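# Scheduled workflow: download the signed installers from the Stampy output
# bucket, upload them to the CLI's S3 location, clean up the Stampy in/out
# buckets, then post the upload script's output to Slack.
name: get-signed-installers-from-stampy
on:
  workflow_dispatch:
  schedule:
    # 2:35 am central time. GitHub evaluates cron in UTC, so 07:35 UTC is
    # 2:35 am Central only while daylight time (UTC-5) is in effect.
    - cron: '35 7 * * *'

# Least privilege for GITHUB_TOKEN: the steps below only read the repository;
# all other access goes through AWS credentials and the Slack webhook.
permissions:
  contents: read

jobs:
  get-signed-from-stampy:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): the actions in this job are referenced by a mutable tag;
      # pinning each to a full commit SHA guards against a retagged release.
      - name: Check out the repo
        uses: actions/checkout@v4

      # NOTE(review): the AWS keys are long-lived repository secrets. GitHub
      # OIDC federation into the role would replace them with short-lived
      # credentials; confirm whether the AWS account allows it.
      - name: download
        env:
          STAMPY_ARN: ${{ secrets.STAMPY_ARN }}
          # Passed through the environment rather than expanded into the
          # script text, so the value is never parsed as shell syntax.
          STAMPY_SIGNED_BUCKET: ${{ secrets.STAMPY_SIGNED_BUCKET }}
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          AWS_EC2_METADATA_DISABLED: 'true'
        run: |
          # switch AWS identity to the one that can access stampy
          TEMP_ROLE=$(aws sts assume-role --role-arn "$STAMPY_ARN" --role-session-name artifact-signing)
          export AWS_ACCESS_KEY_ID=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.AccessKeyId')
          export AWS_SECRET_ACCESS_KEY=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SecretAccessKey')
          export AWS_SESSION_TOKEN=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SessionToken')
          # NOTE(review): the bucket is copied into the repository root, the
          # same tree that holds scripts/*.js run by the later steps with other
          # credentials. An object key under scripts/ would replace those files.
          # A dedicated download directory would separate the two, but the
          # upload script (not shown here) presumably reads from the working
          # directory, so the target is left unchanged.
          aws s3 cp --recursive "${STAMPY_SIGNED_BUCKET}/" .

      - name: upload to CLI s3
        id: upload
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          AWS_EC2_METADATA_DISABLED: 'true'
        run: |
          # Run the script with stderr redirected to stdout. The command sits
          # in the `if` condition because the default `bash -e` shell aborts on
          # a failed plain assignment, which would skip the error report below.
          if ! OUTPUT=$(node scripts/stampy-signed-upload.js 2>&1); then
            echo "An error occured:"
            printf '%s\n' "$OUTPUT"
            exit 1
          fi
          # Set multiline string output
          # https://stackoverflow.com/questions/74137120/how-to-fix-or-avoid-error-unable-to-process-file-command-output-successfully#comment131739699_74232400
          # A random delimiter keeps a line of script output from ending the
          # value early and writing further entries into $GITHUB_OUTPUT.
          DELIMITER="EOF_$(openssl rand -hex 16)"
          {
            printf 'output<<%s\n' "$DELIMITER"
            printf '%s\n' "$OUTPUT"
            printf '%s\n' "$DELIMITER"
          } >> "$GITHUB_OUTPUT"

      - name: clean up stampy in/out buckets
        env:
          STAMPY_ARN: ${{ secrets.STAMPY_ARN }}
          STAMPY_UNSIGNED_BUCKET: ${{ secrets.STAMPY_UNSIGNED_BUCKET }}
          STAMPY_SIGNED_BUCKET: ${{ secrets.STAMPY_SIGNED_BUCKET }}
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          AWS_EC2_METADATA_DISABLED: 'true'
        run: |
          # Assume the Stampy role again: exported variables do not carry over
          # from the download step.
          TEMP_ROLE=$(aws sts assume-role --role-arn "$STAMPY_ARN" --role-session-name artifact-signing)
          export AWS_ACCESS_KEY_ID=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.AccessKeyId')
          export AWS_SECRET_ACCESS_KEY=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SecretAccessKey')
          export AWS_SESSION_TOKEN=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SessionToken')
          node scripts/stampy-signed-delete.js

      # NOTE(review): the page's e-mail obfuscation destroyed the action
      # reference ("slackapi/[email protected]"). The env and `payload` inputs
      # look like slackapi/slack-github-action; restore the real name and
      # version from the repository before using this file.
      - name: notify
        uses: slackapi/slack-github-action@VERSION_LOST_IN_PAGE_EXTRACTION
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.CLI_TEAM_SLACK_WEBHOOK_URL }}
          SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
        with:
          # toJson() emits the captured output as a quoted, escaped JSON string,
          # so the script output cannot break out of the payload structure.
          payload: |
            {
              "blocks": [
                {
                  "type": "header",
                  "text": {
                    "type": "plain_text",
                    "text": "Stampy signed and uploaded the following files:",
                    "emoji": true
                  }
                },
                {
                  "type": "section",
                  "text": {
                    "type": "mrkdwn",
                    "text": ${{ toJson(steps.upload.outputs.output) }}
                  }
                }
              ]
            }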