Follow Security Guide to update release.yml

ActoryOu · ActoryOu · commit 0a1c2bf88213 · 2024-11-04T10:26:31.000Z
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -19,13 +19,16 @@ env:
   repository_zip_name: ${{ github.event.repository.name }}-${{ github.event.inputs.version_number }}.zip
   # Source folder list for version number updates
   source_folder_list: "source test"
+  repository_name: ${{ github.event.repository.name }}
+  version_number: ${{ github.event.inputs.version_number }}
+  actor: ${{ github.actor }}
+  commit_id: ${{ github.event.inputs.commit_id }}
 
 jobs:
   clean-existing-tag-and-release:
     if: ${{ github.event.inputs.delete_existing_tag_release == 'true' }}
     runs-on: ubuntu-latest
     env:
-      VERSION_NUM: ${{ github.event.inputs.version_number }}
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
       - name: Checkout code
@@ -34,10 +37,10 @@ jobs:
       - name: Check if tag exists
         run: |
           git fetch origin
-          if git tag --list $VERSION_NUM
+          if git tag --list ${{ env.version_number }}
           then
-              echo "Deleting existing tag for $VERSION_NUM"
-              git push origin --delete tags/$VERSION_NUM
+              echo "Deleting existing tag for ${{ env.version_number }}"
+              git push origin --delete tags/${{ env.version_number }}
           fi
 
       - name: Check if release exists
@@ -46,10 +49,10 @@ jobs:
           sudo apt-add-repository https://cli.github.com/packages
           sudo apt update
           sudo apt-get install gh
-          if gh release list | grep $VERSION_NUM
+          if gh release list | grep ${{ env.version_number }}
           then
-              echo "Deleting existing release for $VERSION_NUM"
-              gh release delete --yes $VERSION_NUM
+              echo "Deleting existing release for ${{ env.version_number }}
+              gh release delete --yes ${{ env.version_number }}
           fi
 
   add-sbom-and-tag-commit:
@@ -61,47 +64,47 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
         with:
-          ref: ${{ github.event.inputs.commit_id }}
+          ref: ${{ env.commit_id }}
 
       - name: Configure git identity
         run: |
-          git config --global user.name ${{ github.actor }}
-          git config --global user.email ${{ github.actor }}@users.noreply.github.com
+          git config --global user.name ${{ env.actor }}
+          git config --global user.email ${{ env.actor }}@users.noreply.github.com
 
       - name: create a new branch that references commit id
-        run: git checkout -b ${{ github.event.inputs.version_number }} ${{ github.event.inputs.commit_id }}
+        run: git checkout -b ${{ env.version_number }} ${{ env.commit_id }}
 
       - name: Update version number in source files
         run: |
             echo "${{ env.source_folder_list }}" | \
             xargs -n 1 sh -c \
             'find $1 -type f \( -name "*.c" -o -name "*.h" \) \
-            -exec sed -i -b -E "0,/^ \* ${{ github.event.repository.name }}/s/^ \* ${{ github.event.repository.name }}.*/ \* ${{ github.event.repository.name }} ${{ github.event.inputs.version_number }}/g" {} +'
+            -exec sed -i -b -E "0,/^ \* ${{ env.repository_name }}/s/^ \* ${{ env.repository_name }}.*/ \* ${{ env.repository_name }} ${{ env.version_number }}/g" {} +'
             git add .
             git commit -m '[AUTO][RELEASE]: Update version number in source files'
-            git push -u origin ${{ github.event.inputs.version_number }}
+            git push -u origin ${{ env.version_number }}
 
       - name : Update version number in manifest.yml
         run: |
-          sed -i -b '0,/^version/s/^version.*/version: "${{ github.event.inputs.version_number }}"/g' ./manifest.yml
+          sed -i -b '0,/^version/s/^version.*/version: "${{ env.version_number }}"/g' ./manifest.yml
           git add .
           git commit -m '[AUTO][RELEASE]: Update version number in manifest.yml'
-          git push -u origin ${{ github.event.inputs.version_number }}
+          git push -u origin ${{ env.version_number }}
 
