2e70c9fdb6
Some checks failed
LNM Migration CI / build-runner (push) Has been cancelled
Ledger OpenAPI CI / deprecation-check (push) Has been cancelled
Docs CI / lint-and-preview (push) Has been cancelled
Airgap Sealed CI Smoke / sealed-smoke (push) Has been cancelled
Ledger Packs CI / build-pack (push) Has been cancelled
Export Center CI / export-ci (push) Has been cancelled
Ledger OpenAPI CI / validate-oas (push) Has been cancelled
Ledger OpenAPI CI / check-wellknown (push) Has been cancelled
Ledger Packs CI / verify-pack (push) Has been cancelled
LNM Migration CI / validate-metrics (push) Has been cancelled
AOC Guard CI / aoc-guard (push) Has been cancelled
AOC Guard CI / aoc-verify (push) Has been cancelled
102 lines
2.8 KiB
YAML
102 lines
2.8 KiB
YAML
name: Ledger Packs CI
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
snapshot_id:
|
|
description: 'Snapshot ID (leave empty for auto)'
|
|
required: false
|
|
default: ''
|
|
sign:
|
|
description: 'Sign pack (1=yes)'
|
|
required: false
|
|
default: '0'
|
|
push:
|
|
branches: [main]
|
|
paths:
|
|
- 'ops/devops/ledger/**'
|
|
|
|
jobs:
|
|
build-pack:
|
|
runs-on: ubuntu-22.04
|
|
env:
|
|
COSIGN_PRIVATE_KEY_B64: ${{ secrets.COSIGN_PRIVATE_KEY_B64 }}
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Setup cosign
|
|
uses: sigstore/cosign-installer@v3
|
|
|
|
- name: Configure signing
|
|
run: |
|
|
if [ -z "${COSIGN_PRIVATE_KEY_B64}" ] || [ "${{ github.event.inputs.sign }}" = "1" ]; then
|
|
echo "COSIGN_ALLOW_DEV_KEY=1" >> $GITHUB_ENV
|
|
echo "COSIGN_PASSWORD=stellaops-dev" >> $GITHUB_ENV
|
|
fi
|
|
|
|
- name: Build pack
|
|
run: |
|
|
chmod +x ops/devops/ledger/build-pack.sh
|
|
SNAPSHOT_ID="${{ github.event.inputs.snapshot_id }}"
|
|
if [ -z "$SNAPSHOT_ID" ]; then
|
|
SNAPSHOT_ID="ci-$(date +%Y%m%d%H%M%S)"
|
|
fi
|
|
|
|
SIGN_FLAG=""
|
|
if [ "${{ github.event.inputs.sign }}" = "1" ] || [ -n "${COSIGN_PRIVATE_KEY_B64}" ]; then
|
|
SIGN_FLAG="--sign"
|
|
fi
|
|
|
|
SNAPSHOT_ID="$SNAPSHOT_ID" ops/devops/ledger/build-pack.sh $SIGN_FLAG
|
|
|
|
- name: Verify checksums
|
|
run: |
|
|
cd out/ledger/packs
|
|
for f in *.SHA256SUMS; do
|
|
if [ -f "$f" ]; then
|
|
sha256sum -c "$f"
|
|
fi
|
|
done
|
|
|
|
- name: Upload pack
|
|
uses: actions/upload-artifact@v4
|
|
with:
|
|
name: ledger-pack-${{ github.run_number }}
|
|
path: |
|
|
out/ledger/packs/*.pack.tar.gz
|
|
out/ledger/packs/*.SHA256SUMS
|
|
out/ledger/packs/*.dsse.json
|
|
if-no-files-found: warn
|
|
retention-days: 30
|
|
|
|
verify-pack:
|
|
runs-on: ubuntu-22.04
|
|
needs: build-pack
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Download pack
|
|
uses: actions/download-artifact@v4
|
|
with:
|
|
name: ledger-pack-${{ github.run_number }}
|
|
path: out/ledger/packs/
|
|
|
|
- name: Verify pack structure
|
|
run: |
|
|
cd out/ledger/packs
|
|
for pack in *.pack.tar.gz; do
|
|
if [ -f "$pack" ]; then
|
|
echo "Verifying $pack..."
|
|
tar -tzf "$pack" | head -20
|
|
|
|
# Extract and check manifest
|
|
tar -xzf "$pack" -C /tmp manifest.json 2>/dev/null || true
|
|
if [ -f /tmp/manifest.json ]; then
|
|
python3 -c "import json; json.load(open('/tmp/manifest.json'))"
|
|
echo "Pack manifest is valid JSON"
|
|
fi
|
|
fi
|
|
done
|