-
Notifications
You must be signed in to change notification settings - Fork 0
142 lines (125 loc) · 5.85 KB
/
autopkg.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
name: AutoPkg run
on:
watch:
types: [started]
schedule:
- cron: 00 14 * * 1-5
workflow_dispatch: # manually triggered
inputs:
recipe:
description: Recipe to Run (optional)
required: false
jobs:
AutoPkg:
runs-on: macos-latest
timeout-minutes: 120 # Keeps your builds from running too long
steps:
- name: Checkout AutoPkg Continuous Integration
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # Pin SHA1 hash instead of version
with:
fetch-depth: 1
- name: Install AutoPkg
run: |
curl -L https://github.com/autopkg/autopkg/releases/download/v2.7.3/autopkg-2.7.3.pkg --output /tmp/autopkg.pkg
sudo installer -pkg /tmp/autopkg.pkg -target /
- name: coreutils install
run: |
brew install coreutils
- name: python-jamf install
run: |
pip3 install -r requirements.txt --break-system-packages
which conf-python-jamf
- name: AutoPkg Configuration
run: |
defaults write com.github.autopkg RECIPE_OVERRIDE_DIRS "$(pwd)"/overrides/
defaults write com.github.autopkg RECIPE_REPO_DIR "$(pwd)"/repos/
defaults write com.github.autopkg CACHE_DIR "$(pwd)"/cache/
defaults write com.github.autopkg FAIL_RECIPES_WITHOUT_TRUST_INFO -bool YES
defaults write com.github.autopkg JSS_URL "${{ secrets.JSS_URL }}"
defaults write com.github.autopkg API_USERNAME "${{ secrets.JSS_API_USERNAME }}"
defaults write com.github.autopkg API_PASSWORD "${{ secrets.JSS_API_PASSWORD }}"
defaults write com.github.autopkg GITHUB_TOKEN "${{ secrets.AUTOPKG_GITHUB_TOKEN }}"
/usr/libexec/PlistBuddy -c "Add :JSS_REPOS array" ~/Library/Preferences/com.github.autopkg.plist
/usr/libexec/PlistBuddy -c "Add :JSS_REPOS:0 dict" ~/Library/Preferences/com.github.autopkg.plist
/usr/libexec/PlistBuddy -c "Add :JSS_REPOS:0:type string CDP" ~/Library/Preferences/com.github.autopkg.plist
- name: Configure Git
run: |
git config --global user.name "runner"
git config --global user.email "[email protected]"
git config --global credential.helper store
echo "https://${{ secrets.AUTOPKG_GITHUB_USER }}:${{ secrets.AUTOPKG_GITHUB_TOKEN }}@github.com" > ~/.git-credentials
- name: Setup SSH
run: |
eval $(ssh-agent)
echo "${{ secrets.AUTOPKG_GITHUB_SSH_PRIV }}" > ~/.ssh/privKey
chmod 700 ~/.ssh
chmod 600 ~/.ssh/privKey
ssh-add -k ~/.ssh/privKey
- name: Setup Signing Key & API keychain entries
run: |
export PATH="/usr/local/opt/curl/bin/:${PATH}"
echo "${{ secrets.SIGNING_CERT_P112 }}" | base64 --decode --output cert.p12
KEYCHAIN_NAME=temp.keychain
KEYCHAIN_PASS=$(echo "$(date)""$RANDOM" | base64)
security create-keychain -p "$KEYCHAIN_PASS" "$KEYCHAIN_NAME"
security set-keychain-settings -lut 21600 "$KEYCHAIN_NAME"
security unlock-keychain -p "$KEYCHAIN_PASS" "$KEYCHAIN_NAME"
security import cert.p12 -P ${{ secrets.SIGNING_CERT_PASS }} -A -t cert -f pkcs12 -k "$KEYCHAIN_NAME"
security list-keychain -d user -s "$KEYCHAIN_NAME"
security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASS" "$KEYCHAIN_NAME"
echo "Caching API credentials"
python3_bin=$(realpath `which python3`)
python3_app=$(echo ${python3_bin} | sed -e 's/bin\/python.*/Resources\/Python.app/g')
security add-generic-password -a ${{ secrets.JSS_API_USERNAME }} -s ${{ secrets.JSS_URL }} -w ${{ secrets.JSS_API_PASSWORD }} -T "${python3_app}" "$KEYCHAIN_NAME"
echo "Setting partition list"
security set-generic-password-partition-list -S apple-tool:,apple:,unsigned: -a ${{ secrets.JSS_API_USERNAME }} -k "$KEYCHAIN_PASS" "$KEYCHAIN_NAME"
- name: Add AutoPkg repos
run: |
for repo in $(cat repo_list.txt); do autopkg repo-add "$repo" && autopkg repo-update "$repo"; done
- name: Checkout autopkg cache repo
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
with:
repository: ${{ secrets.AUTOPKG_CACHE_REPO }}
token: ${{ secrets.AUTOPKG_GITHUB_TOKEN }}
fetch-depth: 1
ref: refs/heads/main
path: cache
- name: Checkout your autopkg override repo
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c
with:
repository: ${{ secrets.AUTOPKG_OVERRIDES_REPO }}
token: ${{ secrets.AUTOPKG_GITHUB_TOKEN }}
fetch-depth: 1
ref: refs/heads/main
path: overrides
- name: Run AutoPkg
run: |
export PATH="/usr/local/opt/curl/bin/:${PATH}"
python3 autopkg_tools.py -l recipe_list.json
if [ -f pull_request_title ]; then
echo "TITLE=$(cat pull_request_title)" >> $GITHUB_ENV
echo "BODY<<EOF" >> $GITHUB_ENV
cat pull_request_body >> $GITHUB_ENV
echo "EOF" >> $GITHUB_ENV
fi
env:
RECIPE: ${{ github.event.inputs.recipe }}
TEAMS_WEBHOOK_URL: ${{ secrets.TEAMS_WEBHOOK_URL }}
JAMF_PRO_URL: ${{ secrets.JSS_URL }}
- name: Create Trust Info pull request
if: env.TITLE
run: |
cd overrides
export BRANCH_NAME=trust-info-`date +'%Y-%m-%d'`
git checkout -b $BRANCH_NAME
git add .
git commit -m "${{ env.TITLE }}"
git push --set-upstream origin $BRANCH_NAME
jq -n --arg title "${{ env.TITLE }}" \
--arg body "$BODY" \
--arg head "$BRANCH_NAME" \
'{title: $title, body: $body, head: $head, "base": "${{ github.ref }}"}' | curl -s --request POST \
--url https://api.github.com/repos/${{ secrets.AUTOPKG_OVERRIDES_REPO }}/pulls \
--header 'authorization: Bearer ${{ secrets.AUTOPKG_GITHUB_TOKEN }}' \
--header 'content-type: application/json' \
-d@-