Sign - Artifacts #15
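name: Sign - Artifacts

on:
  workflow_dispatch:
    inputs:
      project_version:
        description: "Project version (e.g. 1.0.0)"
        required: true
        default: ""
      platform:
        description: "Platform (e.g. x86, arm)"
        required: true
        default: ""

# Explicit bash gives every `run:` step `-e -o pipefail`, so a failing
# command inside a pipeline (e.g. `sha256sum | awk`) fails the step.
defaults:
  run:
    shell: bash

jobs:
  # --------------------------------------------------------------------------
  # Job 1: derive the artifact name from the inputs and the commit SHA.
  # Workflow inputs are passed to the shell only through `env:` and read as
  # "$VAR"; they are never expanded with ${{ }} inside a `run:` script, where
  # they would be spliced into the script text before bash parses it.
  # --------------------------------------------------------------------------
  artifact-name:
    name: Calculate artifact name
    runs-on: ubuntu-22.04
    permissions:
      contents: read
    outputs:
      artifact_name: ${{ steps.set_artifact_name.outputs.artifact_name }}
    env:
      PROJECT_VERSION: ${{ inputs.project_version }}
      PLATFORM: ${{ inputs.platform }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Validate inputs
        # Both values later become path components (local download dir, S3
        # key, artifact name). Restricting them to [A-Za-z0-9._-] rules out
        # "../", "/", whitespace and shell metacharacters before any job
        # that touches the filesystem or S3 runs (they all `needs` this job).
        run: |
          safe='^[A-Za-z0-9][A-Za-z0-9._-]*$'
          if ! [[ "$PROJECT_VERSION" =~ $safe ]]; then
            echo "Error: project_version '$PROJECT_VERSION' contains disallowed characters" >&2
            exit 1
          fi
          if ! [[ "$PLATFORM" =~ $safe ]]; then
            echo "Error: platform '$PLATFORM' contains disallowed characters" >&2
            exit 1
          fi

      - name: Set short SHA
        # GITHUB_SHA is provided by the runner; first 7 characters.
        run: |
          echo "SHORT_SHA=${GITHUB_SHA::7}" >> "$GITHUB_ENV"

      - name: Set artifact name
        id: set_artifact_name
        run: |
          ARTIFACT_NAME="javatron-${PLATFORM}-Ubuntu-22.04-${PROJECT_VERSION}-${SHORT_SHA}"
          echo "ARTIFACT_NAME=$ARTIFACT_NAME" >> "$GITHUB_ENV"
          echo "artifact_name=$ARTIFACT_NAME" >> "$GITHUB_OUTPUT"

  # --------------------------------------------------------------------------
  # Job 2: fetch the unsigned build from the DEV bucket, detach-sign every JAR
  # with GPG on the dedicated signer runner, and publish a zip bundle as a
  # workflow artifact for the upload job.
  # --------------------------------------------------------------------------
  download-from-s3-and-sign:
    name: Download from S3 and sign
    runs-on: javatron-signer
    needs: artifact-name
    outputs:
      artifact_name: ${{ steps.gzip_files.outputs.artifact_name }}
    env:
      PROJECT_VERSION: ${{ inputs.project_version }}
      DOWNLOAD_DIR: ./javatron/${{ inputs.project_version }}
      ARTIFACT_NAME: ${{ needs.artifact-name.outputs.artifact_name }}
      # Secrets are exposed to the shell as env vars instead of being expanded
      # into the script text; the runner still masks them in logs.
      S3_BUCKET_DEV: ${{ secrets.S3_BUCKET_DEV }}
      S3_PREFIX: ${{ secrets.S3_PREFIX }}
      GPG_FINGERPRINT: ${{ secrets.GPG_FINGERPRINT }}
    permissions:
      contents: read
      id-token: write # Needed for AWS credential provider (OIDC role assumption)
    steps:
      - name: Set S3 path
        run: |
          echo "S3_PATH=${S3_BUCKET_DEV}/${S3_PREFIX}/${PROJECT_VERSION}/${ARTIFACT_NAME}/" >> "$GITHUB_ENV"

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_ARN_DEV_DOWNLOAD }}
          aws-region: ${{ secrets.AWS_REGION }}

      - name: Create clean download directory
        # javatron-signer is a self-hosted runner whose workspace persists
        # between runs. `mkdir -p` alone would keep whatever a previous run
        # left behind, so the non-empty check below could pass on stale files
        # and those files would be signed and bundled. Start from scratch.
        # DOWNLOAD_DIR is built from a validated input (see artifact-name).
        run: |
          rm -rf "$DOWNLOAD_DIR"
          mkdir -p "$DOWNLOAD_DIR"

      - name: Download files from S3
        run: |
          echo "Downloading files from $S3_PATH"
          aws s3 cp --recursive "s3://${S3_PATH}" "${DOWNLOAD_DIR}/"
          # `aws s3 cp --recursive` exits 0 on an empty prefix; fail explicitly.
          if [ -z "$(ls -A "$DOWNLOAD_DIR")" ]; then
            echo "Error: Failed to download files from S3" >&2
            exit 1
          fi
          echo "Download from S3 completed successfully"
          ls -l "$DOWNLOAD_DIR" | awk '{ $3=""; $4=""; print }'

      - name: Create download summary
        # MD5 is kept for comparison with existing tooling; SHA-256 is added
        # because MD5 is collision-broken and unsuitable as an integrity check.
        run: |
          {
            echo "## S3 Download Summary"
            echo "Downloaded files from \`${S3_PATH}\`"
            echo ""
            echo "### Downloaded Files:"
            echo '```'
            ls -l "$DOWNLOAD_DIR" | awk '{ $3=""; $4=""; print }'
            echo '```'
            echo "### Checksums of Downloaded Files"
            echo ""
            echo "| Filename | MD5 Hash | SHA-256 Hash |"
            echo "|----------|----------|--------------|"
          } >> "$GITHUB_STEP_SUMMARY"
          for file in "$DOWNLOAD_DIR"/*; do
            if [ -f "$file" ]; then
              FILENAME=$(basename "$file")
              LOCAL_MD5=$(md5sum "$file" | awk '{print $1}')
              LOCAL_SHA256=$(sha256sum "$file" | awk '{print $1}')
              echo "| $FILENAME | $LOCAL_MD5 | $LOCAL_SHA256 |" >> "$GITHUB_STEP_SUMMARY"
              echo "$FILENAME: md5=$LOCAL_MD5 sha256=$LOCAL_SHA256"
            fi
          done

      - name: List files to sign
        run: |
          echo "Files to sign:"
          ls -l "$DOWNLOAD_DIR" | awk '{ $3=""; $4=""; print }'

      - name: Sign artifacts
        # Detach-sign each JAR, verify the signature immediately, and fail the
        # job if nothing was signed. Previously an empty glob only printed
        # "No signature files found" and an unsigned bundle went on to S3.
        run: |
          signed=0
          for file in "$DOWNLOAD_DIR"/*.jar; do
            [ -f "$file" ] || continue
            echo "Signing $file"
            gpg --local-user "$GPG_FINGERPRINT" --detach-sign "$file"
            # Round-trip check: the .sig must verify against the file we signed.
            gpg --verify "${file}.sig" "$file"
            signed=$((signed + 1))
          done
          if [ "$signed" -eq 0 ]; then
            echo "Error: no .jar files found in $DOWNLOAD_DIR to sign" >&2
            exit 1
          fi
          echo "Signed $signed file(s). Signature files created:"
          ls -l "$DOWNLOAD_DIR"/*.sig | awk '{ $3=""; $4=""; print }'

      - name: Create signing summary
        run: |
          {
            echo "## Signing Summary"
            echo "Signed artifacts for \`${S3_PATH}\`"
            echo ""
            echo "### Signed Files:"
            echo '```'
            ls -l "$DOWNLOAD_DIR" | awk '{ $3=""; $4=""; print }'
            echo '```'
          } >> "$GITHUB_STEP_SUMMARY"

      - name: Bundle signed files
        # Step id is kept as `gzip_files` because the job output refers to it.
        id: gzip_files
        run: |
          BUNDLE="${ARTIFACT_NAME}-bundle.zip"
          rm -f "$BUNDLE"
          zip -r "$BUNDLE" "$DOWNLOAD_DIR"
          echo "$BUNDLE: md5=$(md5sum "$BUNDLE" | awk '{print $1}') sha256=$(sha256sum "$BUNDLE" | awk '{print $1}')"
          echo "artifact_name=$BUNDLE" >> "$GITHUB_OUTPUT"

      - name: Upload signed artifacts
        uses: actions/upload-artifact@v4
        with:
          name: ${{ env.ARTIFACT_NAME }}-bundle.zip
          path: "./${{ env.ARTIFACT_NAME }}-bundle.zip"
          if-no-files-found: error

  # --------------------------------------------------------------------------
  # Job 3: push the signed bundle to the TEST bucket.
  # --------------------------------------------------------------------------
  upload-signed-to-s3:
    name: Upload Signed Artifacts to S3
    runs-on: ubuntu-22.04
    needs: download-from-s3-and-sign
    permissions:
      actions: read
      contents: read
      id-token: write # Needed for AWS credential provider (OIDC role assumption)
    env:
      S3_BUCKET: s3://${{ secrets.S3_BUCKET_TEST }}/${{ secrets.S3_PREFIX }}/${{ inputs.project_version }}
      ARTIFACT_NAME: ${{ needs.download-from-s3-and-sign.outputs.artifact_name }}
    steps:
      - name: Download signed artifacts
        uses: actions/download-artifact@v4
        with:
          name: ${{ env.ARTIFACT_NAME }}
          path: ./signed-artifacts/

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_ARN_TEST_UPLOAD }}
          aws-region: ${{ secrets.AWS_REGION }}

      - name: Upload signed artifacts to S3
        run: |
          echo "Uploading signed artifacts to ${S3_BUCKET}/"
          aws s3 cp "./signed-artifacts/" "${S3_BUCKET}/" --recursive
          echo "Upload of signed artifacts to S3 completed successfully"
          {
            echo "## Checksums of Uploaded Files"
            echo ""
            echo "| Filename | MD5 Hash | SHA-256 Hash |"
            echo "|----------|----------|--------------|"
          } >> "$GITHUB_STEP_SUMMARY"
          for file in ./signed-artifacts/*; do
            if [ -f "$file" ]; then
              FILENAME=$(basename "$file")
              LOCAL_MD5=$(md5sum "$file" | awk '{print $1}')
              LOCAL_SHA256=$(sha256sum "$file" | awk '{print $1}')
              echo "| $FILENAME | $LOCAL_MD5 | $LOCAL_SHA256 |" >> "$GITHUB_STEP_SUMMARY"
              echo "$FILENAME: md5=$LOCAL_MD5 sha256=$LOCAL_SHA256"
            fi
          done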