Try to change ownership of files on SD card during installation (#155) #204
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # yamllint disable rule:line-length | |
| --- | |
| name: Sign and prerelease | |
| # Run the workflow on when code or a semver tag is pushed to main branch, | |
| # and on pull requests towards main branch | |
| on: | |
| push: | |
| branches: | |
| - "main" | |
| tags: | |
| # semver, e.g. 1.2.0 (does not match 0.1.2) | |
| - "[1-9]+.[0-9]+.[0-9]+" | |
| # semver with prerelease info, e.g. 1.0.2-beta.1 or 1.2.3-rc.10 | |
| - "[1-9]+.[0-9]+.[0-9]+-[a-z]+.[0-9]+" | |
| # do not match prerelease starting w/ 0, e.g. 1.0.2-beta.0 or 1.2.3-rc.01 | |
| - "![1-9]+.[0-9]+.[0-9]+-[a-z]+.[0]*" | |
| # semver with date info, e.g. 1.0.2-20221125 | |
| - "[1-9]+.[0-9]+.[0-9]+-[0-9]+" | |
| # do not match date starting w/ 0, e.g. 1.0.2-01232023 | |
| - "![1-9]+.[0-9]+.[0-9]+-[0]*" | |
| pull_request: | |
| branches: | |
| - "main" | |
| env: | |
| PROJECT: "docker-compose-acap" | |
| jobs: | |
| # Builds docker ACAP using the build.sh script, then signs the eap-file in | |
| # ACAP Portal and stores it as a build artifact. | |
| # This job runs for all triggers of the workflow | |
| build: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| arch: ["armv7hf", "aarch64"] | |
| outputs: | |
| EAP_FILE_ARMV7HF: ${{ steps.save_full_file_name.outputs.EAP_FILE_ARMV7HF }} | |
| EAP_FILE_AARCH64: ${{ steps.save_full_file_name.outputs.EAP_FILE_AARCH64 }} | |
| SHORT_SHA: ${{ steps.save_full_file_name.outputs.SHORT_SHA }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: get_short_sha | |
| run: | | |
| sha=${{ github.sha }} | |
| strip_sha=${sha:0:7} | |
| echo "SHORT_SHA=${strip_sha}" >> $GITHUB_ENV | |
| - uses: actions/cache@v4 | |
| if: ${{ (github.ref_type == 'tag') || (github.event_name == 'push' && github.ref == 'refs/heads/main') }} | |
| with: | |
| path: ${{ github.workspace }}/build-${{ matrix.arch }} | |
| key: key-${{ env.SHORT_SHA }}-${{ github.run_id }}-${{ matrix.arch }} | |
| - name: Create base image metadata | |
| id: meta | |
| uses: ./.github/actions/metadata-action | |
| with: | |
| suffix: -${{ matrix.arch }} | |
| repository: ${{ env.PROJECT }} | |
| get_version: "true" | |
| - name: Get changes for manifest | |
| id: manifest-settings | |
| if: ${{ (github.ref_type == 'tag') || (github.event_name == 'push' && github.ref == 'refs/heads/main') }} | |
| run: | | |
| if [ ${{github.ref_type}} == tag ]; then | |
| echo "version_value=${{ steps.meta.outputs.version }}" >> $GITHUB_OUTPUT | |
| echo "append_sha='false'" >> $GITHUB_OUTPUT | |
| else | |
| echo "version_value=-${{ env.SHORT_SHA }}" >> $GITHUB_OUTPUT | |
| echo "append_sha='true'" >> $GITHUB_OUTPUT | |
| fi | |
| - name: Update manifest file | |
| if: ${{ (github.ref_type == 'tag') || (github.event_name == 'push' && github.ref == 'refs/heads/main') }} | |
| uses: ./.github/actions/update-acap-manifest-action | |
