extern/hishtory
1
0
Fork 0
mirror of https://github.com/ddworken/hishtory.git synced 2025-01-22 22:28:51 +01:00
Code Issues Packages Projects Releases Wiki Activity

Delete separate signer and start the work of merging it into the SLSA releaser action

Browse Source
This commit is contained in:
David Dworken 2022-05-23 18:22:03 -07:00
parent a909be7d61
commit 69317e0a85
2 changed files with 77 additions and 78 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
.github/workflows/build-and-sign-macos.yml vendored
View File

@ -1,61 +0,0 @@
name: Sign macOS binaries
on:
workflow_run:
workflows: ["SLSA go releaser"]
types:
- completed
workflow_dispatch:
jobs:
macos:
runs-on: macos-11.0
steps:
- uses: actions/checkout@v2
- name: Download and sign the latest executables
env:
MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
run: |
brew install md5sha1sum
export TAG_NAME=`curl -L https://api.github.com/repos/ddworken/hishtory/releases/latest --header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}'| jq -r .tag_name`
if [ $TAG_NAME == "null" ]; then
echo "TAG_NAME is null, this shouldn't happen!"
curl -L https://api.github.com/repos/ddworken/hishtory/releases/latest
exit 1
fi
echo "Signing binaries for $TAG_NAME"
curl -L -o hishtory-darwin-arm64 https://github.com/ddworken/hishtory/releases/download/$TAG_NAME-darwin-arm64/hishtory-darwin-arm64 --header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}'
curl -L -o hishtory-darwin-amd64 https://github.com/ddworken/hishtory/releases/download/$TAG_NAME-darwin-amd64/hishtory-darwin-amd64 --header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}'
echo "Signing the binaries:"
file hishtory-*
sha1sum hishtory-*
if [[ `file hishtory-darwin-arm64` == *"ASCII text"* ]]; then
echo "hishtory-darwin-arm64 is ASCII text???"
cat hishtory-darwin-arm64
exit 1
fi
if [[ `file hishtory-darwin-amd64` == *"ASCII text"* ]]; then
echo "hishtory-darwin-amd64 is ASCII text???"
cat hishtory-darwin-amd64
exit 1
fi
echo $MACOS_CERTIFICATE | base64 -d > certificate.p12
security create-keychain -p $MACOS_CERTIFICATE_PWD build.keychain
security default-keychain -s build.keychain
security unlock-keychain -p $MACOS_CERTIFICATE_PWD build.keychain
security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $MACOS_CERTIFICATE_PWD build.keychain
/usr/bin/codesign --force -s 6D4E1575A0D40C370E294916A8390797106C8A6E hishtory-darwin-arm64 -v
/usr/bin/codesign --force -s 6D4E1575A0D40C370E294916A8390797106C8A6E hishtory-darwin-amd64 -v
echo "Signed the binaries:"
sha1sum hishtory-*
# Move them to the released filenames
cp hishtory-darwin-arm64 hishtory-darwin-arm64-signed
cp hishtory-darwin-amd64 hishtory-darwin-amd64-signed
- name: Release
uses: softprops/action-gh-release@v1
if: startsWith(github.ref, 'refs/tags/')
with:
files: |
hishtory-darwin-arm64-signed.json
hishtory-darwin-amd64-signed.json

94
.github/workflows/slsa-releaser.yml vendored
View File

@ -28,27 +28,87 @@ jobs:
id-token: write
contents: read
needs: args
uses: slsa-framework/slsa-github-generator-go/.github/workflows/builder.yml@2b2bf8753ae8ab14332b72217daf3c2c670272b3
uses: /.github/workflows/builder.yml@2b2bf8753ae8ab14332b72217daf3c2c670272b3
with:
go-version: 1.17
env: "VERSION_LDFLAGS:${{needs.args.outputs.ldflags}}"
# Upload to GitHub release.
upload:
permissions:
contents: write
runs-on: ubuntu-latest
needs: build
# Sign the binaries (if this is a macos build)
macos_signer:
runs-on: macos-11.0
steps:
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
with:
name: ${{ needs.build.outputs.go-binary-name }}
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
with:
name: ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl
- uses: actions/checkout@v2
- name: Download and sign the latest executables
env:
MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
run: |
echo $GITHUB_REF
# brew install md5sha1sum
# export TAG_NAME=`curl -L https://api.github.com/repos/ddworken/hishtory/releases/latest --header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}'| jq -r .tag_name`
# if [ $TAG_NAME == "null" ]; then
# echo "TAG_NAME is null, this shouldn't happen!"
# curl -L https://api.github.com/repos/ddworken/hishtory/releases/latest
# exit 1
# fi
# echo "Signing binaries for $TAG_NAME"
# curl -L -o hishtory-darwin-arm64 https://github.com/ddworken/hishtory/releases/download/$TAG_NAME-darwin-arm64/hishtory-darwin-arm64 --header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}'
# curl -L -o hishtory-darwin-amd64 https://github.com/ddworken/hishtory/releases/download/$TAG_NAME-darwin-amd64/hishtory-darwin-amd64 --header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}'
# echo "Signing the binaries:"
# file hishtory-*
# sha1sum hishtory-*
# if [[ `file hishtory-darwin-arm64` == *"ASCII text"* ]]; then
# echo "hishtory-darwin-arm64 is ASCII text???"
# cat hishtory-darwin-arm64
# exit 1
# fi
# if [[ `file hishtory-darwin-amd64` == *"ASCII text"* ]]; then
# echo "hishtory-darwin-amd64 is ASCII text???"
# cat hishtory-darwin-amd64
# exit 1
# fi
# echo $MACOS_CERTIFICATE | base64 -d > certificate.p12
# security create-keychain -p $MACOS_CERTIFICATE_PWD build.keychain
# security default-keychain -s build.keychain
# security unlock-keychain -p $MACOS_CERTIFICATE_PWD build.keychain
# security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign
# security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $MACOS_CERTIFICATE_PWD build.keychain
# /usr/bin/codesign --force -s 6D4E1575A0D40C370E294916A8390797106C8A6E hishtory-darwin-arm64 -v
# /usr/bin/codesign --force -s 6D4E1575A0D40C370E294916A8390797106C8A6E hishtory-darwin-amd64 -v
# echo "Signed the binaries:"
# sha1sum hishtory-*
# # Move them to the released filenames
# cp hishtory-darwin-arm64 hishtory-darwin-arm64-signed
# cp hishtory-darwin-amd64 hishtory-darwin-amd64-signed
- name: Release
uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5
if: ${{ startsWith(github.ref, 'refs/tags/') && contains(github.ref, '-') }}
uses: softprops/action-gh-release@v1
if: startsWith(github.ref, 'refs/tags/')
with:
files: |
${{ needs.build.outputs.go-binary-name }}
${{ needs.build.outputs.go-binary-name }}.intoto.jsonl
hishtory-darwin-arm64-signed.json
hishtory-darwin-amd64-signed.json
# Upload to GitHub release.
# upload:
# permissions:
# contents: write
# runs-on: ubuntu-latest
# needs:
# - macos_signer
# - build
# steps:
# - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
# with:
# name: ${{ needs.macos_signer.outputs.go-binary-name }}
# - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
# with:
# name: ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl
# - name: Release
# uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5
# if: ${{ startsWith(github.ref, 'refs/tags/') && contains(github.ref, '-') }}
# with:
# files: |
# ${{ needs.macos_signer.outputs.go-binary-name }}
# ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl