||
description: 'Path to an initialized Gluon repository' | ||
required: true | ||
container-version: | ||
description: 'Container version to use' | ||
default: 'master' | ||
manifest: | ||
description: 'Location of the manifest file to sign' | ||
required: true | ||
signing-key: | ||
description: 'ECDSA key to sign manifest with' | ||
required: true | ||
write-signature: | ||
description: 'Write signature to manifest file' | ||
default: true | ||
|
||
outputs: | ||
signature: | ||
description: 'Signature output' | ||
value: ${{ steps.signature-output.outputs.signature }} | ||
|
||
runs: | ||
using: 'composite' | ||
steps: | ||
- run: docker build --build-arg CONTAINER --build-arg VERSION -t sdk $GITHUB_ACTION_PATH | ||
env: | ||
VERSION: ${{ inputs.container-version }} | ||
shell: bash | ||
- run: mkdir -p ${RUNNER_TEMP}/workdir | ||
shell: bash | ||
- run: echo "${{ inputs.signing-key }}" > "${RUNNER_TEMP}/workdir/signing.key" | ||
shell: bash | ||
- run: cp "${{ inputs.manifest }}" "${RUNNER_TEMP}/workdir/signing.manifest" | ||
shell: bash | ||
- run: | | ||
docker run --rm \ | ||
--user "$(id -u):$(id -g)" \ | ||
--volume "${GITHUB_WORKSPACE}/${ACTION_GLUON_PATH}:/gluon/gluon-repo" \ | ||
--volume "${RUNNER_TEMP}/workdir:/gluon/workdir" \ | ||
sdk | ||
env: | ||
ACTION_GLUON_PATH: ${{ inputs.gluon-path }} | ||
shell: bash | ||
- run: cp "${RUNNER_TEMP}/workdir/signing.manifest" "${{ inputs.manifest }}" | ||
shell: bash | ||
if: inputs.write-signature == 'true' | ||
- run: echo "signature=$(tail -n1 "${RUNNER_TEMP}/workdir/signing.manifest")" > $GITHUB_OUTPUT | ||
id: signature-output | ||
shell: bash |
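Review bot: `echo "${{ inputs.signing-key }}" > "${RUNNER_TEMP}/workdir/signing.key"` expands the input inside the shell script text, so a key value containing `"`, `$` or backticks breaks the step or is interpreted by the shell; the two `cp "${{ inputs.manifest }}"` steps have the same pattern, while the `docker run` step already does it right through `ACTION_GLUON_PATH`. Route each input through `env:` and reference it as a shell variable, e.g. `- run: printf '%s\n' "$ACTION_SIGNING_KEY" > "${RUNNER_TEMP}/workdir/signing.key"` with `env:` / `ACTION_SIGNING_KEY: ${{ inputs.signing-key }}`. A `umask 077` before the write keeps the key file readable only by the runner user, which the `--user "$(id -u):$(id -g)"` container process still is. The last step's `> $GITHUB_OUTPUT` should be `>>`, the documented append form, even though a single write per step happens to work.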
@@ -0,0 +1,11 @@ | ||
#!/bin/bash | ||
|
||
set -euxo pipefail | ||
|
||
WORKDIR="/gluon/workdir" | ||
GLUON_DIR="/gluon/gluon-repo" | ||
|
||
SIGNING_KEY_PATH="$WORKDIR/signing.key" | ||
MANIFEST_PATH="$WORKDIR/signing.manifest" | ||
|
||
$GLUON_DIR/contrib/sign.sh "$SIGNING_KEY_PATH" "$MANIFEST_PATH" |
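Review bot: The script hands the mounted signing key to `$GLUON_DIR/contrib/sign.sh`, i.e. to code taken from whatever Gluon checkout the caller supplied via `gluon-path`; a header comment such as `# sign.sh comes from the caller-supplied Gluon checkout and can read the key, so that checkout must be a trusted, pinned revision` records the trust assumption the action rests on. `$GLUON_DIR/contrib/sign.sh` is the only unquoted expansion in the file; writing it as `"$GLUON_DIR/contrib/sign.sh"` matches the two quoted arguments. With `set -x` the trace shows paths only, which is fine as long as sign.sh itself does not echo the key material it is given.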