mirror of
https://github.com/Anon-Planet/thgtoa.git
synced 2026-05-06 19:44:19 +02:00
Overhaul the Hashing, scanning, release management
...tool :) Signed-off-by: nopeitsnothing <no@anonymousplanet.org>
This commit is contained in:
nopeitsnothing
@@ -1,29 +1,41 @@
|
|||||||
name: 📖 Build PDF
|
name: 📖 Build, Scan & Release PDF
|
||||||
|
|
||||||
on:
|
on:
|
||||||
workflow_dispatch:
|
workflow_dispatch:
|
||||||
pull_request:
|
inputs:
|
||||||
paths:
|
build_mode:
|
||||||
- "docs/**"
|
description: 'PDF build mode'
|
||||||
- "mkdocs.yml"
|
required: true
|
||||||
- "scripts/build_guide_pdf.py"
|
default: 'both'
|
||||||
- ".github/workflows/build-pdf.yml"
|
type: choice
|
||||||
|
options:
|
||||||
|
- light
|
||||||
|
- dark
|
||||||
|
- both
|
||||||
|
release_mode:
|
||||||
|
description: 'Release update mode'
|
||||||
|
required: false
|
||||||
|
default: 'tag'
|
||||||
|
type: choice
|
||||||
|
options:
|
||||||
|
- tag
|
||||||
|
- latest
|
||||||
push:
|
push:
|
||||||
branches:
|
branches:
|
||||||
- main
|
- main
|
||||||
paths:
|
paths:
|
||||||
- "docs/**"
|
- "docs/**"
|
||||||
- "mkdocs.yml"
|
- "mkdocs.yml"
|
||||||
- "scripts/build_guide_pdf.py"
|
- "scripts/**"
|
||||||
- ".github/workflows/build-pdf.yml"
|
- ".github/workflows/**"
|
||||||
|
|
||||||
permissions:
|
permissions:
|
||||||
contents: write
|
contents: write
|
||||||
id-token: write
|
id-token: write
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
pdf:
|
build:
|
||||||
name: PDF build and sign
|
name: Build PDFs (${{ inputs.build_mode || 'both' }})
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- name: 🛠️ Checkout
|
- name: 🛠️ Checkout
|
||||||
@@ -49,20 +61,10 @@ jobs:
|
|||||||
sudo apt-get update
|
sudo apt-get update
|
||||||
sudo apt-get install gnupg
|
sudo apt-get install gnupg
|
||||||
|
|
||||||
- name: 🖨️ Build PDF
|
- name: 🖨️ Build PDFs
|
||||||
env:
|
env:
|
||||||
CI: true
|
CI: true
|
||||||
run: python scripts/build_guide_pdf.py --both
|
run: python scripts/build_guide_pdf.py --${{ inputs.build_mode || 'both' }}
|
||||||
|
|
||||||
- name: 🔢 Generate SHA256 hashes for root directory
|
|
||||||
run: |
|
|
||||||
cd ${{ github.workspace }}
|
|
||||||
sha256sum export/thgtoa.pdf > sha256sum-light.txt
|
|
||||||
sha256sum export/thgtoa-dark.pdf >> sha256sum-light.txt
|
|
||||||
|
|
||||||
# Create separate hash files for each PDF
|
|
||||||
sha256sum export/thgtoa.pdf > thgtoa.pdf.sha256
|
|
||||||
sha256sum export/thgtoa-dark.pdf > thgtoa-dark.pdf.sha256
|
|
||||||
|
|
||||||
- name: 🔒 Sign PDFs with GPG key
|
- name: 🔒 Sign PDFs with GPG key
|
||||||
env:
|
env:
|
||||||
@@ -73,71 +75,84 @@ jobs:
|
|||||||
|
|
||||||
# Import GPG key
|
# Import GPG key
|
||||||
export GPG_TTY=$(tty)
|
export GPG_TTY=$(tty)
|
||||||
echo "$GPG_KEY" | gpg --batch --import
|
echo "$GPG_KEY" | gpg --batch --import 2>/dev/null || true
|
||||||
|
|
||||||
# Verify the key was imported
|
# Verify the key was imported
|
||||||
gpg --list-secret-keys
|
if gpg --list-secret-keys &>/dev/null; then
|
||||||
|
|
||||||
# Sign the PDFs (detach signature)
|
# Sign the PDFs (detach signature)
|
||||||
gpg --batch --yes --armor --detach-sign --output export/thgtoa.pdf.sig export/thgtoa.pdf
|
gpg --batch --yes --armor --detach-sign --output export/thgtoa.pdf.sig export/thgtoa.pdf 2>/dev/null || true
|
||||||
gpg --batch --yes --armor --detach-sign --output export/thgtoa-dark.pdf.sig export/thgtoa-dark.pdf
|
gpg --batch --yes --armor --detach-sign --output export/thgtoa-dark.pdf.sig export/thgtoa-dark.pdf 2>/dev/null || true
|
||||||
|
|
||||||
# Also sign the hash files
|
# Create combined hash file and sign it
|
||||||
gpg --batch --yes --armor --detach-sign --output sha256sum-light.txt.sig sha256sum-light.txt
|
sha256sum export/thgtoa.pdf > export/thgtoa.pdf.sha256
|
||||||
|
sha256sum export/thgtoa-dark.pdf > export/thgtoa-dark.sha256
|
||||||
|
gpg --batch --yes --armor --detach-sign --output export/thgtoa.pdf.sig export/thgtoa.pdf.sha256 2>/dev/null || true
|
||||||
|
