-
Notifications
You must be signed in to change notification settings - Fork 5
103 lines (90 loc) · 3.77 KB
/
Copy pathsys-on-cron-delivery-ext.yml
File metadata and controls
103 lines (90 loc) · 3.77 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
# This workflow is pulling secrets from WorldHealthOrganization/tng-participants-secrets, not from github actions secrets
# Please run the workflow named 'Export and Encrypt Secrets' to export github actions secrets
name: Check Country Delivery
on:
schedule:
# Ownership refresh reset
- cron: '0 * * * *'
workflow_dispatch:
env:
env_var: ${{ vars.ENV_CONTEXT_VAR }}
jobs:
delivery:
runs-on: ubuntu-latest
environment: dev
steps:
- name: Checkout repo
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c #v6.0.0
with:
python-version: 3.8
- name: Configure Python
run: |
pip install --upgrade pip
pip install -r scripts/requirements.txt
- name: Configure Bot
run: |
git config --global user.email ${{secrets.BOT_EMAIL_GITHUB}}
git config --global user.name ${{secrets.BOT_USER_GITHUB}}
git config --global user.password ${{secrets.BOT_TOKEN_GITHUB}}
git config --global pull.rebase true
git config --global branch.autosetuprebase always
- name: Checkout participants-secrets repo
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
env:
REPO_TOKEN: ${{ secrets.EXT_SECRETS_REPO_TOKEN }}
with:
repository: WorldHealthOrganization/tng-participants-secrets
ref: main
path: participants-secrets
token: ${{ secrets.EXT_SECRETS_REPO_TOKEN }}
- name: Set up GPG
run: |
mkdir -p ~/.gnupg
echo "use-agent" > ~/.gnupg/gpg.conf
echo "pinentry-mode loopback" >> ~/.gnupg/gpg.conf
chmod 700 ~/.gnupg
echo "${{ secrets.EXT_SECRETS_GPG_PRIVATE_KEY }}" | gpg --batch --import
echo "List of GPG keys"
gpg --batch --yes --pinentry-mode loopback --passphrase ${{ secrets.EXT_SECRETS_GPG_PRIVATE_KEY_PW }} --list-keys
- name: Decrypt files
run: |
mkdir -p decrypted
for file in participants-secrets/dev/*.pgp; do
filename=$(basename -- "$file")
base=${filename%.pgp}
if [[ $base =~ ^[A-Z]{3}$ ]]; then
gpg --batch --yes --pinentry-mode loopback --passphrase ${{ secrets.EXT_SECRETS_GPG_PRIVATE_KEY_PW }} --output decrypted/$base.txt --decrypt "$file"
fi
done
- name: Generate countries.json
run: |
echo "{" > scripts/countries.json
first=true
for file in decrypted/*.txt; do
filename=$(basename -- "$file")
country=${filename%.txt}
content=$(cat "$file" | jq -Rsa .) # Safely escape as JSON string
if [ "$first" = true ]; then
first=false
else
echo "," >> scripts/countries.json
fi
echo " \"$country\": $content" >> scripts/countries.json
done
echo "}" >> scripts/countries.json
- name: Onboarding
id: Onboarding
env:
GITHUB_TOKEN: ${{secrets.BOT_TOKEN_GITHUB}}
BOT_TOKEN_GITHUB: ${{secrets.BOT_TOKEN_GITHUB}}
GITHUB_JOB_TOKEN: ${{secrets.GITHUB_TOKEN}}
TRANSITIVE_TRUST_SOURCE: ${{vars.TRANSITIVE_TRUST_SOURCE}}
NB_UP_SIGNING_PUB: ${{secrets.NB_UP_SIGNING_PUB}}
NB_UP_SIGNING_KEY: ${{secrets.NB_UP_SIGNING_KEY}}
ENV: ${{vars.ENV}}
SIGN_TA_KEY: ${{secrets.TNG_TA_PRIVATE_KEY}}
SIGN_TA_PEM: ${{secrets.TNG_TA_CA}}
ALLOWED_DOMAINS: ${{vars.ALLOWED_DOMAINS}}
run: |
python scripts/delivery.py