Build release assets #62
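name: Build release assets

# This workflow is used by the ci and tag workflows to build all release
# assets. It can also be triggered manually.
#
# NOTE(review): no `permissions:` block is declared, so jobs run with the
# repository default GITHUB_TOKEN permissions (or whatever the calling
# workflow grants). `permissions: { contents: read }` covers checkout and
# artifact upload/download; confirm scripts/build-os-packages does not need
# the token for anything else before adding it.
#
# NOTE(review): actions are pinned by major tag (`@v4`, `@v5`). For a job that
# produces signed release assets, pinning to a commit SHA gives a reproducible,
# tamper-resistant build.

on:
  workflow_call:
    inputs:
      release_mode:
        description: 'Release mode (signed binaries, no commit sha in version number)'
        type: boolean
        default: false
  workflow_dispatch:
    inputs:
      release_mode:
        description: 'Release mode (signed binaries, no commit sha in version number)'
        type: boolean
        default: false

jobs:
  build_wheel_sdist:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Install packaging tools
        # NOTE(review): `build` is installed unpinned while the other build
        # tools in this file (pipenv, pyinstaller, nfpm) are pinned; pin it
        # for reproducible release builds.
        run: |
          pip install build
      - name: Create packages
        run: |
          python -m build
      - name: Upload packages
        uses: actions/upload-artifact@v4
        with:
          name: dist
          path: |
            dist

  build_os_packages:
    name: Build packages
    runs-on: ${{ matrix.os }}
    # The Linux build runs inside a Rocky Linux 8.8 container; the Windows and
    # macOS builds run directly on the runner.
    container: ${{ matrix.os == 'ubuntu-22.04' && 'rockylinux/rockylinux:8.8' || null }}
    strategy:
      fail-fast: false
      matrix:
        include:
          - os: ubuntu-22.04
          - os: windows-2022
          - os: macos-13
            arch: x86_64
            # Expected SHA-256 of the Python and rcodesign archives fetched in
            # "Install macOS specific dependencies" (checked by scripts/download).
            # Quoted so YAML never reinterprets a digit-only digest as a number.
            sha256sum:
              python: '6378dfd22f58bb553ddb02be28304d739cd730c1f95c15c74955c923a1bc3d6a'
              rcodesign: 'bca6e648afaddd48f1c3d5dd25aa516659992cbbd2ba7131ba6add739aa895d3'
          - os: macos-14
            arch: aarch64
            sha256sum:
              python: '5fdc0f6a5b5a90fd3c528e8b1da8e3aac931ea8690126c2fdb4254c84a3ff04a'
              rcodesign: '163520079cd6ad1427791c792735a6ddfcb8eca0187bbcf0cc0bebfa4a62153d'
    steps:
      - uses: actions/checkout@v4
        with:
          # Get enough commits to run `ggshield secret scan commit-range` on ourselves
          fetch-depth: 10
      - name: Set up Python 3.10 (Windows 1/2)
        if: matrix.os == 'windows-2022'
        uses: actions/setup-python@v5
        with:
          python-version: '3.10'
      - name: Set up Python 3.10 (Windows 2/2)
        if: matrix.os == 'windows-2022'
        shell: bash
        run: |
          echo PYTHON_CMD=python >> $GITHUB_ENV
      - name: Install Linux specific dependencies
        if: matrix.os == 'ubuntu-22.04'
        run: |
          # Install necessary packages
          yum install -y \
            python3.9 \
            git-core \
            findutils
          echo PYTHON_CMD=/usr/bin/python3.9 >> $GITHUB_ENV
          # Install NFPM; scripts/download checks the archive against $NFPM_CHECKSUM
          NFPM_VERSION=2.36.1
          NFPM_CHECKSUM=9f8effa24bc6033b509611dbe68839542a63e825525b195672298c369051ef0b
          scripts/download \
            https://github.com/goreleaser/nfpm/releases/download/v${NFPM_VERSION}/nfpm_${NFPM_VERSION}_Linux_x86_64.tar.gz \
            nfpm.tar.gz \
            $NFPM_CHECKSUM
          tar xf nfpm.tar.gz nfpm
          cp nfpm /usr/local/bin
      - name: Install macOS specific dependencies
        if: startsWith(matrix.os, 'macos-')
        run: |
          # scripts/download needs the `sha256sum` command
          # NOTE(review): coreutils is installed unpinned via brew; it is only
          # used for checksum verification here, but it is the one unpinned
          # tool on the macOS path.
          brew install coreutils
          # Install Python. We don't use actions/setup-python because on M1
          # macs it installs the Framework version of Python, and the binaries
          # produced with that version do not pass Apple notarization step.
          # (tested with actions/setup-python@v4 and @v5)
          PYTHON_VERSION=3.10.13
          PYTHON_BUILD=20240224
          scripts/download \
            https://github.com/indygreg/python-build-standalone/releases/download/${PYTHON_BUILD}/cpython-${PYTHON_VERSION}+${PYTHON_BUILD}-${{ matrix.arch }}-apple-darwin-install_only.tar.gz \
            python.tar.gz \
            ${{ matrix.sha256sum.python }}
          tar xf python.tar.gz
          # Make Python available
          echo PATH=$PWD/python/bin:$PATH >> $GITHUB_ENV
          echo PYTHON_CMD=$PWD/python/bin/python >> $GITHUB_ENV
          # Install rcodesign
          RCODESIGN_VERSION=0.27.0
          scripts/download \
            https://github.com/indygreg/apple-platform-rs/releases/download/apple-codesign%2F${RCODESIGN_VERSION}/apple-codesign-${RCODESIGN_VERSION}-${{ matrix.arch }}-apple-darwin.tar.gz \
            rcodesign.tar.gz \
            ${{ matrix.sha256sum.rcodesign }}
          tar --strip-components=1 -xzf rcodesign.tar.gz
          # Make it available
          cp rcodesign /usr/local/bin
      - name: Install dependencies
        shell: bash
        run: |
          $PYTHON_CMD -m pip install --upgrade pip
          $PYTHON_CMD -m pip install --upgrade \
            pipenv==2023.12.1
          pipenv install --dev
          pipenv run pip install pyinstaller==6.7.0
        env:
          # Disable lock otherwise Windows-only dependencies like colorama are not installed
          # NOTE(review): with the lock skipped, release builds resolve
          # dependency versions at build time instead of from Pipfile.lock, so
          # two runs of this job can ship different transitive dependencies.
          PIPENV_SKIP_LOCK: 1
      - name: Prepare macOS secrets
        if: startsWith(matrix.os, 'macos-') && inputs.release_mode
        run: |
          set -euo pipefail
          # Secret material is written to disk for rcodesign; keep the
          # directory and files private to the runner user.
          umask 077
          SECRETS_DIR=$TMPDIR/secrets
          mkdir -m 700 "$SECRETS_DIR"
          # Prepare our secret files
          # The p12-file is base64-encoded because it's binary
          echo "$MACOS_P12_FILE" | base64 --decode > "$SECRETS_DIR/cert.p12"
          echo "$MACOS_P12_PASSWORD" > "$SECRETS_DIR/cert.pwd"
          echo "$MACOS_API_KEY_FILE" > "$SECRETS_DIR/rcodesign-notarize-key.json"
          # Tell next steps where to find them
          cat >> $GITHUB_ENV <<EOF
          MACOS_P12_FILE=$SECRETS_DIR/cert.p12
          MACOS_P12_PASSWORD_FILE=$SECRETS_DIR/cert.pwd
          MACOS_API_KEY_FILE=$SECRETS_DIR/rcodesign-notarize-key.json
          EOF
        env:
          MACOS_P12_FILE: ${{ secrets.MACOS_P12_FILE }}
          MACOS_P12_PASSWORD: ${{ secrets.MACOS_P12_PASSWORD }}
          MACOS_API_KEY_FILE: ${{ secrets.MACOS_API_KEY_FILE }}
      - name: Setup Windows environment
        if: startsWith(matrix.os, 'windows-') && inputs.release_mode
        shell: bash
        # Secrets are passed through `env:` and read as shell variables, like
        # the macOS step above, rather than expanded with `${{ secrets.* }}`
        # inside the script: an inline expansion splices the secret value into
        # the script text before bash parses it.
        run: |
          signtool_install_dir="/c/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x64"
          smctl_install_dir="/c/Program Files/DigiCert/DigiCert Keylocker Tools"
          # Add signtool dir to $PATH
          if [ ! -x "$signtool_install_dir/signtool.exe" ] ; then
            echo "signtool.exe is not in '$signtool_install_dir'"
            exit 1
          fi
          echo "$signtool_install_dir" >> $GITHUB_PATH
          # Add smctl dir to $PATH
          # Don't test if smctl is there: it is installed by the next step
          echo "$smctl_install_dir" >> $GITHUB_PATH
          # Create our certificate file
          # The p12-file is base64-encoded because it's binary
          cert_file="$TMPDIR/cert.p12"
          echo "$SM_CLIENT_CERT_FILE" | base64 --decode > "$cert_file"
          # Add secrets to env. Variable values expanded inside the heredoc are
          # not re-parsed by the shell.
          cat >> $GITHUB_ENV <<EOF
          WINDOWS_CERT_FINGERPRINT=$WINDOWS_CERT_FINGERPRINT
          SM_API_KEY=$SM_API_KEY
          SM_HOST=$SM_HOST
          SM_CLIENT_CERT_FILE=$cert_file
          SM_CLIENT_CERT_PASSWORD=$SM_CLIENT_CERT_PASSWORD
          EOF
        env:
          # SM_CLIENT_CERT_FILE holds the base64 content here; the heredoc
          # above replaces it with the decoded file path for later steps.
          SM_CLIENT_CERT_FILE: ${{ secrets.SM_CLIENT_CERT_FILE }}
          WINDOWS_CERT_FINGERPRINT: ${{ secrets.WINDOWS_CERT_FINGERPRINT }}
          SM_API_KEY: ${{ secrets.SM_API_KEY }}
          SM_HOST: ${{ secrets.SM_HOST }}
          SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
      - name: Install Windows dependencies
        if: startsWith(matrix.os, 'windows-') && inputs.release_mode
        shell: bash
        run: |
          scripts/build-os-packages/install-keylockertools
      - name: Build
        shell: bash
        run: |
          if [ "${{ inputs.release_mode }}" = "true" ] ; then
            args="--sign"
          else
            args="--suffix +${GITHUB_SHA:0:7}"
          fi
          # Run the script with `bash -c` because `pipenv run` does not
          # automatically do it on Windows
          pipenv run bash -c "scripts/build-os-packages/build-os-packages $args"
      - name: Override base Docker image used for functional tests on Windows
        if: matrix.os == 'windows-2022'
        # This is required because GitHub Windows runner is not configured to
        # run Linux-based Docker images
        shell: bash
        run: |
          echo "GGTEST_DOCKER_IMAGE=mcr.microsoft.com/windows/nanoserver:ltsc2022" >> $GITHUB_ENV
      - name: Functional tests
        shell: bash
        # Skipped for pull requests from forks: the step needs the repository
        # secrets below, which are not available to fork PRs.
        if: ${{ !github.event.pull_request.head.repo.fork }}
        run: |
          pipenv run bash -c "scripts/build-os-packages/build-os-packages functests"
        env:
          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
          GITGUARDIAN_API_URL: ${{ secrets.GITGUARDIAN_API_URL }}
          TEST_KNOWN_SECRET: ${{ secrets.TEST_KNOWN_SECRET }}
          TEST_GG_VALID_TOKEN: ${{ secrets.TEST_GG_VALID_TOKEN }}
          TEST_GG_VALID_TOKEN_IGNORE_SHA: ${{ secrets.TEST_GG_VALID_TOKEN_IGNORE_SHA }}
          TEST_UNKNOWN_SECRET: ${{ secrets.TEST_UNKNOWN_SECRET }}
      - name: Upload artifacts
        uses: actions/upload-artifact@v4
        with:
          name: os-packages-${{ matrix.os }}
          path: |
            packages/ggshield-*.gz
            packages/ggshield-*.pkg
            packages/ggshield-*.zip
            packages/ggshield-*.rpm
            packages/ggshield_*.deb

  # Run some basic tests, the goal is to verify the ggshield binary has all the
  # libraries it needs to run
  linux_package_smoke_tests:
    needs: build_os_packages
    runs-on: ubuntu-22.04
    container: ${{ matrix.image }}
    strategy:
      fail-fast: false
      matrix:
        image:
          - debian:stable
          - ubuntu:latest
          - rockylinux/rockylinux:8.8
          - opensuse/leap
          # Test a distribution with no deb or rpm support
          - clearlinux:latest
    steps:
      - name: Download OS packages
        uses: actions/download-artifact@v4
        with:
          pattern: os-packages-ubuntu-22.04
          path: packages
          merge-multiple: true
      - name: Setup
        # Install ggshield dependencies and the package itself
        run: |
          case "${{ matrix.image }}" in
            debian:*|ubuntu:*)
              apt update
              apt install --no-install-recommends -y git
              dpkg -i packages/*.deb
              ;;
            rockylinux*)
              yum install -y git
              rpm -i packages/*.rpm
              ;;
            opensuse*)
              zypper install -y git
              rpm -i packages/*.rpm
              ;;
            clearlinux*)
              swupd bundle-add git
              # Unpack ggshield in /usr/local/ggshield
              pkg_dir=$PWD/packages
              mkdir /usr/local/ggshield
              cd /usr/local/ggshield
              tar --strip-components 1 -xf $pkg_dir/*.tar.gz
              # Add ggshield to $PATH. `-p` so the step does not fail if the
              # image already ships /usr/local/bin.
              mkdir -p /usr/local/bin
              ln -s $PWD/ggshield /usr/local/bin/ggshield
              ;;
          esac
      - name: Smoke test
        run: |
          ggshield --version
          ggshield --help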