Skip to content

Commit

Permalink
Remove duplication
Browse files Browse the repository at this point in the history
  • Loading branch information
@jrfnl
jrfnl committed Dec 8, 2024
1 parent e7af8c4 commit 2ca29e3
Showing 1 changed file with 27 additions and 176 deletions.
203 changes: 27 additions & 176 deletions .github/workflows/verify-release.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -23,19 +23,23 @@ concurrency:

jobs:
############################
# Verify the release assets.
# Verify the release is available in all the right places and works as expected.
############################
verify-release-assets:
verify-available-downloads:
runs-on: ubuntu-latest

strategy:
fail-fast: false
matrix:
download_flavour:
- "Release assets"
- "Unversioned web"
- "Versioned web"
pharfile:
- 'phpcs'
- 'phpcbf'

name: "Release assets: ${{ matrix.pharfile }}"
name: "${{ matrix.download_flavour }}: ${{ matrix.pharfile }}"

steps:
- name: Retrieve latest release info
Expand All @@ -57,184 +61,33 @@ jobs:
- name: "DEBUG: Show tag name found in API response"
run: "echo ${{ steps.version.outputs.TAG }}"

- name: Verify PHAR file is available and download
run: wget -O ${{ matrix.pharfile }}.phar https://github.com/PHPCSStandards/PHP_CodeSniffer/releases/latest/download/${{ matrix.pharfile }}.phar

- name: Verify signature file is available and download
run: wget -O ${{ matrix.pharfile }}.phar.asc https://github.com/PHPCSStandards/PHP_CodeSniffer/releases/latest/download/${{ matrix.pharfile }}.phar.asc

- name: "DEBUG: List files"
run: ls -Rlh

- name: Verify attestation of the PHAR file
run: gh attestation verify ${{ matrix.pharfile }}.phar -o PHPCSStandards
env:
GH_TOKEN: ${{ github.token }}

- name: Download public key
env:
FINGERPRINT: "0x689DAD778FF08760E046228BA978220305CD5C32"
run: gpg --keyserver hkps://keys.openpgp.org --recv-keys $FINGERPRINT

- name: Verify signature of the PHAR file
run: gpg --verify ${{ matrix.pharfile }}.phar.asc ${{ matrix.pharfile }}.phar

- name: Setup PHP
uses: shivammathur/setup-php@v2
with:
php-version: 'latest'
ini-values: error_reporting=-1, display_errors=On
coverage: none

# Note: the `.` is in the command to make it work for both PHPCS as well PHPCBF.
- name: Verify the PHAR is nominally functional
run: php ${{ matrix.pharfile }}.phar . -e --standard=PSR12

- name: Grab the version
id: asset_version
env:
FILE_NAME: ${{ matrix.pharfile }}.phar
# yamllint disable-line rule:line-length
run: echo "VERSION=$(php "$FILE_NAME" --version | grep --only-matching --max-count=1 --extended-regexp '\b[0-9]+(\.[0-9]+)+')" >> "$GITHUB_OUTPUT"

- name: "DEBUG: Show grabbed version"
run: echo ${{ steps.asset_version.outputs.VERSION }}

- name: Fail the build if the PHAR is not the correct version
if: ${{ steps.asset_version.outputs.VERSION != steps.version.outputs.TAG }}
run: exit 1

##########################################
# Verify plain downloads from the website.
##########################################
verify-plain-web:
runs-on: ubuntu-latest

strategy:
fail-fast: false
matrix:
pharfile:
- 'phpcs'
- 'phpcbf'

name: "Unversioned web: ${{ matrix.pharfile }}"

steps:
- name: Retrieve latest release info
uses: octokit/request-action@v2.x
id: get_latest_release
with:
route: GET /repos/PHPCSStandards/PHP_CodeSniffer/releases/latest
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: "DEBUG: Show API request failure status"
if: ${{ failure() }}
run: "echo No release found. Request failed with status ${{ steps.get_latest_release.outputs.status }}"

- name: Grab latest tag name from API response
id: version

- name: Get source URL
id: source
shell: bash
run: |
echo "TAG=${{ fromJson(steps.get_latest_release.outputs.data).tag_name }}" >> "$GITHUB_OUTPUT"
- name: "DEBUG: Show tag name found in API response"
run: "echo ${{ steps.version.outputs.TAG }}"

- name: Verify PHAR file is available and download
run: curl --remote-name https://phars.phpcodesniffer.com/${{ matrix.pharfile }}.phar

- name: Verify signature file is available and download
run: curl --remote-name https://phars.phpcodesniffer.com/${{ matrix.pharfile }}.phar.asc

- name: "DEBUG: List files"
run: ls -Rlh

- name: Verify attestation of the PHAR file
run: gh attestation verify ${{ matrix.pharfile }}.phar -o PHPCSStandards
env:
GH_TOKEN: ${{ github.token }}

- name: Download public key
env:
FINGERPRINT: "0x689DAD778FF08760E046228BA978220305CD5C32"
run: gpg --keyserver hkps://keys.openpgp.org --recv-keys $FINGERPRINT

- name: Verify signature of the PHAR file
run: gpg --verify ${{ matrix.pharfile }}.phar.asc ${{ matrix.pharfile }}.phar

- name: Setup PHP
uses: shivammathur/setup-php@v2
with:
php-version: 'latest'
ini-values: error_reporting=-1, display_errors=On
coverage: none

