Add changelog for new update improvements #66
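# Release pipeline for the ColorOS-Themes-Rock module.
#
# Flow:  security (secret scan, ShellCheck, module/theme validation)
#     -> build    (version resolution, packaging, build summary, SHA-256 sums,
#                  artifact upload, build-provenance attestation)
#     -> release  (only for pushed v* tags, or a manual run with publish=true).
#
# NOTE(security): every `uses:` below is pinned to a mutable tag (@v4, @v2).
# For a release gate, pin each action to its full-length commit SHA and keep the
# tag as a trailing comment so dependency tooling can still track updates.
name: Full Security Fortress Release System

on:
  push:
    branches: [ main ]
    tags:
      - 'v*'
  workflow_dispatch:
    inputs:
      version:
        description: "Manual version, example: v1.0.0"
        required: false
        default: ""
      publish:
        description: "Publish GitHub Release"
        required: true
        type: boolean
        default: false

# One run per ref. Tag-triggered runs are never cancelled: aborting a release
# mid-publish could leave a tag whose GitHub Release has a partial asset set.
concurrency:
  group: fortress-${{ github.ref }}
  cancel-in-progress: ${{ !startsWith(github.ref, 'refs/tags/') }}

# Read-only by default; each job grants itself only what it needs.
permissions:
  contents: read

env:
  MODULE_ID: ColorOS-Themes-Rock

jobs:
  security:
    name: Security Fortress Gate
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # Full history so the Gitleaks scan covers past commits, not only HEAD.
          fetch-depth: 0
          # Nothing in this job pushes; do not leave the token in .git/config
          # where every later step and tool could read it.
          persist-credentials: false

      - name: Install security tools
        run: |
          sudo apt-get update
          sudo apt-get install -y git shellcheck

      - name: Run Gitleaks secret scan
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # NOTE(review): gitleaks-action v2 requires GITLEAKS_LICENSE for
          # organisation-owned repositories - confirm for this repository.

      # Belt-and-braces check with fixed patterns (AWS access key id, Google
      # API key, PEM private-key header). `git grep` inspects the working tree
      # at HEAD only; commit history is covered by the Gitleaks step above.
      - name: Fallback hard-secret scan
        run: |
          if git grep -I -n -E "AKIA[0-9A-Z]{16}|AIza[0-9A-Za-z\-]{35}|-----BEGIN (RSA|OPENSSH) PRIVATE KEY-----" -- .; then
            echo "Hard secret detected"
            exit 1
          fi

      - name: Shell script quality check
        run: |
          find scripts -type f -name "*.sh" -print0 | xargs -0 -r shellcheck

      # Fail early if a script the later jobs depend on is missing.
      - name: Required file integrity check
        run: |
          test -f module.prop
          test -f scripts/package.sh
          test -f scripts/validate-module.sh
          test -f scripts/check-theme-size.sh

      - name: Module validation
        run: bash scripts/validate-module.sh

      - name: Theme asset validation
        run: bash scripts/check-theme-size.sh

  build:
    name: Fortress Build + Attestation
    needs: security
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # id-token + attestations are what attest-build-provenance needs to sign
      # and store the provenance statement.
      id-token: write
      attestations: write
    outputs:
      module_version: ${{ steps.version.outputs.version }}
      artifact_name: fortress-${{ steps.version.outputs.version }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # Tags are needed for the auto-bump branch of "Resolve version".
          # Credentials stay persisted here because `git fetch --tags` below
          # must authenticate on a private repository.
          fetch-depth: 0

      - name: Install build tools
        run: |
          sudo apt-get update
          sudo apt-get install -y zip coreutils

      # Expressions are handed to the script via `env`, never interpolated into
      # `run:` text: `${{ inputs.version }}` is caller-supplied and would
      # otherwise be spliced into bash before the format check below runs.
      - name: Resolve version
        id: version
        env:
          INPUT_VERSION: ${{ inputs.version }}
        run: |
          if [[ "${GITHUB_REF}" == refs/tags/* ]]; then
            VERSION="${GITHUB_REF_NAME}"
          elif [[ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" && -n "${INPUT_VERSION}" ]]; then
            VERSION="${INPUT_VERSION}"
          else
            # Auto-bump the patch component of the newest v* tag (v0.0.0 if none).
            git fetch --tags
            LATEST=$(git tag --sort=-v:refname | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+' | head -n 1 || true)
            [ -z "$LATEST" ] && LATEST="v0.0.0"
            BASE="${LATEST#v}"
            # Drop a pre-release suffix (v1.2.3-beta) so PATCH is purely numeric.
            BASE="${BASE%%-*}"
            IFS='.' read -r MAJOR MINOR PATCH <<< "${BASE}"
            PATCH=$((PATCH+1))
            VERSION="v${MAJOR}.${MINOR}.${PATCH}"
          fi
          # Every downstream use (artifact name, tag name, release title)
          # relies on this check; keep it strict.
          if [[ ! "$VERSION" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-beta)?$ ]]; then
            echo "Invalid version format: $VERSION"
            exit 1
          fi
          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
          echo "MODULE_VERSION=$VERSION" >> "$GITHUB_ENV"

      - name: Build module
        run: bash scripts/package.sh

      # NOTE(review): this is a plain-text build summary, not an SPDX/CycloneDX
      # SBOM; consumers expecting a standard SBOM format will not parse it.
      - name: Generate SBOM
        run: |
          mkdir -p dist
          cat > dist/SBOM.txt <<EOF
          Project: ColorOS Themes Rock
          Version: ${MODULE_VERSION}
          Build runner: GitHub Actions ubuntu-latest
          Build tools: bash, zip, coreutils
          Commit: ${GITHUB_SHA}
          EOF

      # Runs before upload so the checksum file travels with the artifact and is
      # itself covered by the provenance attestation.
      - name: Generate SHA256 checksums
        run: |
          cd dist
          sha256sum * > SHA256SUMS.txt

      - name: Upload artifact
        uses: actions/upload-artifact@v4
        with:
          name: fortress-${{ steps.version.outputs.version }}
          path: dist/*
          if-no-files-found: error
          retention-days: 30

      - name: Generate GitHub build provenance attestation
        uses: actions/attest-build-provenance@v2
        with:
          subject-path: 'dist/*'

  release:
    name: Fortress Release
    needs: build
    runs-on: ubuntu-latest
    # Publish for pushed v* tags, or a manual run *from main* with publish=true.
    # workflow_dispatch can be started on any ref; a manual run from another
    # branch is skipped rather than released, so an unreviewed branch cannot be
    # tagged and published through this job.
    if: startsWith(github.ref, 'refs/tags/') || (github.event_name == 'workflow_dispatch' && inputs.publish == true && github.ref == 'refs/heads/main')
    permissions:
      contents: write
    # Protection rules (required reviewers, deployment branches) on this
    # environment are the human gate in front of a publish.
    environment:
      name: production
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # History is only read (git log); the release is created via the API.
          fetch-depth: 0
          persist-credentials: false

      - name: Download artifact
        uses: actions/download-artifact@v4
        with:
          name: ${{ needs.build.outputs.artifact_name }}
          path: dist

      # Re-verify what we are about to publish against the sums computed in the
      # build job; fail rather than ship a mismatched or missing file.
      - name: Verify artifact checksums
        run: |
          cd dist
          sha256sum --check --strict SHA256SUMS.txt

      - name: Generate release notes
        env:
          # Already validated against a strict version regex in the build job.
          VERSION: ${{ needs.build.outputs.module_version }}
        run: |
          cat > RELEASE_NOTES.md <<EOF
          # ColorOS Themes Rock Security Fortress ${VERSION}
          ## Changes
          EOF
          # tformat: (not format:) terminates the last entry with a newline, so
          # the following heading is not glued onto the final commit line.
          git log -n 20 --pretty=tformat:'- %s' >> RELEASE_NOTES.md || true
          cat >> RELEASE_NOTES.md <<EOF
          ## Security verification
          - Gitleaks secret scan passed
          - Fallback hard-secret scan passed
          - ShellCheck script quality check passed
          - Module and theme validation passed
          - SBOM included
          - SHA256 checksums included
          - GitHub build provenance attestation generated
          EOF

      # For a manual run the tag does not exist yet; the action creates it at the
      # dispatched commit when it creates the release.
      - name: Publish GitHub Release
        uses: softprops/action-gh-release@v2
        with:
          tag_name: ${{ needs.build.outputs.module_version }}
          name: ColorOS Themes Security Fortress ${{ needs.build.outputs.module_version }}
          body_path: RELEASE_NOTES.md
          files: dist/*
          # An empty glob must not produce a release with no assets.
          fail_on_unmatched_files: true
          draft: false
          prerelease: ${{ contains(needs.build.outputs.module_version, 'beta') }}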