Skip to content
Prepare Secure Boot Binaries

pip: bump ruff from 0.15.0 to 0.15.1 #946

Sign in to view logs

pip: bump ruff from 0.15.0 to 0.15.1

pip: bump ruff from 0.15.0 to 0.15.1 #946

Workflow file for this run

.github/workflows/prepare-binaries.yml at dbfbd6a
# This workflow call is responsible for building the secure boot binaries and
# uploading them as a build artifact. This is for PR Checks.
#
# If the workflow call is triggered by a release, (i.e. a tag push), then it
# will additionally archive them (zip, tar.gz) and upload the archives to the
# release as an asset.
#
# NOTE: The GITHUB_TOKEN is used by the action-gh-release@v1 action to upload
# the archives to the release, and thus must have Read and Write
# permissions.
#
# Copyright (c) Microsoft Corporation.
# SPDX-License-Identifier: BSD-2-Clause-Patent
name: Prepare Secure Boot Binaries
on:
push:
branches: [ "main" ]
pull_request:
branches: [ "main" ]
release:
types: [published]
jobs:
build:
name: Build
permissions:
actions: write
contents: write
runs-on: ubuntu-latest
steps:
- name: Checkout Self
uses: actions/checkout@v6
- name: Generate Token
if: github.event_name == 'release'
id: app-token
uses: actions/create-github-app-token@v2
with:
app-id: ${{ vars.MU_ACCESS_APP_ID }}
private-key: ${{ secrets.MU_ACCESS_APP_PRIVATE_KEY }}
owner: ${{ github.repository_owner }}
- name: Set up Python
uses: actions/setup-python@v6
with:
python-version: 3.12
cache: 'pip'
cache-dependency-path: pip-requirements.txt
- name: Install Pip Dependencies
run: |
python -m pip install --upgrade pip
pip install -r pip-requirements.txt
- name: Run Ruff Checks
run: ruff check scripts --output-format=github
- name: Run Unit Tests
run: pytest scripts/
- name: Validate DBX Certificate References
run: python scripts/validate_dbx_references.py PreSignedObjects/DBX
- name: Build Microsoft Only Defaults Template (2023 MSFT)
run: python scripts/secure_boot_default_keys.py --keystore Templates/MicrosoftOnly.toml -o FirmwareArtifacts
- name: Build Microsoft + OROMS Defaults Template (2023 MSFT + 2023 OROM)
run: python scripts/secure_boot_default_keys.py --keystore Templates/MicrosoftAndOptionRoms.toml -o FirmwareArtifacts
- name: Build Compatible Defaults Template (2023 MSFT + 2023 3P + 2023 OROM)
run: python scripts/secure_boot_default_keys.py --keystore Templates/MicrosoftAndThirdParty.toml -o FirmwareArtifacts
- name: Build X86 / X64 / ARM Binaries
run: python scripts/secure_boot_default_keys.py --keystore Templates/LegacyFirmwareDefaults.toml -o FirmwareArtifacts
- name: Upload Firmware Binaries as Artifacts
uses: actions/upload-artifact@v6
with:
name: Binaries
path: FirmwareArtifacts/
- name: Prepare Release Firmware Archive
run: python scripts/prepare_firmware_binaries.py FirmwareArtifacts --output ReleaseFirmwareArchive --version ${{ github.event.release.tag_name }}
if: startsWith(github.ref, 'refs/tags/')
- name: Upload Firmware Release Archive
uses: softprops/action-gh-release@v2
if: startsWith(github.ref, 'refs/tags/') && !endsWith(github.event.release.tag_name, '-signed')
with:
files: ReleaseFirmwareArchive/*
token: ${{ steps.app-token.outputs.token }}
- name: Prepare Release Signed Archive
run: python scripts/prepare_signed_binaries.py PostSignedObjects --output ReleaseSignedArtifacts --version ${{ github.event.release.tag_name }}
if: startsWith(github.ref, 'refs/tags/')
- name: Upload Signed Release Archive
uses: softprops/action-gh-release@v2
if: startsWith(github.ref, 'refs/tags/') && endsWith(github.event.release.tag_name, '-signed')
with:
files: ReleaseSignedArtifacts/*
token: ${{ steps.app-token.outputs.token }}