| with: | |
| manifest_file: ./app/manifest.json | |
| append: ${{ steps.manifest-settings.outputs.append_sha}} | |
| value: ${{ steps.manifest-settings.outputs.version_value }} | |
| - name: Build ${{ env.PROJECT}} application | |
| uses: ./.github/actions/docker-build-action | |
| with: | |
| dockerfile: Dockerfile | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| build-args: ARCH=${{ matrix.arch }} | |
| outputs: "type=local,dest=build" | |
| - name: Get name of EAP-file | |
| id: get_eap_file_name | |
| if: ${{ (github.ref_type == 'tag') || (github.event_name == 'push' && github.ref == 'refs/heads/main') }} | |
| run: | | |
| export EAP_FILE=$(find build -type f -name "*.eap" -printf "%f\n") | |
| delimiter="$(openssl rand -hex 8)" | |
| echo "EAP_FILE<<${delimiter}" >> ${GITHUB_ENV} | |
| echo "${EAP_FILE}" >> ${GITHUB_ENV} | |
| echo "${delimiter}" >> ${GITHUB_ENV} | |
| - name: Add sha to EAP-file name | |
| if: ${{ (github.ref_type == 'tag') || (github.event_name == 'push' && github.ref == 'refs/heads/main') }} | |
| run: | | |
| eap_file_w_sha=$(echo $"${{ env.EAP_FILE }}" | sed 's/\.eap/_${{ env.SHORT_SHA }}.eap/') | |
| echo "EAP_FILE_W_SHA=${eap_file_w_sha}" >> $GITHUB_ENV | |
| cp build/${{ env.EAP_FILE }} build/$eap_file_w_sha | |
| - name: Save full file name | |
| id: save_full_file_name | |
| if: ${{ (github.ref_type == 'tag') || (github.event_name == 'push' && github.ref == 'refs/heads/main') }} | |
| run: | | |
| echo "SHORT_SHA=${{ env.SHORT_SHA }}" >> $GITHUB_OUTPUT | |
| if [ ${{ matrix.arch }} = armv7hf ] | |
| then | |
| echo "EAP_FILE_ARMV7HF=${{ env.EAP_FILE_W_SHA }}" >> $GITHUB_OUTPUT | |
| elif [ ${{ matrix.arch }} = aarch64 ] | |
| then | |
| echo "EAP_FILE_AARCH64=${{ env.EAP_FILE_W_SHA }}" >> $GITHUB_OUTPUT | |
| else | |
| echo "::error::Non valid architecture '${{ matrix.arch }}' encountered" | |
| fi | |
| - name: Move EAP-file to cache location | |
| if: ${{ (github.ref_type == 'tag') || (github.event_name == 'push' && github.ref == 'refs/heads/main') }} | |
| run: | | |
| mkdir -p ${{ github.workspace }}/build-${{ matrix.arch }} | |
| #rm -f ${{ github.workspace }}/build-${{ matrix.arch }}/${{ env.EAP_FILE_W_SHA }} | |
| mv build/${{ env.EAP_FILE_W_SHA }} ${{ github.workspace }}/build-${{ matrix.arch }}/. | |
| # Sign the eap-file from the build | |
| sign-eap: | |
| runs-on: ubuntu-latest | |
| if: ${{ (github.ref_type == 'tag') || (github.event_name == 'push' && github.ref == 'refs/heads/main') }} | |
| needs: build | |
| permissions: | |
| contents: write | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| arch: ["armv7hf", "aarch64"] | |
| max-parallel: 1 | |
| env: | |
| EAP_FILE_ARMV7HF: ${{ needs.build.outputs.EAP_FILE_ARMV7HF }} | |
| EAP_FILE_AARCH64: ${{ needs.build.outputs.EAP_FILE_AARCH64 }} | |
| SHORT_SHA: ${{ needs.build.outputs.SHORT_SHA }} | |
| outputs: | |
| EAP_FILE_SIGNED_ARMV7HF: ${{ steps.save_full_file_name.outputs.EAP_FILE_SIGNED_ARMV7HF }} | |
