Skip to content

Bump step-security/harden-runner from 2.9.0 to 2.9.1 (#976) #25

Bump step-security/harden-runner from 2.9.0 to 2.9.1 (#976)

Bump step-security/harden-runner from 2.9.0 to 2.9.1 (#976) #25

name: Publish ca-certificates
on:
push:
branches: [ master ]
paths:
- 'linux/ca-certificates/**'
- '.github/workflows/cacert-publish.yml'
permissions:
contents: read
jobs:
publish-ca-certificates:
if: github.repository == 'adoptium/installer'
name: "Publish ca-certificates"
runs-on: ubuntu-latest
defaults:
run:
working-directory: ./linux
steps:
- name: Harden Runner
uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
adoptium.jfrog.io:443
api.github.com:443
auth.docker.io:443
deb.debian.org:80
github.com:443
objects.githubusercontent.com:443
production.cloudflare.docker.com:443
registry-1.docker.io:443
releases-cdn.jfrog.io:443
releases.jfrog.io:443
services.gradle.org:443
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1
with:
java-version: '17'
java-package: jdk
architecture: x64
distribution: 'temurin'
- uses: jfrog/setup-jfrog-cli@26532cdb5b1ea07940f10d57666fd988048fc903 # v4.2.2
env:
JF_URL: https://adoptium.jfrog.io
JF_USER: ${{ secrets.ARTIFACTORY_USER }}
JF_PASSWORD: ${{ secrets.ARTIFACTORY_PASSWORD }}
- name: Build
run: |
export _JAVA_OPTIONS="-Xmx4G"
./gradlew --parallel :ca-certificates:package --stacktrace
- name: Check if deb file exists in Artifactory
id: check-deb
run: |
FILE=$(ls ca-certificates/debian/build/ospackage/*.deb)
echo "File to upload: ${FILE}"
FILE_EXISTS=$(jf rt s --count=true "deb/pool/main/a/adoptium-ca-certificates/$(basename $FILE)")
if [[ "$FILE_EXISTS" == "0" ]]; then
echo file_exists=false >> "$GITHUB_OUTPUT"
fi
- name: Upload deb file to Artifactory
if: steps.check-deb.outputs.file_exists == 'false'
run: |
DISTRO_LIST="trixie,bookworm,buster,noble,jammy,focal,bionic"
FILE=$(ls ca-certificates/debian/build/ospackage/*.deb)
# Upload cacerts deb file
jf rt u "$FILE" "deb/pool/main/a/adoptium-ca-certificates/$(basename ${FILE})" --flat=true
# Add deb.distribution properties
jf rt sp "deb/pool/main/a/adoptium-ca-certificates/$(basename ${FILE})" "deb.distribution=${DISTRO_LIST};deb.architecture=all;deb.component=main"