-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathaction.yml
98 lines (90 loc) · 3.92 KB
/
action.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
name: 'TimestampIt!'
description: 'Create signed Trusted Timestamps that prove when your code was pushed or merged'
branding:
icon: 'clock'
color: 'black'
inputs:
timestamps_branch:
description: 'Branch where trusted timestamps will be stored'
required: false
default: 'trusted_timestamps'
timestampit_username:
description: 'Username for TimestampIt! user'
required: false
default: 'github_actions_default'
timestampit_password:
description: 'Password for TimestampIt! user'
required: false
default: 'wsgipbtk'
runs:
using: "composite"
steps:
# checkout the repo into a subfolder
- name: checkout default branch of repo
uses: actions/checkout@v4
with:
path: code_to_timestamp
# create a hash of all files in the repo
- name: hash default branch of repo
id: hash-repo
working-directory: code_to_timestamp
shell: bash
run: |
echo "REPO_HASH=$(git ls-tree --full-tree -r --name-only HEAD | sort | xargs shasum -a 256 | shasum -a 256 | awk '{print $1}')" >> "$GITHUB_OUTPUT"
# check if the special trusted timestamp branch exists.
# If it does not, create it.
# If creating a new branch add the support files (Readme and verification script)
# Note: This reuses the checkout used to make the repo hash for speed and convenience
- name: create timestamps branch if it does not exist
env:
TIMESTAMPS_BRANCH: ${{ inputs.timestamps_branch }}
working-directory: code_to_timestamp
shell: bash
run: |
if ! git ls-remote --exit-code --heads origin refs/heads/$TIMESTAMPS_BRANCH > /dev/null; then
# create a new branch that is empty
git switch --orphan $TIMESTAMPS_BRANCH
# Setup the new branch with a README and a verification script
# These files are taken from this github action repo
touch README.md verify_repo_timestamp.sh
cat "${{ github.action_path }}/new_branch_files/new_branch_README.md" > README.md
cat "${{ github.action_path }}/new_branch_files/verify_repo_timestamp.sh" > verify_repo_timestamp.sh
chmod 755 verify_repo_timestamp.sh
git add README.md verify_repo_timestamp.sh
# push the new branch with support files
git config user.name "github-actions[bot]"
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
git commit -m "Creating $TIMESTAMPS_BRANCH branch"
git push origin $TIMESTAMPS_BRANCH
fi
# checkout the branch to which the new timestamp will be added
- name: checkout timestamps branch of repo
uses: actions/checkout@v4
with:
ref: ${{ inputs.timestamps_branch }}
path: timestamps
# Create and commit, and push the new trusted timestamp
- name: Create trusted timestamp
env:
REPO_HASH: ${{ steps.hash-repo.outputs.REPO_HASH }}
EXT_JSON: ${{ steps.construct-ext.outputs.EXT_JSON }}
TIMESTAMPS_BRANCH: ${{ inputs.timestamps_branch }}
TIMESTAMPIT_USERNAME: ${{ inputs.timestampit_username }}
TIMESTAMPIT_PASSWORD: ${{ inputs.timestampit_password }}
working-directory: timestamps
shell: bash
run: |
timestamp_filename="$GITHUB_SHA.trusted_timestamp"
ext_json="{\"repo\": \"$GITHUB_SERVER_URL/$GITHUB_REPOSITORY\", \"sha\": \"$GITHUB_SHA\"}"
curl \
--data-urlencode algorithm=sha256 \
--data-urlencode digest=$REPO_HASH \
--data-urlencode ext="$ext_json" \
--user $TIMESTAMPIT_USERNAME:$TIMESTAMPIT_PASSWORD \
-o "$timestamp_filename" \
https://timestampit.com/create
git config user.name "github-actions[bot]"
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
git add "$timestamp_filename"
git commit -m "Add trusted timestamp for sha $GITHUB_SHA"
git push origin $TIMESTAMPS_BRANCH