gt update #13
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# | |
# __ __ | |
# / /____ ___ ____ ___ ___ _/ / This script is provided to you by https://github.com/tegonal/gt | |
# / __/ -_) _ `/ _ \/ _ \/ _ `/ / Copyright 2022 Tegonal Genossenschaft <[email protected]> | |
# \__/\__/\_, /\___/_//_/\_,_/_/ It is licensed under European Union Public License v. 1.2 | |
# /___/ Please report bugs and contribute back your improvements | |
# | |
# Version: v1.0.3 | |
################################### | |
name: "gt update" | |
on: | |
schedule: | |
- cron: '0 4 * * MON' | |
workflow_dispatch: | |
jobs: | |
determine_remotes: | |
name: Determine Remotes | |
runs-on: ubuntu-latest | |
if: github.repository_owner == 'tegonal' | |
outputs: | |
matrix: ${{ steps.set-matrix.outputs.matrix }} | |
steps: | |
- name: Import gpg key(s) defined in vars.PUBLIC_GPG_KEYS_WE_TRUST and secrets.PUBLIC_GPG_KEYS_WE_TRUST | |
run: | | |
gpg --import - <<< "${{ vars.PUBLIC_GPG_KEYS_WE_TRUST }}" && success=true \ | |
|| (echo "could not import GPG keys via vars.PUBLIC_GPG_KEYS_WE_TRUST -- maybe it's not defined"; exit 1) && \ | |
false || gpg --import - <<< "${{ secrets.PUBLIC_GPG_KEYS_WE_TRUST }}" && success=true \ | |
|| (echo "could not import GPG keys via secrets.PUBLIC_GPG_KEYS_WE_TRUST -- maybe it's not defined"; exit 1) && \ | |
false || "${success:-false}" && echo "was able to import GPGs either via vars or secrets (or via both -- see above)" | |
- name: Install gt | |
run: | | |
set -e | |
# see install.doc.sh in https://github.com/tegonal/gt, MODIFY THERE NOT HERE (please report bugs) | |
currentDir=$(pwd) && \ | |
tmpDir=$(mktemp -d -t gt-download-install-XXXXXXXXXX) && cd "$tmpDir" && \ | |
wget "https://raw.githubusercontent.com/tegonal/gt/main/.gt/signing-key.public.asc" && \ | |
wget "https://raw.githubusercontent.com/tegonal/gt/main/.gt/signing-key.public.asc.sig" && \ | |
gpg --verify ./signing-key.public.asc.sig ./signing-key.public.asc && \ | |
echo "public key trusted" && \ | |
mkdir ./gpg && \ | |
gpg --homedir ./gpg --import ./signing-key.public.asc && \ | |
wget "https://raw.githubusercontent.com/tegonal/gt/v1.0.3/install.sh" && \ | |
wget "https://raw.githubusercontent.com/tegonal/gt/v1.0.3/install.sh.sig" && \ | |
gpg --homedir ./gpg --verify ./install.sh.sig ./install.sh && \ | |
chmod +x ./install.sh && \ | |
echo "verification successful" || (printf >&2 "\033[0;31mERROR\033[0m: verification failed, don't continue !!"; exit 1) && \ | |
./install.sh && result=true || (echo >&2 "installation failed"; exit 1) && \ | |
false || cd "$currentDir" && rm -r "$tmpDir" && "${result:-false}" | |
# end install.doc.sh | |
- uses: actions/checkout@v4 | |
- id: set-matrix | |
run: | | |
(readarray -t REMOTES; IFS=','; echo "matrix={ 'remote': [ ${REMOTES[*]} ] }" >> "$GITHUB_OUTPUT") < <( gt remote list | sed -E "s/(.*)/'\1'/") | |
Update: | |
needs: determine_remotes | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: ${{ fromJson(needs.determine_remotes.outputs.matrix) }} | |
name: 'Update ${{ matrix.remote }}' | |
steps: | |
- name: Import gpg key(s) defined in vars.PUBLIC_GPG_KEYS_WE_TRUST and secrets.PUBLIC_GPG_KEYS_WE_TRUST | |
run: | | |
gpg --import - <<< "${{ vars.PUBLIC_GPG_KEYS_WE_TRUST }}" && success=true \ | |
|| (echo "could not import GPG keys via vars.PUBLIC_GPG_KEYS_WE_TRUST -- maybe it's not defined"; exit 1) && \ | |
false || gpg --import - <<< "${{ secrets.PUBLIC_GPG_KEYS_WE_TRUST }}" && success=true \ | |
|| (echo "could not import GPG keys via secrets.PUBLIC_GPG_KEYS_WE_TRUST -- maybe it's not defined"; exit 1) && \ | |