# Note: the `.` is in the command to make it work for both PHPCS as well PHPCBF.
- name: Verify the PHAR is nominally functional
run: php ${{ matrix.pharfile }}.phar . -e --standard=PSR12

- name: Grab the version
id: asset_version
env:
FILE_NAME: ${{ matrix.pharfile }}.phar
# yamllint disable-line rule:line-length
run: echo "VERSION=$(php "$FILE_NAME" --version | grep --only-matching --max-count=1 --extended-regexp '\b[0-9]+(\.[0-9]+)+')" >> "$GITHUB_OUTPUT"

- name: "DEBUG: Show grabbed version"
run: echo ${{ steps.asset_version.outputs.VERSION }}

- name: Fail the build if the PHAR is not the correct version
if: ${{ steps.asset_version.outputs.VERSION != steps.version.outputs.TAG }}
run: exit 1

# #########################################
# Verify versioned downloads from the website.
# #########################################
verify-versioned-web:
runs-on: ubuntu-latest

strategy:
fail-fast: false
matrix:
pharfile:
- 'phpcs'
- 'phpcbf'

name: "Versioned web: ${{ matrix.pharfile }}"

steps:
- name: Retrieve latest release info
uses: octokit/request-action@v2.x
id: get_latest_release
with:
route: GET /repos/PHPCSStandards/PHP_CodeSniffer/releases/latest
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: "DEBUG: Show API request failure status"
if: ${{ failure() }}
run: "echo No release found. Request failed with status ${{ steps.get_latest_release.outputs.status }}"

- name: Grab latest tag name from API response
id: version
run: |
echo "TAG=${{ fromJson(steps.get_latest_release.outputs.data).tag_name }}" >> "$GITHUB_OUTPUT"
- name: "DEBUG: Show tag name found in API response"
run: "echo ${{ steps.version.outputs.TAG }}"
if [[ ${{ matrix.download_flavour }} == 'Release assets' ]]; then
echo 'SRC=https://github.com/PHPCSStandards/PHP_CodeSniffer/releases/latest/download/' >> "$GITHUB_OUTPUT"
echo 'FILE=${{ matrix.pharfile }}.phar' >> "$GITHUB_OUTPUT"
elif [[ ${{ matrix.download_flavour }} == 'Unversioned web' ]]; then
echo 'SRC=https://phars.phpcodesniffer.com/' >> "$GITHUB_OUTPUT"
echo 'FILE=${{ matrix.pharfile }}.phar' >> "$GITHUB_OUTPUT"
else
echo 'SRC=https://phars.phpcodesniffer.com/phars/' >> "$GITHUB_OUTPUT"
echo 'FILE=${{ matrix.pharfile }}-${{ steps.version.outputs.TAG }}.phar' >> "$GITHUB_OUTPUT"
fi
- name: Verify PHAR file is available and download
run: curl --remote-name https://phars.phpcodesniffer.com/phars/${{ matrix.pharfile }}-${{ steps.version.outputs.TAG }}.phar
run: wget -O ${{ steps.source.outputs.FILE }} ${{ steps.source.outputs.SRC }}${{ steps.source.outputs.FILE }}

- name: Verify signature file is available and download
run: curl --remote-name https://phars.phpcodesniffer.com/phars/${{ matrix.pharfile }}-${{ steps.version.outputs.TAG }}.phar.asc
run: wget -O ${{ steps.source.outputs.FILE }}.asc ${{ steps.source.outputs.SRC }}${{ steps.source.outputs.FILE }}.asc

- name: "DEBUG: List files"
run: ls -Rlh

- name: Verify attestation of the PHAR file
run: gh attestation verify ${{ matrix.pharfile }}-${{ steps.version.outputs.TAG }}.phar -o PHPCSStandards
run: gh attestation verify ${{ steps.source.outputs.FILE }} -o PHPCSStandards
env:
GH_TOKEN: ${{ github.token }}

Expand All @@ -244,9 +97,7 @@ jobs:
run: gpg --keyserver hkps://keys.openpgp.org --recv-keys $FINGERPRINT

- name: Verify signature of the PHAR file
run: >
gpg --verify ${{ matrix.pharfile }}-${{ steps.version.outputs.TAG }}.phar.asc
${{ matrix.pharfile }}-${{ steps.version.outputs.TAG }}.phar
run: gpg --verify ${{ steps.source.outputs.FILE }}.asc ${{ steps.source.outputs.FILE }}

- name: Setup PHP
uses: shivammathur/setup-php@v2
Expand All @@ -257,12 +108,12 @@ jobs:

# Note: the `.` is in the command to make it work for both PHPCS as well PHPCBF.
- name: Verify the PHAR is nominally functional
run: php ${{ matrix.pharfile }}-${{ steps.version.outputs.TAG }}.phar . -e --standard=PSR12
run: php ${{ steps.source.outputs.FILE }} . -e --standard=PSR12

- name: Grab the version
id: asset_version
env:
FILE_NAME: ${{ matrix.pharfile }}-${{ steps.version.outputs.TAG }}.phar
FILE_NAME: ${{ steps.source.outputs.FILE }}
# yamllint disable-line rule:line-length
run: echo "VERSION=$(php "$FILE_NAME" --version | grep --only-matching --max-count=1 --extended-regexp '\b[0-9]+(\.[0-9]+)+')" >> "$GITHUB_OUTPUT"

Expand Down

0 comments on commit 2ca29e3

Please sign in to comment.