Reproduce and verify packages #8065
name: 'Reproduce and verify packages'

# Triggers: pushes to trunk, pull requests against any branch, an hourly
# schedule, and a manual run for a specific release tag.
on:
  push:
    branches: [trunk]
  # Runs for pull requests targeting any branch. For pull requests from
  # forks GitHub issues a read-only token, whatever the jobs request.
  pull_request:
    branches: ['**']
  schedule:
    # Hourly schedule.
    #
    # ┌───────────── minute (0 - 59)
    # │ ┌────────── hour (0 - 23)
    # │ │ ┌─────── day of the month (1 - 31)
    # │ │ │ ┌──── month (1 - 12 or JAN-DEC)
    # │ │ │ │ ┌─ day of the week (0 - 6 or SUN-SAT)
    # │ │ │ │ │
    # │ │ │ │ │
    # │ │ │ │ │
    - cron: '0 * * * *'
  # Manual run. The version value is caller-supplied text, so it must be
  # validated before any job uses it.
  workflow_dispatch:
    inputs:
      version:
        description: 'Full semver tag name for WordPress release in `x.y.z` format'
        required: true
        type: string

# Deny-by-default: the workflow-level token has no scopes. Each job
# declares its own permissions explicitly.
permissions: {}
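jobs:
  # Resolves the WordPress version that every other job works on, either from
  # the version-check API or from the manual workflow input, and publishes it
  # as a job output plus two artifacts (version.txt and offers.json).
  versions:
    name: Determine latest version
    runs-on: ubuntu-latest
    # NOTE(review): these write scopes are used only by the final
    # create-pull-request step, which is gated on trunk, yet they are granted
    # to every step of this job on every trigger. Consider moving the pull
    # request creation into its own job that consumes the `offers` artifact so
    # the fetch and parse steps can run with no write scopes.
    permissions:
      contents: write
      pull-requests: write
    timeout-minutes: 10
    outputs:
      version: ${{ steps.fetch.outputs.version }}
    steps:
      - name: Validate tag input
        if: ${{ github.event_name == 'workflow_dispatch' }}
        env:
          # The input reaches the script through the environment, never by
          # interpolating the expression into the script text.
          VERSION: ${{ github.event.inputs.version }}
        run: | #shell
          # Match the whole value, not line by line. grep tests each line
          # separately, so a value containing a newline would pass as long as
          # one of its lines looked like x.y.z, and the extra lines would
          # later be appended to $GITHUB_OUTPUT.
          semver_re='^[0-9]+\.[0-9]+\.[0-9]+$'
          if [[ ! "$VERSION" =~ $semver_re ]]; then
            echo "Error: Version tag is not in x.y.z format."
            exit 1
          fi
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          # Leaves the job token in the local git configuration for all later
          # steps. Presumably kept for the create-pull-request step; confirm it
          # is required, otherwise set this to false.
          persist-credentials: true
      # NOTE(review): unlike the other actions in this job, this one follows a
      # mutable branch rather than a full commit SHA, and it runs in a job
      # holding write scopes with persisted credentials. Pin it
      # (`@<full-commit-sha>`), or reference it by local path if this workflow
      # lives in the same repository.
      - name: Fetch offers from version check API
        uses: johnbillion/rave-wordpress/.github/actions/download-with-retry@trunk
        with:
          url: https://api.wordpress.org/core/version-check/1.7/
          output: offers-raw.json
      - name: Process offers data
        run: | #shell
          # Keep only the autoupdate offers and pick the highest version,
          # comparing the dotted components numerically.
          jq '
            .offers
            | map(select(.response == "autoupdate"))
            | max_by(.version | split(".") | map(tonumber))
          ' offers-raw.json > offers.json
      - name: Get latest version from API data
        if: ${{ github.event_name != 'workflow_dispatch' }}
        run: | #shell
          # Extract version and if the number is in major.minor syntax, append a .0
          version=$(jq --raw-output '.version | capture("(?<major>\\d+)\\.(?<minor>\\d+)(\\.(?<patch>\\d+))?") | .major + "." + .minor + "." + (.patch // "0")' offers.json)
          echo "$version" > version.txt
      - name: Fetch version from workflow input
        if: ${{ github.event_name == 'workflow_dispatch' }}
        env:
          VERSION: ${{ github.event.inputs.version }}
        run: | #shell
          echo "${VERSION}" > version.txt
      - name: Output version from version.txt
        id: fetch
        run: | #shell
          # Single choke point: whichever step wrote version.txt, only a
          # strict x.y.z value may reach $GITHUB_OUTPUT and the downstream
          # jobs. An empty or multi-line value stops the run here.
          version="$(cat version.txt)"
          semver_re='^[0-9]+\.[0-9]+\.[0-9]+$'
          if [[ ! "$version" =~ $semver_re ]]; then
            echo "Error: version.txt does not contain a version in x.y.z format."
            exit 1
          fi
          echo "version=${version}" >> "$GITHUB_OUTPUT"
      - name: Save version.txt
        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # 4.5.0
        with:
          name: version
          path: version.txt
          if-no-files-found: error
      - name: Save offers.json
        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # 4.5.0
        with:
          name: offers
          path: offers.json
          if-no-files-found: error
      # The only step in this job that writes to the repository. It commits
      # offers.json alone (add-paths) to the `offers` branch.
      - name: Create pull request if there are changes to offers.json
        if: github.ref == 'refs/heads/trunk'
        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
        with:
          add-paths: offers.json
          title: "Update offers.json"
          body: "This pull request updates the offers.json file."
          branch: offers
          commit-message: "Update offers.json"
          base: trunk
          delete-branch: true

  # Calls reproduce.yml once per source for the resolved version. The empty
  # permissions block caps the token of the called workflow at no scopes.
  reproduce:
    name: "Reproduce ${{ needs.versions.outputs.version }}"
    permissions: {}
    needs:
      - versions
    strategy:
      matrix:
        source:
          - develop.svn.wordpress.org
          - develop.git.wordpress.org
          - github-wordpress-develop
          - core.trac.wordpress.org
      fail-fast: false
    uses: ./.github/workflows/reproduce.yml
    with:
      tag: ${{ needs.versions.outputs.version }}
      source: ${{ matrix.source }}

  # Calls fetch-build.yml once per build source, with no token scopes.
  fetch-build:
    # The single-value `label` matrix axis exists only to supply this name.
    name: ${{ matrix.label }}
    permissions: {}
    needs:
      - versions
    strategy:
      matrix:
        label:
          - Fetch builds
        build:
          - core.svn.wordpress.org
          - core.git.wordpress.org
      fail-fast: false
    uses: ./.github/workflows/fetch-build.yml
    with:
      tag: ${{ needs.versions.outputs.version }}
      build: ${{ matrix.build }}

  # Calls compare.yml once per source after the reproduce and fetch-build
  # jobs have finished, with no token scopes.
  compare:
    name: ${{ matrix.label }}
    permissions: {}
    needs:
      - versions
      - reproduce
      - fetch-build
    strategy:
      matrix:
        label:
          - Compare reproduced builds
        source:
          - develop.git.wordpress.org
          - github-wordpress-develop
          - core.git.wordpress.org
          - core.svn.wordpress.org
          - core.trac.wordpress.org
      fail-fast: false
    uses: ./.github/workflows/compare.yml
    with:
      tag: ${{ needs.versions.outputs.version }}
      source: ${{ matrix.source }}

  # Calls offer.yml for the resolved version. Skipped on manual runs.
  offers:
    name: Verify update offers
    if: ${{ github.event_name != 'workflow_dispatch' }}
    permissions: {}
    needs:
      - versions
    uses: ./.github/workflows/offer.yml
    with:
      tag: ${{ needs.versions.outputs.version }}

  # Calls verify.yml once per distributed package for the resolved version.
  verify-packages:
    name: ${{ matrix.label }}
    # id-token and attestations write access is passed to verify.yml,
    # presumably so it can produce attestations; verify.yml is not shown here.
    # NOTE(review): confirm that workflow attests only after verification
    # succeeds.
    permissions:
      contents: read
      id-token: write
      attestations: write
    needs:
      - versions
      - reproduce
      - compare
    strategy:
      matrix:
        label:
          - Verify packages
        package:
          - wordpress.org-zip
          - wordpress.org-tar
          - downloads.wordpress.org-zip
          - downloads.wordpress.org-tar
          - downloads.w.org-zip
          - downloads.w.org-tar
          - github-zip
          - docker-wordpress
          - wpengine-zip
          - aspirecloud-zip
          - roots-wordpress-full
          - johnpbloch-wordpress
          - build.trac.wordpress.org
        tag:
          - ${{ needs.versions.outputs.version }}
      fail-fast: false
    uses: ./.github/workflows/verify.yml
    with:
      tag: ${{ matrix.tag }}
      package: ${{ matrix.package }}

  # These packages are verified against the latest tag; they cannot be
  # verified against a prior version. Skipped on manual runs.
  verify-latest-packages:
    name: ${{ matrix.label }}
    if: ${{ github.event_name != 'workflow_dispatch' }}
    # Same scopes as verify-packages, passed to the same called workflow.
    permissions:
      contents: read
      id-token: write
      attestations: write
    needs:
      - versions
      - reproduce
      - compare
      - verify-packages
    strategy:
      matrix:
        include:
          - label: Verify packages
            package: fair-zip
            tag: ${{ needs.versions.outputs.version }}
          - label: Verify latest packages
            package: wordpress.org-zip
            tag: latest
          - label: Verify latest packages
            package: wordpress.org-tar
            tag: latest
      fail-fast: false
    uses: ./.github/workflows/verify.yml
    with:
      tag: ${{ matrix.tag }}
      package: ${{ matrix.package }}

  # Calls hashes.yml for the resolved version, with no token scopes.
  verify-hashes:
    name: Verify hashes
    permissions: {}
    needs:
      - versions
    uses: ./.github/workflows/hashes.yml
    with:
      tag: ${{ needs.versions.outputs.version }}

  # Calls versions.yml once per distribution channel. Skipped on manual runs.
  verify-versions:
    name: ${{ matrix.label }}
    if: ${{ github.event_name != 'workflow_dispatch' }}
    permissions:
      contents: read
    needs:
      - versions
    strategy:
      matrix:
        label:
          - Verify distributed versions
        package:
          - github-zip
          - docker-wordpress
          - wordpress.org-zip
          - wordpress.org-tar
          - downloads.wordpress.org-zip
          - downloads.wordpress.org-tar
          - wpengine-zip
          - aspirecloud-zip
          - fair-zip
          - roots-wordpress-full
          - johnpbloch-wordpress
          - stable-check
      fail-fast: false
    uses: ./.github/workflows/versions.yml
    with:
      tag: ${{ needs.versions.outputs.version }}
      package: ${{ matrix.package }}

  # Calls checksums.yml for the resolved version.
  verify-checksums:
    name: Verify checksums
    # NOTE(review): write scopes are handed to checksums.yml on every trigger,
    # pull requests included. That workflow is not shown here; confirm it
    # limits its write operations to trunk.
    permissions:
      contents: write
      pull-requests: write
    needs:
      - versions
    uses: ./.github/workflows/checksums.yml
    with:
      tag: ${{ needs.versions.outputs.version }}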