Skip to content

TUF-on-CI online signing #573

TUF-on-CI online signing

TUF-on-CI online signing #573

Workflow file for this run

name: TUF-on-CI online signing
permissions: {}
on:
schedule:
- cron: "17 1,7,13,19 * * *"
push:
branches: [main]
paths:
["metadata/**", "!metadata/timestamp.json", "!metadata/snapshot.json"]
workflow_dispatch:
jobs:
online-sign:
runs-on: ubuntu-latest
permissions:
id-token: write # for OIDC identity access
contents: write # for commiting snapshot/timestamp changes
actions: write # for dispatching publish workflow
steps:
- name: Generate GitHub App Token
id: app-token
uses: actions/create-github-app-token@31c86eb3b33c9b601a1f60f98dcbfd1d70f379b4 # v1.10.3
with:
app-id: ${{ vars.APP_ID }}
private-key: ${{ secrets.APP_PRIVATE_KEY }}
- id: online-sign
uses: theupdateframework/tuf-on-ci/actions/online-sign@95dc66aba6102bbe911ef93c69395ff62ed69bd4 # v0.11.0
with:
token: ${{ steps.app-token.outputs.token }}
aws_role_to_assume: ${{ vars.AWS_ROLE_TO_ASSUME }}
aws_region: ${{ vars.AWS_REGION }}
update-issue:
runs-on: ubuntu-latest
needs: [online-sign]
if: always() && !cancelled()
permissions:
issues: write # for modifying Issues
contents: read # for checking out the repository
steps:
- name: Generate GitHub App Token
id: app-token
uses: actions/create-github-app-token@31c86eb3b33c9b601a1f60f98dcbfd1d70f379b4 # v1.10.3
with:
app-id: ${{ vars.APP_ID }}
private-key: ${{ secrets.APP_PRIVATE_KEY }}
- name: Update the issue for the workflow
uses: theupdateframework/tuf-on-ci/actions/update-issue@95dc66aba6102bbe911ef93c69395ff62ed69bd4 # v0.11.0
with:
token: ${{ steps.app-token.outputs.token }}
success: ${{ !contains(needs.*.result, 'failure') }}
failure-notification:
runs-on: ubuntu-latest
needs: [online-sign, update-issue]
if: ${{ always() && contains(needs.*.result, 'failure') }}
steps:
- name: Slack Notification
uses: rtCamp/action-slack-notify@v2
env:
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
SLACK_COLOR: failure
MSG_MINIMAL: true
SLACK_TITLE: "${{ github.workflow }} - Failure"
SLACK_MESSAGE: "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
SLACK_FOOTER: "triggered by ${{ github.repository }}"
- name: PagerDuty Alert
env:
PAGERDUTY_KEY: ${{ secrets.PAGERDUTY_KEY }}
run: |
curl -X POST 'https://events.pagerduty.com/v2/enqueue' \
-H 'Content-Type: application/json' \
-d '{
"routing_key": "'$PAGERDUTY_KEY'",
"event_action": "trigger",
"payload": {
"summary": "${{ github.workflow }} - Failure",
"severity": "critical",
"source": "${{ github.server_url }}/${{ github.repository }}",
"custom_details": {
"workflow_run": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
}
}
}'