From b38aba43ddd179ef9d6c4d7572679d6d325a39c3 Mon Sep 17 00:00:00 2001
From: bitterpanda
Date: Tue, 19 May 2026 14:37:02 -0700
Subject: [PATCH 01/10] Create a bump-endpoint.yml workflow
---
 .github/workflows/bump-endpoint.yml | 82 +++++++++++++++++++++++++++++
 1 file changed, 82 insertions(+)
 create mode 100644 .github/workflows/bump-endpoint.yml
diff --git a/.github/workflows/bump-endpoint.yml b/.github/workflows/bump-endpoint.yml
new file mode 100644
index 0000000..595e820
--- /dev/null
+++ b/.github/workflows/bump-endpoint.yml
@@ -0,0 +1,82 @@
+name: Bump safechain-internals endpoint
+
+on:
+  schedule:
+    - cron: '0 * * * *' # every hour
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  bump-endpoint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Get latest safechain-internals release
+        id: latest
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          VERSION=$(gh api repos/AikidoSec/safechain-internals/releases/latest --jq '.tag_name')
+          echo "version=$VERSION" >> $GITHUB_OUTPUT
+
+      - name: Get current version from install script
+        id: current
+        run: |
+          CURRENT=$(grep -oP '(?<=releases/download/)[^/]+(?=/EndpointProtection\.pkg)' install-scripts/install-endpoint-mac.sh)
+          echo "version=$CURRENT" >> $GITHUB_OUTPUT
+
+      - name: Download assets and compute checksums
+        if: steps.latest.outputs.version != steps.current.outputs.version
+        id: checksums
+        run: |
+          VERSION="${{ steps.latest.outputs.version }}"
+          BASE="https://github.com/AikidoSec/safechain-internals/releases/download/${VERSION}"
+          curl -fsSL "${BASE}/EndpointProtection.pkg" -o /tmp/EndpointProtection.pkg
+          curl -fsSL "${BASE}/EndpointProtection.msi" -o /tmp/EndpointProtection.msi
+          echo "mac=$(sha256sum /tmp/EndpointProtection.pkg | cut -d' ' -f1)" >> $GITHUB_OUTPUT
+          echo "win=$(sha256sum /tmp/EndpointProtection.msi | cut -d' ' -f1)" >> $GITHUB_OUTPUT
+
+      - name: Update install scripts
+        if: steps.latest.outputs.version != steps.current.outputs.version
+        run: |
+          NEW="${{ steps.latest.outputs.version }}"
+          OLD="${{ steps.current.outputs.version }}"
+          MAC_SHA="${{ steps.checksums.outputs.mac }}"
+          WIN_SHA="${{ steps.checksums.outputs.win }}"
+
+          sed -i "s|${OLD}/EndpointProtection.pkg|${NEW}/EndpointProtection.pkg|" install-scripts/install-endpoint-mac.sh
+          sed -i "s|^DOWNLOAD_SHA256=\"[^\"]*\"|DOWNLOAD_SHA256=\"${MAC_SHA}\"|" install-scripts/install-endpoint-mac.sh
+
+          sed -i "s|${OLD}/EndpointProtection.msi|${NEW}/EndpointProtection.msi|" install-scripts/install-endpoint-windows.ps1
+          sed -i 's|^\$DownloadSha256 = "[^"]*"|\$DownloadSha256 = "'"${WIN_SHA}"'"|' install-scripts/install-endpoint-windows.ps1
+
+      - name: Open PR
+        if: steps.latest.outputs.version != steps.current.outputs.version
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          NEW="${{ steps.latest.outputs.version }}"
+          OLD="${{ steps.current.outputs.version }}"
+          BRANCH="bump/endpoint-${NEW}"
+
+          # Skip if a PR for this version already exists
+          if gh pr list --head "$BRANCH" --json number --jq '.[0].number' | grep -q '[0-9]'; then
+            echo "PR for $NEW already open, skipping."
+            exit 0
+          fi
+
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+          git checkout -b "$BRANCH"
+          git add install-scripts/install-endpoint-mac.sh install-scripts/install-endpoint-windows.ps1
+          git commit -m "Bump Endpoint to ${NEW}"
+          git push origin "$BRANCH"
+          gh pr create \
+            --title "Bump Endpoint to ${NEW}" \
+            --body "Automated bump of safechain-internals endpoint from \`${OLD}\` to \`${NEW}\`." \
+            --head "$BRANCH" \
+            --base main
From 9d44eca1d169c4c1714c9c39eb48bc20548d9468 Mon Sep 17 00:00:00 2001
From: bitterpanda
Date: Tue, 19 May 2026 14:39:04 -0700
Subject: [PATCH 02/10] Apply suggestion from @bitterpanda63
---
 .github/workflows/bump-endpoint.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/bump-endpoint.yml b/.github/workflows/bump-endpoint.yml
index 595e820..0968115 100644
--- a/.github/workflows/bump-endpoint.yml
+++ b/.github/workflows/bump-endpoint.yml
@@ -1,4 +1,4 @@
-name: Bump safechain-internals endpoint
+name: Bump Device Protection Automatically
 
 on:
   schedule:
From cbbbe703d316912cedcf3ad0127f10956f123f04 Mon Sep 17 00:00:00 2001
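Review bot: The tag name read from the safechain-internals release API is spliced into `run:` scripts as a `${{ steps.latest.outputs.version }}` expression (the `VERSION=`, `NEW=` and `OLD=` assignments of the checksum, update and PR steps), and the runner substitutes `${{ }}` into the script text before bash parses it, so a tag containing shell metacharacters would execute under the job's `contents: write` token; put each expression in the step's `env:` block instead (`NEW: ${{ steps.latest.outputs.version }}`) and read `"$NEW"` in the script. The SHA-256 values written into the install scripts are computed from whatever the workflow just downloaded, so they pin that download rather than verify it; if upstream publishes a checksum file or artifact attestation with the release, compare against it before editing the scripts, and record that in a comment above the `sha256sum` lines. `actions/checkout@v4` is a mutable tag; a workflow that pushes with a write token is usually pinned to a full commit SHA. The unquoted `>> $GITHUB_OUTPUT` redirections should be `>> "$GITHUB_OUTPUT"`.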
From: bitterpanda
Date: Tue, 19 May 2026 14:45:10 -0700
Subject: [PATCH 03/10] Add a slack webhook curl req for endpoint bumps
---
 .github/workflows/bump-endpoint.yml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/bump-endpoint.yml b/.github/workflows/bump-endpoint.yml
index 0968115..db7e3b6 100644
--- a/.github/workflows/bump-endpoint.yml
+++ b/.github/workflows/bump-endpoint.yml
@@ -75,8 +75,12 @@ jobs:
           git add install-scripts/install-endpoint-mac.sh install-scripts/install-endpoint-windows.ps1
           git commit -m "Bump Endpoint to ${NEW}"
           git push origin "$BRANCH"
-          gh pr create \
+          PR_URL=$(gh pr create \
             --title "Bump Endpoint to ${NEW}" \
             --body "Automated bump of safechain-internals endpoint from \`${OLD}\` to \`${NEW}\`." \
             --head "$BRANCH" \
-            --base main
+            --base main)
+
+          curl -s -X POST "https://hooks.slack.com/triggers/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" \
+            -H "Content-Type: application/json" \
+            -d "{\"text\": \"update to ${NEW} - ${PR_URL}\"}"
From 47e9ed0f6cd94f5b67d0ada88311fc30f367ec34 Mon Sep 17 00:00:00 2001
From: bitterpanda
Date: Tue, 19 May 2026 14:47:33 -0700
Subject: [PATCH 04/10] temp: trigger bump-endpoint on push to test
---
 .github/workflows/bump-endpoint.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/bump-endpoint.yml b/.github/workflows/bump-endpoint.yml
index db7e3b6..d289893 100644
--- a/.github/workflows/bump-endpoint.yml
+++ b/.github/workflows/bump-endpoint.yml
@@ -1,6 +1,9 @@
 name: Bump Device Protection Automatically
 
 on:
+  push:
+    branches:
+      - create-bump-endpoint-workflow
   schedule:
     - cron: '0 * * * *' # every hour
   workflow_dispatch:
From 3f0837c65a30aafdb0d81bbdf6bdb65d72ff6bb1 Mon Sep 17 00:00:00 2001
From: bitterpanda
Date: Tue, 19 May 2026 14:48:23 -0700
Subject: [PATCH 05/10] temp: use open-source-releaser runner
---
 .github/workflows/bump-endpoint.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
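Review bot: The Slack trigger webhook URL is committed as a literal in the new `curl` line; anyone who can read the workflow file can post to that trigger, and rotating it means another commit to the workflow. Store it as a repository secret and expose it through the step's `env:` (`SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}`, name constructed), then call `curl ... "$SLACK_WEBHOOK_URL"`. `curl -s` without `-f` also hides a non-2xx reply from Slack, so the step reports success even when nothing was posted; `curl -sSf` would surface it. The `run:` block this hunk edits starts outside the hunk.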
diff --git a/.github/workflows/bump-endpoint.yml b/.github/workflows/bump-endpoint.yml
index d289893..3da395f 100644
--- a/.github/workflows/bump-endpoint.yml
+++ b/.github/workflows/bump-endpoint.yml
@@ -14,7 +14,7 @@ permissions:
 
 jobs:
   bump-endpoint:
-    runs-on: ubuntu-latest
+    runs-on: open-source-releaser
     steps:
       - uses: actions/checkout@v4
 
From 07b8571758638539db7327c19f63061936224e07 Mon Sep 17 00:00:00 2001
From: bitterpanda
Date: Tue, 19 May 2026 14:52:37 -0700
Subject: [PATCH 06/10] temp: post compare URL to Slack instead of creating PR
---
 .github/workflows/bump-endpoint.yml | 6 +----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/.github/workflows/bump-endpoint.yml b/.github/workflows/bump-endpoint.yml
index 3da395f..b204c5b 100644
--- a/.github/workflows/bump-endpoint.yml
+++ b/.github/workflows/bump-endpoint.yml
@@ -78,11 +78,7 @@ jobs:
           git add install-scripts/install-endpoint-mac.sh install-scripts/install-endpoint-windows.ps1
           git commit -m "Bump Endpoint to ${NEW}"
           git push origin "$BRANCH"
-          PR_URL=$(gh pr create \
-            --title "Bump Endpoint to ${NEW}" \
-            --body "Automated bump of safechain-internals endpoint from \`${OLD}\` to \`${NEW}\`." \
-            --head "$BRANCH" \
-            --base main)
+          PR_URL="https://github.com/${{ github.repository }}/compare/main...${BRANCH}?expand=1"
 
           curl -s -X POST "https://hooks.slack.com/triggers/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" \
             -H "Content-Type: application/json" \
From 0b46c5408b18ad924b19f8672590ea28ddb1c24a Mon Sep 17 00:00:00 2001
From: bitterpanda
Date: Tue, 19 May 2026 14:55:22 -0700
Subject: [PATCH 07/10] Update bump-endpoint.yml
---
 .github/workflows/bump-endpoint.yml | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/.github/workflows/bump-endpoint.yml b/.github/workflows/bump-endpoint.yml
index b204c5b..becdb77 100644
--- a/.github/workflows/bump-endpoint.yml
+++ b/.github/workflows/bump-endpoint.yml
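Review bot: `runs-on: open-source-releaser` moves a job that holds a `contents: write` token and downloads installers from a third-party release onto what looks like a self-hosted runner label, and the subject marks this as temporary; if it is kept, a comment above the line should say why the hosted runner is insufficient. If that runner is persistent rather than ephemeral, `/tmp/EndpointProtection.pkg` and `.msi` written by the download step (outside this hunk) outlive the job, so that step should write under `$RUNNER_TEMP` or delete the files afterwards. If the repository is public, GitHub's own guidance discourages self-hosted runners for it, which is another reason to revert this before merge.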
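Review bot: With `gh pr create` gone, the only remaining pull-request call in the job is `gh pr list`, which needs read access, so the top-level `pull-requests: write` grant (outside the hunk) should be reduced to `read` or dropped to keep the token least-privilege. `OLD` is still assigned earlier in this `run:` block (outside the hunk) but is no longer read anywhere, since the PR body that used it was removed. Posting a compare link so a human opens the PR is a reasonable review gate, but that intent deserves a comment such as `# A human opens the PR from the compare link; nothing is merged automatically` above the `PR_URL=` line.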
@@ -1,9 +1,6 @@
 name: Bump Device Protection Automatically
 
 on:
-  push:
-    branches:
-      - create-bump-endpoint-workflow
   schedule:
     - cron: '0 * * * *' # every hour
   workflow_dispatch:
From f2cce7b7e90edad50d1ba3b8bf43a59103d9db99 Mon Sep 17 00:00:00 2001
From: bitterpanda
Date: Tue, 19 May 2026 14:56:04 -0700
Subject: [PATCH 08/10] temp: skip if branch already exists instead of checking for PR
---
 .github/workflows/bump-endpoint.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/bump-endpoint.yml b/.github/workflows/bump-endpoint.yml
index becdb77..9a7df3b 100644
--- a/.github/workflows/bump-endpoint.yml
+++ b/.github/workflows/bump-endpoint.yml
@@ -63,9 +63,8 @@ jobs:
           OLD="${{ steps.current.outputs.version }}"
           BRANCH="bump/endpoint-${NEW}"
 
-          # Skip if a PR for this version already exists
-          if gh pr list --head "$BRANCH" --json number --jq '.[0].number' | grep -q '[0-9]'; then
-            echo "PR for $NEW already open, skipping."
+          if git ls-remote --exit-code --heads origin "$BRANCH" &>/dev/null; then
+            echo "Branch $BRANCH already exists, skipping."
             exit 0
           fi
 
From ab058367f1908260d5c1478c4cad620925a175d5 Mon Sep 17 00:00:00 2001
From: bitterpanda
Date: Tue, 19 May 2026 14:56:46 -0700
Subject: [PATCH 09/10] temp: re-add push trigger for testing
---
 .github/workflows/bump-endpoint.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/bump-endpoint.yml b/.github/workflows/bump-endpoint.yml
index 9a7df3b..6d4a93e 100644
--- a/.github/workflows/bump-endpoint.yml
+++ b/.github/workflows/bump-endpoint.yml
@@ -1,6 +1,9 @@
 name: Bump Device Protection Automatically
 
 on:
+  push:
+    branches:
+      - create-bump-endpoint-workflow
   schedule:
     - cron: '0 * * * *' # every hour
   workflow_dispatch:
From f6145d5c20226fcba96c3505290dacac7495e073 Mon Sep 17 00:00:00 2001
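Review bot: The removed `# Skip if a PR for this version already exists` comment is not replaced, and the new check deduplicates on something different (a pushed branch rather than an open PR), so add `# Skip if a bump branch for this version was already pushed by an earlier run` above the new `if`. `git ls-remote --exit-code` returns non-zero both when no ref matches and when the remote cannot be reached, so a transient network error falls through to the checkout and push; that is tolerable because the push would fail as well, but a one-line comment saying so would save the next reader the analysis. `&>/dev/null` is a bashism, so the step should declare `shell: bash` (outside the hunk) instead of relying on the runner default, which matters more now that a non-hosted runner label is in play. This applies to the patch 08 hunk; the patch 07 and 09 hunks on this line are trigger toggles and need no change.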
From: bitterpanda
Date: Tue, 19 May 2026 14:58:55 -0700
Subject: [PATCH 10/10] Update bump-endpoint.yml
---
 .github/workflows/bump-endpoint.yml | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/.github/workflows/bump-endpoint.yml b/.github/workflows/bump-endpoint.yml
index 6d4a93e..9a7df3b 100644
--- a/.github/workflows/bump-endpoint.yml
+++ b/.github/workflows/bump-endpoint.yml
@@ -1,9 +1,6 @@
 name: Bump Device Protection Automatically
 
 on:
-  push:
-    branches:
-      - create-bump-endpoint-workflow
   schedule:
     - cron: '0 * * * *' # every hour
   workflow_dispatch: