mirror of
https://github.com/containers/podman.git
synced 2026-07-10 23:35:04 -04:00
Template expansions are not aware of shell script syntax, and therefore can potentially result in code injection vulnerabilities when used in code contexts: https://docs.zizmor.sh/audits/#template-injection To avoid this, instead use environment variables to safely store the values of the template expansions. Also (in the process of doing the above) added double-quotes around a some instances of variable expansions in shell scripts, which is necessary to avoid unintended shell splitting and globbing. (I didn't see any instances where this was actually likely to result in erroneous behavior, but it's good practice and makes shell scripts more robust.) Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
182 lines
7.3 KiB
YAML
182 lines
7.3 KiB
YAML
name: Upload Windows Installer [DEPRECATED]
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
version:
|
|
description: 'Release version to build and upload (e.g. "v9.8.7")'
|
|
required: true
|
|
dryrun:
|
|
description: 'Perform all the steps except uploading to the release page'
|
|
required: true
|
|
default: "true" # 'choice' type requires string value
|
|
type: choice
|
|
options:
|
|
- "true" # Must be quoted string, boolean value not supported.
|
|
- "false"
|
|
|
|
permissions: {}
|
|
|
|
jobs:
|
|
build:
|
|
runs-on: windows-latest
|
|
permissions:
|
|
contents: write
|
|
env:
|
|
FETCH_BASE_URL: ${{ github.server_url }}/${{ github.repository }}
|
|
steps:
|
|
- name: Consolidate dryrun setting to always be true or false
|
|
id: actual_dryrun
|
|
env:
|
|
INPUT_DRYRUN: ${{ inputs.dryrun }}
|
|
run: |
|
|
# The 'release' trigger will not have a 'dryrun' input set. Handle
|
|
# this case in a readable/maintainable way.
|
|
$inputs_dryrun = "${env:INPUT_DRYRUN}"
|
|
if ($inputs_dryrun.Length -lt 1) {
|
|
Write-Output "dryrun=false" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
|
|
} else {
|
|
Write-Output "dryrun=${env:INPUT_DRYRUN}" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
|
|
}
|
|
- name: Dry Run Status
|
|
env:
|
|
DRYRUN: ${{ steps.actual_dryrun.outputs.dryrun }}
|
|
run: |
|
|
Write-Output "::notice::This workflow execution will be a dry-run: ${env:DRYRUN}"
|
|
- name: Determine version
|
|
id: getversion
|
|
env:
|
|
INPUT_VERSION: ${{ inputs.version }}
|
|
TAG_NAME: ${{ github.event.release.tag_name }}
|
|
run: |
|
|
$version = "${env:INPUT_VERSION}"
|
|
if ($version.Length -lt 1) {
|
|
$version = "${env:TAG_NAME}"
|
|
if ($version.Length -lt 1) {
|
|
Write-Host "::error::Could not determine version!"
|
|
Exit 1
|
|
}
|
|
}
|
|
Write-Output "version=$version" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
|
|
# Note this purposefully checks out the same branch the action runs in, as the
|
|
# installer build script is designed to support older releases (uses the archives
|
|
# on the release tag).
|
|
- uses: actions/checkout@v6
|
|
with:
|
|
persist-credentials: false
|
|
# This step is super-duper critical for the built/signed windows installer .exe file.
|
|
# It ensures the referenced $version github release page does NOT already contain
|
|
# this file. Windows assigns a UUID to the installer at build time, it's assumed
|
|
# by windows that one release version == one UUID (always). Breaking this assumption
|
|
# has some rather nasty side-effects in windows, such as possibly breaking 'uninstall'
|
|
# functionality. For dry-runs, the .exe is saved in the workflow artifacts for a human
|
|
# to judge w/n (i.e. in some extreme case) it should be uploaded to the release page.
|
|
- name: Check
|
|
id: check
|
|
env:
|
|
VERSION: ${{ steps.getversion.outputs.version }}
|
|
run: |
|
|
Push-Location contrib\win-installer-legacy
|
|
.\check.ps1 "${env:VERSION}"
|
|
$code = $LASTEXITCODE
|
|
if ($code -eq 2) {
|
|
Write-Output "already-exists=true" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
|
|
Pop-Location
|
|
Exit 0
|
|
}
|
|
Write-Output "upload_asset_name=${env:UPLOAD_ASSET_NAME}" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
|
|
Pop-Location
|
|
Exit $code
|
|
# The podman release process requires a cross-compile of the windows binaries be uploaded to
|
|
# the release page as a hard-coded filename. If non-existent, this workflow will fail in
|
|
# non-obvious ways with a non-obvious error message. Address that here.
|
|
- name: Confirm upload_asset_name is non-empty
|
|
if: steps.check.outputs.upload_asset_name == ''
|
|
env:
|
|
VERSION: ${{ steps.getversion.outputs.version }}
|
|
run: |
|
|
Write-Output "::error::check.ps1 script failed to find manually uploaded podman-remote-release-windows_amd64.zip github release asset for version ${env:VERSION}."
