-
Notifications
You must be signed in to change notification settings - Fork 0
136 lines (133 loc) · 4.31 KB
/
publish.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
name: Publish package
on:
push:
tags:
- 'v*'
workflow_dispatch:
env:
RPM_ARTIFACT_NAME: rpm_artifact
jobs:
build:
runs-on: ubuntu-latest
container:
image: rockylinux:9-minimal
steps:
- name: Install prerequirements for build
run: microdnf install -y selinux-policy-devel rpm-build rpm-sign
- name: Check out repository code
uses: actions/checkout@v4
- name: Build SELinux policy
working-directory: ./policy
run: make -f /usr/share/selinux/devel/Makefile flexnet.pp
- name: Generate man page of SELinux policy
working-directory: ./policy
run: |
/usr/sbin/semodule -i flexnet.pp
sepolicy manpage -p . -d flexnet_t
- name: Build RPM
working-directory: ./policy
run: |
pwd=$(pwd)
rpmbuild --define "_sourcedir ${pwd}" --define "_specdir ${pwd}" --define "_builddir ${pwd}" --define "_srcrpmdir ${pwd}" --define "_rpmdir ${pwd}/packages" --define "_buildrootdir ${pwd}/.build" -ba flexnet_selinux.spec
rpm_path=$(find ${pwd}/packages -type f -name "*.rpm" -print0 | head -z)
echo "rpm_path=${rpm_path}" >> "$GITHUB_ENV"
- name: Import GPG key
id: import_gpg
uses: crazy-max/ghaction-import-gpg@v6
with:
gpg_private_key: ${{ secrets.SIGN_SECRET }}
- name: Sign RPM
run: |
export GPG_TTY=$(tty)
gpg --list-keys --with-subkey-fingerprints
rpm --define "%_signature gpg" --define "%_gpg_name ${{ steps.import_gpg.outputs.fingerprint }}" --addsign ${rpm_path}
- name: Archive RPM
uses: actions/upload-artifact@v3
with:
name: ${{ env.RPM_ARTIFACT_NAME }}
path: ${{ env.rpm_path }}
retention-days: 1
list-releases:
runs-on: ubuntu-latest
steps:
- name: List release ids
uses: actions/github-script@v6
id: get-release-id-list
with:
script: |
const resp = await github.rest.repos.listReleases({
owner: context.repo.owner,
repo: context.repo.repo
});
return resp.data.map((release) => release.id);
- name: Print list release
run: echo "${{ steps.get-release-id-list.outputs.result }}"
fetch-previous-rpms:
needs: list-releases
if: ${{ needs.get-release-id-list.outputs.result != '[]' && needs.get-release-id-list.outputs.result != '' }}
runs-on: ubuntu-latest
strategy:
matrix:
release-id: ${{ fromJson(needs.get-release-id-list.outputs.result) }}
steps:
- uses: robinraju/release-downloader@v1.8
with:
releaseId: ${{ matrix.release-id }}
out-file-path: .
- name: Archive previous RPM
uses: actions/upload-artifact@v3
with:
name: "previous_${{ matrix.release-id }}"
path: ./*.rpm
retention-days: 1
create-release:
needs: [build, fetch-previous-rpms]
if: ${{ !cancelled() && !failure() && startsWith(github.ref, 'refs/tags/') }}
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- uses: actions/download-artifact@v3
with:
name: ${{ env.RPM_ARTIFACT_NAME }}
path: .
- name: Create release
uses: softprops/action-gh-release@v1
with:
files: ./*.rpm
create-rpm-repo:
needs: [build, fetch-previous-rpms]
if: ${{ !cancelled() && !failure() }}
runs-on: ubuntu-latest
container:
image: rockylinux:9-minimal
steps:
- name: Install prerequirements for publish
run: microdnf install -y findutils createrepo_c tar
- name: Download new RPM
uses: actions/download-artifact@v3
with:
path: ./artifacts
- name: Display structure of downloaded files
run: ls -R
- name: Reorganize RPMs
run: |
mkdir -p ./repo/packages
find ./artifacts -name "*.rpm" -type f -print0 | xargs -0 mv -t ./repo/packages
- name: Crate RPM repository
run: |
pwd=$(pwd)
createrepo_c --repo "SELinux policy module for FlexNet" -v ${pwd}/repo/
- name: Upload artifacts to GitHub Pages
uses: actions/upload-pages-artifact@v2
with:
path: "repo/"
publish-rpm-repo:
needs: create-rpm-repo
if: ${{ !cancelled() && !failure() }}
runs-on: ubuntu-latest
permissions:
pages: write
id-token: write
steps:
- uses: actions/deploy-pages@v2