| EAP_FILE_SIGNED_AARCH64: ${{ steps.save_full_file_name.outputs.EAP_FILE_SIGNED_AARCH64 }} | |
| steps: | |
| - name: Get EAP file name | |
| id: full_eap_name | |
| run: | | |
| if [ ${{ matrix.arch }} = armv7hf ] | |
| then | |
| echo "EAP_FILE=${{ env.EAP_FILE_ARMV7HF }}" >> $GITHUB_ENV | |
| elif [ ${{ matrix.arch }} = aarch64 ] | |
| then | |
| echo "EAP_FILE=${{ env.EAP_FILE_AARCH64 }}" >> $GITHUB_ENV | |
| else | |
| echo "::error::Non valid architecture '${{ matrix.arch }}' encountered" | |
| fi | |
| - uses: actions/cache/restore@v4 | |
| with: | |
| path: ${{ github.workspace }}/build-${{ matrix.arch }} | |
| key: key-${{ env.SHORT_SHA }}-${{ github.run_id }}-${{ matrix.arch }} | |
| - name: Get cached EAP-file | |
| run: | | |
| mkdir -p build | |
| mv ${{ github.workspace }}/build-${{ matrix.arch }}/${{ env.EAP_FILE }} build/. | |
| - name: Refactor naming of EAP-file for signed output | |
| run: | | |
| signed_output=$(echo "${{ env.EAP_FILE }}" | sed 's/\.eap/_signed.eap/') | |
| echo "SIGNED_EAP_FILE=${signed_output}" >> $GITHUB_ENV | |
| - name: Sign eap-file | |
| run: | | |
| cd build | |
| RESPONSE=$(curl -XPOST -H 'accept: */*' -H 'Content-Type: multipart/form-data' \ | |
| -H 'Authorization: Bearer ${{secrets.ACAP_PORTAL_SIGNING_BEARER_TOKEN}}' \ | |
| '${{ vars.ACAP_PORTAL_URL }}/${{secrets.ACAP_PORTAL_SIGNING_ID}}/sign/binary' \ | |
| -F uploadedFile=@"${{ env.EAP_FILE }}" --output ${{ env.SIGNED_EAP_FILE }} \ | |
| -w "%{http_code}\n" -o /dev/null --http1.1) | |
| echo "HTTP_RESPONSE=$RESPONSE" >> $GITHUB_ENV | |
| - name: Check that acap has been signed | |
| run: | | |
| if [[ -n "$HTTP_RESPONSE" && "$HTTP_RESPONSE" =~ ^[0-9]+$ ]]; then | |
| if [ "$HTTP_RESPONSE" -eq 200 ]; then | |
| echo "HTTP response code is 200, signing was successful" | |
| else | |
| echo "HTTP response code is: $HTTP_RESPONSE, signing was not successful" | |
| exit 1 | |
| fi | |
| else | |
| echo "HTTP_RESPONSE is empty or not a valid integer: $HTTP_RESPONSE" | |
| fi | |
| - name: Upload artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ env.SIGNED_EAP_FILE }} | |
| path: build/${{ env.SIGNED_EAP_FILE }} | |
| - name: Save full file name | |
| id: save_full_file_name | |
| run: | | |
| if [ ${{ matrix.arch }} = armv7hf ] | |
| then | |
| echo "EAP_FILE_SIGNED_ARMV7HF=${{ env.SIGNED_EAP_FILE }}" >> $GITHUB_OUTPUT | |
| elif [ ${{ matrix.arch }} = aarch64 ] | |
| then | |
| echo "EAP_FILE_SIGNED_AARCH64=${{ env.SIGNED_EAP_FILE }}" >> $GITHUB_OUTPUT | |
| else | |
| echo "::error::Non valid architecture '${{ matrix.arch }}' encountered" | |
| fi | |
| # Creates a pre-release in the repository. | |
| # This job runs if the workflow is triggered by a tag and the build job was successful. | |
| create_prerelease: | |
| if: (github.ref_type == 'tag') | |
| permissions: | |
| contents: write | |
| runs-on: ubuntu-latest | |
