Merge pull request #8 from docker/feat-add-tuf-on-ci-workflows

feat: add tuf-on-ci workflows
docker · Jun 3, 2024 · ee5cc7f · ee5cc7f
2 parents b9c053e + 2651b06
commit ee5cc7f
Show file tree

Hide file tree

Showing 8 changed files with 239 additions and 0 deletions.
diff --git a/.github/PULL_REQUEST_TEMPLATE/signing_event.md b/.github/PULL_REQUEST_TEMPLATE/signing_event.md
diff --git a/.github/TUF_ON_CI_TEMPLATE/failure.md b/.github/TUF_ON_CI_TEMPLATE/failure.md
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,7 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
+      time: "10:35"
diff --git a/.github/workflows/create-signing-events.yml b/.github/workflows/create-signing-events.yml
@@ -0,0 +1,46 @@
+name: TUF-on-CI create Signing events
+
+on:
+  schedule:
+    - cron: '17 1,7,13,19 * * *'
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  create-signing-events:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write # for committing to signing event branch
+      actions: write # for dispatching signing event workflow
+    steps:
+      - name: Generate GitHub App Token
+        id: app-token
+        uses: actions/create-github-app-token@a0de6af83968303c8c955486bf9739a57d23c7f1 # v1.10.0
+        with:
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+      - name: Create signing events for offline version bumps
+        uses: theupdateframework/tuf-on-ci/actions/create-signing-events@a486e2d6fcf93af4cb0f479e6a280f34125647d6 # v0.10.0
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+
+  update-issue:
+    runs-on: ubuntu-latest
+    needs: [create-signing-events]
+    if: always() && !cancelled()
+    permissions:
+      issues: write # for modifying Issues
+      contents: read # for checking out the repository
+    steps:
+      - name: Generate GitHub App Token
+        id: app-token
+        uses: actions/create-github-app-token@a0de6af83968303c8c955486bf9739a57d23c7f1 # v1.10.0
+        with:
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+      - name: Update the issue for the workflow
+        uses: theupdateframework/tuf-on-ci/actions/update-issue@a486e2d6fcf93af4cb0f479e6a280f34125647d6 # v0.10.0
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+          success: ${{ !contains(needs.*.result, 'failure') }}
diff --git a/.github/workflows/online-sign.yml b/.github/workflows/online-sign.yml
@@ -0,0 +1,53 @@
+name: TUF-on-CI online signing
+
+permissions: {}
+
+on:
+  schedule:
+    - cron: '17 1,7,13,19 * * *'
+  push:
+    branches: [main]
+    paths:
+      ['metadata/**', '!metadata/timestamp.json', '!metadata/snapshot.json']
+  workflow_dispatch:
+
+jobs:
+  online-sign:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write # for OIDC identity access
+      contents: write # for commiting snapshot/timestamp changes
+      actions: write # for dispatching publish workflow
+    steps:
+      - name: Generate GitHub App Token
+        id: app-token
+        uses: actions/create-github-app-token@a0de6af83968303c8c955486bf9739a57d23c7f1 # v1.10.0
+        with:
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+      - id: online-sign
+        uses: theupdateframework/tuf-on-ci/actions/online-sign@a486e2d6fcf93af4cb0f479e6a280f34125647d6 # v0.10.0
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+          aws_role_to_assume: ${{ vars.AWS_ROLE_TO_ASSUME }}
+          aws_region: ${{ vars.AWS_REGION }}
+
+  update-issue:
+    runs-on: ubuntu-latest
+    needs: [online-sign]
+    if: always() && !cancelled()
+    permissions:
+      issues: write # for modifying Issues
+      contents: read # for checking out the repository
+    steps:
+      - name: Generate GitHub App Token
+        id: app-token
+        uses: actions/create-github-app-token@a0de6af83968303c8c955486bf9739a57d23c7f1 # v1.10.0
+        with:
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+      - name: Update the issue for the workflow
+        uses: theupdateframework/tuf-on-ci/actions/update-issue@a486e2d6fcf93af4cb0f479e6a280f34125647d6 # v0.10.0
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+          success: ${{ !contains(needs.*.result, 'failure') }}
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -0,0 +1,64 @@
