push-bundles.yaml

---
name: push-bundles

on:
  push:
    branches:
    - main
    paths:
    - policy/**
    - data/**

  workflow_dispatch:

jobs:
  push-policy-bundles:
    runs-on: ubuntu-latest

    steps:
    - name: Checkout code
      uses: actions/checkout@v3
      with:
        # So we can see in which commit a bundle's content was
        # most recently updated
        fetch-depth: 0

    - name: Docker login
      uses: docker/login-action@v2
      with:
        # See also BUNDLE_REPO defined in Makefile
        registry: quay.io
        username: ${{ secrets.BUNDLE_PUSH_USER }}
        password: ${{ secrets.BUNDLE_PUSH_PASS }}

    - name: Install conftest
      run: make install-conftest CONFTEST_BIN=$HOME/.local/bin

    - name: Push bundles and update infra-deployments
      env:
        EC_AUTOMATION_KEY: ${{ secrets.EC_AUTOMATION_KEY }}
        DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
        APP_INSTALL_ID: 32872589
      run: |
        set -o errexit
        set -o pipefail
        set -o nounset

        function createJWT() {
          local header=$(echo -n '{"alg":"RS256","typ":"JWT"}' | base64 | sed s/\+/-/ | sed -E s/=+$//)
          local now_utc=$(date --utc +%s)
          local payload=$(echo -n '{"iat":'$((now_utc - 60))',"exp":'$((now_utc + 120))',"iss":245286}' | base64 | sed s/\+/-/ | sed -E s/=+$//)
          local signature=$(echo -n "${header}.${payload}" | openssl dgst -sha256 -binary -sign <(echo "${EC_AUTOMATION_KEY}")| base64 | tr -d '\n=' | tr -- '+/' '-_')
          echo "${header}.${payload}.${signature}"
        }

        ENSURE_UNIQUE=1 \
        GITHUB_TOKEN=$(curl -s -X POST -H "Authorization: Bearer $(createJWT)" -H "Accept: application/vnd.github+json" "https://api.github.com/app/installations/${APP_INSTALL_ID}/access_tokens" | jq -r .token) \
        hack/update-bundles.sh