From c0eb8aa6f31c6a74410b37f331e8ce65c5218a9e Mon Sep 17 00:00:00 2001 From: nopeitsnothing Date: Sun, 19 Apr 2026 00:17:39 -0400 Subject: [PATCH] Move out some scripts Signed-off-by: nopeitsnothing --- .github/workflows/build-pdf.yml | 158 ----------------------- .github/workflows/build-sign-release.yml | 6 +- .github/workflows/vt-scan.yml | 77 ----------- 3 files changed, 5 insertions(+), 236 deletions(-) delete mode 100644 .github/workflows/build-pdf.yml delete mode 100644 .github/workflows/vt-scan.yml diff --git a/.github/workflows/build-pdf.yml b/.github/workflows/build-pdf.yml deleted file mode 100644 index 6d0d2ac..0000000 --- a/.github/workflows/build-pdf.yml +++ /dev/null 
@@ -1,158 +0,0 @@ -name: 📖 Build, Scan & Release PDF - -on: - workflow_dispatch: - inputs: - build_mode: - description: 'PDF build mode' - required: true - default: 'both' - type: choice - options: - - light - - dark - - both - release_mode: - description: 'Release update mode' - required: false - default: 'tag' - type: choice - options: - - tag - - latest - push: - branches: - - main - paths: - - "docs/**" - - "mkdocs.yml" - - "scripts/**" - - ".github/workflows/**" - -permissions: - contents: write - id-token: write - -jobs: - build: - name: Build PDFs (${{ inputs.build_mode || 'both' }}) - runs-on: ubuntu-latest - steps: - - name: 🛠️ Checkout - uses: actions/checkout@v4 - - - name: 🐍 Set up Python - uses: actions/setup-python@v5 - with: - python-version: "3.13" - - - name: 📦 Install MkDocs Material - run: pip install mkdocs-material - - - name: Setup Chrome - uses: browser-actions/setup-chrome@v2 - with: - chrome-version: 120 - install-dependencies: true - install-chromedriver: true - - - name: 🔑 Install GPG tools - run: | - sudo apt-get update - sudo apt-get install gnupg - - - name: 🖨️ Build PDFs - env: - CI: true - run: python scripts/build_guide_pdf.py --${{ inputs.build_mode || 'both' }} - - - name: 🔒 Sign PDFs with GPG key - env: - GPG_KEY: ${{ secrets.GPG_PRIVATE_KEY }} - GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} - run: | - cd ${{ github.workspace }} - - # Import GPG key - export GPG_TTY=$(tty) - echo "$GPG_KEY" | gpg --batch --import 2>/dev/null || true - - # Verify the key was imported - if gpg --list-secret-keys &>/dev/null; then - # Sign the PDFs (detach signature) - gpg --batch --yes --armor --detach-sign --output export/thgtoa.pdf.sig export/thgtoa.pdf 2>/dev/null || true - gpg --batch --yes --armor --detach-sign --output export/thgtoa-dark.pdf.sig export/thgtoa-dark.pdf 2>/dev/null || true - - # Create combined hash file and sign it - sha256sum export/thgtoa.pdf > export/thgtoa.pdf.sha256 - sha256sum export/thgtoa-dark.pdf > 
export/thgtoa-dark.sha256 - gpg --batch --yes --armor --detach-sign --output export/thgtoa.pdf.sig export/thgtoa.pdf.sha256 2>/dev/null || true - gpg --batch --yes --armor --detach-sign --output export/thgtoa-dark.pdf.sig export/thgtoa-dark.pdf.sha256 2>/dev/null || true - - # Create individual hash files - sha256sum export/thgtoa.pdf > export/thgtoa.pdf.sha256 - sha256sum export/thgtoa-dark.pdf > export/thgtoa-dark.pdf.sha256 - fi - - - name: 📤 Upload PDF artifacts - uses: actions/upload-artifact@v4 - with: - name: pdf-artifacts-${{ inputs.build_mode || 'both' }} - path: | - export/*.pdf - export/*.sig - export/*.sha256 - if-no-files-found: error - retention-days: 90 - archive: false - - scan-and-release: - name: Scan & Release - runs-on: ubuntu-latest - needs: build - if: always() && contains(needs.build.result, 'success') - - steps: - - name: 🚀 Checkout - uses: actions/checkout@v4 - - - name: 🔽 Download PDF artifacts - uses: actions/download-artifact@v4 - with: - pattern: pdf-artifacts - path: export/ - merge-multiple: true - - - name: 🦠 VirusTotal Scan & Release Update - env: - VT_API_KEY: ${{ secrets.VT_API_KEY }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GITHUB_REPOSITORY: ${{ github.repository }} - GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }} - GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} - run: | - chmod +x scripts/pdf_release.sh - - # Determine build mode from input or default to both - BUILD_MODE="${{ inputs.build_mode || 'both' }}" - RELEASE_MODE="${{ inputs.release_mode || 'tag' }}" - - echo "Running PDF release script..." 
- echo "Build Mode: $BUILD_MODE"
- echo "Release Mode: $RELEASE_MODE"
-
- # Run the release script
- ./scripts/pdf_release.sh \
- --build "$BUILD_MODE" \
- --release "$RELEASE_MODE" \
- --vt-api-key "$VT_API_KEY" \
- --github-token "$GITHUB_TOKEN"
-
- - name: 📊 Upload scan results artifact
- uses: actions/upload-artifact@v4
- with:
- name: vt-scan-results-${{ inputs.build_mode || 'both' }}
- path: |
- export/virus-total-results.md
- if-no-files-found: warn
- retention-days: 30
diff --git a/.github/workflows/build-sign-release.yml b/.github/workflows/build-sign-release.yml
index 703b728..178bff9 100644
--- a/.github/workflows/build-sign-release.yml
+++ b/.github/workflows/build-sign-release.yml
@@ -127,7 +127,11 @@ jobs:
 with:
 name: pdf-export-${{ inputs.build_mode || 'both' }}
 path: |
- export/**
+ export/*.pdf
+ export/*.sig
+ export/checksums.sha256
+ export/checksums.sha256.sig
+ export/virus-total-results.md
 if-no-files-found: error
 retention-days: 90
 compression-level: 0
diff --git a/.github/workflows/vt-scan.yml b/.github/workflows/vt-scan.yml
deleted file mode 100644
index 9b9069c..0000000
--- a/.github/workflows/vt-scan.yml
+++ /dev/null
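Review bot: `if-no-files-found: error` in the build-sign-release.yml upload step only fires when the whole `path:` list matches nothing, so with the new explicit list a run that produced the PDFs but no `export/checksums.sha256.sig` or `export/*.sig` would still upload and pass. The signing step is outside this hunk (the upload step itself also begins above it), so whether signing can fail quietly is an assumption, but the removed build-pdf.yml swallowed gpg errors with `2>/dev/null || true`, which makes it worth checking. I would add a step before the upload that fails on a missing or empty file, e.g. `run: for f in export/checksums.sha256 export/checksums.sha256.sig; do test -s "$f" || exit 1; done`. The same applies to `export/virus-total-results.md`, which the deleted workflow treated as optional (`if-no-files-found: warn`) and which is now skipped silently if the scan produced nothing. A one-line comment above `path:` such as `# release manifest: PDFs, detached signatures, signed checksums, VT report` would also record why the glob was narrowed from `export/**`.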
@@ -1,77 +0,0 @@ -name: '🦠 VirusTotal Scan' - -on: - workflow_dispatch: - push: - branches: - - 'main' - tags: - - 'v*' - -jobs: - build: - runs-on: ubuntu-latest - permissions: - contents: write - steps: - - name: '📦 Checkout' - uses: actions/checkout@v6 - - - name: '🔍 Download PDF artifacts from build workflow' - uses: actions/download-artifact@v7 - with: - pattern: light-pdf-files,dark-pdf-files - path: pdfs - merge-multiple: true - - - name: '🦠 Scan PDF files using VT' - uses: crazy-max/ghaction-virustotal@v5 - with: - vt_api_key: ${{ secrets.VT_API_KEY }} - update_release_body: false # We'll handle this manually in the next step - files: | - ./pdfs/thgtoa.pdf - ./pdfs/thgtoa-dark.pdf - - - name: '📊 Extract VT scan results' - id: vt-scan - run: | - echo "status=completed" >> $GITHUB_OUTPUT - - - name: '🔗 Generate VT report links' - run: | - # Create a markdown file with VT scan results and links - cat > vt-results.md << EOF - ## VirusTotal Scan Results - - **Scan Date:** $(date -u +"%Y-%m-%d %H:%M UTC") - - ### thgtoa.pdf (Light Mode) - - **VT Report:** https://www.virustotal.com/gui/file/$(sha256sum pdfs/thgtoa.pdf | cut -d' ' -f1) - - ### thgtoa-dark.pdf (Dark Mode) - - **VT Report:** https://www.virustotal.com/gui/file/$(sha256sum pdfs/thgtoa-dark.pdf | cut -d' ' -f1) - - --- - *Scan performed automatically by GitHub Actions* - EOF - - - name: '📝 Update release with VT results (if tag exists)' - if: startsWith(github.ref, 'refs/tags/') - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GH_REPO: ${{ github.repository }} - run: | - # Get the latest release notes - RELEASE_NOTES=$(gh release view ${{ github.ref_name }} --json body --jq .body 2>/dev/null || echo "") - - # Append VT results to release notes - if [ -n "$RELEASE_NOTES" ]; then - echo "" >> vt-results.md - echo "---" >> vt-results.md - echo "### Previous Release Notes" >> vt-results.md - echo "$RELEASE_NOTES" >> vt-results.md - fi - - # Update the release with VT results - gh release edit ${{ 
github.ref_name }} --notes-file vt-results.md