4577254e20
Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much. - Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) Signed-off-by: naveen <172697+naveensrinivasan@users.noreply.github.com>
506 lines
19 KiB
YAML
506 lines
19 KiB
YAML
name: Build train
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
sourcerepo:
|
|
description: Source repository
|
|
required: true
|
|
default: 'nightly'
|
|
push:
|
|
branches:
|
|
- master
|
|
|
|
jobs:
|
|
|
|
##########################################################################################
|
|
# #
|
|
# cancels previous runs associated with a workflow #
|
|
# #
|
|
##########################################################################################
|
|
|
|
Cancel:
|
|
if: ${{ github.repository_owner == 'Armbian' }}
|
|
runs-on: small
|
|
steps:
|
|
- uses: n1hility/cancel-previous-runs@v2
|
|
with:
|
|
token: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
##########################################################################################
|
|
# #
|
|
# Merge master into nighly image from which we build packages #
|
|
# #
|
|
##########################################################################################
|
|
|
|
Merge:
|
|
permissions:
|
|
contents: none
|
|
name: Merging
|
|
needs: Cancel
|
|
if: ${{ github.repository_owner == 'Armbian' }}
|
|
uses: armbian/scripts/.github/workflows/merge-from-branch.yml@master
|
|
|
|
with:
|
|
branch: 'nightly'
|
|
runner: small
|
|
|
|
secrets:
|
|
GPG_KEY2: ${{ secrets.GPG_KEY2 }}
|
|
GPG_PASSPHRASE2: ${{ secrets.GPG_PASSPHRASE2 }}
|
|
|
|
##########################################################################################
|
|
# #
|
|
# Check for changes in patches, kernel config and upstream #
|
|
# #
|
|
##########################################################################################
|
|
|
|
Check:
|
|
permissions:
|
|
contents: none
|
|
name: Checking
|
|
needs: Merge
|
|
if: ${{ success() && github.repository_owner == 'Armbian' }}
|
|
uses: armbian/scripts/.github/workflows/check-for-changes.yml@master
|
|
|
|
with:
|
|
reference: '${{ github.event.inputs.sourcerepo }}'
|
|
runner: small
|
|
|
|
##########################################################################################
|
|
# #
|
|
# Build changed kernel packages #
|
|
# #
|
|
##########################################################################################
|
|
|
|
Kernel:
|
|
permissions:
|
|
contents: none
|
|
needs: Check
|
|
if: ${{ success() && github.repository_owner == 'Armbian' }}
|
|
uses: armbian/scripts/.github/workflows/build-kernel.yml@master
|
|
|
|
with:
|
|
uploading: true
|
|
runner: fast
|
|
reference: '${{ github.event.inputs.sourcerepo }}'
|
|
|
|
secrets:
|
|
GPG_KEY1: ${{ secrets.GPG_KEY1 }}
|
|
GPG_PASSPHRASE1: ${{ secrets.GPG_PASSPHRASE1 }}
|
|
GPG_KEY2: ${{ secrets.GPG_KEY2 }}
|
|
GPG_PASSPHRASE2: ${{ secrets.GPG_PASSPHRASE2 }}
|
|
SCRIPTS_ACCESS_TOKEN: ${{ secrets.SCRIPTS_ACCESS_TOKEN }}
|
|
KEY_TORRENTS: ${{ secrets.KEY_TORRENTS }}
|
|
KNOWN_HOSTS_UPLOAD: ${{ secrets.KNOWN_HOSTS_UPLOAD }}
|
|
|
|
##########################################################################################
|
|
# #
|
|
# Build changed firmware, zsh, armbian-config #
|
|
# #
|
|
##########################################################################################
|
|
|
|
Firmware:
|
|
permissions:
|
|
contents: none
|
|
needs: Check
|
|
if: ${{ success() && github.repository_owner == 'Armbian' }}
|
|
uses: armbian/scripts/.github/workflows/build-firmware.yml@master
|
|
|
|
with:
|
|
reference: '${{ github.event.inputs.sourcerepo }}'
|
|
uploading: true
|
|
runner: small
|
|
|
|
secrets:
|
|
KEY_TORRENTS: ${{ secrets.KEY_TORRENTS }}
|
|
KNOWN_HOSTS_UPLOAD: ${{ secrets.KNOWN_HOSTS_UPLOAD }}
|
|
|
|
##########################################################################################
|
|
# #
|
|
# Build changed desktop packages #
|
|
# #
|
|
##########################################################################################
|
|
|
|
Desktop:
|
|
permissions:
|
|
contents: none
|
|
needs: Check
|
|
if: ${{ success() && github.repository_owner == 'Armbian' }}
|
|
uses: armbian/scripts/.github/workflows/build-desktop.yml@master
|
|
|
|
with:
|
|
uploading: true
|
|
runner: small
|
|
reference: '${{ github.event.inputs.sourcerepo }}'
|
|
|
|
secrets:
|
|
GPG_KEY1: ${{ secrets.GPG_KEY1 }}
|
|
GPG_PASSPHRASE1: ${{ secrets.GPG_PASSPHRASE1 }}
|
|
GPG_KEY2: ${{ secrets.GPG_KEY2 }}
|
|
GPG_PASSPHRASE2: ${{ secrets.GPG_PASSPHRASE2 }}
|
|
SCRIPTS_ACCESS_TOKEN: ${{ secrets.SCRIPTS_ACCESS_TOKEN }}
|
|
KEY_TORRENTS: ${{ secrets.KEY_TORRENTS }}
|
|
KNOWN_HOSTS_UPLOAD: ${{ secrets.KNOWN_HOSTS_UPLOAD }}
|
|
|
|
##########################################################################################
|
|
# #
|
|
# Build u-boot and board support packages #
|
|
# #
|
|
##########################################################################################
|
|
|
|
legacy:
|
|
permissions:
|
|
contents: none
|
|
needs: Check
|
|
if: ${{ success() && github.repository_owner == 'Armbian' }}
|
|
uses: armbian/scripts/.github/workflows/build-u-boot-with-docker.yml@master
|
|
|
|
with:
|
|
|
|
runner: "small"
|
|
include: 'grep legacy | '
|
|
exclude: ''
|
|
uploading: false
|
|
destref: '${{ github.event.inputs.sourcerepo }}'
|
|
|
|
secrets:
|
|
GPG_KEY1: ${{ secrets.GPG_KEY1 }}
|
|
GPG_PASSPHRASE1: ${{ secrets.GPG_PASSPHRASE1 }}
|
|
GPG_KEY2: ${{ secrets.GPG_KEY2 }}
|
|
GPG_PASSPHRASE2: ${{ secrets.GPG_PASSPHRASE2 }}
|
|
SCRIPTS_ACCESS_TOKEN: ${{ secrets.SCRIPTS_ACCESS_TOKEN }}
|
|
SSH_KEY_TORRENTS: ${{ secrets.KEY_TORRENTS }}
|
|
KNOWN_HOSTS_UPLOAD: ${{ secrets.KNOWN_HOSTS_UPLOAD }}
|
|
|
|
current:
|
|
permissions:
|
|
contents: none
|
|
needs: Check
|
|
if: ${{ success() && github.repository_owner == 'Armbian' }}
|
|
uses: armbian/scripts/.github/workflows/build-u-boot-with-docker.yml@master
|
|
|
|
with:
|
|
|
|
runner: "small"
|
|
include: 'grep current | '
|
|
exclude: ''
|
|
uploading: false
|
|
destref: '${{ github.event.inputs.sourcerepo }}'
|
|
|
|
secrets:
|
|
GPG_KEY1: ${{ secrets.GPG_KEY1 }}
|
|
GPG_PASSPHRASE1: ${{ secrets.GPG_PASSPHRASE1 }}
|
|
GPG_KEY2: ${{ secrets.GPG_KEY2 }}
|
|
GPG_PASSPHRASE2: ${{ secrets.GPG_PASSPHRASE2 }}
|
|
SCRIPTS_ACCESS_TOKEN: ${{ secrets.SCRIPTS_ACCESS_TOKEN }}
|
|
SSH_KEY_TORRENTS: ${{ secrets.KEY_TORRENTS }}
|
|
KNOWN_HOSTS_UPLOAD: ${{ secrets.KNOWN_HOSTS_UPLOAD }}
|
|
|
|
|
|
edge:
|
|
permissions:
|
|
