Skip to content

ci(actions): immutable github sha instead of github head_ref (#10558) #892

ci(actions): immutable github sha instead of github head_ref (#10558)

ci(actions): immutable github sha instead of github head_ref (#10558) #892

Workflow file for this run

name: Publish packages
on:
push:
tags:
- 'v**'
- 'nightly'
permissions:
contents: read
jobs:
publish_binary_packages:
if: github.repository == 'JanssenProject/jans'
runs-on: ubuntu-20.04
strategy:
fail-fast: false
matrix:
name: [ubuntu22, ubuntu20, el8, suse15]
include:
- name: ubuntu22
asset_suffix: ~ubuntu22.04_amd64.deb
build_files: deb/jammy
asset_prefix: '_'
asset_path: jans
sign_cmd: dpkg-sig -s builder -k DE92BEF14A1A4E542F678B64DC3C790386C73900
python_version: 3.8
- name: ubuntu20
asset_suffix: ~ubuntu20.04_amd64.deb
build_files: deb/focal
asset_prefix: '_'
asset_path: jans
sign_cmd: dpkg-sig -s builder -k DE92BEF14A1A4E542F678B64DC3C790386C73900
python_version: 3.8
- name: el8
asset_suffix: .el8.x86_64.rpm
build_files: rpm/el8
asset_prefix: '-'
asset_path: jans/rpmbuild/RPMS/x86_64
sign_cmd: rpm --addsign
python_version: 3.6
- name: suse15
asset_suffix: .suse15.x86_64.rpm
build_files: rpm/suse15
asset_prefix: '-'
asset_path: jans/rpmbuild/RPMS/x86_64
sign_cmd: rpm --addsign
python_version: 3.6
steps:
- name: Harden Runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
path: temp-jans
- name: Getting build dependencies
id: get_dependencies
run: |
mkdir -p jans/jans-src/opt/
cp -rp temp-jans/automation/packaging/${{ matrix.build_files }}/* jans/
cp temp-jans/jans-linux-setup/jans_setup/install.py jans/install.py
sudo add-apt-repository ppa:deadsnakes/ppa
sudo apt-get update
sudo apt-get install -y python${{ matrix.python_version }}
sudo apt install -y build-essential devscripts debhelper rpm dpkg-sig python3-dev python3-requests python3-ruamel.yaml python3-pymysql python3-crypto python3-distutils python3-prompt-toolkit python${{ matrix.python_version }}-distutils libpq-dev python${{ matrix.python_version }}-dev apache2 rsyslog python3-urllib3 python3-certifi postgresql postgresql-contrib
sudo cp -r /usr/lib/python3/dist-packages /usr/lib/python${{ matrix.python_version }}/
sudo python${{ matrix.python_version }} -m pip install psycopg2-binary psycopg2
- name: Import GPG key
id: import_gpg
continue-on-error: true
uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0
with:
gpg_private_key: ${{ secrets.MOAUTO_GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.MOAUTO_GPG_PRIVATE_KEY_PASSPHRASE }}
git_user_signingkey: true
git_commit_gpgsign: true
- name: List keys
id: list_keys
run: gpg -K
- name: Get latest tag
id: previoustag
run: |
echo "tag=$(echo ${{ github.event.ref }} | cut -d '/' -f 3)" >> $GITHUB_OUTPUT
if [[ ${{ github.event.ref }} == 'refs/tags/nightly' ]]; then
echo "version=0.0.0-nightly" >> $GITHUB_OUTPUT
else
echo "version=$(echo ${{ github.event.ref }} | cut -d 'v' -f 2)-stable" >> $GITHUB_OUTPUT
fi
echo "PACKAGE_PREFIX=jans" >> ${GITHUB_ENV}
- name: Print Version and tag
