Pre Release v1.2.0 (#63) #12
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Auto Update Modules On Merge | |
on: | |
workflow_dispatch: | |
push: | |
paths: | |
- 'setup/tags.json' | |
branches: | |
- main | |
env: | |
ARTIFACT_NAME: PowerShell.Workflows.Modules.ScriptSigning | |
jobs: | |
sign_scripts: | |
name: Sign, validate, test and publish PowerShell scripts | |
runs-on: windows-2019 | |
environment: test | |
permissions: | |
id-token: write | |
contents: read | |
steps: | |
- name: Check out repository | |
uses: actions/checkout@v2 | |
- name: Install AzureSignTool | |
run: dotnet tool install --no-cache --global AzureSignTool --version 4.0.1 | |
- name: AZ Login | |
uses: azure/login@v1 | |
with: | |
client-id: ${{ secrets.ENT_AZURE_CLIENT_ID }} | |
tenant-id: ${{ secrets.ENT_AZURE_TENANT_ID }} | |
subscription-id: ${{ secrets.ENT_AZURE_SUBSCRIPTION_ID }} | |
enable-AzPSSession: true | |
- name: Azure token | |
run: | | |
$az_token=$(az account get-access-token --scope https://vault.azure.net/.default --query accessToken --output tsv) | |
echo "::add-mask::$az_token" | |
echo "AZ_TOKEN=$az_token" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append | |
- name: Sign pwsh scripts and modules | |
shell: powershell | |
run: | | |
$scripts = Get-ChildItem -Path . -Include *.ps1,*.psm1,*.psd1 -Recurse -ErrorAction Stop | |
$vaultName = $env:VAULTNAME | |
foreach ($script in $scripts) { | |
try { | |
# sign script | |
azuresigntool.exe sign --verbose -kvu https://$vaultName.vault.azure.net/ -kvc $env:CERTNAME -kva ${{ env.AZ_TOKEN }} -fd sha256 -tr "http://timestamp.comodoca.com/rfc3161" $script.FullName | |
} | |
catch { | |
Write-Error $_ | |
} | |
} | |
env: | |
CERTNAME: ${{ secrets.ENT_VAULTSECRETNAME }} | |
VAULTNAME: ${{ secrets.ENT_VAULTNAME }} | |
- name: Validate Signature | |
shell: powershell | |
run: | | |
$signatureStatuses = Get-ChildItem -r -i *.ps* | Get-AuthenticodeSignature | |
Foreach ($signatureStatus in $signatureStatuses) { | |
If ($signatureStatus.Status -eq 'HashMismatch') { | |
throw "File '$($signatureStatus.Path)' has a hash status of '$($signatureStatus.status)'" | |
} | |
ElseIf ($signatureStatus.Status -eq 'NotSigned') { | |
Write-Warning "File '$($signatureStatus.Path)' has a hash status of '$($signatureStatus.status)'" | |
} | |
ElseIf ($signatureStatus.Status -eq 'Valid') { | |
Write-Host "File '$($signatureStatus.Path)' has a hash status of '$($signatureStatus.status)'" | |
} | |
Else { | |
throw "File '$($signatureStatus.Path)' has an unhandled hash status of '$($signatureStatus.status)'" | |
} | |
} | |
- name: Test Module Imports | |
shell: powershell | |
run: | | |
$ErrorActionPreference = 'Stop' | |
$moduleFiles = Get-ChildItem -path ./* -recurse -include *.psm1 | |
Write-Host "Count of module files: $($moduleFiles.count)" | |
try { | |
ForEach ($moduleFile in $moduleFiles) { | |
Import-Module $moduleFile.Fullname -ErrorAction Stop | |
} | |
} | |
catch { | |
throw "Failed test import module '$moduleFile' with error: $_" | |
} | |
$importedModules = Get-Module | |
Write-Host "Imported modules: `n $($importedModules.Path | Out-String)" | |
$missingModules = $moduleFiles | Where-object {$_ -inotin ($importedModules).Path} | |
If ($missingModules) { | |
throw "The following modules failed import test: $missingModules" | |
} | |
- name: Zip Signed Modules | |
shell: powershell | |
run: | | |
$moduleCodeFilesObjs = Get-ChildItem -Path .\src -Recurse -Include *.psm1 -Exclude '*-GSA*','*GuardrailsSolutionAcceleratorSetup*','*Deploy-GuardrailsSolutionAccelerator*' | |
Write-Host "'$($moduleCodeFilesObjs.count)' module manifest files " | |
ForEach ($moduleCodeFile in $moduleCodeFilesObjs) { | |
$moduleManifestFile = Get-Item -Path $moduleCodeFile.FullName.replace('psm1','psd1') | |
If ($moduleCodeFilesObjs.FullName -icontains $moduleCodeFile.FullName -or $moduleCodeFilesObjs.FullName -icontains $moduleManifestFile.FullName) { | |
Write-Host "Module '$($moduleCodeFile.BaseName)' found, zipping module files..." | |
$destPath = "./psmodules/$($moduleCodeFile.BaseName).zip" | |
If ($moduleCodeFile.DIrectory.Name -eq 'Guardrails-Localization') { | |
Compress-Archive -Path "$($moduleCodeFile.Directory)/*" -DestinationPath $destPath -Force | |
} | |
Else { | |
$filesToZip = $moduleManifestFile,$moduleCodeFile | |
Compress-Archive -Path $filesToZip -DestinationPath $destPath -Force | |
} | |
} | |
Else { | |
Write-Host "Neither the manifest '$($moduleCodeFile.FullName.toLower())' or script file '$($moduleManifestFile.FullName.ToLower())' for module '$($moduleCodeFile.BaseName)' was changed, skipping zipping..." | |
} | |
} | |
- name: Publish artifacts | |
uses: actions/upload-artifact@v3 | |
with: | |
name: ${{ env.ARTIFACT_NAME }} | |
path: ./psmodules/*.zip | |
create-pr: | |
needs: sign_scripts | |
runs-on: ubuntu-latest | |
permissions: | |
pull-requests: write | |
contents: write | |
repository-projects: write | |
steps: | |
- name: Check Out | |
uses: actions/checkout@v3 | |
- name: Download zipped modules and replace old ones | |
uses: actions/download-artifact@v3 | |
with: | |
name: ${{ env.ARTIFACT_NAME }} | |
path: ./psmodules | |
- name: Create, checkout dynamic branch and raise PR | |
run: | | |
# Git config for creating PR | |
git config --global user.email "[email protected]" | |
git config --global user.name "Release Bot" | |
# Create a dynamic branch name using the run_id or sha | |
branch_name="update-modules-${{ github.run_id }}" | |
git checkout -b "$branch_name" | |
# Commit the changes | |
git add psmodules/* | |
git commit -m "Update Modules" | |
git push origin "$branch_name" | |
gh pr create --base main --head "$branch_name" --title "Update Modules Pre Release" --body "This is an AutoGenerated PR for updating modules Pre Release" | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |