generated from tegonal/oss-template
-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
update files of remote gt to version v1.0.2 via gt
- Loading branch information
1 parent
c8c838b
commit ce1963d
Showing
2 changed files
with
108 additions
and
13 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -5,7 +5,7 @@ | |
| # \__/\__/\_, /\___/_//_/\_,_/_/ It is licensed under European Union Public License v. 1.2 | ||
| # /___/ Please report bugs and contribute back your improvements | ||
| # | ||
| # Version: v0.19.0 | ||
| # Version: v1.0.2 | ||
| ################################### | ||
| name: "gt update" | ||
| on: | ||
|
|
@@ -40,12 +40,12 @@ jobs: | |
| echo "public key trusted" && \ | ||
| mkdir ./gpg && \ | ||
| gpg --homedir ./gpg --import ./signing-key.public.asc && \ | ||
| wget "https://raw.githubusercontent.com/tegonal/gt/v0.19.0/install.sh" && \ | ||
| wget "https://raw.githubusercontent.com/tegonal/gt/v0.19.0/install.sh.sig" && \ | ||
| wget "https://raw.githubusercontent.com/tegonal/gt/v1.0.2/install.sh" && \ | ||
| wget "https://raw.githubusercontent.com/tegonal/gt/v1.0.2/install.sh.sig" && \ | ||
| gpg --homedir ./gpg --verify ./install.sh.sig ./install.sh && \ | ||
| chmod +x ./install.sh && \ | ||
| echo "verification successful" || (echo "!! verification failed, don't continue !!"; exit 1) && \ | ||
| ./install.sh && result=true || (echo "installation failed"; exit 1) && \ | ||
| echo "verification successful" || (printf >&2 "\033[0;31mERROR\033[0m: verification failed, don't continue !!"; exit 1) && \ | ||
| ./install.sh && result=true || (echo >&2 "installation failed"; exit 1) && \ | ||
| false || cd "$currentDir" && rm -r "$tmpDir" && "${result:-false}" | ||
| # end install.doc.sh | ||
| - uses: actions/checkout@v4 | ||
|
|
@@ -79,12 +79,12 @@ jobs: | |
| echo "public key trusted" && \ | ||
| mkdir ./gpg && \ | ||
| gpg --homedir ./gpg --import ./signing-key.public.asc && \ | ||
| wget "https://raw.githubusercontent.com/tegonal/gt/v0.19.0/install.sh" && \ | ||
| wget "https://raw.githubusercontent.com/tegonal/gt/v0.19.0/install.sh.sig" && \ | ||
| wget "https://raw.githubusercontent.com/tegonal/gt/v1.0.2/install.sh" && \ | ||
| wget "https://raw.githubusercontent.com/tegonal/gt/v1.0.2/install.sh.sig" && \ | ||
| gpg --homedir ./gpg --verify ./install.sh.sig ./install.sh && \ | ||
| chmod +x ./install.sh && \ | ||
| echo "verification successful" || (echo "!! verification failed, don't continue !!"; exit 1) && \ | ||
| ./install.sh && result=true || (echo "installation failed"; exit 1) && \ | ||
| echo "verification successful" || (printf >&2 "\033[0;31mERROR\033[0m: verification failed, don't continue !!"; exit 1) && \ | ||
| ./install.sh && result=true || (echo >&2 "installation failed"; exit 1) && \ | ||
| false || cd "$currentDir" && rm -r "$tmpDir" && "${result:-false}" | ||
| # end install.doc.sh | ||
| - uses: actions/checkout@v4 | ||
|
|
@@ -93,11 +93,33 @@ jobs: | |
| - name: gt update | ||
| id: gt_update | ||
| run: | | ||
| gt update -r "${{ matrix.remote }}" && gt update -r "${{ matrix.remote }}" | ||
