#
# Copyright 2021 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
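name: Snapshot and Timestamp Template
# Reusable workflow that runs snapshot and timestamp on directories.
# TODO(asraa): Create user workflows for repository-beta/, and ceremony/ flows.
#
# Trust boundary: `branch` and `repo` end up in shell commands and git refs
# (checkout ref, $GITHUB_ENV, `git add`, `gh pr create -B`). The steps below
# read them from step-level `env:` and quote them instead of splicing `${{ }}`
# text straight into `run:` scripts, but callers must still only pass values
# they control -- never data lifted from an untrusted event payload.
on:
  workflow_call:
    secrets:
      token:
        description: >
          Optional token.
          This argument is passed, unchanged, to the job that creates the pull request.
        required: false
    inputs:
      snapshot_key:
        description: 'Sets the snapshotting key reference'
        required: false
        type: string
      timestamp_key:
        description: 'Sets the timestamping key reference'
        required: true
        type: string
      branch:
        description: 'The branch where the staged repository is, e.g. ceremony/2022-10-18'
        required: true
        type: string
      repo:
        description: 'Sets the repository to perform the operation on: expects relative path to GitHub repository, for example: repository'
        required: false
        default: repository
        type: string
      provider:
        description: 'Sets the workflow identity provider'
        required: true
        type: string
      service_account:
        description: 'Sets the GitHub service account authorized for keys'
        required: true
        type: string
      snapshot_timestamp:
        description: 'Enables snapshot/timestamp step. During ceremonies, you may flip this to false to allow for just a publish step.'
        required: false
        default: true
        type: boolean
      disable_snapshot:
        description: 'Disables snapshot and only generates timestamp.'
        required: false
        default: false
        type: boolean
      publish:
        description: 'Enables publishing step. During ceremonies, you may flip this to false to allow for reviewing changes before publishing.'
        required: false
        default: true
        type: boolean

jobs:
  # Runs the signing scripts with KMS access obtained through the OIDC
  # federated service account and hands the result to the `push` job as a
  # patch artifact. Nothing is pushed from here (see LOCAL=1 below).
  snapshot_and_timestamp:
    runs-on: ubuntu-latest
    permissions:
      id-token: 'write'
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          fetch-depth: 0
          ref: ${{ inputs.branch }}
          # This job only produces a patch; the `push` job does its own
          # checkout. Don't leave the token in .git/config where the signing
          # scripts could read it.
          persist-credentials: false
      - name: setup
        # Inputs reach the shell as environment data, not as text expanded
        # into the script, so a crafted value cannot break out of the quotes.
        env:
          INPUT_REPO: ${{ inputs.repo }}
          INPUT_SNAPSHOT_KEY: ${{ inputs.snapshot_key }}
          INPUT_TIMESTAMP_KEY: ${{ inputs.timestamp_key }}
          INPUT_BRANCH: ${{ inputs.branch }}
        run: |
          # A newline in any of these would let the caller append arbitrary
          # variables to $GITHUB_ENV, so refuse multi-line values outright.
          for v in "$INPUT_REPO" "$INPUT_SNAPSHOT_KEY" "$INPUT_TIMESTAMP_KEY" "$INPUT_BRANCH"; do
            case "$v" in
              *$'\n'*) echo "::error::workflow input contains a newline"; exit 1 ;;
            esac
          done
          {
            echo "GITHUB_USER=${GITHUB_ACTOR}"
            echo "REPO=$(pwd)/${INPUT_REPO}"
            echo "SNAPSHOT_KEY=${INPUT_SNAPSHOT_KEY}"
            echo "TIMESTAMP_KEY=${INPUT_TIMESTAMP_KEY}"
            echo "BRANCH=${INPUT_BRANCH}"
            # Note: we set LOCAL=1 because we manually push the changes in the next job.
            echo "LOCAL=1"
          } >> "$GITHUB_ENV"
      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
        with:
          go-version-file: './go.mod'
          check-latest: true
      # Setup OIDC->SA auth
      - uses: google-github-actions/auth@55bd3a7c6e2ae7cf1877fd1ccb9d54c0503c457c # v2.1.2
        id: auth
        with:
          token_format: 'access_token'
          workload_identity_provider: ${{ inputs.provider }}
          service_account: ${{ inputs.service_account }}
          create_credentials_file: true
      - uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0
        with:
          # Note: This needs to be parameterized if the KMS keys are in a different project
          project_id: sigstore-root-signing
      - name: Login
        env:
          CRED_FILE: ${{ steps.auth.outputs.credentials_file_path }}
        run: |
          gcloud auth login --brief --cred-file="$CRED_FILE"
          gcloud auth list
      # Build binary
      - name: build
        run: |
          # -y: the runner has no TTY to answer apt's confirmation prompt;
          # refresh the index first so a stale package list doesn't 404.
          sudo apt-get update
          sudo apt-get install -y libpcsclite-dev
          go build -o tuf -tags=pivkey ./cmd/tuf/
      - name: setup timestamping
        if: ${{ inputs.disable_snapshot }}
        run: |
          echo "DISABLE_SNAPSHOT=1" >> "$GITHUB_ENV"
      # Snapshot and timestamp
      - name: snapshot and timestamp
        if: ${{ inputs.snapshot_timestamp }}
        run: |
          ./scripts/step-3.sh
      # Publish
      - name: publish
        if: ${{ inputs.publish }}
        run: |
          ./scripts/step-4.sh
      - name: get patch
        run: |
          # Setting git config is only needed to create the patch to download in the next step.
          git config user.name "GitHub Actions Bot"
          git config user.email "<>"
          # Commit and create patch. `git commit` exits non-zero when the steps
          # above changed nothing (e.g. snapshot_timestamp and publish both
          # false), which fails this job and hands off to `if-failed`.
          git add .
          git commit -m "snapshot and timestamp"
          git format-patch HEAD^ -o snapshot-timestamp
      - name: Upload snapshot and timestamp
        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
        with:
          name: snapshot-timestamp
          path: snapshot-timestamp
          retention-days: 5
  # NOTE(review): the sigstore-probers actions below are referenced by the
  # mutable `@main` ref while every other action in this file is pinned to a
  # commit SHA. They are org-internal, which limits the exposure, but pinning
  # them the same way closes the gap; the SHA to pin is not known from here.
  if-failed:
    runs-on: ubuntu-latest
    needs: [snapshot_and_timestamp]
    permissions:
      issues: 'write'
      actions: 'read'
    if: always() && needs.snapshot_and_timestamp.result == 'failure'
    steps:
      - name: Open issue or add comment on failure
        uses: sigstore/sigstore-probers/.github/actions/open-workflow-issue@main
        with:
          comment_for_each_failure: true
  if-pass:
    runs-on: ubuntu-latest
    needs: [snapshot_and_timestamp]
    permissions:
      issues: 'write'
      actions: 'read'
    if: always() && needs.snapshot_and_timestamp.result == 'success'
    steps:
      - name: Close issue if one is open
        uses: sigstore/sigstore-probers/.github/actions/close-workflow-issue@main
  # Re-applies the signed patch on a fresh checkout and opens a PR against the
  # staged branch. This is the only job that writes to the repository, so it
  # is the only one holding `contents: write`.
  push:
    needs: snapshot_and_timestamp
    runs-on: ubuntu-latest
    permissions:
      pull-requests: 'write'
      contents: 'write'
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          fetch-depth: 0
          ref: ${{ inputs.branch }}
      - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
        with:
          name: snapshot-timestamp
          path: snapshot-timestamp
      - name: apply patch
        env:
          INPUT_REPO: ${{ inputs.repo }}
        run: |
          git checkout -b update-snapshot-timestamp
          git apply --verbose snapshot-timestamp/*
          rm -r snapshot-timestamp
          git add "$INPUT_REPO"
          git config --global user.email "noreply@github.com"
          git config --global user.name "GitHub"
      # Open pull request changes. One step covers both the timestamp-only and
      # the snapshot+timestamp case; only the commit message and PR text differ.
      - name: create pull request
        env:
          # The token is delivered through the environment rather than
          # `${{ }}`-expanded into the script text. GITHUB_TOKEN is the
          # fallback; presumably the optional `token` secret exists because
          # PRs opened with GITHUB_TOKEN don't trigger other workflows -- confirm.
          GH_TOKEN: ${{ secrets.token || secrets.GITHUB_TOKEN }}
          BASE_BRANCH: ${{ inputs.branch }}
          INPUT_DISABLE_SNAPSHOT: ${{ inputs.disable_snapshot }}
        run: |
          if [ "$INPUT_DISABLE_SNAPSHOT" = "true" ]; then
            commit_msg="Update timestamp"
            pr_title="Update Timestamp"
            pr_body="Sign timestamp file"
          else
            commit_msg="Update snapshot and timestamp"
            pr_title="Update Snapshot and Timestamp"
            pr_body="Sign snapshot and timestamp files"
          fi
          git commit -s -m "$commit_msg"
          git push origin update-snapshot-timestamp
          gh pr create -B "$BASE_BRANCH" -H update-snapshot-timestamp \
            -t "$pr_title" -b "$pr_body" \
            -r bobcallaway -r haydentherapper -r kommendorkapten
  if-push-failed:
    runs-on: ubuntu-latest
    needs: [push]
    permissions:
      issues: 'write'
      actions: 'read'
    if: always() && needs.push.result == 'failure'
    steps:
      - name: Open issue or add comment on failure
        uses: sigstore/sigstore-probers/.github/actions/open-workflow-issue@main
        with:
          comment_for_each_failure: true
  if-push-pass:
    runs-on: ubuntu-latest
    needs: [push]
    permissions:
      issues: 'write'
      actions: 'read'
    if: always() && needs.push.result == 'success'
    steps:
      - name: Close issue if one is open
        uses: sigstore/sigstore-probers/.github/actions/close-workflow-issue@main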