mirror of
https://github.com/AikidoSec/safe-chain.git
synced 2026-05-26 12:10:49 +00:00
82 lines
3.4 KiB
YAML
82 lines
3.4 KiB
YAML
name: Bump Device Protection Automatically
|
|
|
|
on:
|
|
schedule:
|
|
- cron: '0 * * * *' # every hour
|
|
workflow_dispatch:
|
|
|
|
permissions:
|
|
contents: write
|
|
pull-requests: write
|
|
|
|
jobs:
|
|
bump-endpoint:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Get latest safechain-internals release
|
|
id: latest
|
|
env:
|
|
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
run: |
|
|
VERSION=$(gh api repos/AikidoSec/safechain-internals/releases/latest --jq '.tag_name')
|
|
echo "version=$VERSION" >> $GITHUB_OUTPUT
|
|
|
|
- name: Get current version from install script
|
|
id: current
|
|
run: |
|
|
CURRENT=$(grep -oP '(?<=releases/download/)[^/]+(?=/EndpointProtection\.pkg)' install-scripts/install-endpoint-mac.sh)
|
|
echo "version=$CURRENT" >> $GITHUB_OUTPUT
|
|
|
|
- name: Download assets and compute checksums
|
|
if: steps.latest.outputs.version != steps.current.outputs.version
|
|
id: checksums
|
|
run: |
|
|
VERSION="${{ steps.latest.outputs.version }}"
|
|
BASE="https://github.com/AikidoSec/safechain-internals/releases/download/${VERSION}"
|
|
curl -fsSL "${BASE}/EndpointProtection.pkg" -o /tmp/EndpointProtection.pkg
|
|
curl -fsSL "${BASE}/EndpointProtection.msi" -o /tmp/EndpointProtection.msi
|
|
echo "mac=$(sha256sum /tmp/EndpointProtection.pkg | cut -d' ' -f1)" >> $GITHUB_OUTPUT
|
|
echo "win=$(sha256sum /tmp/EndpointProtection.msi | cut -d' ' -f1)" >> $GITHUB_OUTPUT
|
|
|
|
- name: Update install scripts
|
|
if: steps.latest.outputs.version != steps.current.outputs.version
|
|
run: |
|
|
NEW="${{ steps.latest.outputs.version }}"
|
|
OLD="${{ steps.current.outputs.version }}"
|
|
MAC_SHA="${{ steps.checksums.outputs.mac }}"
|
|
WIN_SHA="${{ steps.checksums.outputs.win }}"
|
|
|
|
sed -i "s|${OLD}/EndpointProtection.pkg|${NEW}/EndpointProtection.pkg|" install-scripts/install-endpoint-mac.sh
|
|
sed -i "s|^DOWNLOAD_SHA256=\"[^\"]*\"|DOWNLOAD_SHA256=\"${MAC_SHA}\"|" install-scripts/install-endpoint-mac.sh
|
|
|
|
sed -i "s|${OLD}/EndpointProtection.msi|${NEW}/EndpointProtection.msi|" install-scripts/install-endpoint-windows.ps1
|
|
sed -i 's|^\$DownloadSha256 = "[^"]*"|\$DownloadSha256 = "'"${WIN_SHA}"'"|' install-scripts/install-endpoint-windows.ps1
|
|
|
|
- name: Open PR
|
|
if: steps.latest.outputs.version != steps.current.outputs.version
|
|
env:
|
|
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
run: |
|
|
NEW="${{ steps.latest.outputs.version }}"
|
|
OLD="${{ steps.current.outputs.version }}"
|
|
BRANCH="bump/endpoint-${NEW}"
|
|
|
|
# Skip if a PR for this version already exists
|
|
if gh pr list --head "$BRANCH" --json number --jq '.[0].number' | grep -q '[0-9]'; then
|
|
echo "PR for $NEW already open, skipping."
|
|
exit 0
|
|
fi
|
|
|
|
git config user.name "github-actions[bot]"
|
|
git config user.email "github-actions[bot]@users.noreply.github.com"
|
|
git checkout -b "$BRANCH"
|
|
git add install-scripts/install-endpoint-mac.sh install-scripts/install-endpoint-windows.ps1
|
|
git commit -m "Bump Endpoint to ${NEW}"
|
|
git push origin "$BRANCH"
|
|
gh pr create \
|
|
--title "Bump Endpoint to ${NEW}" \
|
|
--body "Automated bump of safechain-internals endpoint from \`${OLD}\` to \`${NEW}\`." \
|
|
--head "$BRANCH" \
|
|
--base main
|