ExternalVendorCode/openwrt
1
0
Fork 0
mirror of https://github.com/openwrt/openwrt.git synced 2025-01-20 11:39:02 +00:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

ci: build: verify downloaded toolchain tarball

Browse Source 
CDNs are known to ship outdated or corrupted files, if it unpacks
correctly, it necessarily doesn't mean, that we're using the desired
content. So lets fix it by checking the tarball as well.

I'm adding GPG checking explicitly, its not needed, but just double
checking, that everything is working as expected on build
infrastructure.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 95dde52329)
This commit is contained in:
Petr Štetiar 2023-05-26 11:41:18 +02:00 committed by Christian Marangi
parent 37395ecb32
commit 6cdd9a6de4
No known key found for this signature in database
GPG Key ID: AC001D09ADBFEAD7
1 changed files with 12 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
.github/workflows/build.yml vendored
View File

@ -280,13 +280,23 @@ jobs:
restore-keys: |
ccache-${{ inputs.ccache_type }}-${{ inputs.target }}/${{ inputs.subtarget }}-
- name: Import GPG keys
shell: su buildbot -c "sh -e {0}"
if: inputs.build_toolchain == false && steps.parse-toolchain.outputs.toolchain-type != 'internal' && steps.parse-toolchain.outputs.toolchain-type != 'external_container'
run: gpg --receive-keys 0xCD84BCED626471F1 0x1D53D1877742E911 0xCD54E82DADB3684D
- name: Download external toolchain/sdk
if: inputs.build_toolchain == false && steps.parse-toolchain.outputs.toolchain-type != 'internal' && steps.parse-toolchain.outputs.toolchain-type != 'external_container'
shell: su buildbot -c "sh -e {0}"
working-directory: openwrt
run: |
wget -O - https://downloads.cdn.openwrt.org/${{ env.TOOLCHAIN_PATH }}/targets/${{ inputs.target }}/${{ inputs.subtarget }}/${{ env.TOOLCHAIN_FILE }}.tar.xz \
| tar --xz -xf -
wget https://downloads.cdn.openwrt.org/${{ env.TOOLCHAIN_PATH }}/targets/${{ inputs.target }}/${{ inputs.subtarget }}/${{ env.TOOLCHAIN_FILE }}.tar.xz
wget https://downloads.cdn.openwrt.org/${{ env.TOOLCHAIN_PATH }}/targets/${{ inputs.target }}/${{ inputs.subtarget }}/sha256sums.asc
wget https://downloads.cdn.openwrt.org/${{ env.TOOLCHAIN_PATH }}/targets/${{ inputs.target }}/${{ inputs.subtarget }}/sha256sums
gpg --with-fingerprint --verify sha256sums.asc
sha256sum --check --ignore-missing sha256sums
tar --xz -xf ${{ env.TOOLCHAIN_FILE }}.tar.xz
rm ${{ env.TOOLCHAIN_FILE }}.tar.xz sha256sums
- name: Configure testing kernel
if: inputs.testing == true