From 8323b8cb6144aeab75d93c6dae3d945c46c9f480 Mon Sep 17 00:00:00 2001 From: lincube Date: Tue, 21 Apr 2026 00:46:57 +0800 Subject: [PATCH] ci: validate signing key and quiet missing baselines --- .github/workflows/release.yml | 39 +++++++++++++++++++++++++++++------ scripts/Publish-Plonds.ps1 | 8 ++++++- 2 files changed, 40 insertions(+), 7 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index fe46a80..abc9813 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -759,15 +759,42 @@ jobs: run: | $ErrorActionPreference = "Stop" - $key = $env:PLONDS_SIGNING_KEY - if ([string]::IsNullOrWhiteSpace($key)) { - $key = $env:PDC_SIGNING_KEY + function Test-PemKey { + param([string]$PemText) + + if ([string]::IsNullOrWhiteSpace($PemText)) { + return $false + } + + $rsa = [System.Security.Cryptography.RSA]::Create() + try { + $rsa.ImportFromPem($PemText) + return $true + } + catch { + return $false + } + finally { + $rsa.Dispose() + } } - if ([string]::IsNullOrWhiteSpace($key)) { - $key = $env:UPDATE_PRIVATE_KEY_PEM + + $candidates = @( + $env:PLONDS_SIGNING_KEY, + $env:UPDATE_PRIVATE_KEY_PEM, + $env:PDC_SIGNING_KEY + ) + + $key = $null + foreach ($candidate in $candidates) { + if (Test-PemKey $candidate) { + $key = $candidate + break + } } + if ([string]::IsNullOrWhiteSpace($key)) { - throw "Missing PLONDS_SIGNING_KEY or UPDATE_PRIVATE_KEY_PEM." + throw "Missing a valid PEM signing key in PLONDS_SIGNING_KEY, UPDATE_PRIVATE_KEY_PEM, or PDC_SIGNING_KEY." } $keyPath = Join-Path $PWD "update-private-key.pem" diff --git a/scripts/Publish-Plonds.ps1 b/scripts/Publish-Plonds.ps1 index 6a63545..659c449 100644 --- a/scripts/Publish-Plonds.ps1 +++ b/scripts/Publish-Plonds.ps1 
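Review bot: `Test-PemKey` in the release.yml hunk returns `$true` for anything `ImportFromPem` accepts, and `RSA.ImportFromPem` also accepts the `PUBLIC KEY` and `RSA PUBLIC KEY` labels, so a secret holding only the public half passes as a signing key and the failure moves to the later signing step. Adding `$null = $rsa.ExportParameters($true)` right after the import, inside the same `try`, would reject key material that has no private part. The `foreach` also skips a candidate that is set but invalid without logging anything, and the fallback order differs from the removed chain (`PDC_SIGNING_KEY` used to be tried before `UPDATE_PRIVATE_KEY_PEM`), so a mis-pasted primary secret can lead to a release signed with a different key and no trace in the job log. Iterating over the variable names and logging which one was selected (the name only, never the value), plus a `Write-Warning` for a non-empty candidate that fails validation, would make that visible. If the step can run under Windows PowerShell 5.1 rather than pwsh (the `shell:` setting is outside the hunk), `ImportFromPem` does not exist there and every candidate would be reported as invalid.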
@@ -80,7 +80,13 @@ function Invoke-AwsSyncIfPossible { return } - & aws @Arguments + if ($IgnoreFailure) { + & aws @Arguments 2>$null + } + else { + & aws @Arguments + } + if ($LASTEXITCODE -ne 0 -and -not $IgnoreFailure) { throw "aws command failed: aws $($Arguments -join ' ')" }
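Review bot: The `2>$null` in the `$IgnoreFailure` branch discards every stderr line from `aws`, not only the missing-baseline message the commit title refers to, so an expired credential, an access-denied response or a network failure on an ignored call now leaves no trace in the release log. Keeping stderr quiet is fine, but the exit status should still be recorded, e.g. `if ($LASTEXITCODE -ne 0) { Write-Warning "aws exited with code $LASTEXITCODE (ignored)" }` directly after the redirected call. The start of `Invoke-AwsSyncIfPossible` is outside the hunk, so whether callers set `$IgnoreFailure` only for baseline lookups cannot be confirmed from here.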