Skip to content

Bump super-linter/super-linter from 6 to 7 (#174) #230

Bump super-linter/super-linter from 6 to 7 (#174)

Bump super-linter/super-linter from 6 to 7 (#174) #230

Workflow file for this run

# yamllint disable rule:line-length
---
name: Sign and prerelease
# Run the workflow on when code or a semver tag is pushed to main branch,
# and on pull requests towards main branch
on:
push:
branches:
- "main"
tags:
# semver, e.g. 1.2.0 (does not match 0.1.2)
- "[1-9]+.[0-9]+.[0-9]+"
# semver with prerelease info, e.g. 1.0.2-beta.1 or 1.2.3-rc.10
- "[1-9]+.[0-9]+.[0-9]+-[a-z]+.[0-9]+"
# do not match prerelease starting w/ 0, e.g. 1.0.2-beta.0 or 1.2.3-rc.01
- "![1-9]+.[0-9]+.[0-9]+-[a-z]+.[0]*"
# semver with date info, e.g. 1.0.2-20221125
- "[1-9]+.[0-9]+.[0-9]+-[0-9]+"
# do not match date starting w/ 0, e.g. 1.0.2-01232023
- "![1-9]+.[0-9]+.[0-9]+-[0]*"
pull_request:
branches:
- "main"
env:
PROJECT: "docker-compose-acap"
jobs:
# Builds docker ACAP using the build.sh script, then signs the eap-file in
# ACAP Portal and stores it as a build artifact.
# This job runs for all triggers of the workflow
build:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
arch: ["armv7hf", "aarch64"]
outputs:
EAP_FILE_ARMV7HF: ${{ steps.save_full_file_name.outputs.EAP_FILE_ARMV7HF }}
EAP_FILE_AARCH64: ${{ steps.save_full_file_name.outputs.EAP_FILE_AARCH64 }}
SHORT_SHA: ${{ steps.save_full_file_name.outputs.SHORT_SHA }}
steps:
- uses: actions/checkout@v4
- name: get_short_sha
run: |
sha=${{ github.sha }}
strip_sha=${sha:0:7}
echo "SHORT_SHA=${strip_sha}" >> $GITHUB_ENV
- uses: actions/cache@v4
if: ${{ (github.ref_type == 'tag') || (github.event_name == 'push' && github.ref == 'refs/heads/main') }}
with:
path: ${{ github.workspace }}/build-${{ matrix.arch }}
key: key-${{ env.SHORT_SHA }}-${{ github.run_id }}-${{ matrix.arch }}
- name: Create base image metadata
id: meta
uses: ./.github/actions/metadata-action
with:
suffix: -${{ matrix.arch }}
repository: ${{ env.PROJECT }}
get_version: "true"
- name: Get changes for manifest
id: manifest-settings
if: ${{ (github.ref_type == 'tag') || (github.event_name == 'push' && github.ref == 'refs/heads/main') }}
run: |
if [ ${{github.ref_type}} == tag ]; then
echo "version_value=${{ steps.meta.outputs.version }}" >> $GITHUB_OUTPUT
echo "append_sha='false'" >> $GITHUB_OUTPUT
else
echo "version_value=-${{ env.SHORT_SHA }}" >> $GITHUB_OUTPUT
echo "append_sha='true'" >> $GITHUB_OUTPUT
fi
- name: Update manifest file
if: ${{ (github.ref_type == 'tag') || (github.event_name == 'push' && github.ref == 'refs/heads/main') }}
uses: ./.github/actions/update-acap-manifest-action
with:
manifest_file: ./app/manifest.json
append: ${{ steps.manifest-settings.outputs.append_sha}}
value: ${{ steps.manifest-settings.outputs.version_value }}
- name: Build ${{ env.PROJECT}} application
uses: ./.github/actions/docker-build-action
with:
dockerfile: Dockerfile
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
build-args: ARCH=${{ matrix.arch }}
outputs: "type=local,dest=build"
- name: Get name of EAP-file
id: get_eap_file_name
if: ${{ (github.ref_type == 'tag') || (github.event_name == 'push' && github.ref == 'refs/heads/main') }}
run: |
export EAP_FILE=$(find build -type f -name "*.eap" -printf "%f\n")
delimiter="$(openssl rand -hex 8)"
echo "EAP_FILE<<${delimiter}" >> ${GITHUB_ENV}
echo "${EAP_FILE}" >> ${GITHUB_ENV}
echo "${delimiter}" >> ${GITHUB_ENV}
