name: get-signed-installers-from-stampy on: workflow_dispatch: schedule: # 2:35 am central time - cron: '35 7 * * *' jobs: get-signed-from-stampy: runs-on: ubuntu-latest steps: - name: Check out the repo uses: actions/checkout@v4 - name: download env: STAMPY_ARN: ${{ secrets.STAMPY_ARN }} AWS_ACCESS_KEY_ID: ${{secrets.AWS_ACCESS_KEY_ID}} AWS_SECRET_ACCESS_KEY: ${{secrets.AWS_SECRET_ACCESS_KEY}} AWS_EC2_METADATA_DISABLED: true # switch AWS identity to the one that can access stampy run: | ACCOUNT_ID=$(aws sts get-caller-identity | jq -r '.Account') TEMP_ROLE=$(aws sts assume-role --role-arn $STAMPY_ARN --role-session-name artifact-signing) export AWS_ACCESS_KEY_ID=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.AccessKeyId') export AWS_SECRET_ACCESS_KEY=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SecretAccessKey') export AWS_SESSION_TOKEN=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SessionToken') aws s3 cp --recursive ${{ secrets.STAMPY_SIGNED_BUCKET }}/ . - name: upload to CLI s3 id: upload env: AWS_ACCESS_KEY_ID: ${{secrets.AWS_ACCESS_KEY_ID}} AWS_SECRET_ACCESS_KEY: ${{secrets.AWS_SECRET_ACCESS_KEY}} AWS_EC2_METADATA_DISABLED: true run: | # Run script and redirect stderr to stdout OUTPUT=$(node scripts/stampy-signed-upload.js 2>&1) # Check for non-zero exit code and stop the workflow if an error occured if [ $? -ne 0 ]; then echo "An error occured:" echo $OUTPUT exit 1 fi # Set multiline string output # https://stackoverflow.com/questions/74137120/how-to-fix-or-avoid-error-unable-to-process-file-command-output-successfully#comment131739699_74232400 echo -e "output<<EOF\n$OUTPUT\nEOF" >> "$GITHUB_OUTPUT" - name: clean up stampy in/out buckets env: STAMPY_ARN: ${{ secrets.STAMPY_ARN }} STAMPY_UNSIGNED_BUCKET: ${{ secrets.STAMPY_UNSIGNED_BUCKET }} STAMPY_SIGNED_BUCKET: ${{ secrets.STAMPY_SIGNED_BUCKET }} AWS_ACCESS_KEY_ID: ${{secrets.AWS_ACCESS_KEY_ID}} AWS_SECRET_ACCESS_KEY: ${{secrets.AWS_SECRET_ACCESS_KEY}} AWS_EC2_METADATA_DISABLED: true run: | ACCOUNT_ID=$(aws sts get-caller-identity | jq -r '.Account') TEMP_ROLE=$(aws sts assume-role --role-arn $STAMPY_ARN --role-session-name artifact-signing) export AWS_ACCESS_KEY_ID=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.AccessKeyId') export AWS_SECRET_ACCESS_KEY=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SecretAccessKey') export AWS_SESSION_TOKEN=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SessionToken') node scripts/stampy-signed-delete.js - name: notify uses: slackapi/slack-github-action@v1.26.0 env: SLACK_WEBHOOK_URL: ${{ secrets.CLI_TEAM_SLACK_WEBHOOK_URL }} SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK with: payload: | { "blocks": [ { "type": "header", "text": { "type": "plain_text", "text": "Stampy signed and uploaded the following files:", "emoji": true } }, { "type": "section", "text": { "type": "mrkdwn", "text": ${{ toJson(steps.upload.outputs.output) }} } } ] }