Build release assets #61
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build release assets | |
| # This workflow is used by the ci and tag workflows to build all release | |
| # assets. It can also be triggered manually. | |
| on: | |
| workflow_call: | |
| inputs: | |
| release_mode: | |
| description: 'Release mode (signed binaries, no commit sha in version number)' | |
| type: boolean | |
| default: false | |
| workflow_dispatch: | |
| inputs: | |
| release_mode: | |
| description: 'Release mode (signed binaries, no commit sha in version number)' | |
| type: boolean | |
| default: false | |
| jobs: | |
| build_wheel_sdist: | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Install packaging tools | |
| run: | | |
| pip install --upgrade pdm | |
| - name: Create packages | |
| run: | | |
| pdm build | |
| - name: Upload packages | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: dist | |
| path: | | |
| dist | |
| build_os_packages: | |
| name: Build packages | |
| runs-on: ${{ matrix.os }} | |
| container: ${{ matrix.os == 'ubuntu-22.04' && 'rockylinux/rockylinux:8.8' || null }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - os: ubuntu-22.04 | |
| - os: windows-2022 | |
| - os: macos-13 | |
| arch: x86_64 | |
| sha256sum: | |
| python: 6378dfd22f58bb553ddb02be28304d739cd730c1f95c15c74955c923a1bc3d6a | |
| rcodesign: bca6e648afaddd48f1c3d5dd25aa516659992cbbd2ba7131ba6add739aa895d3 | |
| - os: macos-14 | |
| arch: aarch64 | |
| sha256sum: | |
| python: 5fdc0f6a5b5a90fd3c528e8b1da8e3aac931ea8690126c2fdb4254c84a3ff04a | |
| rcodesign: 163520079cd6ad1427791c792735a6ddfcb8eca0187bbcf0cc0bebfa4a62153d | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| # Get enough commits to run `ggshield secret scan commit-range` on ourselves | |
| fetch-depth: 10 | |
| - name: Set up Python 3.10 (Windows 1/2) | |
| if: matrix.os == 'windows-2022' | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.10' | |
| - name: Set up Python 3.10 (Windows 2/2) | |
| if: matrix.os == 'windows-2022' | |
| shell: bash | |
| run: | | |
| echo PYTHON_CMD=python >> $GITHUB_ENV | |
| - name: Install Linux specific dependencies | |
| if: matrix.os == 'ubuntu-22.04' | |
| run: | | |
| # Install necessary packages | |
| yum install -y \ | |
| python3.9 \ | |
| git-core \ | |
| findutils | |
| echo PYTHON_CMD=/usr/bin/python3.9 >> $GITHUB_ENV | |
| # Install NFPM | |
| NFPM_VERSION=2.36.1 | |
| NFPM_CHECKSUM=9f8effa24bc6033b509611dbe68839542a63e825525b195672298c369051ef0b | |
| scripts/download \ | |
| https://github.com/goreleaser/nfpm/releases/download/v${NFPM_VERSION}/nfpm_${NFPM_VERSION}_Linux_x86_64.tar.gz \ | |
| nfpm.tar.gz \ | |
| $NFPM_CHECKSUM | |
| tar xf nfpm.tar.gz nfpm | |
| cp nfpm /usr/local/bin | |
| - name: Install macOS specific dependencies | |
| if: startsWith(matrix.os, 'macos-') | |
| run: | | |
| # scripts/download needs the `sha256sum` command | |
| brew install coreutils | |
| # Install Python. We don't use actions/setup-python because on M1 | |
| # macs it installs the Framework version of Python, and the binaries | |
| # produced with that version do not pass Apple notarization step. | |
| # (tested with actions/setup-python@v4 and @v5) | |
| PYTHON_VERSION=3.10.13 | |
| PYTHON_BUILD=20240224 | |
| scripts/download \ | |
