
Commit e86b531

Follow Security Guide to update release.yml (#121)
* Update release.yml as per security guidelines * Update version for actions to v4 * Fix formatting
1 parent efe1b51 commit e86b531


1 file changed

+25
-13
lines changed


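--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -22,7 +22,7 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 steps:
 - name: Checkout code
-uses: actions/checkout@v2
+uses: actions/checkout@v4
 - name: Check if tag exists
 run: |
 git fetch origin
@@ -49,35 +49,47 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
-uses: actions/checkout@v2
+uses: actions/checkout@v4
 with:
 ref: ${{ github.event.inputs.commit_id }}
 - name: Configure git identity
+env:
+ACTOR: ${{ github.actor }}
 run: |
-git config --global user.name ${{ github.actor }}
-git config --global user.email ${{ github.actor }}@users.noreply.github.com
+git config --global user.name "$ACTOR"
+git config --global user.email "$ACTOR"@users.noreply.github.com
 - name: create a new branch that references commit id
-run: git checkout -b ${{ github.event.inputs.version_number }} ${{ github.event.inputs.commit_id }}
+env:
+VERSION_NUMBER: ${{ github.event.inputs.version_number }}
+COMMIT_ID: ${{ github.event.inputs.commit_id }}
+run: git checkout -b "$VERSION_NUMBER" "$COMMIT_ID"
 - name: Generate SBOM
 uses: FreeRTOS/CI-CD-Github-Actions/sbom-generator@main
 with:
 repo_path: ./
 source_path: ./source
 - name: commit SBOM file
+env:
+VERSION_NUMBER: ${{ github.event.inputs.version_number }}
 run: |
 git add .
 git commit -m 'Update SBOM'
-git push -u origin ${{ github.event.inputs.version_number }}
+git push -u origin "$VERSION_NUMBER"
 - name: Tag Commit and Push to remote
+env:
+VERSION_NUMBER: ${{ github.event.inputs.version_number }}
 run: |
-git tag ${{ github.event.inputs.version_number }} -a -m "coreMQTT-Agent Library ${{ github.event.inputs.version_number }}"
+git tag "$VERSION_NUMBER" -a -m "coreMQTT-Agent Library $VERSION_NUMBER"
 git push origin --tags
 - name: Verify tag on remote
+env:
+VERSION_NUMBER: ${{ github.event.inputs.version_number }}
+COMMIT_ID: ${{ github.event.inputs.commit_id }}
 run: |
-git tag -d ${{ github.event.inputs.version_number }}
+git tag -d "$VERSION_NUMBER"
 git remote update
-git checkout tags/${{ github.event.inputs.version_number }}
-git diff ${{ github.event.inputs.commit_id }} tags/${{ github.event.inputs.version_number }}
+git checkout tags/"$VERSION_NUMBER"
+git diff "$COMMIT_ID" tags/"$VERSION_NUMBER"
 create-zip:
 if: ${{ ( github.event.inputs.delete_existing_tag_release == 'true' && success() ) || ( github.event.inputs.delete_existing_tag_release == 'false' && always() ) }}
 needs: tag-commit
@@ -87,7 +99,7 @@ jobs:
 - name: Install ZIP tools
 run: sudo apt-get install zip unzip
 - name: Checkout code
-uses: actions/checkout@v2
+uses: actions/checkout@v4
 with:
 ref: ${{ github.event.inputs.commit_id }}
 path: coreMQTT-Agent
@@ -125,7 +137,7 @@ jobs:
 ctest -E system --output-on-failure
 cd ..
 - name: Create artifact of ZIP
-uses: actions/upload-artifact@v2
+uses: actions/upload-artifact@v4
 with:
 name: coreMQTT-Agent-${{ github.event.inputs.version_number }}.zip
 path: zip-check/coreMQTT-Agent-${{ github.event.inputs.version_number }}.zip
@@ -172,7 +184,7 @@ jobs:
 draft: false
 prerelease: false
 - name: Download ZIP artifact
-uses: actions/download-artifact@v2
+uses: actions/download-artifact@v4
 with:
 name: coreMQTT-Agent-${{ github.event.inputs.version_number }}.zip
 - name: Upload Release Asset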
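Review bot: In the second hunk, the last line of the `Verify tag on remote` step, `git diff "$COMMIT_ID" tags/"$VERSION_NUMBER"`, exits 0 whether or not the two trees differ, so the step cannot fail when the pushed tag does not point at the requested commit and the "verify" is a no-op for the jobs that `needs: tag-commit`; `git diff --exit-code "$COMMIT_ID" tags/"$VERSION_NUMBER"` makes a mismatch fail the job. Separately, the hardening this commit applies moves the workflow inputs into `env:` but leaves every `uses:` on a mutable reference — `actions/checkout@v4`, `actions/upload-artifact@v4`, `actions/download-artifact@v4`, and the unchanged `FreeRTOS/CI-CD-Github-Actions/sbom-generator@main` in the same hunk; pinning each to a full commit SHA with the version kept as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v4`, removes the risk of a retargeted tag or branch running different code in a release job that holds push and tag rights, and the `@main` reference is the most exposed of the four. The job this hunk edits (apparently `tag-commit`, given the `needs:` line) starts before the hunk, so its `permissions:` block, if any, is not visible here.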