       - name : Update version number in doxygen
         run: |
-          sed -i -b 's/PROJECT_NUMBER *=.*/PROJECT_NUMBER         = ${{ github.event.inputs.version_number }}/g' ./docs/doxygen/config.doxyfile
+          sed -i -b 's/PROJECT_NUMBER *=.*/PROJECT_NUMBER         = ${{ env.version_number }}/g' ./docs/doxygen/config.doxyfile
           git add .
           git commit -m '[AUTO][RELEASE]: Update version number in doxygen'
-          git push -u origin ${{ github.event.inputs.version_number }}
+          git push -u origin ${{ env.version_number }}
 
       - name : Update MQTT version number macro
-        if: ${{ github.event.repository.name == 'coreMQTT' }}
+        if: ${{ env.repository_name == 'coreMQTT' }}
         run: |
-          sed -i -b 's/^\#define MQTT_LIBRARY_VERSION .*/\#define MQTT_LIBRARY_VERSION    "${{ github.event.inputs.version_number }}"/g' source/include/core_mqtt.h
+          sed -i -b 's/^\#define MQTT_LIBRARY_VERSION .*/\#define MQTT_LIBRARY_VERSION    "${{ env.version_number }}"/g' source/include/core_mqtt.h
           git add .
           git commit -m '[AUTO][RELEASE]: Update version number macro in source/include/core_mqtt.h'
-          git push -u origin ${{ github.event.inputs.version_number }}
+          git push -u origin ${{ env.version_number }}
 
       - name: Generate SBOM
         uses: FreeRTOS/CI-CD-Github-Actions/sbom-generator@main
@@ -113,19 +116,19 @@ jobs:
         run: |
           git add .
           git commit -m 'Update SBOM'
-          git push -u origin ${{ github.event.inputs.version_number }}
+          git push -u origin ${{ env.version_number }}
 
       - name: Tag Commit and Push to remote
         run: |
-          git tag ${{ github.event.inputs.version_number }} -a -m "${{ github.event.repository.name }} Library ${{ github.event.inputs.version_number }}"
+          git tag ${{ env.version_number }} -a -m "${{ env.repository_name }} Library ${{ env.version_number }}"
           git push origin --tags
 
       - name: Verify tag on remote
         run: |
-          git tag -d ${{ github.event.inputs.version_number }}
+          git tag -d ${{ env.version_number }}
           git remote update
-          git checkout tags/${{ github.event.inputs.version_number }}
-          git diff ${{ github.event.inputs.commit_id }} tags/${{ github.event.inputs.version_number }}
+          git checkout tags/${{ env.version_number }}
+          git diff ${{ env.commit_id }} tags/${{ env.version_number }}
 
   create-zip:
     if: ${{ ( github.event.inputs.delete_existing_tag_release == 'true' && success() )  || ( github.event.inputs.delete_existing_tag_release == 'false' && always() ) }}
@@ -139,18 +142,18 @@ jobs:
       - name: Checkout code
         uses: actions/checkout@v4
         with:
-          ref: ${{ github.event.inputs.version_number }}
-          path: ${{ github.event.repository.name }}
+          ref: ${{ env.version_number }}
+          path: ${{ env.repository_name }}
           submodules: recursive
 
       - name: Checkout disabled submodules
         run: |
-          cd ${{ github.event.repository.name }}
+          cd ${{ env.repository_name }}
           git submodule update --init --checkout --recursive
 
       - name: Create ZIP
         run: |
-          zip -r ${{ env.repository_zip_name }} ${{ github.event.repository.name }} -x "*.git*"
+          zip -r ${{ env.repository_zip_name }} ${{ env.repository_name }} -x "*.git*"
           ls ./
 
