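---
# Release pipeline: security validation -> build/package -> optional publish.
# Jobs are chained with `needs`; `release` is gated on a manual dispatch with
# publish=true (see the note on its `if:` below).
name: Enterprise Release System

on:
  push:
    branches: [main]
  workflow_dispatch:
    inputs:
      version:
        description: "Manual version (optional)"
        required: false
        default: ""
      publish:
        description: "Publish Release"
        required: true
        type: boolean
        default: false

# Default token scope is read-only for every job; only `release` is granted
# `contents: write`, which it needs to create the tag and the GitHub Release.
permissions:
  contents: read

concurrency:
  group: enterprise-${{ github.ref }}
  cancel-in-progress: true

env:
  MODULE_ID: ColorOS-Themes-Rock

jobs:
  security:
    name: Security Validation
    runs-on: ubuntu-latest
    steps:
      # TODO(review): pin third-party actions to a full commit SHA rather than a
      # moving tag so the supply chain is reproducible.
      - uses: actions/checkout@v4
      - name: Secret Scan
        # Fails the job when a credential-looking word appears in the checkout.
        # `.git` is skipped (object store), and this workflow file is skipped
        # because its own search pattern contains the words being searched for
        # and would otherwise match on every run.
        run: |
          echo "Scanning repo..."
          if grep -R -n --exclude-dir=.git --exclude=build-module.yml "PASSWORD\|TOKEN\|SECRET" .; then
            echo "Potential secret found in the files listed above; failing." >&2
            exit 1
          fi
      - name: File Integrity Check
        run: |
          test -f scripts/package.sh
          test -f module.prop

  build:
    name: Build Package
    needs: security
    runs-on: ubuntu-latest
    outputs:
      # Consumed by `release`; values written to $GITHUB_ENV are job-local and
      # do not cross job boundaries.
      version: ${{ steps.version.outputs.version }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Install tools
        run: |
          sudo apt-get update
          sudo apt-get install -y zip coreutils
      - name: Resolve version
        id: version
        env:
          # User-controlled input is passed through the environment instead of
          # being interpolated into the script text, so it cannot alter the
          # shell commands.
          INPUT_VERSION: ${{ inputs.version }}
          EVENT_NAME: ${{ github.event_name }}
        run: |
          set -euo pipefail
          if [[ "$EVENT_NAME" == "workflow_dispatch" && -n "$INPUT_VERSION" ]]; then
            # The manual value becomes the git tag name; keep it semver-shaped.
            if ! [[ "$INPUT_VERSION" =~ ^v?[0-9]+\.[0-9]+\.[0-9]+([-+][0-9A-Za-z.-]+)?$ ]]; then
              echo "Invalid manual version: $INPUT_VERSION" >&2
              exit 1
            fi
            VERSION="$INPUT_VERSION"
          else
            git fetch --tags
            LATEST=$(git tag --sort=-v:refname | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+' | head -n 1 || true)
            [ -z "$LATEST" ] && LATEST="v0.0.0"
            IFS='.' read -r MAJOR MINOR PATCH <<< "${LATEST#v}"
            # Drop any pre-release suffix (e.g. "3-rc1") before arithmetic.
            PATCH="${PATCH%%[^0-9]*}"
            PATCH=$((PATCH+1))
            VERSION="v${MAJOR}.${MINOR}.${PATCH}"
          fi
          echo "MODULE_VERSION=$VERSION" >> "$GITHUB_ENV"
          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
      - name: Build Module
        run: bash scripts/package.sh
      - name: Generate SBOM
        run: |
          echo "SBOM for $MODULE_VERSION" > dist/SBOM.txt
          echo "Dependencies: zip, bash, coreutils" >> dist/SBOM.txt
      - name: Generate Checksums
        # One .sha256 file per package; fails explicitly when nothing was built
        # instead of hashing the literal pattern "*.zip".
        run: |
          set -euo pipefail
          shopt -s nullglob
          cd dist
          zips=(*.zip)
          if [ "${#zips[@]}" -eq 0 ]; then
            echo "No package found in dist/" >&2
            exit 1
          fi
          for f in "${zips[@]}"; do
            sha256sum "$f" > "$f.sha256"
          done
      - name: Upload Artifact
        uses: actions/upload-artifact@v4
        with:
          name: enterprise-${{ env.MODULE_VERSION }}
          path: dist/*

  release:
    name: Publish Release
    needs: build
    runs-on: ubuntu-latest
    # No tag trigger is declared in `on:`, so the tag branch of this condition
    # is presumably never true; in practice only a manual dispatch with
    # publish=true reaches this job.
    if: startsWith(github.ref, 'refs/tags/') || inputs.publish == true
    environment:
      name: production
    permissions:
      contents: write
    env:
      # Resolved once in `build` and handed over as a job output.
      MODULE_VERSION: ${{ needs.build.outputs.version }}
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history so the release notes can list the last 20 commits.
          fetch-depth: 0
      - name: Download artifact
        uses: actions/download-artifact@v4
        with:
          name: enterprise-${{ env.MODULE_VERSION }}
          path: dist
      - name: Verify Checksums
        # Re-check every package against the digest produced in `build` before
        # anything is published; the release notes below claim this was done.
        run: |
          set -euo pipefail
          shopt -s nullglob
          cd dist
          sums=(*.sha256)
          if [ "${#sums[@]}" -eq 0 ]; then
            echo "No checksum files found in dist/" >&2
            exit 1
          fi
          for c in "${sums[@]}"; do
            sha256sum -c "$c"
          done
      - name: Generate Release Notes
        run: |
          echo "# Enterprise Release $MODULE_VERSION" > RELEASE_NOTES.md
          echo "## Changes" >> RELEASE_NOTES.md
          git log -n 20 --pretty=format:'- %s' >> RELEASE_NOTES.md || true
          echo "## Security" >> RELEASE_NOTES.md
          echo "- SBOM included" >> RELEASE_NOTES.md
          echo "- Checksums verified" >> RELEASE_NOTES.md
      - name: Publish GitHub Release
        # TODO(review): pin to a full commit SHA.
        uses: softprops/action-gh-release@v2
        with:
          tag_name: ${{ env.MODULE_VERSION }}
          name: ColorOS Themes Enterprise ${{ env.MODULE_VERSION }}
          body_path: RELEASE_NOTES.md
          files: dist/*
          draft: false
          prerelease: false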