---
name: Build release assets
# Reusable job set shared by the ci and tag workflows (through workflow_call)
# to build all release assets; the same input is exposed for manual runs
# through workflow_dispatch.
on:  # yamllint disable-line rule:truthy
  workflow_call:
    inputs:
      release_mode:
        description: 'Release mode (signed binaries, no commit sha in version number)'
        type: boolean
        default: false
  workflow_dispatch:
    inputs:
      release_mode:
        description: 'Release mode (signed binaries, no commit sha in version number)'
        type: boolean
        default: false
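jobs:
  # Actions are pinned to major tags (@v4, @v5), not to commit SHAs.
  build_wheel_sdist:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Install packaging tools
        # NOTE(review): `build` is not pinned here, unlike pipenv/pyinstaller
        # below, so a release run picks whatever version PyPI serves that day.
        run: |
          pip install build
      - name: Create packages
        run: |
          python -m build
      - name: Upload packages
        uses: actions/upload-artifact@v4
        with:
          name: dist
          path: |
            dist

  build_os_packages:
    name: Build packages
    runs-on: ${{ matrix.os }}
    # Only the Linux build runs inside a container (Rocky Linux 8.8);
    # presumably to build against an older userland — confirm.
    container: ${{ matrix.os == 'ubuntu-22.04' && 'rockylinux/rockylinux:8.8' || null }}
    strategy:
      fail-fast: false
      matrix:
        include:
          - os: ubuntu-22.04
          - os: windows-2022
          - os: macos-13
            arch: x86_64
            # Expected digests of the standalone Python and rcodesign archives
            # downloaded in "Install macOS specific dependencies"; they are
            # passed to scripts/download as its third argument.
            sha256sum:
              python: '6378dfd22f58bb553ddb02be28304d739cd730c1f95c15c74955c923a1bc3d6a'
              rcodesign: 'bca6e648afaddd48f1c3d5dd25aa516659992cbbd2ba7131ba6add739aa895d3'
          - os: macos-14
            arch: aarch64
            sha256sum:
              python: '5fdc0f6a5b5a90fd3c528e8b1da8e3aac931ea8690126c2fdb4254c84a3ff04a'
              rcodesign: '163520079cd6ad1427791c792735a6ddfcb8eca0187bbcf0cc0bebfa4a62153d'
    steps:
      - uses: actions/checkout@v4
        with:
          # Get enough commits to run `ggshield secret scan commit-range` on ourselves
          fetch-depth: 10
      - name: Set up Python 3.10 (Windows 1/2)
        if: matrix.os == 'windows-2022'
        uses: actions/setup-python@v5
        with:
          python-version: '3.10'
      - name: Set up Python 3.10 (Windows 2/2)
        if: matrix.os == 'windows-2022'
        shell: bash
        run: |
          echo PYTHON_CMD=python >> "$GITHUB_ENV"
      - name: Install Linux specific dependencies
        if: matrix.os == 'ubuntu-22.04'
        run: |
          # Install Python and git
          yum install -y \
            python3.9 \
            git-core
          echo PYTHON_CMD=/usr/bin/python3.9 >> "$GITHUB_ENV"
          # Install NFPM (download is checked against a pinned checksum)
          NFPM_VERSION=2.36.1
          NFPM_CHECKSUM=9f8effa24bc6033b509611dbe68839542a63e825525b195672298c369051ef0b
          scripts/download \
            https://github.com/goreleaser/nfpm/releases/download/v${NFPM_VERSION}/nfpm_${NFPM_VERSION}_Linux_x86_64.tar.gz \
            nfpm.tar.gz \
            $NFPM_CHECKSUM
          tar xf nfpm.tar.gz nfpm
          cp nfpm /usr/local/bin
          # Avoid "dubious permission" git error: the checkout is owned by a
          # different uid than the container user. The '*' wildcard is acceptable
          # only because the container is ephemeral.
          git config --global --add safe.directory '*'
      - name: Install macOS specific dependencies
        if: startsWith(matrix.os, 'macos-')
        run: |
          # scripts/download needs the `sha256sum` command
          brew install coreutils
          # Install Python. We don't use actions/setup-python because on M1
          # macs it installs the Framework version of Python, and the binaries
          # produced with that version do not pass Apple notarization step.
          # (tested with actions/setup-python@v4 and @v5)
          PYTHON_VERSION=3.10.13
          PYTHON_BUILD=20240224
          scripts/download \
            https://github.com/indygreg/python-build-standalone/releases/download/${PYTHON_BUILD}/cpython-${PYTHON_VERSION}+${PYTHON_BUILD}-${{ matrix.arch }}-apple-darwin-install_only.tar.gz \
            python.tar.gz \
            ${{ matrix.sha256sum.python }}
          tar xf python.tar.gz
          # Make Python available
          echo PATH=$PWD/python/bin:$PATH >> "$GITHUB_ENV"
          echo PYTHON_CMD=$PWD/python/bin/python >> "$GITHUB_ENV"
          # Install rcodesign
          RCODESIGN_VERSION=0.27.0
          scripts/download \
            https://github.com/indygreg/apple-platform-rs/releases/download/apple-codesign%2F${RCODESIGN_VERSION}/apple-codesign-${RCODESIGN_VERSION}-${{ matrix.arch }}-apple-darwin.tar.gz \
            rcodesign.tar.gz \
            ${{ matrix.sha256sum.rcodesign }}
          tar --strip-components=1 -xzf rcodesign.tar.gz
          # Make it available
          cp rcodesign /usr/local/bin
      - name: Install dependencies
        shell: bash
        run: |
          $PYTHON_CMD -m pip install --upgrade pip
          $PYTHON_CMD -m pip install --upgrade \
            pipenv==2023.12.1 \
            pyinstaller==6.7.0
          pipenv install --dev
          # pyinstaller is installed a second time, inside the pipenv virtualenv
          pipenv run pip install pyinstaller==6.7.0
        env:
          # Disable lock otherwise Windows-only dependencies like colorama are not installed.
          # NOTE(review): skipping the lock also means the project's dependencies are
          # resolved from the Pipfile ranges at build time rather than from Pipfile.lock,
          # so two release builds are not guaranteed to get identical versions.
          PIPENV_SKIP_LOCK: 1
      - name: Prepare macOS secrets
        if: startsWith(matrix.os, 'macos-') && inputs.release_mode
        run: |
          set -euo pipefail
          SECRETS_DIR=$TMPDIR/secrets
          mkdir "$SECRETS_DIR"
          # Prepare our secret files
          # The p12-file is base64-encoded because it's binary
          echo "$MACOS_P12_FILE" | base64 --decode > "$SECRETS_DIR/cert.p12"
          echo "$MACOS_P12_PASSWORD" > "$SECRETS_DIR/cert.pwd"
          echo "$MACOS_API_KEY_FILE" > "$SECRETS_DIR/rcodesign-notarize-key.json"
          # Tell next steps where to find them. MACOS_P12_FILE and
          # MACOS_API_KEY_FILE hold the secret *contents* during this step
          # (see env below) but a file *path* in every later step.
          cat >> "$GITHUB_ENV" <<EOF
          MACOS_P12_FILE=$SECRETS_DIR/cert.p12
          MACOS_P12_PASSWORD_FILE=$SECRETS_DIR/cert.pwd
          MACOS_API_KEY_FILE=$SECRETS_DIR/rcodesign-notarize-key.json
          EOF
        env:
          MACOS_P12_FILE: ${{ secrets.MACOS_P12_FILE }}
          MACOS_P12_PASSWORD: ${{ secrets.MACOS_P12_PASSWORD }}
          MACOS_API_KEY_FILE: ${{ secrets.MACOS_API_KEY_FILE }}
      - name: Setup Windows environment
        if: startsWith(matrix.os, 'windows-') && inputs.release_mode
        shell: bash
        # Secrets are handed to the script through `env:`, as "Prepare macOS
        # secrets" does, instead of being interpolated into the script text with
        # ${{ }}. The shell then expands them as data, and the value never becomes
        # part of the generated script.
        env:
          SM_CLIENT_CERT_FILE_B64: ${{ secrets.SM_CLIENT_CERT_FILE }}
          WINDOWS_CERT_FINGERPRINT: ${{ secrets.WINDOWS_CERT_FINGERPRINT }}
          SM_API_KEY: ${{ secrets.SM_API_KEY }}
          SM_HOST: ${{ secrets.SM_HOST }}
          SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
        run: |
          signtool_install_dir="/c/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x64"
          smctl_install_dir="/c/Program Files/DigiCert/DigiCert Keylocker Tools"
          # Add signtool dir to $PATH
          if [ ! -x "$signtool_install_dir/signtool.exe" ] ; then
            echo "signtool.exe is not in '$signtool_install_dir'"
            exit 1
          fi
          echo "$signtool_install_dir" >> "$GITHUB_PATH"
          # Add smctl dir to $PATH
          # Don't test if smctl is there: it is installed by the next step
          echo "$smctl_install_dir" >> "$GITHUB_PATH"
          # Create our certificate file (the secret is base64-encoded because it's binary)
          cert_file="$TMPDIR/cert.p12"
          echo "$SM_CLIENT_CERT_FILE_B64" | base64 --decode > "$cert_file"
          # Add secrets to env of the following steps
          cat >> "$GITHUB_ENV" <<EOF
          WINDOWS_CERT_FINGERPRINT=$WINDOWS_CERT_FINGERPRINT
          SM_API_KEY=$SM_API_KEY
          SM_HOST=$SM_HOST
          SM_CLIENT_CERT_FILE=$cert_file
          SM_CLIENT_CERT_PASSWORD=$SM_CLIENT_CERT_PASSWORD
          EOF
      - name: Install Windows dependencies
        if: startsWith(matrix.os, 'windows-') && inputs.release_mode
        shell: bash
        run: |
          scripts/build-os-packages/install-keylockertools
      - name: Build
        shell: bash
        run: |
          # release_mode is a boolean input, so the interpolated text is only ever "true" or "false"
          if [ "${{ inputs.release_mode }}" = "true" ] ; then
            args="--sign"
          else
            args="--git-version"
          fi
          pipenv run scripts/build-os-packages/build-os-packages $args
      - name: Override base Docker image used for functional tests on Windows
        if: matrix.os == 'windows-2022'
        # This is required because GitHub Windows runner is not configured to
        # run Linux-based Docker images
        shell: bash
        run: |
          echo "GGTEST_DOCKER_IMAGE=mcr.microsoft.com/windows/nanoserver:ltsc2022" >> "$GITHUB_ENV"
      - name: Functional tests
        shell: bash
        # Skipped for pull requests coming from forks, which cannot read the
        # GITGUARDIAN_API_KEY secret.
        # NOTE(review): the original comment pointed to "a note about
        # GITGUARDIAN_API at the top of this file", but no such note exists in
        # this file — it may live in the calling workflow.
        if: ${{ !github.event.pull_request.head.repo.fork }}
        run: |
          pipenv run scripts/build-os-packages/build-os-packages functests
        env:
          GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
          GITGUARDIAN_API_URL: ${{ secrets.GITGUARDIAN_API_URL }}
          TEST_KNOWN_SECRET: ${{ secrets.TEST_KNOWN_SECRET }}
          TEST_GG_VALID_TOKEN: ${{ secrets.TEST_GG_VALID_TOKEN }}
          TEST_GG_VALID_TOKEN_IGNORE_SHA: ${{ secrets.TEST_GG_VALID_TOKEN_IGNORE_SHA }}
          TEST_UNKNOWN_SECRET: ${{ secrets.TEST_UNKNOWN_SECRET }}
      - name: Upload artifacts
        uses: actions/upload-artifact@v4
        with:
          name: os-packages-${{ matrix.os }}
          path: |
            packages/ggshield-*.gz
            packages/ggshield-*.pkg
            packages/ggshield-*.zip
            packages/ggshield-*.rpm
            packages/ggshield_*.deb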