github.com/UtilitechAS.amsreader-firmware
1
0
Fork 0
mirror of https://github.com/UtilitechAS/amsreader-firmware.git synced 2026-01-25 20:06:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

Updated the MQTT process to make it more secure, updated the updater

Browse Source
This commit is contained in:
EivindH06
2025-10-07 15:15:22 +02:00
parent 0d36daf127
commit ef2e96dadd
6 changed files with 362 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

41
README.md
View File

@@ -73,6 +73,47 @@ If you want devices to connect to a known MQTT broker immediately after flashing
Any field you leave empty will fall back to the defaults in `lib/AmsConfiguration/include/MqttDefaults.h`, meaning the web UI will prompt for credentials during first-time setup.
### Shipping credentials with GitHub releases (without committing secrets)
The OTA manifest generated by `scripts/package_firmware.py` now carries an
optional `mqtt` block. If the build machine provides values for
`MQTT_DEFAULT_*` (through environment variables or a `.env` file), the script
embeds those defaults alongside the firmware checksum. Devices that upgrade via
GitHub Pages will download the manifest, detect the `mqtt` section, and apply
the broker settings automatically—unless the installer has already customised
the device through the web UI.
To keep secrets out of source control while still provisioning releases:
1. Store your broker credentials as GitHub Action secrets (for example
`MQTT_DEFAULT_USERNAME`, `MQTT_DEFAULT_PASSWORD`, etc.).
2. In the release workflow, write a temporary `.env` file before invoking the
PlatformIO build:
```yaml
- name: Write MQTT defaults
run: |
cat <<'EOF' > .env
MQTT_DEFAULT_HOST=${{ secrets.MQTT_DEFAULT_HOST }}
MQTT_DEFAULT_PORT=${{ secrets.MQTT_DEFAULT_PORT }}
MQTT_DEFAULT_USERNAME=${{ secrets.MQTT_DEFAULT_USERNAME }}
MQTT_DEFAULT_PASSWORD=${{ secrets.MQTT_DEFAULT_PASSWORD }}
MQTT_DEFAULT_CLIENT_ID=${{ secrets.MQTT_DEFAULT_CLIENT_ID }}
MQTT_DEFAULT_PUBLISH_TOPIC=${{ secrets.MQTT_DEFAULT_PUBLISH_TOPIC }}
MQTT_DEFAULT_SUBSCRIBE_TOPIC=${{ secrets.MQTT_DEFAULT_SUBSCRIBE_TOPIC }}
EOF
```
3. Build the firmware and run `scripts/package_firmware.py` as usual; the
generated `manifest.json` will include the broker defaults.
4. Upload `dist/` to GitHub Pages (the existing release workflow already covers
this), so devices retrieving the manifest can bootstrap the MQTT connection
immediately after flashing.
Because the `.env` file is created on-the-fly inside CI and never committed,
your credentials remain private while every release published to GitHub ships
with working MQTT settings out of the box.
# How to wipe bricked board?