ci_release: upload hashes and run on pull_request and run scheduled

2025-12-06 06:44:57 +01:00 · 2023-01-29 16:58:30 +01:00 · 2023-01-29 16:58:30 +01:00 · 63fc21cc90
commit 63fc21cc90
parent d234cf4112
3 changed files with 85 additions and 12 deletions
--- a/.github/workflows/ci_docker.yml
+++ b/.github/workflows/ci_docker.yml
@ -92,7 +92,14 @@ jobs:
      - name: Image digest
        # TODO upload digests to assets
        run: |
-          echo "extract_otp_secrets: ${{ steps.docker_build_qr_reader_latest.outputs.digest }}"
+          echo "extract_otp_secrets digests: ${{ steps.docker_build_qr_reader_latest.outputs.digest }}"
+          echo "${{ steps.docker_build_qr_reader_latest.outputs.digest }}" > digests.txt
+      - name: Save docker digests as artifacts
+        if: github.ref == 'refs/heads/master'
+        uses: actions/upload-artifact@v3
+        with:
+          name: debian_digests
+          path: digests.txt

  build-and-push-docker-alpine-image:
    name: Build Docker Alpine image and push to repositories
@ -155,8 +162,15 @@ jobs:
          build-args: |
            RUN_TESTS=true

-
      - name: Image digest
        # TODO upload digests to assets
        run: |
-          echo "extract_otp_secrets:only-txt: ${{ steps.docker_build_only_txt.outputs.digest }}"
+          echo "extract_otp_secrets:only-txt digests: ${{ steps.docker_build_only_txt.outputs.digest }}"
+          echo "${{ steps.docker_build_qr_reader_latest.outputs.digest }}" > digests.txt
+
+      - name: Save docker digests as artifacts
+        if: github.ref == 'refs/heads/master'
+        uses: actions/upload-artifact@v3
+        with:
+          name: alpine_digests
+          path: digests.txt
--- a/.github/workflows/ci_release.yml
+++ b/.github/workflows/ci_release.yml
@ -1,10 +1,8 @@
 name: release

 # https://data-dive.com/multi-os-deployment-in-cloud-using-pyinstaller-and-github-actions
-# https://github.com/actions/create-release (archived)
 # https://github.com/actions/upload-artifact
 # https://github.com/actions/download-artifact
-# https://github.com/actions/upload-release-asset (archived)
 # https://github.com/docker/metadata-action
 # https://github.com/marketplace/actions/generate-release-hashes

@ -36,12 +34,17 @@ on:
  push:
    tags:
      - 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10
+  pull_request:
+  schedule:
+    # Run weekly on default branch
+    - cron: '47 3 * * 6'

 jobs:

  create-release:
    name: Create Release
    runs-on: ubuntu-latest
+    if: startsWith(github.ref, 'refs/tags/v')
    steps:
      - name: Set meta data
        id: meta
@ -80,7 +83,7 @@ jobs:
          name: release_id
          path: release_id.txt

-  build-and-push-docker-image:
+  build-linux-executable-in-docker:
    name: Build Linux release in docker container
    # run only when code is compiling and tests are passing
    runs-on: ubuntu-latest
@ -172,6 +175,7 @@ jobs:
          dist/extract_otp_secrets_linux_x86_64 --qr CV2 example_export.png
          dist/extract_otp_secrets_linux_x86_64 --qr CV2_WECHAT example_export.png
      - name: Load Release URL File from release job
+        if: startsWith(github.ref, 'refs/tags/v')
        uses: actions/download-artifact@v3
        with:
          name: release_url
@ -179,7 +183,7 @@ jobs:
        run: ls -R
      - name: Upload Release Asset
        id: upload-release-asset
-        # TODO only for tags
+        if: startsWith(github.ref, 'refs/tags/v')
        run: |
          response=$(curl \
            -X POST \
@ -192,8 +196,8 @@ jobs:
            --data-binary @dist/extract_otp_secrets_linux_x86_64 \
            $(cat release_url.txt)=extract_otp_secrets_linux_x86_64)