run: |
echo "Version: ${{ steps.previoustag.outputs.version }}"
echo "Tag: ${{ steps.previoustag.outputs.tag }}"
- name: Running install and build
id: run_build
run: |
cd jans/
sudo python${{ matrix.python_version }} install.py -download-exit -yes --keep-downloads --keep-setup -force-download
cp -r /opt/dist jans-src/opt/
cp -r /opt/jans jans-src/opt/
touch jans-src/opt/jans/jans-setup/package
rm -rf install.py install jans-cli-tui
rm -rf jans-src/opt/jans/jans-setup/logs/setup.log
rm -rf jans-src/opt/jans/jans-setup/logs/setup_error.log
sed -i "s/%VERSION%/${{ steps.previoustag.outputs.version }}/g" run-build.sh
cat run-build.sh
sudo ./run-build.sh
- name: Sign package
id: sign_package
run : |
echo '%_gpg_name moauto (automation) <[email protected]>' >> ~/.rpmmacros
${{ matrix.sign_cmd }} ${{github.workspace}}/${{ matrix.asset_path }}/jans${{ matrix.asset_prefix }}${{ steps.previoustag.outputs.version }}${{ matrix.asset_suffix }}
gpg --armor --detach-sign ${{github.workspace}}/${{ matrix.asset_path }}/jans${{ matrix.asset_prefix }}${{ steps.previoustag.outputs.version }}${{ matrix.asset_suffix }}
- name: Create checksum
id: create_checksum
run: |
cd jans/
sed -i "s/%VERSION%/${{ steps.previoustag.outputs.version }}/g" checksum.sh
sudo ./checksum.sh
ls ${{github.workspace}}/${{ matrix.asset_path }}
- name: Upload binaries to release
id: upload_binaries
uses: svenstaro/upload-release-action@1beeb572c19a9242f4361f4cee78f8e0d9aec5df # v2
with:
repo_token: ${{ secrets.MOAUTO_WORKFLOW_TOKEN }}
file: ${{github.workspace}}/${{ matrix.asset_path }}/jans${{ matrix.asset_prefix }}${{ steps.previoustag.outputs.version }}${{ matrix.asset_suffix }}
asset_name: ${{ env.PACKAGE_PREFIX }}${{ matrix.asset_prefix }}${{ steps.previoustag.outputs.version }}${{ matrix.asset_suffix }}
tag: ${{ steps.previoustag.outputs.tag }}
overwrite: true
- name: Upload checksum to release
id: upload_shas
uses: svenstaro/upload-release-action@1beeb572c19a9242f4361f4cee78f8e0d9aec5df # v2
with:
repo_token: ${{ secrets.MOAUTO_WORKFLOW_TOKEN }}
file: ${{github.workspace}}/${{ matrix.asset_path }}/jans${{ matrix.asset_prefix }}${{ steps.previoustag.outputs.version }}${{ matrix.asset_suffix }}.sha256sum
asset_name: ${{ env.PACKAGE_PREFIX }}${{ matrix.asset_prefix }}${{ steps.previoustag.outputs.version }}${{ matrix.asset_suffix }}.sha256sum
tag: ${{ steps.previoustag.outputs.tag }}
overwrite: true
- name: Upload sig to release
id: upload_sigs
uses: svenstaro/upload-release-action@1beeb572c19a9242f4361f4cee78f8e0d9aec5df # v2
with:
repo_token: ${{ secrets.MOAUTO_WORKFLOW_TOKEN }}
file: ${{github.workspace}}/${{ matrix.asset_path }}/jans${{ matrix.asset_prefix }}${{ steps.previoustag.outputs.version }}${{ matrix.asset_suffix }}.asc
asset_name: ${{ env.PACKAGE_PREFIX }}${{ matrix.asset_prefix }}${{ steps.previoustag.outputs.version }}${{ matrix.asset_suffix }}.asc
tag: ${{ steps.previoustag.outputs.tag }}
overwrite: true
build_python_packages:
if: github.repository == 'JanssenProject/jans'
runs-on: ubuntu-20.04
steps:
- name: Harden Runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: addnab/docker-run-action@4f65fabd2431ebc8d299f8e5a018d79a769ae185 # v3
name: Build with Suse
continue-on-error: true
with:
image: opensuse/leap:15.4
options: -v ${{ github.workspace }}:/suse
run: |
zypper addrepo https://download.opensuse.org/repositories/openSUSE:Leap:15.1/standard/openSUSE:Leap:15.1.repo
zypper --gpg-auto-import-keys refresh
zypper --non-interactive install -y gcc-c++ make gcc automake autoconf libtool python3-pip python3-setuptools python3-wheel openssl
zypper addrepo https://download.opensuse.org/repositories/home:smarty12:Python/RaspberryPi_Leap_15.2/home:smarty12:Python.repo
zypper --gpg-auto-import-keys refresh
zypper download python3-dev
rpm -i --nodeps /var/cache/zypp/packages/home_smarty12_Python/noarch/python3-dev-0.4.0-lp152.1.4.noarch.rpm
zypper --non-interactive install -y python3
zypper --non-interactive install -y python3-devel
echo "Building jans-linux-setup package"
cd /suse/jans-linux-setup
pip install shiv
make zipapp
mv jans-linux-setup.pyz jans-linux-suse-X86-64-setup.pyz
sha256sum jans-linux-suse-X86-64-setup.pyz > jans-linux-suse-X86-64-setup.pyz.sha256sum
cd ../jans-cli-tui
make zipapp
mv jans-cli-tui.pyz jans-cli-tui-linux-suse-X86-64.pyz
sha256sum jans-cli-tui-linux-suse-X86-64.pyz > jans-cli-tui-linux-suse-X86-64.pyz.sha256sum
- name: Set up Python 3.6
uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
with:
python-version: 3.6
- name: Build with Ubuntu
continue-on-error: true
run: |
sudo apt-get update
sudo apt-get install -y python3 build-essential ca-certificates dbus systemd iproute2 gpg python3-pip python3-dev libpq-dev gcc
python3 -m pip install --upgrade pip || echo "Failed to upgrade pip"
pip3 install shiv wheel setuptools
echo "Building jans-linux-setup package"
sudo chown -R runner:docker /home/runner/work/jans/jans
cd jans-linux-setup
make zipapp || echo "Creating linux setup failed for ubuntu"
mv jans-linux-setup.pyz jans-linux-ubuntu-X86-64-setup.pyz || echo "Failed"
sha256sum jans-linux-ubuntu-X86-64-setup.pyz > jans-linux-ubuntu-X86-64-setup.pyz.sha256sum || echo "Failed"
cd ../jans-cli-tui
make zipapp
mv jans-cli-tui.pyz jans-cli-tui-linux-ubuntu-X86-64.pyz
sha256sum jans-cli-tui-linux-ubuntu-X86-64.pyz > jans-cli-tui-linux-ubuntu-X86-64.pyz.sha256sum
- uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0
id: cache-installers
with:
path: |
${{github.workspace}}/jans-linux-setup/jans-linux-suse-X86-64-setup.pyz
${{github.workspace}}/jans-linux-setup/jans-linux-suse-X86-64-setup.pyz.sha256sum
${{github.workspace}}/jans-linux-setup/jans-linux-ubuntu-X86-64-setup.pyz
${{github.workspace}}/jans-linux-setup/jans-linux-ubuntu-X86-64-setup.pyz.sha256sum
${{github.workspace}}/jans-cli-tui/jans-cli-tui-linux-suse-X86-64.pyz
${{github.workspace}}/jans-cli-tui/jans-cli-tui-linux-suse-X86-64.pyz.sha256sum
${{github.workspace}}/jans-cli-tui/jans-cli-tui-linux-ubuntu-X86-64.pyz
