constellation/.github/workflows/package-hasher.yml


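# Builds the apk package hash set with hack/package-hasher/Containerfile.apk.hasher,
# pushes the resulting .apk files to ghcr.io as content-addressed storage, and opens
# a PR ("deps: update apk package hashes") with the refreshed hashes.
name: Package hasher
on:
  workflow_dispatch:
  push:
    branches:
      - main
    paths:
      - ".github/workflows/package-hasher.yml"
      # NOTE(review): this path (Containerfile.hasher.apk) does not match the file
      # built in the "Run apk hasher" step (Containerfile.apk.hasher); one of the two
      # is probably misspelled, so pushes touching the Containerfile may never trigger
      # this workflow. Confirm which name exists under hack/package-hasher/ and align both.
      - "hack/package-hasher/Containerfile.hasher.apk"
  schedule:
    - cron: "0 22 */3 * *" # every 3 days at 22:00 UTC

jobs:
  hash:
    runs-on: ubuntu-22.04
    permissions:
      contents: read
      # packages: write is what the oras push to ghcr.io below needs from GITHUB_TOKEN.
      packages: write
    steps:
      # Guards workflow_dispatch runs started from other branches; push is already
      # restricted to main above.
      - name: Only run on main branch
        if: github.ref != 'refs/heads/main'
        run: |
          echo "::error::This workflow only runs on the main branch"
          exit 1

      - name: Checkout Constellation
        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
        with:
          # None of this workflow's triggers carries a pull_request payload, so the
          # fork check is always true and github.head_ref is empty: the expression
          # resolves to '' (the default ref). Presumably copied from a PR-triggered
          # workflow; harmless, but could be dropped.
          ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}

      - name: Install oras
        env:
          ORAS_VERSION: "0.16.0"
        run: |
          # NOTE(review): the tarball is pinned by version only. Checking it against
          # the sha256 published with the oras release before extracting would pin the
          # binary itself, not just the tag.
          curl -fsSLO "https://github.com/oras-project/oras/releases/download/v${ORAS_VERSION}/oras_${ORAS_VERSION}_linux_amd64.tar.gz"
          mkdir -p oras-install/
          tar -zxf "oras_${ORAS_VERSION}_linux_amd64.tar.gz" -C oras-install/
          mv oras-install/oras /usr/local/bin/
          rm -rf "oras_${ORAS_VERSION}_linux_amd64.tar.gz" oras-install/

      - name: Run apk hasher
        env:
          # Quoted so the value reaches docker as the string "1" regardless of parser.
          DOCKER_BUILDKIT: "1"
        # Writes the hasher's output directory to ./apko (via --output).
        run: docker build -o apko -f hack/package-hasher/Containerfile.apk.hasher .

      - name: Upload apk packages to container registry content addressed storage
        working-directory: apko/repository-apk
        env:
          # Credentials are passed through the environment instead of being expanded
          # with ${{ }} inside the script, so the token is neither substituted into
          # the shell text nor placed on a command line (oras login reads it from stdin).
          ORAS_USER: ${{ github.actor }}
          ORAS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          echo "${ORAS_TOKEN}" | oras login ghcr.io -u "${ORAS_USER}" --password-stdin
          oras push ghcr.io/edgelesssys/constellation/packages-apk:latest ./*.apk

      # The .apk files themselves must not end up in the PR; only the hash output stays.
      - name: Remove apk packages
        working-directory: apko
        run: rm -rf repository-apk

      - name: Create new PR
        uses: peter-evans/create-pull-request@2b011faafdcbc9ceb11414d64d0573f37c774b04 # v4.2.3
        with:
          branch: ci/hasher/apk
          title: "deps: update apk package hashes"
          commit-message: "deps: update apk package hashes"
          body: |
            :robot: *This is an automated PR.* :robot:
            This PR updates (the hashes of) apk packages. It is generated by the package-hasher workflow.
          committer: edgelessci <edgelessci@users.noreply.github.com>
          labels: dependencies
          # We need to push changes using a token, otherwise triggers like on:push and on:pull_request won't work.
          token: ${{ !github.event.pull_request.head.repo.fork && secrets.TIDY_RENOVATE_PUSH || '' }}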