From 896bf6fb64aec868437ee2e03cf47174c2e157b0 Mon Sep 17 00:00:00 2001
From: Chris Ball <39441998+chrisba11@users.noreply.github.com>
Date: Fri, 18 Aug 2023 12:20:39 -0700
Subject: [PATCH] chore: secure tokens (#276)

Resolves #275
---
 .github/workflows/build_and_test.yml | 83 +++++++++++++
 .github/workflows/pr_lint.yml | 7 +-
 .github/workflows/publish.yml | 134 ++++++++++++++++++++
 .github/workflows/secureliCI.yml | 179 ---------------------------
 4 files changed, 222 insertions(+), 181 deletions(-)
 create mode 100644 .github/workflows/build_and_test.yml
 create mode 100644 .github/workflows/publish.yml
 delete mode 100644 .github/workflows/secureliCI.yml
diff --git a/.github/workflows/build_and_test.yml b/.github/workflows/build_and_test.yml
new file mode 100644
index 00000000..e2b642af
--- /dev/null
+++ b/.github/workflows/build_and_test.yml
@@ -0,0 +1,83 @@
+# This workflow will install Python dependencies, run tests and lint with a single version of Python
+# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python
+# These jobs are specifically designed to test the codebase
+# and ensure that basic contributing from both mac and windows will work
+
+name: Build & Test
+
+on:
+ push:
+ branches-ignore: [ main ]
+ workflow_call:
+
+
+jobs:
+ build-windows:
+ name: Windows
+ runs-on: windows-latest
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Set up Python 3.9
+ id: setup-python
+ uses: actions/setup-python@v4
+ with:
+ python-version: "3.9"
+
+ - name: Set Up Project
+ run: |
+ pip install poetry
+ poetry install
+
+ - name: Run Tests
+ run: |
+ poetry run poe precommit
+ # Both of these lines error when run on a windows image, more research required as to why
+ # poetry run poe coverage
+ # poetry run secureli build
+
+
+ build-linux:
+ name: Linux
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+
+ - name: Validate Branch name
+ run: ./scripts/get-current-branch.sh
+
+ - name: Set up Python 3.9
+ id: setup-python
+ uses: actions/setup-python@v4
+ with:
+ python-version: "3.9"
+
+ - name: Set Up Project
+ run: |
+ pip install poetry
+ poetry install
+
+ - name: Run Tests
+ run: |
+ poetry run poe precommit
+ poetry run poe coverage
+ poetry run secureli build
+
+
+ secureli-release-noop:
+ name: Release Test
+ needs: [ build-linux, build-windows ]
+ if: github.ref != 'refs/heads/main'
+ runs-on: ubuntu-latest
+ concurrency: release
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+
+ - name: Python Semantic Release
+ uses: relekang/python-semantic-release@master
+ with:
+ root_options: -vv --noop
diff --git a/.github/workflows/pr_lint.yml b/.github/workflows/pr_lint.yml
index 5ea012be..f009ec02 100644
--- a/.github/workflows/pr_lint.yml
+++ b/.github/workflows/pr_lint.yml
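Review bot: The `secureli-release-noop` job pulls `relekang/python-semantic-release@master`, a floating branch at the action's old location, while publish.yml in this same commit pins `python-semantic-release/python-semantic-release@v8.0.4`; the dry run should exercise the same pinned action, i.e. `uses: python-semantic-release/python-semantic-release@v8.0.4` with `root_options: -vv --noop` kept, provided the pinned version still accepts that input — confirm against its action.yml. A mutable branch ref on a third-party action is also the weakest supply-chain link in a workflow that runs on every non-main push and is reusable through `workflow_call`. The workflow declares no `permissions:`, so all three jobs receive the repository's default GITHUB_TOKEN scopes even though nothing visible here needs more than read access; a top-level `permissions:` / `  contents: read` would bound that.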
@@ -3,8 +3,11 @@
 name: PR Title Lint
 on:
 pull_request:
- branches: [main]
- types: [opened, edited, reopened, synchronize]
+ branches: [ main ]
+ types:
+ - opened
+ - edited
+ - reopened

 jobs:
 check_pr_title:
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 00000000..06540f6f
--- /dev/null
+++ b/.github/workflows/publish.yml
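Review bot: The new `types:` list drops `synchronize` without saying why; since this job lints the PR title and a push of new commits cannot change the title, that is presumably intentional, but a one-line comment such as `# synchronize omitted: pushes cannot change the PR title, only edited can` would keep the next reader from re-adding it. The `check_pr_title` job itself lies outside the hunk, so whether anything in it depended on re-running per push cannot be checked here. Style: `branches: [ main ]` stays in flow style while the sibling `types:` moved to block style — pick one form for the two keys.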
@@ -0,0 +1,134 @@
+# This workflow will call the build_and_test.yml workflow to install Python dependencies, run tests and lint
+# with a single version of Python
+# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python
+# These jobs are specifically designed to test the codebase
+# and ensure that basic contributing from both mac and windows will work
+# Once both windows and mac builds are successful, the next steps will
+# - using semantic-version will version the code, pushing the version back to the repo
+# - push a package to pypi
+# - push a formula to the homebrew repo
+
+name: Publish
+
+on:
+ push:
+ branches: [ main ]
+
+
+jobs:
+ build-test:
+ name: Build & Test
+ uses: ./.github/workflows/build_and_test.yml
+
+
+ secureli-release:
+ name: GH Release
+ needs: [ build-test ]
+ runs-on: ubuntu-latest
+ environment: publish
+ concurrency: release
+ permissions:
+ id-token: write
+ contents: write
+ outputs:
+ uploaded: ${{ steps.upload.outputs.uploaded }}
+ steps:
+ - name: Get App Token
+ uses: tibdex/github-app-token@v1
+ id: app_token
+ with:
+ app_id: ${{ secrets.APP_ID }}
+ private_key: ${{ secrets.APP_PRIVATE_KEY }}
+
+ - uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+ token: ${{ steps.app_token.outputs.token }}
+
+ - name: Python Semantic Release
+ id: release
+ uses: python-semantic-release/python-semantic-release@v8.0.4
+ with:
+ github_token: ${{ steps.app_token.outputs.token }}
+
+ - name: Upload assets to GitHub Releases
+ id: upload
+ env:
+ GH_TOKEN: ${{ steps.app_token.outputs.token }}
+ run: |
+ if [[ -d dist ]]; then
+ if [[ -n "$(find ./dist -name 'secureli*' -print -quit)" ]]; then
+ gh release upload ${{ steps.release.outputs.tag }} ./dist/secureli*
+ echo "uploaded=true" >> "$GITHUB_OUTPUT"
+ else
+ echo "uploaded=false" >> "$GITHUB_OUTPUT"
+ fi
+ else
+ echo "uploaded=false" >> "$GITHUB_OUTPUT"
+ fi
+
+ - name: Display Output
+ run: echo uploaded=${{ steps.upload.outputs.uploaded }}
+
+ secureli-publish:
+ name: PyPI Publish
+ if: needs.secureli-release.outputs.uploaded == 'true'
+ runs-on: ubuntu-latest
+ needs: secureli-release
+ permissions:
+ id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
+ steps:
+ - name: Display Inputs
+ run: echo uploaded=${{ needs.secureli-release.outputs.uploaded }}
+
+ - name: Checkout seCureLI Repo
+ uses: actions/checkout@v3
+ with:
+ ref: main
+ fetch-depth: 0
+
+ - run: |
+ pip install poetry
+ poetry install
+ poetry build
+
+ - name: Publish package distributions to PyPI
+ uses: pypa/gh-action-pypi-publish@release/v1
+ with:
+ skip-existing: true
+
+ deploy:
+ name: Upload Homebrew Formula
+ if: needs.secureli-release.outputs.uploaded == 'true'
+ runs-on: ubuntu-latest
+ environment: publish
+ needs: secureli-release
+ steps:
+ - name: Display Inputs
+ run: echo uploaded=${{ needs.secureli-release.outputs.uploaded }}
+
+ - name: Get App Token
+ uses: tibdex/github-app-token@v1
+ id: app_token
+ with:
+ app_id: ${{ secrets.APP_ID }}
+ private_key: ${{ secrets.APP_PRIVATE_KEY }}
+
+ - uses: actions/checkout@v3
+ with:
+ ref: main
+ fetch-depth: 0
+
+ - name: Checkout seCureLI Homebrew Repo
+ uses: actions/checkout@v3
+ with:
+ repository: slalombuild/homebrew-secureli
+ token: ${{ steps.app_token.outputs.token }}
+ path: homebrew-secureli
+ ref: main
+ fetch-depth: 0
+
+ - name: Homebrew Formula Generation
+ env:
+ GH_TOKEN: ${{ steps.app_token.outputs.token }}
+ run: ./scripts/secureli-deployment.sh
diff --git a/.github/workflows/secureliCI.yml b/.github/workflows/secureliCI.yml
deleted file mode 100644
index a5967f19..00000000
--- a/.github/workflows/secureliCI.yml
+++ /dev/null
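Review bot: The `deploy` job has no `permissions:` block, so its GITHUB_TOKEN keeps the repository's default scopes even though every write in that job goes through the App token; add `permissions:` / `  contents: read` to it, which is all its own `actions/checkout@v3` step needs. `secureli-publish` is the only release job without `environment: publish`, while `secureli-release` and `deploy` both set it; adding it keeps the three jobs consistent and lets the PyPI trusted-publisher binding be restricted to that environment. The `contents: write` granted to `secureli-release` looks unused, since checkout, semantic-release and `gh release upload` are all handed `steps.app_token.outputs.token` — if nothing there falls back to GITHUB_TOKEN, it can drop to `contents: read`. Because this workflow mints an App installation token with push rights to two repositories, `tibdex/github-app-token@v1`, `actions/checkout@v3` and `pypa/gh-action-pypi-publish@release/v1` are better pinned to full commit SHAs than to mutable tags or branches, and `gh release upload ${{ steps.release.outputs.tag }}` should read the tag from an `env:` entry (e.g. `RELEASE_TAG: ${{ steps.release.outputs.tag }}` then `"$RELEASE_TAG"`) rather than interpolating the expression into the shell script.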
@@ -1,179 +0,0 @@ -# This workflow will install Python dependencies, run tests and lint with a single version of Python -# For more information see: https://docs.github.com/en/actions/automating-builds-and-tests/building-and-testing-python -# These jobs are specifically designed to test the codebase -# and ensure that basic contributing from both mac and windows will work -# Once both windows and mac builds are successful, the next steps will -# - using semantic-version will version the code, pushing the version back to the repo -# - push a package to pypi -# - push a formula to the homebrew repo - -name: secureliCI - -on: - push - -jobs: - build-windows: - runs-on: windows-latest - steps: - - uses: actions/checkout@v3 - - name: Set up Python 3.9 - id: setup-python - uses: actions/setup-python@v4 - with: - python-version: "3.9" - - name: Set Up Project - run: | - pip install poetry - poetry install - - name: Run Tests - run: | - poetry run poe precommit -# Both of these lines error when run on a windows image, more research required as to why - # poetry run poe coverage - # poetry run secureli build - - build-linux: - runs-on: ubuntu-latest - steps: - - name: Get App Token - uses: tibdex/github-app-token@v1 - id: app_token - with: - app_id: 360953 - private_key: ${{ secrets.ACTIONHELPER }} - - uses: actions/checkout@v3 - with: - fetch-depth: 0 - - name: Validate Branch name - run: ./scripts/get-current-branch.sh - - name: Set up Python 3.9 - id: setup-python - uses: actions/setup-python@v4 - with: - python-version: "3.9" - - name: Set Up Project - run: | - pip install poetry - poetry install - - name: Run Tests - run: | - export GH_TOKEN=${{ steps.app_token.outputs.token }} - poetry run poe precommit - poetry run poe coverage - poetry run secureli build - - secureli-release-noop: - needs: [ build-linux, build-windows ] - if: github.ref != 'refs/heads/main' - runs-on: ubuntu-latest - concurrency: release - steps: - - uses: actions/checkout@v3 - with: - fetch-depth: 
0 - - name: Python Semantic Release - uses: relekang/python-semantic-release@master - with: - root_options: -vv --noop - - secureli-release: - needs: [ build-linux, build-windows ] - if: github.ref == 'refs/heads/main' - runs-on: ubuntu-latest - concurrency: release - permissions: - id-token: write - contents: write - outputs: - uploaded: ${{ steps.upload.outputs.uploaded }} - steps: - - name: Get App Token - uses: tibdex/github-app-token@v1 - id: app_token - with: - app_id: 360953 - private_key: ${{ secrets.ACTIONHELPER }} - - - uses: actions/checkout@v3 - with: - fetch-depth: 0 - token: ${{ steps.app_token.outputs.token }} - - - name: Python Semantic Release - id: release - uses: python-semantic-release/python-semantic-release@v8.0.4 - with: - github_token: ${{ steps.app_token.outputs.token }} - - - name: Upload assets to GitHub Releases - id: upload - run: | - if [[ -d dist ]]; then - if [[ -n "$(find ./dist -name 'secureli*' -print -quit)" ]]; then - export GH_TOKEN=${{ steps.app_token.outputs.token }} - gh release upload ${{ steps.release.outputs.tag }} ./dist/secureli* - echo "uploaded=true" >> "$GITHUB_OUTPUT" - else - echo "uploaded=false" >> "$GITHUB_OUTPUT" - fi - else - echo "uploaded=false" >> "$GITHUB_OUTPUT" - fi - - name: Display Output - run: echo uploaded=${{ steps.upload.outputs.uploaded }} - - secureli-publish: - name: Upload release to PyPI - if: github.ref == 'refs/heads/main' && needs.secureli-release.outputs.uploaded == 'true' - runs-on: ubuntu-latest - needs: secureli-release - permissions: - id-token: write # IMPORTANT: this permission is mandatory for trusted publishing - steps: - - name: Display Inputs - run: echo uploaded=${{ needs.secureli-release.outputs.uploaded }} - - name: Checkout seCureLI Repo - uses: actions/checkout@v3 - with: - ref: main - fetch-depth: 0 - - run: | - pip install poetry - poetry install - poetry build - - name: Publish package distributions to PyPI - uses: pypa/gh-action-pypi-publish@release/v1 - with: - 
skip-existing: true - - deploy: - name: Upload Homebrew Formula - if: github.ref == 'refs/heads/main' && needs.secureli-release.outputs.uploaded == 'true' - runs-on: ubuntu-latest - needs: secureli-release - steps: - - name: Display Inputs - run: echo uploaded=${{ needs.secureli-release.outputs.uploaded }} - - name: Get App Token - uses: tibdex/github-app-token@v1 - id: app_token - with: - app_id: 360953 - private_key: ${{ secrets.ACTIONHELPER }} - - uses: actions/checkout@v3 - with: - ref: main - fetch-depth: 0 - - name: Checkout seCureLI Homebrew Repo - uses: actions/checkout@v3 - with: - repository: slalombuild/homebrew-secureli - token: ${{ steps.app_token.outputs.token }} - path: homebrew-secureli - ref: main - fetch-depth: 0 - - name: Homebrew Formula Generation - env: - GH_TOKEN: ${{ steps.app_token.outputs.token }} - run: ./scripts/secureli-deployment.sh