|
| 1 | +name: Validate fleetd base checksums |
| 2 | + |
| 3 | +on: |
| 4 | + schedule: |
| 5 | + - cron: '0 0 * * *' # Runs every 24 hours |
| 6 | + workflow_dispatch: # Allows manual trigger |
| 7 | + |
| 8 | +jobs: |
| 9 | + check-files: |
| 10 | + runs-on: ubuntu-latest |
| 11 | + |
| 12 | + steps: |
| 13 | + - name: Checkout repository |
| 14 | + uses: actions/checkout@v2 |
| 15 | + |
| 16 | + - name: Install dependencies |
| 17 | + run: sudo apt-get update |
| 18 | + |
| 19 | + - name: Download files from Cloudflare R2 |
| 20 | + env: |
| 21 | + R2_ACCESS_KEY: ${{ secrets.R2_ACCESS_KEY }} |
| 22 | + R2_SECRET_KEY: ${{ secrets.R2_SECRET_KEY }} |
| 23 | + R2_BUCKET: your-r2-bucket-name |
| 24 | + R2_REGION: your-r2-region |
| 25 | + run: | |
| 26 | + mkdir -p downloads |
| 27 | + cat << 'EOF' > download_files.sh |
| 28 | + #!/bin/bash |
| 29 | + set -e |
| 30 | +
|
| 31 | + ENDPOINT_URL="https://<R2_ENDPOINT_URL>" |
| 32 | +
|
| 33 | + FILES=("fleetd-base-manifest.plist" "fleetd-base.msi" "fleetd-base.pkg" "meta.json") |
| 34 | +
|
| 35 | + for FILE in "${FILES[@]}"; do |
| 36 | + aws s3 cp s3://$R2_BUCKET/$FILE downloads/$FILE --endpoint-url $ENDPOINT_URL |
| 37 | + done |
| 38 | +EOF |
| 39 | + |
| 40 | + chmod +x download_files.sh |
| 41 | + ./download_files.sh |
| 42 | + |
| 43 | + - name: Validate checksums |
| 44 | + run: | |
| 45 | + cat << 'EOF' > validate_checksums.sh |
| 46 | + #!/bin/bash |
| 47 | + set -e |
| 48 | +
|
| 49 | + validate_checksum() { |
| 50 | + local file_path=$1 |
| 51 | + local expected_checksum=$2 |
| 52 | + local actual_checksum=$(shasum -a 256 "$file_path" | awk '{ print $1 }') |
| 53 | +
|
| 54 | + if [ "$actual_checksum" != "$expected_checksum" ]; then |
| 55 | + echo "Checksum mismatch for $file_path: expected $expected_checksum, got $actual_checksum" |
| 56 | + return 1 |
| 57 | + fi |
| 58 | + } |
| 59 | +
|
| 60 | + declare -A checksums |
| 61 | + checksums["downloads/fleetd-base-manifest.plist"]="expected_checksum_1" |
| 62 | + checksums["downloads/fleetd-base.msi"]="expected_checksum_2" |
| 63 | + checksums["downloads/fleetd-base.pkg"]="expected_checksum_3" |
| 64 | + checksums["downloads/meta.json"]="expected_checksum_4" |
| 65 | +
|
| 66 | + all_valid=true |
| 67 | +
|
| 68 | + for file_path in "${!checksums[@]}"; do |
| 69 | + expected_checksum=${checksums[$file_path]} |
| 70 | + if ! validate_checksum "$file_path" "$expected_checksum"; then |
| 71 | + all_valid=false |
| 72 | + fi |
| 73 | + done |
| 74 | +
|
| 75 | + if [ "$all_valid" = false ]; then |
| 76 | + exit 1 |
| 77 | + fi |
| 78 | +EOF |
| 79 | + |
| 80 | + chmod +x validate_checksums.sh |
| 81 | + ./validate_checksums.sh |
| 82 | + |
| 83 | + - name: Notify Slack on failure |
| 84 | + if: failure() |
| 85 | + env: |
| 86 | + SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} |
| 87 | + run: | |
| 88 | + curl -X POST -H 'Content-type: application/json' --data '{"text":"File validation failed in the GitHub workflow!"}' $SLACK_WEBHOOK_URL |
0 commit comments