diff --git a/.gitea/workflows/lint.yml b/.gitea/workflows/lint.yml
index 2458690..5fd4b90 100644
--- a/.gitea/workflows/lint.yml
+++ b/.gitea/workflows/lint.yml
@@ -7,21 +7,11 @@ on:
 pull_request:
 branches: [main]
 workflow_dispatch:
-inputs:
-deploy:
-description: 'Deploy to ESP fleet after build'
-required: false
-default: 'false'
-type: choice
-options:
-- 'false'
-- 'true'
 
 jobs:
 build:
 name: Build Firmware
 needs: [cppcheck, flawfinder, gitleaks]
-if: ${{ !startsWith(github.ref, 'refs/tags/') }}
 runs-on: anvil
 container:
 image: docker.io/espressif/idf:v5.3
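Review bot: Dropping `if: ${{ !startsWith(github.ref, 'refs/tags/') }}` from `build` means a tag push now runs the firmware build and its three `needs` jobs as well, where before tag refs were left to the tag-driven `deploy` job that this same commit deletes; if tag builds are now wanted that is fine, but nothing in the hunk says so. Whether tags reach this workflow at all is decided by `on.push` (outside the hunk), so check it for a `tags:` filter before relying on the guard being gone. The bare `workflow_dispatch:` left behind is valid (manual run, no inputs), but a short comment would spare the next reader a trip through git history: `# manual runs only build; fleet deployment no longer happens from this workflow`.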
@@ -110,174 +100,6 @@ jobs:
 echo "Artifacts ready in /tmp/artifacts"
 ls -la /tmp/artifacts/
 
-deploy:
-name: Deploy to ESP Fleet
-runs-on: anvil
-needs: [cppcheck, flawfinder, gitleaks]
-if: github.event_name == 'workflow_dispatch' && github.event.inputs.deploy == 'true' || startsWith(github.ref, 'refs/tags/v')
-# Run on host for local network access to sensors
-steps:
-- name: Checkout
-run: |
-curl -sL -H "Authorization: token ${{ github.token }}" \
-"https://git.mymx.me/api/v1/repos/${{ github.repository }}/archive/${{ github.ref_name }}.tar.gz" \
-| tar -xz --strip-components=1
-
-- name: Build firmware
-run: |
-. /home/user/esp/esp-idf/export.sh
-cd get-started/csi_recv_router
-idf.py build
-
-- name: Security checks
-run: |
-BIN="get-started/csi_recv_router/build/csi_recv_router.bin"
-CFG="get-started/csi_recv_router/sdkconfig"
-
-echo "=== Checking for hardcoded secrets ==="
-if strings "$BIN" | grep -iqE '(password|secret|api_key|apikey)=[^$]'; then
-echo "::error::Potential hardcoded secret found in binary"
-exit 1
-fi
-echo "No hardcoded secrets detected"
-
-echo "=== Checking release configuration ==="
-LOG_LEVEL=$(grep 'CONFIG_LOG_DEFAULT_LEVEL=' "$CFG" | cut -d= -f2)
-if [ "$LOG_LEVEL" -gt 3 ]; then
-echo "::warning::Debug/verbose logging enabled (level $LOG_LEVEL)"
-else
-echo "Log level OK ($LOG_LEVEL)"
-fi
-
-- name: Validate version tag
-run: |
-TAG="${{ github.ref_name }}"
-# Extract version from binary metadata
-BIN_VER=$(strings get-started/csi_recv_router/build/csi_recv_router.bin | grep -oP '^v\d+\.\d+(\.\d+)?' | head -1)
-
-echo "Git tag: $TAG"
-echo "Binary version: $BIN_VER"
-
-if [ "$TAG" != "$BIN_VER" ]; then
-echo "::warning::Tag ($TAG) differs from binary ($BIN_VER)"
-fi
-
-- name: Create release and upload firmware
-env:
-GITEA_TOKEN: ${{ github.token }}
-run: |
-TAG="${{ github.ref_name }}"
-REPO="${{ github.repository }}"
-API_URL="https://git.mymx.me/api/v1"
-
-echo "Creating release for tag: $TAG"
-
-# Check if release exists
-RELEASE=$(curl -s -H "Authorization: token $GITEA_TOKEN" \
-"$API_URL/repos/$REPO/releases/tags/$TAG")
-
-RELEASE_ID=$(echo "$RELEASE" | jq -r '.id // empty')
-
-if [ -z "$RELEASE_ID" ]; then
-# Create new release
-RELEASE=$(curl -s -X POST -H "Authorization: token $GITEA_TOKEN" \
--H "Content-Type: application/json" \
--d "{\"tag_name\": \"$TAG\", \"name\": \"$TAG\", \"body\": \"Automated release from CI\"}" \
-"$API_URL/repos/$REPO/releases")
-RELEASE_ID=$(echo "$RELEASE" | jq -r '.id')
-echo "Created release ID: $RELEASE_ID"
-else
-echo "Release exists with ID: $RELEASE_ID"
-fi
-
-# Upload firmware binary
-echo "Uploading firmware..."
-curl -s -X POST -H "Authorization: token $GITEA_TOKEN" \
--F "attachment=@get-started/csi_recv_router/build/csi_recv_router.bin" \
-"$API_URL/repos/$REPO/releases/$RELEASE_ID/assets?name=csi_recv_router.bin"
-
-- name: Deploy via OTA
-run: |
-SENSORS="muddy-storm:192.168.129.29 amber-maple:192.168.129.30 hollow-acorn:192.168.129.31"
-EXPECTED_VERSION="${{ github.ref_name }}"
-OTA_PORT=8899
-
-# Get host IP on local network
-RUNNER_IP=$(ip route get 192.168.129.29 | grep -oP 'src \K[0-9.]+')
-echo "Runner IP: $RUNNER_IP"
-
-# Start local HTTP server
-cd get-started/csi_recv_router/build
-python3 -m http.server $OTA_PORT &
-HTTP_PID=$!
-sleep 2
-
-FIRMWARE_URL="http://${RUNNER_IP}:${OTA_PORT}/csi_recv_router.bin"
-echo "Firmware URL: $FIRMWARE_URL"
-
-# Verify server is running
-curl -sI "http://localhost:${OTA_PORT}/csi_recv_router.bin" | head -1
-
-# Deploy to all sensors in parallel
-echo "=== Deploying to all sensors in parallel ==="
-for entry in $SENSORS; do
-NAME="${entry%%:*}"
-IP="${entry##*:}"
-echo "OTA $FIRMWARE_URL" | nc -u -w 2 "$IP" 5501 &
-done
-wait
-
-# Monitor progress
-echo "=== Monitoring OTA progress (timeout: 90s) ==="
-TIMEOUT=90
-INTERVAL=5
-ELAPSED=0
-
-while [ $ELAPSED -lt $TIMEOUT ]; do
-sleep $INTERVAL
-ELAPSED=$((ELAPSED + INTERVAL))
-
-echo "--- Progress check at ${ELAPSED}s ---"
-ALL_UPDATED=true
-
-for entry in $SENSORS; do
-NAME="${entry%%:*}"
-IP="${entry##*:}"
-
-# Query sensor version via UDP STATUS command
-RESPONSE=$(echo "STATUS" | nc -u -w 1 "$IP" 5501 2>/dev/null || echo "")
-VERSION=$(echo "$RESPONSE" | grep -oP 'version=\K[^ ]+' || echo "offline")
-
-if [ "$VERSION" = "$EXPECTED_VERSION" ]; then
-echo " $NAME: ✓ $VERSION"
-elif [ "$VERSION" = "offline" ] || [ -z "$VERSION" ]; then
-echo " $NAME: ⟳ updating..."
-ALL_UPDATED=false
-else
-echo " $NAME: $VERSION (waiting for $EXPECTED_VERSION)"
-ALL_UPDATED=false
-fi
-done
-
-if [ "$ALL_UPDATED" = true ]; then
-echo "=== All sensors updated to $EXPECTED_VERSION ==="
-break
-fi
-done
-
-# Stop HTTP server
-kill $HTTP_PID 2>/dev/null || true
-
-# Final status
-echo "=== Final sensor status ==="
-for entry in $SENSORS; do
-NAME="${entry%%:*}"
-IP="${entry##*:}"
-RESPONSE=$(echo "STATUS" | nc -u -w 1 "$IP" 5501 2>/dev/null || echo "")
-VERSION=$(echo "$RESPONSE" | grep -oP 'version=\K[^ ]+' || echo "offline")
-echo " $NAME: $VERSION"
-done
-
 cppcheck:
 name: C/C++ Static Analysis
 runs-on: anvil