From 2651b067fd1e45bf101c5a146df1c919ce97c8c3 Mon Sep 17 00:00:00 2001
From: mrjoelkamp
Date: Mon, 3 Jun 2024 11:49:09 -0500
Subject: [PATCH] feat: add tuf-on-ci workflows
---
.../PULL_REQUEST_TEMPLATE/signing_event.md | 0
.github/TUF_ON_CI_TEMPLATE/failure.md | 0
.github/dependabot.yml | 7 ++
.github/workflows/create-signing-events.yml | 46 +++++++++++++
.github/workflows/online-sign.yml | 53 +++++++++++++++
.github/workflows/publish.yml | 64 +++++++++++++++++++
.github/workflows/signing-event.yml | 30 +++++++++
.github/workflows/test.yml | 39 +++++++++++
8 files changed, 239 insertions(+)
create mode 100644 .github/PULL_REQUEST_TEMPLATE/signing_event.md
create mode 100644 .github/TUF_ON_CI_TEMPLATE/failure.md
create mode 100644 .github/dependabot.yml
create mode 100644 .github/workflows/create-signing-events.yml
create mode 100644 .github/workflows/online-sign.yml
create mode 100644 .github/workflows/publish.yml
create mode 100644 .github/workflows/signing-event.yml
create mode 100644 .github/workflows/test.yml
diff --git a/.github/PULL_REQUEST_TEMPLATE/signing_event.md b/.github/PULL_REQUEST_TEMPLATE/signing_event.md
new file mode 100644
index 0000000..e69de29
diff --git a/.github/TUF_ON_CI_TEMPLATE/failure.md b/.github/TUF_ON_CI_TEMPLATE/failure.md
new file mode 100644
index 0000000..e69de29
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..b1cb94d
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,7 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "daily"
+ time: "10:35"
diff --git a/.github/workflows/create-signing-events.yml b/.github/workflows/create-signing-events.yml
new file mode 100644
index 0000000..2b3e953
--- /dev/null
+++ b/.github/workflows/create-signing-events.yml
@@ -0,0 +1,46 @@
+name: TUF-on-CI create Signing events
+
+on:
+ schedule:
+ - cron: '17 1,7,13,19 * * *'
+ workflow_dispatch:
+
+permissions: {}
+
+jobs:
+ create-signing-events:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write # for committing to signing event branch
+ actions: write # for dispatching signing event workflow
+ steps:
+ - name: Generate GitHub App Token
+ id: app-token
+ uses: actions/create-github-app-token@a0de6af83968303c8c955486bf9739a57d23c7f1 # v1.10.0
+ with:
+ app-id: ${{ vars.APP_ID }}
+ private-key: ${{ secrets.APP_PRIVATE_KEY }}
+ - name: Create signing events for offline version bumps
+ uses: theupdateframework/tuf-on-ci/actions/create-signing-events@a486e2d6fcf93af4cb0f479e6a280f34125647d6 # v0.10.0
+ with:
+ token: ${{ steps.app-token.outputs.token }}
+
+ update-issue:
+ runs-on: ubuntu-latest
+ needs: [create-signing-events]
+ if: always() && !cancelled()
+ permissions:
+ issues: write # for modifying Issues
+ contents: read # for checking out the repository
+ steps:
+ - name: Generate GitHub App Token
+ id: app-token
+ uses: actions/create-github-app-token@a0de6af83968303c8c955486bf9739a57d23c7f1 # v1.10.0
+ with:
+ app-id: ${{ vars.APP_ID }}
+ private-key: ${{ secrets.APP_PRIVATE_KEY }}
+ - name: Update the issue for the workflow
+ uses: theupdateframework/tuf-on-ci/actions/update-issue@a486e2d6fcf93af4cb0f479e6a280f34125647d6 # v0.10.0
+ with:
+ token: ${{ steps.app-token.outputs.token }}
+ success: ${{ !contains(needs.*.result, 'failure') }}
diff --git a/.github/workflows/online-sign.yml b/.github/workflows/online-sign.yml
new file mode 100644
index 0000000..fcf6e77
--- /dev/null
+++ b/.github/workflows/online-sign.yml
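Review bot: The `create-signing-events` job grants GITHUB_TOKEN `contents: write` and `actions: write` while in the same job minting an App installation token that it hands to the tuf-on-ci action as `token`, so two write-capable credentials are live at once; if the pinned action only uses the supplied `token` (presumably the reason the App token exists), the job-level grant can shrink to `contents: read`, and the same applies to the `online-sign` and `handle-signing-event` jobs in the later hunks. Confirm against the pinned action first, since a composite action can still fall back to `github.token` for checkout or dispatch. The `update-issue` guard `if: always() && !cancelled()` is equivalent to `if: ${{ !cancelled() }}` because `always()` is also true on cancellation; not a bug, but the shorter form says what is meant. A comment on the job explaining why the App token is preferred over GITHUB_TOKEN, e.g. `# App token is used so pushes/dispatches made here trigger downstream workflows`, would help the next reader, if that is indeed the reason.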
@@ -0,0 +1,53 @@
+name: TUF-on-CI online signing
+
+permissions: {}
+
+on:
+ schedule:
+ - cron: '17 1,7,13,19 * * *'
+ push:
+ branches: [main]
+ paths:
+ ['metadata/**', '!metadata/timestamp.json', '!metadata/snapshot.json']
+ workflow_dispatch:
+
+jobs:
+ online-sign:
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: write # for OIDC identity access
+ contents: write # for commiting snapshot/timestamp changes
+ actions: write # for dispatching publish workflow
+ steps:
+ - name: Generate GitHub App Token
+ id: app-token
+ uses: actions/create-github-app-token@a0de6af83968303c8c955486bf9739a57d23c7f1 # v1.10.0
+ with:
+ app-id: ${{ vars.APP_ID }}
+ private-key: ${{ secrets.APP_PRIVATE_KEY }}
+ - id: online-sign
+ uses: theupdateframework/tuf-on-ci/actions/online-sign@a486e2d6fcf93af4cb0f479e6a280f34125647d6 # v0.10.0
+ with:
+ token: ${{ steps.app-token.outputs.token }}
+ aws_role_to_assume: ${{ vars.AWS_ROLE_TO_ASSUME }}
+ aws_region: ${{ vars.AWS_REGION }}
+
+ update-issue:
+ runs-on: ubuntu-latest
+ needs: [online-sign]
+ if: always() && !cancelled()
+ permissions:
+ issues: write # for modifying Issues
+ contents: read # for checking out the repository
+ steps:
+ - name: Generate GitHub App Token
+ id: app-token
+ uses: actions/create-github-app-token@a0de6af83968303c8c955486bf9739a57d23c7f1 # v1.10.0
+ with:
+ app-id: ${{ vars.APP_ID }}
+ private-key: ${{ secrets.APP_PRIVATE_KEY }}
+ - name: Update the issue for the workflow
+ uses: theupdateframework/tuf-on-ci/actions/update-issue@a486e2d6fcf93af4cb0f479e6a280f34125647d6 # v0.10.0
+ with:
+ token: ${{ steps.app-token.outputs.token }}
+ success: ${{ !contains(needs.*.result, 'failure') }}
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 0000000..9930b67
--- /dev/null
+++ b/.github/workflows/publish.yml
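Review bot: The `online-sign` job's `id-token: write` is what lets the runner exchange its GitHub OIDC token for the AWS role in `vars.AWS_ROLE_TO_ASSUME`, i.e. the role that reaches the online signing key, so the AWS trust policy is the real authorization boundary and the workflow does not say so; replace the comment on that line with `id-token: write # OIDC token exchanged for AWS_ROLE_TO_ASSUME; the role's trust policy must pin the sub claim to this repo (ideally refs/heads/main)`. All three triggers here run on the default branch, so a trust policy pinned to `main` would cover them; confirm that the policy actually does. Also worth a comment on `paths`: excluding `timestamp.json` and `snapshot.json` is presumably what stops the commit this job makes from re-triggering the `push` event, which matters because App-token pushes, unlike GITHUB_TOKEN pushes, do trigger workflows. Nit: the `contents: write` comment misspells `commiting` (`committing`).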
@@ -0,0 +1,64 @@
+name: TUF-on-CI publish
+
+permissions: {}
+
+on:
+ workflow_dispatch:
+ inputs:
+ ref:
+ type: string
+ required: false
+
+jobs:
+ build:
+ permissions:
+ pages: read
+ contents: read
+ runs-on: ubuntu-latest
+ steps:
+ - id: build-and-upload-repository
+ uses: theupdateframework/tuf-on-ci/actions/upload-repository@a486e2d6fcf93af4cb0f479e6a280f34125647d6 # v0.10.0
+ with:
+ gh_pages: true
+ ref: ${{ inputs.ref }}
+
+ deploy-to-pages:
+ permissions:
+ pages: write
+ id-token: write # for authenticating to GH Pages
+ environment:
+ name: github-pages
+ url: ${{ steps.deployment.outputs.page_url }}
+ runs-on: ubuntu-latest
+ needs: build
+ steps:
+ - name: Deploy TUF-on-CI repository to GitHub Pages
+ id: deployment
+ uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
+
+ test-deployed-repository:
+ needs: deploy-to-pages
+ permissions:
+ contents: read # for checking out the repository
+ issues: write # for modifying Issues
+ uses: ./.github/workflows/test.yml
+
+ update-issue:
+ runs-on: ubuntu-latest
+ needs: [build, deploy-to-pages, test-deployed-repository]
+ if: always() && !cancelled()
+ permissions:
+ issues: write # for modifying Issues
+ contents: read # for checking out the repository
+ steps:
+ - name: Generate GitHub App Token
+ id: app-token
+ uses: actions/create-github-app-token@a0de6af83968303c8c955486bf9739a57d23c7f1 # v1.10.0
+ with:
+ app-id: ${{ vars.APP_ID }}
+ private-key: ${{ secrets.APP_PRIVATE_KEY }}
+ - name: Update the issue for the workflow
+ uses: theupdateframework/tuf-on-ci/actions/update-issue@a486e2d6fcf93af4cb0f479e6a280f34125647d6 # v0.10.0
+ with:
+ token: ${{ steps.app-token.outputs.token }}
+ success: ${{ !contains(needs.*.result, 'failure') }}
diff --git a/.github/workflows/signing-event.yml b/.github/workflows/signing-event.yml
new file mode 100644
index 0000000..6a3e371
--- /dev/null
+++ b/.github/workflows/signing-event.yml
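Review bot: The `ref` input has no `description:` and its empty-value behaviour is undocumented, yet it decides which commit's metadata `upload-repository` builds and `deploy-to-pages` then publishes under the `github-pages` environment; environment deployment-branch rules evaluate the run's own `github.ref`, not `inputs.ref`, so they presumably do not constrain what a manual dispatch publishes. Add `description: 'Git ref of the TUF repository to publish (see upload-repository for the default when empty)'` to the input and a job comment stating that this workflow is normally dispatched by online-sign.yml (`actions: write` there) rather than by hand, if that is the intent — confirm the default against the pinned action. Smaller point: `test-deployed-repository` passes `issues: write` to the reusable test.yml, whose `update-issue` job is gated off during `workflow_call`, so that grant appears unused; if the called workflow accepts a reduced grant, `contents: read` alone would do.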
@@ -0,0 +1,30 @@
+name: TUF-on-CI signing event
+
+permissions: {}
+
+on:
+ workflow_dispatch:
+ push:
+ branches: ['sign/**']
+ paths: ['metadata/**', 'targets/**']
+
+jobs:
+ handle-signing-event:
+ name: TUF-on-CI signing event
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write # for making commits in signing event and for modifying draft state
+ pull-requests: write # for modifying signing event pull requests
+ actions: write # for dispatching another signing-event workflow
+
+ steps:
+ - name: Generate GitHub App Token
+ id: app-token
+ uses: actions/create-github-app-token@a0de6af83968303c8c955486bf9739a57d23c7f1 # v1.10.0
+ with:
+ app-id: ${{ vars.APP_ID }}
+ private-key: ${{ secrets.APP_PRIVATE_KEY }}
+ - name: Signing event
+ uses: theupdateframework/tuf-on-ci/actions/signing-event@a486e2d6fcf93af4cb0f479e6a280f34125647d6 # v0.10.0
+ with:
+ token: ${{ steps.app-token.outputs.token }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
new file mode 100644
index 0000000..779a0f1
--- /dev/null
+++ b/.github/workflows/test.yml
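Review bot: The two template files this commit adds alongside this workflow, `.github/PULL_REQUEST_TEMPLATE/signing_event.md` and `.github/TUF_ON_CI_TEMPLATE/failure.md`, are empty (blob `e69de29`, `0` in the diffstat), so the signing-event pull requests and failure issues presumably created from them will have no body explaining what a signer is expected to do; either fill them from the upstream tuf-on-ci templates or add a comment here stating that they are intentionally blank. On the `permissions` block, the `actions: write # for dispatching another signing-event workflow` comment implies this workflow re-triggers itself, and since App-token pushes to `sign/**` also fire the `push` trigger above, a comment stating which of the two paths is the intended re-entry (and that the action guards against looping, if it does) would save the next reader a trip into the pinned action. The duplicate-credential point from the create-signing-events hunk applies to this job as well.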
@@ -0,0 +1,39 @@
+name: TUF-on-CI repository tests
+
+on:
+ workflow_call:
+ workflow_dispatch:
+ schedule:
+ - cron: "17 4,10,16,22 * * *"
+
+permissions: {}
+
+jobs:
+ smoke-test:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read # for checking out the repository
+ steps:
+ - name: Smoke test TUF-on-CI repository with a TUF client
+ uses: theupdateframework/tuf-on-ci/actions/test-repository@a486e2d6fcf93af4cb0f479e6a280f34125647d6 # v0.10.0
+
+ update-issue:
+ runs-on: ubuntu-latest
+ needs: [smoke-test]
+ # During workflow_call, caller updates issue
+ if: always() && !cancelled() && github.workflow == 'TUF-on-CI repository tests'
+ permissions:
+ issues: write # for modifying Issues
+ contents: read # for checking out the repository
+ steps:
+ - name: Generate GitHub App Token
+ id: app-token
+ uses: actions/create-github-app-token@a0de6af83968303c8c955486bf9739a57d23c7f1 # v1.10.0
+ with:
+ app-id: ${{ vars.APP_ID }}
+ private-key: ${{ secrets.APP_PRIVATE_KEY }}
+ - name: Update the issue for the workflow
+ uses: theupdateframework/tuf-on-ci/actions/update-issue@a486e2d6fcf93af4cb0f479e6a280f34125647d6 # v0.10.0
+ with:
+ token: ${{ steps.app-token.outputs.token }}
+ success: ${{ !contains(needs.*.result, 'failure') }}
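Review bot: The `update-issue` gate `github.workflow == 'TUF-on-CI repository tests'` is coupled to the literal `name:` at the top of the file, so a rename would silently stop issue updates on the scheduled and dispatched runs while still (correctly) skipping the job when called from publish.yml; extend the existing comment to `# During workflow_call github.workflow is the caller's name, so the caller updates the issue; keep this string in sync with 'name:' above`. That gate is also what keeps the job from reaching for `secrets.APP_PRIVATE_KEY` during `workflow_call`, where the secret would be absent because publish.yml does not pass `secrets: inherit`; worth stating in the same comment so nobody "fixes" it by adding the secret. Nit: the cron here is double-quoted while the other workflows in this commit single-quote the same kind of value; pick one style.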