       - name: Validate created ZIP
@@ -160,66 +163,66 @@ jobs:
           cd zip-check
           unzip ${{ env.repository_zip_name }} -d ${{ env.repository_compressed_name }}
           ls ${{ env.repository_compressed_name }}
-          diff -r -x "*.git*" ${{ env.repository_compressed_name }}/${{ github.event.repository.name }}/ ../${{ github.event.repository.name }}/
+          diff -r -x "*.git*" ${{ env.repository_compressed_name }}/${{ env.repository_name }}/ ../${{ env.repository_name }}/
           cd ../
 
       - name: Check version number in source files
         run: |
-          cd zip-check/${{ env.repository_compressed_name }}/${{ github.event.repository.name }}
+          cd zip-check/${{ env.repository_compressed_name }}/${{ env.repository_name }}
 
           # List all the *.h *.c files in <source_folder_list>
           SOURCE_FILE_LIST=$( echo "${{ env.source_folder_list }}" | \
           xargs -n 1 sh -c 'find $1 -type f \( -name "*.c" -o -name "*.h" \)' )
 
           # List all the files which contain " * <repository_name>.*" in SOURCE_FILE_LIST
-          SOURCE_FILE_WITH_VERSION_LIST=$( grep -l " \* ${{ github.event.repository.name }}.*" $SOURCE_FILE_LIST )
+          SOURCE_FILE_WITH_VERSION_LIST=$( grep -l " \* ${{ env.repository_name }}.*" $SOURCE_FILE_LIST )
 
           # Compare the <version_number> with input version number in files in SOURCE_FILE_LIST
           echo $SOURCE_FILE_WITH_VERSION_LIST | xargs -I{} sh -c \
-          'grep -x " \* ${{ github.event.repository.name }} ${{ github.event.inputs.version_number }}" {} && \
-          echo {} : match ${{ github.event.repository.name }} ${{ github.event.inputs.version_number }} || \
-          { echo "{} : ${{ github.event.repository.name }} ${{ github.event.inputs.version_number }} not found"; exit 255; }'
+          'grep -x " \* ${{ env.repository_name }} ${{ env.version_number }}" {} && \
+          echo {} : match ${{ env.repository_name }} ${{ env.version_number }} || \
+          { echo "{} : ${{ env.repository_name }} ${{ env.version_number }} not found"; exit 255; }'
 
       - name: Check version number in doxygen
         run: |
-          cd zip-check/${{ env.repository_compressed_name }}/${{ github.event.repository.name }}
+          cd zip-check/${{ env.repository_compressed_name }}/${{ env.repository_name }}
 
           # find "PROJECT_NUMBER = <version_number>"
           DOXYGEN_VERSION_NUMBER=$(grep -x "[ ]*PROJECT_NUMBER[ ]*=[ ]*[^ ]*[ ]*" docs/doxygen/config.doxyfile | awk -F= '{gsub(" ","",$2); print $2 }');
 
           # compare the <version_number> with input version number
-          [[ $DOXYGEN_VERSION_NUMBER == "${{ github.event.inputs.version_number }}" ]] \
-          && echo "config.doxyfile : match ${{ github.event.inputs.version_number }}" \
-          || { echo "config.doxyfile : $DOXYGEN_VERSION_NUMBER doesn't match ${{ github.event.inputs.version_number }}"; exit 255; }
+          [[ $DOXYGEN_VERSION_NUMBER == "${{ env.version_number }}" ]] \
+          && echo "config.doxyfile : match ${{ env.version_number }}" \
+          || { echo "config.doxyfile : $DOXYGEN_VERSION_NUMBER doesn't match ${{ env.version_number }}"; exit 255; }
 
       - name: Check version number in manifest.yml
         run: |
-          cd zip-check/${{ env.repository_compressed_name }}/${{ github.event.repository.name }}
+          cd zip-check/${{ env.repository_compressed_name }}/${{ env.repository_name }}
 
