TO-DROP: build-git-installers: trigger on push #160
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: build-git-installers | |
| on: | |
| push: | |
| jobs: | |
| # Build and sign Mac OSX installers & upload artifacts | |
| create-macos-artifacts: | |
| strategy: | |
| matrix: | |
| arch: | |
| - name: arm64 | |
| runner: macos-latest-xl-arm64 | |
| runs-on: ${{ matrix.arch.runner }} | |
| env: | |
| VERSION: "2.42.0.vfs.0.0-universal" | |
| environment: release | |
| steps: | |
| - name: Check out repository | |
| uses: actions/checkout@v3 | |
| with: | |
| path: 'git' | |
| - name: Install Git dependencies | |
| run: | | |
| set -ex | |
| # Install x86_64 packages | |
| arch -x86_64 /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" | |
| arch -x86_64 /usr/local/bin/brew install gettext curl | |
| # Install arm64 packages | |
| brew install automake asciidoc xmlto docbook | |
| brew link --force gettext | |
| # Make universal gettext and curl library | |
| lipo -create -output libintl.a /usr/local/opt/gettext/lib/libintl.a /opt/homebrew/opt/gettext/lib/libintl.a | |
| lipo -create -output libcurl.dylib /opt/homebrew/opt/curl/lib/libcurl.4.dylib /usr/local/opt/curl/lib/libcurl.4.dylib | |
| - name: Set up signing/notarization infrastructure | |
| env: | |
| A1: ${{ secrets.APPLICATION_CERTIFICATE_BASE64 }} | |
| A2: ${{ secrets.APPLICATION_CERTIFICATE_PASSWORD }} | |
| I1: ${{ secrets.INSTALLER_CERTIFICATE_BASE64 }} | |
| I2: ${{ secrets.INSTALLER_CERTIFICATE_PASSWORD }} | |
| N1: ${{ secrets.APPLE_TEAM_ID }} | |
| N2: ${{ secrets.APPLE_DEVELOPER_ID }} | |
| N3: ${{ secrets.APPLE_DEVELOPER_PASSWORD }} | |
| N4: ${{ secrets.APPLE_KEYCHAIN_PROFILE }} | |
| run: | | |
| echo "Setting up signing certificates" | |
| security create-keychain -p pwd $RUNNER_TEMP/buildagent.keychain | |
| security default-keychain -s $RUNNER_TEMP/buildagent.keychain | |
| security unlock-keychain -p pwd $RUNNER_TEMP/buildagent.keychain | |
| # Prevent re-locking | |
| security set-keychain-settings $RUNNER_TEMP/buildagent.keychain | |
| echo "$A1" | base64 -D > $RUNNER_TEMP/cert.p12 | |
| security import $RUNNER_TEMP/cert.p12 \ | |
| -k $RUNNER_TEMP/buildagent.keychain \ | |
| -P "$A2" \ | |
| -T /usr/bin/codesign | |
| security set-key-partition-list \ | |
| -S apple-tool:,apple:,codesign: \ | |
| -s -k pwd \ | |
| $RUNNER_TEMP/buildagent.keychain | |
| echo "$I1" | base64 -D > $RUNNER_TEMP/cert.p12 | |
| security import $RUNNER_TEMP/cert.p12 \ | |
| -k $RUNNER_TEMP/buildagent.keychain \ | |
| -P "$I2" \ | |
| -T /usr/bin/pkgbuild | |
| security set-key-partition-list \ | |
| -S apple-tool:,apple:,pkgbuild: \ | |
| -s -k pwd \ | |
| $RUNNER_TEMP/buildagent.keychain | |
| echo "Setting up notarytool" | |
| xcrun notarytool store-credentials \ | |
| --team-id "$N1" \ | |
| --apple-id "$N2" \ | |
| --password "$N3" \ | |
| "$N4" | |
| - name: Build, sign, and notarize artifacts | |
| env: | |
| A3: ${{ secrets.APPLE_APPLICATION_SIGNING_IDENTITY }} | |
| I3: ${{ secrets.APPLE_INSTALLER_SIGNING_IDENTITY }} | |
| N4: ${{ secrets.APPLE_KEYCHAIN_PROFILE }} | |
| run: | | |
| die () { | |
| echo "$*" >&2 | |
| exit 1 | |
| } | |
| # Trace execution, stop on error | |
| set -ex | |
| # Write to "version" file to force match with trigger payload version | |
| echo "2.42.0.vfs.0.0-universal" >>git/version | |
| # Configure universal build | |
| cat >git/config.mak <<EOF | |
| # Create universal binaries. HOST_CPU is a bit of a lie and only | |
| # used in 'git version --build-options'. We'll fix that in code. | |
| HOST_CPU = universal | |
| BASIC_CFLAGS += -arch arm64 -arch x86_64 | |
| EOF | |
| # Configure the Git build to pick up gettext | |
| homebrew_prefix="$(brew --prefix)" | |
| cat >>git/config.mak <<EOF | |
| CFLAGS = -I$homebrew_prefix/include -I/usr/local/opt/gettext/include | |
| LDFLAGS = -L"$(pwd)" | |
| EOF | |
| # Configure the Git build to pick up the universal `libcurl.dylib` | |
| cat >>git/config.mak <<EOF | |
| CURL_LDFLAGS := -L"$(pwd)" -lcurl | |
| CURL_CONFIG := /usr/bin/true | |
| EOF | |
| # Avoid even building the dashed built-ins; Those should be hard-linked | |
| # copies of the `git` executable but would end up as actual copies instead, | |
| # bloating the size of the `.dmg` indecently. | |
| echo 'SKIP_DASHED_BUILT_INS = YabbaDabbaDoo' >>git/config.mak | |
| # To make use of the catalogs... | |
| export XML_CATALOG_FILES=$homebrew_prefix/etc/xml/catalog | |
| make -C git -j$(sysctl -n hw.physicalcpu) GIT-VERSION-FILE dist dist-doc | |
| export GIT_BUILT_FROM_COMMIT=$(gunzip -c git/git-$VERSION.tar.gz | git get-tar-commit-id) || | |
| die "Could not determine commit for build" | |
| # Extract tarballs | |
| mkdir payload manpages | |
| tar -xvf git/git-$VERSION.tar.gz -C payload | |
| tar -xvf git/git-manpages-$VERSION.tar.gz -C manpages | |
| # Lay out payload | |
| cp git/config.mak payload/git-$VERSION/config.mak | |
| make -C git/.github/macos-installer V=1 payload | |
| # Codesign payload | |
| cp -R stage/git-universal-$VERSION/ \ | |
| git/.github/macos-installer/build-artifacts | |
| make -C git/.github/macos-installer V=1 codesign \ | |
| APPLE_APP_IDENTITY="$A3" || die "Creating signed payload failed" | |
| # Build and sign pkg | |
| make -C git/.github/macos-installer V=1 pkg \ | |
| APPLE_INSTALLER_IDENTITY="$I3" \ | |
| || die "Creating signed pkg failed" | |
| # Notarize pkg | |
| make -C git/.github/macos-installer V=1 notarize \ | |
| APPLE_INSTALLER_IDENTITY="$I3" APPLE_KEYCHAIN_PROFILE="$N4" \ | |
| || die "Creating signed and notarized pkg failed" | |
| # Create DMG | |
| make -C git/.github/macos-installer V=1 image || die "Creating DMG failed" | |
| # Move all artifacts into top-level directory | |
| mv git/.github/macos-installer/disk-image/*.pkg git/.github/macos-installer/ | |
| - name: Upload artifacts | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: macos-artifacts | |
| path: | | |
| git/.github/macos-installer/*.dmg | |
| git/.github/macos-installer/*.pkg | |
| # End build and sign Mac OSX installers | |
| # Validate installers | |
| validate-installers: | |
| name: Validate installers | |
| strategy: | |
| matrix: | |
| component: | |
| - os: macos-latest | |
| artifact: macos-artifacts | |
| command: git | |
| - os: macos-latest-xl-arm64 | |
| artifact: macos-artifacts | |
| command: git | |
| runs-on: ${{ matrix.component.os }} | |
| needs: [create-macos-artifacts] | |
| steps: | |
| - name: Download artifacts | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: ${{ matrix.component.artifact }} | |
| - name: Install Windows | |
| if: contains(matrix.component.os, 'windows') | |
| shell: pwsh | |
| run: | | |
| $exePath = Get-ChildItem -Path ./*.exe | %{$_.FullName} | |
| Start-Process -Wait -FilePath "$exePath" -ArgumentList "/SILENT /VERYSILENT /NORESTART /SUPPRESSMSGBOXES /ALLOWDOWNGRADE=1" | |
| - name: Install Linux | |
| if: contains(matrix.component.os, 'ubuntu') | |
| run: | | |
| debpath=$(find ./*.deb) | |
| sudo apt install $debpath | |
| - name: Install macOS | |
| if: contains(matrix.component.os, 'macos') | |
| run: | | |
| # avoid letting Homebrew's `git` in `/opt/homebrew/bin` override `/usr/local/bin/git` | |
| arch="$(uname -m)" | |
| test arm64 != "$arch" || | |
| brew uninstall git | |
| pkgpath=$(find ./*universal*.pkg) | |
| sudo installer -pkg $pkgpath -target / | |
| - name: Validate | |
| shell: bash | |
| run: | | |
| "${{ matrix.component.command }}" --version | sed 's/git version //' >actual | |
| echo 2.42.0.vfs.0.0-universal >expect | |
| cmp expect actual || exit 1 | |
| - name: Validate universal binary CPU architecture | |
| if: contains(matrix.component.os, 'macos') | |
| shell: bash | |
| run: | | |
| set -ex | |
| git version --build-options >actual | |
| cat actual | |
| grep "cpu: $(uname -m)" actual | |
| # End validate installers |