Skip to content

Commit 63c32c5

Browse files
ricalrical
committed
.github: add bitSign workflow for signing releases
This is currently a standalone workflow that needs manual trigger via workflow_dispatch, but the end goal here is to chain it to the release job. Signed-off-by: Richard Alpe <[email protected]>
1 parent 2f13fc7 commit 63c32c5

File tree

1 file changed

+208
-0
lines changed

1 file changed

+208
-0
lines changed

.github/workflows/bitsign.yml

Lines changed: 208 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,208 @@
1+
name: bitSign Infix Release
2+
3+
on:
4+
workflow_dispatch:
5+
inputs:
6+
release_version:
7+
description: 'Release version (e.g., v25.08.0)'
8+
required: true
9+
type: string
10+
push:
11+
branches: [ sign-with-bitsign ]
12+
13+
jobs:
14+
sign-infix-release:
15+
runs-on: ubuntu-latest
16+
17+
steps:
18+
- name: Checkout repository
19+
uses: actions/checkout@v4
20+
21+
- name: Validate release version format
22+
id: validate
23+
run: |
24+
# Use default version for push events, input version for manual dispatch
25+
if [ "${{ github.event_name }}" = "push" ]; then
26+
VERSION="v25.08.0"
27+
echo "Using default version for push trigger: $VERSION"
28+
else
29+
VERSION="${{ inputs.release_version }}"
30+
echo "Using input version for manual trigger: $VERSION"
31+
fi
32+
33+
# Check if version starts with 'v' and has proper format
34+
if ! echo "$VERSION" | grep -qE '^v[0-9]+\.[0-9]+(\.[0-9]+)?(-alpha[0-9]*|-beta[0-9]*|-rc[0-9]*)?$'; then
35+
echo "❌ Invalid version format. Expected format: vYY.MM(.PP)(-alphaN|-betaN|-rcN)"
36+
echo "Examples: v25.08.0, v25.08.0-alpha1, v25.08.0-rc1"
37+
exit 1
38+
fi
39+
40+
# Extract version without 'v' prefix for filename
41+
FILE_VERSION="${VERSION#v}"
42+
FILENAME="infix-x86_64-${FILE_VERSION}.tar.gz"
43+
RELEASE_URL="https://github.com/kernelkit/infix/releases/download/${VERSION}/${FILENAME}"
44+
45+
echo "✅ Version format valid"
46+
echo "file_version=${FILE_VERSION}" >> $GITHUB_OUTPUT
47+
echo "filename=${FILENAME}" >> $GITHUB_OUTPUT
48+
echo "release_url=${RELEASE_URL}" >> $GITHUB_OUTPUT
49+
50+
- name: Download Infix release
51+
run: |
52+
RELEASE_URL="${{ steps.validate.outputs.release_url }}"
53+
FILENAME="${{ steps.validate.outputs.filename }}"
54+
55+
echo "Downloading Infix release: $FILENAME"
56+
echo "From: $RELEASE_URL"
57+
58+
if ! curl -L "$RELEASE_URL" -o "$FILENAME" --fail --show-error --progress-bar; then
59+
echo "❌ Failed to download release file from: $RELEASE_URL"
60+
echo "Please verify that the release version exists and contains the x86_64 build."
61+
echo "You can check available releases at: https://github.com/kernelkit/infix/releases"
62+
exit 1
63+
fi
64+
65+
# Verify download
66+
if [ -f "$FILENAME" ] && [ -s "$FILENAME" ]; then
67+
FILE_SIZE=$(ls -lh "$FILENAME" | awk '{print $5}')
68+
echo "✅ Successfully downloaded: $FILENAME ($FILE_SIZE)"
69+
else
70+
echo "❌ Failed to download release file"
71+
exit 1
72+
fi
73+
74+
- name: Create signing request
75+
id: create_request
76+
run: |
77+
FILENAME="${{ steps.validate.outputs.filename }}"
78+
echo "Creating signing request for $FILENAME..."
79+
80+
# Create signing request using BitSign API
81+
RESPONSE=$(curl -s -X POST "https://portal.bitsign.se/api/v1/requests" \
82+
-H "Authorization: Bearer ${{ secrets.BITSIGN_API_KEY }}" \
83+
-F "file=@$FILENAME" \
84+
-F "key=bit42-Demo1" \
85+
-F "job=Infix-x86" \
86+
-F "parameters={\"timestamp\": true}")
87+
88+
echo "API Response: $RESPONSE"
89+
90+
# Check if request was successful
91+
if echo "$RESPONSE" | jq -e '.success == true' > /dev/null; then
92+
REQUEST_ID=$(echo "$RESPONSE" | jq -r '.requestId')
93+
echo "✅ Request created successfully with ID: $REQUEST_ID"
94+
echo "request_id=$REQUEST_ID" >> $GITHUB_OUTPUT
95+
else
96+
echo "❌ Failed to create signing request"
97+
echo "$RESPONSE" | jq -r '.error // .message // "Unknown error"'
98+
exit 1
99+
fi
100+
101+
- name: Wait for signing completion
102+
id: wait_completion
103+
run: |
104+
