chore: secure tokens (#276)
Resolves #275
chrisba11 authored Aug 18, 2023
1 parent 39bf02c commit 896bf6f
Showing 4 changed files with 222 additions and 181 deletions.
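--- a/.github/workflows/build_and_test.yml
+++ b/.github/workflows/build_and_test.yml
@@ -0,0 +1,83 @@
+# This workflow will install Python dependencies, run tests and lint with a single version of Python
+# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python
+# These jobs are specifically designed to test the codebase
+# and ensure that basic contributing from both mac and windows will work
+
+name: Build & Test
+
+on:
+push:
+branches-ignore: [ main ]
+workflow_call:
+
+
+jobs:
+build-windows:
+name: Windows
+runs-on: windows-latest
+steps:
+- uses: actions/checkout@v3
+
+- name: Set up Python 3.9
+id: setup-python
+uses: actions/setup-python@v4
+with:
+python-version: "3.9"
+
+- name: Set Up Project
+run: |
+pip install poetry
+poetry install
+- name: Run Tests
+run: |
+poetry run poe precommit
+# Both of these lines error when run on a windows image, more research required as to why
+# poetry run poe coverage
+# poetry run secureli build
+
+
+build-linux:
+name: Linux
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v3
+with:
+fetch-depth: 0
+
+- name: Validate Branch name
+run: ./scripts/get-current-branch.sh
+
+- name: Set up Python 3.9
+id: setup-python
+uses: actions/setup-python@v4
+with:
+python-version: "3.9"
+
+- name: Set Up Project
+run: |
+pip install poetry
+poetry install
+- name: Run Tests
+run: |
+poetry run poe precommit
+poetry run poe coverage
+poetry run secureli build
+secureli-release-noop:
+name: Release Test
+needs: [ build-linux, build-windows ]
+if: github.ref != 'refs/heads/main'
+runs-on: ubuntu-latest
+concurrency: release
+steps:
+- uses: actions/checkout@v3
+with:
+fetch-depth: 0
+
+- name: Python Semantic Release
+uses: relekang/python-semantic-release@master
+with:
+root_options: -vv --noop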
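Review bot: The noop release job pulls `relekang/python-semantic-release@master`, a mutable branch (apparently the older location of the same project), while publish.yml in this very commit pins `python-semantic-release/python-semantic-release@v8.0.4`; anyone who can push to that branch changes what runs on every non-main push of this repository. Pin the same release here, `uses: python-semantic-release/python-semantic-release@v8.0.4`, and ideally pin every third-party action in the file to a full commit SHA with a `# vX.Y.Z` comment. The workflow also declares no `permissions:` block, so its jobs get whatever default GITHUB_TOKEN grant the repository is configured with; nothing in these jobs needs to write, so a top-level `permissions:` / `contents: read` would keep a compromised package pulled in by `poetry install` from pushing, tagging or touching releases with that token.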
7 changes: 5 additions & 2 deletions .github/workflows/pr_lint.yml
Expand Up @@ -3,8 +3,11 @@ name: PR Title Lint

on:
pull_request:
branches: [main]
types: [opened, edited, reopened, synchronize]
branches: [ main ]
types:
- opened
- edited
- reopened

jobs:
check_pr_title:
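--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,134 @@
+# This workflow will call the build_and_test.yml workflow to install Python dependencies, run tests and lint
+# with a single version of Python
+# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python
+# These jobs are specifically designed to test the codebase
+# and ensure that basic contributing from both mac and windows will work
+# Once both windows and mac builds are successful, the next steps will
+# - using semantic-version will version the code, pushing the version back to the repo
+# - push a package to pypi
+# - push a formula to the homebrew repo
+
+name: Publish
+
+on:
+push:
+branches: [ main ]
+
+
+jobs:
+build-test:
+name: Build & Test
+uses: ./.github/workflows/build_and_test.yml
+
+
+secureli-release:
+name: GH Release
+needs: [ build-test ]
+runs-on: ubuntu-latest
+environment: publish
+concurrency: release
+permissions:
+id-token: write
+contents: write
+outputs:
+uploaded: ${{ steps.upload.outputs.uploaded }}
+steps:
+- name: Get App Token
+uses: tibdex/github-app-token@v1
+id: app_token
+with:
+app_id: ${{ secrets.APP_ID }}
+private_key: ${{ secrets.APP_PRIVATE_KEY }}
+
+- uses: actions/checkout@v3
+with:
+fetch-depth: 0
+token: ${{ steps.app_token.outputs.token }}
+
+- name: Python Semantic Release
+id: release
+uses: python-semantic-release/python-semantic-release@v8.0.4
+with:
+github_token: ${{ steps.app_token.outputs.token }}
+
+- name: Upload assets to GitHub Releases
+id: upload
+env:
+GH_TOKEN: ${{ steps.app_token.outputs.token }}
+run: |
+if [[ -d dist ]]; then
+if [[ -n "$(find ./dist -name 'secureli*' -print -quit)" ]]; then
+gh release upload ${{ steps.release.outputs.tag }} ./dist/secureli*
+echo "uploaded=true" >> "$GITHUB_OUTPUT"
+else
+echo "uploaded=false" >> "$GITHUB_OUTPUT"
+fi
+else
+echo "uploaded=false" >> "$GITHUB_OUTPUT"
+fi
+- name: Display Output
+run: echo uploaded=${{ steps.upload.outputs.uploaded }}
+
+secureli-publish:
+name: PyPI Publish
+if: needs.secureli-release.outputs.uploaded == 'true'
+runs-on: ubuntu-latest
+needs: secureli-release
+permissions:
+id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
+steps:
+- name: Display Inputs
+run: echo uploaded=${{ needs.secureli-release.outputs.uploaded }}
+
+- name: Checkout seCureLI Repo
+uses: actions/checkout@v3
+with:
+ref: main
+fetch-depth: 0
+
+- run: |
+pip install poetry
+poetry install
+poetry build
+- name: Publish package distributions to PyPI
+uses: pypa/gh-action-pypi-publish@release/v1
+with:
+skip-existing: true
+
+deploy:
+name: Upload Homebrew Formula
+if: needs.secureli-release.outputs.uploaded == 'true'
+runs-on: ubuntu-latest
+environment: publish
+needs: secureli-release
+steps:
+- name: Display Inputs
+run: echo uploaded=${{ needs.secureli-release.outputs.uploaded }}
+
+- name: Get App Token
+uses: tibdex/github-app-token@v1
+id: app_token
+with:
+app_id: ${{ secrets.APP_ID }}
+private_key: ${{ secrets.APP_PRIVATE_KEY }}
+
+- uses: actions/checkout@v3
+with:
+ref: main
+fetch-depth: 0
+
+- name: Checkout seCureLI Homebrew Repo
+uses: actions/checkout@v3
+with:
+repository: slalombuild/homebrew-secureli
+token: ${{ steps.app_token.outputs.token }}
+path: homebrew-secureli
+ref: main
+fetch-depth: 0
+
+- name: Homebrew Formula Generation
+env:
+GH_TOKEN: ${{ steps.app_token.outputs.token }}
+run: ./scripts/secureli-deployment.sh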
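Review bot: The PyPI job checks out `ref: main` and runs `poetry build` from scratch instead of publishing the artifacts that were just attached to the release, so what reaches PyPI is whatever `main` holds when that job starts (semantic-release itself pushes to main, and any unrelated push landing in between is picked up too) and is not guaranteed to match the GitHub release assets or the version that gated the job. The release job already has `steps.release.outputs.tag` (it is used on the `gh release upload` line), so expose it as a job output next to `uploaded` and check that tag out in both the PyPI and Homebrew jobs. The PyPI job is also the only downstream job without `environment: publish`, so the environment's protection rules, and the OIDC `environment` claim that PyPI trusted publishing can be pinned to, do not cover the most consequential step; add it there, and drop `id-token: write` from `secureli-release`, where no step uses OIDC. Finally, the upload step interpolates `${{ steps.release.outputs.tag }}` straight into the shell script; routing it through `env` keeps the `run:` body free of expression expansion.

```yaml
  secureli-release:
    # … unchanged: name, needs, runs-on, environment, concurrency …
    permissions:
      contents: write
    outputs:
      uploaded: ${{ steps.upload.outputs.uploaded }}
      tag: ${{ steps.release.outputs.tag }}
    steps:
      # … unchanged: app token, checkout, semantic release …
      - name: Upload assets to GitHub Releases
        id: upload
        env:
          GH_TOKEN: ${{ steps.app_token.outputs.token }}
          TAG: ${{ steps.release.outputs.tag }}
        run: |
          if [[ -d dist ]]; then
            if [[ -n "$(find ./dist -name 'secureli*' -print -quit)" ]]; then
              gh release upload "$TAG" ./dist/secureli*
      # … unchanged: remaining branches of the script, Display Output …

  secureli-publish:
    # … unchanged: name, if, runs-on, needs …
    environment: publish
    permissions:
      id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
    steps:
      # … unchanged: Display Inputs …
      - name: Checkout seCureLI Repo
        uses: actions/checkout@v3
        with:
          ref: ${{ needs.secureli-release.outputs.tag }}
          fetch-depth: 0
      # … unchanged: build and publish steps …

  deploy:
    # … unchanged: name, if, runs-on, environment, needs, Display Inputs, app token …
      - uses: actions/checkout@v3
        with:
          ref: ${{ needs.secureli-release.outputs.tag }}
          fetch-depth: 0
      # … unchanged: homebrew checkout and formula generation …
```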
