Upload Release Assets #28
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Upload Release Assets | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| release_name: | |
| description: 'The release version to upload to (e.g. 0.9.0)' | |
| required: true | |
| run_ids: | |
| description: 'Comma-separated run IDs of workflows with artifacts to download' | |
| required: false | |
| force: | |
| description: 'Force upload even if the release is no longer a draft' | |
| type: boolean | |
| required: false | |
| default: false | |
| permissions: | |
| contents: read | |
| jobs: | |
| publish: | |
| name: Publish Assets | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write # need to write to releases and download artifacts | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 | |
| with: | |
| node-version: '20' | |
| - name: Create artifacts directory | |
| run: mkdir -p ./artifacts | |
| - name: Download artifacts from workflow runs | |
| if: ${{ inputs.run_ids != '' }} | |
| run: | | |
| mkdir -p ./artifacts | |
| # Split the run_ids input by comma and process each run ID | |
| IFS=',' read -ra RUN_IDS <<< "${{ inputs.run_ids }}" | |
| for run_id in "${RUN_IDS[@]}"; do | |
| run_id=$(echo $run_id | xargs) # Trim whitespace | |
| if [ -n "$run_id" ]; then | |
| echo "Downloading artifacts from run ID: $run_id" | |
| # Create a subdirectory for this run | |
| mkdir -p "./artifacts/run-$run_id" | |
| # Download artifacts for this run ID | |
| # Note: This action will automatically download all artifacts from the run | |
| gh run download $run_id --dir "./artifacts/run-$run_id" | |
| fi | |
| done | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: List artifacts | |
| run: | | |
| echo "Downloaded artifacts:" | |
| find ./artifacts -type f -not -path "*/\.*" | sort | |
| # Flatten directory structure for easier upload | |
| - name: Prepare artifacts for upload | |
| run: | | |
| mkdir -p ./flattened-artifacts | |
| find ./artifacts -type f -not -path "*/\.*" -exec cp {} ./flattened-artifacts/ \; | |
| # Remove blockmap files if they exist | |
| find ./flattened-artifacts -type f -name "*.blockmap" -exec rm {} \; | |
| echo "Files prepared for upload:" | |
| ls -la ./flattened-artifacts/ | |
| # Exit if no files are found | |
| if [ -z "$(ls -A ./flattened-artifacts)" ]; then | |
| echo "No artifacts found to upload!" | |
| exit 0 | |
| fi | |
| - name: Prepare GPG key | |
| run: | | |
| gpg_dir=.cr-gpg | |
| mkdir "$gpg_dir" | |
| # referring keyring to private key of gpg | |
| keyring="$gpg_dir/secring.gpg" | |
| # storing base64 GPG key into keyring | |
| base64 -d <<< "$GPG_KEYRING_BASE64" > "$keyring" | |
| # Import the GPG key for signing | |
| gpg --batch --import "$keyring" | |
| passphrase_file="$gpg_dir/passphrase" | |
| # storing passphrase data into a file | |
| echo "$GPG_PASSPHRASE" > "$passphrase_file" | |
| # saving passphrase into github-environment | |
| echo "CR_PASSPHRASE_FILE=$passphrase_file" >> "$GITHUB_ENV" | |
| # saving private key into github-environemnt | |
| echo "CR_KEYRING=$keyring" >> "$GITHUB_ENV" | |
| env: | |
| GPG_KEYRING_BASE64: "${{ secrets.GPG_KEYRING_BASE64 }}" #Referring secrets of github above | |
| GPG_PASSPHRASE: "${{ secrets.GPG_PASSPHRASE }}" | |
| - name: Install script dependencies | |
| working-directory: ./app/scripts/push-release-assets | |
| run: npm ci | |
| - name: Upload assets to release | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.RELEASE_UPDATE_TOKEN }} | |
| run: | | |
| FORCE_FLAG="" | |
| if [ "${{ github.event.inputs.force }}" == "true" ]; then | |
| FORCE_FLAG="--force" | |
| fi | |
| ARTIFACTS_PATH="$(pwd)/flattened-artifacts" | |
| ASSETS=($(ls -1 $ARTIFACTS_PATH)) | |
| # Create the command with all artifact paths | |
| cd ./app/scripts/push-release-assets/ | |
| CMD="node push-release-assets.js $FORCE_FLAG ${{ inputs.release_name }}" | |
| for asset in "${ASSETS[@]}"; do | |
| CMD+=" $ARTIFACTS_PATH/$asset" | |
| done | |
| echo "Executing: $CMD" | |
| eval $CMD | |
| - name: Create and sign checksums signature | |
| run: | | |
| # Wait a moment for the checksums.txt to be available | |
| sleep 5 | |
| # Create temporary directory for checksums | |
| mkdir -p ./temp-checksums | |
| # Download the checksums.txt file that was just uploaded | |
| gh release download ${{ inputs.release_name }} --pattern "checksums.txt" --dir ./temp-checksums --clobber | |
| # Create detached signature for checksums.txt | |
| gpg --batch --yes --passphrase-file "$CR_PASSPHRASE_FILE" --default-key "${{ secrets.GPG_SIGNING_KEY_NAME }}" --armor --detach-sign ./temp-checksums/checksums.txt | |
| # Upload the signature file | |
| gh release upload ${{ inputs.release_name }} ./temp-checksums/checksums.txt.asc --clobber | |
| echo "Checksums signature created and uploaded successfully" | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.RELEASE_UPDATE_TOKEN }} |