
ci: forces download each time on packaging #9356

Merged
merged 1 commit into from
Sep 4, 2024

Conversation

moabu
Member

@moabu moabu commented Sep 4, 2024

Prepare


Description

Target issue

closes #9355

Implementation Details


Test and Document the changes

  • Static code analysis has been run locally and issues have been fixed
  • Relevant unit and integration tests have been added/updated
  • Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Please check the below before submitting your PR. The PR will not be merged if there are no commits that start with docs: to indicate documentation changes or if the below checklist is not selected.

  • I confirm that there is no impact on the docs due to the code changes in this PR.

Signed-off-by: moabu <47318409+moabu@users.noreply.github.com>
@moabu moabu added the area-CI Issue or changes required in automatic builds or CI infrastructure label Sep 4, 2024

dryrunsecurity bot commented Sep 4, 2024

DryRun Security Summary

The pull request changes the GitHub Actions workflow for building and publishing packages for the Janssen Project, including triggering the workflow on a push event with a tag that starts with 'v', building packages for different Linux distributions, signing the built packages using GPG keys, and uploading the packages as GitHub releases, with a focus on security and integrity.


Summary:

The code changes in this pull request are related to the GitHub Actions workflow for building and publishing packages for the Janssen Project. The key changes include triggering the workflow on a push event with a tag that starts with 'v', building packages for different Linux distributions, signing the built packages using GPG keys, and uploading the packages as GitHub releases. From an application security perspective, the changes demonstrate a strong focus on security and integrity, including hardening the GitHub Actions runner, using GPG keys for package signing, and creating and uploading checksums for the built packages. Additionally, the workflow builds and uploads demo packages, which should be carefully reviewed to ensure they do not contain any security vulnerabilities or sensitive data.

Files Changed:

  • .github/workflows/build-packages.yml: This file contains the GitHub Actions workflow for building and publishing packages for the Janssen Project. The key changes include:
    • Triggering the workflow on a push event with a tag that starts with 'v'.
    • Building packages for Ubuntu 22.04, Ubuntu 20.04, CentOS 8, and SUSE 15.
    • Installing necessary dependencies, including Python versions, and running the install.py script to build the packages.
    • Signing the built packages using GPG keys and uploading them as GitHub releases.
    • Building Python packages (jans-linux-setup and jans-cli-tui) for Ubuntu and SUSE, and uploading them as GitHub releases.
    • Building and uploading demo packages (jans-tarp) as GitHub releases.
    • Using the step-security/harden-runner action to harden the GitHub Actions runner.
    • Importing and using GPG keys for signing the built packages.
    • Using the svenstaro/upload-release-action action to upload the built packages to GitHub releases.
    • Creating and uploading checksums for the built packages.

Code Analysis

We ran 9 analyzers against 1 file and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

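The bot summary above lists the pieces of the workflow (tag trigger, hardened runner, GPG signing, checksums, release upload) without showing them. The following is an added illustration of what a workflow with those pieces looks like; it is not the Janssen Project's actual .github/workflows/build-packages.yml, which this page does not reproduce. The secret names GPG_PRIVATE_KEY and GPG_PASSPHRASE, the dist/ output directory, the *.deb glob and the bare install.py invocation are assumptions for the example; the real build options are not shown here.

```yaml
# Added example, not the project's own workflow file.
# Assumed: secrets.GPG_PRIVATE_KEY / secrets.GPG_PASSPHRASE exist,
# the build writes packages to dist/, and packages match *.deb.
name: build-packages

on:
  push:
    tags:
      - 'v*'            # only version tags start a release build

permissions:
  contents: write       # required to attach release assets; grant nothing else

jobs:
  build:
    runs-on: ubuntu-22.04
    steps:
      - name: Harden the runner
        # Pin third-party actions to a full commit SHA in production, not a tag.
        uses: step-security/harden-runner@v2
        with:
          egress-policy: audit   # move to 'block' plus an allow-list once egress is known

      - uses: actions/checkout@v4

      - name: Build packages from a clean output directory
        run: |
          # Start from an empty dist/ so stale packages from a previous run
          # can never be signed and published by mistake.
          rm -rf dist && mkdir dist
          # Assumed entry point; the real arguments are not shown on this page.
          python3 install.py

      - name: Import the release signing key
        env:
          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
        run: |
          printf '%s' "$GPG_PRIVATE_KEY" | gpg --batch --import

      - name: Create checksums and detached signatures
        env:
          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
        working-directory: dist
        run: |
          sha256sum *.deb > SHA256SUMS
          # Sign the checksum file too: an unsigned SHA256SUMS served next to a
          # tampered package would otherwise verify cleanly.
          for f in *.deb SHA256SUMS; do
            gpg --batch --yes --pinentry-mode loopback --passphrase "$GPG_PASSPHRASE" \
                --armor --detach-sign "$f"
          done

      - name: Upload packages, checksums and signatures to the release
        uses: svenstaro/upload-release-action@v2
        with:
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          tag: ${{ github.ref }}
          file: dist/*
          file_glob: true
          overwrite: true
```

A consumer of such a release verifies in two steps: `gpg --verify SHA256SUMS.asc SHA256SUMS` to confirm the checksum list came from the project key, then `sha256sum -c SHA256SUMS` against the downloaded packages. Checksums alone only detect corrupted downloads; the signature is what ties the artifacts to the publisher.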

@moabu moabu merged commit ee5ee53 into main Sep 4, 2024
11 checks passed
@moabu moabu deleted the ci-fix-packaging branch September 4, 2024 06:30
yuriyz pushed a commit that referenced this pull request Nov 7, 2024
Signed-off-by: moabu <47318409+moabu@users.noreply.github.com>
Former-commit-id: ee5ee53
Successfully merging this pull request may close these issues.

ci: linux packages aren’t pulling the latest projects