Skip to content

contrib/sign-release.sh: allow secret via stdin #81

contrib/sign-release.sh: allow secret via stdin

contrib/sign-release.sh: allow secret via stdin #81

Workflow file for this run

---
name: "Build Gluon images"
# yamllint disable-line rule:truthy
on:
pull_request:
push:
workflow_dispatch:
inputs:
repository:
description: 'Repository path (e.g. freifunk-gluon/gluon)'
required: true
reference:
description: 'Reference (commit / tag)'
required: true
targets:
description: 'Targets to build (space separated)'
required: false
jobs:
build-meta:
outputs:
container-version: >-
${{ steps.build-metadata.outputs.container-version }}
release-version: >-
${{ steps.build-metadata.outputs.release-version }}
site-version: >-
${{ steps.build-metadata.outputs.site-version }}
autoupdater-enabled: >-
${{ steps.build-metadata.outputs.autoupdater-enabled }}
autoupdater-branch: >-
${{ steps.build-metadata.outputs.autoupdater-branch }}
broken: >-
${{ steps.build-metadata.outputs.broken }}
gluon-repository: >-
${{ steps.build-metadata.outputs.gluon-repository }}
gluon-commit: >-
${{ steps.build-metadata.outputs.gluon-commit }}
manifest-stable: >-
${{ steps.build-metadata.outputs.manifest-stable }}
manifest-beta: >-
${{ steps.build-metadata.outputs.manifest-beta }}
manifest-experimental: >-
${{ steps.build-metadata.outputs.manifest-experimental }}
manifest-nightly: >-
${{ steps.build-metadata.outputs.manifest-nightly }}
sign-manifest: >-
${{ steps.build-metadata.outputs.sign-manifest }}
create-release: >-
${{ steps.build-metadata.outputs.create-release }}
pre-release: >-
${{ steps.build-metadata.outputs.pre-release }}
deploy: >-
${{ steps.build-metadata.outputs.deploy }}
link-release: >-
${{ steps.build-metadata.outputs.link-release }}
target-whitelist: >-
${{ steps.build-metadata.outputs.target-whitelist }}
env:
WORKFLOW_DISPATCH_REPOSITORY: ${{ github.event.inputs.repository }}
WORKFLOW_DISPATCH_REFERENCE: ${{ github.event.inputs.reference }}
WORKFLOW_DISPATCH_TARGETS: ${{ github.event.inputs.targets }}
runs-on: ubuntu-22.04
name: Determine build-meta
steps:
- uses: actions/checkout@v4
- name: Set Timezone
run: sudo timedatectl set-timezone Europe/Berlin
- name: Show current Timezone settings
run: timedatectl status
- name: Get build-metadata
id: build-metadata
run: bash .github/build-meta.sh
- name: Create Artifact of build-meta
uses: actions/upload-artifact@v4
with:
name: build-meta
path: ${{ steps.build-metadata.outputs.build-meta-output }}
targets:
needs: build-meta
outputs:
targets: ${{ steps.get-targets.outputs.targets }}
runs-on: ubuntu-22.04
name: Get Gluon targets
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v4
with:
repository: ${{ needs.build-meta.outputs.gluon-repository }}
ref: ${{ needs.build-meta.outputs.gluon-commit }}
path: 'gluon-gha-data/gluon'
- name: Set Timezone
run: sudo timedatectl set-timezone Europe/Berlin
- name: Show current Timezone settings
run: timedatectl status
- name: Get Targets
uses: freifunk-gluon/action-target-list@v1
id: get-targets
with:
gluon-path: "gluon-gha-data/gluon"
broken: ${{ needs.build-meta.outputs.broken }}
allowlist: ${{ needs.build-meta.outputs.target-whitelist }}
host-tools:
needs: build-meta
runs-on: ubuntu-22.04
name: Build host-tools
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v4
with:
repository: ${{ needs.build-meta.outputs.gluon-repository }}
ref: ${{ needs.build-meta.outputs.gluon-commit }}
path: 'gluon-gha-data/gluon'
- name: Set Timezone
run: sudo timedatectl set-timezone Europe/Berlin
- name: Show current Timezone settings
run: timedatectl status
- name: Determine Cache-Key
id: cache-key
run: >
echo "cache-key=$(bash .github/cache-key.sh
$GITHUB_WORKSPACE/gluon-gha-data/gluon)" >> "$GITHUB_OUTPUT"
- name: Restore Cache
id: restore-cache-tools
uses: actions/cache/restore@v4
with:
path: gluon-gha-data/gluon/openwrt
key: openwrt-${{ steps.cache-key.outputs.cache-key }}
- name: Update Gluon
uses: freifunk-gluon/action-build@v1
if: steps.restore-cache-tools.outputs.cache-hit != 'true'
id: update-gluon
with:
container-version: ${{ needs.build-meta.outputs.container-version }}
gluon-path: "gluon-gha-data/gluon"
make-target: update
site-path: "."
