flashduty-cli/.github/workflows/install-scripts.yml at main · flashcatcloud/flashduty-cli · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
name: install scripts

on:
  push:
    branches:
      - main
    paths:
      - install.sh
      - install.ps1
      - .github/workflows/install-scripts.yml
  pull_request:
    paths:
      - install.sh
      - install.ps1
      - .github/workflows/install-scripts.yml

permissions:
  contents: read

jobs:
  lint:
    name: shellcheck + parse
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: shellcheck
        run: shellcheck -s sh install.sh
      - name: sh parse
        run: sh -n install.sh
      - name: bash parse
        run: bash -n install.sh

  mirror:
    name: mirror install scripts
    runs-on: ubuntu-latest
    needs: lint
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    steps:
      - uses: actions/checkout@v4
      - name: Upload install scripts to S3-compatible storage
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.MIRROR_S3_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.MIRROR_S3_SECRET_ACCESS_KEY }}
          AWS_DEFAULT_REGION: ${{ secrets.MIRROR_S3_REGION }}
          BUCKET: ${{ secrets.MIRROR_S3_BUCKET }}
          ENDPOINT: ${{ secrets.MIRROR_S3_ENDPOINT }}
          PREFIX: ${{ secrets.MIRROR_S3_PATH_PREFIX }}
          MIRROR_PUBLIC_URL: ${{ secrets.MIRROR_PUBLIC_URL }}
        run: |
          set -eu
          if [ -z "${BUCKET:-}" ] || [ -z "${ENDPOINT:-}" ]; then
            echo "Mirror not configured (need MIRROR_S3_BUCKET + MIRROR_S3_ENDPOINT). Skipping."
            exit 0
          fi
          # Aliyun OSS rejects path-style requests; force virtual-hosted style.
          aws configure set default.s3.addressing_style virtual
          # AWS CLI v2.23+ default integrity protections add `aws-chunked`
          # encoding which OSS rejects (InvalidArgument). Restore old behavior.
          aws configure set default.request_checksum_calculation when_required
          aws configure set default.response_checksum_validation when_required
          PREFIX="${PREFIX#/}"; PREFIX="${PREFIX%/}"

          # Bake the CDN as the default MIRROR_URL into the copy we serve from the
          # CDN, so `curl <cdn>/install.sh | sh` pulls binaries from the CDN with
          # no MIRROR_URL arg. The repo / GitHub copy stays generic (GitHub default).
          src_sh=install.sh
          if [ -n "${MIRROR_PUBLIC_URL:-}" ]; then
            pub="${MIRROR_PUBLIC_URL%/}${PREFIX:+/${PREFIX}}"
            sed "s#MIRROR_URL=\"\${MIRROR_URL:-}\"#MIRROR_URL=\"\${MIRROR_URL:-${pub}}\"#" install.sh > /tmp/install.sh
            grep -q "MIRROR_URL:-${pub}" /tmp/install.sh || { echo "ERROR: MIRROR_URL default not injected (install.sh default line changed?)" >&2; exit 1; }
            src_sh=/tmp/install.sh
          fi
          sh_key="${PREFIX:+${PREFIX}/}install.sh"
          aws --endpoint-url="$ENDPOINT" s3 cp "$src_sh" "s3://${BUCKET}/${sh_key}" \
            --cache-control "public, max-age=300" \
            --content-type "text/x-shellscript; charset=utf-8"

          ps1_key="${PREFIX:+${PREFIX}/}install.ps1"
          aws --endpoint-url="$ENDPOINT" s3 cp install.ps1 "s3://${BUCKET}/${ps1_key}" \
            --cache-control "public, max-age=300" \
            --content-type "text/plain; charset=utf-8"