Build @ironfish binaries #149
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build @ironfish binaries | |
on: | |
workflow_dispatch: | |
inputs: | |
checkout_ref: | |
description: 'Git ref (branch, tag, commit SHA)' | |
required: false | |
release: | |
types: | |
- published | |
jobs: | |
build: | |
strategy: | |
fail-fast: false | |
matrix: | |
settings: | |
- host: macos-latest | |
arch: x86_64 | |
system: apple | |
- host: windows-latest | |
arch: x86_64 | |
system: windows | |
# requires 20.04 because ironfish depends on openssl 1.1.1, new ubuntu only allows 3.x | |
- host: ubuntu-20.04 | |
arch: x86_64 | |
system: linux | |
- host: macos-latest-xlarge | |
arch: arm64 | |
system: apple | |
# currently no way to build arm64 | |
# - host: ubuntu-20.04 | |
# arch: aarch64 | |
# system: linux | |
# - host: ubuntu-20.04 | |
# target: aarch64-apple-darwin | |
name: Build ${{ matrix.settings.system }} ${{ matrix.settings.arch }} | |
runs-on: ${{ matrix.settings.host }} | |
steps: | |
- name: Check runner architecture | |
shell: bash | |
run: | | |
if [[ "$(uname -m)" != "${{ matrix.settings.arch }}" ]]; then | |
echo "Runner architecture does not match specified architecture" | |
exit 1 | |
fi | |
# needed for distutils, which is used by nodegyp, arm64 mac runners have 3.12 | |
- name: Set up Python | |
uses: actions/setup-python@v3 | |
with: | |
python-version: 3.11 | |
- name: Use node.js | |
uses: actions/setup-node@v4 | |
with: | |
node-version: 18 | |
- name: Use go | |
uses: actions/setup-go@v4 | |
with: | |
go-version: '1.20.6' | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
with: | |
ref: ${{ github.event.inputs.checkout_ref }} | |
# New step to checkout tools/ directory from a different branch | |
- name: Checkout tools directory from different branch | |
run: | | |
git fetch origin fix-add-dispatch-param | |
git checkout origin/fix-add-dispatch-param tools | |
- name: Create random identifier so binary extraction will be unique | |
id: identifier | |
shell: bash | |
run: | | |
identifier=$(awk 'BEGIN { | |
srand(); | |
chars = "abcdefghijklmnopqrstuvwxyz0123456789"; | |
for (i = 1; i <= 10; i++) { | |
printf "%s", substr(chars, int(rand() * length(chars)) + 1, 1); | |
} | |
print ""; | |
}') | |
echo "identifier=${identifier}" >> $GITHUB_OUTPUT | |
- name: Create build.tar.gz for binary | |
id: build | |
run: | | |
mkdir build | |
cd build | |
cp $(node -e "console.log(process.execPath)") ${{ matrix.settings.system != 'windows' && 'node' || 'node.exe' }} | |
npm init -y | |
npm install ironfish@${{ github.event_name == 'release' && github.event.release.tag_name || github.event.inputs.checkout_ref }} | |
tar -czf ../tools/build.tar.gz -C . . | |
- name: Create binary | |
id: binary | |
run: | | |
go build -ldflags "-X 'main.Identifier=${{ steps.identifier.outputs.identifier }}' -X 'main.Command={{caxac}}/${{ matrix.settings.system != 'windows' && 'node' || 'node.exe' }} --enable-source-maps {{caxac}}/node_modules/ironfish/bin/run' -X 'main.UncompressionMessage=Unpackaging ironfish application, this may take a minute when run for the first time.'" -o tools/${{ matrix.settings.system != 'windows' && 'ironfish' || 'ironfish.exe' }} tools/build-binary.go | |
- name: Set paths | |
id: set_paths | |
shell: bash | |
run: | | |
name="ironfish-standalone-${{ matrix.settings.system }}-${{ matrix.settings.arch }}-${{ github.event_name == 'release' && github.event.release.tag_name || github.event.inputs.checkout_ref }}" | |
echo "name=${name}" >> $GITHUB_OUTPUT | |
echo "zip=${name}.zip" >> $GITHUB_OUTPUT | |
echo "binary=${{ matrix.settings.system != 'windows' && 'ironfish' || 'ironfish.exe' }}" >> $GITHUB_OUTPUT | |
- name: chmod binary | |
working-directory: tools | |
if: matrix.settings.system != 'windows' | |
run: chmod +x ${{ steps.set_paths.outputs.binary }} | |
- name: Sign macOS | |
working-directory: tools | |
if: matrix.settings.system == 'apple' | |
env: | |
APPLE_DEVELOPER_ID_APPLICATION: ${{ secrets.APPLE_DEVELOPER_ID_APPLICATION }} | |
APPLE_IFLABS_SIGNING_CERT: ${{ secrets.APPLE_IFLABS_SIGNING_CERT }} | |
APPLE_IFLABS_SIGNING_CERT_PASSWORD: ${{ secrets.APPLE_IFLABS_SIGNING_CERT_PASSWORD }} | |
APPLE_PROVISIONING_PROFILE: ${{ secrets.APPLE_PROVISIONING_PROFILE }} | |
APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }} | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }} | |
APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }} | |
run: | | |
# create variables | |
CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12 | |
PP_PATH=$RUNNER_TEMP/build_pp.mobileprovision | |
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db | |
API_KEY_PATH=$RUNNER_TEMP/api_key.p8 | |
# import certificate and provisioning profile from secrets | |
echo -n "$APPLE_IFLABS_SIGNING_CERT" | base64 --decode -o $CERTIFICATE_PATH | |
echo -n "$APPLE_PROVISIONING_PROFILE" | base64 --decode -o $PP_PATH | |
echo -n "$APPLE_API_KEY" | base64 --decode -o $API_KEY_PATH | |
# create temporary keychain | |
security create-keychain -p "$APPLE_IFLABS_SIGNING_CERT_PASSWORD" $KEYCHAIN_PATH | |
security set-keychain-settings -lut 21600 $KEYCHAIN_PATH | |
security unlock-keychain -p "$APPLE_IFLABS_SIGNING_CERT_PASSWORD" $KEYCHAIN_PATH | |
# import certificate to keychain | |
security import $CERTIFICATE_PATH -P "$APPLE_IFLABS_SIGNING_CERT_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH | |
security list-keychain -d user -s $KEYCHAIN_PATH | |
# apply provisioning profile | |
mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles | |
cp $PP_PATH ~/Library/MobileDevice/Provisioning\ Profiles | |
ls $RUNNER_TEMP | |
APPLE_API_KEY="$RUNNER_TEMP/api_key.p8" codesign --deep --force --options=runtime --sign "${APPLE_DEVELOPER_ID_APPLICATION}" --timestamp ${{ steps.set_paths.outputs.binary }} | |
- name: Sign windows | |
working-directory: tools | |
if: matrix.settings.system == 'windows' | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
AZURE_KEY_VAULT_URI: ${{ secrets.AZURE_KEY_VAULT_URI }} | |
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} | |
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} | |
AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} | |
AZURE_CERT_NAME: ${{ secrets.AZURE_CERT_NAME }} | |
run: | | |
dotnet tool install --global AzureSignTool | |
AzureSignTool sign -kvu "${{ secrets.AZURE_KEY_VAULT_URI }}" -kvi "${{ secrets.AZURE_CLIENT_ID }}" -kvt "${{ secrets.AZURE_TENANT_ID }}" -kvs "${{ secrets.AZURE_CLIENT_SECRET }}" -kvc ${{ secrets.AZURE_CERT_NAME }} -tr http://timestamp.digicert.com -v ${{ steps.set_paths.outputs.binary }} | |
- name: Zip binary | |
uses: thedoctor0/[email protected] | |
with: | |
directory: tools | |
type: 'zip' | |
filename: ${{ steps.set_paths.outputs.zip }} | |
path: ${{ steps.set_paths.outputs.binary }} | |
- name: Notarize app bundle | |
working-directory: tools | |
if: matrix.settings.system == 'apple' | |
env: | |
APPLE_ID: ${{ secrets.APPLE_ID }} | |
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} | |
APPLE_NOTARIZATION_PWD: ${{ secrets.APPLE_NOTARIZATION_PWD }} | |
run: | | |
echo "Create keychain profile" | |
xcrun notarytool store-credentials "notarytool-profile" --apple-id "$APPLE_ID" --team-id "$APPLE_TEAM_ID" --password "$APPLE_NOTARIZATION_PWD" | |
echo "Notarize app" | |
xcrun notarytool submit "${{ steps.set_paths.outputs.zip }}" --keychain-profile "notarytool-profile" --wait | |
- name: Upload artifact | |
uses: actions/upload-artifact@v3 | |
with: | |
name: ${{ steps.set_paths.outputs.name }} | |
path: tools/${{ steps.set_paths.outputs.zip }} | |
if-no-files-found: error | |
- name: Upload release asset | |
id: upload-release-asset | |
if: github.event_name == 'release' | |
uses: actions/upload-release-asset@v1 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
upload_url: "${{ github.event.release.upload_url }}?name=${{ steps.set_paths.outputs.zip }}" | |
asset_path: tools/${{ steps.set_paths.outputs.zip }} | |
asset_name: ${{ steps.set_paths.outputs.zip }} | |
asset_content_type: application/zip |