initial commit

.github/workflows/build.yml

@@ -0,0 +1,23 @@
+---
+name: Build Docker Image
+
+# yamllint disable-line rule:truthy
+on: [push, pull_request]
+
+jobs:
+  build-docker:
+    name: "Build Docker Image"
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4
+      - name: Build Docker Image
+        run: |
+          docker build \
+            --build-arg CONTAINER \
+            --build-arg VERSION \
+            -t sdk \
+            .
+        env:
+          # Utilize matrix with release-versions once available
+          VERSION: master
+        shell: bash

.github/workflows/lint.yml

@@ -0,0 +1,34 @@
+---
+name: "Lint"
+
+# yamllint disable-line rule:truthy
+on: [push, pull_request]
+
+jobs:
+  lint-yaml:
+    name: "YAML"
+    runs-on: ubuntu-22.04
+    env:
+      YAML_FILES: |
+        .github/workflows/build.yml
+        .github/workflows/lint.yml
+        .github/workflows/test.yml
+        action.yml
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install Dependencies
+        run: sudo apt-get update && sudo apt-get install -y yamllint shellcheck
+      - name: Validate YAML Files
+        run: yamllint $YAML_FILES
+
+  shellcheck:
+    name: "Shell Scripts"
+    runs-on: ubuntu-22.04
+    env:
+      SHELL_FILES: entrypoint.sh
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install Dependencies
+        run: sudo apt-get update && sudo apt-get install -y shellcheck
+      - name: Validate Shell Scripts
+        run: shellcheck $SHELL_FILES

.github/workflows/test.yml

@@ -0,0 +1,126 @@
+---
+# yamllint disable rule:line-length
+name: "Tests"
+
+# yamllint disable-line rule:truthy
+on: [push, pull_request]
+
+env:
+  ACTION_SIGNING_KEY_VALID: >-
+    705fcde17e1ef047bff686a5972028f9d1eb63b9db2a7cf493e3cf53a39f1d56
+  ACTION_SIGNING_KEY_INVALID: >-
+    705fcde17e1ef047bff
+
+jobs:
+  test-valid-writeback:
+    name: "valid-manifest-valid-key-writeback"
+    runs-on: ubuntu-22.04
+    env:
+      ACTION_SIGNATURE_VALID: >-
+        4ea72551d2cb204d66a5f6cd64b1b47eb0f5307f17d0d8cf3a9bc4a55039cc0f69309750aad3e8bd8c70d96d5814a8cdfda03e3d6b2e964ddb71bf6ec719bd08
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Checkout Gluon
+        uses: actions/checkout@v4
+        with:
+          repository: freifunk-gluon/gluon
+          path: gluon-repo
+      - name: Sign Valid
+        id: signature-output
+        uses: "./"
+        with:
+          gluon-path: gluon-repo
+          manifest: tests/valid.manifest
+          signing-key: ${{ env.ACTION_SIGNING_KEY_VALID }}
+          write-signature: true
+      - name: Check writeback Signature
+        run: |
+          if [ "$(tail -n1 ./tests/valid.manifest)" != "$ACTION_SIGNATURE_VALID" ]; then
+            echo "Signature does not match"
+            exit 1
+          fi
+      - name: Check output Signature
+        env:
+          ACTION_SIGNATURE_OUTPUT: ${{ steps.signature-output.outputs.signature }}
+        run: |
+          if [ "$ACTION_SIGNATURE_OUTPUT" != "$ACTION_SIGNATURE_VALID" ]; then
+            echo "Signature does not match"
+            exit 1
+          fi
+
+  test-valid-no-writeback:
+    name: "valid-manifest-valid-key-no-writeback"
+    runs-on: ubuntu-22.04
+    env:
+      ACTION_SIGNATURE_VALID: >-
+        4ea72551d2cb204d66a5f6cd64b1b47eb0f5307f17d0d8cf3a9bc4a55039cc0f69309750aad3e8bd8c70d96d5814a8cdfda03e3d6b2e964ddb71bf6ec719bd08
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Checkout Gluon
+        uses: actions/checkout@v4
+        with:
+          repository: freifunk-gluon/gluon
+          path: gluon-repo
+      - name: Sign Valid
+        id: signature-output
+        uses: "./"
+        with:
+          gluon-path: gluon-repo
+          manifest: tests/valid.manifest
+          signing-key: ${{ env.ACTION_SIGNING_KEY_VALID }}
+          write-signature: true
+      - name: Check writeback Signature
+        run: |
+          if ! grep -q "$ACTION_SIGNATURE_VALID" ./tests/valid.manifest; then
+            echo "Signature contained in output file"
+            exit 1
+          fi
+      - name: Check output Signature
+        env:
+          ACTION_SIGNATURE_OUTPUT: ${{ steps.signature-output.outputs.signature }}
+        run: |
+          if [ "$ACTION_SIGNATURE_OUTPUT" != "$ACTION_SIGNATURE_VALID" ]; then
+            echo "Signature does not match"
+            exit 1
+          fi
+
+  test-invalid-writeback:
+    name: "valid-manifest-invalid-key-writeback"
+    runs-on: ubuntu-22.04
+    env:
+      ACTION_SIGNATURE_VALID: >-
+        4ea72551d2cb204d66a5f6cd64b1b47eb0f5307f17d0d8cf3a9bc4a55039cc0f69309750aad3e8bd8c70d96d5814a8cdfda03e3d6b2e964ddb71bf6ec719bd08
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Checkout Gluon
+        uses: actions/checkout@v4
+        with:
+          repository: freifunk-gluon/gluon
+          path: gluon-repo
+      - name: Save Manifest
+        id: manifest-sha256
+        run: echo "manifest-sha256=$(sha256sum tests/valid.manifest | cut -d " " -f 1 )" > $GITHUB_OUTPUT && cat $GITHUB_OUTPUT
+      - name: Sign Valid
+        id: signature-output
+        continue-on-error: true
+        uses: "./"
+        with:
+          gluon-path: gluon-repo
+          manifest: tests/valid.manifest
+          signing-key: ${{ env.ACTION_SIGNING_KEY_INVALID }}
+          write-signature: true
+      - name: Check signature step failed
+        run: |
+          if [ ${{ steps.signature-output.outcome }} != "failure" ]; then
+            echo "Signature step did not fail"
+            exit 1
+          fi
+      - name: Check writeback Signature
+        run: |
+          if [ "$(sha256sum tests/valid.manifest | cut -d " " -f 1 )" != "${{ steps.manifest-sha256.outputs.manifest-sha256 }}" ]; then
+            echo "Signature does not match"
+            exit 1
+          fi

Dockerfile

@@ -0,0 +1,7 @@
+ARG CONTAINER=ghcr.io/freifunk-gluon/gluon-build
+ARG VERSION=master
+FROM $CONTAINER:$VERSION
+
+COPY --chmod=0755 entrypoint.sh /
+
+ENTRYPOINT ["/entrypoint.sh"]

README.md

@@ -0,0 +1,23 @@
+# action-sign
+
+This action allows for signing a manifest file generated by the Gluons `make manifest`.
+
+## Inputs
+## gluon-path
+Path to a checked-out Gluon repository used for signing.
+
+## container-version
+Gluon [build-container](https://github.com/freifunk-gluon/gluon/pkgs/container/gluon-build) version to use.
+
+## manifest
+Path to a Gluon autoupdater manifest.
+
+## signing-key
+ECDSA key generated by [ecdsautils](https://github.com/freifunk-gluon/ecdsautils) used for signing the manifest.
+
+## write-signature
+Whether or not to append the signature to the input manifest.
+
+## Outputs
+### signature
+The signature resulted from signing a given manifest with a given key.

action.yml

@@ -0,0 +1,54 @@
+---
+# yamllint disable rule:line-length
+name: "Sign Gluon Manifest"
+description: "Sign Gluon Manifest using the build-gluon container"
+inputs:
+  gluon-path:
+    description: 'Path to an initialized Gluon repository'
+    required: true
+  container-version:
+    description: 'Container version to use'
+    default: 'master'
+  manifest:
+    description: 'Location of the manifest file to sign'
+    required: true
+  signing-key:
+    description: 'ECDSA key to sign manifest with'
+    required: true
+  write-signature:
+    description: 'Write signature to manifest file'
+    default: true
+
+outputs:
+  signature:
+    description: 'Signature output'
+    value: ${{ steps.signature-output.outputs.signature }}
+
+runs:
+  using: 'composite'
+  steps:
+    - run: docker build --build-arg CONTAINER --build-arg VERSION -t sdk $GITHUB_ACTION_PATH
+      env:
+        VERSION: ${{ inputs.container-version }}
+      shell: bash
+    - run: mkdir -p ${RUNNER_TEMP}/workdir
+      shell: bash
+    - run: echo "${{ inputs.signing-key }}" > "${RUNNER_TEMP}/workdir/signing.key"
+      shell: bash
+    - run: cp "${{ inputs.manifest }}" "${RUNNER_TEMP}/workdir/signing.manifest"
+      shell: bash
+    - run: |
+        docker run --rm \
+          --user "$(id -u):$(id -g)" \
+          --volume "${GITHUB_WORKSPACE}/${ACTION_GLUON_PATH}:/gluon/gluon-repo" \
+          --volume "${RUNNER_TEMP}/workdir:/gluon/workdir" \
+          sdk
+      env:
+        ACTION_GLUON_PATH: ${{ inputs.gluon-path }}
+      shell: bash
+    - run: cp "${RUNNER_TEMP}/workdir/signing.manifest" "${{ inputs.manifest }}"
+      shell: bash
+      if: inputs.write-signature == 'true'
+    - run: echo "signature=$(tail -n1 "${RUNNER_TEMP}/workdir/signing.manifest")" > $GITHUB_OUTPUT
+      id: signature-output
+      shell: bash

entrypoint.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+set -euxo pipefail
+
+WORKDIR="/gluon/workdir"
+GLUON_DIR="/gluon/gluon-repo"
+
+SIGNING_KEY_PATH="$WORKDIR/signing.key"
+MANIFEST_PATH="$WORKDIR/signing.manifest"
+
+$GLUON_DIR/contrib/sign.sh "$SIGNING_KEY_PATH" "$MANIFEST_PATH"