gt-update.yml

#
#    __                          __
#   / /____ ___ ____  ___  ___ _/ /       This script is provided to you by https://github.com/tegonal/gt
#  / __/ -_) _ `/ _ \/ _ \/ _ `/ /        Copyright 2022 Tegonal Genossenschaft <info@tegonal.com>
#  \__/\__/\_, /\___/_//_/\_,_/_/         It is licensed under European Union Public License v. 1.2
#         /___/                           Please report bugs and contribute back your improvements
#
#                                         Version: v1.0.3
###################################
name: "gt update"
on:
  schedule:
    - cron: '0 4 * * MON'
  workflow_dispatch:

jobs:
  determine_remotes:
    name: Determine Remotes
    runs-on: ubuntu-latest
    if: github.repository_owner == 'tegonal'
    outputs:
      matrix: ${{ steps.set-matrix.outputs.matrix }}
    steps:
      - name: Import gpg key(s) defined in vars.PUBLIC_GPG_KEYS_WE_TRUST and secrets.PUBLIC_GPG_KEYS_WE_TRUST
        run: |
          gpg --import - <<< "${{ vars.PUBLIC_GPG_KEYS_WE_TRUST }}" && success=true \
            || (echo "could not import GPG keys via vars.PUBLIC_GPG_KEYS_WE_TRUST -- maybe it's not defined"; exit 1) && \
          false || gpg --import - <<< "${{ secrets.PUBLIC_GPG_KEYS_WE_TRUST }}" && success=true \
            || (echo "could not import GPG keys via secrets.PUBLIC_GPG_KEYS_WE_TRUST -- maybe it's not defined"; exit 1) && \
          false || "${success:-false}" && echo "was able to import GPGs either via vars or secrets (or via both -- see above)"
      - name: Install gt
        run: |
          set -e
          # see install.doc.sh in https://github.com/tegonal/gt, MODIFY THERE NOT HERE (please report bugs)
          currentDir=$(pwd) && \
          tmpDir=$(mktemp -d -t gt-download-install-XXXXXXXXXX) && cd "$tmpDir" && \
          wget "https://raw.githubusercontent.com/tegonal/gt/main/.gt/signing-key.public.asc" && \
          wget "https://raw.githubusercontent.com/tegonal/gt/main/.gt/signing-key.public.asc.sig" && \
          gpg --verify ./signing-key.public.asc.sig ./signing-key.public.asc && \
          echo "public key trusted" && \
          mkdir ./gpg && \
          gpg --homedir ./gpg --import ./signing-key.public.asc && \
          wget "https://raw.githubusercontent.com/tegonal/gt/v1.0.3/install.sh" && \
          wget "https://raw.githubusercontent.com/tegonal/gt/v1.0.3/install.sh.sig" && \
          gpg --homedir ./gpg --verify ./install.sh.sig ./install.sh && \
          chmod +x ./install.sh && \
          echo "verification successful" || (printf >&2 "\033[0;31mERROR\033[0m: verification failed, don't continue !!"; exit 1) && \
          ./install.sh && result=true || (echo >&2 "installation failed"; exit 1) && \
          false || cd "$currentDir" && rm -r "$tmpDir" && "${result:-false}"
          # end install.doc.sh
      - uses: actions/checkout@v4
      - id: set-matrix
        run: |
          (readarray -t REMOTES; IFS=','; echo "matrix={ 'remote': [ ${REMOTES[*]} ] }" >> "$GITHUB_OUTPUT") < <( gt remote list | sed -E "s/(.*)/'\1'/")
  Update:
    needs: determine_remotes
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix: ${{ fromJson(needs.determine_remotes.outputs.matrix) }}
    name: 'Update ${{ matrix.remote }}'
    steps:
      - name: Import gpg key(s) defined in vars.PUBLIC_GPG_KEYS_WE_TRUST and secrets.PUBLIC_GPG_KEYS_WE_TRUST
        run: |
          gpg --import - <<< "${{ vars.PUBLIC_GPG_KEYS_WE_TRUST }}" && success=true \
            || (echo "could not import GPG keys via vars.PUBLIC_GPG_KEYS_WE_TRUST -- maybe it's not defined"; exit 1) && \
          false || gpg --import - <<< "${{ secrets.PUBLIC_GPG_KEYS_WE_TRUST }}" && success=true \
            || (echo "could not import GPG keys via secrets.PUBLIC_GPG_KEYS_WE_TRUST -- maybe it's not defined"; exit 1) && \
          false || "${success:-false}" && echo "was able to import GPGs either via vars or secrets (or via both -- see above)"
      - name: Install gt
