-
-
Notifications
You must be signed in to change notification settings - Fork 1.6k
147 lines (128 loc) · 6.68 KB
/
hash.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
name: Hash Released Files
on:
release:
types:
- published # Trigger the workflow when a release, pre-release, or draft of a release was published
- edited # Trigger the workflow when the details of a release, pre-release, or draft release were edited
concurrency:
group: hash-${{ github.event.release.tag_name }} # Use the release tag name for concurrency
cancel-in-progress: true # Cancel any in-progress runs for the same group
jobs:
calculate-hashes:
runs-on: ubuntu-latest # Use the latest Ubuntu environment
if: github.repository == 'sandboxie-plus/Sandboxie' # Only run this job if the event is from the specified repository
permissions:
contents: write # Allow writing to the repository's contents
env:
HASH_FILE: "sha256-checksums.txt" # Name of the file for storing SHA256 hashes
GITHUB_API_VERSION: "2022-11-28" # Define the GitHub API version as a variable
steps:
- name: Download release assets
run: |
mkdir -p assets # Create a directory for downloaded assets
TAG=${{ github.event.release.tag_name }} # Get the release tag name
# Fetch asset data from GitHub API
ASSET_DATA=$(curl -sSL \
-H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
-H "X-GitHub-Api-Version: ${{ env.GITHUB_API_VERSION }}" \
"https://api.github.com/repos/${{ github.repository }}/releases/tags/$TAG")
ASSET_URLS=($(echo "$ASSET_DATA" | jq -r '.assets[].browser_download_url')) # Extract asset URLs
ASSET_NAMES=($(echo "$ASSET_DATA" | jq -r '.assets[].name')) # Extract asset names
# Download each asset
for i in "${!ASSET_URLS[@]}"; do
url="${ASSET_URLS[i]}" # Current asset URL
name="${ASSET_NAMES[i]}" # Current asset name
echo "Downloading: $url"
if ! curl --fail -L -o "assets/$name" "$url"; then
echo "Failed to download: $url"
exit 1 # Exit on failure
fi
done
- name: Check for downloaded assets
id: check_assets
run: |
# Check if any assets were downloaded (excluding the hash file)
if [ "$(ls -A assets | grep -v ${{ env.HASH_FILE }})" ]; then
echo "Assets downloaded."
echo "assets_downloaded=true" >> $GITHUB_ENV
else
echo "No assets downloaded."
echo "assets_downloaded=false" >> $GITHUB_ENV
fi
- name: Calculate file hashes
if: env.assets_downloaded == 'true' # Only run if assets were downloaded
run: |
cd assets # Change to the assets directory
ls -la # List files for debugging
> "../${{ env.HASH_FILE }}" # Clear or create the hash file
# Loop through each file and calculate its SHA256 hash
for file in *; do
if [[ "$file" == "${{ env.HASH_FILE }}" ]]; then # Skip the hash file itself
echo "Skipping: $file"
continue
fi
echo "Calculating hash for: $file"
hash_value=$(sha256sum "$file" | awk '{ print $1 }') # Calculate the hash
echo "$hash_value $file" >> "../${{ env.HASH_FILE }}" # Append hash to the hash file
done
# Change back to the previous directory to reference the new hash file
cd ..
cat "${{ env.HASH_FILE }}" # Display the contents of the new hash file
- name: Check and upload hashes to release
if: env.assets_downloaded == 'true' # Only run if assets were downloaded
run: |
# Get the Release ID using the GitHub API
RELEASE_ID=$(curl -sL \
-H "Accept: application/vnd.github+json" \
-H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
-H "X-GitHub-Api-Version: ${{ env.GITHUB_API_VERSION }}" \
"https://api.github.com/repos/${{ github.repository }}/releases/tags/${{ github.event.release.tag_name }}" | \
jq -r '.id')
echo "Release ID: $RELEASE_ID"
# Check if an existing hash file asset is present
EXISTING_HASH_FILE="assets/${{ env.HASH_FILE }}"
if [ -f "$EXISTING_HASH_FILE" ]; then
echo "Found existing hash file. Comparing..."
# Print the contents of both files for debugging
echo "New hash file contents:"
cat "${{ env.HASH_FILE }}"
echo "Existing hash file contents:"
cat "$EXISTING_HASH_FILE"
# Compare the new hash file with the existing one
if cmp -s "${{ env.HASH_FILE }}" "$EXISTING_HASH_FILE"; then
echo "Hashes are the same. Skipping upload."
exit 0 # Exit if hashes are the same
else
echo "Hashes are different."
# Show differences for debugging
diff "${{ env.HASH_FILE }}" "$EXISTING_HASH_FILE" || true
# Proceed to delete the existing asset if necessary
EXISTING_ASSET_ID=$(curl -sL \
-H "Accept: application/vnd.github+json" \
-H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
-H "X-GitHub-Api-Version: ${{ env.GITHUB_API_VERSION }}" \
"https://api.github.com/repos/${{ github.repository }}/releases/$RELEASE_ID/assets" | \
jq -r --arg FILE_NAME "${{ env.HASH_FILE }}" '.[] | select(.name == $FILE_NAME) | .id')
if [ -n "$EXISTING_ASSET_ID" ]; then
echo "Deleting existing asset..."
curl -sL \
-X DELETE \
-H "Accept: application/vnd.github+json" \
-H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
-H "X-GitHub-Api-Version: ${{ env.GITHUB_API_VERSION }}" \
"https://api.github.com/repos/${{ github.repository }}/releases/assets/$EXISTING_ASSET_ID" || { echo "Failed to delete asset"; exit 1; }
fi
fi
else
echo "No existing hash file found."
fi
# Upload the new hash file to the release
echo "Uploading new hash file..."
curl -sL \
-X POST \
-H "Accept: application/vnd.github+json" \
-H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
-H "X-GitHub-Api-Version: ${{ env.GITHUB_API_VERSION }}" \
-H "Content-Type: application/octet-stream" \
"https://uploads.github.com/repos/${{ github.repository }}/releases/$RELEASE_ID/assets?name=${{ env.HASH_FILE }}" \
--data-binary @"${{ github.workspace }}/${{ env.HASH_FILE }}" || { echo "Failed to upload hash file"; exit 1; }