| needs: [build, sign-eap] | |
| outputs: | |
| RELEASE_ID: ${{ steps.prerelease.outputs.RELEASE_ID }} | |
| steps: | |
| - name: Set TAG | |
| id: vars | |
| run: echo "TAG=${GITHUB_REF#refs/*/}" >> ${GITHUB_ENV} | |
| - name: Create prerelease | |
| uses: actions/github-script@v7 | |
| id: prerelease | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| script: | | |
| try { | |
| const response = await github.rest.repos.createRelease({ | |
| draft: false, | |
| generate_release_notes: true, | |
| name: '${{ env.TAG }}', | |
| owner: context.repo.owner, | |
| prerelease: true, | |
| repo: context.repo.repo, | |
| tag_name: '${{ env.TAG }}', | |
| }); | |
| core.setOutput('RELEASE_ID', response.data.id); | |
| } catch (error) { | |
| core.setFailed(error.message); | |
| } | |
| # Uploads the signed eap files from artifacts to the pre-release. | |
| # This job runs if the create_prerelease job | |
| download-and-upload-artifacts: | |
| if: (github.ref_type == 'tag') | |
| permissions: | |
| contents: write | |
| runs-on: ubuntu-latest | |
| needs: [create_prerelease, build, sign-eap] | |
| strategy: | |
| matrix: | |
| arch: [armv7hf, aarch64] | |
| env: | |
| RELEASE_ID: ${{ needs.create_prerelease.outputs.RELEASE_ID }} | |
| EAP_FILE_SIGNED_ARMV7HF: ${{ needs.sign-eap.outputs.EAP_FILE_SIGNED_ARMV7HF }} | |
| EAP_FILE_SIGNED_AARCH64: ${{ needs.sign-eap.outputs.EAP_FILE_SIGNED_AARCH64 }} | |
| steps: | |
| - name: Get EAP file name | |
| id: full_eap_name | |
| run: | | |
| if [ ${{ matrix.arch }} = armv7hf ] | |
| then | |
| echo "EAP_FILE=${{ env.EAP_FILE_SIGNED_ARMV7HF }}" >> $GITHUB_ENV | |
| elif [ ${{ matrix.arch }} = aarch64 ] | |
| then | |
| echo "EAP_FILE=${{ env.EAP_FILE_SIGNED_AARCH64 }}" >> $GITHUB_ENV | |
| else | |
| echo "::error::Non valid architecture '${{ matrix.arch }}' encountered" | |
| fi | |
| - name: Download artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: ${{ env.EAP_FILE }} | |
| path: ./ | |
| - name: Upload file to GitHub release | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| RESPONSE=$(curl -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \ | |
| -H "Accept: application/vnd.github.manifold-preview" \ | |
| -H "Content-Type: application/zip" \ | |
| --data-binary @${{ env.EAP_FILE }} \ | |
| "https://uploads.github.com/repos/$GITHUB_REPOSITORY/releases/${{env.RELEASE_ID}}/assets?name=${{ env.EAP_FILE }}" \ | |
| -w "%{http_code}\n" -o /dev/null) | |
| echo "HTTP_RESPONSE=$RESPONSE" >> $GITHUB_ENV | |
| - name: Check that asset has been uploaded correctly | |
| run: | | |
| if [[ -n "$HTTP_RESPONSE" && "$HTTP_RESPONSE" =~ ^[0-9]+$ ]]; then | |
| if [ "$HTTP_RESPONSE" -eq 201 ]; then | |
| echo "HTTP response code is 201, upload was successful" | |
| else | |
| echo "HTTP response code is: $HTTP_RESPONSE, upload was not successful" | |
| exit 1 | |
| fi | |
| else | |
| echo "HTTP_RESPONSE is empty or not a valid integer: $HTTP_RESPONSE" | |
| fi |