name: PrivescCheck Update & Build

# NOTE(review): no `permissions:` key appears anywhere in this workflow, so
# each job gets the repository's default GITHUB_TOKEN scopes. The visible steps
# call `gh release create` and a commit-and-push script, so `contents: write`
# looks like the scope they need; consider declaring it explicitly, per job.
on:
  # Run whenever a push lands on the master branch.
  push:
    branches:
      - master
  # Allow a manual run from GitHub > Actions.
  workflow_dispatch:
  # Run on a timer. GitHub evaluates cron fields in UTC: 12:47 every Wednesday.
  schedule:
    - cron: '47 12 * * 3'

# All runs share one concurrency group, so GitHub does not execute two of them
# at the same time.
concurrency:
  group: privesccheck-update-and-build
#
# Below, we are building the following chain:
#
# -> Update data files and commit changes (if needed)
# -> Get release tag to apply to next release
# -> Build scripts and create new release
#
# Notes:
# - if we fail to update data files for some reason, we still want to be
# able to build the scripts.
# - if the action is triggered because it was scheduled, we want to create
# a new release only if data has been updated.
#
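jobs:
  # Job 1: refresh the data files and push the result to master.
  update-data:
    name: Update data
    runs-on: ubuntu-latest
    # Exposed to the later jobs through `needs.update-data.outputs.*`.
    outputs:
      data-updated: ${{ steps.commit-and-push.outputs.data-updated }}
      # Base64-encoded list of changed file names (or base64 of "N/A").
      data-update-diff: ${{ steps.commit-and-push.outputs.data-update-diff }}
    steps:
      - name: Check out master branch
        # NOTE(review): `v5` is a mutable tag. Pinning the action to a full
        # commit SHA keeps a retagged release from changing what runs here.
        uses: actions/checkout@v5
        with:
          ref: master
      - name: Update LOL driver list
        # Continue even if we fail to update the LOL driver list.
        # NOTE(review): whatever this step changes in the working tree is
        # handed to the commit-and-push step below. Update-LolDriverList is
        # presumably defined in build/Build.ps1 (not shown) and presumably
        # downloads the list; confirm it validates what it fetches.
        continue-on-error: true
        shell: pwsh
        run: |
          . ./build/Build.ps1
          Update-LolDriverList
      - name: Commit and push changes (if needed)
        id: commit-and-push
        # The actor values reach the script through the environment instead of
        # being expanded into the script text, so the shell always treats them
        # as data.
        env:
          ACTOR_ID: ${{ github.actor_id }}
          ACTOR_NAME: ${{ github.actor }}
        shell: bash
        run: |
          # A non-zero exit from the script is reported as "no data update".
          if ! bash ./.github/workflows/commit_and_push.sh "${ACTOR_ID}" "${ACTOR_NAME}"; then
            echo "data-updated=false" >> "$GITHUB_OUTPUT"
            echo "data-update-diff=$(echo "N/A" | base64 -w 0)" >> "$GITHUB_OUTPUT"
          else
            echo "data-updated=true" >> "$GITHUB_OUTPUT"
            # NOTE(review): this lists files under ./data that still differ
            # from the index once the script has returned; if the script has
            # already committed them the list is empty. Confirm against
            # commit_and_push.sh.
            echo "data-update-diff=$(git diff --name-only -- ./data | base64 -w 0)" >> "$GITHUB_OUTPUT"
          fi

  # Job 2: work out the tag to apply to the next release.
  get-release-tag:
    name: Get release tag
    needs: update-data
    runs-on: ubuntu-latest
    outputs:
      release-tag: ${{ steps.get-release-tag.outputs.release-tag }}
    steps:
      - name: Check out master branch
        # NOTE(review): mutable tag; consider pinning to a full commit SHA.
        uses: actions/checkout@v5
        with:
          ref: master
      - name: Get release tag
        id: get-release-tag
        # The token is scoped to this step only.
        env:
          GH_TOKEN: ${{ github.token }}
        shell: bash
        run: |
          # The script's standard output becomes the `release-tag` output.
          echo "release-tag=$(bash ./.github/workflows/get_release_tag.sh)" >> "$GITHUB_OUTPUT"

  # Job 3: write the changelog, build the script and publish the release.
  build-scripts:
    name: Build PrivescCheck
    needs: [update-data, get-release-tag]
    runs-on: ubuntu-latest
    steps:
      - name: Check out master branch
        # NOTE(review): mutable tag; consider pinning to a full commit SHA.
        uses: actions/checkout@v5
        with:
          ref: master
          # Fetch the full history; the changelog step below diffs two commits.
          fetch-depth: 0
      - name: Generate Changelog
        # Workflow context values are passed through the environment rather
        # than expanded into the script text.
        env:
          EVENT_NAME: ${{ github.event_name }}
          BEFORE_SHA: ${{ github.event.before }}
          AFTER_SHA: ${{ github.event.after }}
          DATA_UPDATE_DIFF: ${{ needs.update-data.outputs.data-update-diff }}
        shell: bash
        run: |
          event_name="${EVENT_NAME}"
          echo "[*] Event name: ${event_name}"
          changelog_content=""
          if [[ "${event_name}" == "push" ]]; then
            echo "[*] Commit ID before push: ${BEFORE_SHA}"
            echo "[*] Commit ID after push: ${AFTER_SHA}"
            # Keep only the lines the push added to CHANGELOG.md, without the
            # leading "+" and without the "+++" file header.
            # NOTE(review): with `shell: bash` the script runs under
            # `-eo pipefail`; when the diff has no added CHANGELOG.md lines,
            # grep exits 1 and this assignment stops the step. Confirm that
            # is intended, or append `|| true`.
            changelog_content="$(git diff --unified=0 "${BEFORE_SHA}" "${AFTER_SHA}" -- "./info/CHANGELOG.md" 2>/dev/null | grep -E "^\\+" | grep -v '+++' | sed "s/^+//g")"
          elif [[ "${event_name}" == "schedule" ]]; then
            # The file list arrives base64-encoded from the update-data job.
            data_file_update=$(echo "${DATA_UPDATE_DIFF}" | base64 -d)
            echo -e "[*] Data file update:\n${data_file_update}"
            changelog_content="## Files updated\n\n${data_file_update}"
          else
            changelog_content="N/A"
          fi
          echo -ne "# Changelog\n\n${changelog_content}\n" > ./release/changelog.md
      - name: Build PrivescCheck script
        shell: pwsh
        run: |
          . ./build/Build.ps1
          Invoke-Build -Name "PrivescCheck" -NoNewSeed
      - name: Create release
        # `gh release create` needs a token that can write repository contents.
        env:
          GH_TOKEN: ${{ github.token }}
          RELEASE_TAG: ${{ needs.get-release-tag.outputs.release-tag }}
          DATA_UPDATED: ${{ needs.update-data.outputs.data-updated }}
          EVENT_NAME: ${{ github.event_name }}
        shell: bash
        run: |
          event_name="${EVENT_NAME}"
          echo "[*] Release tag: ${RELEASE_TAG}"
          echo "[*] Data updated: ${DATA_UPDATED}"
          echo "[*] Event name: ${event_name}"
          create_release=0
          if [[ "${event_name}" = "schedule" ]]; then
            # A scheduled run publishes only when the data files changed.
            # Only the flag is set here: the release itself is created once,
            # in the block below, so a second `gh release create` cannot fail
            # on a tag that already has a release.
            if [[ "${DATA_UPDATED}" = "true" ]]; then
              create_release=1
            fi
          else
            create_release=1
          fi
          if [[ $create_release == 1 ]]; then
            changelog_path="./release/changelog.md"
            if [[ -f "${changelog_path}" ]]; then
              echo "[*] Changelog file found: ${changelog_path}"
              gh release create "${RELEASE_TAG}" --notes-file "${changelog_path}" ./release/*.ps1
            else
              echo "[!] Changelog file not found"
              gh release create "${RELEASE_TAG}" ./release/*.ps1
            fi
          else
            echo "[*] No release to create"
          fi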