- name: Add sha to EAP-file name
if: ${{ (github.ref_type == 'tag') || (github.event_name == 'push' && github.ref == 'refs/heads/main') }}
run: |
eap_file_w_sha=$(echo $"${{ env.EAP_FILE }}" | sed 's/\.eap/_${{ env.SHORT_SHA }}.eap/')
echo "EAP_FILE_W_SHA=${eap_file_w_sha}" >> $GITHUB_ENV
cp build/${{ env.EAP_FILE }} build/$eap_file_w_sha
- name: Save full file name
id: save_full_file_name
if: ${{ (github.ref_type == 'tag') || (github.event_name == 'push' && github.ref == 'refs/heads/main') }}
run: |
echo "SHORT_SHA=${{ env.SHORT_SHA }}" >> $GITHUB_OUTPUT
if [ ${{ matrix.arch }} = armv7hf ]
then
echo "EAP_FILE_ARMV7HF=${{ env.EAP_FILE_W_SHA }}" >> $GITHUB_OUTPUT
elif [ ${{ matrix.arch }} = aarch64 ]
then
echo "EAP_FILE_AARCH64=${{ env.EAP_FILE_W_SHA }}" >> $GITHUB_OUTPUT
else
echo "::error::Non valid architecture '${{ matrix.arch }}' encountered"
fi
- name: Move EAP-file to cache location
if: ${{ (github.ref_type == 'tag') || (github.event_name == 'push' && github.ref == 'refs/heads/main') }}
run: |
mkdir -p ${{ github.workspace }}/build-${{ matrix.arch }}
#rm -f ${{ github.workspace }}/build-${{ matrix.arch }}/${{ env.EAP_FILE_W_SHA }}
mv build/${{ env.EAP_FILE_W_SHA }} ${{ github.workspace }}/build-${{ matrix.arch }}/.
# Sign the eap-file from the build
sign-eap:
runs-on: ubuntu-latest
if: ${{ (github.ref_type == 'tag') || (github.event_name == 'push' && github.ref == 'refs/heads/main') }}
needs: build
permissions:
contents: write
strategy:
fail-fast: false
matrix:
arch: ["armv7hf", "aarch64"]
max-parallel: 1
env:
EAP_FILE_ARMV7HF: ${{ needs.build.outputs.EAP_FILE_ARMV7HF }}
EAP_FILE_AARCH64: ${{ needs.build.outputs.EAP_FILE_AARCH64 }}
SHORT_SHA: ${{ needs.build.outputs.SHORT_SHA }}
outputs:
EAP_FILE_SIGNED_ARMV7HF: ${{ steps.save_full_file_name.outputs.EAP_FILE_SIGNED_ARMV7HF }}
EAP_FILE_SIGNED_AARCH64: ${{ steps.save_full_file_name.outputs.EAP_FILE_SIGNED_AARCH64 }}
steps:
- name: Get EAP file name
id: full_eap_name
run: |
if [ ${{ matrix.arch }} = armv7hf ]
then
echo "EAP_FILE=${{ env.EAP_FILE_ARMV7HF }}" >> $GITHUB_ENV
elif [ ${{ matrix.arch }} = aarch64 ]
then
echo "EAP_FILE=${{ env.EAP_FILE_AARCH64 }}" >> $GITHUB_ENV
else
echo "::error::Non valid architecture '${{ matrix.arch }}' encountered"
fi
- uses: actions/cache/restore@v4
with:
path: ${{ github.workspace }}/build-${{ matrix.arch }}
key: key-${{ env.SHORT_SHA }}-${{ github.run_id }}-${{ matrix.arch }}
- name: Get cached EAP-file
run: |
mkdir -p build
mv ${{ github.workspace }}/build-${{ matrix.arch }}/${{ env.EAP_FILE }} build/.
- name: Refactor naming of EAP-file for signed output
run: |
signed_output=$(echo "${{ env.EAP_FILE }}" | sed 's/\.eap/_signed.eap/')
echo "SIGNED_EAP_FILE=${signed_output}" >> $GITHUB_ENV
- name: Sign eap-file
run: |
cd build
RESPONSE=$(curl -XPOST -H 'accept: */*' -H 'Content-Type: multipart/form-data' \
-H 'Authorization: Bearer ${{secrets.ACAP_PORTAL_SIGNING_BEARER_TOKEN}}' \
'${{ vars.ACAP_PORTAL_URL }}/${{secrets.ACAP_PORTAL_SIGNING_ID}}/sign/binary' \
-F uploadedFile=@"${{ env.EAP_FILE }}" --output ${{ env.SIGNED_EAP_FILE }} \
-w "%{http_code}\n" -o /dev/null --http1.1)
echo "HTTP_RESPONSE=$RESPONSE" >> $GITHUB_ENV
- name: Check that acap has been signed
run: |
if [[ -n "$HTTP_RESPONSE" && "$HTTP_RESPONSE" =~ ^[0-9]+$ ]]; then
if [ "$HTTP_RESPONSE" -eq 200 ]; then
echo "HTTP response code is 200, signing was successful"
else
