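# Weekly job that refreshes the TUF seed material embedded in packages/tuf.
# The seeds (root.json plus two targets) are fetched from the TUF mirror by
# @tufjs/cli, using the currently embedded root as the trust anchor, and — if
# anything changed — committed on a dated branch and offered as a pull request
# whose body shows the full new contents for human review.
name: Update TUF Seeds

on:
  # run every monday
  schedule:
    - cron: '0 0 * * 1'
  workflow_dispatch:

# Workflow-wide token scope is read-only; the single job below elevates to the
# two write scopes it actually needs (pushing the branch, opening the PR).
permissions:
  contents: read

jobs:
  update-tuf-seeds:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    defaults:
      run:
        # An explicit `bash` shell runs each script with `-eo pipefail`, so a
        # failing `jq` or `base64` inside a pipeline fails the step instead of
        # silently writing an empty file (the implicit default shell is only `-e`).
        shell: bash
    env:
      DEBUG: "tuf:*"
      TUF_MIRROR: https://tuf-repo-cdn.sigstore.dev
      TUF_CACHE: /home/runner/work/_temp/tuf
      TUF_ROOT: /home/runner/work/_temp/root.json
      TARGET_TRUSTED_ROOT: trusted_root.json
      # Target name as it is keyed in seeds.json: the path separator stays
      # URL-encoded (%2F). The download step decodes it for @tufjs/cli.
      TARGET_NPM_KEYS: registry.npmjs.org%2Fkeys.json
    steps:
      - name: Checkout source
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

      # The root currently embedded in seeds.json is the trust anchor for the
      # downloads below; it is stored base64-encoded and written out as a file.
      # The mirror URL is handed to jq as --arg rather than interpolated into the
      # filter text, so it cannot alter the jq program and needs no quoting.
      - name: Extract current TUF root.json
        run: |
          jq -r --arg mirror "$TUF_MIRROR" '.[$mirror]."root.json"' packages/tuf/seeds.json \
            | base64 -d \
            > "$TUF_ROOT"
          test -s "$TUF_ROOT" || { echo "no root.json found in seeds.json for $TUF_MIRROR" >&2; exit 1; }

      # NOTE(review): `npx @tufjs/cli` resolves to whatever version npm serves
      # at run time; pinning it (`@tufjs/cli@<version>`) would make the tool
      # that performs the TUF verification itself reproducible.
      - name: Get Targets
        run: |
          npx @tufjs/cli download \
            --metadata-base-url "${TUF_MIRROR}" \
            --cache-path "${TUF_CACHE}" \
            --root "${TUF_ROOT}" \
            --target-name "${TARGET_TRUSTED_ROOT}" > /dev/null
          # The CLI takes the decoded target path (%2F -> /); quoting "%2F" in
          # the substitution keeps bash from reading the leading % as an
          # end-of-string anchor. The cached file is still addressed by the
          # encoded name in the next step.
          npx @tufjs/cli download \
            --metadata-base-url "${TUF_MIRROR}" \
            --cache-path "${TUF_CACHE}" \
            --root "${TUF_ROOT}" \
            --target-name ${TARGET_NPM_KEYS/"%2F"/"/"} > /dev/null

      # Refuse to assemble from missing or empty files: otherwise a failed
      # download would yield a seeds.json with empty base64 values, which still
      # counts as a change and would be opened as a PR. Map keys are passed as
      # --arg so jq builds the object itself instead of string interpolation.
      - name: Assemble TUF Seeds
        run: |
          for f in "${TUF_CACHE}/root.json" \
                   "${TUF_CACHE}/targets/${TARGET_TRUSTED_ROOT}" \
                   "${TUF_CACHE}/targets/${TARGET_NPM_KEYS}"; do
            test -s "$f" || { echo "missing or empty: $f" >&2; exit 1; }
          done
          jq -n -c \
            --arg mirror "$TUF_MIRROR" \
            --arg root "$(base64 -w 0 "${TUF_CACHE}/root.json")" \
            --arg trusted_root_key "$TARGET_TRUSTED_ROOT" \
            --arg trusted_root_value "$(base64 -w 0 "${TUF_CACHE}/targets/${TARGET_TRUSTED_ROOT}")" \
            --arg npm_keys_key "$TARGET_NPM_KEYS" \
            --arg npm_keys_value "$(base64 -w 0 "${TUF_CACHE}/targets/${TARGET_NPM_KEYS}")" \
            '{($mirror): {"root.json": $root, "targets": {($trusted_root_key): $trusted_root_value, ($npm_keys_key): $npm_keys_value}}}' \
            > packages/tuf/seeds.json

      # Any working-tree change (expected: only seeds.json) gates the
      # commit and PR steps below.
      - name: Check for changes
        id: git-check
        run: |
          if [ -n "$(git status --porcelain)" ]; then
            echo "CHANGED=true" >> "$GITHUB_OUTPUT"
          fi

      # Changeset file named after the run so concurrent runs cannot collide.
      - name: Add Changeset
        if: steps.git-check.outputs.CHANGED == 'true'
        run: |
          cat << EOF > .changeset/${{ github.run_id }}-${{ github.run_attempt }}.md
          ---
          "@sigstore/tuf": patch
          ---
          Update TUF seed files
          EOF

      # The branch name is dated. NOTE(review): a second run on the same day
      # that also finds changes would presumably be rejected at push while the
      # earlier branch still exists — confirm that is acceptable.
      - name: Commit Changes
        if: steps.git-check.outputs.CHANGED == 'true'
        run: |
          git config --global user.name 'github-actions[bot]'
          git config --global user.email 'github-actions[bot]@users.noreply.github.com'
          BRANCH_NAME="tuf-root-update-$(date +%Y-%m-%d)"
          echo "BRANCH_NAME=$BRANCH_NAME" >> "$GITHUB_ENV"
          git checkout -b "$BRANCH_NAME"
          git add -A
          git commit -m "Update TUF seed files"
          # Push once, after the commit, so the remote branch never exists empty.
          git push --set-upstream origin "$BRANCH_NAME"

      # The heredoc is deliberately unquoted: the $(cat …) blocks embed the
      # fetched root and target files so reviewers see the full new contents
      # in the PR body rather than only a base64 blob in the diff.
      - name: Create Pull Request
        if: steps.git-check.outputs.CHANGED == 'true'
        env:
          PR_BODY: ${{ runner.temp }}/pr-body.md
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          cat << EOF > "${PR_BODY}"
          Updates the TUF seeds with the latest root metadata and target values.
          ### \`${TUF_MIRROR}\`
          **Root Metadata**
          \`\`\`
          $(cat "${TUF_CACHE}/root.json")
          \`\`\`
          **Target: \`${TARGET_TRUSTED_ROOT}\`**
          \`\`\`
          $(cat "${TUF_CACHE}/targets/${TARGET_TRUSTED_ROOT}")
          \`\`\`
          **Target: \`${TARGET_NPM_KEYS}\`**
          \`\`\`
          $(cat "${TUF_CACHE}/targets/${TARGET_NPM_KEYS}")
          \`\`\`
          EOF
          gh pr create --base main --body-file "${PR_BODY}" --title "Update TUF seed files"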