# Publishes a SHA256 checksum list for the assets attached to a release.
name: Hash Released Files

on:
  release:
    types:
      # A release, pre-release, or draft of a release was published.
      - published
      # The details of a release, pre-release, or draft release were edited.
      # Each such run hashes the assets attached at that moment, so the
      # published checksums follow the current release contents rather than
      # pinning the first upload.
      - edited

# One run per release tag: a newer event for the same tag cancels the run
# that is still in progress.
concurrency:
  group: hash-${{ github.event.release.tag_name }}
  cancel-in-progress: true
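jobs:
  calculate-hashes:
    runs-on: ubuntu-latest
    # Run only in the named repository; copies of this workflow elsewhere
    # skip the job.
    if: github.repository == 'sandboxie-plus/Sandboxie'
    permissions:
      # Required by the last step, which deletes and uploads release assets.
      # Scopes not listed here are not granted to GITHUB_TOKEN.
      contents: write

    env:
      # Name of the checksum file, both locally and as a release asset.
      HASH_FILE: "sha256-checksums.txt"
      # GitHub REST API version sent with every API request.
      GITHUB_API_VERSION: "2022-11-28"

    steps:
      - name: Download release assets
        env:
          # Event data and the token reach the script as environment
          # variables. Expanding ${{ ... }} inside the script text would let
          # the tag name be parsed as shell code.
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          TAG: ${{ github.event.release.tag_name }}
        run: |
          mkdir -p assets

          # Fetch the release record. --fail turns an HTTP error into a
          # non-zero exit instead of handing jq an error document.
          ASSET_DATA=$(curl --fail -sSL \
            -H "Authorization: token $GH_TOKEN" \
            -H "X-GitHub-Api-Version: $GITHUB_API_VERSION" \
            "https://api.github.com/repos/$GITHUB_REPOSITORY/releases/tags/$TAG")

          # One array entry per output line; mapfile avoids the word
          # splitting and globbing of an unquoted $(...) expansion.
          mapfile -t ASSET_URLS < <(jq -r '.assets[].browser_download_url' <<< "$ASSET_DATA")
          mapfile -t ASSET_NAMES < <(jq -r '.assets[].name' <<< "$ASSET_DATA")

          for i in "${!ASSET_URLS[@]}"; do
            url="${ASSET_URLS[i]}"
            name="${ASSET_NAMES[i]}"

            # The name comes from the API response and becomes a local path,
            # so anything that is not a plain file name is refused.
            case "$name" in
              "" | . | .. | */*)
                echo "Refusing unexpected asset name: $name"
                exit 1
                ;;
            esac

            echo "Downloading: $url"
            if ! curl --fail -L -o "assets/$name" "$url"; then
              echo "Failed to download: $url"
              exit 1
            fi
          done

      - name: Check for downloaded assets
        id: check_assets
        run: |
          # Anything in assets/ other than the checksum file counts as a
          # downloaded asset. -F -x compares whole names literally, so only
          # the checksum file itself is ignored (a regex match would also
          # hide names that merely contain it).
          if [ -n "$(ls -A assets | grep -Fxv -- "$HASH_FILE")" ]; then
            echo "Assets downloaded."
            echo "assets_downloaded=true" >> "$GITHUB_ENV"
          else
            echo "No assets downloaded."
            echo "assets_downloaded=false" >> "$GITHUB_ENV"
          fi

      - name: Calculate file hashes
        if: env.assets_downloaded == 'true'
        run: |
          cd assets
          ls -la  # listing kept in the log for debugging
          : > "../$HASH_FILE"  # create or truncate the new checksum file

          # NOTE(review): sha256sum itself prints two characters between the
          # digest and the name; confirm that whatever verifies this file
          # accepts the single-space layout written below.
          for file in *; do
            # A checksum file downloaded from the release is not hashed.
            if [[ "$file" == "$HASH_FILE" ]]; then
              echo "Skipping: $file"
              continue
            fi
            echo "Calculating hash for: $file"
            # "--" keeps a name that begins with "-" from being read as an
            # option.
            hash_value=$(sha256sum -- "$file" | awk '{ print $1 }')
            echo "$hash_value $file" >> "../$HASH_FILE"
          done

          # Back to the workspace root, where the new checksum file lives.
          cd ..
          cat "$HASH_FILE"

      # The checksum file is stored on the same release, and written with the
      # same token, as the assets it describes. It lets a downloader detect a
      # corrupted or substituted copy obtained elsewhere; it is not
      # independent evidence if the release itself has been altered.
      - name: Check and upload hashes to release
        if: env.assets_downloaded == 'true'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          TAG: ${{ github.event.release.tag_name }}
        run: |
          api="https://api.github.com/repos/$GITHUB_REPOSITORY"

          # Resolve the release ID. The response is captured before jq reads
          # it, so a failed request stops the step instead of being masked by
          # the pipeline's last command.
          RELEASE_JSON=$(curl --fail -sL \
            -H "Accept: application/vnd.github+json" \
            -H "Authorization: token $GH_TOKEN" \
            -H "X-GitHub-Api-Version: $GITHUB_API_VERSION" \
            "$api/releases/tags/$TAG")
          RELEASE_ID=$(jq -r '.id' <<< "$RELEASE_JSON")

          echo "Release ID: $RELEASE_ID"
          if ! [[ "$RELEASE_ID" =~ ^[0-9]+$ ]]; then
            echo "Could not resolve the release ID"
            exit 1
          fi

          # The first step downloaded every asset, so a checksum file that is
          # already attached to the release is present in assets/.
          EXISTING_HASH_FILE="assets/$HASH_FILE"
          if [ -f "$EXISTING_HASH_FILE" ]; then
            echo "Found existing hash file. Comparing..."
            # Print the contents of both files for debugging
            echo "New hash file contents:"
            cat "$HASH_FILE"

            echo "Existing hash file contents:"
            cat "$EXISTING_HASH_FILE"

            if cmp -s "$HASH_FILE" "$EXISTING_HASH_FILE"; then
              echo "Hashes are the same. Skipping upload."
              exit 0
            else
              echo "Hashes are different."
              # diff exits non-zero when the files differ; that is expected.
              diff "$HASH_FILE" "$EXISTING_HASH_FILE" || true

              # Find the asset ID of the published checksum file so it can be
              # replaced. per_page=100 widens the first page of the listing.
              ASSET_LIST=$(curl --fail -sL \
                -H "Accept: application/vnd.github+json" \
                -H "Authorization: token $GH_TOKEN" \
                -H "X-GitHub-Api-Version: $GITHUB_API_VERSION" \
                "$api/releases/$RELEASE_ID/assets?per_page=100")
              EXISTING_ASSET_ID=$(jq -r --arg FILE_NAME "$HASH_FILE" \
                '.[] | select(.name == $FILE_NAME) | .id' <<< "$ASSET_LIST")

              if [ -n "$EXISTING_ASSET_ID" ]; then
                echo "Deleting existing asset..."
                # --fail makes an HTTP error status reach the handler below.
                curl --fail -sL \
                  -X DELETE \
                  -H "Accept: application/vnd.github+json" \
                  -H "Authorization: token $GH_TOKEN" \
                  -H "X-GitHub-Api-Version: $GITHUB_API_VERSION" \
                  "$api/releases/assets/$EXISTING_ASSET_ID" || { echo "Failed to delete asset"; exit 1; }
              fi
            fi
          else
            echo "No existing hash file found."
          fi

          # Upload the new checksum file. Without --fail a rejected upload
          # (HTTP 4xx/5xx) would still leave curl's exit status at zero and
          # the step would report success.
          echo "Uploading new hash file..."
          curl --fail -sL \
            -X POST \
            -H "Accept: application/vnd.github+json" \
            -H "Authorization: token $GH_TOKEN" \
            -H "X-GitHub-Api-Version: $GITHUB_API_VERSION" \
            -H "Content-Type: application/octet-stream" \
            "https://uploads.github.com/repos/$GITHUB_REPOSITORY/releases/$RELEASE_ID/assets?name=$HASH_FILE" \
            --data-binary @"$GITHUB_WORKSPACE/$HASH_FILE" || { echo "Failed to upload hash file"; exit 1; }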