build-git-installers.yml
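# Builds, signs and notarizes the universal (arm64 + x86_64) macOS installer
# for Git, uploads the .pkg/.dmg as the `macos-artifacts` artifact, then
# installs that artifact on macOS runners and checks the reported version
# and CPU architecture.
name: build-git-installers

# NOTE(review): a bare `push` trigger starts this workflow for every push to
# every branch and tag. The build job runs in the `release` environment and
# reads the signing/notarization secrets, so unless that environment has
# protection rules (not visible in this file), a push of modified build steps
# runs with those secrets in scope. Consider restricting the trigger to
# release tags or protected branches.
on:
  push:

# Least privilege for GITHUB_TOKEN: the jobs only check out the repository;
# artifact upload/download does not need further token scopes.
permissions:
  contents: read

jobs:
  # Build and sign Mac OSX installers & upload artifacts
  create-macos-artifacts:
    strategy:
      matrix:
        arch:
          - name: arm64
            runner: macos-latest-xl-arm64
    runs-on: ${{ matrix.arch.runner }}
    env:
      # Version string used in the tarball and payload directory names; the
      # validate job compares `git --version` against the same literal.
      VERSION: "2.42.0.vfs.0.0-universal"
    # Gives this job access to the secrets of the `release` environment.
    environment: release
    steps:
      # NOTE(review): `@v3` is a mutable tag (also used for upload-artifact
      # and download-artifact below). Pinning each action to a full commit
      # SHA keeps a retagged release from running in the job that handles
      # the signing secrets.
      - name: Check out repository
        uses: actions/checkout@v3
        with:
          path: 'git'
          # No later step talks to the remote, so do not leave the token in
          # the checkout's git config while the build runs.
          persist-credentials: false

      - name: Install Git dependencies
        run: |
          set -ex

          # Install x86_64 packages
          # NOTE(review): this executes the Homebrew installer fetched from the
          # moving HEAD ref at build time, in the same job that later signs the
          # release. Pin the script to a reviewed commit and verify its digest
          # if the build inputs need to be auditable.
          arch -x86_64 /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
          arch -x86_64 /usr/local/bin/brew install gettext curl

          # Install arm64 packages
          brew install automake asciidoc xmlto docbook
          brew link --force gettext

          # Make universal gettext and curl library
          lipo -create -output libintl.a /usr/local/opt/gettext/lib/libintl.a /opt/homebrew/opt/gettext/lib/libintl.a
          lipo -create -output libcurl.dylib /opt/homebrew/opt/curl/lib/libcurl.4.dylib /usr/local/opt/curl/lib/libcurl.4.dylib

      - name: Set up signing/notarization infrastructure
        env:
          A1: ${{ secrets.APPLICATION_CERTIFICATE_BASE64 }}
          A2: ${{ secrets.APPLICATION_CERTIFICATE_PASSWORD }}
          I1: ${{ secrets.INSTALLER_CERTIFICATE_BASE64 }}
          I2: ${{ secrets.INSTALLER_CERTIFICATE_PASSWORD }}
          N1: ${{ secrets.APPLE_TEAM_ID }}
          N2: ${{ secrets.APPLE_DEVELOPER_ID }}
          N3: ${{ secrets.APPLE_DEVELOPER_PASSWORD }}
          N4: ${{ secrets.APPLE_KEYCHAIN_PROFILE }}
        run: |
          echo "Setting up signing certificates"
          # Throwaway keychain under RUNNER_TEMP. Its password ("pwd") is a
          # fixed, non-secret value, so the imported keys are only as protected
          # as the runner's temp directory for the lifetime of the job.
          security create-keychain -p pwd "$RUNNER_TEMP/buildagent.keychain"
          security default-keychain -s "$RUNNER_TEMP/buildagent.keychain"
          security unlock-keychain -p pwd "$RUNNER_TEMP/buildagent.keychain"
          # Prevent re-locking
          security set-keychain-settings "$RUNNER_TEMP/buildagent.keychain"

          # Application (codesign) certificate
          echo "$A1" | base64 -D > "$RUNNER_TEMP/cert.p12"
          security import "$RUNNER_TEMP/cert.p12" \
            -k "$RUNNER_TEMP/buildagent.keychain" \
            -P "$A2" \
            -T /usr/bin/codesign
          # The decoded PKCS#12 is only needed for the import; do not leave it
          # on disk for the build steps that follow.
          rm -f "$RUNNER_TEMP/cert.p12"
          security set-key-partition-list \
            -S apple-tool:,apple:,codesign: \
            -s -k pwd \
            "$RUNNER_TEMP/buildagent.keychain"

          # Installer (pkgbuild) certificate
          echo "$I1" | base64 -D > "$RUNNER_TEMP/cert.p12"
          security import "$RUNNER_TEMP/cert.p12" \
            -k "$RUNNER_TEMP/buildagent.keychain" \
            -P "$I2" \
            -T /usr/bin/pkgbuild
          rm -f "$RUNNER_TEMP/cert.p12"
          security set-key-partition-list \
            -S apple-tool:,apple:,pkgbuild: \
            -s -k pwd \
            "$RUNNER_TEMP/buildagent.keychain"

          echo "Setting up notarytool"
          # NOTE(review): the Apple ID password is passed on the command line
          # and is visible in the process list while notarytool runs.
          xcrun notarytool store-credentials \
            --team-id "$N1" \
            --apple-id "$N2" \
            --password "$N3" \
            "$N4"

      - name: Build, sign, and notarize artifacts
        env:
          A3: ${{ secrets.APPLE_APPLICATION_SIGNING_IDENTITY }}
          I3: ${{ secrets.APPLE_INSTALLER_SIGNING_IDENTITY }}
          N4: ${{ secrets.APPLE_KEYCHAIN_PROFILE }}
        run: |
          die () {
            echo "$*" >&2
            exit 1
          }

          # Trace execution, stop on error
          # NOTE(review): `set -x` echoes the expanded make arguments below,
          # including the signing identities and the keychain profile name,
          # into the job log; keeping them out of the log depends on GitHub's
          # secret masking.
          set -ex

          # Write to "version" file to force match with trigger payload version
          echo "$VERSION" >>git/version

          # Configure universal build
          cat >git/config.mak <<EOF
          # Create universal binaries. HOST_CPU is a bit of a lie and only
          # used in 'git version --build-options'. We'll fix that in code.
          HOST_CPU = universal
          BASIC_CFLAGS += -arch arm64 -arch x86_64
          EOF

          # Configure the Git build to pick up gettext
          homebrew_prefix="$(brew --prefix)"
          cat >>git/config.mak <<EOF
          CFLAGS = -I$homebrew_prefix/include -I/usr/local/opt/gettext/include
          LDFLAGS = -L"$(pwd)"
          EOF

          # Configure the Git build to pick up the universal `libcurl.dylib`
          cat >>git/config.mak <<EOF
          CURL_LDFLAGS := -L"$(pwd)" -lcurl
          CURL_CONFIG := /usr/bin/true
          EOF

          # Avoid even building the dashed built-ins; Those should be hard-linked
          # copies of the `git` executable but would end up as actual copies instead,
          # bloating the size of the `.dmg` indecently.
          echo 'SKIP_DASHED_BUILT_INS = YabbaDabbaDoo' >>git/config.mak

          # To make use of the catalogs...
          export XML_CATALOG_FILES=$homebrew_prefix/etc/xml/catalog

          make -C git -j$(sysctl -n hw.physicalcpu) GIT-VERSION-FILE dist dist-doc

          # NOTE(review): `export VAR=$(...)` returns the status of `export`,
          # not of the pipeline, so the `|| die` below cannot fire when the
          # commit id is missing and the variable is then exported empty. If a
          # missing id must abort the build, assign first and export on a
          # separate line; confirm the dist tarball carries a commit id before
          # tightening this.
          export GIT_BUILT_FROM_COMMIT=$(gunzip -c git/git-$VERSION.tar.gz | git get-tar-commit-id) ||
            die "Could not determine commit for build"

          # Extract tarballs
          mkdir payload manpages
          tar -xvf git/git-$VERSION.tar.gz -C payload
          tar -xvf git/git-manpages-$VERSION.tar.gz -C manpages

          # Lay out payload
          cp git/config.mak payload/git-$VERSION/config.mak
          make -C git/.github/macos-installer V=1 payload

          # Codesign payload
          cp -R stage/git-universal-$VERSION/ \
            git/.github/macos-installer/build-artifacts
          make -C git/.github/macos-installer V=1 codesign \
            APPLE_APP_IDENTITY="$A3" || die "Creating signed payload failed"

          # Build and sign pkg
          make -C git/.github/macos-installer V=1 pkg \
            APPLE_INSTALLER_IDENTITY="$I3" \
            || die "Creating signed pkg failed"

          # Notarize pkg
          make -C git/.github/macos-installer V=1 notarize \
            APPLE_INSTALLER_IDENTITY="$I3" APPLE_KEYCHAIN_PROFILE="$N4" \
            || die "Creating signed and notarized pkg failed"

          # Create DMG
          make -C git/.github/macos-installer V=1 image || die "Creating DMG failed"

          # Move all artifacts into top-level directory
          mv git/.github/macos-installer/disk-image/*.pkg git/.github/macos-installer/

      - name: Upload artifacts
        uses: actions/upload-artifact@v3
        with:
          name: macos-artifacts
          path: |
            git/.github/macos-installer/*.dmg
            git/.github/macos-installer/*.pkg
  # End build and sign Mac OSX installers

  # Validate installers
  validate-installers:
    name: Validate installers
    strategy:
      matrix:
        component:
          - os: macos-latest
            artifact: macos-artifacts
            command: git
          - os: macos-latest-xl-arm64
            artifact: macos-artifacts
            command: git
    runs-on: ${{ matrix.component.os }}
    needs: [create-macos-artifacts]
    steps:
      - name: Download artifacts
        uses: actions/download-artifact@v3
        with:
          name: ${{ matrix.component.artifact }}

      # The Windows and Linux install steps are skipped by their `if:`
      # conditions for the current matrix, which lists macOS runners only.
      - name: Install Windows
        if: contains(matrix.component.os, 'windows')
        shell: pwsh
        run: |
          $exePath = Get-ChildItem -Path ./*.exe | %{$_.FullName}
          Start-Process -Wait -FilePath "$exePath" -ArgumentList "/SILENT /VERYSILENT /NORESTART /SUPPRESSMSGBOXES /ALLOWDOWNGRADE=1"

      - name: Install Linux
        if: contains(matrix.component.os, 'ubuntu')
        run: |
          debpath=$(find ./*.deb)
          sudo apt install $debpath

      - name: Install macOS
        if: contains(matrix.component.os, 'macos')
        run: |
          # avoid letting Homebrew's `git` in `/opt/homebrew/bin` override `/usr/local/bin/git`
          arch="$(uname -m)"
          test arm64 != "$arch" ||
          brew uninstall git

          pkgpath=$(find ./*universal*.pkg)
          sudo installer -pkg "$pkgpath" -target /

      - name: Validate
        shell: bash
        env:
          # Passed through the environment instead of being expanded into the
          # script text, so the matrix value is never parsed as shell syntax.
          GIT_COMMAND: ${{ matrix.component.command }}
        run: |
          "$GIT_COMMAND" --version | sed 's/git version //' >actual
          echo 2.42.0.vfs.0.0-universal >expect
          cmp expect actual || exit 1

      - name: Validate universal binary CPU architecture
        if: contains(matrix.component.os, 'macos')
        shell: bash
        run: |
          set -ex
          git version --build-options >actual
          cat actual
          grep "cpu: $(uname -m)" actual
  # End validate installers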