+name: TUF-on-CI publish
+
+permissions: {}
+
+on:
+  workflow_dispatch:
+    inputs:
+      ref:
+        type: string
+        required: false
+
+jobs:
+  build:
+    permissions:
+      pages: read
+      contents: read
+    runs-on: ubuntu-latest
+    steps:
+      - id: build-and-upload-repository
+        uses: theupdateframework/tuf-on-ci/actions/upload-repository@a486e2d6fcf93af4cb0f479e6a280f34125647d6 # v0.10.0
+        with:
+          gh_pages: true
+          ref: ${{ inputs.ref }}
+
+  deploy-to-pages:
+    permissions:
+      pages: write
+      id-token: write # for authenticating to GH Pages
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - name: Deploy TUF-on-CI repository to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
+
+  test-deployed-repository:
+    needs: deploy-to-pages
+    permissions:
+      contents: read # for checking out the repository
+      issues: write # for modifying Issues
+    uses: ./.github/workflows/test.yml
+
+  update-issue:
+    runs-on: ubuntu-latest
+    needs: [build, deploy-to-pages, test-deployed-repository]
+    if: always() && !cancelled()
+    permissions:
+      issues: write # for modifying Issues
+      contents: read # for checking out the repository
+    steps:
+      - name: Generate GitHub App Token
+        id: app-token
+        uses: actions/create-github-app-token@a0de6af83968303c8c955486bf9739a57d23c7f1 # v1.10.0
+        with:
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+      - name: Update the issue for the workflow
+        uses: theupdateframework/tuf-on-ci/actions/update-issue@a486e2d6fcf93af4cb0f479e6a280f34125647d6 # v0.10.0
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+          success: ${{ !contains(needs.*.result, 'failure') }}
diff --git a/.github/workflows/signing-event.yml b/.github/workflows/signing-event.yml
@@ -0,0 +1,30 @@
+name: TUF-on-CI signing event
+
+permissions: {}
+
+on:
+  workflow_dispatch:
+  push:
+    branches: ['sign/**']
+    paths: ['metadata/**', 'targets/**']
+
+jobs:
+  handle-signing-event:
+    name: TUF-on-CI signing event
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write # for making commits in signing event and for modifying draft state
+      pull-requests: write # for modifying signing event pull requests
+      actions: write # for dispatching another signing-event workflow
+
+    steps:
+      - name: Generate GitHub App Token
+        id: app-token
+        uses: actions/create-github-app-token@a0de6af83968303c8c955486bf9739a57d23c7f1 # v1.10.0
+        with:
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+      - name: Signing event
+        uses: theupdateframework/tuf-on-ci/actions/signing-event@a486e2d6fcf93af4cb0f479e6a280f34125647d6 # v0.10.0
+        with:
+          token: ${{ steps.app-token.outputs.token }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -0,0 +1,39 @@
+name: TUF-on-CI repository tests
+
+on:
+  workflow_call:
+  workflow_dispatch:
+  schedule:
+    - cron: "17 4,10,16,22 * * *"
+
+permissions: {}
+
+jobs:
+  smoke-test:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read # for checking out the repository
+    steps:
+      - name: Smoke test TUF-on-CI repository with a TUF client
+        uses: theupdateframework/tuf-on-ci/actions/test-repository@a486e2d6fcf93af4cb0f479e6a280f34125647d6 # v0.10.0
+
+  update-issue:
+    runs-on: ubuntu-latest
+    needs: [smoke-test]
+    # During workflow_call, caller updates issue
+    if: always() && !cancelled() && github.workflow == 'TUF-on-CI repository tests'
+    permissions:
+      issues: write # for modifying Issues
+      contents: read # for checking out the repository
+    steps:
+      - name: Generate GitHub App Token
+        id: app-token
+        uses: actions/create-github-app-token@a0de6af83968303c8c955486bf9739a57d23c7f1 # v1.10.0
+        with:
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+      - name: Update the issue for the workflow
+        uses: theupdateframework/tuf-on-ci/actions/update-issue@a486e2d6fcf93af4cb0f479e6a280f34125647d6 # v0.10.0
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+          success: ${{ !contains(needs.*.result, 'failure') }}