Add security.txt support #45
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: PushAction | |
| # 96Boards is built from two git repos - website and documentation. To keep things as clean as possible, | |
| # the workflows always treat the website directory as the main directory, regardless of which repository | |
| # triggered the changes. | |
| on: | |
| push: | |
| branches: [ master ] | |
| workflow_dispatch: | |
| # Cancel in-progress jobs or runs for the current workflow | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| process-push: | |
| runs-on: self-hosted | |
| steps: | |
| # HACK! 96Boards is currently using an old Jekyll theme that caches | |
| # built images inside the source directory which gets reset when the | |
| # fetch occurs so let's move it out of the way briefly ... | |
| # | |
| # This hack can be removed once the website is upgraded to use the | |
| # newer theme, which processes images differently. | |
| - name: Preserve merged_sources | |
| run: MS="$GITHUB_WORKSPACE/website/merged_sources"; if [ -d "$MS" ]; then mv "$MS" "$GITHUB_WORKSPACE"; fi | |
| - name: Fetch website repository | |
| uses: actions/checkout@v3 | |
| with: | |
| repository: 96boards/website | |
| path: website | |
| # HACK! | |
| - name: Restore merged_sources | |
| run: MS="$GITHUB_WORKSPACE/merged_sources"; if [ -d "$MS" ]; then mv "$MS" "$GITHUB_WORKSPACE/website"; fi | |
| - name: Fetch docs repository | |
| uses: actions/checkout@v3 | |
| with: | |
| repository: 96boards/documentation | |
| path: documentation | |
| - name: Initialise environment | |
| run: cat "$GITHUB_WORKSPACE/website/.github-env-${GITHUB_REF##*/}" >> $GITHUB_ENV | |
| - run: env | |
| - name: Directory push/pop | |
| uses: linaro-its/directory-push-and-pop@v3.0 | |
| with: | |
| cacheDirectory: /srv/site-builds | |
| namedDirectory: ${{ env.SITE_URL }} | |
| destinationDirectory: ${{ github.workspace }}/website | |
| - name: Build site | |
| run: NSBREPO1=${{ github.workspace }}/website NSBREPO2=${{ github.workspace }}/documentation /srv/github-action-scripts/build-jekyll-site.sh | |
| env: | |
| TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - run: cat $GITHUB_EVENT_PATH | |
| - name: Check links | |
| run: >- | |
| /srv/github-action-scripts/check-links.sh | |
| ${{ github.workspace }}/website/${{ env.SITE_URL }} | |
| --skip-dns-check ${{ github.workspace }}/website/_data/fqdn_exceptions.txt | |
| --no-external-errors | |
| - name: Check routing rules | |
| run: /srv/github-action-scripts/test-routing-rules.sh | |
| - name: Make staging directory | |
| run: mkdir -p /srv/s3-staging/${{ env.SITE_URL }} | |
| - name: Sync build to staging directory | |
| run: rsync -crui ${{ github.workspace }}/website/${{ env.SITE_URL }}/ /srv/s3-staging/${{ env.SITE_URL }} --delete | |
| - name: set branch env | |
| run: echo "BRANCH=${{ github.ref_name }}" >> $GITHUB_ENV | |
| - name: security.txt | |
| # If running on master branch, add signed security.txt file. Note that the security.txt file | |
| # comes from the main 96Boards website repo. | |
| if: env.BRANCH == 'master' | |
| run: | | |
| cd "$GITHUB_WORKSPACE/website" | |
| /srv/github-action-scripts/sign-security.sh | |
| if [ -f "security.txt.asc" ]; then | |
| mkdir "/srv/s3-staging/${{ env.SITE_URL }}/.well-known" | |
| mv security.txt.asc "/srv/s3-staging/${{ env.SITE_URL }}/.well-known/security.txt" | |
| else | |
| echo "No security.txt.asc produced" | |
| fi | |
| - name: Upload to S3 | |
| run: /srv/github-action-scripts/upload-to-s3-root.sh | |
| - name: Set up Lambda redirect | |
| run: /srv/github-action-scripts/set-up-lambda-redirect.sh ${{ github.workspace }}/website/${{ env.SITE_URL }} | |
| - name: Set up security headers | |
| run: cd /srv/github-action-scripts && pipenv run python lambda-security-headers.py | |
| - name: Invalidate CloudFront cache | |
| run: /srv/github-action-scripts/invalidate-cloudfront.sh |