get-signed-installers-from-stampy #428
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: get-signed-installers-from-stampy | |
| on: | |
| workflow_dispatch: | |
| schedule: | |
| # 2:35 am central time | |
| - cron: '35 7 * * *' | |
| jobs: | |
| get-signed-from-stampy: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Check out the repo | |
| uses: actions/checkout@v4 | |
| - name: download | |
| env: | |
| STAMPY_ARN: ${{ secrets.STAMPY_ARN }} | |
| AWS_ACCESS_KEY_ID: ${{secrets.AWS_ACCESS_KEY_ID}} | |
| AWS_SECRET_ACCESS_KEY: ${{secrets.AWS_SECRET_ACCESS_KEY}} | |
| AWS_EC2_METADATA_DISABLED: true | |
| # switch AWS identity to the one that can access stampy | |
| run: | | |
| ACCOUNT_ID=$(aws sts get-caller-identity | jq -r '.Account') | |
| TEMP_ROLE=$(aws sts assume-role --role-arn $STAMPY_ARN --role-session-name artifact-signing) | |
| export AWS_ACCESS_KEY_ID=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.AccessKeyId') | |
| export AWS_SECRET_ACCESS_KEY=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SecretAccessKey') | |
| export AWS_SESSION_TOKEN=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SessionToken') | |
| aws s3 cp --recursive ${{ secrets.STAMPY_SIGNED_BUCKET }}/ . | |
| - name: upload to CLI s3 | |
| id: upload | |
| env: | |
| AWS_ACCESS_KEY_ID: ${{secrets.AWS_ACCESS_KEY_ID}} | |
| AWS_SECRET_ACCESS_KEY: ${{secrets.AWS_SECRET_ACCESS_KEY}} | |
| AWS_EC2_METADATA_DISABLED: true | |
| run: | | |
| echo -e "output<<EOF\n$(node scripts/stampy-signed-upload.js)\nEOF" >> "$GITHUB_OUTPUT" | |
| - name: clean up stampy in/out buckets | |
| env: | |
| STAMPY_ARN: ${{ secrets.STAMPY_ARN }} | |
| STAMPY_UNSIGNED_BUCKET: ${{ secrets.STAMPY_UNSIGNED_BUCKET }} | |
| STAMPY_SIGNED_BUCKET: ${{ secrets.STAMPY_SIGNED_BUCKET }} | |
| AWS_ACCESS_KEY_ID: ${{secrets.AWS_ACCESS_KEY_ID}} | |
| AWS_SECRET_ACCESS_KEY: ${{secrets.AWS_SECRET_ACCESS_KEY}} | |
| AWS_EC2_METADATA_DISABLED: true | |
| run: | | |
| ACCOUNT_ID=$(aws sts get-caller-identity | jq -r '.Account') | |
| TEMP_ROLE=$(aws sts assume-role --role-arn $STAMPY_ARN --role-session-name artifact-signing) | |
| export AWS_ACCESS_KEY_ID=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.AccessKeyId') | |
| export AWS_SECRET_ACCESS_KEY=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SecretAccessKey') | |
| export AWS_SESSION_TOKEN=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SessionToken') | |
| node scripts/stampy-signed-delete.js | |
| - name: notify | |
| uses: slackapi/[email protected] | |
| env: | |
| SLACK_WEBHOOK_URL: ${{ secrets.CLI_TEAM_SLACK_WEBHOOK_URL }} | |
| SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK | |
| with: | |
| payload: | | |
| { | |
| "blocks": [{ | |
| "type": "section", | |
| "text": { | |
| "type": "mrkdwn", | |
| "text": "Stampy signed and uploaded the following files\n ${{ steps.upload.outputs.output }}" | |
| } | |
| }] | |
| } |