echo "HTTP response code is: $HTTP_RESPONSE, signing was not successful"
exit 1
fi
else
echo "HTTP_RESPONSE is empty or not a valid integer: $HTTP_RESPONSE"
fi
- name: Upload artifact
uses: actions/upload-artifact@v4
with:
name: ${{ env.SIGNED_EAP_FILE }}
path: build/${{ env.SIGNED_EAP_FILE }}
- name: Save full file name
id: save_full_file_name
run: |
if [ ${{ matrix.arch }} = armv7hf ]
then
echo "EAP_FILE_SIGNED_ARMV7HF=${{ env.SIGNED_EAP_FILE }}" >> $GITHUB_OUTPUT
elif [ ${{ matrix.arch }} = aarch64 ]
then
echo "EAP_FILE_SIGNED_AARCH64=${{ env.SIGNED_EAP_FILE }}" >> $GITHUB_OUTPUT
else
echo "::error::Non valid architecture '${{ matrix.arch }}' encountered"
fi
# Creates a pre-release in the repository.
# This job runs if the workflow is triggered by a tag and the build job was successful.
create_prerelease:
if: (github.ref_type == 'tag')
permissions:
contents: write
runs-on: ubuntu-latest
needs: [build, sign-eap]
outputs:
RELEASE_ID: ${{ steps.prerelease.outputs.RELEASE_ID }}
steps:
- name: Set TAG
id: vars
run: echo "TAG=${GITHUB_REF#refs/*/}" >> ${GITHUB_ENV}
- name: Create prerelease
uses: actions/github-script@v7
id: prerelease
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
script: |
try {
const response = await github.rest.repos.createRelease({
draft: false,
generate_release_notes: true,
name: '${{ env.TAG }}',
owner: context.repo.owner,
prerelease: true,
repo: context.repo.repo,
tag_name: '${{ env.TAG }}',
});
core.setOutput('RELEASE_ID', response.data.id);
} catch (error) {
core.setFailed(error.message);
}
# Uploads the signed eap files from artifacts to the pre-release.
# This job runs if the create_prerelease job
download-and-upload-artifacts:
if: (github.ref_type == 'tag')
permissions:
contents: write
runs-on: ubuntu-latest
needs: [create_prerelease, build, sign-eap]
strategy:
matrix:
arch: [armv7hf, aarch64]
env:
RELEASE_ID: ${{ needs.create_prerelease.outputs.RELEASE_ID }}
EAP_FILE_SIGNED_ARMV7HF: ${{ needs.sign-eap.outputs.EAP_FILE_SIGNED_ARMV7HF }}
EAP_FILE_SIGNED_AARCH64: ${{ needs.sign-eap.outputs.EAP_FILE_SIGNED_AARCH64 }}
steps:
- name: Get EAP file name
id: full_eap_name
run: |
if [ ${{ matrix.arch }} = armv7hf ]
then
echo "EAP_FILE=${{ env.EAP_FILE_SIGNED_ARMV7HF }}" >> $GITHUB_ENV
elif [ ${{ matrix.arch }} = aarch64 ]
then
echo "EAP_FILE=${{ env.EAP_FILE_SIGNED_AARCH64 }}" >> $GITHUB_ENV
else
echo "::error::Non valid architecture '${{ matrix.arch }}' encountered"
fi
- name: Download artifacts
uses: actions/download-artifact@v4
with:
name: ${{ env.EAP_FILE }}
path: ./
- name: Upload file to GitHub release
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
RESPONSE=$(curl -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
-H "Accept: application/vnd.github.manifold-preview" \
-H "Content-Type: application/zip" \
--data-binary @${{ env.EAP_FILE }} \
"https://uploads.github.com/repos/$GITHUB_REPOSITORY/releases/${{env.RELEASE_ID}}/assets?name=${{ env.EAP_FILE }}" \
-w "%{http_code}\n" -o /dev/null)
echo "HTTP_RESPONSE=$RESPONSE" >> $GITHUB_ENV
- name: Check that asset has been uploaded correctly
run: |
if [[ -n "$HTTP_RESPONSE" && "$HTTP_RESPONSE" =~ ^[0-9]+$ ]]; then
if [ "$HTTP_RESPONSE" -eq 201 ]; then
echo "HTTP response code is 201, upload was successful"
else
echo "HTTP response code is: $HTTP_RESPONSE, upload was not successful"
exit 1
fi
else
echo "HTTP_RESPONSE is empty or not a valid integer: $HTTP_RESPONSE"
fi