| set -euo pipefail | ||
| gt update -r "${{ matrix.remote }}" | ||
| gt update -r "${{ matrix.remote }}" | ||
| echo "remote_version=$(git --git-dir='.gt/remotes/${{ matrix.remote}}/repo/.git' tag | sort --version-sort | tail -n 1)" >> $GITHUB_OUTPUT | ||
| - name: git status | ||
| run: git status | ||
| - id: has_changes | ||
| name: git status | ||
| run: | | ||
| set -euo pipefail | ||
| git status | ||
| gitStatus=$(git status --porcelain) | ||
| (if [[ $gitStatus != "" ]]; then echo "has_changes=1"; else echo "has_changes=0"; fi) >> $GITHUB_OUTPUT | ||
| - name: git commit | ||
| if: ${{ steps.has_changes.outputs.has_changes == 1 }} | ||
| run: | | ||
| set -euo pipefail | ||
| git config --local user.name 'tegonal-bot' | ||
| git config --local user.email '[email protected]' | ||
| git commit -am 'update files of remote ${{ matrix.remote }} to version ${{steps.gt_update.outputs.remote_version}} via gt' || true | ||
| - name: cleanup-on-push-to-main | ||
| if: ${{ steps.has_changes.outputs.has_changes == 1 && hashFiles('./scripts/cleanup-on-push-to-main.sh') != '' }} | ||
| run: | | ||
| ( | ||
| ./scripts/cleanup-on-push-to-main.sh || (printf '\033[0;31mERROR\033[0m: during cleanup, see error above\n' && false) && | ||
| (git commit -am 'cleanup after gt pull for remote ${{ matrix.remote }} and version ${{steps.gt_update.outputs.remote_version}}' || (printf '\033[0;31mERROR\033[0m: during commit, maybe no changes due to cleanup (which would be fine)?, see above\n'; false )) | ||
| ) || (printf '\033[0;34mINFO\033[0m: going to reset changes back to the status after `gt update` and continue without cleanup\n' && git reset --hard) | ||
| - name: Create pull request if necessary | ||
| if: ${{ steps.has_changes.outputs.has_changes == 1 }} | ||
| uses: peter-evans/create-pull-request@v7 | ||
| with: | ||
| branch: 'gt/update/${{ matrix.remote }}' | ||
|
|
@@ -108,3 +130,76 @@ jobs: | |
| delete-branch: true | ||
| token: ${{ secrets.AUTO_PR_TOKEN }} | ||
| push-to-fork: ${{ vars.AUTO_PR_FORK_NAME != '' && vars.AUTO_PR_FORK_NAME || secrets.AUTO_PR_FORK_NAME }} | ||
|
|
||
| signing_key: | ||
| name: "Check signing-key" | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - name: check if signing key already are or will expire within the next 3 months | ||
| run: | | ||
| set -euo pipefail | ||
| currentDir="$(pwd)" | ||
| signingKey=".gt/signing-key.public.asc" | ||
| if ! [[ -f "$currentDir/$signingKey" ]]; then | ||
| echo "$signingKey does not exist in this repo" | ||
| return 0 | ||
| fi | ||
| tmpDir=$(mktemp -d -t gt-check-gpg-XXXXXXXXXX) | ||
| gpg --homedir "$tmpDir" --import "$currentDir/$signingKey" | ||
| limitTimestamp=$(date -d "+3 month" +%s) | ||
| limitDate=$(date -d "@$limitTimestamp" +"%Y-%m-%dT%H:%M:%S") | ||
| echo "checking if the following public keys defined in $signingKey are valid until $limitDate" | ||
| gpg --homedir "$tmpDir" --list-keys \ | ||
| --list-options show-sig-expire,show-unusable-subkeys,show-unusable-uids,show-usage,show-user-notations \ | ||
| --keyid-format LONG | ||
| echo "" | ||
