Skip to content
This repository has been archived by the owner on Nov 14, 2024. It is now read-only.

Add support for security.txt #79

Add support for security.txt

Add support for security.txt #79

Workflow file for this run

name: PushAction
on:
push:
branches: [ main, master, develop ]
workflow_dispatch:
# Cancel in-progress jobs or runs for the current workflow
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
process-push:
runs-on: self-hosted
steps:
# - name: Cancel previous runs
# uses: n1hility/cancel-previous-runs@v2
# with:
# token: ${{ secrets.GITHUB_TOKEN }}
# HACK! 96Boards is currently using an old Jekyll theme that caches
# built images inside the source directory which gets reset when the
# fetch occurs so let's move it out of the way briefly ...
#
# This hack can be removed once the website is upgraded to use the
# newer theme, which processes images differently.
- name: Preserve merged_sources
run: MS="$GITHUB_WORKSPACE/website/merged_sources"; if [ -d "$MS" ]; then mv "$MS" "$GITHUB_WORKSPACE"; fi
- name: Fetch website repository
uses: actions/checkout@v3
with:
path: website
# HACK!
- name: Restore merged_sources
run: MS="$GITHUB_WORKSPACE/merged_sources"; if [ -d "$MS" ]; then mv "$MS" "$GITHUB_WORKSPACE/website"; fi
- name: Fetch docs repository
uses: actions/checkout@v3
with:
repository: 96boards/documentation
path: documentation
- name: Initialise environment
run: cat "$GITHUB_WORKSPACE/website/.github-env-${GITHUB_REF##*/}" >> $GITHUB_ENV
- run: env
- name: Directory push/pop
uses: linaro-its/[email protected]
with:
cacheDirectory: /srv/site-builds
namedDirectory: ${{ env.SITE_URL }}
destinationDirectory: ${{ github.workspace }}/website
- name: Build site
run: NSBREPO1=${{ github.workspace }}/website NSBREPO2=${{ github.workspace }}/documentation /srv/github-action-scripts/build-jekyll-site.sh
env:
TOKEN: ${{ secrets.GITHUB_TOKEN }}
- run: cat $GITHUB_EVENT_PATH
# - name: Check links
# run: >-
# /srv/github-action-scripts/check-links.sh
# ${{ github.workspace }}/website/${{ env.SITE_URL }}
# --skip-dns-check ${{ github.workspace }}/website/_data/fqdn_exceptions.txt
# --create-github-issue https://api.github.com/repos/96boards/website/issues
# --assign-github-issue '["ric96", "Yang-96Boards"]'
# --github-access-token ${{ secrets.GITHUB_TOKEN }}
- name: Check links
run: >-
/srv/github-action-scripts/check-links.sh
${{ github.workspace }}/website/${{ env.SITE_URL }}
--skip-dns-check ${{ github.workspace }}/website/_data/fqdn_exceptions.txt
--no-external-errors
- name: Check routing rules
run: /srv/github-action-scripts/test-routing-rules.sh
- name: Make staging directory
run: mkdir -p /srv/s3-staging/${{ env.SITE_URL }}
- name: Sync build to staging directory
run: rsync -crui ${{ github.workspace }}/website/${{ env.SITE_URL }}/ /srv/s3-staging/${{ env.SITE_URL }} --delete
- name: set branch env
run: echo "BRANCH=${{ github.ref_name }}" >> $GITHUB_ENV
- name: security.txt
# If running on master branch, add signed security.txt file
if: env.BRANCH == 'master'
run: |
cd "$GITHUB_WORKSPACE/website"
/srv/github-action-scripts/sign-security.sh
if [ -f "security.txt.asc" ]; then
mkdir "/srv/s3-staging/${{ env.SITE_URL }}/.well-known"
mv security.txt.asc "/srv/s3-staging/${{ env.SITE_URL }}/.well-known/security.txt"
else
echo "No security.txt.asc produced"
fi
- name: Upload to S3
run: /srv/github-action-scripts/upload-to-s3-root.sh
- name: Set up Lambda redirect
run: /srv/github-action-scripts/set-up-lambda-redirect.sh ${{ github.workspace }}/website
- name: Set up security headers
run: cd /srv/github-action-scripts && pipenv run python lambda-security-headers.py
- name: Invalidate CloudFront cache
run: /srv/github-action-scripts/invalidate-cloudfront.sh
# - name: Run Pa11y scan
# uses: benc-uk/workflow-dispatch@v1
# with:
# workflow: CheckSite
# repo: linaro-its/pa11y-ci-container
# token: ${{ secrets.BUILD_REPO_TOKEN }}
# inputs: '{ "uri": "${{ env.SITE_URL }}" }'