contents: none
|
|
needs: Check
|
|
if: ${{ success() && github.repository_owner == 'Armbian' }}
|
|
uses: armbian/scripts/.github/workflows/build-u-boot-with-docker.yml@master
|
|
|
|
with:
|
|
|
|
runner: "small"
|
|
include: 'grep edge | '
|
|
exclude: ''
|
|
uploading: false
|
|
destref: '${{ github.event.inputs.sourcerepo }}'
|
|
|
|
secrets:
|
|
GPG_KEY1: ${{ secrets.GPG_KEY1 }}
|
|
GPG_PASSPHRASE1: ${{ secrets.GPG_PASSPHRASE1 }}
|
|
GPG_KEY2: ${{ secrets.GPG_KEY2 }}
|
|
GPG_PASSPHRASE2: ${{ secrets.GPG_PASSPHRASE2 }}
|
|
SCRIPTS_ACCESS_TOKEN: ${{ secrets.SCRIPTS_ACCESS_TOKEN }}
|
|
SSH_KEY_TORRENTS: ${{ secrets.KEY_TORRENTS }}
|
|
KNOWN_HOSTS_UPLOAD: ${{ secrets.KNOWN_HOSTS_UPLOAD }}
|
|
|
|
##########################################################################################
|
|
# #
|
|
# Store build hashes for future comparission #
|
|
# #
|
|
##########################################################################################
|
|
|
|
Deploycheck:
|
|
permissions:
|
|
contents: none
|
|
needs: [Kernel,Desktop,Firmware,legacy,current,edge]
|
|
if: ${{ inputs.sourcerepo != 'nightly' }}
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Early exit
|
|
run: exit_with_success
|
|
|
|
Deploy:
|
|
permissions:
|
|
contents: none
|
|
needs: [Deploycheck]
|
|
if: ${{ success() && github.repository_owner == 'Armbian' }}
|
|
uses: armbian/scripts/.github/workflows/deploy.yml@master
|
|
|
|
with:
|
|
|
|
uploading: true
|
|
|
|
secrets:
|
|
GPG_KEY1: ${{ secrets.GPG_KEY1 }}
|
|
GPG_PASSPHRASE1: ${{ secrets.GPG_PASSPHRASE1 }}
|
|
GPG_KEY2: ${{ secrets.GPG_KEY2 }}
|
|
GPG_PASSPHRASE2: ${{ secrets.GPG_PASSPHRASE2 }}
|
|
SCRIPTS_ACCESS_TOKEN: ${{ secrets.SCRIPTS_ACCESS_TOKEN }}
|
|
KEY_TORRENTS: ${{ secrets.KEY_TORRENTS }}
|
|
KNOWN_HOSTS_UPLOAD: ${{ secrets.KNOWN_HOSTS_UPLOAD }}
|
|
|
|
apt-armbian-com:
|
|
permissions:
|
|
contents: none
|
|
name: "Stable repository"
|
|
needs: [Deploy]
|
|
if: ${{ success() && github.repository_owner == 'Armbian' }}
|
|
uses: armbian/scripts/.github/workflows/update-repository.yml@master
|
|
|
|
with:
|
|
KEY_ID: 'repository'
|
|
|
|
secrets:
|
|
KEY_REPOSITORY: ${{ secrets.KEY_REPOSITORY }}
|
|
USER_REPOSITORY: ${{ secrets.USER_REPOSITORY }}
|
|
HOST_REPOSITORY: ${{ secrets.HOST_REPOSITORY }}
|
|
KNOWN_HOSTS_REPOSITORY: ${{ secrets.KNOWN_HOSTS_REPOSITORY }}
|
|
|
|
beta-armbian-com:
|
|
permissions:
|
|
contents: none
|
|
name: "Nighly repository"
|
|
needs: [Deploy]
|
|
if: ${{ success() && github.repository_owner == 'Armbian' }}
|
|
uses: armbian/scripts/.github/workflows/update-repository.yml@master
|
|
|
|
with:
|
|
KEY_ID: 'repository-beta'
|
|
|
|
secrets:
|
|
KEY_REPOSITORY: ${{ secrets.KEY_REPOSITORY_BETA }}
|
|
USER_REPOSITORY: ${{ secrets.USER_REPOSITORY }}
|
|
HOST_REPOSITORY: ${{ secrets.HOST_REPOSITORY }}
|
|
KNOWN_HOSTS_REPOSITORY: ${{ secrets.KNOWN_HOSTS_REPOSITORY }}
|
|
|
|
sync-servers:
|
|
permissions:
|
|
contents: none
|
|
name: "Sync servers"
|
|
needs: [apt-armbian-com,beta-armbian-com]
|
|
if: ${{ success() && github.repository_owner == 'Armbian' }}
|
|
uses: armbian/scripts/.github/workflows/sync-servers.yml@master
|
|
|
|
with:
|
|
KEY_ID: 'upload'
|
|
|
|
secrets:
|
|
KEY_UPLOAD: ${{ secrets.KEY_UPLOAD }}
|
|