|
|
Exit 1
|
|
- name: Set up Go
|
|
uses: actions/setup-go@v6
|
|
# N/B: already-exists may be an empty-string or "false", handle both cases.
|
|
if: steps.check.outputs.already-exists != 'true' || steps.actual_dryrun.outputs.dryrun == 'true'
|
|
with:
|
|
go-version: stable
|
|
cache: false
|
|
- name: Set up WiX
|
|
run: dotnet tool install --global wix
|
|
- name: Setup Signature Tooling
|
|
if: steps.Check.outputs.already-exists != 'true' || steps.actual_dryrun.outputs.dryrun == 'true'
|
|
env:
|
|
AZ_CERT_NAME: ${{ secrets.AZ_CERT_NAME }}
|
|
AZ_VAULT_ID: ${{ secrets.AZ_VAULT_ID }}
|
|
AZ_APP_ID: ${{ secrets.AZ_APP_ID }}
|
|
AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
|
|
AZ_CLIENT_SECRET: ${{ secrets.AZ_CLIENT_SECRET }}
|
|
run: |
|
|
dotnet tool install --global AzureSignTool --version 3.0.0
|
|
echo "CERT_NAME=${env:AZ_CERT_NAME}" | Out-File -FilePath $env:GITHUB_ENV -Append
|
|
echo "VAULT_ID=${env:AZ_VAULT_ID}" | Out-File -FilePath $env:GITHUB_ENV -Append
|
|
echo "APP_ID=${env:AZ_APP_ID}" | Out-File -FilePath $env:GITHUB_ENV -Append
|
|
echo "TENANT_ID=${env:AZ_TENANT_ID}" | Out-File -FilePath $env:GITHUB_ENV -Append
|
|
echo "CLIENT_SECRET=${env:AZ_CLIENT_SECRET}" | Out-File -FilePath $env:GITHUB_ENV -Append
|
|
- name: Pandoc Setup
|
|
uses: r-lib/actions/setup-pandoc@6f6e5bc62fba3a704f74e7ad7ef7676c5c6a2590 # v2.11.4
|
|
with:
|
|
pandoc-version: '3.1.11'
|
|
- name: Build
|
|
id: build
|
|
if: steps.check.outputs.already-exists != 'true' || steps.actual_dryrun.outputs.dryrun == 'true'
|
|
env:
|
|
VERSION: ${{ steps.getversion.outputs.version }}
|
|
run: |
|
|
Push-Location contrib\win-installer-legacy
|
|
.\build.ps1 "${env:VERSION}" prod
|
|
$code = $LASTEXITCODE
|
|
if ($code -eq 2) {
|
|
Write-Output "artifact-missing=true" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
|
|
Pop-Location
|
|
Exit 0
|
|
}
|
|
Pop-Location
|
|
Exit $code
|
|
- name: Artifact
|
|
if: steps.check.outputs.already-exists != 'true' || steps.actual_dryrun.outputs.dryrun == 'true'
|
|
uses: actions/upload-artifact@v5
|
|
with:
|
|
name: installer
|
|
path: |
|
|
${{ steps.check.outputs.upload_asset_name }}
|
|
.\contrib\win-installer-legacy\shasums
|
|
- name: Upload
|
|
if: >-
|
|
steps.actual_dryrun.outputs.dryrun == 'false' &&
|
|
steps.check.outputs.already-exists != 'true' &&
|
|
steps.build.outputs.artifact-missing != 'true'
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
UPLOAD_ASSET_NAME: ${{ steps.check.outputs.upload_asset_name }}
|
|
VERSION: ${{ steps.getversion.outputs.version }}
|
|
run: |
|
|
Push-Location contrib\win-installer-legacy
|
|
$version = "${env:VERSION}"
|
|
if ($version[0] -ne "v") {
|
|
$version = "v$version"
|
|
}
|
|
gh release upload $version "${env:UPLOAD_ASSET_NAME}"
|
|
if ($LASTEXITCODE -ne 0) {
|
|
.\check.ps1 $version
|
|
if ($LASTEXITCODE -eq 2) {
|
|
Write-Host "Another job uploaded before us, skipping"
|
|
Pop-Location
|
|
Exit 0
|
|
}
|
|
Pop-Location
|
|
Exit 1
|
|
}
|
|
if (Test-Path -Path shasums) {
|
|
gh release upload --clobber $version shasums
|
|
}
|
|
Pop-Location
|