get-signed-installers-from-stampy #738
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: get-signed-installers-from-stampy | |
| on: | |
| workflow_dispatch: | |
| schedule: | |
| # 2:35 am central time | |
| - cron: '35 7 * * *' | |
| jobs: | |
| get-signed-from-stampy: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Check out the repo | |
| uses: actions/checkout@v4 | |
| - name: download | |
| # switch AWS identity to the one that can access stampy | |
| run: | | |
| ACCOUNT_ID=$(aws sts get-caller-identity | jq -r '.Account') | |
| TEMP_ROLE=$(aws sts assume-role --role-arn $STAMPY_ARN --role-session-name artifact-signing) | |
| export AWS_ACCESS_KEY_ID=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.AccessKeyId') | |
| export AWS_SECRET_ACCESS_KEY=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SecretAccessKey') | |
| export AWS_SESSION_TOKEN=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SessionToken') | |
| aws s3 cp --recursive ${{ secrets.STAMPY_SIGNED_BUCKET }}/ . | |
| env: | |
| STAMPY_ARN: ${{ secrets.STAMPY_ARN }} | |
| AWS_ACCESS_KEY_ID: ${{secrets.AWS_ACCESS_KEY_ID}} | |
| AWS_SECRET_ACCESS_KEY: ${{secrets.AWS_SECRET_ACCESS_KEY}} | |
| AWS_EC2_METADATA_DISABLED: true | |
| - name: upload to CLI s3 | |
| id: upload | |
| run: | | |
| # Run script and redirect stderr to stdout | |
| OUTPUT=$(node scripts/stampy-signed-upload.js 2>&1) | |
| # Check for non-zero exit code and stop the workflow if an error occured | |
| if [ $? -ne 0 ]; then | |
| echo "An error occured:" | |
| echo $OUTPUT | |
| exit 1 | |
| fi | |
| # Set multiline string output | |
| # https://stackoverflow.com/questions/74137120/how-to-fix-or-avoid-error-unable-to-process-file-command-output-successfully#comment131739699_74232400 | |
| echo -e "output<<EOF\n$OUTPUT\nEOF" >> "$GITHUB_OUTPUT" | |
| env: | |
| AWS_ACCESS_KEY_ID: ${{secrets.AWS_ACCESS_KEY_ID}} | |
| AWS_SECRET_ACCESS_KEY: ${{secrets.AWS_SECRET_ACCESS_KEY}} | |
| AWS_EC2_METADATA_DISABLED: true | |
| - name: clean up stampy in/out buckets | |
| run: | | |
| ACCOUNT_ID=$(aws sts get-caller-identity | jq -r '.Account') | |
| TEMP_ROLE=$(aws sts assume-role --role-arn $STAMPY_ARN --role-session-name artifact-signing) | |
| export AWS_ACCESS_KEY_ID=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.AccessKeyId') | |
| export AWS_SECRET_ACCESS_KEY=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SecretAccessKey') | |
| export AWS_SESSION_TOKEN=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SessionToken') | |
| node scripts/stampy-signed-delete.js | |
| env: | |
| STAMPY_ARN: ${{ secrets.STAMPY_ARN }} | |
| STAMPY_UNSIGNED_BUCKET: ${{ secrets.STAMPY_UNSIGNED_BUCKET }} | |
| STAMPY_SIGNED_BUCKET: ${{ secrets.STAMPY_SIGNED_BUCKET }} | |
| AWS_ACCESS_KEY_ID: ${{secrets.AWS_ACCESS_KEY_ID}} | |
| AWS_SECRET_ACCESS_KEY: ${{secrets.AWS_SECRET_ACCESS_KEY}} | |
| AWS_EC2_METADATA_DISABLED: true | |
| - name: notify | |
| uses: slackapi/slack-github-action@v1.26.0 | |
| env: | |
| SLACK_WEBHOOK_URL: ${{ secrets.CLI_TEAM_SLACK_WEBHOOK_URL }} | |
| SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK | |
| with: | |
| payload: | | |
| { | |
| "blocks": [ | |
| { | |
| "type": "header", | |
| "text": { | |
| "type": "plain_text", | |
| "text": "Stampy signed and uploaded the following files:", | |
| "emoji": true | |
| } | |
| }, | |
| { | |
| "type": "section", | |
| "text": { | |
| "type": "mrkdwn", | |
| "text": ${{ toJson(steps.upload.outputs.output) }} | |
| } | |
| } | |
| ] | |
| } |