From 1f4d1e323e735b782db5b3eb6c4e17dc9c4b7e41 Mon Sep 17 00:00:00 2001 From: s3rj1k Date: Wed, 11 Dec 2024 01:18:37 +0100 Subject: [PATCH] [GHA] Use temporary token to build artifacts, extend manual run options. --- .github/workflows/build.yml | 93 +++++++++++++++++++++++++++++++++++-- 1 file changed, 90 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 49e99e8b48..ea0d0a28fe 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -9,12 +9,32 @@ on: paths: - "**" workflow_dispatch: + inputs: + freeswitch_ref: + description: 'FreeSWITCH repository ref' + required: true + default: master + type: string + release: + description: 'FreeSWITCH release type' + type: choice + required: true + default: unstable + options: + - release + - unstable + publish: + description: 'Publish build data' + required: true + default: false + type: boolean concurrency: group: ${{ github.head_ref || github.ref }} jobs: preconfig: + name: 'Preconfig' runs-on: ubuntu-latest outputs: deb: ${{ steps.deb.outputs.excludes }} @@ -59,6 +79,8 @@ jobs: elif [[ '${{ github.base_ref }}' == 'v1.10' ]]; then echo 'release=release' | tee -a $GITHUB_OUTPUT fi + elif [[ '${{ github.event_name }}' == 'workflow_dispatch' ]]; then + echo 'release=${{ inputs.release }}' | tee -a $GITHUB_OUTPUT elif [[ '${{ github.ref }}' == 'refs/heads/master' ]]; then echo 'release=unstable' | tee -a $GITHUB_OUTPUT elif [[ '${{ github.ref }}' == 'refs/heads/v1.10' ]]; then 
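Review bot: `freeswitch_ref` is declared as a free-form `type: string` with no validation, and a later hunk forwards it unchanged as `REF:` to the reusable build workflow, so nothing on this page constrains what reaches that workflow. A shape check in the preconfig job would reject anything that is not a plausible git ref before the build starts, e.g. `if [[ ! "$FREESWITCH_REF" =~ ^[A-Za-z0-9._/-]+$ ]]; then exit 1; fi` with the value supplied through the step's `env:` rather than interpolated. The input's `description: 'FreeSWITCH repository ref'` also leaves open whether a branch name, tag or commit SHA is expected; stating that in the description would help the people using the manual run.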
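Review bot: The new `workflow_dispatch` branch writes `${{ inputs.release }}` directly into the shell script inside single quotes; that is safe here only because `release` is declared `type: choice` with two fixed options, so GitHub rejects any other value before the job runs. The same pattern must not be reused for the free-form `freeswitch_ref` input. The more robust form is to pass the value through the step's `env:` (`RELEASE_INPUT: ${{ inputs.release }}`) and write `echo "release=${RELEASE_INPUT}" | tee -a "$GITHUB_OUTPUT"`, keeping expressions out of the script body altogether. The surrounding if/elif chain begins and ends outside the hunk.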
@@ -67,6 +89,33 @@ jobs: exit 1 fi + get-nonce: + name: 'Get Nonce for token' + runs-on: freeswitch-repo-auth-client + outputs: + nonce: ${{ steps.get-nonce.outputs.nonce }} + steps: + - name: Get Nonce + id: get-nonce + uses: signalwire/actions-template/.github/actions/repo-auth-client@main + with: + mode: nonce + + issue-token: + name: 'Issue temporary token' + runs-on: ubuntu-latest + needs: get-nonce + outputs: + token: ${{ steps.issue-token.outputs.token }} + steps: + - name: Issue Token + id: issue-token + uses: signalwire/actions-template/.github/actions/repo-auth-client@main + env: + NONCE: ${{ needs.get-nonce.outputs.nonce }} + with: + mode: issue + deb-public: name: 'DEB-PUBLIC' permissions: @@ -74,6 +123,7 @@ jobs: contents: read needs: - preconfig + - issue-token uses: signalwire/actions-template/.github/workflows/cicd-docker-build-and-distribute.yml@main strategy: # max-parallel: 1 @@ -96,6 +146,7 @@ jobs: exclude: ${{ fromJson(needs.preconfig.outputs.deb) }} with: RUNNER: ${{ matrix.platform.runner }} + REF: ${{ inputs.freeswitch_ref }} ARTIFACTS_PATTERN: '.*\.(deb|dsc|changes|tar.bz2|tar.gz|tar.lzma|tar.xz)$' DOCKERFILE: .github/docker/${{ matrix.os }}/${{ matrix.version }}/${{ matrix.platform.name }}/public.${{ matrix.release }}.Dockerfile MAINTAINER: 'Andrey Volk ' 
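Review bot: `get-nonce` and `issue-token` carry no `if:`, so a repository-scoped token is minted for every run that reaches `deb-public`, including pull_request builds that the upload gate in a later hunk is meant to exclude; the static `REPOTOKEN` secret this replaces was at least withheld automatically from runs originating in forks. Gating both jobs on the same publish condition, and giving `deb-public` an `if: ${{ !cancelled() && needs.preconfig.result == 'success' }}` so it still runs when they are skipped, keeps the credential out of runs that will never use it. The token also crosses jobs as a plain job output (`outputs: token:`), which is not a secrets context; its protection depends on whether the action masks it, and to my knowledge the runner refuses to propagate an output containing a masked value, so confirm which of the two happens here. Finally, the action that issues and later revokes the credential is referenced as `repo-auth-client@main`; pinning it to a full commit SHA would stop a change on that branch from silently altering how the token is handled.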
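Review bot: `REF: ${{ inputs.freeswitch_ref }}` is only populated on `workflow_dispatch`; for push and pull_request events the `inputs` context is empty, so the reusable workflow now receives an explicit empty `REF` where it previously received no `REF` at all and could apply its own default. Whether it treats an empty value as "build the triggering ref" is not visible on this page; if it does not, every push build would either fail or build something other than the commit that triggered it. Spelling the fallback out in the caller removes the doubt, e.g. `REF: ${{ inputs.freeswitch_ref || github.sha }}`, adjusted to whatever the reusable workflow expects as its default.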
@@ -103,7 +154,17 @@ jobs: PLATFORM: ${{ matrix.platform.name }} REPO_DOMAIN: 'freeswitch.signalwire.com' TARGET_ARTIFACT_NAME: ${{ matrix.os }}-${{ matrix.version }}-${{ matrix.platform.name }}-public-${{ matrix.release }}-artifact - UPLOAD_BUILD_ARTIFACTS: ${{ github.event_name != 'pull_request' || contains(github.event.pull_request.title, ':upload-artifacts') }} + UPLOAD_BUILD_ARTIFACTS: >- + ${{ + (github.event.pull_request.head.repo.full_name == github.repository) && + ( + ( + github.event_name != 'pull_request' && + github.event_name != 'workflow_dispatch' + ) || + (github.event_name == 'workflow_dispatch' && inputs.publish) + ) + }} secrets: GH_BOT_DEPLOY_TOKEN: ${{ secrets.PAT }} HOSTNAME: ${{ secrets.HOSTNAME }} @@ -111,11 +172,37 @@ jobs: USERNAME: ${{ secrets.USERNAME }} TELEPORT_TOKEN: ${{ secrets.TELEPORT_TOKEN }} REPO_USERNAME: 'SWUSERNAME' - REPO_PASSWORD: ${{ secrets.REPOTOKEN }} + REPO_PASSWORD: ${{ needs.issue-token.outputs.token }} + + revoke-token: + name: 'Revoke temporary token' + runs-on: ubuntu-latest + # if: always() + needs: + - issue-token + - deb-public + steps: + - name: Revoke Token + id: revoke-token + uses: signalwire/actions-template/.github/actions/repo-auth-client@main + env: + TOKEN: ${{ needs.issue-token.outputs.token }} + with: + mode: revoke meta: name: 'Publish build data to meta-repo' - if: ${{ github.event_name != 'pull_request' || contains(github.event.pull_request.title, ':upload-artifacts') }} + if: >- + ${{ + (github.event.pull_request.head.repo.full_name == github.repository) && + ( + ( + github.event_name != 'pull_request' && + github.event_name != 'workflow_dispatch' + ) || + (github.event_name == 'workflow_dispatch' && inputs.publish) + ) + }} needs: - deb-public permissions:
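Review bot: The rewritten `UPLOAD_BUILD_ARTIFACTS` expression appears to evaluate to false for every event type. On push and workflow_dispatch runs `github.event.pull_request` is absent, so `github.event.pull_request.head.repo.full_name == github.repository` compares null with a string and is false, which short-circuits the outer `&&`; on pull_request runs the first conjunct can be true, but the inner disjunction is false by construction because `github.event_name != 'pull_request'` fails and the event is not `workflow_dispatch`. If the intent is "publish on push, publish on dispatch only when `publish` is set, never on pull requests", the same-repository conjunct is redundant and the value reduces to `${{ (github.event_name != 'pull_request' && github.event_name != 'workflow_dispatch') || (github.event_name == 'workflow_dispatch' && inputs.publish) }}`; if same-repository pull requests are meant to publish, the outer `&&` should instead be an `||` against the non-pull_request condition. The identical expression is used for `meta`'s `if:` in the next hunk and needs the same correction.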
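Review bot: `revoke-token` has its `if: always()` left commented out, so the job is skipped whenever `deb-public` fails or is cancelled, and the temporary token issued earlier in the run stays valid until the server-side expiry — precisely the case where cleanup matters most. `if: ${{ always() && needs.issue-token.result == 'success' }}` runs the revocation whenever a token was actually issued, regardless of how the build ended, while still skipping it when `issue-token` itself did not succeed. A one-line comment above the job, `# Runs even when deb-public fails so an issued token never outlives the run`, would record why the condition is there.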