-
Notifications
You must be signed in to change notification settings - Fork 0
210 lines (177 loc) · 5.78 KB
/
Copy pathbuild-module.yml
File metadata and controls
210 lines (177 loc) · 5.78 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
name: Full Security Fortress Release System
on:
push:
branches: [ main ]
tags:
- 'v*'
workflow_dispatch:
inputs:
version:
description: "Manual version, example: v1.0.0"
required: false
default: ""
publish:
description: "Publish GitHub Release"
required: true
type: boolean
default: false
concurrency:
group: fortress-${{ github.ref }}
cancel-in-progress: true
permissions:
contents: read
env:
MODULE_ID: ColorOS-Themes-Rock
jobs:
security:
name: Security Fortress Gate
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install security tools
run: |
sudo apt-get update
sudo apt-get install -y git shellcheck
- name: Run Gitleaks secret scan
uses: gitleaks/gitleaks-action@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Fallback hard-secret scan
run: |
if git grep -I -n -E "AKIA[0-9A-Z]{16}|AIza[0-9A-Za-z\-]{35}|-----BEGIN (RSA|OPENSSH) PRIVATE KEY-----" -- .; then
echo "Hard secret detected"
exit 1
fi
- name: Shell script quality check
run: |
find scripts -type f -name "*.sh" -print0 | xargs -0 -r shellcheck
- name: Required file integrity check
run: |
test -f module.prop
test -f scripts/package.sh
test -f scripts/validate-module.sh
test -f scripts/check-theme-size.sh
- name: Module validation
run: bash scripts/validate-module.sh
- name: Theme asset validation
run: bash scripts/check-theme-size.sh
build:
name: Fortress Build + Attestation
needs: security
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
attestations: write
outputs:
module_version: ${{ steps.version.outputs.version }}
artifact_name: fortress-${{ steps.version.outputs.version }}
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install build tools
run: |
sudo apt-get update
sudo apt-get install -y zip coreutils
- name: Resolve version
id: version
run: |
if [[ "${GITHUB_REF}" == refs/tags/* ]]; then
VERSION="${GITHUB_REF_NAME}"
elif [[ "${{ github.event_name }}" == "workflow_dispatch" && "${{ inputs.version }}" != "" ]]; then
VERSION="${{ inputs.version }}"
else
git fetch --tags
LATEST=$(git tag --sort=-v:refname | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+' | head -n 1 || true)
[ -z "$LATEST" ] && LATEST="v0.0.0"
IFS='.' read -r MAJOR MINOR PATCH <<< "${LATEST#v}"
PATCH=$((PATCH+1))
VERSION="v${MAJOR}.${MINOR}.${PATCH}"
fi
if [[ ! "$VERSION" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-beta)?$ ]]; then
echo "Invalid version format: $VERSION"
exit 1
fi
echo "version=$VERSION" >> "$GITHUB_OUTPUT"
echo "MODULE_VERSION=$VERSION" >> "$GITHUB_ENV"
- name: Build module
run: bash scripts/package.sh
- name: Generate SBOM
run: |
mkdir -p dist
cat > dist/SBOM.txt <<EOF
Project: ColorOS Themes Rock
Version: ${MODULE_VERSION}
Build runner: GitHub Actions ubuntu-latest
Build tools: bash, zip, coreutils
Commit: ${GITHUB_SHA}
EOF
- name: Generate SHA256 checksums
run: |
cd dist
sha256sum * > SHA256SUMS.txt
- name: Upload artifact
uses: actions/upload-artifact@v4
with:
name: fortress-${{ steps.version.outputs.version }}
path: dist/*
if-no-files-found: error
retention-days: 30
- name: Generate GitHub build provenance attestation
uses: actions/attest-build-provenance@v2
with:
subject-path: 'dist/*'
release:
name: Fortress Release
needs: build
runs-on: ubuntu-latest
if: startsWith(github.ref, 'refs/tags/') || (github.event_name == 'workflow_dispatch' && inputs.publish == true)
permissions:
contents: write
environment:
name: production
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Download artifact
uses: actions/download-artifact@v4
with:
name: ${{ needs.build.outputs.artifact_name }}
path: dist
- name: Generate release notes
run: |
VERSION="${{ needs.build.outputs.module_version }}"
cat > RELEASE_NOTES.md <<EOF
# ColorOS Themes Rock Security Fortress ${VERSION}
## Changes
EOF
git log -n 20 --pretty=format:'- %s' >> RELEASE_NOTES.md || true
cat >> RELEASE_NOTES.md <<EOF
## Security verification
- Gitleaks secret scan passed
- Fallback hard-secret scan passed
- ShellCheck script quality check passed
- Module and theme validation passed
- SBOM included
- SHA256 checksums included
- GitHub build provenance attestation generated
EOF
- name: Publish GitHub Release
uses: softprops/action-gh-release@v2
with:
tag_name: ${{ needs.build.outputs.module_version }}
name: ColorOS Themes Security Fortress ${{ needs.build.outputs.module_version }}
body_path: RELEASE_NOTES.md
files: dist/*
draft: false
prerelease: ${{ contains(needs.build.outputs.module_version, 'beta') }}