From 2ca29e384f5f17518f0acd881a5fe71e8c8d4570 Mon Sep 17 00:00:00 2001 From: jrfnl Date: Sun, 8 Dec 2024 20:10:26 +0100 Subject: [PATCH] Remove duplication --- .github/workflows/verify-release.yml | 203 ++++----------------------- 1 file changed, 27 insertions(+), 176 deletions(-) diff --git a/.github/workflows/verify-release.yml b/.github/workflows/verify-release.yml index f7ec6ef638..5238267ff7 100644 --- a/.github/workflows/verify-release.yml +++ b/.github/workflows/verify-release.yml @@ -23,19 +23,23 @@ concurrency: jobs: ############################ - # Verify the release assets. + # Verify the release is available in all the right places and works as expected. ############################ - verify-release-assets: + verify-available-downloads: runs-on: ubuntu-latest strategy: fail-fast: false matrix: + download_flavour: + - "Release assets" + - "Unversioned web" + - "Versioned web" pharfile: - 'phpcs' - 'phpcbf' - name: "Release assets: ${{ matrix.pharfile }}" + name: "${{ matrix.download_flavour }}: ${{ matrix.pharfile }}" steps: - name: Retrieve latest release info @@ -57,184 +61,33 @@ jobs: - name: "DEBUG: Show tag name found in API response" run: "echo ${{ steps.version.outputs.TAG }}" - - - name: Verify PHAR file is available and download - run: wget -O ${{ matrix.pharfile }}.phar https://github.com/PHPCSStandards/PHP_CodeSniffer/releases/latest/download/${{ matrix.pharfile }}.phar - - - name: Verify signature file is available and download - run: wget -O ${{ matrix.pharfile }}.phar.asc https://github.com/PHPCSStandards/PHP_CodeSniffer/releases/latest/download/${{ matrix.pharfile }}.phar.asc - - - name: "DEBUG: List files" - run: ls -Rlh - - - name: Verify attestation of the PHAR file - run: gh attestation verify ${{ matrix.pharfile }}.phar -o PHPCSStandards - env: - GH_TOKEN: ${{ github.token }} - - - name: Download public key - env: - FINGERPRINT: "0x689DAD778FF08760E046228BA978220305CD5C32" - run: gpg --keyserver hkps://keys.openpgp.org --recv-keys $FINGERPRINT - - - name: Verify signature of the PHAR file - run: gpg --verify ${{ matrix.pharfile }}.phar.asc ${{ matrix.pharfile }}.phar - - - name: Setup PHP - uses: shivammathur/setup-php@v2 - with: - php-version: 'latest' - ini-values: error_reporting=-1, display_errors=On - coverage: none - - # Note: the `.` is in the command to make it work for both PHPCS as well PHPCBF. - - name: Verify the PHAR is nominally functional - run: php ${{ matrix.pharfile }}.phar . -e --standard=PSR12 - - - name: Grab the version - id: asset_version - env: - FILE_NAME: ${{ matrix.pharfile }}.phar - # yamllint disable-line rule:line-length - run: echo "VERSION=$(php "$FILE_NAME" --version | grep --only-matching --max-count=1 --extended-regexp '\b[0-9]+(\.[0-9]+)+')" >> "$GITHUB_OUTPUT" - - - name: "DEBUG: Show grabbed version" - run: echo ${{ steps.asset_version.outputs.VERSION }} - - - name: Fail the build if the PHAR is not the correct version - if: ${{ steps.asset_version.outputs.VERSION != steps.version.outputs.TAG }} - run: exit 1 - - ########################################## - # Verify plain downloads from the website. - ########################################## - verify-plain-web: - runs-on: ubuntu-latest - - strategy: - fail-fast: false - matrix: - pharfile: - - 'phpcs' - - 'phpcbf' - - name: "Unversioned web: ${{ matrix.pharfile }}" - - steps: - - name: Retrieve latest release info - uses: octokit/request-action@v2.x - id: get_latest_release - with: - route: GET /repos/PHPCSStandards/PHP_CodeSniffer/releases/latest - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: "DEBUG: Show API request failure status" - if: ${{ failure() }} - run: "echo No release found. Request failed with status ${{ steps.get_latest_release.outputs.status }}" - - - name: Grab latest tag name from API response - id: version + + - name: Get source URL + id: source + shell: bash run: | - echo "TAG=${{ fromJson(steps.get_latest_release.outputs.data).tag_name }}" >> "$GITHUB_OUTPUT" - - - name: "DEBUG: Show tag name found in API response" - run: "echo ${{ steps.version.outputs.TAG }}" - - - name: Verify PHAR file is available and download - run: curl --remote-name https://phars.phpcodesniffer.com/${{ matrix.pharfile }}.phar - - - name: Verify signature file is available and download - run: curl --remote-name https://phars.phpcodesniffer.com/${{ matrix.pharfile }}.phar.asc - - - name: "DEBUG: List files" - run: ls -Rlh - - - name: Verify attestation of the PHAR file - run: gh attestation verify ${{ matrix.pharfile }}.phar -o PHPCSStandards - env: - GH_TOKEN: ${{ github.token }} - - - name: Download public key - env: - FINGERPRINT: "0x689DAD778FF08760E046228BA978220305CD5C32" - run: gpg --keyserver hkps://keys.openpgp.org --recv-keys $FINGERPRINT - - - name: Verify signature of the PHAR file - run: gpg --verify ${{ matrix.pharfile }}.phar.asc ${{ matrix.pharfile }}.phar - - - name: Setup PHP - uses: shivammathur/setup-php@v2 - with: - php-version: 'latest' - ini-values: error_reporting=-1, display_errors=On - coverage: none - - # Note: the `.