-  build:
-    name: Build packages
+  build-native-executables:
+    name: Build native packages
    needs: create-release
    runs-on: ${{ matrix.os }}
    strategy:
@ -286,10 +290,12 @@ jobs:
        run: |
          dist/${{ matrix.OUT_FILE_NAME }} - < example_export.txt
      - name: Load Release URL File from release job
+        if: startsWith(github.ref, 'refs/tags/v')
        uses: actions/download-artifact@v3
        with:
          name: release_url
      - name: Load Release Id File from release job
+        if: startsWith(github.ref, 'refs/tags/v')
        uses: actions/download-artifact@v3
        with:
          name: release_id
@ -297,14 +303,66 @@ jobs:
        run: ls -R
      - name: Set meta data
        id: meta
+        if: startsWith(github.ref, 'refs/tags/v')
        shell: bash
        run: |
-          cat release_url.txt
-          echo "release_url=$(cat release_url.txt)" >> $GITHUB_OUTPUT
          echo "release_id=$(cat release_id.txt)" >> $GITHUB_OUTPUT
          echo "upload_url=https://uploads.github.com/repos/scito/extract_otp_secrets/releases/$(cat release_id.txt)/assets?name=" >> $GITHUB_OUTPUT
      - name: Upload Release Asset
        id: upload-release-asset
-        if: ${{ matrix.UPLOAD }}
+        if: matrix.UPLOAD && startsWith(github.ref, 'refs/tags/v')
        run: |
          curl -X POST -H "Accept: application/vnd.github+json" -H "Content-Type: ${{ matrix.ASSET_MIME }}" -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" -H "X-GitHub-Api-Version: 2022-11-28" --show-error --data-binary @dist/${{ matrix.OUT_FILE_NAME }} ${{ steps.meta.outputs.upload_url }}=${{ matrix.ASSET_NAME }}
+
+  upload-hashes:
+    name: Upload hashes
+    if: startsWith(github.ref, 'refs/tags/v')
+    needs:
+      - build-linux-executable-in-docker
+      - build-native-executables
+    runs-on: ubuntu-latest
+    steps:
+      - name: Load Release Id File from release job
+        uses: actions/download-artifact@v3
+        with:
+          name: release_id
+      - name: Set meta data
+        id: meta
+        run: |
+          echo "release_id=$(cat release_id.txt)" >> $GITHUB_OUTPUT
+          echo "upload_url=https://uploads.github.com/repos/scito/extract_otp_secrets/releases/$(cat release_id.txt)/assets?name=" >> $GITHUB_OUTPUT
+      - name: Calculate and upload hashes from assets
+        run: |
+          GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}
+          for asset_url in $(curl \
+            -H "Accept: application/vnd.github+json" \
+            -H "Authorization: Bearer $GITHUB_TOKEN"\
+            -H "X-GitHub-Api-Version: 2022-11-28" \
+            --silent \
+            --show-error \
+            https://api.github.com/repos/scito/extract_otp_secrets/releases/90604736/assets |
+          jq -r '.[].url'); do
+              echo "Download $asset_url"
+              name=$(curl \
+                  -H "Accept: application/vnd.github+json" \
+                  -H "Authorization: Bearer $GITHUB_TOKEN"\
+                  -H "X-GitHub-Api-Version: 2022-11-28" \
+                  --output-dir assets \
+                  -L \
+                  $asset_url |
+                  jq -r '.name')
+              curl \
+                  -H "Accept: application/octet-stream" \
+                  -H "Authorization: Bearer $GITHUB_TOKEN"\
+                  -H "X-GitHub-Api-Version: 2022-11-28" \
+                  --create-dirs \
+                  --output-dir assets \
+                  -L \
+                  -o $name \
+                  $asset_url
+          done
+          (cd assets/ && sha256sum * > ../sha256_hashes.txt)
+          curl -X POST -H "Accept: application/vnd.github+json" -H "Content-Type: text/plain" -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" -H "X-GitHub-Api-Version: 2022-11-28" --show-error --data @sha256_hashes.txt ${{ steps.meta.outputs.upload_url }}=sha256_hashes.txt
+
+          (cd assets/ && sha512sum * > ../sha512_hashes.txt)
+          curl -X POST -H "Accept: application/vnd.github+json" -H "Content-Type: text/plain" -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" -H "X-GitHub-Api-Version: 2022-11-28" --show-error --data @sha512_hashes.txt ${{ steps.meta.outputs.upload_url }}=sha512_hashes.txt
--- a/.gitignore
+++ b/.gitignore
@ -25,3 +25,4 @@ dist_*/
 file_version_info_python.txt
 file_version_info_explorer.txt
 file_version_info.txt
+assets/*