           # find the first occurence of "version: <version_number>" and comare the <version_number> with input version number
           MANIFEST_VESION_NUMBER=$( grep -m 1 -E "^version:[ ]*\".*\"[ ]*" manifest.yml | awk -F: '{ gsub(" ","",$2); gsub("\"","",$2); print $2 }' );
 
           # compare the <version_number> with input version number
-          [[ $MANIFEST_VESION_NUMBER == "${{ github.event.inputs.version_number }}" ]] \
-          && echo "manifest.yml : match ${{ github.event.inputs.version_number }}" \
-          || { echo "manifest.yml : $MANIFEST_VESION_NUMBER doesn't match ${{ github.event.inputs.version_number }}"; exit 255; }
+          [[ $MANIFEST_VESION_NUMBER == "${{ env.version_number }}" ]] \
+          && echo "manifest.yml : match ${{ env.version_number }}" \
+          || { echo "manifest.yml : $MANIFEST_VESION_NUMBER doesn't match ${{ env.version_number }}"; exit 255; }
 
       - name: Check MQTT version number macro in header file
-        if: ${{ github.event.repository.name == 'coreMQTT' }}
+        if: ${{ env.repository_name == 'coreMQTT' }}
         run: |
-          cd zip-check/${{ env.repository_compressed_name }}/${{ github.event.repository.name }}
+          cd zip-check/${{ env.repository_compressed_name }}/${{ env.repository_name }}
 
           # find "#define MQTT_LIBRARY_VERSION <version_number>" in core_mqtt.h
           MACRO_VERSION_NUMBER=$(grep -x "^\#define[ ]*MQTT_LIBRARY_VERSION[ ]*\".*\"[ ]*" source/include/core_mqtt.h | awk '{gsub("\"","",$3); print $3 }');
           
           # compare the <version_number> with input version number
-          [[ $MACRO_VERSION_NUMBER == "${{ github.event.inputs.version_number }}" ]] \
-          && echo "core_mqtt.h : match ${{ github.event.inputs.version_number }}" \
-          || { echo "core_mqtt.h : $MACRO_VERSION_NUMBER doesn't match ${{ github.event.inputs.version_number }}"; exit 255; }
+          [[ $MACRO_VERSION_NUMBER == "${{ env.version_number }}" ]] \
+          && echo "core_mqtt.h : match ${{ env.version_number }}" \
+          || { echo "core_mqtt.h : $MACRO_VERSION_NUMBER doesn't match ${{ env.version_number }}"; exit 255; }
 
       - name: Build
         run: |
-          cd zip-check/${{ env.repository_compressed_name }}/${{ github.event.repository.name }}
+          cd zip-check/${{ env.repository_compressed_name }}/${{ env.repository_name }}
           sudo apt-get install -y lcov
           cmake -S test -B build/ \
           -G "Unix Makefiles" \
@@ -230,7 +233,7 @@ jobs:
 
       - name: Test
         run: |
-          cd zip-check/${{ env.repository_compressed_name }}/${{ github.event.repository.name }}/build/
+          cd zip-check/${{ env.repository_compressed_name }}/${{ env.repository_name }}/build/
           ctest -E system --output-on-failure
           cd ..
 
@@ -249,7 +252,7 @@ jobs:
       - name: Doxygen generation
         uses: FreeRTOS/CI-CD-Github-Actions/doxygen-generation@main
         with:
-          ref: ${{ github.event.inputs.version_number }}
+          ref: ${{ env.version_number }}
           add_release: "true"
 
   create-release:
@@ -266,9 +269,9 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
-          tag_name: ${{ github.event.inputs.version_number }}
-          release_name: ${{ github.event.inputs.version_number }}
-          body: Release ${{ github.event.inputs.version_number }} of the ${{ github.event.repository.name }} Library.
+          tag_name: ${{ env.version_number }}
+          release_name: ${{ env.version_number }}
+          body: Release ${{ env.version_number }} of the ${{ env.repository_name }} Library.
           draft: false
           prerelease: false
 