REQUEST_ID="${{ steps.create_request.outputs.request_id }}"
105+
echo "Waiting for signing completion for request: $REQUEST_ID"
106+
107+
# Poll status for up to 10 minutes (600 seconds) - longer timeout for larger files
108+
MAX_WAIT=600
109+
WAITED=0
110+
111+
while [ $WAITED -lt $MAX_WAIT ]; do
112+
RESPONSE=$(curl -s -X GET "https://portal.bitsign.se/api/v1/requests/$REQUEST_ID/status" \
113+
-H "Authorization: Bearer ${{ secrets.BITSIGN_API_KEY }}")
114+
115+
STATUS=$(echo "$RESPONSE" | jq -r '.status')
116+
echo "Current status: $STATUS (waited ${WAITED}s)"
117+
118+
if [ "$STATUS" = "completed" ]; then
119+
echo "✅ Signing completed successfully!"
120+
break
121+
elif [ "$STATUS" = "failed" ]; then
122+
echo "❌ Signing failed"
123+
echo "$RESPONSE" | jq -r '.error // .message // "Unknown error"'
124+
exit 1
125+
fi
126+
127+
sleep 10
128+
WAITED=$((WAITED + 10))
129+
done
130+
131+
if [ $WAITED -ge $MAX_WAIT ]; then
132+
echo "❌ Timeout: Signing did not complete within ${MAX_WAIT} seconds"
133+
exit 1
134+
fi
135+
136+
- name: Download signed file
137+
id: download_signed
138+
run: |
139+
REQUEST_ID="${{ steps.create_request.outputs.request_id }}"
140+
FILENAME="${{ steps.validate.outputs.filename }}"
141+
FILE_VERSION="${{ steps.validate.outputs.file_version }}"
142+
SIGNED_FILENAME="infix-x86_64-${FILE_VERSION}-signed.tar.gz"
143+
144+
echo "Downloading signed file for request: $REQUEST_ID"
145+
echo "Expected signed filename: $SIGNED_FILENAME"
146+
147+
# Download the signed file
148+
curl -X GET "https://portal.bitsign.se/api/v1/requests/$REQUEST_ID/download" \
149+
-H "Authorization: Bearer ${{ secrets.BITSIGN_API_KEY }}" \
150+
-o "$SIGNED_FILENAME" \
151+
--fail --show-error
152+
153+
if [ -f "$SIGNED_FILENAME" ] && [ -s "$SIGNED_FILENAME" ]; then
154+
FILE_SIZE=$(ls -lh "$SIGNED_FILENAME" | awk '{print $5}')
155+
echo "Successfully downloaded signed file: $SIGNED_FILENAME ($FILE_SIZE)"
156+
echo "signed_filename=$SIGNED_FILENAME" >> $GITHUB_OUTPUT
157+
else
158+
echo "Failed to download signed file"
159+
exit 1
160+
fi
161+
162+
- name: Upload signed artifacts
163+
uses: actions/upload-artifact@v4
164+
with:
165+
name: signed-infix-${{ steps.validate.outputs.file_version }}
166+
path: |
167+
${{ steps.validate.outputs.filename }}
168+
${{ steps.download_signed.outputs.signed_filename }}
169+
retention-days: 90
170+
171+
- name: Summary
172+
run: |
173+
cat >> $GITHUB_STEP_SUMMARY << 'EOF'
174+
# bitSign Infix Release Signing Complete
175+
176+
The Infix release has been successfully signed using the bitSign API.
177+
178+
## Process Overview
179+
180+
1. **Release Download** - Downloaded specified Infix release from GitHub
181+
2. **Signing Request** - Created signing request via bitSign API
182+
3. **Approval Process** - Trusted signers received notification and approved with 2FA
183+
4. **bitSign Processing** - Backend securely signed the release file
184+
5. **Download & Store** - Retrieved signed result and stored as artifacts
185+
186+
## Signing Details
187+
188+
| Property | Value |
189+
|----------|-------|
190+
| 📦 **Original File** | `${{ steps.validate.outputs.filename }}` |
191+
| ✍️ **Signed File** | `${{ steps.download_signed.outputs.signed_filename }}` |
192+
| 🔑 **Signing Key** | `bit42-Demo1` |
193+
| ⚙️ **Job Type** | `Infix-x86` |
194+
| 🆔 **Request ID** | `${{ steps.create_request.outputs.request_id }}` |
195+
| 📋 **Release Version** | `${{ inputs.release_version }}` |
196+
| 🌐 **API Endpoint** | `portal.bitsign.se` |
197+
198+
## Download Files
199+
200+
> **Both the original release file and signed version are available as a workflow artifact:**
201+
> **`signed-infix-${{ steps.validate.outputs.file_version }}`**
202+
>
203+
> The artifact contains both `${{ steps.validate.outputs.filename }}` and `${{ steps.download_signed.outputs.signed_filename }}` files.
204+
205+
---
206+
207+
**Next Steps:** The signed release can now be distributed with cryptographic verification of authenticity.
208+
EOF

0 commit comments

Comments
 (0)