- name: Build host-tools
uses: freifunk-gluon/action-build@v1
if: steps.restore-cache-tools.outputs.cache-hit != 'true'
id: build-host-tools
with:
container-version: ${{ needs.build-meta.outputs.container-version }}
gluon-path: "gluon-gha-data/gluon"
make-target: openwrt/staging_dir/hostpkg/bin/lua
site-path: "."
- name: Save Cache
id: save-cache-tools
if: >
github.ref_type != 'tag' &&
steps.restore-cache-tools.outputs.cache-hit != 'true'
uses: actions/cache/save@v4
with:
path: gluon-gha-data/gluon/openwrt
key: openwrt-${{ steps.cache-key.outputs.cache-key }}
- name: Create Artifact output directory
run: mkdir gluon-gha-data/openwrt
- name: Pack Output
run: >
tar cJf "gluon-gha-data/openwrt/openwrt.tar.xz"
--posix -C "gluon-gha-data/gluon" openwrt
- name: Archive build output
uses: actions/upload-artifact@v4
with:
name: openwrt
path: "gluon-gha-data/openwrt"
compression-level: 0
build:
needs: [targets, build-meta, host-tools]
strategy:
fail-fast: false
matrix:
target: ${{ fromJSON(needs.targets.outputs.targets) }}
runs-on: ubuntu-22.04
if: >
needs.targets.outputs.targets != '[]'
permissions:
id-token: write
attestations: write
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v4
with:
repository: ${{ needs.build-meta.outputs.gluon-repository }}
ref: ${{ needs.build-meta.outputs.gluon-commit }}
path: 'gluon-gha-data/gluon'
fetch-depth: 0
fetch-tags: true
- name: Set Timezone
run: sudo timedatectl set-timezone Europe/Berlin
- name: Show current Timezone settings
run: timedatectl status
- name: Fetch upstream tags
# yamllint disable rule:line-length
if: ${{ needs.build-meta.outputs.gluon-repository != 'freifunk-gluon/gluon' }}
run: |
git -C gluon-gha-data/gluon remote add upstream https://github.com/freifunk-gluon/gluon.git
git -C gluon-gha-data/gluon fetch upstream --tags
# yamllint enable rule:line-length
- name: Print CPU info
run: cat /proc/cpuinfo
- name: Print meminfo
run: cat /proc/meminfo
- name: Download prepared OpenWrt
uses: actions/download-artifact@v4
with:
name: openwrt
path: "gluon-gha-data/openwrt"
- name: Restore OpenWrt
run: >
tar xf gluon-gha-data/openwrt/openwrt.tar.xz -C gluon-gha-data/gluon
- name: Gluon Update
uses: freifunk-gluon/action-build@v1
id: update-gluon
with:
container-version: ${{ needs.build-meta.outputs.container-version }}
gluon-path: "gluon-gha-data/gluon"
hardware-target: ath79-generic
make-target: update
- name: Build
# yamllint disable-line rule:line-length
uses: freifunk-gluon/action-build@3a48a4d0db08ff393e08ec3074f1b218ee5ac54b
id: build-gluon
with:
container-version: ${{ needs.build-meta.outputs.container-version }}
gluon-path: "gluon-gha-data/gluon"
hardware-target: ${{ matrix.target }}
broken: ${{ needs.build-meta.outputs.broken }}
deprecated: "0"
autoupdater-enabled: |
${{ needs.build-meta.outputs.autoupdater-enabled }}
autoupdater-branch: |
${{ needs.build-meta.outputs.autoupdater-branch }}
release: ${{ needs.build-meta.outputs.release-version }}
site-version: ${{ needs.build-meta.outputs.site-version }}
- name: Pack and Upload build output
uses: ./.github/actions/build-artifact
with:
gluon-path: "gluon-gha-data/gluon"
hardware-target: ${{ matrix.target }}
- name: Attest Image Build Provenance
if: ${{ needs.build-meta.outputs.create-release != '0' }}
