feat(ci): update build and scan workflows with cosign integration and frontend dependency management

This commit is contained in:
Ivan
2026-03-31 00:32:35 +03:00
parent e8e5128bc6
commit 4fa7940f9a
2 changed files with 48 additions and 9 deletions
+29 -9
@@ -21,6 +21,9 @@ permissions:
contents: write
packages: write
env:
COSIGN_VERSION: "3.0.5"
jobs:
build:
name: Build and Release
@@ -146,7 +149,7 @@ jobs:
echo "## SHA256 Checksums" > release-body.md
echo "" >> release-body.md
for file in release-assets/*; do
if [ -f "$file" ] && [[ "$file" != *.sha256 ]] && [[ "$file" != *release-body.md* ]]; then
if [ -f "$file" ] && [[ "$file" != *.sha256 ]] && [[ "$file" != *.cosign.bundle ]] && [[ "$file" != *release-body.md* ]]; then
filename=$(basename "$file")
if [ -f "release-assets/$(unknown).sha256" ]; then
# Extract just the filename and its sha256 (format: <sha256> <filename>)
@@ -155,6 +158,30 @@ jobs:
fi
done
- name: SLSA attestations (cosign)
env:
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
GITHUB_SERVER_URL: ${{ github.server_url }}
GITHUB_REPOSITORY: ${{ github.repository }}
GITHUB_SHA: ${{ github.sha }}
GITHUB_REF: ${{ github.ref }}
GITHUB_RUN_ID: ${{ github.run_id }}
GITHUB_RUN_ATTEMPT: ${{ github.run_attempt }}
GITHUB_WORKFLOW: ${{ github.workflow }}
run: |
set -eu
if [ -z "${COSIGN_PRIVATE_KEY:-}" ]; then
echo "Skipping SLSA attestations: add repository secret COSIGN_PRIVATE_KEY (PEM) to sign releases."
exit 0
fi
sh scripts/ci/setup-cosign.sh "${COSIGN_VERSION}"
printf '%s\n' "$COSIGN_PRIVATE_KEY" > /tmp/cosign.key
chmod 600 /tmp/cosign.key
export COSIGN_KEY_PATH=/tmp/cosign.key
sh scripts/ci/attest-release-assets.sh ./release-assets
rm -f /tmp/cosign.key
- name: Validate version
run: |
VERSION="${{ steps.version.outputs.version }}"
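Review bot: In the new `SLSA attestations (cosign)` step the private key written to `/tmp/cosign.key` is only deleted on the success path; with `set -eu`, a failing `attest-release-assets.sh` (or `setup-cosign.sh`, which runs before the key is written but after the skip check) exits the step before `rm -f`, leaving the PEM on the runner filesystem. The file is also created by `printf` before `chmod 600`, so under the default umask it is briefly readable, and the fixed path is reused across runs. Creating the key with `mktemp` under `umask 077` and registering a `trap ... EXIT` before writing it closes all three; the rewritten lines are below. Separately, the missing-secret branch exits 0 with a plain echo, so a tag build can publish unsigned assets without the job turning yellow — emitting a `::warning::` annotation (or failing on tag refs) would make that visible in the run summary. The enclosing job continues outside the hunk.
```yaml
run: |
  set -eu
  # … unchanged: skip with a message when COSIGN_PRIVATE_KEY is unset …
  sh scripts/ci/setup-cosign.sh "${COSIGN_VERSION}"
  umask 077
  COSIGN_KEY_PATH="$(mktemp)"
  trap 'rm -f "$COSIGN_KEY_PATH"' EXIT
  printf '%s\n' "$COSIGN_PRIVATE_KEY" > "$COSIGN_KEY_PATH"
  export COSIGN_KEY_PATH
  sh scripts/ci/attest-release-assets.sh ./release-assets
```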
@@ -176,14 +203,7 @@ jobs:
gitea_token: ${{ secrets.GITEA_TOKEN }}
title: ${{ steps.version.outputs.version }}
tag: ${{ steps.version.outputs.version }}
files: |
release-assets/*.AppImage
release-assets/*.deb
release-assets/*.rpm
release-assets/*.whl
release-assets/*.zip
release-assets/*.sha256
release-assets/sbom.cyclonedx.json
files: release-assets/*
body_path: "release-body.md"
draft: true
prerelease: false
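Review bot: `files: release-assets/*` replaces the explicit asset list with a directory glob, so anything an earlier step leaves in `release-assets/` is published as a release asset; the checksum loop in the earlier hunk still special-cases `release-body.md` and `.cosign.bundle` files in that same directory, which suggests non-artifact files can land there. If the only intent is to ship the new signature bundles, keeping the list and appending `release-assets/*.cosign.bundle` preserves the allowlist behaviour. Whether the action expands the glob itself is not visible here and should be confirmed against its docs.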
+19
@@ -30,6 +30,25 @@ jobs:
git init -q && git remote add origin "${SERVER}/${REPO}.git"
git fetch -q --depth=1 origin "${GITHUB_SHA}" && git checkout -q FETCH_HEAD
- name: Setup Node.js
run: sh scripts/ci/setup-node.sh 24
- name: Setup pnpm
run: sh scripts/ci/setup-pnpm.sh
- name: Setup Task
run: sh scripts/ci/setup-task.sh
- name: Install frontend dependencies
run: |
. scripts/ci/ci-node-path.sh
task deps:fe
- name: pnpm audit
run: |
. scripts/ci/ci-node-path.sh
pnpm audit --audit-level=high
- name: Download Trivy
run: |
curl -L -o /tmp/trivy.deb https://git.quad4.io/Quad4-Software/Trivy-Assets/raw/commit/fdfe96b77d2f7b7f5a90cea00af5024c9f728f17/trivy_0.69.3_Linux-64bit.deb