| https://github.com/indygreg/python-build-standalone/releases/download/${PYTHON_BUILD}/cpython-${PYTHON_VERSION}+${PYTHON_BUILD}-${{ matrix.arch }}-apple-darwin-install_only.tar.gz \ | |
| python.tar.gz \ | |
| ${{ matrix.sha256sum.python }} | |
| tar xf python.tar.gz | |
| # Make Python available | |
| echo PATH=$PWD/python/bin:$PATH >> $GITHUB_ENV | |
| echo PYTHON_CMD=$PWD/python/bin/python >> $GITHUB_ENV | |
| # Install rcodesign | |
| RCODESIGN_VERSION=0.27.0 | |
| scripts/download \ | |
| https://github.com/indygreg/apple-platform-rs/releases/download/apple-codesign%2F${RCODESIGN_VERSION}/apple-codesign-${RCODESIGN_VERSION}-${{ matrix.arch }}-apple-darwin.tar.gz \ | |
| rcodesign.tar.gz \ | |
| ${{ matrix.sha256sum.rcodesign }} | |
| tar --strip-components=1 -xzf rcodesign.tar.gz | |
| # Make it available | |
| cp rcodesign /usr/local/bin | |
| - name: Install dependencies | |
| shell: bash | |
| run: | | |
| $PYTHON_CMD -m pip install --upgrade pip | |
| $PYTHON_CMD -m pip install --upgrade pdm | |
| pdm sync --group tests --group standalone | |
| - name: Prepare macOS secrets | |
| if: startsWith(matrix.os, 'macos-') && inputs.release_mode | |
| run: | | |
| set -euo pipefail | |
| SECRETS_DIR=$TMPDIR/secrets | |
| mkdir "$SECRETS_DIR" | |
| # Prepare our secret files | |
| # The p12-file is base64-encoded because it's binary | |
| echo "$MACOS_P12_FILE" | base64 --decode > "$SECRETS_DIR/cert.p12" | |
| echo "$MACOS_P12_PASSWORD" > "$SECRETS_DIR/cert.pwd" | |
| echo "$MACOS_API_KEY_FILE" > "$SECRETS_DIR/rcodesign-notarize-key.json" | |
| # Tell next steps where to find them | |
| cat >> $GITHUB_ENV <<EOF | |
| MACOS_P12_FILE=$SECRETS_DIR/cert.p12 | |
| MACOS_P12_PASSWORD_FILE=$SECRETS_DIR/cert.pwd | |
| MACOS_API_KEY_FILE=$SECRETS_DIR/rcodesign-notarize-key.json | |
| EOF | |
| env: | |
| MACOS_P12_FILE: ${{ secrets.MACOS_P12_FILE }} | |
| MACOS_P12_PASSWORD: ${{ secrets.MACOS_P12_PASSWORD }} | |
| MACOS_API_KEY_FILE: ${{ secrets.MACOS_API_KEY_FILE }} | |
| - name: Setup Windows environment | |
| if: startsWith(matrix.os, 'windows-') && inputs.release_mode | |
| shell: bash | |
| run: | | |
| signtool_install_dir="/c/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x64" | |
| smctl_install_dir="/c/Program Files/DigiCert/DigiCert Keylocker Tools" | |
| # Add signtool dir to $PATH | |
| if [ ! -x "$signtool_install_dir/signtool.exe" ] ; then | |
| echo "signtool.exe is not in '$signtool_install_dir'" | |
| exit 1 | |
| fi | |
| echo "$signtool_install_dir" >> $GITHUB_PATH | |
| # Add smctl dir to $PATH | |
| # Don't test if smctl is there: it is installed by the next step | |
| echo "$smctl_install_dir" >> $GITHUB_PATH | |
| # Create our certificate file | |
| cert_file="$TMPDIR/cert.p12" | |
| echo "${{ secrets.SM_CLIENT_CERT_FILE }}" | base64 --decode > "$cert_file" | |
| # Add secrets to env | |
| cat >> $GITHUB_ENV <<EOF | |
| WINDOWS_CERT_FINGERPRINT=${{ secrets.WINDOWS_CERT_FINGERPRINT }} | |
| SM_API_KEY=${{ secrets.SM_API_KEY }} | |
| SM_HOST=${{ secrets.SM_HOST }} | |
| SM_CLIENT_CERT_FILE=$cert_file | |
| SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }} | |
| EOF | |
| - name: Install Windows dependencies | |
| if: startsWith(matrix.os, 'windows-') && inputs.release_mode | |
| shell: bash | |