false || "${success:-false}" && echo "was able to import GPGs either via vars or secrets (or via both -- see above)" | |
- name: Install gt | |
run: | | |
set -e | |
# see install.doc.sh in https://github.com/tegonal/gt, MODIFY THERE NOT HERE (please report bugs) | |
currentDir=$(pwd) && \ | |
tmpDir=$(mktemp -d -t gt-download-install-XXXXXXXXXX) && cd "$tmpDir" && \ | |
wget "https://raw.githubusercontent.com/tegonal/gt/main/.gt/signing-key.public.asc" && \ | |
wget "https://raw.githubusercontent.com/tegonal/gt/main/.gt/signing-key.public.asc.sig" && \ | |
gpg --verify ./signing-key.public.asc.sig ./signing-key.public.asc && \ | |
echo "public key trusted" && \ | |
mkdir ./gpg && \ | |
gpg --homedir ./gpg --import ./signing-key.public.asc && \ | |
wget "https://raw.githubusercontent.com/tegonal/gt/v1.0.3/install.sh" && \ | |
wget "https://raw.githubusercontent.com/tegonal/gt/v1.0.3/install.sh.sig" && \ | |
gpg --homedir ./gpg --verify ./install.sh.sig ./install.sh && \ | |
chmod +x ./install.sh && \ | |
echo "verification successful" || (printf >&2 "\033[0;31mERROR\033[0m: verification failed, don't continue !!"; exit 1) && \ | |
./install.sh && result=true || (echo >&2 "installation failed"; exit 1) && \ | |
false || cd "$currentDir" && rm -r "$tmpDir" && "${result:-false}" | |
# end install.doc.sh | |
- uses: actions/checkout@v4 | |
- name: reset gpg keys | |
run: gt reset --gpg-only true -r "${{ matrix.remote }}" | |
- name: gt update | |
id: gt_update | |
run: | | |
set -euo pipefail | |
gt update -r "${{ matrix.remote }}" | |
gt update -r "${{ matrix.remote }}" | |
echo "remote_version=$(git --git-dir='.gt/remotes/${{ matrix.remote}}/repo/.git' tag | sort --version-sort | tail -n 1)" >> $GITHUB_OUTPUT | |
- id: has_changes | |
name: git status | |
run: | | |
set -euo pipefail | |
git status | |
gitStatus=$(git status --porcelain) | |
(if [[ $gitStatus != "" ]]; then echo "has_changes=1"; else echo "has_changes=0"; fi) >> $GITHUB_OUTPUT | |
- name: git commit | |
if: ${{ steps.has_changes.outputs.has_changes == 1 }} | |
run: | | |
set -euo pipefail | |
git config --local user.name 'tegonal-bot' | |
git config --local user.email '[email protected]' | |
git commit -am 'update files of remote ${{ matrix.remote }} to version ${{steps.gt_update.outputs.remote_version}} via gt' || true | |
- name: cleanup-on-push-to-main | |
if: ${{ steps.has_changes.outputs.has_changes == 1 && hashFiles('./scripts/cleanup-on-push-to-main.sh') != '' }} | |
run: | | |
( | |
./scripts/cleanup-on-push-to-main.sh || (printf '\033[0;31mERROR\033[0m: during cleanup, see error above\n' && false) && | |
(git commit -am 'cleanup after gt pull for remote ${{ matrix.remote }} and version ${{steps.gt_update.outputs.remote_version}}' || (printf '\033[0;31mERROR\033[0m: during commit, maybe no changes due to cleanup (which would be fine)?, see above\n'; false )) | |
) || (printf '\033[0;34mINFO\033[0m: going to reset changes back to the status after `gt update` and continue without cleanup\n' && git reset --hard) | |
- name: Create pull request if necessary | |
if: ${{ steps.has_changes.outputs.has_changes == 1 }} | |
uses: peter-evans/create-pull-request@v7 | |
with: | |
branch: 'gt/update/${{ matrix.remote }}' | |
base: main | |
title: 'update files of remote ${{ matrix.remote }} to version ${{steps.gt_update.outputs.remote_version}} via gt' | |
commit-message: 'update files of remote ${{ matrix.remote }} to version ${{steps.gt_update.outputs.remote_version}} via gt' | |