` is in the command to make it work for both PHPCS as well PHPCBF. - - name: Verify the PHAR is nominally functional - run: php ${{ matrix.pharfile }}.phar . -e --standard=PSR12 - - - name: Grab the version - id: asset_version - env: - FILE_NAME: ${{ matrix.pharfile }}.phar - # yamllint disable-line rule:line-length - run: echo "VERSION=$(php "$FILE_NAME" --version | grep --only-matching --max-count=1 --extended-regexp '\b[0-9]+(\.[0-9]+)+')" >> "$GITHUB_OUTPUT" - - - name: "DEBUG: Show grabbed version" - run: echo ${{ steps.asset_version.outputs.VERSION }} - - - name: Fail the build if the PHAR is not the correct version - if: ${{ steps.asset_version.outputs.VERSION != steps.version.outputs.TAG }} - run: exit 1 - - # ######################################### - # Verify versioned downloads from the website. - # ######################################### - verify-versioned-web: - runs-on: ubuntu-latest - - strategy: - fail-fast: false - matrix: - pharfile: - - 'phpcs' - - 'phpcbf' - - name: "Versioned web: ${{ matrix.pharfile }}" - - steps: - - name: Retrieve latest release info - uses: octokit/request-action@v2.x - id: get_latest_release - with: - route: GET /repos/PHPCSStandards/PHP_CodeSniffer/releases/latest - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: "DEBUG: Show API request failure status" - if: ${{ failure() }} - run: "echo No release found. Request failed with status ${{ steps.get_latest_release.outputs.status }}" - - - name: Grab latest tag name from API response - id: version - run: | - echo "TAG=${{ fromJson(steps.get_latest_release.outputs.data).tag_name }}" >> "$GITHUB_OUTPUT" - - - name: "DEBUG: Show tag name found in API response" - run: "echo ${{ steps.version.outputs.TAG }}" + if [[ ${{ matrix.download_flavour }} == 'Release assets' ]]; then + echo 'SRC=https://github.com/PHPCSStandards/PHP_CodeSniffer/releases/latest/download/' >> "$GITHUB_OUTPUT" + echo 'FILE=${{ matrix.pharfile }}.phar' >> "$GITHUB_OUTPUT" + elif [[ ${{ matrix.download_flavour }} == 'Unversioned web' ]]; then + echo 'SRC=https://phars.phpcodesniffer.com/' >> "$GITHUB_OUTPUT" + echo 'FILE=${{ matrix.pharfile }}.phar' >> "$GITHUB_OUTPUT" + else + echo 'SRC=https://phars.phpcodesniffer.com/phars/' >> "$GITHUB_OUTPUT" + echo 'FILE=${{ matrix.pharfile }}-${{ steps.version.outputs.TAG }}.phar' >> "$GITHUB_OUTPUT" + fi - name: Verify PHAR file is available and download - run: curl --remote-name https://phars.phpcodesniffer.com/phars/${{ matrix.pharfile }}-${{ steps.version.outputs.TAG }}.phar + run: wget -O ${{ steps.source.outputs.FILE }} ${{ steps.source.outputs.SRC }}${{ steps.source.outputs.FILE }} - name: Verify signature file is available and download - run: curl --remote-name https://phars.phpcodesniffer.com/phars/${{ matrix.pharfile }}-${{ steps.version.outputs.TAG }}.phar.asc + run: wget -O ${{ steps.source.outputs.FILE }}.asc ${{ steps.source.outputs.SRC }}${{ steps.source.outputs.FILE }}.asc - name: "DEBUG: List files" run: ls -Rlh - name: Verify attestation of the PHAR file - run: gh attestation verify ${{ matrix.pharfile }}-${{ steps.version.outputs.TAG }}.phar -o PHPCSStandards + run: gh attestation verify ${{ steps.source.outputs.FILE }} -o PHPCSStandards env: GH_TOKEN: ${{ github.token }} @@ -244,9 +97,7 @@ jobs: run: gpg --keyserver hkps://keys.openpgp.org --recv-keys $FINGERPRINT - name: Verify signature of the PHAR file - run: > - gpg --verify ${{ matrix.pharfile }}-${{ steps.version.outputs.TAG }}.phar.asc - ${{ matrix.pharfile }}-${{ steps.version.outputs.TAG }}.phar + run: gpg --verify ${{ steps.source.outputs.FILE }}.asc ${{ steps.source.outputs.FILE }} - name: Setup PHP uses: shivammathur/setup-php@v2 @@ -257,12 +108,12 @@ jobs: # Note: the `.` is in the command to make it work for both PHPCS as well PHPCBF. - name: Verify the PHAR is nominally functional - run: php ${{ matrix.pharfile }}-${{ steps.version.outputs.TAG }}.phar . -e --standard=PSR12 + run: php ${{ steps.source.outputs.FILE }} . -e --standard=PSR12 - name: Grab the version id: asset_version env: - FILE_NAME: ${{ matrix.pharfile }}-${{ steps.version.outputs.TAG }}.phar + FILE_NAME: ${{ steps.source.outputs.FILE }} # yamllint disable-line rule:line-length run: echo "VERSION=$(php "$FILE_NAME" --version | grep --only-matching --max-count=1 --extended-regexp '\b[0-9]+(\.[0-9]+)+')" >> "$GITHUB_OUTPUT"