diff --git a/.github/workflows/deploy-pull-request.yml b/.github/workflows/deploy-pull-request.yml index 84098f2..77801b1 100644 --- a/.github/workflows/deploy-pull-request.yml +++ b/.github/workflows/deploy-pull-request.yml @@ -6,6 +6,9 @@ on: - completed jobs: get-build-and-deploy: + permissions: + contents: read + pull-requests: write runs-on: ubuntu-latest if: > ${{ github.event.workflow_run.conclusion == 'success' }} diff --git a/.github/workflows/netlify-dev.yml b/.github/workflows/netlify-dev.yml index 2c36f79..bd9d163 100644 --- a/.github/workflows/netlify-dev.yml +++ b/.github/workflows/netlify-dev.yml @@ -9,7 +9,8 @@ jobs: deploy-to-netlify: name: 'Deploy' runs-on: ubuntu-latest - + permissions: + contents: read steps: - name: Checkout repository uses: actions/checkout@v3.0.2 diff --git a/.github/workflows/prod-deploy.yml b/.github/workflows/prod-deploy.yml index 0f790ff..127a2f5 100644 --- a/.github/workflows/prod-deploy.yml +++ b/.github/workflows/prod-deploy.yml @@ -5,9 +5,43 @@ on: types: [published] jobs: + create-release: + name: 'Create release tar' + runs-on: ubuntu-latest + steps: + - name: Check out the repo + uses: actions/checkout@v3.0.2 + - name: Build + run: | + npm ci + npm run build + - name: Get version from tag + id: vars + run: echo ::set-output name=tag::${GITHUB_REF#refs/*/} + - name: Create tar.gz + run: tar -czvf cinny-${{ steps.vars.outputs.tag }}.tar.gz dist + - name: Sign tar.gz + run: | + echo '${{ secrets.GNUPG_KEY }}' | gpg --batch --import + # Sadly a few lines in the private key match a few lines in the public key, + # As a result just --export --armor gives us a few lines replaced with *** + # making it useless for importing the signing key. Instead, we dump it as + # non-armored and hex-encode it so that its printable. + echo "PGP Signing key, in raw PGP format in hex. Import with cat ... | xxd -r -p - | gpg --import" + gpg --export | xxd -p + echo '${{ secrets.GNUPG_PASSPHRASE }}' | gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 --armor --detach-sign cinny-${{ steps.vars.outputs.tag }}.tar.gz + - name: Upload tagged release + uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5 + with: + files: | + cinny-${{ steps.vars.outputs.tag }}.tar.gz + cinny-${{ steps.vars.outputs.tag }}.tar.gz.asc + deploy-to-netlify: name: 'Deploy to Netlify' runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository uses: actions/checkout@v3.0.2 @@ -20,28 +54,12 @@ jobs: BUILD_DIRECTORY: "dist" NETLIFY_DEPLOY_MESSAGE: "Prod deploy v${{ github.ref }}" NETLIFY_DEPLOY_TO_PROD: true - - name: Get version from tag - id: vars - run: echo ::set-output name=tag::${GITHUB_REF#refs/*/} - - name: Create tar.gz - run: tar -czvf cinny-${{ steps.vars.outputs.tag }}.tar.gz dist - - name: Sign tar.gz - uses: actionhippie/gpgsign@4e28208b142cae93e1582401dcda1cf79e4f72c0 - with: - private_key: ${{ secrets.GNUPG_KEY }} - passphrase: ${{ secrets.GNUPG_PASSPHRASE }} - detach_sign: true - files: cinny-${{ steps.vars.outputs.tag }}.tar.gz - - name: Upload tagged release - uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5 - with: - files: | - cinny-${{ steps.vars.outputs.tag }}.tar.gz - cinny-${{ steps.vars.outputs.tag }}.tar.gz.asc push_to_dockerhub: name: Push Docker image to Docker Hub runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout repository uses: actions/checkout@v3.0.2