Skip to content

refactor: re-encrypt secrets with updated gpg key #633

refactor: re-encrypt secrets with updated gpg key

refactor: re-encrypt secrets with updated gpg key #633

Workflow file for this run

concurrency:
cancel-in-progress: true
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
defaults:
run:
shell: bash
jobs:
# Check that the project is able to configure the current user
# This is the main use case, except for the fact that the current user is root due to GitHub Actions defaults
# This might not be representative, so here we just check that configuring the current user works
# Also, this job also checks formatting
check_current_user:
env:
HOME: /root
runs-on: ubuntu-22.04
container: ubuntu:22.04
steps:
# checkout action falls back to REST API if it does not find 'git',
# which is a case in our virgin container
# This leads to a missing .git directory and complaining
# format check step
# As an exception, let's install git.
# More precise checks will be done in another jobs
- name: Install git
run: apt update && apt-get install --yes --no-install-recommends git ca-certificates
- name: Checkout repository
uses: actions/checkout@v4
# Checkout action sets repo as safe, but this does not look like to work inside container
- name: Mark repo as safe
run: git config --system --add safe.directory $(pwd)
- name: Config
run: ./main.sh config
- name: Check idempotence
run: ./main.sh config --verify-unchanged
# All format checks only available after complete machine setup
# So, we need to do them in one of the check jobs
- name: Check format
run: |
export PATH="$HOME/.local/bin/:$PATH"
./main.sh format
if [[ -n "$(git diff)" ]]; then
echo "Code is not formatted."
git diff
exit 1
fi
# As mentioned, previous check for the root user might not be representative
# Thus, all the main checks are done by root for the "random_user"
check:
runs-on: ubuntu-22.04
container: ${{ matrix.image }}
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Config
run: ./main.sh config --user random_user
- name: Check idempotence
run: ./main.sh config --user random_user --verify-unchanged
strategy:
matrix:
image:
- ubuntu:22.04
- ubuntu:23.04
- ubuntu:23.10
- ubuntu:24.04
- fedora:38
- fedora:39
- fedora:40
# Check that the project is able to configure remote host, with a user different from the current one
check_remote:
runs-on: ubuntu-22.04
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Check remote config
run: ./main.sh config --host dotfiles_ubuntu_22.04 --user random_user --mode reduced
- name: Check remote idempotence
run: ./main.sh config --host dotfiles_ubuntu_22.04 --user random_user --mode reduced --verify-unchanged
lint:
runs-on: ubuntu-22.04
steps:
# Checkout must be onto the original commit, not a single PR
# Otherwise lint will not see full history and diagnose secrets leakage
- name: Checkout repository
uses: actions/checkout@v4
with:
fetch-depth: 0
ref: ${{ github.event.pull_request.head.sha }}
- name: Lint
run: ./main.sh lint
scripts:
runs-on: ubuntu-22.04
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Generate roles graph
run: ./main.sh graph
- name: Check update works
run: ./main.sh update
- name: Show diff
run: git diff
name: dotfiles workflow
on:
pull_request:
branches:
- main
push:
branches:
- main