| expired=0 | ||
| while read -r key; do | ||
| keyId=$(cut -d ':' -f5 <<<"$key") | ||
| expirationTimestamp=$(cut -d ':' -f7 <<<"$key") | ||
| if (( expirationTimestamp < $limitTimestamp )); then | ||
| expirationDate=$(date -d "@$((expirationTimestamp + 0))" +"%Y-%m-%dT%H:%M:%S") | ||
| printf >&2 "\033[0;31mERROR\033[0m: expiration date (%s) of key %s is before the given limit %s\n" "$expirationDate" "$keyId" "$limitDate" | ||
| ((++expired)) | ||
| fi | ||
| done < <(gpg --homedir "$tmpDir" --list-keys --list-options show-unusable-subkeys --with-colons | grep -E '^(pub|sub)') | ||
| [[ $expired -eq 0 ]] | ||
| trusted_keys: | ||
| name: "Check trusted-key(s)" | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Import gpg key(s) defined in vars.PUBLIC_GPG_KEYS_WE_TRUST and secrets.PUBLIC_GPG_KEYS_WE_TRUST | ||
| run: | | ||
| gpg --import - <<< "${{ vars.PUBLIC_GPG_KEYS_WE_TRUST }}" && success=true \ | ||
| || (echo "could not import GPG keys via vars.PUBLIC_GPG_KEYS_WE_TRUST -- maybe it's not defined"; exit 1) && \ | ||
| false || gpg --import - <<< "${{ secrets.PUBLIC_GPG_KEYS_WE_TRUST }}" && success=true \ | ||
| || (echo "could not import GPG keys via secrets.PUBLIC_GPG_KEYS_WE_TRUST -- maybe it's not defined"; exit 1) && \ | ||
| false || "${success:-false}" && echo "was able to import GPGs either via vars or secrets (or via both -- see above)" | ||
| - name: check if gpg key(s) we trust already are or will expire within the next 3 months | ||
| run: | | ||
| set -euo pipefail | ||
| limitTimestamp=$(date -d "+3 month" +%s) | ||
| limitDate=$(date -d "@$limitTimestamp" +"%Y-%m-%dT%H:%M:%S") | ||
| echo "checking if the following public keys defined in PUBLIC_GPG_KEYS_WE_TRUST are valid until $limitDate" | ||
| gpg --list-keys \ | ||
| --list-options show-sig-expire,show-unusable-subkeys,show-unusable-uids,show-usage,show-user-notations \ | ||
| --keyid-format LONG | ||
| echo "" | ||
| expired=0 | ||
| while read -r key; do | ||
| keyId=$(cut -d ':' -f5 <<<"$key") | ||
| expirationTimestamp=$(cut -d ':' -f7 <<<"$key") | ||
| if (( expirationTimestamp < $limitTimestamp )); then | ||
| expirationDate=$(date -d "@$((expirationTimestamp + 0))" +"%Y-%m-%dT%H:%M:%S") | ||
| printf >&2 "\033[0;31mERROR\033[0m: expiration date (%s) of key %s is before the given limit %s\n" "$expirationDate" "$keyId" "$limitDate" | ||
| ((++expired)) | ||
| fi | ||
| done < <(gpg --list-keys --list-options show-unusable-subkeys --with-colons | grep -E '^(pub|sub)') | ||
| [[ $expired -eq 0 ]] | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,3 +1,3 @@ | ||
| #@ Version: 1.1.0 | ||
| tag file relativeTarget tagFilter sha512 | ||
| v0.19.0 .github/workflows/gt-update.yml ../.github/workflows/gt-update.yml .* 7b3840b4e2710d0e45b765f9e508b9d36329055a82fcada654371d424508193418ab63005860bb164f9d5c93a2389859a63d8ed1a5e4a08751a4fde2f390dd8a | ||
| v1.0.2 .github/workflows/gt-update.yml ../.github/workflows/gt-update.yml .* 18ccdb1dd544a47a939e342747d9436c5e9e7b121001b0c8f331b7792799c93e172d4ac1cdef1f566d5bad52ac4bc55983c157ae4b7885d63d40fc4a1a71ebb2 |