uses: actions/attest-build-provenance@v1
with:
subject-path: |
"gluon-gha-data/gluon/output/images/sysupgrade/*"
"gluon-gha-data/gluon/output/images/other/*"
"gluon-gha-data/gluon/output/images/factory/*"
manifest:
needs: [build, build-meta, targets]
runs-on: ubuntu-22.04
if: >
needs.targets.outputs.targets != '[]' &&
github.event_name == 'push'
steps:
- uses: actions/checkout@v4
- name: Set Timezone
run: sudo timedatectl set-timezone Europe/Berlin
- name: Show current Timezone settings
run: timedatectl status
- uses: actions/download-artifact@v4
with:
path: "gluon-gha-data/gluon-output"
- name: Clone Gluon
uses: actions/checkout@v4
with:
repository: ${{ needs.build-meta.outputs.gluon-repository }}
ref: ${{ needs.build-meta.outputs.gluon-commit }}
path: 'gluon-gha-data/gluon'
- name: Download prepared OpenWrt
uses: actions/download-artifact@v4
with:
name: openwrt
path: "gluon-gha-data/openwrt"
- name: Restore OpenWrt
run: |
tar xf gluon-gha-data/openwrt/openwrt.tar.xz -C gluon-gha-data/gluon
- name: Combine Build output
uses: ./.github/actions/build-combine
with:
artifact-dir: "gluon-gha-data/gluon-output"
output-dir: "gluon-gha-data/gluon/output"
targets: ${{ needs.targets.outputs.targets }}
- name: Gluon Update
uses: freifunk-gluon/action-build@v1
id: update-gluon
with:
container-version: ${{ needs.build-meta.outputs.container-version }}
gluon-path: "gluon-gha-data/gluon"
make-target: update
- name: Manifest (Stable)
uses: freifunk-gluon/action-build@v1
if: ${{ needs.build-meta.outputs.manifest-stable != '0' }}
with:
container-version: ${{ needs.build-meta.outputs.container-version }}
gluon-path: "gluon-gha-data/gluon"
make-target: manifest
autoupdater-branch: stable
release: ${{ needs.build-meta.outputs.release-version }}
priority: 1
- name: Manifest (Beta)
uses: freifunk-gluon/action-build@v1
if: ${{ needs.build-meta.outputs.manifest-beta != '0' }}
with:
container-version: >-
${{ needs.build-meta.outputs.container-version }}
gluon-path: "gluon-gha-data/gluon"
make-target: manifest
autoupdater-branch: beta
release: >-
${{ needs.build-meta.outputs.release-version }}
priority: 1
- name: Manifest (Experimental)
uses: freifunk-gluon/action-build@v1
if: ${{ needs.build-meta.outputs.manifest-experimental != '0' }}
with:
container-version: >-
${{ needs.build-meta.outputs.container-version }}
gluon-path: "gluon-gha-data/gluon"
make-target: manifest
autoupdater-branch: experimental
release: >-
${{ needs.build-meta.outputs.release-version }}
priority: 1
- name: Manifest (Nightly)
uses: freifunk-gluon/action-build@v1
if: ${{ needs.build-meta.outputs.manifest-nightly != '0' }}
with:
container-version: ${{ needs.build-meta.outputs.container-version }}
gluon-path: "gluon-gha-data/gluon"
make-target: manifest
autoupdater-branch: nightly
release: ${{ needs.build-meta.outputs.release-version }}
priority: 1
broken: ${{ needs.build-meta.outputs.broken }}
- name: Sign manifest (Stable)
uses: freifunk-gluon/action-sign@v1
if: >
needs.build-meta.outputs.manifest-stable != '0' &&
needs.build-meta.outputs.sign-manifest != '0'
with:
container-version: ${{ needs.build-meta.outputs.container-version }}
gluon-path: "gluon-gha-data/gluon"
manifest: >-
gluon-gha-data/gluon/output/images/sysupgrade/stable.manifest
signing-key: ${{ secrets.GHA_FFRN_BUILD_ECDSA_KEY_STABLE }}
write-signature: "true"
- name: Sign manifest (Beta)
uses: freifunk-gluon/action-sign@v1
if: >
needs.build-meta.outputs.manifest-beta != '0' &&
needs.build-meta.outputs.sign-manifest != '0'
with:
container-version: ${{ needs.build-meta.outputs.container-version }}
gluon-path: "gluon-gha-data/gluon"
manifest: >-
gluon-gha-data/gluon/output/images/sysupgrade/beta.manifest
signing-key: ${{ secrets.GHA_FFRN_BUILD_ECDSA_KEY_BETA }}
write-signature: "true"
- name: Sign manifest (Experimental)
uses: freifunk-gluon/action-sign@v1
if: >
needs.build-meta.outputs.manifest-experimental != '0' &&
needs.build-meta.outputs.sign-manifest != '0'
with:
container-version: ${{ needs.build-meta.outputs.container-version }}
gluon-path: "gluon-gha-data/gluon"
manifest: >-
gluon-gha-data/gluon/output/images/sysupgrade/experimental.manifest
signing-key: ${{ secrets.GHA_FFRN_BUILD_ECDSA_KEY_EXPERIMENTAL }}
write-signature: "true"
- name: Sign manifest (Nightly)
uses: freifunk-gluon/action-sign@v1
if: >
needs.build-meta.outputs.manifest-nightly != '0' &&
needs.build-meta.outputs.sign-manifest != '0'
with:
container-version: ${{ needs.build-meta.outputs.container-version }}
gluon-path: "gluon-gha-data/gluon"
manifest: >-
gluon-gha-data/gluon/output/images/sysupgrade/nightly.manifest
signing-key: ${{ secrets.GHA_FFRN_BUILD_ECDSA_KEY_NIGHTLY }}
write-signature: "true"
- name: Create Artifact Directory
run: mkdir gluon-gha-data/artifact-out
- name: Structure
run: tree gluon-gha-data/gluon
- name: Pack Manifest
run: >
find ./gluon-gha-data/gluon/output/images/sysupgrade
-maxdepth 1 -name "*.manifest" -exec basename {} \; |
tar cJf gluon-gha-data/artifact-out/manifest.tar.xz
-C gluon-gha-data/gluon/output/images/sysupgrade -T -
- name: Archive output
uses: actions/upload-artifact@v4
with:
name: manifest-signed
path: gluon-gha-data/artifact-out
deploy:
needs: [build, build-meta, targets, manifest]
runs-on: ubuntu-22.04
if: >
needs.targets.outputs.targets != '[]' &&
needs.build-meta.outputs.deploy != '0' &&
github.event_name == 'push'
steps:
- uses: actions/checkout@v4
- name: Set Timezone
run: sudo timedatectl set-timezone Europe/Berlin
- name: Show current Timezone settings
run: timedatectl status
- uses: actions/download-artifact@v4
with:
path: "gluon-gha-data/artifact-download"
- name: Create Directory to store Gluon output into
run: mkdir gluon-gha-data/gluon-output
- name: Combine Build output
uses: ./.github/actions/build-combine
with:
artifact-dir: "gluon-gha-data/artifact-download"
output-dir: "gluon-gha-data/gluon-output/output"
targets: ${{ needs.targets.outputs.targets }}
- name: Extract Manifest
run: >
tar xf
gluon-gha-data/artifact-download/manifest-signed/manifest.tar.xz
-C gluon-gha-data/gluon-output/output/images/sysupgrade
- name: Save SSH Key for deployment
run: >
mkdir -p ~/.ssh &&
echo "${{ secrets.GHA_FFRN_BUILD_DEPLOY_SSH_KEY }}" >
~/.ssh/deploy_key && chmod 600 ~/.ssh/deploy_key
- name: Copy Firmware
# yamllint disable-line rule:line-length
run: rsync -avzP -e "ssh -q -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i ~/.ssh/deploy_key -oIdentitiesOnly=yes" gluon-gha-data/gluon-output/output/{images,packages} "firmware@fw.gluon.ffrn.de:/srv/firmware/images/${{ needs.build-meta.outputs.release-version }}/"
