.github/workflows/package_and_release.yml #1835
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
on: | |
push: | |
branches: | |
- main | |
pull_request: | |
branches: [main] | |
types: [opened, synchronize] | |
schedule: | |
# this string has quotes because '*' is a special character in YAML | |
- cron: '0 */12 * * *' # Every 12 hours at minute 0 | |
jobs: | |
packaging_snap: | |
runs-on: ubuntu-22.04 | |
env: | |
SNAP_NAME: folding-at-home-fcole90 | |
steps: | |
- name: Install Review Tools | |
run: sudo snap install review-tools | |
# Download the snap, check notices, inline the JSON output and save as 'env.CVEs' | |
- name: Check CVEs | |
if: ${{ github.event_name == 'schedule' }} | |
run: | | |
snap download ${{ env.SNAP_NAME }} | |
review-tools.check-notices ${{ env.SNAP_NAME }}*.snap --with-cves | |
echo "CVEs=$(review-tools.check-notices ${{ env.SNAP_NAME }}*.snap --with-cves | sed -Ez 's/\n//g')" >> $GITHUB_ENV | |
rm ${{ env.SNAP_NAME }}*.snap | |
# Print notices on screen and set 'HAS_CVE' to 'true' or 'false' ( /!\ Note that it is a string) | |
- name: Print Notices and Set HAS_CVE env variable | |
if: ${{ github.event_name == 'schedule' }} | |
run: | | |
echo "Notices: ${{ env.CVEs }}" | |
echo "Notices: ${{ toJSON(fromJSON(env.CVEs)) }}" | |
echo "HAS_CVE=${{ !contains(toJSON((fromJSON(env.CVEs).*.*)), '{}') }}" >> $GITHUB_ENV | |
echo "Has CVE? ${{ !contains(toJSON((fromJSON(env.CVEs).*.*)), '{}') }}" | |
- name: Decide if should rebuild | |
run: | | |
echo SHOULD_BUILD=$(echo ${{ github.event_name == 'push' || (github.event_name == 'schedule' && env.HAS_CVE == 'true') }}) >> $GITHUB_ENV | |
- uses: actions/checkout@v3 | |
if: ${{ fromJSON(env.SHOULD_BUILD) }} | |
- name: Install and Configure LXD and Snapcraft | |
if: ${{ fromJSON(env.SHOULD_BUILD) }} | |
run: | | |
echo "Get latest LXD" | |
sudo snap refresh --channel=stable lxd | |
echo "Add usermod..." | |
sudo usermod --append --groups lxd $USER | |
echo "Waiting LXD to be ready..." | |
sudo /snap/bin/lxd waitready | |
echo "Initialise LXD (auto)..." | |
sudo /snap/bin/lxd init --auto | |
echo "Get socket ownership..." | |
sudo chown $USER:$USER /var/snap/lxd/common/lxd/unix.socket | |
echo "Installing snapcraft in the LXD container..." | |
sg lxd -c "sudo snap install snapcraft --classic" | |
- name: Disable firewall | |
if: ${{ fromJSON(env.SHOULD_BUILD) }} | |
run: | | |
sudo ufw disable | |
- name: Snap Store Login Verification | |
if: ${{ fromJSON(env.SHOULD_BUILD) }} | |
env: # Export secret as an environment variable | |
SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAPCRAFT_STORE_CREDENTIALS }} | |
run: | | |
snapcraft whoami || (echo "Cannot determine who I am." && exit 1) | |
- name: Build Snap | |
if: ${{ fromJSON(env.SHOULD_BUILD) }} | |
run: sg lxd -c "SNAPCRAFT_BUILD_INFO=1 snapcraft --use-lxd" | |
- name: Check Files | |
run: ls | |
- name: Review Snap | |
if: ${{ fromJSON(env.SHOULD_BUILD) }} | |
run: review-tools.snap-review ${{ env.SNAP_NAME }}*.snap | |
- name: Snap Store Release | |
if: ${{ fromJSON(env.SHOULD_BUILD) }} | |
env: # Export secret as an environment variable | |
SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAPCRAFT_STORE_CREDENTIALS }} | |
run: snapcraft upload --release=stable ${{ env.SNAP_NAME }}*.snap |