        run: |
          set -e
          # see install.doc.sh in https://github.com/tegonal/gt, MODIFY THERE NOT HERE (please report bugs)
          currentDir=$(pwd) && \
          tmpDir=$(mktemp -d -t gt-download-install-XXXXXXXXXX) && cd "$tmpDir" && \
          wget "https://raw.githubusercontent.com/tegonal/gt/main/.gt/signing-key.public.asc" && \
          wget "https://raw.githubusercontent.com/tegonal/gt/main/.gt/signing-key.public.asc.sig" && \
          gpg --verify ./signing-key.public.asc.sig ./signing-key.public.asc && \
          echo "public key trusted" && \
          mkdir ./gpg && \
          gpg --homedir ./gpg --import ./signing-key.public.asc && \
          wget "https://raw.githubusercontent.com/tegonal/gt/v1.0.3/install.sh" && \
          wget "https://raw.githubusercontent.com/tegonal/gt/v1.0.3/install.sh.sig" && \
          gpg --homedir ./gpg --verify ./install.sh.sig ./install.sh && \
          chmod +x ./install.sh && \
          echo "verification successful" || (printf >&2 "\033[0;31mERROR\033[0m: verification failed, don't continue !!"; exit 1) && \
          ./install.sh && result=true || (echo >&2 "installation failed"; exit 1) && \
          false || cd "$currentDir" && rm -r "$tmpDir" && "${result:-false}"
          # end install.doc.sh
      - uses: actions/checkout@v4
      - name: reset gpg keys
        run: gt reset --gpg-only true -r "${{ matrix.remote }}"
      - name: gt update
        id: gt_update
        run: |
          set -euo pipefail
          gt update -r "${{ matrix.remote }}"
          gt update -r "${{ matrix.remote }}"
          echo "remote_version=$(git --git-dir='.gt/remotes/${{ matrix.remote}}/repo/.git' tag | sort --version-sort | tail -n 1)" >> $GITHUB_OUTPUT
      - id: has_changes
        name: git status
        run: |
          set -euo pipefail
          git status
          gitStatus=$(git status --porcelain)
          (if [[ $gitStatus != "" ]]; then echo "has_changes=1"; else echo "has_changes=0"; fi) >> $GITHUB_OUTPUT
      - name: git commit
        if: ${{ steps.has_changes.outputs.has_changes == 1 }}
        run: |
          set -euo pipefail
          git config --local user.name 'tegonal-bot'
          git config --local user.email 'tegonal-bot@users.noreply.github.com'
          git commit -am 'update files of remote ${{ matrix.remote }} to version ${{steps.gt_update.outputs.remote_version}} via gt' || true
      - name: cleanup-on-push-to-main
        if: ${{ steps.has_changes.outputs.has_changes == 1 && hashFiles('./scripts/cleanup-on-push-to-main.sh') != '' }}
        run: |
          (
              ./scripts/cleanup-on-push-to-main.sh || (printf '\033[0;31mERROR\033[0m: during cleanup, see error above\n' && false) &&
              (git commit -am 'cleanup after gt pull for remote ${{ matrix.remote }} and version ${{steps.gt_update.outputs.remote_version}}' || (printf '\033[0;31mERROR\033[0m: during commit, maybe no changes due to cleanup (which would be fine)?, see above\n'; false ))
          ) || (printf '\033[0;34mINFO\033[0m: going to reset changes back to the status after `gt update` and continue without cleanup\n' && git reset --hard)
      - name: Create pull request if necessary
        if: ${{ steps.has_changes.outputs.has_changes == 1 }}
        uses: peter-evans/create-pull-request@v7
        with:
          branch: 'gt/update/${{ matrix.remote }}'
          base: main
          title: 'update files of remote ${{ matrix.remote }} to version ${{steps.gt_update.outputs.remote_version}} via gt'
          commit-message: 'update files of remote ${{ matrix.remote }} to version ${{steps.gt_update.outputs.remote_version}} via gt'
          body: "following the changes after running `gt update -r \"${{ matrix.remote }}\"` and reset gpg keys"
          delete-branch: true
          token: ${{ secrets.AUTO_PR_TOKEN }}
          push-to-fork: ${{ vars.AUTO_PR_FORK_NAME != '' && vars.AUTO_PR_FORK_NAME || secrets.AUTO_PR_FORK_NAME }}

