publish.yml
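# Release pipeline, triggered by pushing a tag that matches v*:
#   build          -> compiles mTower and records SHA-256 digests of the images
#   create-release -> creates the GitHub release for the tag
#   provenance     -> generates SLSA provenance over the recorded digests
#   release        -> re-checks the images against the digests, then attaches
#                     them to the release
name: Create Release & Upload Asset

on:
  push:
    tags:
      - "v*"

# The workflow token is read-only by default; each job below widens only the
# scopes it needs.
permissions:
  contents: read

jobs:
  # Build mTower
  build:
    runs-on: ubuntu-latest
    name: Build mTower
    outputs:
      # NOTE(review): no step in this job has the id "build", so this output
      # evaluates to an empty string. Nothing in this workflow reads it.
      artifacts: ${{ steps.build.outputs.artifacts }}
      hashes: ${{ steps.hash.outputs.hashes }}
      version: ${{ steps.mtower_version.outputs.version }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0
        with:
          # "audit" records outbound connections but does not block any.
          egress-policy: audit

      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683

      # The apt packages are installed at whatever version the runner's
      # mirrors serve; nothing here pins them.
      - name: Install extra tools
        run: |
          sudo apt-get update
          sudo apt-get install -y make build-essential libncurses5-dev libssl-dev libcurl4-openssl-dev

      # NOTE(review): "make toolchain" presumably obtains the cross toolchain;
      # confirm where it comes from and whether it is integrity-checked.
      - name: Build the project
        run: |
          make PLATFORM=numaker_pfm_m2351 create_context
          make toolchain
          make
          # Save the location of the mtower_*.bin output files for easier reference
          # ARTIFACT_PATTERN=./mtower_s.bin
          # echo "artifact_pattern=$ARTIFACT_PATTERN" >> "$GITHUB_OUTPUT"
          # echo "artifact_pattern=mtower_s.bin" >> "$GITHUB_OUTPUT"

      # The digests are taken in the same job that produced the images, before
      # they leave the runner. They become the provenance subjects and the
      # reference the release job checks against.
      - name: Generate subject
        id: hash
        run: |
          echo "hashes=$(sha256sum mtower_s.bin mtower_ns.bin | base64 -w0)" >> "$GITHUB_OUTPUT"

      # The version output is the fixed string "mtower", so the artifact names
      # below resolve to mtower_s.bin and mtower_ns.bin.
      # If the commented-out variant is re-enabled, pass github.ref_name
      # through an env: entry instead of expanding it inside the script text.
      - name: Get mTower version
        id: mtower_version
        run: |
          echo "version=mtower" >> "$GITHUB_OUTPUT"
          # VERSION=${{ github.ref_name }}
          # echo "version=mtower-${VERSION:1}.bin" >> "$GITHUB_OUTPUT"

      - name: Upload build artifacts
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
        with:
          name: ${{ steps.mtower_version.outputs.version }}_s.bin
          path: ./${{ steps.mtower_version.outputs.version }}_s.bin
          if-no-files-found: error

      - name: Upload build artifacts
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
        with:
          name: ${{ steps.mtower_version.outputs.version }}_ns.bin
          path: ./${{ steps.mtower_version.outputs.version }}_ns.bin
          if-no-files-found: error

  # Create Release
  create-release:
    permissions:
      contents: write  # for marvinpinto/action-automatic-releases to create the release
    needs: [build]
    name: Create Release
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0
        with:
          egress-policy: audit

      - uses: marvinpinto/action-automatic-releases@d68defdd11f9dcc7f52f35c1b7c236ee7513bcc1
        with:
          repo_token: "${{ secrets.GITHUB_TOKEN }}"
          prerelease: false
          title: "mTower ${{ github.ref_name }}"

  # Generate Provenance
  provenance:
    needs: [build, create-release]
    name: Generate Provenance
    permissions:
      actions: read  # To read the workflow path.
      id-token: write  # To sign the provenance.
      contents: write  # To add assets to a release.
    # Unlike the other actions in this file, this reusable workflow is
    # referenced by release tag rather than commit SHA. The SLSA generator
    # documents the tag reference as required so that verification can
    # identify the builder. Do not replace it with a SHA pin.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
    with:
      base64-subjects: "${{ needs.build.outputs.hashes }}"
      upload-assets: true  # Optional: Upload to a new release

  # Upload Assets
  release:
    permissions:
      contents: write  # for softprops/action-gh-release to create GitHub release
    needs: [build, create-release, provenance]
    name: Upload Assets
    runs-on: ubuntu-latest
    if: startsWith(github.ref, 'refs/tags/')
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0
        with:
          egress-policy: audit

      - name: Download ${{ needs.build.outputs.version }}_s.bin
        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3
        with:
          name: ${{ needs.build.outputs.version }}_s.bin

      - name: Download ${{ needs.build.outputs.version }}_ns.bin
        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3
        with:
          name: ${{ needs.build.outputs.version }}_ns.bin

      # The images travelled through artifact storage between jobs. Check them
      # against the digests recorded in the build job, which are the same
      # digests the provenance attests to, before publishing them. The digest
      # list is passed through env so it is never expanded into the script.
      # An empty or malformed list makes sha256sum fail, so the job stops.
      - name: Verify downloaded artifacts against build digests
        env:
          HASHES: ${{ needs.build.outputs.hashes }}
        run: |
          set -euo pipefail
          printf '%s' "$HASHES" | base64 -d | sha256sum --check --strict

      - name: Upload assets
        uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631
        with:
          files: |
            ${{ needs.build.outputs.version }}_s.bin
            ${{ needs.build.outputs.version }}_ns.bin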