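---
# Refreshes packages/tuf/seeds.json from the Sigstore TUF mirror: the current
# root.json plus the two targets the tuf package needs at bootstrap time, and
# opens a pull request with the result when anything changed.
name: Update TUF Seeds

on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
  # NOTE(review): an unfiltered `push` trigger runs this job (which holds write
  # permissions below) on every push to every branch and tries to open a PR
  # each time; confirm this is intended rather than a leftover from testing.
  push:

# Least privilege at the workflow level; the job raises only what it needs.
permissions:
  contents: read

jobs:
  update-tuf-seeds:
    runs-on: ubuntu-latest
    permissions:
      contents: write        # push the update branch
      pull-requests: write   # open the PR
    defaults:
      run:
        # Explicit bash gives `-e -o pipefail`, so a failing command inside a
        # pipeline (jq, base64) fails the step instead of being masked.
        shell: bash
    env:
      DEBUG: "tuf:*"  # verbose logging from @tufjs/cli
      TUF_MIRROR: "https://tuf-repo-cdn.sigstore.dev"
      TARGET_TRUSTED_ROOT: trusted_root.json
      TARGET_NPM_KEYS: registry.npmjs.org/keys.json
    steps:
      - name: Checkout source
        # NOTE(review): the tag comment previously read "v3", but this SHA
        # appears to be a v4.x release of actions/checkout; confirm so tooling
        # that reads the comment (dependabot/renovate) is not misled.
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

      - name: Extract current TUF root.json
        env:
          CURRENT_ROOT: ${{ runner.temp }}/current-root.json
        run: |
          # seeds.json is keyed by mirror URL and stores root.json base64-encoded.
          # Look the key up via --arg instead of splicing a ${{ }} expression
          # into the script, and keep the decoded root in a file so the rollback
          # check below can use it. `// empty` produces no output (an empty file)
          # on a first run where the mirror has no seed yet, rather than the
          # literal string "null".
          jq -r --arg mirror "$TUF_MIRROR" '.[$mirror]["root.json"] // empty' \
            packages/tuf/seeds.json | base64 -d > "$CURRENT_ROOT"
          echo "Current seed root.json:"
          cat "$CURRENT_ROOT"

      - name: Get Targets
        env:
          TUF_CACHE: ${{ runner.temp }}/tuf
        run: |
          # --unsafe-root-download bootstraps trust from the mirror itself
          # (trust-on-first-use) rather than from the root already in seeds.json;
          # the version check in the next step is the only rollback protection
          # on that path.
          # NOTE(review): confirm this is acceptable for the seed refresh, or
          # seed the client with the current root if the CLI supports it.
          for target in "$TARGET_TRUSTED_ROOT" "$TARGET_NPM_KEYS"; do
            npx @tufjs/cli download \
              --metadata-base-url "$TUF_MIRROR" \
              --cache-path "$TUF_CACHE" \
              --unsafe-root-download \
              --target-name "$target"
          done

      - name: Check fetched root.json against the current seed
        env:
          TUF_CACHE: ${{ runner.temp }}/tuf
          CURRENT_ROOT: ${{ runner.temp }}/current-root.json
        run: |
          # TUF root metadata carries a monotonically increasing signed.version;
          # refuse to commit a root that is older than the one already seeded.
          # Assumes ${TUF_CACHE}/root.json is the signed root metadata the CLI
          # left in its cache (it is what the seed is assembled from below).
          if [ ! -s "$CURRENT_ROOT" ]; then
            echo "No existing seed for $TUF_MIRROR; skipping rollback check"
            exit 0
          fi
          current=$(jq -r '.signed.version' "$CURRENT_ROOT")
          fetched=$(jq -r '.signed.version' "${TUF_CACHE}/root.json")
          echo "root.json version: seeded=$current fetched=$fetched"
          if [ "$fetched" -lt "$current" ]; then
            echo "::error::fetched root.json version $fetched is older than seeded version $current"
            exit 1
          fi

      - name: Assemble TUF Seeds
        env:
          TUF_CACHE: ${{ runner.temp }}/tuf
          # The downloaded target is stored under its URL-encoded name, and the
          # seed file uses the same encoded name as its key, so override the
          # job-level value for this step only.
          TARGET_NPM_KEYS: registry.npmjs.org%2Fkeys.json
        run: |
          # Emit one compact JSON object so the committed diff stays minimal.
          jq -n -c \
            --arg mirror "$TUF_MIRROR" \
            --arg root "$(base64 -w 0 "${TUF_CACHE}/root.json")" \
            --arg trusted_root "$TARGET_TRUSTED_ROOT" \
            --arg trusted_root_value "$(base64 -w 0 "${TUF_CACHE}/targets/${TARGET_TRUSTED_ROOT}")" \
            --arg npm_keys "$TARGET_NPM_KEYS" \
            --arg npm_keys_value "$(base64 -w 0 "${TUF_CACHE}/targets/${TARGET_NPM_KEYS}")" \
            '{($mirror):{"root.json":$root,"targets":{($trusted_root):$trusted_root_value,($npm_keys):$npm_keys_value}}}' \
            > packages/tuf/seeds.json

      - name: Check for changes
        id: git-check
        run: |
          # Only the seed file is written above, so only it decides whether a PR
          # is needed. `::set-output` is deprecated; write to $GITHUB_OUTPUT.
          if [ -n "$(git status --porcelain -- packages/tuf/seeds.json)" ]; then
            echo "changed=true" >> "$GITHUB_OUTPUT"
          else
            echo "changed=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Commit files and push changes
        if: steps.git-check.outputs.changed == 'true'
        run: |
          git config --global user.name 'github-actions[bot]'
          git config --global user.email 'github-actions[bot]@users.noreply.github.com'
          # One branch per day; a second run on the same day fails at the push
          # below if that branch already exists on the remote.
          BRANCH_NAME="tuf-root-update-$(date +%Y-%m-%d)"
          echo "BRANCH_NAME=$BRANCH_NAME" >> "$GITHUB_ENV"
          git checkout -b "$BRANCH_NAME"
          # Stage only the file this workflow produces, not the whole tree.
          git add packages/tuf/seeds.json
          git commit -m "Update TUF root files"
          # A single push with upstream set; no empty-branch push beforehand.
          git push --set-upstream origin "$BRANCH_NAME"

      - name: Create Pull Request
        if: steps.git-check.outputs.changed == 'true'
        uses: repo-sync/pull-request@7e79a9f5dc3ad0ce53138f01df2fad14a04831c5 # v2.12.1
        with:
          destination_branch: "main"
          source_branch: ${{ env.BRANCH_NAME }}
          pr_title: "Update TUF seed files ${{ env.BRANCH_NAME }}"
          pr_body: "Updates TUF seeds files from the remote TUF repository"
          # PRs opened with GITHUB_TOKEN do not trigger other workflows (e.g. CI
          # on pull_request); use an app token or PAT if the PR needs CI to run.
          github_token: ${{ secrets.GITHUB_TOKEN }}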