From 7c46cd6447f6b9dfc683ab854e36de9e558650ce Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C4=99drzej=20Stuczy=C5=84ski?= Date: Fri, 14 Nov 2025 14:31:18 +0000 Subject: [PATCH 01/20] update runner --- .github/workflows/publish-upgrade-mode-attestation.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publish-upgrade-mode-attestation.yml b/.github/workflows/publish-upgrade-mode-attestation.yml index a547318..49919ed 100644 --- a/.github/workflows/publish-upgrade-mode-attestation.yml +++ b/.github/workflows/publish-upgrade-mode-attestation.yml @@ -9,7 +9,7 @@ jobs: strategy: fail-fast: false matrix: - platform: [ubuntu-20.04-16-core] + platform: [ubuntu-latest] runs-on: ${{ matrix.platform }} steps: - name: Set up Python From 046906863fc1a1675cd38b76517b21931231b6c2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C4=99drzej=20Stuczy=C5=84ski?= Date: Fri, 14 Nov 2025 14:37:21 +0000 Subject: [PATCH 02/20] move script --- .github/{actions => }/generate-attestation/attestation_gen.py | 0 .github/{actions => }/generate-attestation/requirements.txt | 0 .github/workflows/publish-upgrade-mode-attestation.yml | 4 ++-- 3 files changed, 2 insertions(+), 2 deletions(-) rename .github/{actions => }/generate-attestation/attestation_gen.py (100%) rename .github/{actions => }/generate-attestation/requirements.txt (100%) diff --git a/.github/actions/generate-attestation/attestation_gen.py b/.github/generate-attestation/attestation_gen.py similarity index 100% rename from .github/actions/generate-attestation/attestation_gen.py rename to .github/generate-attestation/attestation_gen.py diff --git a/.github/actions/generate-attestation/requirements.txt b/.github/generate-attestation/requirements.txt similarity index 100% rename from .github/actions/generate-attestation/requirements.txt rename to .github/generate-attestation/requirements.txt 
diff --git a/.github/workflows/publish-upgrade-mode-attestation.yml b/.github/workflows/publish-upgrade-mode-attestation.yml index 49919ed..2728a99 100644 --- a/.github/workflows/publish-upgrade-mode-attestation.yml +++ b/.github/workflows/publish-upgrade-mode-attestation.yml @@ -18,12 +18,12 @@ jobs: python-version: '3.11' - name: Install action-specific dependencies - run: pip install -r .github/actions/generate-attestation/requirements.txt + run: pip install -r .github/generate-attestation/requirements.txt - name: Generate the signed Attestation env: ATTESTER_PRIVATE_KEY: ${{ secrets.TEST_SECRET }} - run: python .github/actions/generate-attestation/attestation_gen.py + run: python .github/generate-attestation/attestation_gen.py - name: Upload artifacts uses: actions/upload-artifact@v4 From 412cbd0b3e81c67dd5f0601766bde6e6d40b66d0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C4=99drzej=20Stuczy=C5=84ski?= Date: Fri, 14 Nov 2025 14:44:36 +0000 Subject: [PATCH 03/20] use composite action --- .../action.yml} | 5 ++--- .../attestation_gen.py | 0 .../requirements.txt | 0 3 files changed, 2 insertions(+), 3 deletions(-) rename .github/{workflows/publish-upgrade-mode-attestation.yml => publish-upgrade-mode-attestation/action.yml} (89%) rename .github/{generate-attestation => publish-upgrade-mode-attestation}/attestation_gen.py (100%) rename .github/{generate-attestation => publish-upgrade-mode-attestation}/requirements.txt (100%) diff --git a/.github/workflows/publish-upgrade-mode-attestation.yml b/.github/publish-upgrade-mode-attestation/action.yml similarity index 89% rename from .github/workflows/publish-upgrade-mode-attestation.yml rename to .github/publish-upgrade-mode-attestation/action.yml index 2728a99..e52ae68 100644 --- a/.github/workflows/publish-upgrade-mode-attestation.yml +++ b/.github/publish-upgrade-mode-attestation/action.yml @@ -1,6 +1,5 @@ name: Test Create attestation.json - on: workflow_dispatch: 
@@ -18,12 +17,12 @@ jobs: python-version: '3.11' - name: Install action-specific dependencies - run: pip install -r .github/generate-attestation/requirements.txt + run: pip install -r $GITHUB_ACTION_PATH/requirements.txt - name: Generate the signed Attestation env: ATTESTER_PRIVATE_KEY: ${{ secrets.TEST_SECRET }} - run: python .github/generate-attestation/attestation_gen.py + run: python $GITHUB_ACTION_PATH/attestation_gen.py - name: Upload artifacts uses: actions/upload-artifact@v4 diff --git a/.github/generate-attestation/attestation_gen.py b/.github/publish-upgrade-mode-attestation/attestation_gen.py similarity index 100% rename from .github/generate-attestation/attestation_gen.py rename to .github/publish-upgrade-mode-attestation/attestation_gen.py diff --git a/.github/generate-attestation/requirements.txt b/.github/publish-upgrade-mode-attestation/requirements.txt similarity index 100% rename from .github/generate-attestation/requirements.txt rename to .github/publish-upgrade-mode-attestation/requirements.txt From d175d6d33d078472f17c3e7b52c1c3e5baf38046 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C4=99drzej=20Stuczy=C5=84ski?= Date: Fri, 14 Nov 2025 14:56:24 +0000 Subject: [PATCH 04/20] wip --- .../action.yml | 46 +++++++++++-------- .../run-publish-upgrade-mode-attestation.yml | 39 ++++++++++++++++ 2 files changed, 66 insertions(+), 19 deletions(-) create mode 100644 .github/workflows/run-publish-upgrade-mode-attestation.yml diff --git a/.github/publish-upgrade-mode-attestation/action.yml b/.github/publish-upgrade-mode-attestation/action.yml index e52ae68..cad39cb 100644 --- a/.github/publish-upgrade-mode-attestation/action.yml +++ b/.github/publish-upgrade-mode-attestation/action.yml 
@@ -1,7 +1,32 @@ name: Test Create attestation.json -on: - workflow_dispatch: + +inputs: + attester_private_key: + description: "Private key used for signing attestation.json" + required: true + + # jwt_issuers: + # description: "List of public keys of entities allowed to issue upgrade mode JWTs" + # required: true + + runs: + using: "composite" + steps: + - name: Set up Python + uses: actions/setup-python@v5 + with: + python-version: "3.11" + + - name: Install dependencies + run: pip install -r $GITHUB_ACTION_PATH/requirements.txt + shell: bash + + - name: Generate signed attestation + run: | + export ATTESTER_PRIVATE_KEY="${{ inputs.attester_private_key }}" + python $GITHUB_ACTION_PATH/attestation_gen.py + shell: bash jobs: create-attestation: @@ -23,20 +48,3 @@ jobs: env: ATTESTER_PRIVATE_KEY: ${{ secrets.TEST_SECRET }} run: python $GITHUB_ACTION_PATH/attestation_gen.py - - - name: Upload artifacts - uses: actions/upload-artifact@v4 - with: - name: output-files - path: output/attestation.json - - - name: Create Pull Request - uses: peter-evans/create-pull-request@v6 - with: - commit-message: "enable upgrade mode" - branch: ci/publish-upgrade-mode-attestation - title: "Publish new Upgrade Mode Attestation" - body: | - This PR attempts to publush **attestation.json** with the upgrade mode content. - add-paths: | - src/public/test.txt \ No newline at end of file diff --git a/.github/workflows/run-publish-upgrade-mode-attestation.yml b/.github/workflows/run-publish-upgrade-mode-attestation.yml new file mode 100644 index 0000000..cb4109a --- /dev/null +++ b/.github/workflows/run-publish-upgrade-mode-attestation.yml 
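Review bot: In the `Generate signed attestation` step, `${{ inputs.attester_private_key }}` is expanded into the text of the `run` script before bash starts, so the key is written into the generated script file on the runner and any quote, `$` or backtick in the value is interpreted by the shell. Pass it through the step environment instead: add `env:` with `ATTESTER_PRIVATE_KEY: ${{ inputs.attester_private_key }}` to the step and reduce the script to `run: python "$GITHUB_ACTION_PATH/attestation_gen.py"`. The same interpolation survives the re-indentation in patches 06 and 07 and is repeated for `AUTHORISED_JWT_ISSUERS="${{ inputs.jwt_issuers }}"` in patch 10, where the value is an ordinary workflow input and should move to `env:` as well.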
@@ -0,0 +1,39 @@ +name: Test run create attestation.json + +on: + workflow_dispatch: + +jobs: + create-attestation: + strategy: + fail-fast: false + matrix: + platform: [ubuntu-latest] + runs-on: ${{ matrix.platform }} + steps: + - name: Checkout repo + uses: actions/checkout@v4 + with: + fetch-depth: 0 # needed for PR commits + + - name: Run my the generate action + uses: ./.github/publish-upgrade-mode-attestation + with: + my_secret: ${{ secrets.TEST_SECRET }} + + - name: Upload artifacts + uses: actions/upload-artifact@v4 + with: + name: output-files + path: output/attestation.json + + - name: Create Pull Request + uses: peter-evans/create-pull-request@v6 + with: + commit-message: "enable upgrade mode" + branch: ci/publish-upgrade-mode-attestation + title: "Publish new Upgrade Mode Attestation" + body: | + This PR attempts to publush **attestation.json** with the upgrade mode content. + add-paths: | + src/public/test.txt From a270ff66abae9fc5fe4bd87542212a48eaf3c433 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C4=99drzej=20Stuczy=C5=84ski?= Date: Fri, 14 Nov 2025 14:57:25 +0000 Subject: [PATCH 05/20] wip --- .../action.yml | 21 ------------------- 1 file changed, 21 deletions(-) diff --git a/.github/publish-upgrade-mode-attestation/action.yml b/.github/publish-upgrade-mode-attestation/action.yml index cad39cb..ca60bc4 100644 --- a/.github/publish-upgrade-mode-attestation/action.yml +++ b/.github/publish-upgrade-mode-attestation/action.yml 
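Review bot: `peter-evans/create-pull-request@v6` is referenced by a movable tag in the same job that handles the attester signing key and pushes commits, so a retagged or compromised release would run with that job's token and workspace. Pin third-party actions to a full commit SHA and keep the tag as a comment, e.g. `uses: peter-evans/create-pull-request@<full-commit-sha> # v6`. The same applies to `peter-evans/create-pull-request@v5` in `disable-upgrade-mode.yml` (patch 14). The job also declares no `permissions:`, so the token scope is left to the repository default.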
@@ -27,24 +27,3 @@ inputs: export ATTESTER_PRIVATE_KEY="${{ inputs.attester_private_key }}" python $GITHUB_ACTION_PATH/attestation_gen.py shell: bash - -jobs: - create-attestation: - strategy: - fail-fast: false - matrix: - platform: [ubuntu-latest] - runs-on: ${{ matrix.platform }} - steps: - - name: Set up Python - uses: actions/setup-python@v5 - with: - python-version: '3.11' - - - name: Install action-specific dependencies - run: pip install -r $GITHUB_ACTION_PATH/requirements.txt - - - name: Generate the signed Attestation - env: - ATTESTER_PRIVATE_KEY: ${{ secrets.TEST_SECRET }} - run: python $GITHUB_ACTION_PATH/attestation_gen.py From 5348544f7f2c973b4d7f0cd3b16c91db44f49880 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C4=99drzej=20Stuczy=C5=84ski?= Date: Fri, 14 Nov 2025 14:58:59 +0000 Subject: [PATCH 06/20] fix run block --- .../action.yml | 28 +++++++++---------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/.github/publish-upgrade-mode-attestation/action.yml b/.github/publish-upgrade-mode-attestation/action.yml index ca60bc4..789a571 100644 --- a/.github/publish-upgrade-mode-attestation/action.yml +++ b/.github/publish-upgrade-mode-attestation/action.yml 
@@ -11,19 +11,19 @@ inputs: # required: true runs: - using: "composite" - steps: - - name: Set up Python - uses: actions/setup-python@v5 - with: - python-version: "3.11" + using: "composite" + steps: + - name: Set up Python + uses: actions/setup-python@v5 + with: + python-version: "3.11" - - name: Install dependencies - run: pip install -r $GITHUB_ACTION_PATH/requirements.txt - shell: bash + - name: Install dependencies + run: pip install -r $GITHUB_ACTION_PATH/requirements.txt + shell: bash - - name: Generate signed attestation - run: | - export ATTESTER_PRIVATE_KEY="${{ inputs.attester_private_key }}" - python $GITHUB_ACTION_PATH/attestation_gen.py - shell: bash + - name: Generate signed attestation + run: | + export ATTESTER_PRIVATE_KEY="${{ inputs.attester_private_key }}" + python $GITHUB_ACTION_PATH/attestation_gen.py + shell: bash From 1b80e77166ebee1055a23acc24a8b6e3dc2aad54 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C4=99drzej=20Stuczy=C5=84ski?= Date: Fri, 14 Nov 2025 15:00:59 +0000 Subject: [PATCH 07/20] fix run block for real this time --- .../action.yml | 30 +++++++++---------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/.github/publish-upgrade-mode-attestation/action.yml b/.github/publish-upgrade-mode-attestation/action.yml index 789a571..04a3f1e 100644 --- a/.github/publish-upgrade-mode-attestation/action.yml +++ b/.github/publish-upgrade-mode-attestation/action.yml 
@@ -10,20 +10,20 @@ inputs: # description: "List of public keys of entities allowed to issue upgrade mode JWTs" # required: true - runs: - using: "composite" - steps: - - name: Set up Python - uses: actions/setup-python@v5 - with: - python-version: "3.11" +runs: + using: "composite" + steps: + - name: Set up Python + uses: actions/setup-python@v5 + with: + python-version: "3.11" - - name: Install dependencies - run: pip install -r $GITHUB_ACTION_PATH/requirements.txt - shell: bash + - name: Install dependencies + run: pip install -r $GITHUB_ACTION_PATH/requirements.txt + shell: bash - - name: Generate signed attestation - run: | - export ATTESTER_PRIVATE_KEY="${{ inputs.attester_private_key }}" - python $GITHUB_ACTION_PATH/attestation_gen.py - shell: bash + - name: Generate signed attestation + run: | + export ATTESTER_PRIVATE_KEY="${{ inputs.attester_private_key }}" + python $GITHUB_ACTION_PATH/attestation_gen.py + shell: bash From 45bfc113c36ad65e3a5e35abd60452e90eb0c568 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C4=99drzej=20Stuczy=C5=84ski?= Date: Fri, 14 Nov 2025 15:03:01 +0000 Subject: [PATCH 08/20] use correct input name --- .github/workflows/run-publish-upgrade-mode-attestation.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/run-publish-upgrade-mode-attestation.yml b/.github/workflows/run-publish-upgrade-mode-attestation.yml index cb4109a..a0a3df7 100644 --- a/.github/workflows/run-publish-upgrade-mode-attestation.yml +++ b/.github/workflows/run-publish-upgrade-mode-attestation.yml @@ -19,7 +19,7 @@ jobs: - name: Run my the generate action uses: ./.github/publish-upgrade-mode-attestation with: - my_secret: ${{ secrets.TEST_SECRET }} + attester_private_key: ${{ secrets.TEST_SECRET }} - name: Upload artifacts uses: actions/upload-artifact@v4 From 22b7c0ab6100ff0219c61abec59cb9c9bd0ee866 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?J=C4=99drzej=20Stuczy=C5=84ski?= Date: Fri, 14 Nov 2025 15:04:02 +0000 Subject: [PATCH 09/20] write correct value --- .github/publish-upgrade-mode-attestation/attestation_gen.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/publish-upgrade-mode-attestation/attestation_gen.py b/.github/publish-upgrade-mode-attestation/attestation_gen.py index 491f797..1dfe4ea 100644 --- a/.github/publish-upgrade-mode-attestation/attestation_gen.py +++ b/.github/publish-upgrade-mode-attestation/attestation_gen.py @@ -16,6 +16,6 @@ public_path = "src/public" os.makedirs(public_path, exist_ok=True) with open(f"{public_path}/test.txt", "w") as f: - f.write(hash_value) + f.write(attester_private_key) print("written to output/test.txt") \ No newline at end of file From 142f648c2d5e3dd7960f14659209a80537417dea Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C4=99drzej=20Stuczy=C5=84ski?= Date: Fri, 14 Nov 2025 16:10:19 +0000 Subject: [PATCH 10/20] full pipeline --- .../action.yml | 7 ++- .../attestation_gen.py | 59 ++++++++++++++++--- .../requirements.txt | 4 ++ .../run-publish-upgrade-mode-attestation.yml | 3 +- 4 files changed, 62 insertions(+), 11 deletions(-) diff --git a/.github/publish-upgrade-mode-attestation/action.yml b/.github/publish-upgrade-mode-attestation/action.yml index 04a3f1e..d79dff9 100644 --- a/.github/publish-upgrade-mode-attestation/action.yml +++ b/.github/publish-upgrade-mode-attestation/action.yml @@ -6,9 +6,9 @@ inputs: description: "Private key used for signing attestation.json" required: true - # jwt_issuers: - # description: "List of public keys of entities allowed to issue upgrade mode JWTs" - # required: true + jwt_issuers: + description: "List of public keys of entities allowed to issue upgrade mode JWTs" + required: true runs: using: "composite" 
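Review bot: The added `f.write(attester_private_key)` puts the raw value of `ATTESTER_PRIVATE_KEY` into `src/public/test.txt`, and the workflow added in patch 04 lists that exact path under `add-paths` for the pull-request step, so a run at this commit would push the signing secret to the `ci/publish-upgrade-mode-attestation` branch. Log masking does not apply to file contents. Patch 10 later replaces this write, but if the workflow was dispatched in between, the value behind `secrets.TEST_SECRET` should be treated as disclosed and rotated, and the branch history checked. To confirm the input arrives, write a digest instead, e.g. `f.write(hashlib.sha256(attester_private_key.encode()).hexdigest())`. The script starts outside this hunk.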
@@ -25,5 +25,6 @@ runs: - name: Generate signed attestation run: | export ATTESTER_PRIVATE_KEY="${{ inputs.attester_private_key }}" + export AUTHORISED_JWT_ISSUERS="${{ inputs.jwt_issuers }}" python $GITHUB_ACTION_PATH/attestation_gen.py shell: bash diff --git a/.github/publish-upgrade-mode-attestation/attestation_gen.py b/.github/publish-upgrade-mode-attestation/attestation_gen.py index 1dfe4ea..5273936 100644 --- a/.github/publish-upgrade-mode-attestation/attestation_gen.py +++ b/.github/publish-upgrade-mode-attestation/attestation_gen.py 
@@ -1,21 +1,66 @@ import os +import base58 +from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey +from cryptography.hazmat.primitives import serialization +import json +from datetime import datetime, timezone attester_private_key = os.getenv("ATTESTER_PRIVATE_KEY") if not attester_private_key: raise ValueError("ATTESTER_PRIVATE_KEY is not set") +authorised_jwt_issuers_raw = os.getenv("AUTHORISED_JWT_ISSUERS") +if not authorised_jwt_issuers_raw: + raise ValueError("AUTHORISED_JWT_ISSUERS is not set") + + +authorised_jwt_issuers = [authorised_jwt_issuers_raw.split(',')] + +# decode passed private key +attester_private_key_decoded = base58.b58decode(attester_private_key) +ed25519_private_key = Ed25519PrivateKey.from_private_bytes(attester_private_key_decoded) + +# derive corresponding public key +ed25519_public_key = ed25519_private_key.public_key() +ed25519_public_key_bs58 = base58.b58encode( + ed25519_public_key.public_bytes( + encoding=serialization.Encoding.Raw, + format=serialization.PublicFormat.Raw + ) +).decode("utf-8") + +# rfc3339 formatting +starting_time = datetime.now(timezone.utc).strftime('%Y-%m-%dT%H:%M:%SZ') + +# create content we're going to sign +attestation_content = { + "type": "upgrade_mode", + "starting_time": starting_time, + "attester_public_key": ed25519_public_key_bs58, + "authorised_jwt_issuers": authorised_jwt_issuers +} +attestation_content_json = json.dumps(attestation_content, separators=(',', ':')) + +print("signing the following attestation content: ", attestation_content_json) + +signature = ed25519_private_key.sign(attestation_content_json.encode()) +encoded_signature = base58.b58encode(signature).decode("utf-8") + +attestation = attestation_content +attestation["signature"] = encoded_signature + +attestation_pretty = json.dumps(attestation, indent=4) + # Ensure output directory exists os.makedirs("output", exist_ok=True) -# Write hash to output file -with open("output/test.txt", "w") as f: - 
f.write(attester_private_key) +# Write attestation to output file +with open("output/attestation.json", "w") as f: + f.write(attestation_pretty) # --- Write to repo path (to be committed in PR) --- public_path = "src/public" os.makedirs(public_path, exist_ok=True) -with open(f"{public_path}/test.txt", "w") as f: - f.write(attester_private_key) - -print("written to output/test.txt") \ No newline at end of file +with open(f"{public_path}/attestation.json", "w") as f: + f.write(attestation_pretty) diff --git a/.github/publish-upgrade-mode-attestation/requirements.txt b/.github/publish-upgrade-mode-attestation/requirements.txt index e69de29..29fa97a 100644 --- a/.github/publish-upgrade-mode-attestation/requirements.txt +++ b/.github/publish-upgrade-mode-attestation/requirements.txt @@ -0,0 +1,4 @@ +base58==2.1.1 +cffi==2.0.0 +cryptography==46.0.3 +pycparser==2.23 diff --git a/.github/workflows/run-publish-upgrade-mode-attestation.yml b/.github/workflows/run-publish-upgrade-mode-attestation.yml index a0a3df7..5bd56b8 100644 --- a/.github/workflows/run-publish-upgrade-mode-attestation.yml +++ b/.github/workflows/run-publish-upgrade-mode-attestation.yml @@ -19,7 +19,8 @@ jobs: - name: Run my the generate action uses: ./.github/publish-upgrade-mode-attestation with: - attester_private_key: ${{ secrets.TEST_SECRET }} + attester_private_key: ${{ secrets.DUMMY_ATTESTER_PRIVATE_KEY }} + authorised_jwt_issuers: "EgHv7iW4yaMVFJgezqsdekGky5i9ppyjZcV8V5oGUoxg" - name: Upload artifacts uses: actions/upload-artifact@v4 From a66d4d202a7c1bd71751d0444038a97d8860ecea Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C4=99drzej=20Stuczy=C5=84ski?= Date: Fri, 14 Nov 2025 16:11:58 +0000 Subject: [PATCH 11/20] arg typo --- .github/workflows/run-publish-upgrade-mode-attestation.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/run-publish-upgrade-mode-attestation.yml b/.github/workflows/run-publish-upgrade-mode-attestation.yml index 5bd56b8..ac45adb 100644 
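Review bot: The issuer list goes into the signed attestation without validation: `split(',')` keeps surrounding whitespace and empty entries, and nothing checks that each entry decodes to a key, so a typo in the `jwt_issuers` input ends up inside a signed document that authorises JWT issuers. The excerpt below strips and drops empty entries, rejects an empty list and checks each entry's decoded length; the 32-byte length is an assumption based on the attester key being Ed25519 and should be confirmed. Separately, the signature covers the compact `separators=(',', ':')` form without the `signature` field while the published file is the `indent=4` form, so a comment such as `# signature covers the compact JSON of the four fields above, in this key order, without "signature"` would tell verifiers which bytes to rebuild.

```python
# … unchanged: ATTESTER_PRIVATE_KEY / AUTHORISED_JWT_ISSUERS presence checks …
authorised_jwt_issuers = [
    issuer.strip()
    for issuer in authorised_jwt_issuers_raw.split(',')
    if issuer.strip()
]
if not authorised_jwt_issuers:
    raise ValueError("AUTHORISED_JWT_ISSUERS contains no keys")
for issuer in authorised_jwt_issuers:
    # b58decode raises ValueError on characters outside the base58 alphabet
    if len(base58.b58decode(issuer)) != 32:
        raise ValueError(f"authorised JWT issuer is not a 32-byte key: {issuer}")
# … unchanged: private key decoding, signing and file output …
```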
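Review bot: The four pins fix versions but not artefacts, and this is the environment that loads the attester private key. Adding `--hash=sha256:<digest-of-release-file>` to each requirement (for example generated with `pip-compile --generate-hashes`) and installing with `pip install --require-hashes -r "$GITHUB_ACTION_PATH/requirements.txt"` makes pip reject a package whose contents differ from what was reviewed.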
--- a/.github/workflows/run-publish-upgrade-mode-attestation.yml +++ b/.github/workflows/run-publish-upgrade-mode-attestation.yml @@ -20,7 +20,7 @@ jobs: uses: ./.github/publish-upgrade-mode-attestation with: attester_private_key: ${{ secrets.DUMMY_ATTESTER_PRIVATE_KEY }} - authorised_jwt_issuers: "EgHv7iW4yaMVFJgezqsdekGky5i9ppyjZcV8V5oGUoxg" + jwt_issuers: "EgHv7iW4yaMVFJgezqsdekGky5i9ppyjZcV8V5oGUoxg" - name: Upload artifacts uses: actions/upload-artifact@v4 From 100f37dd84ff7f6dea7c607e47690fec36158354 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C4=99drzej=20Stuczy=C5=84ski?= Date: Fri, 14 Nov 2025 16:13:38 +0000 Subject: [PATCH 12/20] try remove zipping --- .github/workflows/run-publish-upgrade-mode-attestation.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/run-publish-upgrade-mode-attestation.yml b/.github/workflows/run-publish-upgrade-mode-attestation.yml index ac45adb..be4c049 100644 --- a/.github/workflows/run-publish-upgrade-mode-attestation.yml +++ b/.github/workflows/run-publish-upgrade-mode-attestation.yml @@ -25,7 +25,6 @@ jobs: - name: Upload artifacts uses: actions/upload-artifact@v4 with: - name: output-files path: output/attestation.json - name: Create Pull Request @@ -37,4 +36,4 @@ jobs: body: | This PR attempts to publush **attestation.json** with the upgrade mode content. add-paths: | - src/public/test.txt + src/public/attestation.json From dbbf79d0a1f65712117bd6c0911099f138c7fc1e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C4=99drzej=20Stuczy=C5=84ski?= Date: Fri, 14 Nov 2025 16:15:45 +0000 Subject: [PATCH 13/20] removed double array --- .github/publish-upgrade-mode-attestation/attestation_gen.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/publish-upgrade-mode-attestation/attestation_gen.py b/.github/publish-upgrade-mode-attestation/attestation_gen.py index 5273936..7bb2ff7 100644 --- a/.github/publish-upgrade-mode-attestation/attestation_gen.py 
+++ b/.github/publish-upgrade-mode-attestation/attestation_gen.py @@ -15,7 +15,7 @@ raise ValueError("AUTHORISED_JWT_ISSUERS is not set") -authorised_jwt_issuers = [authorised_jwt_issuers_raw.split(',')] +authorised_jwt_issuers = authorised_jwt_issuers_raw.split(',') # decode passed private key attester_private_key_decoded = base58.b58decode(attester_private_key) From 13f3316bf50aa45d7561bd87a80e66f24dfe9da5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C4=99drzej=20Stuczy=C5=84ski?= Date: Fri, 14 Nov 2025 16:20:39 +0000 Subject: [PATCH 14/20] action to disable upgrade mode --- .github/workflows/disable-upgrade-mode.yml | 43 +++++++++++++++++++ .../run-publish-upgrade-mode-attestation.yml | 1 + 2 files changed, 44 insertions(+) create mode 100644 .github/workflows/disable-upgrade-mode.yml diff --git a/.github/workflows/disable-upgrade-mode.yml b/.github/workflows/disable-upgrade-mode.yml new file mode 100644 index 0000000..924e894 --- /dev/null +++ b/.github/workflows/disable-upgrade-mode.yml 
@@ -0,0 +1,43 @@ +name: Remove File and Create PR + +on: + workflow_dispatch: # Allows manual triggering + +jobs: + remove-file: + runs-on: ubuntu-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v3 + + - name: Configure Git + run: | + git config user.name "github-actions[bot]" + git config user.email "github-actions[bot]@users.noreply.github.com" + + - name: Remove the attestation file + run: | + ATTESTATION_PATH="src/public/attestation.json" + if [ -f "$ATTESTATION_PATH" ]; then + git rm "$ATTESTATION_PATH" + git commit -m "Remove $ATTESTATION_PATH" + else + echo "$ATTESTATION_PATH does not exist, nothing to remove" + fi + + - name: Push branch + run: | + BRANCH_NAME="finish-upgrade-mode-$(date +%s)" + git checkout -b "$BRANCH_NAME" + git push origin "$BRANCH_NAME" + + - name: Create Pull Request + uses: peter-evans/create-pull-request@v5 + with: + token: ${{ secrets.GITHUB_TOKEN }} + commit-message: "disable upgrade mode by removing the published attestation.json" + branch: ${{ github.ref_name }} + base: main + title: "Disable Upgrade Mode" + body: "This PR finishes the system-wide upgrade mode by removing the published attestation.json" \ No newline at end of file diff --git a/.github/workflows/run-publish-upgrade-mode-attestation.yml b/.github/workflows/run-publish-upgrade-mode-attestation.yml index be4c049..3862ebd 100644 --- a/.github/workflows/run-publish-upgrade-mode-attestation.yml +++ b/.github/workflows/run-publish-upgrade-mode-attestation.yml @@ -25,6 +25,7 @@ jobs: - name: Upload artifacts uses: actions/upload-artifact@v4 with: + name: upgrade-mode-attestation path: output/attestation.json - name: Create Pull Request From c45df4c1b904045ae2f0223543076ec6b8012ee5 Mon Sep 17 00:00:00 2001 
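Review bot: The `remove-file` job hands `secrets.GITHUB_TOKEN` to a third-party action and pushes a branch but declares no `permissions:`, so the token's scope is whatever the repository default happens to be. Declare it at job level: `permissions:` with `contents: write` and `pull-requests: write`, which is what pushing a branch and opening a PR require. `run-publish-upgrade-mode-attestation.yml` has the same gap. `actions/checkout@v3` and `create-pull-request@v5` here also differ from the `@v4` and `@v6` used in the other workflow and should be aligned.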
From: =?UTF-8?q?J=C4=99drzej=20Stuczy=C5=84ski?= Date: Fri, 14 Nov 2025 16:21:13 +0000 Subject: [PATCH 15/20] rename actions --- .github/workflows/disable-upgrade-mode.yml | 2 +- .github/workflows/run-publish-upgrade-mode-attestation.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/disable-upgrade-mode.yml b/.github/workflows/disable-upgrade-mode.yml index 924e894..3bd8820 100644 --- a/.github/workflows/disable-upgrade-mode.yml +++ b/.github/workflows/disable-upgrade-mode.yml @@ -1,4 +1,4 @@ -name: Remove File and Create PR +name: Finish Upgrade Mode on: workflow_dispatch: # Allows manual triggering diff --git a/.github/workflows/run-publish-upgrade-mode-attestation.yml b/.github/workflows/run-publish-upgrade-mode-attestation.yml index 3862ebd..a0f95b1 100644 --- a/.github/workflows/run-publish-upgrade-mode-attestation.yml +++ b/.github/workflows/run-publish-upgrade-mode-attestation.yml @@ -1,4 +1,4 @@ -name: Test run create attestation.json +name: Start Upgrade Mode on: workflow_dispatch: From 94d3b5ec56237b3da3488994b32b2487f973720f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C4=99drzej=20Stuczy=C5=84ski?= Date: Fri, 14 Nov 2025 16:23:42 +0000 Subject: [PATCH 16/20] simplify action --- .github/workflows/disable-upgrade-mode.yml | 28 +++++++--------------- 1 file changed, 8 insertions(+), 20 deletions(-) diff --git a/.github/workflows/disable-upgrade-mode.yml b/.github/workflows/disable-upgrade-mode.yml index 3bd8820..657b28b 100644 --- a/.github/workflows/disable-upgrade-mode.yml +++ b/.github/workflows/disable-upgrade-mode.yml 
@@ -16,28 +16,16 @@ jobs: git config user.name "github-actions[bot]" git config user.email "github-actions[bot]@users.noreply.github.com" - - name: Remove the attestation file - run: | - ATTESTATION_PATH="src/public/attestation.json" - if [ -f "$ATTESTATION_PATH" ]; then - git rm "$ATTESTATION_PATH" - git commit -m "Remove $ATTESTATION_PATH" - else - echo "$ATTESTATION_PATH does not exist, nothing to remove" - fi - - - name: Push branch - run: | - BRANCH_NAME="finish-upgrade-mode-$(date +%s)" - git checkout -b "$BRANCH_NAME" - git push origin "$BRANCH_NAME" - - - name: Create Pull Request + - name: Remove the attestation file and create a PR uses: peter-evans/create-pull-request@v5 with: token: ${{ secrets.GITHUB_TOKEN }} commit-message: "disable upgrade mode by removing the published attestation.json" - branch: ${{ github.ref_name }} - base: main title: "Disable Upgrade Mode" - body: "This PR finishes the system-wide upgrade mode by removing the published attestation.json" \ No newline at end of file + body: "This PR finishes the system-wide upgrade mode by removing the published attestation.json" + base: main + branch: remove-attestation-json-${{ github.run_id }} + # Automatically create branch with a unique name + changes: | + src/public/attestation.json: + type: delete \ No newline at end of file From 1a388ab909d167dc98125c331f7ae985683df349 Mon Sep 17 00:00:00 2001 From: jstuczyn <11290743+jstuczyn@users.noreply.github.com> Date: Fri, 14 Nov 2025 16:24:44 +0000 Subject: [PATCH 17/20] enable upgrade mode --- src/public/attestation.json | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 src/public/attestation.json diff --git a/src/public/attestation.json b/src/public/attestation.json new file mode 100644 index 0000000..817e8c8 --- /dev/null +++ b/src/public/attestation.json 
@@ -0,0 +1,9 @@ +{ + "type": "upgrade_mode", + "starting_time": "2025-11-14T16:24:43Z", + "attester_public_key": "6sfL7xcCzmcsxA1uXtnExcpA7KWypCcsUbs7SzUADxng", + "authorised_jwt_issuers": [ + "EgHv7iW4yaMVFJgezqsdekGky5i9ppyjZcV8V5oGUoxg" + ], + "signature": "yh8KJ9WJ69kFmQuZ4FBducU4rSrQx4QM78war7P2b8zUmiZcTiNyFqkFKoHLY85nNQLRZgQyYzS4kfoFbewR3mC" +} \ No newline at end of file From 85701860346e2d8beb36325449b4b3481e843f60 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C4=99drzej=20Stuczy=C5=84ski?= Date: Fri, 14 Nov 2025 16:27:16 +0000 Subject: [PATCH 18/20] another attempt --- .github/workflows/disable-upgrade-mode.yml | 12 ++++++------ .../run-publish-upgrade-mode-attestation.yml | 2 +- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/disable-upgrade-mode.yml b/.github/workflows/disable-upgrade-mode.yml index 657b28b..295c30a 100644 --- a/.github/workflows/disable-upgrade-mode.yml +++ b/.github/workflows/disable-upgrade-mode.yml @@ -16,6 +16,10 @@ jobs: git config user.name "github-actions[bot]" git config user.email "github-actions[bot]@users.noreply.github.com" + - run: | + rm src/public/attestation.json + + - name: Remove the attestation file and create a PR uses: peter-evans/create-pull-request@v5 with: @@ -23,9 +27,5 @@ jobs: commit-message: "disable upgrade mode by removing the published attestation.json" title: "Disable Upgrade Mode" body: "This PR finishes the system-wide upgrade mode by removing the published attestation.json" - base: main - branch: remove-attestation-json-${{ github.run_id }} - # Automatically create branch with a unique name - changes: | - src/public/attestation.json: - type: delete \ No newline at end of file + add-paths: | + src/public/attestation.json \ No newline at end of file diff --git a/.github/workflows/run-publish-upgrade-mode-attestation.yml b/.github/workflows/run-publish-upgrade-mode-attestation.yml index a0f95b1..2ac9d3a 100644 --- a/.github/workflows/run-publish-upgrade-mode-attestation.yml 
+++ b/.github/workflows/run-publish-upgrade-mode-attestation.yml @@ -35,6 +35,6 @@ jobs: branch: ci/publish-upgrade-mode-attestation title: "Publish new Upgrade Mode Attestation" body: | - This PR attempts to publush **attestation.json** with the upgrade mode content. + This PR attempts to publish **attestation.json** with the upgrade mode content. add-paths: | src/public/attestation.json From 88a6ccb6a656c9321ea0a82a9d2fbc3780588ced Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C4=99drzej=20Stuczy=C5=84ski?= Date: Fri, 14 Nov 2025 16:30:16 +0000 Subject: [PATCH 19/20] replace content with null --- .github/workflows/disable-upgrade-mode.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/disable-upgrade-mode.yml b/.github/workflows/disable-upgrade-mode.yml index 295c30a..28110af 100644 --- a/.github/workflows/disable-upgrade-mode.yml +++ b/.github/workflows/disable-upgrade-mode.yml @@ -17,14 +17,14 @@ jobs: git config user.email "github-actions[bot]@users.noreply.github.com" - run: | - rm src/public/attestation.json + echo 'null' > src/public/attestation.json - name: Remove the attestation file and create a PR uses: peter-evans/create-pull-request@v5 with: token: ${{ secrets.GITHUB_TOKEN }} - commit-message: "disable upgrade mode by removing the published attestation.json" + commit-message: "disable upgrade mode by removing the contents of the published attestation.json" title: "Disable Upgrade Mode" body: "This PR finishes the system-wide upgrade mode by removing the published attestation.json" add-paths: | From af78cc19f90ab636216856075a562a20b60eb2ce Mon Sep 17 00:00:00 2001 From: jstuczyn Date: Fri, 14 Nov 2025 16:30:36 +0000 Subject: [PATCH 20/20] disable upgrade mode by removing the contents of the published attestation.json --- src/public/attestation.json | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/src/public/attestation.json b/src/public/attestation.json index 817e8c8..19765bd 100644 
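Review bot: The unnamed `run` step in `disable-upgrade-mode.yml` now overwrites the file with `null`, while the step name and the PR `body` still say the file is removed; give the step a `name:` and update the text so the PR describes what is actually committed. The attestation produced by `attestation_gen.py` carries `starting_time` but no expiry (patch 10), so a saved copy of the earlier signed document presumably still verifies after this PR merges. Ending upgrade mode therefore seems to depend on every client re-fetching this path and treating `null` as "not in upgrade mode"; that is worth confirming against the consumer and recording in a comment such as `# clients must treat a null document as "upgrade mode off"`.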
--- a/src/public/attestation.json +++ b/src/public/attestation.json @@ -1,9 +1 @@ -{ - "type": "upgrade_mode", - "starting_time": "2025-11-14T16:24:43Z", - "attester_public_key": "6sfL7xcCzmcsxA1uXtnExcpA7KWypCcsUbs7SzUADxng", - "authorised_jwt_issuers": [ - "EgHv7iW4yaMVFJgezqsdekGky5i9ppyjZcV8V5oGUoxg" - ], - "signature": "yh8KJ9WJ69kFmQuZ4FBducU4rSrQx4QM78war7P2b8zUmiZcTiNyFqkFKoHLY85nNQLRZgQyYzS4kfoFbewR3mC" -} \ No newline at end of file +null