Port codebase to ES6 modules, migrate to yarn, bump CI (#330)

This commit is contained in:
Michał Leszczyński
2024-07-09 11:09:16 -07:00
committed by GitHub
parent 18376c2011
commit 448c48545a
57 changed files with 5461 additions and 8765 deletions


@@ -16,24 +16,24 @@ on:
jobs:
check_cli_tool:
runs-on: ubuntu-latest
runs-on: ubuntu-22.04
steps:
- name: Install native dependencies (Linux)
run: |
sudo apt-get update && sudo apt-get install -y libpcsclite-dev
- name: Checkout the repository
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Install Node.JS
uses: actions/setup-node@v3
uses: actions/setup-node@v4
with:
node-version: 16
node-version: 20
- name: Install dependencies (root)
run: |
npm --include=dev ci
yarn install --frozen-lockfile --production=false
- name: Install dependencies (cli)
run: |
cd cli
npm --include=dev ci
yarn install --frozen-lockfile --production=false
- name: Package HaLo CLI tool (Linux)
run: |
cd cli
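Review bot: The `yarn install --frozen-lockfile --production=false` lines at L34 and L39 stand in for `npm ci`, but the flag only enforces lockfile integrity under Yarn 1; Yarn 2+ renamed it to `--immutable` and treats the old spelling as deprecated, so if the repository's `packageManager` field (not visible here) selects a Berry release, confirm that lockfile drift still fails the job instead of being resolved in place. The Yarn preinstalled on `ubuntu-22.04` is 1.x, so as written this is probably fine, but a comment above the step, `# --frozen-lockfile: Yarn 1 equivalent of npm ci (fails on lockfile drift)`, would record the assumption for whoever later switches package managers. The `Package HaLo CLI tool (Linux)` step at L40 continues past the end of the hunk.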


@@ -16,17 +16,17 @@ on:
jobs:
check_js_lib:
runs-on: ubuntu-latest
runs-on: ubuntu-22.04
steps:
- name: Checkout the repository
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Install Node.JS
uses: actions/setup-node@v3
uses: actions/setup-node@v4
with:
node-version: 16
node-version: 20
- name: Install dependencies (root)
run: |
npm --include=dev ci
yarn install --frozen-lockfile --production=false
- name: Run webpack
run: |
cd web
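Review bot: `actions/checkout@v4` and `actions/setup-node@v4` at L54 and L57 are referenced by floating major tags, whereas the release workflows touched in this same commit pin third-party actions to full commit SHAs (for example `google-github-actions/auth@ef5d53e…`); a re-pointed tag would change what runs in a job that builds the shipped library. First-party actions are lower risk than third-party ones, but for consistency the lines could read `uses: actions/checkout@<full-commit-sha>  # v4`, keeping the tag in a trailing comment so Dependabot or Renovate can still bump it. The `Run webpack` step at L65 runs past the end of the hunk.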


@@ -8,7 +8,7 @@ on:
jobs:
create_release:
name: Create halo-tools release
runs-on: ubuntu-latest
runs-on: ubuntu-22.04
steps:
- name: Prepare version number
id: parse_version
@@ -16,12 +16,12 @@ jobs:
( echo -n "version=" && ( echo "$GITHUB_REF" | cut -f2 -d- | tr -d '\n' ) ) >> "$GITHUB_OUTPUT"
- name: Draft release
id: create_release
uses: actions/create-release@v1
uses: softprops/action-gh-release@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
tag_name: ${{ github.ref }}
release_name: HaLo Tools ${{ steps.parse_version.outputs.version }}
name: HaLo Tools ${{ steps.parse_version.outputs.version }}
draft: true
prerelease: false
body: |
@@ -37,7 +37,7 @@ jobs:
run: |
echo -n "${{ steps.create_release.outputs.upload_url }}" > release-upload-url.txt
- name: Store release upload URL artifact
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: release-upload-url
path: release-upload-url.txt
@@ -48,97 +48,105 @@ jobs:
strategy:
matrix:
include:
- os: ubuntu-latest
- os: windows-latest
- os: macos-13
name: Build halo-tools (${{ matrix.os }})
- os: ubuntu-22.04
platform: ubuntu
- os: windows-2022
platform: windows
- os: macos-14-large
platform: macos
name: Build halo-tools (${{ matrix.platform }})
runs-on: ${{ matrix.os }}
needs: create_release
steps:
- name: Install native dependencies (Linux)
if: matrix.os == 'ubuntu-latest'
if: matrix.platform == 'ubuntu'
run: |
sudo apt-get update && sudo apt-get install -y libpcsclite-dev
- name: Install native dependencies (MacOS)
if: matrix.os == 'macos-13'
if: matrix.platform == 'macos'
run: |
brew install python@3.11
brew unlink python@3.11
brew link --overwrite python@3.11
brew install pcsc-lite
- name: Checkout the repository
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Install Node.JS
uses: actions/setup-node@v3
uses: actions/setup-node@v4
with:
node-version: 18
node-version: 20
- name: Install dependencies (root)
shell: bash
run: |
npm --include=dev ci
yarn install --frozen-lockfile --production=false
- name: Install dependencies (cli)
shell: bash
run: |
cd cli
npm --include=dev ci
yarn install --frozen-lockfile --production=false
- name: Build libhalo with webpack
shell: bash
run: |
cd web
../node_modules/.bin/webpack
- name: Build halo-tools with webpack
shell: bash
run: |
cd cli
../node_modules/.bin/webpack
mv dist_webpack/* .
mkdir build
cp node_modules/@pokusew/pcsclite/build/Release/pcsclite.node build/pcsclite.node
- name: Package HaLo CLI tool (Linux)
if: matrix.os == 'ubuntu-latest'
if: matrix.platform == 'ubuntu'
shell: bash
run: |
cd cli
node build/ci_scripts.js --platform linux --product cli
node_modules/.bin/pkg --compress GZip -t node18-linux-x64 -c package.json -o dist/halocli entry_cli.js
node build/ci_scripts.js --platform linux --product bridge
node_modules/.bin/pkg --compress GZip -t node18-linux-x64 -c package.json -o dist/halo-bridge entry_bridge.js
node build/ci_scripts.js --platform linux --product gateway
node_modules/.bin/pkg --compress GZip -t node18-linux-x64 -c package.json -o dist/halo-gateway entry_gateway.js
node build_scripts/ci_scripts.js --platform linux --product cli
node_modules/.bin/pkg --compress GZip -t node20-linux-x64 -c package.json -o dist/halocli entry_cli.bundle.js
node build_scripts/ci_scripts.js --platform linux --product bridge
node_modules/.bin/pkg --compress GZip -t node20-linux-x64 -c package.json -o dist/halo-bridge entry_bridge.bundle.js
node build_scripts/ci_scripts.js --platform linux --product gateway
node_modules/.bin/pkg --compress GZip -t node20-linux-x64 -c package.json -o dist/halo-gateway entry_gateway.bundle.js
- name: Package HaLo CLI tool (Windows)
if: matrix.os == 'windows-latest'
if: matrix.platform == 'windows'
shell: bash
run: |
cd cli
node build/ci_scripts.js --platform windows --product cli
node build_scripts/ci_scripts.js --platform windows --product cli
cat halotools_version.json
export PKG_PATCHED_BIN='1'
export PKG_CACHE_PATH='./.pkg-cache/'
export PKG_IGNORE_TAG='1'
node_modules/.bin/pkg --compress GZip -t node18-win-x64 -c package.json -o dist/halocli.exe entry_cli.js
node_modules/.bin/pkg --compress GZip -t node20-win-x64 -c package.json -o dist/halocli.exe entry_cli.bundle.js
- name: Package HaLo Bridge tool (Windows)
if: matrix.os == 'windows-latest'
if: matrix.platform == 'windows'
shell: bash
run: |
cd cli
node build/ci_scripts.js --platform windows --product bridge
node build_scripts/ci_scripts.js --platform windows --product bridge
export PKG_PATCHED_BIN='1'
export PKG_CACHE_PATH='./.pkg-cache/'
export PKG_IGNORE_TAG='1'
node_modules/.bin/pkg --compress GZip -t node18-win-x64 -c package.json -o dist/halo-bridge.exe entry_bridge.js
node_modules/.bin/pkg --compress GZip -t node20-win-x64 -c package.json -o dist/halo-bridge.exe entry_bridge.bundle.js
- name: Package HaLo Gateway tool (Windows)
if: matrix.os == 'windows-latest'
if: matrix.platform == 'windows'
shell: bash
run: |
cd cli
node build/ci_scripts.js --platform windows --product gateway
node build_scripts/ci_scripts.js --platform windows --product gateway
export PKG_PATCHED_BIN='1'
export PKG_CACHE_PATH='./.pkg-cache/'
export PKG_IGNORE_TAG='1'
node_modules/.bin/pkg --compress GZip -t node18-win-x64 -c package.json -o dist/halo-gateway.exe entry_gateway.js
node_modules/.bin/pkg --compress GZip -t node20-win-x64 -c package.json -o dist/halo-gateway.exe entry_gateway.bundle.js
- name: Package HaLo CLI tool (MacOS)
if: matrix.os == 'macos-13'
if: matrix.platform == 'macos'
shell: bash
run: |
cd cli
node build/ci_scripts.js --platform macos --product cli
node_modules/.bin/pkg --compress GZip -t node18-macos-x64 -c package.json -o dist/halocli entry_cli.js
node build/ci_scripts.js --platform macos --product bridge
node_modules/.bin/pkg --compress GZip -t node18-macos-x64 -c package.json -o dist/halo-bridge entry_bridge.js
node build/ci_scripts.js --platform macos --product gateway
node_modules/.bin/pkg --compress GZip -t node18-macos-x64 -c package.json -o dist/halo-gateway entry_gateway.js
node build_scripts/ci_scripts.js --platform macos --product cli
node_modules/.bin/pkg --compress GZip -t node20-macos-x64 -c package.json -o dist/halocli entry_cli.bundle.js
node build_scripts/ci_scripts.js --platform macos --product bridge
node_modules/.bin/pkg --compress GZip -t node20-macos-x64 -c package.json -o dist/halo-bridge entry_bridge.bundle.js
node build_scripts/ci_scripts.js --platform macos --product gateway
node_modules/.bin/pkg --compress GZip -t node20-macos-x64 -c package.json -o dist/halo-gateway entry_gateway.bundle.js
mv "macos_bridge_app" "dist/HaLo CLI Bridge Server.app"
mv "macos_pkgbuild_scripts" "dist/macos_pkgbuild_scripts"
mv "Entitlements.plist" "dist/Entitlements.plist"
@@ -153,7 +161,7 @@ jobs:
run: |
echo y | cosign sign-blob ./cli/dist.tgz --output-certificate ./cli/dist.tgz-keyless.pem --output-signature ./cli/dist.tgz-keyless.sig
- name: Store binary as artifact
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: binary-${{ matrix.os }}
path: |
@@ -169,13 +177,16 @@ jobs:
strategy:
matrix:
include:
- os: ubuntu-latest
- os: ubuntu-22.04
out_name: halo-tools-linux-x64.tgz
- os: windows-latest
platform: ubuntu
- os: windows-2022
out_name: halo-tools-win-x64.zip
- os: macos-13
platform: windows
- os: macos-14-large
out_name: halo-tools-macos-x64.pkg
name: Sign halo-tools and release (${{ matrix.os }})
platform: macos
name: Sign halo-tools and release (${{ matrix.platform }})
runs-on: ${{ matrix.os }}
needs: build_cli_tool
steps:
@@ -193,56 +204,56 @@ jobs:
run: |
tar -xopf dist.tgz
- name: Compress application (Linux)
if: matrix.os == 'ubuntu-latest'
if: matrix.platform == 'ubuntu'
run: |
chmod +x halocli
chmod +x halo-bridge
chmod +x halo-gateway
tar -pczf halo-tools-linux-x64.tgz halocli halo-bridge halo-gateway
- name: Write certificate file (Windows)
if: matrix.os == 'windows-latest'
if: matrix.platform == 'windows'
uses: DamianReeves/write-file-action@0a7fcbe1960c53fc08fe789fa4850d24885f4d84
with:
path: ./chain.cer
write-mode: overwrite
contents: ${{ vars.WINDOWS_CODE_SIGN_CERT_CHAIN }}
- name: Download jsign and verify (Windows)
if: matrix.os == 'windows-latest'
if: matrix.platform == 'windows'
shell: bash
run: |
curl -s -L -o jsign.jar https://github.com/ebourg/jsign/releases/download/4.2/jsign-4.2.jar
echo "290377fc4f593256200b3ea4061b7409e8276255f449d4c6de7833faf0850cc1 jsign.jar" > jsign.sum
sha256sum -c jsign.sum
- name: Authenticate with gcloud (Windows)
if: matrix.os == 'windows-latest'
if: matrix.platform == 'windows'
uses: google-github-actions/auth@ef5d53e30bbcd8d0836f4288f5e50ff3e086997d
with:
credentials_json: ${{ secrets.GCLOUD_SERVICE_ACCOUNT_KEY }}
- name: Set up Cloud SDK (Windows)
uses: google-github-actions/setup-gcloud@62d4898025f6041e16b1068643bfc5a696863587
if: matrix.os == 'windows-latest'
if: matrix.platform == 'windows'
with:
install_components: 'gcloud'
project_id: ${{ secrets.GCLOUD_PROJECT_ID }}
- name: Sign application (Windows)
if: matrix.os == 'windows-latest'
if: matrix.platform == 'windows'
shell: bash
run: |
java -jar jsign.jar --storetype GOOGLECLOUD --storepass "$(gcloud auth print-access-token)" --keystore "${{ vars.WINDOWS_CODE_SIGN_KEYSTORE }}" --alias "${{ vars.WINDOWS_CODE_SIGN_KEY_ALIAS }}" --certfile "chain.cer" --tsmode RFC3161 --tsaurl http://timestamp.globalsign.com/tsa/r6advanced1 halocli.exe
java -jar jsign.jar --storetype GOOGLECLOUD --storepass "$(gcloud auth print-access-token)" --keystore "${{ vars.WINDOWS_CODE_SIGN_KEYSTORE }}" --alias "${{ vars.WINDOWS_CODE_SIGN_KEY_ALIAS }}" --certfile "chain.cer" --tsmode RFC3161 --tsaurl http://timestamp.globalsign.com/tsa/r6advanced1 halo-bridge.exe
java -jar jsign.jar --storetype GOOGLECLOUD --storepass "$(gcloud auth print-access-token)" --keystore "${{ vars.WINDOWS_CODE_SIGN_KEYSTORE }}" --alias "${{ vars.WINDOWS_CODE_SIGN_KEY_ALIAS }}" --certfile "chain.cer" --tsmode RFC3161 --tsaurl http://timestamp.globalsign.com/tsa/r6advanced1 halo-gateway.exe
- name: Compress application (Windows)
if: matrix.os == 'windows-latest'
if: matrix.platform == 'windows'
run: |
Compress-Archive -Path halocli.exe,halo-bridge.exe,halo-gateway.exe halo-tools-win-x64.zip
- name: Load signing credentials (Mac OS)
if: matrix.os == 'macos-13'
if: matrix.platform == 'macos'
uses: apple-actions/import-codesign-certs@253ddeeac23f2bdad1646faac5c8c2832e800071
with:
p12-file-base64: ${{ secrets.MACOS_SIGN_P12 }}
p12-password: ${{ secrets.MACOS_SIGN_P12_PASSWORD }}
- name: Sign application (Mac OS)
if: matrix.os == 'macos-13'
if: matrix.platform == 'macos'
run: |
mkdir -p root/usr/local/bin/
mkdir -p root/Applications/
@@ -260,11 +271,11 @@ jobs:
chmod +x "./root/Applications/HaLo CLI Bridge Server.app/Contents/MacOS/halocli_bridge_launcher"
pkgbuild --root ./root --identifier "org.arx.halo.halocli" --version "1.0.$(date +%s)" --scripts "macos_pkgbuild_scripts/" --install-location "/" --sign "${{ secrets.MACOS_SIGN_IDENTITY_INSTALLER }}" ./halo-tools-macos-x64.pkg
- name: Notarize application for Mac OS
if: matrix.os == 'macos-13'
if: matrix.platform == 'macos'
run: |
xcrun notarytool submit "--apple-id=${{ secrets.MACOS_NOTARIZE_APPLE_ID }}" "--password=${{ secrets.MACOS_NOTARIZE_PASSWORD }}" "--team-id=${{ secrets.MACOS_NOTARIZE_TEAM_ID }}" --progress --wait ./halo-tools-macos-x64.pkg
- name: Staple notarized application (Mac OS)
if: matrix.os == 'macos-13'
if: matrix.platform == 'macos'
run: |
xcrun stapler staple ./halo-tools-macos-x64.pkg
rm -rf ./root/
@@ -312,6 +323,6 @@ jobs:
asset_content_type: application/octet-stream
- name: Delete binary artifact
if: always()
uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af
uses: geekyeggo/delete-artifact@v5.0.0
with:
name: binary-${{ matrix.os }}
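Review bot: L362 replaces the commit-SHA pin of `geekyeggo/delete-artifact` with the mutable tag `@v5.0.0`, which weakens the posture the rest of this file keeps — `DamianReeves/write-file-action`, `google-github-actions/auth`, `google-github-actions/setup-gcloud` and `apple-actions/import-codesign-certs` at L291, L307, L311 and L333 all stay SHA-pinned — and the new `softprops/action-gh-release@v2` at L85 is introduced the same way with `GITHUB_TOKEN` in its environment. A tag can be re-pointed by the action owner or by an account takeover, so the line should become `uses: geekyeggo/delete-artifact@<full-commit-sha>  # v5.0.0`, and `action-gh-release` should be pinned likewise. Separately, the `pkg` invocations now target `node20-*` (L181–L185, L199, L212, L225, L239–L243); as far as I know upstream `vercel/pkg` was archived without node20 base binaries, so confirm that the `pkg` resolved from `node_modules/.bin` is a fork that ships them, otherwise the `PKG_PATCHED_BIN`/`PKG_CACHE_PATH` path on Windows and the plain invocations on Linux/macOS depend on whatever binary ends up in `.pkg-cache`.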


@@ -8,7 +8,7 @@ on:
jobs:
create_release:
name: Create libhalo release
runs-on: ubuntu-latest
runs-on: ubuntu-22.04
steps:
- name: Prepare version number
id: parse_version
@@ -36,28 +36,28 @@ jobs:
- name: Store release upload URL
run: |
echo -n "${{ steps.create_release.outputs.upload_url }}" > release-upload-url.txt
- uses: actions/upload-artifact@v3
- uses: actions/upload-artifact@v4
with:
name: release-upload-url
path: release-upload-url.txt
build_js_lib:
name: Build libhalo and release
runs-on: ubuntu-latest
runs-on: ubuntu-22.04
permissions:
contents: write
id-token: write
needs: create_release
steps:
- name: Checkout the repository
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Install Node.JS
uses: actions/setup-node@v3
uses: actions/setup-node@v4
with:
node-version: 16
node-version: 20
- name: Install dependencies (root)
run: |
npm --include=dev ci
yarn install --frozen-lockfile --production=false
- name: Run webpack
run: |
cd web
@@ -121,7 +121,7 @@ jobs:
publish_npm:
name: Publish libhalo package
environment: prod-npm
runs-on: ubuntu-latest
runs-on: ubuntu-22.04
permissions:
contents: write
packages: write
@@ -137,69 +137,24 @@ jobs:
run: |
echo "release_upload_url=$(cat release-upload-url.txt)" >> "$GITHUB_OUTPUT"
- name: Checkout the repository
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Setup Node.JS
uses: actions/setup-node@v3
uses: actions/setup-node@v4
with:
node-version: '16.x'
node-version: 20
registry-url: 'https://registry.npmjs.org'
- name: Install cosign
uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8
- name: Run npm ci
run: npm ci
- name: Get package integrity hash
run: |
PKG_HASH=$(npm publish --dry-run --json 2>/dev/null | jq --raw-output '.integrity' | tr -d '\n')
echo "Package hash: ${PKG_HASH}"
echo -n "${PKG_HASH}" > "${RUNNER_TEMP}/libhalo-npm-hash.txt"
echo y | cosign sign-blob "${RUNNER_TEMP}/libhalo-npm-hash.txt" --output-certificate "${RUNNER_TEMP}/libhalo-npm-hash.txt-keyless.pem" --output-signature "${RUNNER_TEMP}/libhalo-npm-hash.txt-keyless.sig"
cosign verify-blob --cert "${RUNNER_TEMP}/libhalo-npm-hash.txt-keyless.pem" --signature "${RUNNER_TEMP}/libhalo-npm-hash.txt-keyless.sig" --certificate-identity "https://github.com/arx-research/libhalo/.github/workflows/prod_build_lib.yml@${GITHUB_REF}" --certificate-oidc-issuer https://token.actions.githubusercontent.com "${RUNNER_TEMP}/libhalo-npm-hash.txt"
run: yarn install --frozen-lockfile --production=false
- name: Publish package to npmjs
run: npm publish --json | tee "${RUNNER_TEMP}/npmjs-publish.json"
run: yarn publish
env:
NODE_AUTH_TOKEN: ${{ secrets.RELEASE_NPM_TOKEN }}
- name: Re-setup Node.JS with GitHub pkg
uses: actions/setup-node@v3
uses: actions/setup-node@v4
with:
node-version: '16.x'
node-version: 20
registry-url: https://npm.pkg.github.com/
- name: Publish package to GitHub
run: npm publish --json | tee "${RUNNER_TEMP}/gh-publish.json"
run: yarn publish
env:
NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Compare released hashes
run: |
( cat "${RUNNER_TEMP}/npmjs-publish.json" | jq --raw-output '.integrity' | tr -d '\n' ) > "${RUNNER_TEMP}/npmjs-hash.txt"
( cat "${RUNNER_TEMP}/gh-publish.json" | jq --raw-output '.integrity' | tr -d '\n' ) > "${RUNNER_TEMP}/gh-hash.txt"
cmp -s "${RUNNER_TEMP}/libhalo-npm-hash.txt" "${RUNNER_TEMP}/npmjs-hash.txt"
cmp -s "${RUNNER_TEMP}/libhalo-npm-hash.txt" "${RUNNER_TEMP}/gh-hash.txt"
- name: Upload release asset (npm hash)
id: upload-release-asset-license
uses: actions/upload-release-asset@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ steps.out_store.outputs.release_upload_url }}
asset_path: ${{ runner.temp }}/libhalo-npm-hash.txt
asset_name: libhalo-npm-hash.txt
asset_content_type: text/plain
- name: Upload release asset (npm hash cosign pem)
id: upload-release-asset-cosign-pem
uses: actions/upload-release-asset@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ steps.out_store.outputs.release_upload_url }}
asset_path: ${{ runner.temp }}/libhalo-npm-hash.txt-keyless.pem
asset_name: libhalo-npm-hash.txt-keyless.pem
asset_content_type: application/octet-stream
- name: Upload release asset (npm hash cosign sig)
id: upload-release-asset-cosign-sig
uses: actions/upload-release-asset@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ steps.out_store.outputs.release_upload_url }}
asset_path: ${{ runner.temp }}/libhalo-npm-hash.txt-keyless.sig
asset_name: libhalo-npm-hash.txt-keyless.sig
asset_content_type: application/octet-stream
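Review bot: The hunk removes the entire integrity attestation around publishing — the pre-publish `npm publish --dry-run` integrity hash, its keyless `cosign sign-blob`/`verify-blob`, the `Compare released hashes` step that checked both registries against that hash, and the three release-asset uploads — and the same commit deletes the scheduled Integrity check workflow that consumed those assets; nothing in the new steps replaces any of it, which also leaves the cosign installer at L433–L434 with no visible user in this job. With `yarn publish` (Yarn 1 has no `--provenance`) the package is now released without anything linking the published tarball to this workflow and commit. The cheapest replacement is npm's built-in provenance, `run: npm publish --provenance --access public` for the npmjs step, which needs `id-token: write` on this job's `permissions` (cut off at L419); otherwise reinstate the sign-blob/compare steps over the Yarn-installed tree. Also confirm that `yarn publish` does not stop at Yarn 1's interactive version prompt in CI — it normally needs `--non-interactive` or `--new-version`.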


@@ -1,86 +0,0 @@
name: Integrity check
on:
push:
branches:
- master
schedule:
- cron: '37 21 * * *'
jobs:
integrity_npmjs:
name: Integrity check (npmjs)
runs-on: ubuntu-latest
steps:
- name: Install cosign
uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8
- name: Get latest version from npm
id: get-latest-npm
run: |
curl -s -o "$RUNNER_TEMP/package-npm.json" https://registry.npmjs.org/@arx-research/libhalo/latest
NPM_LATEST_VER=$(cat "$RUNNER_TEMP/package-npm.json" | jq --raw-output '.version' | tr -d '\n')
NPM_HASH=$(cat "$RUNNER_TEMP/package-npm.json" | jq --raw-output '.dist.integrity' | tr -d '\n')
echo "NPM_LATEST_VER=$NPM_LATEST_VER" >> $GITHUB_ENV
echo "NPM_HASH=$NPM_HASH" >> $GITHUB_ENV
- name: Check cosign signature
run: |
curl -s -o "$RUNNER_TEMP/release_info.json" https://api.github.com/repos/arx-research/libhalo/releases/tags/libhalo-v${NPM_LATEST_VER}
COMMIT_HASH=$(cat "$RUNNER_TEMP/release_info.json" | jq --raw-output '.target_commitish' | tr -d '\n')
curl -s -L -o "$RUNNER_TEMP/libhalo-npm-hash.txt" "https://github.com/arx-research/libhalo/releases/download/libhalo-v${NPM_LATEST_VER}/libhalo-npm-hash.txt"
curl -s -L -o "$RUNNER_TEMP/libhalo-npm-hash.txt-keyless.pem" "https://github.com/arx-research/libhalo/releases/download/libhalo-v${NPM_LATEST_VER}/libhalo-npm-hash.txt-keyless.pem"
curl -s -L -o "$RUNNER_TEMP/libhalo-npm-hash.txt-keyless.sig" "https://github.com/arx-research/libhalo/releases/download/libhalo-v${NPM_LATEST_VER}/libhalo-npm-hash.txt-keyless.sig"
cosign verify-blob \
--cert "$RUNNER_TEMP/libhalo-npm-hash.txt-keyless.pem" \
--signature "$RUNNER_TEMP/libhalo-npm-hash.txt-keyless.sig" \
--certificate-identity "https://github.com/arx-research/libhalo/.github/workflows/prod_build_lib.yml@refs/tags/libhalo-v${NPM_LATEST_VER}" \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-sha "$COMMIT_HASH" \
"$RUNNER_TEMP/libhalo-npm-hash.txt"
echo "Verified ${NPM_LATEST_VER} with commit ID: ${COMMIT_HASH}"
- name: Verify integrity hash on npmjs
run: |
OUR_HASH=$(cat "$RUNNER_TEMP/libhalo-npm-hash.txt" | tr -d '\n')
echo "Our hash: $OUR_HASH"
echo "NPM hash: $NPM_HASH"
[[ "$NPM_HASH" == "$OUR_HASH" ]]
integrity_gh:
name: Integrity check (GitHub Packages)
runs-on: ubuntu-latest
permissions:
packages: read
steps:
- name: Install cosign
uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8
- name: Get latest version from npm
id: get-latest-gh
run: |
curl -s -L -o "$RUNNER_TEMP/package-gh.json" \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://npm.pkg.github.com/@arx-research%2flibhalo
GH_LATEST_VER=$(cat "$RUNNER_TEMP/package-gh.json" | jq --raw-output '.["dist-tags"].latest' | tr -d '\n')
NPM_HASH=$(cat "$RUNNER_TEMP/package-gh.json" | jq --raw-output ".versions[\"${GH_LATEST_VER}\"].dist.integrity" | tr -d '\n')
echo "GH_LATEST_VER=$GH_LATEST_VER" >> $GITHUB_ENV
echo "NPM_HASH=$NPM_HASH" >> $GITHUB_ENV
- name: Check cosign signature
run: |
curl -s -o "$RUNNER_TEMP/release_info.json" https://api.github.com/repos/arx-research/libhalo/releases/tags/libhalo-v${GH_LATEST_VER}
COMMIT_HASH=$(cat "$RUNNER_TEMP/release_info.json" | jq --raw-output '.target_commitish' | tr -d '\n')
curl -s -L -o "$RUNNER_TEMP/libhalo-npm-hash.txt" "https://github.com/arx-research/libhalo/releases/download/libhalo-v${GH_LATEST_VER}/libhalo-npm-hash.txt"
curl -s -L -o "$RUNNER_TEMP/libhalo-npm-hash.txt-keyless.pem" "https://github.com/arx-research/libhalo/releases/download/libhalo-v${GH_LATEST_VER}/libhalo-npm-hash.txt-keyless.pem"
curl -s -L -o "$RUNNER_TEMP/libhalo-npm-hash.txt-keyless.sig" "https://github.com/arx-research/libhalo/releases/download/libhalo-v${GH_LATEST_VER}/libhalo-npm-hash.txt-keyless.sig"
cosign verify-blob \
--cert "$RUNNER_TEMP/libhalo-npm-hash.txt-keyless.pem" \
--signature "$RUNNER_TEMP/libhalo-npm-hash.txt-keyless.sig" \
--certificate-identity "https://github.com/arx-research/libhalo/.github/workflows/prod_build_lib.yml@refs/tags/libhalo-v${GH_LATEST_VER}" \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-github-workflow-sha "$COMMIT_HASH" \
"$RUNNER_TEMP/libhalo-npm-hash.txt"
echo "Verified ${GH_LATEST_VER} with commit ID: ${COMMIT_HASH}"
- name: Verify integrity hash on npmjs
run: |
OUR_HASH=$(cat "$RUNNER_TEMP/libhalo-npm-hash.txt" | tr -d '\n')
echo "Our hash: $OUR_HASH"
echo "NPM hash: $NPM_HASH"
[[ "$NPM_HASH" == "$OUR_HASH" ]]