body: "following the changes after running `gt update -r \"${{ matrix.remote }}\"` and reset gpg keys" | |
delete-branch: true | |
token: ${{ secrets.AUTO_PR_TOKEN }} | |
push-to-fork: ${{ vars.AUTO_PR_FORK_NAME != '' && vars.AUTO_PR_FORK_NAME || secrets.AUTO_PR_FORK_NAME }} | |
signing_key: | |
name: "Check signing-key" | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: check if signing key already are or will expire within the next 3 months | |
run: | | |
set -euo pipefail | |
currentDir="$(pwd)" | |
signingKey=".gt/signing-key.public.asc" | |
if [[ -f "$currentDir/$signingKey" ]]; then | |
tmpDir=$(mktemp -d -t gt-check-gpg-XXXXXXXXXX) | |
gpg --homedir "$tmpDir" --import "$currentDir/$signingKey" | |
limitTimestamp=$(date -d "+3 month" +%s) | |
limitDate=$(date -d "@$limitTimestamp" +"%Y-%m-%dT%H:%M:%S") | |
echo "checking if the following public keys defined in $signingKey are valid until $limitDate" | |
gpg --homedir "$tmpDir" --list-keys \ | |
--list-options show-sig-expire,show-unusable-subkeys,show-unusable-uids,show-usage,show-user-notations \ | |
--keyid-format LONG | |
echo "" | |
expired=0 | |
while read -r key; do | |
keyId=$(cut -d ':' -f5 <<<"$key") | |
expirationTimestamp=$(cut -d ':' -f7 <<<"$key") | |
if (( expirationTimestamp < $limitTimestamp )); then | |
expirationDate=$(date -d "@$((expirationTimestamp + 0))" +"%Y-%m-%dT%H:%M:%S") | |
printf >&2 "\033[0;31mERROR\033[0m: expiration date (%s) of key %s is before the given limit %s\n" "$expirationDate" "$keyId" "$limitDate" | |
((++expired)) | |
fi | |
done < <(gpg --homedir "$tmpDir" --list-keys --list-options show-unusable-subkeys --with-colons | grep -E '^(pub|sub)') | |
[[ $expired -eq 0 ]] | |
else | |
echo "$signingKey does not exist in this repo, nothing to check" | |
fi | |
trusted_keys: | |
name: "Check trusted-key(s)" | |
runs-on: ubuntu-latest | |
steps: | |
- name: Import gpg key(s) defined in vars.PUBLIC_GPG_KEYS_WE_TRUST and secrets.PUBLIC_GPG_KEYS_WE_TRUST | |
run: | | |
gpg --import - <<< "${{ vars.PUBLIC_GPG_KEYS_WE_TRUST }}" && success=true \ | |
|| (echo "could not import GPG keys via vars.PUBLIC_GPG_KEYS_WE_TRUST -- maybe it's not defined"; exit 1) && \ | |
false || gpg --import - <<< "${{ secrets.PUBLIC_GPG_KEYS_WE_TRUST }}" && success=true \ | |
|| (echo "could not import GPG keys via secrets.PUBLIC_GPG_KEYS_WE_TRUST -- maybe it's not defined"; exit 1) && \ | |
false || "${success:-false}" && echo "was able to import GPGs either via vars or secrets (or via both -- see above)" | |
- name: check if gpg key(s) we trust already are or will expire within the next 3 months | |
run: | | |
set -euo pipefail | |
limitTimestamp=$(date -d "+3 month" +%s) | |
limitDate=$(date -d "@$limitTimestamp" +"%Y-%m-%dT%H:%M:%S") | |
echo "checking if the following public keys defined in PUBLIC_GPG_KEYS_WE_TRUST are valid until $limitDate" | |
gpg --list-keys \ | |
--list-options show-sig-expire,show-unusable-subkeys,show-unusable-uids,show-usage,show-user-notations \ | |
--keyid-format LONG | |
echo "" | |
expired=0 | |
while read -r key; do | |
keyId=$(cut -d ':' -f5 <<<"$key") | |
expirationTimestamp=$(cut -d ':' -f7 <<<"$key") | |
if (( expirationTimestamp < $limitTimestamp )); then | |
expirationDate=$(date -d "@$((expirationTimestamp + 0))" +"%Y-%m-%dT%H:%M:%S") | |
printf >&2 "\033[0;31mERROR\033[0m: expiration date (%s) of key %s is before the given limit %s\n" "$expirationDate" "$keyId" "$limitDate" | |
((++expired)) | |
fi | |
done < <(gpg --list-keys --list-options show-unusable-subkeys --with-colons | grep -E '^(pub|sub)') | |
[[ $expired -eq 0 ]] |