From 5ca655b02d3e7dd12091e6bc841af0df6b246e81 Mon Sep 17 00:00:00 2001
From: Philipp Eder
Date: Sat, 20 May 2023 04:03:51 +0200
Subject: [PATCH] Fix: signature of tar balls

Uses the `sign-release`files` action instead of using curl manually. This allows us easier maintenance as we can get support from a dedicated team. Besides that the version calculation is separated into an own job by using the output functionality. This allows us to reuse that calculation later.
---
 .github/workflows/release.yml | 59 +++++++++++++++++++++++++++--------
 1 file changed, 46 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ed48477a1..2e7bd2fe3 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -34,8 +34,8 @@ on:
 # Once the version is found and enhanced, each CMakeLists file is updated to the new
 # version, and a commit is created in the found branch.
 jobs:
-  release:
-    name: release
+  calculate_version:
+    runs-on: "ubuntu-latest"
     if: |
       ${{
       (github.event_name == 'workflow_dispatch') ||
@@ -45,11 +45,14 @@ jobs:
       contains(github.event.pull_request.labels.*.name, 'major_release') ||
       contains(github.event.pull_request.labels.*.name, 'minor_release') ||
       contains(github.event.pull_request.labels.*.name, 'patch_release')
-      ) ) }}
-    runs-on: "ubuntu-latest"
+    outputs:
+      new_version: ${{ steps.version.outputs.new_version }}
+      latest_version: ${{ steps.version.outputs.latest_version }}
+      release_kind: ${{ steps.version.outputs.release_kind }}
+      release_ref: ${{ steps.version.outputs.release_ref }}
     steps:
       - uses: actions/checkout@v3
         with:
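Review bot: As rendered, the second hunk removes the `) ) }}` line that closes the `if: |` expression of the new `calculate_version` job and none of the added lines restores it, so the expression would end after `'patch_release'` with its parentheses and `${{` still open; if that is what the commit does rather than an artifact of the paste, the workflow will not load, and the closing line should stay as context directly above `outputs:`. The gate now lives only on this job — `release` and `sign` are skipped purely through `needs:` — which deserves a one-line comment above `outputs:` such as `# release and sign depend on this job; keep the trigger gate here` so a later `if: always()` on a dependent job does not bypass it. The job also lost the `name:` the old `release` job had; a `name: calculate version` keeps the run list readable.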
@@ -103,6 +106,29 @@ jobs:
           echo "NEW_VERSION=$(sh .github/enhance_version.sh ${{ env.LATEST_VERSION }} ${{ env.RELEASE_KIND }})" >> $GITHUB_ENV
       - name: NEW_VERSION != NULL
         run: ([ -n "${{ env.NEW_VERSION }}" ])
+      - name: set output
+        id: version
+        run: |
+          echo "latest_version=$LATEST_VERSION" >> "$GITHUB_OUTPUT"
+          echo "new_version=$NEW_VERSION" >> "$GITHUB_OUTPUT"
+          echo "release_kind=$RELEASE_KIND" >> "$GITHUB_OUTPUT"
+          echo "release_ref=$RELEASE_REF" >> "$GITHUB_OUTPUT"
+
+
+  release:
+    name: release
+    needs: calculate_version
+    runs-on: "ubuntu-latest"
+    env:
+      RELEASE_KIND: ${{needs.calculate_version.outputs.release_kind}}
+      RELEASE_REF: ${{needs.calculate_version.outputs.release_ref}}
+      LATEST_VERSION: ${{needs.calculate_version.outputs.latest_version}}
+      NEW_VERSION: ${{needs.calculate_version.outputs.new_version}}
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          token: ${{ secrets.GREENBONE_BOT_TOKEN }}
+          fetch-depth: '0'
       - name: set git credentials
         run: |
           git config --global user.email "${{ secrets.GREENBONE_BOT_MAIL }}"
@@ -122,7 +148,8 @@ jobs:
           git checkout "${{ env.RELEASE_REF }}"
           # change version
           python3 -m pip install pontos
-          pontos-version update ${{ env.NEW_VERSION }}
+          # ignore failure on setting version
+          pontos-version update ${{ env.NEW_VERSION }} || true
           # as soon as pontos-version release is available and it supports cargo do
           # cd rust
           # pontos-version update ${{ env.NEW_VERSION }}
@@ -145,7 +172,8 @@ jobs:
             rust/target/
           key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
       - run: rustup update stable && rustup default stable
-      - run: cargo install cross
+      # ignore failing install, it may already be installed
+      - run: cargo install cross || true
       - run: CROSS_CONFIG=Cross.toml cross -v build --release --target aarch64-unknown-linux-gnu
         working-directory: rust
       - run: CROSS_CONFIG=Cross.toml cross build --release --target x86_64-unknown-linux-gnu
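Review bot: `pontos-version update ${{ env.NEW_VERSION }} || true` in the second hunk hides a failed version bump, so the commit, tag and GitHub release produced afterwards can be cut from a tree that still carries the old version, and the comment `# ignore failure on setting version` does not say why that is acceptable. If the intent is to tolerate a tree that was already bumped, keep the `|| true` but follow it with a check that the version the tree now reports equals `$NEW_VERSION` and fails the step otherwise, and say so in the comment. The `cargo install cross || true` in the third hunk is the benign form of the same pattern, because the `cross build` step right after it fails on its own if the install really did not happen. The `run: |` block that holds the pontos call starts outside the hunk.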
@@ -178,12 +206,17 @@ jobs:
           export nrn="v${{ env.NEW_VERSION }}"
           export filename="$PROJECT-$nrn"
           gh release create "$nrn" -F /tmp/changelog.md
-          mkdir -p assets
           ls -las assets/
-          curl -Lo assets/$filename.zip https://github.com/${{ github.repository }}/openvas-scanner/archive/refs/tags/$nrn.zip
-          curl -Lo assets/$filename.tar.gz https://github.com/${{ github.repository }}/openvas-scanner/archive/refs/tags/$nrn.tar.gz
-          echo -e "${{ secrets.GPG_KEY }}" > private.pgp
-          echo ${{ secrets.GPG_PASSPHRASE }} | bash .github/sign-assets.sh private.pgp
-          rm assets/$filename.zip
-          rm assets/$filename.tar.gz
           gh release upload $nrn assets/*
+  sign:
+    name: "sign ${{needs.calculate_version.outputs.new_version}}"
+    runs-on: "ubuntu-latest"
+    needs: [calculate_version, release]
+    steps:
+      - name: Sign release files
+        uses: greenbone/actions/sign-release-files@v2
+        with:
+          gpg-key: ${{ secrets.GPG_KEY }}
+          gpg-fingerprint: ${{ secrets.GPG_FINGERPRINT }}
+          gpg-passphrase: ${{ secrets.GPG_PASSPHRASE }}
+          release-version: ${{needs.calculate_version.outputs.new_version}}
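Review bot: The new `sign` job hands the private signing key and its passphrase (`gpg-key`, `gpg-passphrase`) to `greenbone/actions/sign-release-files@v2`, a mutable major-version tag; for the one step that holds the release signing material, pin the action to a full commit SHA and keep the tag as a trailing comment, `uses: greenbone/actions/sign-release-files@<commit-sha>  # v2`, so a moved tag cannot change what receives the key. The removed `mkdir -p assets` leaves `ls -las assets/` and `gh release upload $nrn assets/*` depending on an earlier step having created the directory; with the default `-e` shell a missing directory fails the step, so if nothing before this hunk creates it, the `mkdir` should stay. The `run: |` block these lines belong to starts outside the hunk.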