| run: | | |
| scripts/build-os-packages/install-keylockertools | |
| - name: Build | |
| shell: bash | |
| run: | | |
| if [ "${{ inputs.release_mode }}" = "true" ] ; then | |
| args="--sign" | |
| else | |
| args="--suffix +${GITHUB_SHA:0:7}" | |
| fi | |
| # Run the script with `bash -c` because `pdm run` does not | |
| # automatically do it on Windows | |
| pdm run bash -c "scripts/build-os-packages/build-os-packages $args" | |
| - name: Override base Docker image used for functional tests on Windows | |
| if: matrix.os == 'windows-2022' | |
| # This is required because GitHub Windows runner is not configured to | |
| # run Linux-based Docker images | |
| shell: bash | |
| run: | | |
| echo "GGTEST_DOCKER_IMAGE=mcr.microsoft.com/windows/nanoserver:ltsc2022" >> $GITHUB_ENV | |
| - name: Functional tests | |
| shell: bash | |
| # See note about steps requiring the GITGUARDIAN_API at the top of this file | |
| if: ${{ !github.event.pull_request.head.repo.fork }} | |
| run: | | |
| pdm run bash -c "scripts/build-os-packages/build-os-packages functests" | |
| env: | |
| GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }} | |
| GITGUARDIAN_API_URL: ${{ secrets.GITGUARDIAN_API_URL }} | |
| TEST_KNOWN_SECRET: ${{ secrets.TEST_KNOWN_SECRET }} | |
| TEST_GG_VALID_TOKEN: ${{ secrets.TEST_GG_VALID_TOKEN }} | |
| TEST_GG_VALID_TOKEN_IGNORE_SHA: ${{ secrets.TEST_GG_VALID_TOKEN_IGNORE_SHA }} | |
| TEST_UNKNOWN_SECRET: ${{ secrets.TEST_UNKNOWN_SECRET }} | |
| - name: Upload artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: os-packages-${{ matrix.os }} | |
| path: | | |
| packages/ggshield-*.gz | |
| packages/ggshield-*.pkg | |
| packages/ggshield-*.zip | |
| packages/ggshield-*.rpm | |
| packages/ggshield_*.deb | |
| # Run some basic tests, the goal is to verify the ggshield binary has all the | |
| # libraries it needs to run | |
| linux_package_smoke_tests: | |
| needs: build_os_packages | |
| runs-on: ubuntu-22.04 | |
| container: ${{ matrix.image }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| image: | |
| - debian:stable | |
| - ubuntu:latest | |
| - rockylinux/rockylinux:8.8 | |
| - opensuse/leap | |
| # Test a distribution with no deb or rpm support | |
| - clearlinux:latest | |
| steps: | |
| - name: Download OS packages | |
| uses: actions/download-artifact@v4 | |
| with: | |
| pattern: os-packages-ubuntu-22.04 | |
| path: packages | |
| merge-multiple: true | |
| - name: Setup | |
| # Install ggshield dependencies and the package itself | |
| run: | | |
| case "${{ matrix.image }}" in | |
| debian:*|ubuntu:*) | |
| apt update | |
| apt install --no-install-recommends -y git | |
| dpkg -i packages/*.deb | |
| ;; | |
| rockylinux*) | |
| yum install -y git | |
| rpm -i packages/*.rpm | |
| ;; | |
| opensuse*) | |
| zypper install -y git | |
| rpm -i packages/*.rpm | |
| ;; | |
| clearlinux*) | |
| swupd bundle-add git | |
| # Unpack ggshield in /usr/local/ggshield | |
| pkg_dir=$PWD/packages | |
| mkdir /usr/local/ggshield | |
| cd /usr/local/ggshield | |
| tar --strip-components 1 -xf $pkg_dir/*.tar.gz | |
| # Add ggshield to $PATH | |
| mkdir /usr/local/bin | |
| ln -s $PWD/ggshield /usr/local/bin/ggshield | |
| ;; | |
| esac | |
| - name: Smoke test | |
| run: | | |
| ggshield --version | |
| ggshield --help |