
Update roadmap for new improvement release #65

Update roadmap for new improvement release


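# Release pipeline: secret/static checks -> build with SBOM, checksums and
# provenance attestation -> GitHub Release (tag pushes or manual publish only).
#
# NOTE(review): every `uses:` below is pinned to a major-version tag (@v4, @v2).
# Pinning each one to a full-length commit SHA instead would protect the build
# against a tag being re-pointed upstream.
name: Full Security Fortress Release System

# yamllint disable-line rule:truthy
on:
  push:
    branches: [main]
    tags:
      - 'v*'
  workflow_dispatch:
    inputs:
      version:
        description: "Manual version, example: v1.0.0"
        required: false
        default: ""
      publish:
        description: "Publish GitHub Release"
        required: true
        type: boolean
        default: false

# One run per ref; a newer push to the same ref supersedes the running one.
concurrency:
  group: fortress-${{ github.ref }}
  cancel-in-progress: true

# Least privilege at the workflow level; each job widens only what it needs.
permissions:
  contents: read

# An explicit `bash` shell runs scripts with `-eo pipefail`, so a failing
# command in the middle of a pipeline fails the step instead of being masked.
defaults:
  run:
    shell: bash

env:
  MODULE_ID: ColorOS-Themes-Rock

jobs:
  security:
    name: Security Fortress Gate
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0  # full history so the secret scan covers past commits

      - name: Install security tools
        run: |
          sudo apt-get update
          sudo apt-get install -y git shellcheck

      - name: Run Gitleaks secret scan
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      # `-l` prints only the offending file names. The previous `-n` form wrote
      # the matching line -- i.e. the credential itself -- into the job log.
      - name: Fallback hard-secret scan
        run: |
          if git grep -I -l -E "AKIA[0-9A-Z]{16}|AIza[0-9A-Za-z\-]{35}|-----BEGIN (RSA|OPENSSH) PRIVATE KEY-----" -- .; then
            echo "Hard secret detected"
            exit 1
          fi

      - name: Shell script quality check
        run: |
          find scripts -type f -name "*.sh" -print0 | xargs -0 -r shellcheck

      # Fail early if a script the later jobs depend on is missing.
      - name: Required file integrity check
        run: |
          test -f module.prop
          test -f scripts/package.sh
          test -f scripts/validate-module.sh
          test -f scripts/check-theme-size.sh

      - name: Module validation
        run: bash scripts/validate-module.sh

      - name: Theme asset validation
        run: bash scripts/check-theme-size.sh

  build:
    name: Fortress Build + Attestation
    needs: security
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write  # OIDC token for the provenance attestation
      attestations: write
    outputs:
      module_version: ${{ steps.version.outputs.version }}
      artifact_name: fortress-${{ steps.version.outputs.version }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0  # tags are needed to derive the next patch version

      - name: Install build tools
        run: |
          sudo apt-get update
          sudo apt-get install -y zip coreutils

      # Expression values reach the script through `env`, never by `${{ }}`
      # interpolation into `run:` -- an interpolated `inputs.version` would be
      # a shell-injection sink for anyone allowed to trigger the dispatch.
      # Precedence: pushed tag > manual input > next patch after the latest tag.
      - name: Resolve version
        id: version
        env:
          INPUT_VERSION: ${{ inputs.version }}
        run: |
          if [[ "${GITHUB_REF}" == refs/tags/* ]]; then
            VERSION="${GITHUB_REF_NAME}"
          elif [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" && -n "${INPUT_VERSION}" ]]; then
            VERSION="${INPUT_VERSION}"
          else
            git fetch --tags
            LATEST=$(git tag --sort=-v:refname | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+' | head -n 1 || true)
            [ -z "$LATEST" ] && LATEST="v0.0.0"
            IFS='.' read -r MAJOR MINOR PATCH <<< "${LATEST#v}"
            # A latest tag such as v1.2.3-beta leaves "3-beta" in PATCH; drop the
            # suffix so the increment is an explicit integer operation.
            PATCH="${PATCH%%-*}"
            PATCH=$((PATCH+1))
            VERSION="v${MAJOR}.${MINOR}.${PATCH}"
          fi
          # Only vX.Y.Z or vX.Y.Z-beta may become a tag / release name.
          if [[ ! "$VERSION" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-beta)?$ ]]; then
            echo "Invalid version format: $VERSION"
            exit 1
          fi
          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
          echo "MODULE_VERSION=$VERSION" >> "$GITHUB_ENV"

      - name: Build module
        run: bash scripts/package.sh

      # Plain-text build manifest; this is not an SPDX/CycloneDX document, so
      # downstream SBOM tooling will not be able to consume it as one.
      - name: Generate SBOM
        run: |
          mkdir -p dist
          cat > dist/SBOM.txt <<EOF
          Project: ColorOS Themes Rock
          Version: ${MODULE_VERSION}
          Build runner: GitHub Actions ubuntu-latest
          Build tools: bash, zip, coreutils
          Commit: ${GITHUB_SHA}
          EOF

      # Runs after the SBOM so SBOM.txt is covered by the checksum file.
      - name: Generate SHA256 checksums
        run: |
          cd dist
          sha256sum * > SHA256SUMS.txt

      - name: Upload artifact
        uses: actions/upload-artifact@v4
        with:
          name: fortress-${{ steps.version.outputs.version }}
          path: dist/*
          if-no-files-found: error
          retention-days: 30

      # Subjects include the module, SBOM.txt and SHA256SUMS.txt.
      - name: Generate GitHub build provenance attestation
        uses: actions/attest-build-provenance@v2
        with:
          subject-path: 'dist/*'

  release:
    name: Fortress Release
    needs: build
    runs-on: ubuntu-latest
    if: startsWith(github.ref, 'refs/tags/') || (github.event_name == 'workflow_dispatch' && inputs.publish == true)
    permissions:
      contents: write  # creating the release/tag; scoped to this job only
    environment:
      name: production
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0  # history for the "Changes" section of the notes

      - name: Download artifact
        uses: actions/download-artifact@v4
        with:
          name: ${{ needs.build.outputs.artifact_name }}
          path: dist

      # The version comes in via `env` rather than `${{ }}` inside the script,
      # matching the build job. `tformat:` terminates the last log line with a
      # newline; with `format:` the following heading was glued onto it.
      - name: Generate release notes
        env:
          VERSION: ${{ needs.build.outputs.module_version }}
        run: |
          cat > RELEASE_NOTES.md <<EOF
          # ColorOS Themes Rock Security Fortress ${VERSION}
          ## Changes
          EOF
          git log -n 20 --pretty=tformat:'- %s' >> RELEASE_NOTES.md || true
          cat >> RELEASE_NOTES.md <<EOF

          ## Security verification
          - Gitleaks secret scan passed
          - Fallback hard-secret scan passed
          - ShellCheck script quality check passed
          - Module and theme validation passed
          - SBOM included
          - SHA256 checksums included
          - GitHub build provenance attestation generated
          EOF

      - name: Publish GitHub Release
        uses: softprops/action-gh-release@v2
        with:
          tag_name: ${{ needs.build.outputs.module_version }}
          name: ColorOS Themes Security Fortress ${{ needs.build.outputs.module_version }}
          body_path: RELEASE_NOTES.md
          files: dist/*
          draft: false
          prerelease: ${{ contains(needs.build.outputs.module_version, 'beta') }}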