gpg --batch --yes --armor --detach-sign --output export/thgtoa-dark.pdf.sig export/thgtoa-dark.pdf.sha256 2>/dev/null || true
|
||||||
|
|
||||||
upload:
|
# Create individual hash files
|
||||||
name: Upload artifacts
|
sha256sum export/thgtoa.pdf > export/thgtoa.pdf.sha256
|
||||||
|
sha256sum export/thgtoa-dark.pdf > export/thgtoa-dark.pdf.sha256
|
||||||
|
fi
|
||||||
|
|
||||||
|
- name: 📤 Upload PDF artifacts
|
||||||
|
uses: actions/upload-artifact@v4
|
||||||
|
with:
|
||||||
|
name: pdf-artifacts-${{ inputs.build_mode || 'both' }}
|
||||||
|
path: |
|
||||||
|
export/*.pdf
|
||||||
|
export/*.sig
|
||||||
|
export/*.sha256
|
||||||
|
if-no-files-found: error
|
||||||
|
retention-days: 90
|
||||||
|
archive: false
|
||||||
|
|
||||||
|
scan-and-release:
|
||||||
|
name: Scan & Release
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
needs: pdf
|
needs: build
|
||||||
|
if: always() && contains(needs.build.result, 'success')
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: 📤 Upload PDF artifact (Light Mode)
|
- name: 🚀 Checkout
|
||||||
uses: actions/upload-artifact@v4
|
uses: actions/checkout@v4
|
||||||
with:
|
|
||||||
name: light-pdf-files
|
|
||||||
path: |
|
|
||||||
export/thgtoa.pdf
|
|
||||||
export/thgtoa.pdf.sig
|
|
||||||
thgtoa.pdf.sha256
|
|
||||||
archive: false
|
|
||||||
if-no-files-found: error
|
|
||||||
retention-days: 90
|
|
||||||
|
|
||||||
- name: 📤 Upload PDF artifact (Dark Mode)
|
- name: 🔽 Download PDF artifacts
|
||||||
uses: actions/upload-artifact@v4
|
uses: actions/download-artifact@v4
|
||||||
with:
|
with:
|
||||||
name: dark-pdf-files
|
pattern: pdf-artifacts
|
||||||
path: |
|
path: export/
|
||||||
export/thgtoa-dark.pdf
|
merge-multiple: true
|
||||||
export/thgtoa-dark.pdf.sig
|
|
||||||
thgtoa-dark.pdf.sha256
|
|
||||||
archive: false
|
|
||||||
if-no-files-found: error
|
|
||||||
retention-days: 90
|
|
||||||
|
|
||||||
- name: 📤 Upload combined hash file to root
|
- name: 🦠 VirusTotal Scan & Release Update
|
||||||
uses: actions/upload-artifact@v4
|
|
||||||
with:
|
|
||||||
name: hash-files
|
|
||||||
path: |
|
|
||||||
sha256sum-light.txt
|
|
||||||
archive: false
|
|
||||||
if-no-files-found: error
|
|
||||||
retention-days: 90
|
|
||||||
|
|
||||||
release:
|
|
||||||
name: Create Release
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
needs: pdf
|
|
||||||
steps:
|
|
||||||
- name: 🚀 Create Release (if tag exists)
|
|
||||||
if: startsWith(github.ref, 'refs/tags/')
|
|
||||||
uses: softprops/action-gh-release@v1
|
|
||||||
with:
|
|
||||||
files: |
|
|
||||||
export/thgtoa.pdf
|
|
||||||
export/thgtoa-dark.pdf
|
|
||||||
export/thgtoa.pdf.sig
|
|
||||||
export/thgtoa-dark.pdf.sig
|
|
||||||
sha256sum-light.txt
|
|
||||||
env:
|
env:
|
||||||
|
VT_API_KEY: ${{ secrets.VT_API_KEY }}
|
||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
GITHUB_REPOSITORY: ${{ github.repository }}
|
||||||
|
GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
|
||||||
|
GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
|
||||||
|
run: |
|
||||||
|
chmod +x scripts/pdf_release.sh
|
||||||
|
|
||||||
|
# Determine build mode from input or default to both
|
||||||
|
BUILD_MODE="${{ inputs.build_mode || 'both' }}"
|
||||||
|
RELEASE_MODE="${{ inputs.release_mode || 'tag' }}"
|
||||||
|
|
||||||
|
echo "Running PDF release script..."
|
||||||
|
echo "Build Mode: $BUILD_MODE"
|
||||||
|
echo "Release Mode: $RELEASE_MODE"
|
||||||
|
|
||||||
|
# Run the release script
|
||||||
|
./scripts/pdf_release.sh \
|
||||||
|
--build "$BUILD_MODE" \
|
||||||
|
--release "$RELEASE_MODE" \
|
||||||
|
--vt-api-key "$VT_API_KEY" \
|
||||||
|
--github-token "$GITHUB_TOKEN"
|
||||||
|
|
||||||
|
- name: 📊 Upload scan results artifact
|
||||||
|
uses: actions/upload-artifact@v4
|
||||||
|
with:
|
||||||
|
name: vt-scan-results-${{ inputs.build_mode || 'both' }}
|
||||||
|
path: |
|
||||||
|
export/virus-total-results.md
|
||||||
|
if-no-files-found: warn
|
||||||
|
retention-days: 30
|
||||||
|
|||||||
Reference in New Issue
Block a user