
Commit b5757a2

committed
Add metadata and checks
- checks SHA256 against expected - sets metadata for layer
1 parent f3aba6b commit b5757a2

1 file changed

+33
-2
lines changed


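--- a/.github/workflows/layer_govcloud.yml
+++ b/.github/workflows/layer_govcloud.yml
@@ -65,14 +65,21 @@ jobs:
 - name: Grab Zip
 run: |
 aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:017000801446:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ inputs.version }} --query 'Content.Location' | xargs curl -L -o ${{ matrix.layer }}_${{ matrix.arch }}.zip
-
+aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:017000801446:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ inputs.version }} > ${{ matrix.layer }}_${{ matrix.arch }}.json
 - name: Store Zip
 uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
 with:
 name: ${{ matrix.layer }}_${{ matrix.arch }}.zip
 path: ${{ matrix.layer }}_${{ matrix.arch }}.zip
 retention-days: 1
 if-no-files-found: error
+- name: Store Metadata
+uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
+with:
+name: ${{ matrix.layer }}_${{ matrix.arch }}.json
+path: ${{ matrix.layer }}_${{ matrix.arch }}.json
+retention-days: 1
+if-no-files-found: error
 
 copy_east:
 name: Copy (East)
@@ -98,6 +105,14 @@ jobs:
 uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
 with:
 name: ${{ matrix.layer }}_${{ matrix.arch }}.zip
+- name: Download Metadata
+uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+with:
+name: ${{ matrix.layer }}_${{ matrix.arch }}.json
+- name: Verify Layer Signature
+run: |
+SHA=$(jq -r '.Content.CodeSha256' ${{ matrix.layer }}_${{ matrix.arch }}.json)
+test $(openssl dgst -sha256 -binary ${{ matrix.layer }}_${{ matrix.arch }}.zip | openssl enc -base64) == $SHA && echo "SHA OK: ${SHA}" || exit 1
 - name: Configure AWS Credentials
 uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
 with:
@@ -109,6 +124,10 @@ jobs:
 aws --region us-gov-east-1 lambda publish-layer-version \
 --layer-name ${{ inputs.environment }}-${{ matrix.layer }}-${{ matrix.arch }} \
 --zip-file fileb://./${{ matrix.layer }}_${{ matrix.arch }}.zip \
+--compatible-runtimes $(jq -r ".CompatibleRuntimes[0]" ${{ matrix.layer }}_${{ matrix.arch }}.json) \
+--compatible-architectures $(jq -r ".CompatibleArchitectures[0]" ${{ matrix.layer }}_${{ matrix.arch }}.json) \
+--license-info "MIT-0" \
+--description "$(jq -r \".Description\" ${{ matrix.layer }}_${{ matrix.arch }}.json)" \
 --query 'Version' | \
 xargs aws --region us-gov-east-1 lambda add-layer-version-permission \
 --layer-name ${{ inputs.environment }}-${{ matrix.layer }}-${{ matrix.arch }} \
@@ -142,6 +161,14 @@ jobs:
 uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
 with:
 name: ${{ matrix.layer }}_${{ matrix.arch }}.zip
+- name: Download Metadata
+uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+with:
+name: ${{ matrix.layer }}_${{ matrix.arch }}.json
+- name: Verify Layer Signature
+run: |
+SHA=$(jq -r '.Content.CodeSha256' ${{ matrix.layer }}_${{ matrix.arch }}.json)
+test $(openssl dgst -sha256 -binary ${{ matrix.layer }}_${{ matrix.arch }}.zip | openssl enc -base64) == $SHA && echo "SHA OK: ${SHA}" || exit 1
 - name: Configure AWS Credentials
 uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
 with:
@@ -153,10 +180,14 @@ jobs:
 aws --region us-gov-west-1 lambda publish-layer-version \
 --layer-name ${{ inputs.environment }}-${{ matrix.layer }}-${{ matrix.arch }} \
 --zip-file fileb://./${{ matrix.layer }}_${{ matrix.arch }}.zip \
+--compatible-runtimes $(jq -r ".CompatibleRuntimes[0]" ${{ matrix.layer }}_${{ matrix.arch }}.json) \
+--compatible-architectures $(jq -r ".CompatibleArchitectures[0]" ${{ matrix.layer }}_${{ matrix.arch }}.json) \
+--license-info "MIT-0" \
+--description "$(jq -r \".Description\" ${{ matrix.layer }}_${{ matrix.arch }}.json)" \
 --query 'Version' | \
 xargs aws --region us-gov-west-1 lambda add-layer-version-permission \
 --layer-name ${{ inputs.environment }}-${{ matrix.layer }}-${{ matrix.arch }} \
 --statement-id 'PublicLayer' \
 --action lambda:GetLayerVersion \
 --principal '*' \
---version-number
+--version-number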
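Review bot: The `--description "$(jq -r \".Description\" …)"` argument added to both the us-gov-east-1 and us-gov-west-1 `publish-layer-version` commands appears to hand jq the string literal `".Description"` rather than a path, because inside `$( … )` the backslashes escape the quotes, so with `-r` the published description would likely be the literal text `.Description`; use single quotes as the neighbouring jq calls do: `--description "$(jq -r '.Description' ${{ matrix.layer }}_${{ matrix.arch }}.json)" \`. The `Verify Layer Signature` step (added identically in the East and West jobs) compares an unquoted `$SHA` with `test … ==`, so an empty or `null` `CodeSha256` only fails through a `test` usage error rather than an explicit check; `SHA=$(jq -er '.Content.CodeSha256' ${{ matrix.layer }}_${{ matrix.arch }}.json)` followed by `[ "$(openssl dgst -sha256 -binary ${{ matrix.layer }}_${{ matrix.arch }}.zip | openssl enc -base64)" = "$SHA" ] || { echo "SHA mismatch" >&2; exit 1; }` makes the failure deliberate. The step name overstates what it does: it checks that the zip carried through the artifact store matches the `CodeSha256` the source account's API reported alongside it, which is an integrity check, not a signature verification, so `Verify Layer Integrity (CodeSha256)` would describe it accurately. The `--compatible-runtimes` and `--compatible-architectures` lines also take only element `[0]` of each list, which silently drops any additional runtimes or architectures the source layer declares.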
