

Standardize repository structure (#17)
* Update README and add LICENSE file

* Add issue template

* Add workflow to check for certificates validity

* Add .gitignore

* Updated go lint dependency

* Add Taskfile

* Update test workflow

* Add DistTasks.yml to generate file for distribution

* Add release workflow

* Add .prettierrc and .prettierignore

* Add verify formatting workflow

* Add stale issues workflow

* Add link validation workflow

* Add check notarization certificates workflow

* Fix README.md formatting

* Fix certificates workflows

* Fix notarization in release workflow

* Fix actions casing

* Fix stale issues workflow

* Fix test workflow

* Fix LICENSE file

* Update markdown link check config

* Update README.md

* Fix certificates workflow

* Fix link validation workflow

* Fix release workflow

* Add gon config file for OS X notarization

* Fix release workflow

* Fix certificates workflows
silvanocerza committed Mar 23, 2021
1 parent 2737cb3 commit 5a37bc1
Showing 20 changed files with 1,413 additions and 185 deletions.
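--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -0,0 +1,25 @@
+---
+name: 🐛 Bug Report
+about: If something isn't working as expected 🤔.
+---
+
+## Bug Report
+
+### Current behavior
+
+<!-- Paste the full command you run -->
+
+<!-- Add a clear and concise description of the behavior. -->
+
+### Expected behavior
+
+<!-- Add a clear and concise description of what you expected to happen. -->
+
+### Environment
+
+- Updater version:
+- OS and platform:
+
+### Additional context
+
+<!-- (Optional) Add any other context about the problem here. -->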
99 changes: 99 additions & 0 deletions .github/workflows/check-certificates.yml
@@ -0,0 +1,99 @@
name: Check for issues with signing certificates

on:
schedule:
# run every 10 hours
- cron: "0 */10 * * *"
# workflow_dispatch event allows the workflow to be triggered manually.
# This could be used to run an immediate check after updating certificate secrets.
# See: https://docs.github.com/en/actions/reference/events-that-trigger-workflows#workflow_dispatch
workflow_dispatch:

env:
# Begin notifications when there are less than this many days remaining before expiration
EXPIRATION_WARNING_PERIOD: 30

jobs:
get-certificates-list:
# This workflow would fail in forks that don't have the certificate secrets defined
if: github.repository == 'arduino/FirmwareUpdater'
runs-on: ubuntu-latest
outputs:
certificates: ${{ steps.get-files.outputs.certificates }}

steps:
- name: checkout
uses: actions/checkout@v2

- name: Set certificates path environment variable
run: |
# See: https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-commands-for-github-actions#setting-an-environment-variable
echo "FILES=\"$(ls ${{ github.workspace }}/certs/* | xargs | sed 's/ /","/g')\"" >> $GITHUB_ENV
- name: Get files list
id: get-files
run: |
JSON=$(echo '[${{ join(env.FILES) }}]' | jq -c '{"cert_file": .}')
echo "::set-output name=certificates::$JSON"
check-certificates:
# This workflow would fail in forks that don't have the certificate secrets defined
if: github.repository == 'arduino/FirmwareUpdater'
runs-on: ubuntu-latest
needs: get-certificates-list

strategy:
fail-fast: false
matrix: ${{fromJSON(needs.get-certificates-list.outputs.certificates)}}

steps:
- name: checkout
uses: actions/checkout@v2

- name: Get days remaining before certificate expiration date
id: get-days-before-expiration
run: |
EXPIRATION_DATE="$(
(
openssl x509 \
-inform der \
-in ${{ matrix.cert_file }} \
-enddate -noout
) | (
grep \
--max-count=1 \
--only-matching \
--perl-regexp \
'notAfter=(\K.*)'
)
)"
DAYS_BEFORE_EXPIRATION="$((($(date --utc --date="$EXPIRATION_DATE" +%s) - $(date --utc +%s)) / 60 / 60 / 24))"
# Display the expiration information in the log
echo "Certificate expiration date: $EXPIRATION_DATE"
echo "Days remaining before expiration: $DAYS_BEFORE_EXPIRATION"
echo "::set-output name=days::$DAYS_BEFORE_EXPIRATION"
- name: Check if expiration notification period has been reached
id: check-expiration
run: |
DAYS=${{ steps.get-days-before-expiration.outputs.days }}
if [[ $DAYS -lt ${{ env.EXPIRATION_WARNING_PERIOD }} ]]; then
echo "::error::${{ matrix.cert_file }} will expire in $DAYS days!!!"
exit 1
fi
- name: Slack notification of pending certificate expiration
# Don't send spurious expiration notification if verification fails
if: failure() && steps.check-expiration.outcome == 'failure'
uses: rtCamp/action-slack-notify@v2.1.0
env:
SLACK_WEBHOOK: ${{ secrets.TEAM_TOOLING_CHANNEL_SLACK_WEBHOOK }}
SLACK_MESSAGE: |
:warning::warning::warning::warning:
WARNING: ${{ github.repository }} ${{ matrix.cert_file }} will expire in ${{ steps.get-days-before-expiration.outputs.days }} days!!!
:warning::warning::warning::warning:
SLACK_COLOR: danger
MSG_MINIMAL: true
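Review bot: The third-party action on the `uses: rtCamp/action-slack-notify@v2.1.0` line (and `actions/checkout@v2`) is pinned to a mutable tag, so a retagged release would run different code in a job that receives `secrets.TEAM_TOOLING_CHANNEL_SLACK_WEBHOOK`; pin to a full commit SHA and keep the tag as a comment, e.g. `uses: rtCamp/action-slack-notify@<COMMIT_SHA_PLACEHOLDER> # v2.1.0`. The same applies to the actions in check-notarization-certificates.yml and link-validation.yml, where `arduino/actions/setup-taskfile@master` tracks a branch rather than a release. Separately, the `FILES` value in the "Set certificates path environment variable" step is built with `ls ... | xargs | sed 's/ /","/g'`, which splits on whitespace and only escapes spaces, so a certificate filename containing a space or a double quote would most likely yield an invalid or wrong matrix. Building the list with `jq -R .` over a newline-separated glob and then `jq -cs '{"cert_file": .}'`, and quoting the later use as `-in "${{ matrix.cert_file }}"`, keeps the path intact end to end.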
121 changes: 121 additions & 0 deletions .github/workflows/check-notarization-certificates.yml
@@ -0,0 +1,121 @@
name: Check for issues with notarization certificates

on:
schedule:
# run every 10 hours
- cron: "0 */10 * * *"
# workflow_dispatch event allows the workflow to be triggered manually.
# This could be used to run an immediate check after updating certificate secrets.
# See: https://docs.github.com/en/actions/reference/events-that-trigger-workflows#workflow_dispatch
workflow_dispatch:

env:
# Begin notifications when there are less than this many days remaining before expiration
EXPIRATION_WARNING_PERIOD: 30

jobs:
check-certificates:
# This workflow would fail in forks that don't have the certificate secrets defined
if: github.repository == 'arduino/FirmwareUpdater'
runs-on: ubuntu-latest

strategy:
fail-fast: false

matrix:
certificate:
- identifier: macOS signing certificate # Text used to identify the certificate in notifications
certificate-secret: INSTALLER_CERT_MAC_P12 # The name of the secret that contains the certificate
password-secret: INSTALLER_CERT_MAC_PASSWORD # The name of the secret that contains the certificate password

steps:
- name: Set certificate path environment variable
run: |
# See: https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-commands-for-github-actions#setting-an-environment-variable
echo "CERTIFICATE_PATH=${{ runner.temp }}/certificate.p12" >> "$GITHUB_ENV"
- name: Decode certificate
env:
CERTIFICATE: ${{ secrets[matrix.certificate.certificate-secret] }}
run: |
echo "${{ env.CERTIFICATE }}" | base64 --decode > "${{ env.CERTIFICATE_PATH }}"
- name: Verify certificate
env:
CERTIFICATE_PASSWORD: ${{ secrets[matrix.certificate.password-secret] }}
run: |
(
openssl pkcs12 \
-in "${{ env.CERTIFICATE_PATH }}" \
-noout -passin env:CERTIFICATE_PASSWORD
) || (
echo "::error::Verification of ${{ matrix.certificate.identifier }} failed!!!"
exit 1
)
# See: https://github.com/rtCamp/action-slack-notify
- name: Slack notification of certificate verification failure
if: failure()
uses: rtCamp/action-slack-notify@v2.1.0
env:
SLACK_WEBHOOK: ${{ secrets.TEAM_TOOLING_CHANNEL_SLACK_WEBHOOK }}
SLACK_MESSAGE: |
:warning::warning::warning::warning:
WARNING: ${{ github.repository }} ${{ matrix.certificate.identifier }} verification failed!!!
:warning::warning::warning::warning:
SLACK_COLOR: danger
MSG_MINIMAL: true

- name: Get days remaining before certificate expiration date
env:
CERTIFICATE_PASSWORD: ${{ secrets[matrix.certificate.password-secret] }}
id: get-days-before-expiration
run: |
EXPIRATION_DATE="$(
(
openssl pkcs12 \
-in "${{ env.CERTIFICATE_PATH }}" \
-clcerts \
-nodes \
-passin env:CERTIFICATE_PASSWORD
) | (
openssl x509 \
-noout \
-enddate
) | (
grep \
--max-count=1 \
--only-matching \
--perl-regexp \
'notAfter=(\K.*)'
)
)"
DAYS_BEFORE_EXPIRATION="$((($(date --utc --date="$EXPIRATION_DATE" +%s) - $(date --utc +%s)) / 60 / 60 / 24))"
# Display the expiration information in the log
echo "Certificate expiration date: $EXPIRATION_DATE"
echo "Days remaining before expiration: $DAYS_BEFORE_EXPIRATION"
echo "::set-output name=days::$DAYS_BEFORE_EXPIRATION"
- name: Check if expiration notification period has been reached
id: check-expiration
run: |
if [[ ${{ steps.get-days-before-expiration.outputs.days }} -lt ${{ env.EXPIRATION_WARNING_PERIOD }} ]]; then
echo "::error::${{ matrix.certificate.identifier }} will expire in ${{ steps.get-days-before-expiration.outputs.days }} days!!!"
exit 1
fi
- name: Slack notification of pending certificate expiration
# Don't send spurious expiration notification if verification fails
if: failure() && steps.check-expiration.outcome == 'failure'
uses: rtCamp/action-slack-notify@v2.1.0
env:
SLACK_WEBHOOK: ${{ secrets.TEAM_TOOLING_CHANNEL_SLACK_WEBHOOK }}
SLACK_MESSAGE: |
:warning::warning::warning::warning:
WARNING: ${{ github.repository }} ${{ matrix.certificate.identifier }} will expire in ${{ steps.get-days-before-expiration.outputs.days }} days!!!
:warning::warning::warning::warning:
SLACK_COLOR: danger
MSG_MINIMAL: true
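Review bot: The "Decode certificate" step interpolates the secret with `${{ env.CERTIFICATE }}` inside the `run:` script, which substitutes the certificate contents into the generated script text before the shell runs it; the step already exposes the value as the `CERTIFICATE` environment variable, so read it from the shell instead: `echo "$CERTIFICATE" | base64 --decode > "$CERTIFICATE_PATH"`. That keeps the secret out of the script file and matches how the password is already handled via `-passin env:CERTIFICATE_PASSWORD` in the "Verify certificate" step; the `${{ env.CERTIFICATE_PATH }}` references in the openssl steps can likewise become `"$CERTIFICATE_PATH"`. In the "Check if expiration notification period has been reached" step, `[[ ${{ steps.get-days-before-expiration.outputs.days }} -lt ... ]]` turns into a bash syntax error if that output is ever empty; assigning it first, as check-certificates.yml does with `DAYS=...`, and testing `[[ "$DAYS" -lt ... ]]` gives a clearer failure.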
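--- a/.github/workflows/link-validation.yml
+++ b/.github/workflows/link-validation.yml
@@ -0,0 +1,24 @@
+name: Verifies documentation links
+
+on:
+push:
+pull_request:
+schedule:
+- cron: "0 3 * * 1" # Every Monday at 03:00
+
+jobs:
+verify-links:
+# Don't trigger on schedule event when in a fork
+if: github.event_name != 'schedule' || (github.event_name == 'schedule' && github.repository == 'arduino/FirmwareUpdater')
+runs-on: ubuntu-latest
+steps:
+- uses: actions/checkout@v2
+
+- name: Install Taskfile
+uses: arduino/actions/setup-taskfile@master
+with:
+repo-token: ${{ secrets.GITHUB_TOKEN }}
+version: 3.x
+
+- name: Verify links
+run: task docs:check-links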
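Review bot: The `if:` condition on the verify-links job repeats the `schedule` test in its second clause, which is already implied once the first clause is false, so the expression is longer than it needs to be. `if: github.event_name != 'schedule' || github.repository == 'arduino/FirmwareUpdater'` is equivalent and easier to read alongside the "Don't trigger on schedule event when in a fork" comment.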
