Check Country Delivery #13538
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This workflow is pulling secrets from WorldHealthOrganization/tng-participants-secrets, not from github actions secrets | |
| # Please run the workflow named 'Export and Encrypt Secrets' to export github actions secrets | |
| name: Check Country Delivery | |
| on: | |
| schedule: | |
| # Ownership refresh reset | |
| - cron: '0 * * * *' | |
| workflow_dispatch: | |
| env: | |
| env_var: ${{ vars.ENV_CONTEXT_VAR }} | |
| jobs: | |
| delivery: | |
| runs-on: ubuntu-latest | |
| environment: dev | |
| steps: | |
| - name: Checkout repo | |
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
| - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c #v6.0.0 | |
| with: | |
| python-version: 3.8 | |
| - name: Configure Python | |
| run: | | |
| pip install --upgrade pip | |
| pip install -r scripts/requirements.txt | |
| - name: Configure Bot | |
| run: | | |
| git config --global user.email ${{secrets.BOT_EMAIL_GITHUB}} | |
| git config --global user.name ${{secrets.BOT_USER_GITHUB}} | |
| git config --global user.password ${{secrets.BOT_TOKEN_GITHUB}} | |
| git config --global pull.rebase true | |
| git config --global branch.autosetuprebase always | |
| - name: Checkout participants-secrets repo | |
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0 | |
| env: | |
| REPO_TOKEN: ${{ secrets.EXT_SECRETS_REPO_TOKEN }} | |
| with: | |
| repository: WorldHealthOrganization/tng-participants-secrets | |
| ref: main | |
| path: participants-secrets | |
| token: ${{ secrets.EXT_SECRETS_REPO_TOKEN }} | |
| - name: Set up GPG | |
| run: | | |
| mkdir -p ~/.gnupg | |
| echo "use-agent" > ~/.gnupg/gpg.conf | |
| echo "pinentry-mode loopback" >> ~/.gnupg/gpg.conf | |
| chmod 700 ~/.gnupg | |
| echo "${{ secrets.EXT_SECRETS_GPG_PRIVATE_KEY }}" | gpg --batch --import | |
| echo "List of GPG keys" | |
| gpg --batch --yes --pinentry-mode loopback --passphrase ${{ secrets.EXT_SECRETS_GPG_PRIVATE_KEY_PW }} --list-keys | |
| - name: Decrypt files | |
| run: | | |
| mkdir -p decrypted | |
| for file in participants-secrets/dev/*.pgp; do | |
| filename=$(basename -- "$file") | |
| base=${filename%.pgp} | |
| if [[ $base =~ ^[A-Z]{3}$ ]]; then | |
| gpg --batch --yes --pinentry-mode loopback --passphrase ${{ secrets.EXT_SECRETS_GPG_PRIVATE_KEY_PW }} --output decrypted/$base.txt --decrypt "$file" | |
| fi | |
| done | |
| - name: Generate countries.json | |
| run: | | |
| echo "{" > scripts/countries.json | |
| first=true | |
| for file in decrypted/*.txt; do | |
| filename=$(basename -- "$file") | |
| country=${filename%.txt} | |
| content=$(cat "$file" | jq -Rsa .) # Safely escape as JSON string | |
| if [ "$first" = true ]; then | |
| first=false | |
| else | |
| echo "," >> scripts/countries.json | |
| fi | |
| echo " \"$country\": $content" >> scripts/countries.json | |
| done | |
| echo "}" >> scripts/countries.json | |
| - name: Onboarding | |
| id: Onboarding | |
| env: | |
| GITHUB_TOKEN: ${{secrets.BOT_TOKEN_GITHUB}} | |
| BOT_TOKEN_GITHUB: ${{secrets.BOT_TOKEN_GITHUB}} | |
| GITHUB_JOB_TOKEN: ${{secrets.GITHUB_TOKEN}} | |
| TRANSITIVE_TRUST_SOURCE: ${{vars.TRANSITIVE_TRUST_SOURCE}} | |
| NB_UP_SIGNING_PUB: ${{secrets.NB_UP_SIGNING_PUB}} | |
| NB_UP_SIGNING_KEY: ${{secrets.NB_UP_SIGNING_KEY}} | |
| ENV: ${{vars.ENV}} | |
| SIGN_TA_KEY: ${{secrets.TNG_TA_PRIVATE_KEY}} | |
| SIGN_TA_PEM: ${{secrets.TNG_TA_CA}} | |
| ALLOWED_DOMAINS: ${{vars.ALLOWED_DOMAINS}} | |
| run: | | |
| python scripts/delivery.py | |