Reduce third-party build script dependencies and reduce GITHUB_TOKEN perms in CI (#541)
* Reduce dependence on third-party build scripts in release pipeline This removes one third-party build script from the release pipeline for the release tar.gz, though one is still used in the now-separate netlify deploy. * Reduce GITHUB_TOKEN perms in actions when using 3rd party scripts This avoids allowing third parties to arbitrarily overwrite the repository. * Replace PGP signing action with the bash script from the same The PGP signing action ultimately just calls gpg with arguments set in https://github.com/actionhippie/gpgsign/blob/v1/overlay/usr/local/bin/entrypoint so its rather trivial to simply take the required arguments and put them directly in CI. This is substantially safer than the PGP signing action used as the action currently downloads, unverified and un-pinned, a docker image in order to access PGP.
This commit is contained in:
Matt Corallo
GitHub
parent
9963f3f988
commit
95b814b751
3 changed files with 41 additions and 19 deletions
3
.github/workflows/deploy-pull-request.yml
vendored
3
.github/workflows/deploy-pull-request.yml
vendored
|
|
@ -6,6 +6,9 @@ on:
|
||||||
- completed
|
- completed
|
||||||
jobs:
|
jobs:
|
||||||
get-build-and-deploy:
|
get-build-and-deploy:
|
||||||
|
permissions:
|
||||||
|
contents: read
|
||||||
|
pull-requests: write
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
if: >
|
if: >
|
||||||
${{ github.event.workflow_run.conclusion == 'success' }}
|
${{ github.event.workflow_run.conclusion == 'success' }}
|
||||||
|
|
|
||||||
3
.github/workflows/netlify-dev.yml
vendored
3
.github/workflows/netlify-dev.yml
vendored
|
|
@ -9,7 +9,8 @@ jobs:
|
||||||
deploy-to-netlify:
|
deploy-to-netlify:
|
||||||
name: 'Deploy'
|
name: 'Deploy'
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
permissions:
|
||||||
|
contents: read
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout repository
|
- name: Checkout repository
|
||||||
uses: actions/checkout@v3.0.2
|
uses: actions/checkout@v3.0.2
|
||||||
|
|
|
||||||
54
.github/workflows/prod-deploy.yml
vendored
54
.github/workflows/prod-deploy.yml
vendored
|
|
@ -5,9 +5,43 @@ on:
|
||||||
types: [published]
|
types: [published]
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
|
create-release:
|
||||||
|
name: 'Create release tar'
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- name: Check out the repo
|
||||||
|
uses: actions/checkout@v3.0.2
|
||||||
|
- name: Build
|
||||||
|
run: |
|
||||||
|
npm ci
|
||||||
|
npm run build
|
||||||
|
- name: Get version from tag
|
||||||
|
id: vars
|
||||||
|
run: echo ::set-output name=tag::${GITHUB_REF#refs/*/}
|
||||||
|
- name: Create tar.gz
|
||||||
|
run: tar -czvf cinny-${{ steps.vars.outputs.tag }}.tar.gz dist
|
||||||
|
- name: Sign tar.gz
|
||||||
|
run: |
|
||||||
|
echo '${{ secrets.GNUPG_KEY }}' | gpg --batch --import
|
||||||
|
# Sadly a few lines in the private key match a few lines in the public key,
|
||||||
|
# As a result just --export --armor gives us a few lines replaced with ***
|
||||||
|
# making it useless for importing the signing key. Instead, we dump it as
|
||||||
|
# non-armored and hex-encode it so that its printable.
|
||||||
|
echo "PGP Signing key, in raw PGP format in hex. Import with cat ... | xxd -r -p - | gpg --import"
|
||||||
|
gpg --export | xxd -p
|
||||||
|
echo '${{ secrets.GNUPG_PASSPHRASE }}' | gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 --armor --detach-sign cinny-${{ steps.vars.outputs.tag }}.tar.gz
|
||||||
|
- name: Upload tagged release
|
||||||
|
uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5
|
||||||
|
with:
|
||||||
|
files: |
|
||||||
|
cinny-${{ steps.vars.outputs.tag }}.tar.gz
|
||||||
|
cinny-${{ steps.vars.outputs.tag }}.tar.gz.asc
|
||||||
|
|
||||||
deploy-to-netlify:
|
deploy-to-netlify:
|
||||||
name: 'Deploy to Netlify'
|
name: 'Deploy to Netlify'
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
permissions:
|
||||||
|
contents: read
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout repository
|
- name: Checkout repository
|
||||||
uses: actions/checkout@v3.0.2
|
uses: actions/checkout@v3.0.2
|
||||||
|
|
@ -20,28 +54,12 @@ jobs:
|
||||||
BUILD_DIRECTORY: "dist"
|
BUILD_DIRECTORY: "dist"
|
||||||
NETLIFY_DEPLOY_MESSAGE: "Prod deploy v${{ github.ref }}"
|
NETLIFY_DEPLOY_MESSAGE: "Prod deploy v${{ github.ref }}"
|
||||||
NETLIFY_DEPLOY_TO_PROD: true
|
NETLIFY_DEPLOY_TO_PROD: true
|
||||||
- name: Get version from tag
|
|
||||||
id: vars
|
|
||||||
run: echo ::set-output name=tag::${GITHUB_REF#refs/*/}
|
|
||||||
- name: Create tar.gz
|
|
||||||
run: tar -czvf cinny-${{ steps.vars.outputs.tag }}.tar.gz dist
|
|
||||||
- name: Sign tar.gz
|
|
||||||
uses: actionhippie/gpgsign@4e28208b142cae93e1582401dcda1cf79e4f72c0
|
|
||||||
with:
|
|
||||||
private_key: ${{ secrets.GNUPG_KEY }}
|
|
||||||
passphrase: ${{ secrets.GNUPG_PASSPHRASE }}
|
|
||||||
detach_sign: true
|
|
||||||
files: cinny-${{ steps.vars.outputs.tag }}.tar.gz
|
|
||||||
- name: Upload tagged release
|
|
||||||
uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5
|
|
||||||
with:
|
|
||||||
files: |
|
|
||||||
cinny-${{ steps.vars.outputs.tag }}.tar.gz
|
|
||||||
cinny-${{ steps.vars.outputs.tag }}.tar.gz.asc
|
|
||||||
|
|
||||||
push_to_dockerhub:
|
push_to_dockerhub:
|
||||||
name: Push Docker image to Docker Hub
|
name: Push Docker image to Docker Hub
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
permissions:
|
||||||
|
contents: read
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout repository
|
- name: Checkout repository
|
||||||
uses: actions/checkout@v3.0.2
|
uses: actions/checkout@v3.0.2
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue