Harden GitHub workflows

Signed-off-by: Pol Henarejos <pol.henarejos@cttc.es>
This commit is contained in:
Pol Henarejos
2026-06-12 17:21:04 +02:00
parent 4d13107aac
commit df949f3d45
3 changed files with 29 additions and 6 deletions


@@ -40,7 +40,9 @@ jobs:
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v3 uses: actions/checkout@v4
with:
persist-credentials: false
# Initializes the CodeQL tools for scanning. # Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL - name: Initialize CodeQL
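Review bot: The checkout bump on L16 still references the action by the mutable tag `actions/checkout@v4`, so the job resolves whatever commit that tag points to at run time; for a commit titled "Harden GitHub workflows" the usual step is to pin the full commit SHA and keep the version as a trailing comment, `uses: actions/checkout@<full-commit-sha>  # v4`. The same applies to the checkout lines in the other two files and to the `pyTooling/Actions/releaser@v6.7.0` step in the nightly workflow. `persist-credentials: false` is the right default for a scanning job, assuming no later step in this job pushes with the checkout token; the CodeQL init and analyze steps are outside the hunk, so that cannot be confirmed here.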


@@ -5,34 +5,49 @@ on:
- cron: '0 2 * * *' - cron: '0 2 * * *'
workflow_dispatch: workflow_dispatch:
permissions:
contents: write
jobs: jobs:
nightly: nightly:
name: Deploy nightly name: Deploy nightly
permissions:
contents: write
strategy: strategy:
fail-fast: false fail-fast: false
matrix: matrix:
refs: [main, development] refs: [main, development]
runs-on: ubuntu-latest runs-on: ubuntu-latest
env:
SIGNING_KEY_PATH: ${{ github.workspace }}/../private.pem
steps: steps:
- name: Validate signing secret
run: |
test -n "${{ secrets.PRIVATE_KEY_B64 }}" || {
echo "PRIVATE_KEY_B64 is required for nightly signed releases." >&2
exit 1
}
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v4 uses: actions/checkout@v4
with: with:
ref: ${{ matrix.refs }} ref: ${{ matrix.refs }}
submodules: 'recursive' submodules: 'recursive'
persist-credentials: false
- name: Restore private key - name: Restore private key
run: | run: |
echo "${{ secrets.PRIVATE_KEY_B64 }}" | base64 -d > private.pem echo "${{ secrets.PRIVATE_KEY_B64 }}" | base64 -d > "${SIGNING_KEY_PATH}"
chmod 600 private.pem chmod 600 "${SIGNING_KEY_PATH}"
- name : Build - name : Build
env: env:
PICO_SDK_PATH: ../pico-sdk PICO_SDK_PATH: ../pico-sdk
SECURE_BOOT_PKEY: ../private.pem SECURE_BOOT_PKEY: ${{ github.workspace }}/../private.pem
run: | run: |
./workflows/autobuild.sh pico ./workflows/autobuild.sh pico
./build_pico_fido.sh --no-eddsa ./build_pico_fido.sh --no-eddsa
./workflows/autobuild.sh esp32 ./workflows/autobuild.sh esp32
- name: Delete private key - name: Delete private key
run: rm private.pem if: always()
run: rm -f "${SIGNING_KEY_PATH}"
- name: Update nightly release - name: Update nightly release
uses: pyTooling/Actions/releaser@v6.7.0 uses: pyTooling/Actions/releaser@v6.7.0
with: with:
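Review bot: The new "Validate signing secret" step on L44, like the retained restore step on L56, expands `secrets.PRIVATE_KEY_B64` straight into the shell script through `${{ }}`, so the secret's bytes become part of the generated script text instead of being read from the environment; passing it through the step's `env:` and referencing `$PRIVATE_KEY_B64` in the script is the recommended form and also removes any dependence on shell quoting of the value. The Build step's `SECURE_BOOT_PKEY` on L61 re-spells the path that `SIGNING_KEY_PATH` already holds, so `SECURE_BOOT_PKEY: ${{ env.SIGNING_KEY_PATH }}` keeps the two from drifting. The workflow-level `contents: write` on L27-28 is shadowed by the identical job-level grant on L32-33 (a job-level `permissions` block replaces the workflow-level one), so the top-level entry adds nothing; `contents: read` at the top with `write` only on the `nightly` job is the least-privilege shape if more jobs are added later, and the same duplication appears in the CI workflow (L78-79 and L83-84). The hunk ends inside the releaser step's `with:` block, so its inputs are outside view.
```yaml
      - name: Validate signing secret
        env:
          PRIVATE_KEY_B64: ${{ secrets.PRIVATE_KEY_B64 }}
        run: |
          test -n "$PRIVATE_KEY_B64" || {
            echo "PRIVATE_KEY_B64 is required for nightly signed releases." >&2
            exit 1
          }
      # … unchanged: checkout step …
      - name: Restore private key
        env:
          PRIVATE_KEY_B64: ${{ secrets.PRIVATE_KEY_B64 }}
        run: |
          umask 077
          printf '%s' "$PRIVATE_KEY_B64" | base64 -d > "${SIGNING_KEY_PATH}"
          chmod 600 "${SIGNING_KEY_PATH}"
      - name : Build
        env:
          PICO_SDK_PATH: ../pico-sdk
          SECURE_BOOT_PKEY: ${{ env.SIGNING_KEY_PATH }}
        # … unchanged: build script …
```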


@@ -21,16 +21,22 @@ on:
- cron: '23 5 * * 4' - cron: '23 5 * * 4'
workflow_dispatch: workflow_dispatch:
permissions:
contents: read
jobs: jobs:
build: build:
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: read
steps: steps:
- name: Checkout repository and submodules - name: Checkout repository and submodules
uses: actions/checkout@v3 uses: actions/checkout@v4
with: with:
submodules: recursive submodules: recursive
persist-credentials: false
- name: Build in container - name: Build in container
run: ./tests/build-in-docker.sh run: ./tests/build-in-docker.sh
- name: Start emulation and test - name: Start emulation and test