-
Notifications
You must be signed in to change notification settings - Fork 552
101 lines (90 loc) · 3.83 KB
/
nightly.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
name: Nightly S3 Update
run-name: "Nightly S3 (branch: ${{ github.ref_name }})"
on:
workflow_dispatch: {}
schedule:
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onschedule
- cron: '0 1 * * *' # Every day at 1AM
jobs:
workflow-requirements:
name: Check Workflow Requirements
runs-on: ubuntu-latest
outputs:
requirements-met: ${{ steps.check-requirements.outputs.requirements-met }}
steps:
- name: Check For Admin Permission
if: ${{ github.event_name != 'schedule' }}
uses: actions-cool/check-user-permission@v2
with:
require: admin
username: ${{ github.triggering_actor }}
- name: Check Requirements
id: check-requirements
run: |
if [ "${{ vars.RUN_SCHEDULED_BUILDS }}" = "1" ]; then
MSG="Running workflow because RUN_SCHEDULED_BUILDS=1"
echo "${MSG}"
echo "${MSG}" >> "${GITHUB_STEP_SUMMARY}"
echo "requirements-met=true" >> "${GITHUB_OUTPUT}"
elif [ "${{ github.event.repository.fork }}" = "true" ]; then
MSG="Not running workflow because ${{ github.repository }} is a fork"
echo "${MSG}"
echo "${MSG}" >> "${GITHUB_STEP_SUMMARY}"
echo "requirements-met=false" >> "${GITHUB_OUTPUT}"
else
MSG="Running workflow because ${{ github.repository }} is not a fork"
echo "${MSG}"
echo "${MSG}" >> "${GITHUB_STEP_SUMMARY}"
echo "requirements-met=true" >> "${GITHUB_OUTPUT}"
fi
update-s3-bucket:
name: Update S3 Bucket
if: ${{ fromJSON(needs.workflow-requirements.outputs.requirements-met) }}
runs-on:
- self-hosted
- linux
- repo-release
needs:
- workflow-requirements
environment: release
steps:
- uses: actions/checkout@v3
- name: Get Salt Project GitHub Actions Bot Environment
run: |
TOKEN=$(curl -sS -f -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 30")
SPB_ENVIRONMENT=$(curl -sS -f -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/tags/instance/spb:environment)
echo "SPB_ENVIRONMENT=$SPB_ENVIRONMENT" >> "$GITHUB_ENV"
- name: Setup GnuPG
run: |
sudo install -d -m 0700 -o "$(id -u)" -g "$(id -g)" /run/gpg
GNUPGHOME="$(mktemp -d -p /run/gpg)"
echo "GNUPGHOME=${GNUPGHOME}" >> "$GITHUB_ENV"
cat <<EOF > "${GNUPGHOME}/gpg.conf"
batch
no-tty
pinentry-mode loopback
EOF
- name: Get Secrets
id: get-secrets
env:
SECRETS_KEY: ${{ secrets.SECRETS_KEY }}
run: |
SECRETS_KEY_FILE=$(mktemp /tmp/output.XXXXXXXXXX)
echo "$SECRETS_KEY" > "$SECRETS_KEY_FILE"
aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \
--query SecretString --output text | jq .default_key -r | base64 -d \
| gpg --passphrase-file "${SECRETS_KEY_FILE}" -d - \
| gpg --import -
sync
aws --region us-west-2 secretsmanager get-secret-value --secret-id /cmbu-saltstack/signing/repo-signing-keys-sha256-2023 \
--query SecretString --output text| jq .default_passphrase -r | base64 -d \
| gpg --passphrase-file "${SECRETS_KEY_FILE}" -o "${GNUPGHOME}/passphrase" -d -
sync
rm "$SECRETS_KEY_FILE"
echo "passphrase-file ${GNUPGHOME}/passphrase" >> "${GNUPGHOME}/gpg.conf"
- name: Install Requirements
run: |
python3 -m pip install -r requirements/release.txt
- name: Upload Develop to S3
run: |
tools release s3-publish --key-id 64CBBC8173D76B3F develop