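---
# Builds the guide PDFs, writes checksums and detached GPG signatures for them,
# then hands the artifacts to scripts/pdf_release.sh for the VirusTotal scan and
# the release update.
#
# NOTE(review): every `uses:` below references a mutable tag. Pinning each
# action to a full commit SHA keeps a retagged action from running with the
# signing key or the release token in scope.
name: 📖 Build, Scan & Release PDF

on:
  workflow_dispatch:
    inputs:
      build_mode:
        description: 'PDF build mode'
        required: true
        default: 'both'
        type: choice
        options:
          - light
          - dark
          - both
      release_mode:
        description: 'Release update mode'
        required: false
        default: 'tag'
        type: choice
        options:
          - tag
          - latest
  push:
    branches:
      - main
    paths:
      - "docs/**"
      - "mkdocs.yml"
      - "scripts/**"
      - ".github/workflows/**"

# Least privilege by default: the build job installs third-party packages and
# only needs to read the repository. Write scopes are granted on the release
# job alone.
permissions:
  contents: read

jobs:
  build:
    # `inputs` is empty on push events, so the `|| 'both'` fallback applies.
    name: Build PDFs (${{ inputs.build_mode || 'both' }})
    runs-on: ubuntu-latest
    steps:
      - name: 🛠️ Checkout
        uses: actions/checkout@v4

      - name: 🐍 Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: "3.13"

      # NOTE(review): unpinned install; a version-pinned (ideally hash-checked)
      # requirements file would make the build reproducible.
      - name: 📦 Install MkDocs Material
        run: pip install mkdocs-material

      - name: Setup Chrome
        uses: browser-actions/setup-chrome@v2
        with:
          chrome-version: 120
          install-dependencies: true
          install-chromedriver: true

      - name: 🔑 Install GPG tools
        run: |
          sudo apt-get update
          # -y: without it apt-get aborts at the confirmation prompt whenever
          # it actually has something to install.
          sudo apt-get install -y gnupg

      - name: 🖨️ Build PDFs
        env:
          CI: "true"
          # Passed through the environment instead of being expanded into the
          # script text, so the value is never parsed as shell syntax.
          BUILD_MODE: ${{ inputs.build_mode || 'both' }}
        run: |
          case "$BUILD_MODE" in
            light|dark|both) ;;
            *)
              echo "::error::Unexpected build mode: $BUILD_MODE"
              exit 1
              ;;
          esac
          python scripts/build_guide_pdf.py "--${BUILD_MODE}"

      - name: 🔒 Sign PDFs with GPG key
        env:
          GPG_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
        run: |
          set -euo pipefail
          cd "$GITHUB_WORKSPACE"

          # Which PDFs exist presumably depends on the build mode, so files
          # that were not produced are skipped rather than failing the step.
          pdfs=()
          for pdf in export/thgtoa.pdf export/thgtoa-dark.pdf; do
            if [ -f "$pdf" ]; then
              pdfs+=("$pdf")
            fi
          done

          # Checksums need no key material; write one <pdf>.sha256 per PDF.
          for pdf in "${pdfs[@]}"; do
            sha256sum "$pdf" > "$pdf.sha256"
          done

          # Keep the best-effort behaviour when no key is configured (forks),
          # but make it visible in the run summary.
          if [ -z "${GPG_KEY:-}" ]; then
            echo "::warning::GPG_PRIVATE_KEY is not set; artifacts are unsigned"
            exit 0
          fi

          # Throwaway keyring so the private key does not outlive this step.
          GNUPGHOME="$(mktemp -d)"
          export GNUPGHOME
          trap 'gpgconf --kill gpg-agent || true; rm -rf "$GNUPGHOME"' EXIT

          # From here on failures are fatal: a configured key that cannot sign
          # must not lead to a release with missing or stale signatures.
          printf '%s\n' "$GPG_KEY" | gpg --batch --import

          # The passphrase is handed over on fd 3 so it never appears on a
          # command line; loopback pinentry lets gpg read it in batch mode.
          sign() {
            gpg --batch --yes --pinentry-mode loopback --passphrase-fd 3 \
              --armor --detach-sign --output "$1.sig" "$1" \
              3<<<"${GPG_PASSPHRASE:-}"
          }

          # <pdf>.sig verifies the PDF, <pdf>.sha256.sig verifies the checksum
          # file. Previously the checksum signature overwrote <pdf>.sig, so
          # that file did not verify against the PDF it was named after.
          # NOTE(review): confirm scripts/pdf_release.sh and the published
          # verification instructions expect these names.
          for pdf in "${pdfs[@]}"; do
            sign "$pdf"
            sign "$pdf.sha256"
          done

      - name: 📤 Upload PDF artifacts
        uses: actions/upload-artifact@v4
        with:
          name: pdf-artifacts-${{ inputs.build_mode || 'both' }}
          path: |
            export/*.pdf
            export/*.sig
            export/*.sha256
          if-no-files-found: error
          retention-days: 90
          # NOTE(review): `archive` does not appear to be an input of
          # upload-artifact@v4; confirm it has any effect at this version.
          archive: false

  scan-and-release:
    name: Scan & Release
    runs-on: ubuntu-latest
    needs: build
    if: always() && needs.build.result == 'success'
    permissions:
      # Needed to create or update the release.
      contents: write
      # NOTE(review): no visible step requests an OIDC token; drop this scope
      # unless scripts/pdf_release.sh uses one.
      id-token: write
    steps:
      - name: 🚀 Checkout
        uses: actions/checkout@v4

      - name: 🔽 Download PDF artifacts
        uses: actions/download-artifact@v4
        with:
          # `pattern` is a glob. The artifact is uploaded with a build-mode
          # suffix, which the bare name `pdf-artifacts` does not match.
          pattern: pdf-artifacts-*
          path: export/
          merge-multiple: true

      - name: 🦠 VirusTotal Scan & Release Update
        env:
          VT_API_KEY: ${{ secrets.VT_API_KEY }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GITHUB_REPOSITORY: ${{ github.repository }}
          # NOTE(review): signing already happened in the build job; expose
          # the key here only if scripts/pdf_release.sh really signs again.
          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
          # Inputs reach the script as data, not as interpolated shell text.
          BUILD_MODE: ${{ inputs.build_mode || 'both' }}
          RELEASE_MODE: ${{ inputs.release_mode || 'tag' }}
        run: |
          chmod +x scripts/pdf_release.sh

          echo "Running PDF release script..."
          echo "Build Mode: $BUILD_MODE"
          echo "Release Mode: $RELEASE_MODE"

          # NOTE(review): both secrets are also passed as arguments, which
          # makes them visible in the process list on the runner. If the
          # script can read VT_API_KEY / GITHUB_TOKEN from the environment,
          # prefer that and drop the two flags.
          ./scripts/pdf_release.sh \
            --build "$BUILD_MODE" \
            --release "$RELEASE_MODE" \
            --vt-api-key "$VT_API_KEY" \
            --github-token "$GITHUB_TOKEN"

      - name: 📊 Upload scan results artifact
        uses: actions/upload-artifact@v4
        with:
          name: vt-scan-results-${{ inputs.build_mode || 'both' }}
          path: |
            export/virus-total-results.md
          if-no-files-found: warn
          retention-days: 30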