${{github.workspace}}/jans-cli-tui/jans-cli-tui-linux-ubuntu-X86-64.pyz.sha256sum
key: ${{ github.sha }}
upload_python_packages:
if: github.repository == 'JanssenProject/jans'
needs: build_python_packages
runs-on: ubuntu-20.04
strategy:
matrix:
name: [ubuntu, suse]
steps:
- name: Harden Runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/cache@13aacd865c20de90d75de3b17ebe84f7a17d57d2 # v4.0.0
id: cache-installers
with:
path: |
${{github.workspace}}/jans-linux-setup/jans-linux-suse-X86-64-setup.pyz
${{github.workspace}}/jans-linux-setup/jans-linux-suse-X86-64-setup.pyz.sha256sum
${{github.workspace}}/jans-linux-setup/jans-linux-ubuntu-X86-64-setup.pyz
${{github.workspace}}/jans-linux-setup/jans-linux-ubuntu-X86-64-setup.pyz.sha256sum
${{github.workspace}}/jans-cli-tui/jans-cli-tui-linux-suse-X86-64.pyz
${{github.workspace}}/jans-cli-tui/jans-cli-tui-linux-suse-X86-64.pyz.sha256sum
${{github.workspace}}/jans-cli-tui/jans-cli-tui-linux-ubuntu-X86-64.pyz
${{github.workspace}}/jans-cli-tui/jans-cli-tui-linux-ubuntu-X86-64.pyz.sha256sum
key: ${{ github.sha }}
- name: Get latest tag
id: previoustag
run: |
echo "version=${VERSION}" >> $GITHUB_OUTPUT
echo "tag=$(echo ${{ github.event.ref }} | cut -d '/' -f 3)" >> $GITHUB_OUTPUT
echo "SETUP_PREFIX=jans-linux" >> ${GITHUB_ENV}
echo "TUI_PREFIX=jans-cli-tui-linux" >> ${GITHUB_ENV}
echo "PACKAGE_PREFIX=jans" >> ${GITHUB_ENV}
- name: Print Version and tag
run: |
echo "Version: ${{ steps.previoustag.outputs.version }}"
echo "Tag: ${{ github.event.ref }}"
- name: Upload binaries to release
id: upload_binaries_setup
continue-on-error: true
uses: svenstaro/upload-release-action@1beeb572c19a9242f4361f4cee78f8e0d9aec5df # v2
with:
repo_token: ${{ secrets.MOAUTO_WORKFLOW_TOKEN }}
file: ${{github.workspace}}/jans-linux-setup/jans-linux-${{ matrix.name }}-X86-64-setup.pyz
asset_name: ${{ env.SETUP_PREFIX }}-${{ matrix.name }}-X86-64-setup.pyz
tag: ${{ steps.previoustag.outputs.tag }}
overwrite: true
- name: Upload checksum to release
id: upload_shas_setup
continue-on-error: true
uses: svenstaro/upload-release-action@1beeb572c19a9242f4361f4cee78f8e0d9aec5df # v2
with:
repo_token: ${{ secrets.MOAUTO_WORKFLOW_TOKEN }}
file: ${{github.workspace}}/jans-linux-setup/jans-linux-${{ matrix.name }}-X86-64-setup.pyz.sha256sum
asset_name: ${{ env.SETUP_PREFIX }}-${{ matrix.name }}-X86-64-setup.pyz.sha256sum
tag: ${{ steps.previoustag.outputs.tag }}
overwrite: true
- name: Upload binaries to release
id: upload_binaries_cli
continue-on-error: true
uses: svenstaro/upload-release-action@1beeb572c19a9242f4361f4cee78f8e0d9aec5df # v2
with:
repo_token: ${{ secrets.MOAUTO_WORKFLOW_TOKEN }}
file: ${{github.workspace}}/jans-cli-tui/jans-cli-tui-linux-${{ matrix.name }}-X86-64.pyz
asset_name: ${{ env.TUI_PREFIX }}-${{ matrix.name }}-X86-64.pyz
tag: ${{ steps.previoustag.outputs.tag }}
overwrite: true
- name: Upload checksum to release
id: upload_shas_cli
continue-on-error: true
uses: svenstaro/upload-release-action@1beeb572c19a9242f4361f4cee78f8e0d9aec5df # v2
with:
repo_token: ${{ secrets.MOAUTO_WORKFLOW_TOKEN }}
file: ${{github.workspace}}/jans-cli-tui/jans-cli-tui-linux-${{ matrix.name }}-X86-64.pyz.sha256sum
asset_name: ${{ env.TUI_PREFIX }}-${{ matrix.name }}-X86-64.pyz.sha256sum
tag: ${{ steps.previoustag.outputs.tag }}
overwrite: true
build_demo_packages:
if: github.repository == 'JanssenProject/jans'
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Build with Ubuntu
continue-on-error: true
run: |
sudo apt-get update
sudo apt-get install -y zip
cd demos
VER=$(echo ${{ github.event.ref }} | cut -d '/' -f 3)
for i in $(ls -d */); do zip -r demo-${i%/}-$VER-source.zip $i && sha256sum demo-${i%/}-$VER-source.zip > demo-${i%/}-$VER-source.zip.sha256sum; done
sudo rm demo-jans-tarp-$VER-source.zip demo-jans-tarp-$VER-source.zip.sha256sum
cd jans-tarp
npm install
npm run build
npm run pack
mv ./release/jans-tarp-chrome-*.zip ../demo-jans-tarp-chrome-$VER.zip
mv ./release/jans-tarp-firefox-*.zip ../demo-jans-tarp-firefox-$VER.zip
sha256sum ../demo-jans-tarp-chrome-$VER.zip > ../demo-jans-tarp-chrome-$VER.zip.sha256sum
sha256sum ../demo-jans-tarp-firefox-$VER.zip > ../demo-jans-tarp-firefox-$VER.zip.sha256sum
cd ..
echo "${{ secrets.MOAUTO_WORKFLOW_TOKEN }}" | gh auth login --with-token
gh release upload $VER *.zip *.sha256sum --clobber
build_cedarling_python:
if: github.repository == 'JanssenProject/jans'
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 # v2.7.1
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Import GPG key
id: import_gpg
continue-on-error: true
uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0
with:
gpg_private_key: ${{ secrets.MOAUTO_GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.MOAUTO_GPG_PRIVATE_KEY_PASSPHRASE }}
git_user_signingkey: true
git_commit_gpgsign: true
- uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
- uses: PyO3/maturin-action@ea5bac0f1ccd0ab11c805e2b804bfcb65dac2eab # v1.45.0
with:
working-directory: ${{ github.workspace }}/jans-cedarling/bindings/cedarling_python
command: build
args: --release -i python3.10 python3.11
- name: Generate sha256sum and sign
id: sign-cedarling
run: |
TAG=$(echo ${{ github.event.ref }} | cut -d '/' -f 3 | sed 's/^v//')
VERSION="$(echo ${{ github.event.ref }} | cut -d '/' -f 3)"
if [ "${TAG}" == "nightly" ]; then
VERSION=nightly
TAG="0.0.0"
fi
cd ${{ github.workspace }}/jans-cedarling/target/wheels
sha256sum cedarling_python-"${TAG}"-cp311-cp311-manylinux_2_34_x86_64.whl > cedarling_python-"${TAG}"-cp311-cp311-manylinux_2_34_x86_64.whl.sha256sum
sha256sum cedarling_python-"${TAG}"-cp310-cp310-manylinux_2_34_x86_64.whl > cedarling_python-"${TAG}"-cp310-cp310-manylinux_2_34_x86_64.whl.sha256sum
gpg --armor --detach-sign cedarling_python-"${TAG}"-cp311-cp311-manylinux_2_34_x86_64.whl || echo "Failed to sign"
gpg --armor --detach-sign cedarling_python-"${TAG}"-cp310-cp310-manylinux_2_34_x86_64.whl || echo "Failed to sign"
echo "${{ secrets.MOAUTO_WORKFLOW_TOKEN }}" | gh auth login --with-token
gh release upload "${VERSION}" *.whl *.sha256sum *.asc