This repository has been archived by the owner on Nov 14, 2024. It is now read-only.
Add support for security.txt #79
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: PushAction | |
on: | |
push: | |
branches: [ main, master, develop ] | |
workflow_dispatch: | |
# Cancel in-progress jobs or runs for the current workflow | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
jobs: | |
process-push: | |
runs-on: self-hosted | |
steps: | |
# - name: Cancel previous runs | |
# uses: n1hility/cancel-previous-runs@v2 | |
# with: | |
# token: ${{ secrets.GITHUB_TOKEN }} | |
# HACK! 96Boards is currently using an old Jekyll theme that caches | |
# built images inside the source directory which gets reset when the | |
# fetch occurs so let's move it out of the way briefly ... | |
# | |
# This hack can be removed once the website is upgraded to use the | |
# newer theme, which processes images differently. | |
- name: Preserve merged_sources | |
run: MS="$GITHUB_WORKSPACE/website/merged_sources"; if [ -d "$MS" ]; then mv "$MS" "$GITHUB_WORKSPACE"; fi | |
- name: Fetch website repository | |
uses: actions/checkout@v3 | |
with: | |
path: website | |
# HACK! | |
- name: Restore merged_sources | |
run: MS="$GITHUB_WORKSPACE/merged_sources"; if [ -d "$MS" ]; then mv "$MS" "$GITHUB_WORKSPACE/website"; fi | |
- name: Fetch docs repository | |
uses: actions/checkout@v3 | |
with: | |
repository: 96boards/documentation | |
path: documentation | |
- name: Initialise environment | |
run: cat "$GITHUB_WORKSPACE/website/.github-env-${GITHUB_REF##*/}" >> $GITHUB_ENV | |
- run: env | |
- name: Directory push/pop | |
uses: linaro-its/[email protected] | |
with: | |
cacheDirectory: /srv/site-builds | |
namedDirectory: ${{ env.SITE_URL }} | |
destinationDirectory: ${{ github.workspace }}/website | |
- name: Build site | |
run: NSBREPO1=${{ github.workspace }}/website NSBREPO2=${{ github.workspace }}/documentation /srv/github-action-scripts/build-jekyll-site.sh | |
env: | |
TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- run: cat $GITHUB_EVENT_PATH | |
# - name: Check links | |
# run: >- | |
# /srv/github-action-scripts/check-links.sh | |
# ${{ github.workspace }}/website/${{ env.SITE_URL }} | |
# --skip-dns-check ${{ github.workspace }}/website/_data/fqdn_exceptions.txt | |
# --create-github-issue https://api.github.com/repos/96boards/website/issues | |
# --assign-github-issue '["ric96", "Yang-96Boards"]' | |
# --github-access-token ${{ secrets.GITHUB_TOKEN }} | |
- name: Check links | |
run: >- | |
/srv/github-action-scripts/check-links.sh | |
${{ github.workspace }}/website/${{ env.SITE_URL }} | |
--skip-dns-check ${{ github.workspace }}/website/_data/fqdn_exceptions.txt | |
--no-external-errors | |
- name: Check routing rules | |
run: /srv/github-action-scripts/test-routing-rules.sh | |
- name: Make staging directory | |
run: mkdir -p /srv/s3-staging/${{ env.SITE_URL }} | |
- name: Sync build to staging directory | |
run: rsync -crui ${{ github.workspace }}/website/${{ env.SITE_URL }}/ /srv/s3-staging/${{ env.SITE_URL }} --delete | |
- name: set branch env | |
run: echo "BRANCH=${{ github.ref_name }}" >> $GITHUB_ENV | |
- name: security.txt | |
# If running on master branch, add signed security.txt file | |
if: env.BRANCH == 'master' | |
run: | | |
cd "$GITHUB_WORKSPACE/website" | |
/srv/github-action-scripts/sign-security.sh | |
if [ -f "security.txt.asc" ]; then | |
mkdir "/srv/s3-staging/${{ env.SITE_URL }}/.well-known" | |
mv security.txt.asc "/srv/s3-staging/${{ env.SITE_URL }}/.well-known/security.txt" | |
else | |
echo "No security.txt.asc produced" | |
fi | |
- name: Upload to S3 | |
run: /srv/github-action-scripts/upload-to-s3-root.sh | |
- name: Set up Lambda redirect | |
run: /srv/github-action-scripts/set-up-lambda-redirect.sh ${{ github.workspace }}/website | |
- name: Set up security headers | |
run: cd /srv/github-action-scripts && pipenv run python lambda-security-headers.py | |
- name: Invalidate CloudFront cache | |
run: /srv/github-action-scripts/invalidate-cloudfront.sh | |
# - name: Run Pa11y scan | |
# uses: benc-uk/workflow-dispatch@v1 | |
# with: | |
# workflow: CheckSite | |
# repo: linaro-its/pa11y-ci-container | |
# token: ${{ secrets.BUILD_REPO_TOKEN }} | |
# inputs: '{ "uri": "${{ env.SITE_URL }}" }' |