- name: Link packages
env:
RELEASE_VERSION: ${{ needs.build-meta.outputs.release-version }}
# yamllint disable rule:line-length
run: >
ssh
-i ~/.ssh/deploy_key
-q
-oUserKnownHostsFile=/dev/null
-oStrictHostKeyChecking=no
-oIdentitiesOnly=yes
firmware@fw.gluon.ffrn.de
"ln -n -f -s /srv/firmware/images/$RELEASE_VERSION/packages/gluon-ffrn-$RELEASE_VERSION /srv/firmware/packages/gluon-ffrn-$RELEASE_VERSION"
# yamllint enable rule:line-length
link-release:
needs: [build, build-meta, targets, manifest, deploy]
runs-on: ubuntu-22.04
if: >
needs.targets.outputs.targets != '[]' &&
needs.build-meta.outputs.deploy != '0' &&
needs.build-meta.outputs.link-release != '0' &&
github.event_name == 'push'
steps:
- name: Save SSH Key for deployment
run: >
mkdir -p ~/.ssh &&
echo "${{ secrets.GHA_FFRN_BUILD_DEPLOY_SSH_KEY }}" >
~/.ssh/deploy_key && chmod 600 ~/.ssh/deploy_key
- name: Link Release
env:
RELEASE_VERSION: ${{ needs.build-meta.outputs.release-version }}
AUTOUPDATER_BRANCH: ${{ needs.build-meta.outputs.autoupdater-branch }}
# yamllint disable rule:line-length
run: >
ssh
-i ~/.ssh/deploy_key
-q
-oUserKnownHostsFile=/dev/null
-oStrictHostKeyChecking=no
-oIdentitiesOnly=yes
firmware@fw.gluon.ffrn.de
"ln -n -f -s /srv/firmware/images/$RELEASE_VERSION/images /srv/firmware/images/$AUTOUPDATER_BRANCH"
# yamllint enable rule:line-length
create-release:
needs: [build, build-meta, targets, manifest]
runs-on: ubuntu-22.04
if: >
needs.targets.outputs.targets != '[]' &&
needs.build-meta.outputs.create-release != '0' &&
github.event_name == 'push'
permissions:
contents: write
id-token: write
attestations: write
steps:
- uses: actions/checkout@v4
- name: Set Timezone
run: sudo timedatectl set-timezone Europe/Berlin
- name: Show current Timezone settings
run: timedatectl status
- uses: actions/download-artifact@v4
with:
path: "gluon-gha-data/artifact-download"
- name: Create Directory to store Gluon output into
run: mkdir gluon-gha-data/gluon-output
- name: Download target Artifacts
uses: ./.github/actions/build-combine
with:
artifact-dir: "gluon-gha-data/artifact-download"
output-dir: "gluon-gha-data/release-artifacts"
targets: ${{ needs.targets.outputs.targets }}
keep-packed: 1
- name: Move manifest archive
run: >-
mv gluon-gha-data/artifact-download/manifest-signed/manifest.tar.xz
gluon-gha-data/release-artifacts/manifest.tar.xz
- name: Move manifest archive
run: >-
mv gluon-gha-data/artifact-download/build-meta/build-meta.txt
gluon-gha-data/release-artifacts/build-meta.txt
- name: Show File sizes
run: du -sh gluon-gha-data/release-artifacts/*
- name: Create Release Notes
run: >-
bash .github/create-release-notes.sh
gluon-gha-data/release-artifacts/build-meta.txt
gluon-gha-data/release-notes.md
- name: Attest Release Artifact Build Provenance
uses: actions/attest-build-provenance@v1
with:
subject-path: |
gluon-gha-data/release-artifacts/*
- name: Create GitHub Release
uses: softprops/action-gh-release@v2
with:
name: ${{ needs.build-meta.outputs.release-version }}
# yamllint disable rule:line-length
prerelease: ${{ needs.build-meta.outputs.pre-release == '1' && 'true' || '' }}
# yamllint enable rule:line-length
body_path: gluon-gha-data/release-notes.md
files: |
gluon-gha-data/release-artifacts/*