USER_REPOSITORY: ${{ secrets.USER_REPOSITORY }}
|
|
HOST_REPOSITORY: ${{ secrets.HOST_REPOSITORY }}
|
|
KNOWN_HOSTS_REPOSITORY: ${{ secrets.KNOWN_HOSTS_REPOSITORY }}
|
|
|
|
##########################################################################################
|
|
# #
|
|
# Build x86 CLI images #
|
|
# #
|
|
##########################################################################################
|
|
|
|
x86-cli-images:
|
|
permissions:
|
|
contents: none
|
|
needs: [apt-armbian-com,beta-armbian-com,sync-servers]
|
|
uses: armbian/scripts/.github/workflows/build-with-docker.yml@master
|
|
|
|
with:
|
|
|
|
variant: 'cli:beta'
|
|
runner: "small"
|
|
sourcerepo: '${{ github.event.inputs.sourcerepo }}'
|
|
part: 1
|
|
of: 1
|
|
include: 'grep uefi-x86 | '
|
|
exclude: ''
|
|
uploading: false
|
|
|
|
secrets:
|
|
GPG_KEY1: ${{ secrets.GPG_KEY1 }}
|
|
GPG_PASSPHRASE1: ${{ secrets.GPG_PASSPHRASE1 }}
|
|
GPG_KEY2: ${{ secrets.GPG_KEY2 }}
|
|
GPG_PASSPHRASE2: ${{ secrets.GPG_PASSPHRASE2 }}
|
|
SCRIPTS_ACCESS_TOKEN: ${{ secrets.SCRIPTS_ACCESS_TOKEN }}
|
|
SSH_KEY_TORRENTS: ${{ secrets.KEY_TORRENTS }}
|
|
KNOWN_HOSTS_UPLOAD: ${{ secrets.KNOWN_HOSTS_UPLOAD }}
|
|
|
|
##########################################################################################
|
|
# #
|
|
# Build x86 desktop images #
|
|
# #
|
|
##########################################################################################
|
|
|
|
x86-desktop-images:
|
|
permissions:
|
|
contents: none
|
|
needs: [apt-armbian-com,beta-armbian-com,sync-servers]
|
|
uses: armbian/scripts/.github/workflows/build-with-docker.yml@master
|
|
|
|
with:
|
|
|
|
variant: 'desktop:beta'
|
|
runner: "big"
|
|
sourcerepo: '${{ github.event.inputs.sourcerepo }}'
|
|
part: 1
|
|
of: 1
|
|
include: 'grep uefi-x86 | '
|
|
exclude: ''
|
|
uploading: false
|
|
|
|
secrets:
|
|
GPG_KEY1: ${{ secrets.GPG_KEY1 }}
|
|
GPG_PASSPHRASE1: ${{ secrets.GPG_PASSPHRASE1 }}
|
|
GPG_KEY2: ${{ secrets.GPG_KEY2 }}
|
|
GPG_PASSPHRASE2: ${{ secrets.GPG_PASSPHRASE2 }}
|
|
SCRIPTS_ACCESS_TOKEN: ${{ secrets.SCRIPTS_ACCESS_TOKEN }}
|
|
SSH_KEY_TORRENTS: ${{ secrets.KEY_TORRENTS }}
|
|
KNOWN_HOSTS_UPLOAD: ${{ secrets.KNOWN_HOSTS_UPLOAD }}
|
|
|
|
##########################################################################################
|
|
# #
|
|
# Build CLI images #
|
|
# #
|
|
##########################################################################################
|
|
|
|
cli-images:
|
|
permissions:
|
|
contents: none
|
|
needs: [apt-armbian-com,beta-armbian-com,sync-servers]
|
|
uses: armbian/scripts/.github/workflows/build-with-docker.yml@master
|
|
|
|
with:
|
|
|
|
variant: 'cli:beta'
|
|
runner: "small"
|
|
sourcerepo: '${{ github.event.inputs.sourcerepo }}'
|
|
part: 1
|
|
of: 1
|
|
include: ''
|
|
exclude: 'grep -v uefi-x86 | '
|
|
uploading: false
|
|
|
|
secrets:
|
|
GPG_KEY1: ${{ secrets.GPG_KEY1 }}
|
|
GPG_PASSPHRASE1: ${{ secrets.GPG_PASSPHRASE1 }}
|
|
GPG_KEY2: ${{ secrets.GPG_KEY2 }}
|
|
GPG_PASSPHRASE2: ${{ secrets.GPG_PASSPHRASE2 }}
|
|
SCRIPTS_ACCESS_TOKEN: ${{ secrets.SCRIPTS_ACCESS_TOKEN }}
|
|
SSH_KEY_TORRENTS: ${{ secrets.KEY_TORRENTS }}
|
|
KNOWN_HOSTS_UPLOAD: ${{ secrets.KNOWN_HOSTS_UPLOAD }}
|
|
|
|
##########################################################################################
|
|
# #
|
|
# Build desktop images #
|
|
# #
|
|
##########################################################################################
|
|
|
|
desktop-images:
|
|
permissions:
|
|
contents: none
|
|
needs: [apt-armbian-com,beta-armbian-com,sync-servers]
|
|
uses: armbian/scripts/.github/workflows/build-with-docker.yml@master
|
|
|
|
with:
|
|
variant: 'desktop:beta'
|
|
runner: "big"
|
|
sourcerepo: '${{ github.event.inputs.sourcerepo }}'
|
|
part: 1
|
|
of: 1
|
|
include: ''
|
|
exclude: 'grep -v uefi-x86 | '
|
|
uploading: false
|
|
|
|
secrets:
|
|
GPG_KEY1: ${{ secrets.GPG_KEY1 }}
|
|
GPG_PASSPHRASE1: ${{ secrets.GPG_PASSPHRASE1 }}
|
|
GPG_KEY2: ${{ secrets.GPG_KEY2 }}
|
|
GPG_PASSPHRASE2: ${{ secrets.GPG_PASSPHRASE2 }}
|
|
SCRIPTS_ACCESS_TOKEN: ${{ secrets.SCRIPTS_ACCESS_TOKEN }}
|
|
SSH_KEY_TORRENTS: ${{ secrets.KEY_TORRENTS }}
|
|
KNOWN_HOSTS_UPLOAD: ${{ secrets.KNOWN_HOSTS_UPLOAD }}
|
|
|
|
##########################################################################################
|
|
# #
|
|
# Bump with version if compilation succeeded #
|
|
# #
|
|
##########################################################################################
|
|
|
|
Bump:
|
|
permissions:
|
|
contents: none
|
|
needs: [x86-cli-images,x86-desktop-images,cli-images,desktop-images]
|
|
if: ${{ success() && github.repository_owner == 'Armbian' }}
|
|
uses: armbian/scripts/.github/workflows/update-version.yml@master
|
|
|
|
with:
|
|
|
|
uploading: true
|
|
|
|
secrets:
|
|
GPG_KEY1: ${{ secrets.GPG_KEY1 }}
|
|
GPG_PASSPHRASE1: ${{ secrets.GPG_PASSPHRASE1 }}
|
|
GPG_KEY2: ${{ secrets.GPG_KEY2 }}
|
|
GPG_PASSPHRASE2: ${{ secrets.GPG_PASSPHRASE2 }}
|
|
SCRIPTS_ACCESS_TOKEN: ${{ secrets.SCRIPTS_ACCESS_TOKEN }}
|
|
KEY_TORRENTS: ${{ secrets.KEY_TORRENTS }}
|
|
KNOWN_HOSTS_UPLOAD: ${{ secrets.KNOWN_HOSTS_UPLOAD }}
|
|
|
|
##########################################################################################
|
|
# #
|
|
# Update download links and create torrents #
|
|
# #
|
|
##########################################################################################
|
|
|
|
Torrents:
|
|
permissions:
|
|
contents: none
|
|
name: Torrents
|
|
needs: [x86-cli-images,x86-desktop-images,cli-images,desktop-images]
|
|
if: ${{ github.repository_owner == 'Armbian' }}
|
|
uses: armbian/scripts/.github/workflows/update-download.yml@master
|
|
|
|
secrets:
|
|
KEY_TORRENTS: ${{ secrets.KEY_TORRENTS }}
|
|
USER_TORRENTS: ${{ secrets.USER_TORRENTS }}
|
|
HOST_TORRENTS: ${{ secrets.HOST_TORRENTS }}
|
|
KNOWN_HOSTS_TORRENTS: ${{ secrets.KNOWN_HOSTS_TORRENTS }}
|
|
|
|
##########################################################################################
|
|
# #
|
|
# Clean runners #
|
|
# #
|
|
##########################################################################################
|
|
|
|
Maintaining:
|
|
|
|
permissions:
|
|
contents: none
|
|
needs: [Bump,Torrents]
|
|
if: ${{ success() && github.repository_owner == 'Armbian' }}
|
|
uses: armbian/scripts/.github/workflows/maintain-runners.yml@master
|
|
|
|
with:
|
|
|
|
checking: true
|
|
|
|
secrets:
|
|
KEY_TORRENTS: ${{ secrets.KEY_TORRENTS }}
|
|
KNOWN_HOSTS_UPLOAD: ${{ secrets.KNOWN_HOSTS_UPLOAD }}
|