
Commit 55b42ff

Update release.yml as per security guideline (#102)
1 parent 73e76fe commit 55b42ff

1 file changed

+36
-16
lines changed


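--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -53,31 +53,43 @@ jobs:
         with:
           ref: ${{ github.event.inputs.commit_id }}
       - name: Configure git identity
+        env:
+          ACTOR: ${{ github.actor }}
         run: |
-          git config --global user.name ${{ github.actor }}
-          git config --global user.email ${{ github.actor }}@users.noreply.github.com
+          git config --global user.name "$ACTOR"
+          git config --global user.email "$ACTOR"@users.noreply.github.com
       - name: create a new branch that references commit id
-        run: git checkout -b ${{ github.event.inputs.version_number }} ${{ github.event.inputs.commit_id }}
+        env:
+          VERSION_NUMBER: ${{ github.event.inputs.version_number }}
+          COMMIT_ID: ${{ github.event.inputs.commit_id }}
+        run: git checkout -b "$VERSION_NUMBER" "$COMMIT_ID"
       - name: Generate SBOM
         uses: FreeRTOS/CI-CD-Github-Actions/sbom-generator@main
         with:
           repo_path: ./
           source_path: ./source
       - name: commit SBOM file
+        env:
+          VERSION_NUMBER: ${{ github.event.inputs.version_number }}
         run: |
           git add .
           git commit -m 'Update SBOM'
-          git push -u origin ${{ github.event.inputs.version_number }}
+          git push -u origin "$VERSION_NUMBER"
       - name: Tag Commit and Push to remote
+        env:
+          VERSION_NUMBER: ${{ github.event.inputs.version_number }}
         run: |
-          git tag ${{ github.event.inputs.version_number }} -a -m "coreSNTP Library ${{ github.event.inputs.version_number }}"
+          git tag "$VERSION_NUMBER" -a -m "coreSNTP Library $VERSION_NUMBER"
           git push origin --tags
       - name: Verify tag on remote
+        env:
+          VERSION_NUMBER: ${{ github.event.inputs.version_number }}
+          COMMIT_ID: ${{ github.event.inputs.commit_id }}
         run: |
-          git tag -d ${{ github.event.inputs.version_number }}
+          git tag -d "$VERSION_NUMBER"
           git remote update
-          git checkout tags/${{ github.event.inputs.version_number }}
-          git diff ${{ github.event.inputs.commit_id }} tags/${{ github.event.inputs.version_number }}
+          git checkout tags/$"$VERSION_NUMBER"
+          git diff "$COMMIT_ID" tags/"$VERSION_NUMBER"
   create-zip:
     if: ${{ ( github.event.inputs.delete_existing_tag_release == 'true' && success() ) || ( github.event.inputs.delete_existing_tag_release == 'false' && always() ) }}
     needs: tag-commit
@@ -96,22 +108,28 @@ jobs:
         run: |
           cd coreSNTP
           git submodule update --init --checkout --recursive
-      - name: Create ZIP
+      - name:
+        env:
+          VERSION_NUMBER: ${{ github.event.inputs.version_number }}
         run: |
-          zip -r coreSNTP-${{ github.event.inputs.version_number }}.zip coreSNTP -x "*.git*"
+          zip -r coreSNTP-"$VERSION_NUMBER".zip coreSNTP -x "*.git*"
           ls ./
       - name: Validate created ZIP
+        env:
+          VERSION_NUMBER: ${{ github.event.inputs.version_number }}
         run: |
           mkdir zip-check
-          mv coreSNTP-${{ github.event.inputs.version_number }}.zip zip-check
+          mv coreSNTP-"$VERSION_NUMBER".zip zip-check
           cd zip-check
-          unzip coreSNTP-${{ github.event.inputs.version_number }}.zip -d coreSNTP-${{ github.event.inputs.version_number }}
-          ls coreSNTP-${{ github.event.inputs.version_number }}
-          diff -r -x "*.git*" coreSNTP-${{ github.event.inputs.version_number }}/coreSNTP/ ../coreSNTP/
+          unzip coreSNTP-"$VERSION_NUMBER".zip -d coreSNTP-"$VERSION_NUMBER"
+          ls coreSNTP-"$VERSION_NUMBER"
+          diff -r -x "*.git*" coreSNTP-"$VERSION_NUMBER"/coreSNTP/ ../coreSNTP/
           cd ../
       - name: Build
+        env:
+          VERSION_NUMBER: ${{ github.event.inputs.version_number }}
         run: |
-          cd zip-check/coreSNTP-${{ github.event.inputs.version_number }}/coreSNTP
+          cd zip-check/coreSNTP-"$VERSION_NUMBER"/coreSNTP
           sudo apt-get install -y lcov
           cmake -S test -B build/ \
           -G "Unix Makefiles" \
@@ -120,8 +138,10 @@ jobs:
           -DCMAKE_C_FLAGS='--coverage -Wall -Wextra -DNDEBUG'
           make -C build/ all
       - name: Test
+        env:
+          VERSION_NUMBER: ${{ github.event.inputs.version_number }}
         run: |
-          cd zip-check/coreSNTP-${{ github.event.inputs.version_number }}/coreSNTP/build/
+          cd zip-check/coreSNTP-"$VERSION_NUMBER"/coreSNTP/build/
           ctest -E system --output-on-failure
           cd ..
       - name: Create artifact of ZIP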
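Review bot: The "Create ZIP" step in the second hunk lost its name — the new line reads `- name:` with nothing after it, so the step's name parses as null and the step shows up untitled in the run log; restore `- name: Create ZIP`. In the first hunk the checkout line carries a stray `$` before the opening quote: `git checkout tags/$"$VERSION_NUMBER"` only expands as intended because bash treats `$"…"` as a locale-translated string, so change it to `git checkout tags/"$VERSION_NUMBER"` to match the `git diff` line right below it. Moving the `github.event.inputs` values out of inline `${{ }}` interpolation and into `env:` so the scripts only see them as quoted shell variables is the right fix for the script-injection risk the commit message refers to. One check the Verify step still lacks is that `git diff` without `--exit-code` exits 0 even when the tag and the commit differ, so the job cannot fail on a mismatch; `git diff --exit-code "$COMMIT_ID" tags/"$VERSION_NUMBER"` would make the verification effective.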
