From c182a9992f07090d2b3251246f4d4605fa8c1427 Mon Sep 17 00:00:00 2001 From: Taras Drozdovskyi Date: Mon, 12 Feb 2024 11:27:51 +0200 Subject: [PATCH] ci: Added auto create release Signed-off-by: Taras Drozdovskyi --- .github/workflows/build.yml | 2 +- .github/workflows/publish.yml | 123 ++++++++++++++++++++++++++++++++++ 2 files changed, 124 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/publish.yml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index cdfa8c49..6b8bc5f1 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -17,7 +17,7 @@ jobs: - name: Install extra tools run: | sudo apt-get update - sudo apt-get install -y subversion make build-essential libncurses5-dev libssl-dev libcurl4-openssl-dev wget + sudo apt-get install -y make build-essential libncurses5-dev libssl-dev libcurl4-openssl-dev wget - name: Build the project run: | make PLATFORM=${{ matrix.platform }} create_context diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml new file mode 100644 index 00000000..2ab7619c --- /dev/null +++ b/.github/workflows/publish.yml @@ -0,0 +1,123 @@ +name: Create Release & Upload Asset + +on: + push: + tags: + - "v*" + +permissions: + contents: read + +jobs: + # Build LPVS + build: + runs-on: ubuntu-latest + name: Build LPVS + outputs: + artifacts: ${{ steps.build.outputs.artifacts }} + hashes: ${{ steps.hash.outputs.hashes }} + version: ${{ steps.lpvs_version.outputs.version }} + + steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - name: Checkout repository + uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3 + + - name: Install extra tools + run: | + sudo apt-get update + sudo apt-get install -y make build-essential libncurses5-dev libssl-dev libcurl4-openssl-dev wget + - name: Build the project + run: | + make PLATFORM=numaker_pfm_m2351 create_context + wget -L https://raw.githubusercontent.com/OpenNuvoton/M2351BSP/master/Library/Device/Nuvoton/M2351/Source/GCC/_syscalls.c -O ./arch/cortex-m23/m2351/src/Device/Nuvoton/M2351/Source/GCC/_syscalls.c + wget -L https://raw.githubusercontent.com/OpenNuvoton/M2351BSP/master/SampleCode/MKROM/SecureBootDemo/NuBL2/main.c -O ./arch/cortex-m23/m2351/src/NuBL2/main.c + wget -L https://raw.githubusercontent.com/OpenNuvoton/M2351BSP/master/SampleCode/MKROM/SecureBootDemo/NuBL2/VerifyNuBL3x.c -O ./arch/cortex-m23/m2351/src/NuBL2/VerifyNuBL3x.c + wget -L https://raw.githubusercontent.com/OpenNuvoton/M2351BSP/master/SampleCode/MKROM/SecureBootDemo/NuBL2/NuBL2.h -O ./arch/cortex-m23/m2351/src/NuBL2/NuBL2.h + wget -L https://raw.githubusercontent.com/OpenNuvoton/M2351BSP/master/SampleCode/MKROM/SecureBootDemo/NuBL2/FwInfo/FwInfo.c -O ./arch/cortex-m23/m2351/src/NuBL2/FwInfo.c + make toolchain + make + # Save the location of the mtower_*.bin output files for easier reference + ARTIFACT_PATTERN=./mtower_s.bin + echo "artifact_pattern=$ARTIFACT_PATTERN" >> "$GITHUB_OUTPUT" + + - name: Generate subject + id: hash + run: | + echo "hashes=$(sha256sum ${{ steps.build.outputs.artifact_pattern }} | base64 -w0)" >> "$GITHUB_OUTPUT" + + - name: Get mTower version + id: mtower_version + run: | + VERSION=${{ github.ref_name }} + # echo "version=mtower-${VERSION:1}.bin" >> "$GITHUB_OUTPUT" + echo "version=mtower_s.bin" >> "$GITHUB_OUTPUT" + + - name: Upload build artifacts + uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # tag=v3 + with: + name: ${{ steps.mtower_version.outputs.version }} + path: ./${{ steps.mtower_version.outputs.version }} + if-no-files-found: error + + # Create Release + create-release: + permissions: + contents: write # for marvinpinto/action-automatic-releases to generate pre-release + needs: [build] + name: Create Release + runs-on: "ubuntu-latest" + + steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - uses: marvinpinto/action-automatic-releases@d68defdd11f9dcc7f52f35c1b7c236ee7513bcc1 + with: + repo_token: "${{ secrets.GITHUB_TOKEN }}" + prerelease: false + title: "mTower ${{ github.ref_name }}" + + # Generate Provenance + provenance: + needs: [build, create-release] + name: Generate Provenance + permissions: + actions: read # To read the workflow path. + id-token: write # To sign the provenance. + contents: write # To add assets to a release. + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0 + with: + base64-subjects: "${{ needs.build.outputs.hashes }}" + upload-assets: true # Optional: Upload to a new release + + # Upload Assets + release: + permissions: + contents: write # for softprops/action-gh-release to create GitHub release + needs: [build, create-release, provenance] + name: Upload Assets + runs-on: ubuntu-latest + if: startsWith(github.ref, 'refs/tags/') + steps: + - name: Harden Runner + uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1 + with: + egress-policy: audit + + - name: Download ${{ needs.build.outputs.version }} + uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110 # tag=v2.1.0 + with: + name: ${{ needs.build.outputs.version }} + + - name: Upload assets + uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5 # v0.1.14 + with: + files: | + ${{ needs.build.outputs.version }}