From 550f08d62d1639201dbc4846fb98dd047502e559 Mon Sep 17 00:00:00 2001
From: Victor Lyuboslavsky <victor.lyuboslavsky@gmail.com>
Date: Fri, 17 May 2024 13:48:53 -0500
Subject: [PATCH] Generate plist for fleetd-base pkg. (#19112)

#19111
Generate plist for fleetd-base pkg.

Currently configured for TESTING. Uploaded file:
https://download-testing.fleetdm.com/fleetd-base-manifest.plist
---
 .github/actions/r2-upload/action.yml      | 17 +++++----
 .github/workflows/release-fleetd-base.yml | 43 +++++++++++++++++++----
 2 files changed, 46 insertions(+), 14 deletions(-)

diff --git a/.github/actions/r2-upload/action.yml b/.github/actions/r2-upload/action.yml
index 60fb7e0786..4cf73c1bbe 100644
--- a/.github/actions/r2-upload/action.yml
+++ b/.github/actions/r2-upload/action.yml
@@ -9,9 +9,8 @@ description: Upload a file to R2
 # - R2_BUCKET: The bucket to upload to
 
 inputs:
-  filename:
-    # Future improvement: accept array of filenames as JSON string, and loop over it like in https://www.starkandwayne.com/blog/bash-for-loop-over-json-array-using-jq/index.html
-    description: 'Name of the file to upload'
+  filenames:
+    description: 'Comma-delimited names of the file(s) to upload. For example: file1,manifest.json,file with spaces.txt'
     required: true
 
 runs:
@@ -27,8 +26,12 @@ runs:
         provider = Cloudflare
         region = auto
         no_check_bucket = true
-        access_key_id = $R2_ACCESS_KEY_ID
-        secret_access_key = $R2_ACCESS_KEY_SECRET
-        endpoint = $R2_ENDPOINT
+        access_key_id = ${{ env.R2_ACCESS_KEY_ID }}
+        secret_access_key = ${{ env.R2_ACCESS_KEY_SECRET }}
+        endpoint = ${{ env.R2_ENDPOINT }}
         " > ~/.config/rclone/rclone.conf
-        rclone copy --verbose ${{ inputs.filename }} r2:${R2_BUCKET}/
+        : # Loop over each filename in the array of filenames and upload each one.
+        IFS=$'\n'
+        for row in $(echo "${{ inputs.filenames }}" | tr "," "\n"); do
+          rclone copy --verbose "$row" r2:${{ env.R2_BUCKET }}/
+        done
diff --git a/.github/workflows/release-fleetd-base.yml b/.github/workflows/release-fleetd-base.yml
index cf5b3a7ea0..738ba3b2b6 100644
--- a/.github/workflows/release-fleetd-base.yml
+++ b/.github/workflows/release-fleetd-base.yml
@@ -20,10 +20,10 @@ permissions:
 
 env:
   R2_ENDPOINT: ${{ secrets.R2_ENDPOINT }}
-  R2_ACCESS_KEY_ID: ${{ secrets.R2_DOWNLOAD_ACCESS_KEY_ID }} # Production: ${{ secrets.R2_DOWNLOAD_ACCESS_KEY_ID }} | Testing: ${{ secrets.R2_DOWNLOAD_TESTING_ACCESS_KEY_ID }}
-  R2_ACCESS_KEY_SECRET: ${{ secrets.R2_DOWNLOAD_ACCESS_KEY_SECRET }} # Production: ${{ secrets.R2_DOWNLOAD_ACCESS_KEY_SECRET }} | Testing: ${{ secrets.R2_DOWNLOAD_TESTING_ACCESS_KEY_SECRET }}
-  R2_BUCKET: download # Production: download | Testing: download-testing
-  BASE_URL: https://download.fleetdm.com # Production: https://download.fleetdm.com | Testing: https://download-testing.fleetdm.com
+  R2_ACCESS_KEY_ID: ${{ secrets.R2_DOWNLOAD_TESTING_ACCESS_KEY_ID }} # Production: ${{ secrets.R2_DOWNLOAD_ACCESS_KEY_ID }} | Testing: ${{ secrets.R2_DOWNLOAD_TESTING_ACCESS_KEY_ID }}
+  R2_ACCESS_KEY_SECRET: ${{ secrets.R2_DOWNLOAD_TESTING_ACCESS_KEY_SECRET }} # Production: ${{ secrets.R2_DOWNLOAD_ACCESS_KEY_SECRET }} | Testing: ${{ secrets.R2_DOWNLOAD_TESTING_ACCESS_KEY_SECRET }}
+  R2_BUCKET: download-testing # Production: download | Testing: download-testing
+  BASE_URL: https://download-testing.fleetdm.com # Production: https://download.fleetdm.com | Testing: https://download-testing.fleetdm.com
 
 jobs:
   check-for-fleetd-component-updates:
@@ -109,11 +109,40 @@ jobs:
         run: |
           fleetctl package --type pkg --fleet-desktop --use-system-configuration --sign-identity $PACKAGE_SIGNING_IDENTITY_SHA1 --notarize
           mv fleet-osquery*.pkg fleetd-base.pkg
+          : # Calculate the SHA256 checksum of the package for the next step
+          echo "FLEETD_BASE_PKG_CHECKSUM=$(shasum -a 256 fleetd-base.pkg | cut -d ' ' -f 1)" >> $GITHUB_ENV
+
+      - name: Create plist
+        run: |
+          echo '<plist version="1.0">
+            <dict>
+              <key>items</key>
+              <array>
+                <dict>
+                  <key>assets</key>
+                  <array>
+                    <dict>
+                      <key>kind</key>
+                      <string>software-package</string>
+                      <key>sha256-size</key>
+                      <integer>32</integer>
+                      <key>sha256s</key>
+                      <array>
+                        <string>${{ env.FLEETD_BASE_PKG_CHECKSUM }}</string>
+                      </array>
+                      <key>url</key>
+                      <string>${{ env.BASE_URL }}/fleetd-base.pkg</string>
+                    </dict>
+                  </array>
+                </dict>
+              </array>
+            </dict>
+          </plist>' > fleetd-base-manifest.plist
 
       - name: Upload package
         uses: ./.github/actions/r2-upload
         with:
-          filename: fleetd-base.pkg
+          filenames: fleetd-base.pkg,fleetd-base-manifest.plist
 
   update-fleetd-base-msi:
     needs: [check-for-fleetd-component-updates]
@@ -144,7 +173,7 @@ jobs:
       - name: Upload package
         uses: ./.github/actions/r2-upload
         with:
-          filename: fleetd-base.msi
+          filenames: fleetd-base.msi
 
   update-meta-json:
     needs: [update-fleetd-base-pkg, update-fleetd-base-msi]
@@ -174,4 +203,4 @@ jobs:
       - name: Upload meta.json
         uses: ./.github/actions/r2-upload
         with:
-          filename: meta.json
+          filenames: meta.json