  signing_key:
    name: "Check signing-key"
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: check if signing key already are or will expire within the next 3 months
        run: |
          set -euo pipefail
          currentDir="$(pwd)"
          signingKey=".gt/signing-key.public.asc"
          if [[ -f "$currentDir/$signingKey" ]]; then
            tmpDir=$(mktemp -d -t gt-check-gpg-XXXXXXXXXX)
            gpg --homedir "$tmpDir" --import "$currentDir/$signingKey"

            limitTimestamp=$(date -d "+3 month" +%s)
            limitDate=$(date -d "@$limitTimestamp" +"%Y-%m-%dT%H:%M:%S")
            echo "checking if the following public keys defined in $signingKey are valid until $limitDate"
            gpg --homedir "$tmpDir" --list-keys \
              --list-options show-sig-expire,show-unusable-subkeys,show-unusable-uids,show-usage,show-user-notations \
              --keyid-format LONG
            echo ""

            expired=0
            while read -r key; do
              keyId=$(cut -d ':' -f5 <<<"$key")
              expirationTimestamp=$(cut -d ':' -f7 <<<"$key")
              if (( expirationTimestamp < $limitTimestamp )); then
                expirationDate=$(date -d "@$((expirationTimestamp + 0))" +"%Y-%m-%dT%H:%M:%S")
                printf >&2 "\033[0;31mERROR\033[0m: expiration date (%s) of key %s is before the given limit %s\n" "$expirationDate" "$keyId" "$limitDate"
                ((++expired))
              fi
            done < <(gpg --homedir "$tmpDir" --list-keys --list-options show-unusable-subkeys --with-colons | grep -E '^(pub|sub)')
            [[ $expired -eq 0 ]]
          else
            echo "$signingKey does not exist in this repo, nothing to check"
          fi

  trusted_keys:
    name: "Check trusted-key(s)"
    runs-on: ubuntu-latest
    steps:
      - name: Import gpg key(s) defined in vars.PUBLIC_GPG_KEYS_WE_TRUST and secrets.PUBLIC_GPG_KEYS_WE_TRUST
        run: |
          gpg --import - <<< "${{ vars.PUBLIC_GPG_KEYS_WE_TRUST }}" && success=true \
            || (echo "could not import GPG keys via vars.PUBLIC_GPG_KEYS_WE_TRUST -- maybe it's not defined"; exit 1) && \
          false || gpg --import - <<< "${{ secrets.PUBLIC_GPG_KEYS_WE_TRUST }}" && success=true \
            || (echo "could not import GPG keys via secrets.PUBLIC_GPG_KEYS_WE_TRUST -- maybe it's not defined"; exit 1) && \
          false || "${success:-false}" && echo "was able to import GPGs either via vars or secrets (or via both -- see above)"
      - name: check if gpg key(s) we trust already are or will expire within the next 3 months
        run: |
          set -euo pipefail
          limitTimestamp=$(date -d "+3 month" +%s)
          limitDate=$(date -d "@$limitTimestamp" +"%Y-%m-%dT%H:%M:%S")
          echo "checking if the following public keys defined in PUBLIC_GPG_KEYS_WE_TRUST are valid until $limitDate"
          gpg --list-keys \
            --list-options show-sig-expire,show-unusable-subkeys,show-unusable-uids,show-usage,show-user-notations \
            --keyid-format LONG
          echo ""
          expired=0
          while read -r key; do
            keyId=$(cut -d ':' -f5 <<<"$key")
            expirationTimestamp=$(cut -d ':' -f7 <<<"$key")
            if (( expirationTimestamp < $limitTimestamp )); then
              expirationDate=$(date -d "@$((expirationTimestamp + 0))" +"%Y-%m-%dT%H:%M:%S")
              printf >&2 "\033[0;31mERROR\033[0m: expiration date (%s) of key %s is before the given limit %s\n" "$expirationDate" "$keyId" "$limitDate"
              ((++expired))
            fi
          done < <(gpg --list-keys --list-options show-unusable-subkeys --with-colons | grep -E '^(pub|sub)')
          [[ $expired -eq 0 ]]