Skip to content

Build @ironfish binaries #149

Build @ironfish binaries

Build @ironfish binaries #149

name: Build @ironfish binaries
on:
workflow_dispatch:
inputs:
checkout_ref:
description: 'Git ref (branch, tag, commit SHA)'
required: false
release:
types:
- published
jobs:
build:
strategy:
fail-fast: false
matrix:
settings:
- host: macos-latest
arch: x86_64
system: apple
- host: windows-latest
arch: x86_64
system: windows
# requires 20.04 because ironfish depends on openssl 1.1.1, new ubuntu only allows 3.x
- host: ubuntu-20.04
arch: x86_64
system: linux
- host: macos-latest-xlarge
arch: arm64
system: apple
# currently no way to build arm64
# - host: ubuntu-20.04
# arch: aarch64
# system: linux
# - host: ubuntu-20.04
# target: aarch64-apple-darwin
name: Build ${{ matrix.settings.system }} ${{ matrix.settings.arch }}
runs-on: ${{ matrix.settings.host }}
steps:
- name: Check runner architecture
shell: bash
run: |
if [[ "$(uname -m)" != "${{ matrix.settings.arch }}" ]]; then
echo "Runner architecture does not match specified architecture"
exit 1
fi
# needed for distutils, which is used by nodegyp, arm64 mac runners have 3.12
- name: Set up Python
uses: actions/setup-python@v3
with:
python-version: 3.11
- name: Use node.js
uses: actions/setup-node@v4
with:
node-version: 18
- name: Use go
uses: actions/setup-go@v4
with:
go-version: '1.20.6'
- name: Checkout repository
uses: actions/checkout@v4
with:
ref: ${{ github.event.inputs.checkout_ref }}
# New step to checkout tools/ directory from a different branch
- name: Checkout tools directory from different branch
run: |
git fetch origin fix-add-dispatch-param
git checkout origin/fix-add-dispatch-param tools
- name: Create random identifier so binary extraction will be unique
id: identifier
shell: bash
run: |
identifier=$(awk 'BEGIN {
srand();
chars = "abcdefghijklmnopqrstuvwxyz0123456789";
for (i = 1; i <= 10; i++) {
printf "%s", substr(chars, int(rand() * length(chars)) + 1, 1);
}
print "";
}')
echo "identifier=${identifier}" >> $GITHUB_OUTPUT
- name: Create build.tar.gz for binary
id: build
run: |
mkdir build
cd build
cp $(node -e "console.log(process.execPath)") ${{ matrix.settings.system != 'windows' && 'node' || 'node.exe' }}
npm init -y
npm install ironfish@${{ github.event_name == 'release' && github.event.release.tag_name || github.event.inputs.checkout_ref }}
tar -czf ../tools/build.tar.gz -C . .
- name: Create binary
id: binary
run: |
go build -ldflags "-X 'main.Identifier=${{ steps.identifier.outputs.identifier }}' -X 'main.Command={{caxac}}/${{ matrix.settings.system != 'windows' && 'node' || 'node.exe' }} --enable-source-maps {{caxac}}/node_modules/ironfish/bin/run' -X 'main.UncompressionMessage=Unpackaging ironfish application, this may take a minute when run for the first time.'" -o tools/${{ matrix.settings.system != 'windows' && 'ironfish' || 'ironfish.exe' }} tools/build-binary.go
- name: Set paths
id: set_paths
shell: bash
run: |
name="ironfish-standalone-${{ matrix.settings.system }}-${{ matrix.settings.arch }}-${{ github.event_name == 'release' && github.event.release.tag_name || github.event.inputs.checkout_ref }}"
echo "name=${name}" >> $GITHUB_OUTPUT
echo "zip=${name}.zip" >> $GITHUB_OUTPUT
echo "binary=${{ matrix.settings.system != 'windows' && 'ironfish' || 'ironfish.exe' }}" >> $GITHUB_OUTPUT
- name: chmod binary
working-directory: tools
if: matrix.settings.system != 'windows'
run: chmod +x ${{ steps.set_paths.outputs.binary }}
- name: Sign macOS
working-directory: tools
if: matrix.settings.system == 'apple'
env:
APPLE_DEVELOPER_ID_APPLICATION: ${{ secrets.APPLE_DEVELOPER_ID_APPLICATION }}
APPLE_IFLABS_SIGNING_CERT: ${{ secrets.APPLE_IFLABS_SIGNING_CERT }}
APPLE_IFLABS_SIGNING_CERT_PASSWORD: ${{ secrets.APPLE_IFLABS_SIGNING_CERT_PASSWORD }}
APPLE_PROVISIONING_PROFILE: ${{ secrets.APPLE_PROVISIONING_PROFILE }}
APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
run: |
# create variables
CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
PP_PATH=$RUNNER_TEMP/build_pp.mobileprovision
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
API_KEY_PATH=$RUNNER_TEMP/api_key.p8
# import certificate and provisioning profile from secrets
echo -n "$APPLE_IFLABS_SIGNING_CERT" | base64 --decode -o $CERTIFICATE_PATH
echo -n "$APPLE_PROVISIONING_PROFILE" | base64 --decode -o $PP_PATH
echo -n "$APPLE_API_KEY" | base64 --decode -o $API_KEY_PATH
# create temporary keychain
security create-keychain -p "$APPLE_IFLABS_SIGNING_CERT_PASSWORD" $KEYCHAIN_PATH
security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
security unlock-keychain -p "$APPLE_IFLABS_SIGNING_CERT_PASSWORD" $KEYCHAIN_PATH
# import certificate to keychain
security import $CERTIFICATE_PATH -P "$APPLE_IFLABS_SIGNING_CERT_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
security list-keychain -d user -s $KEYCHAIN_PATH
# apply provisioning profile
mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
cp $PP_PATH ~/Library/MobileDevice/Provisioning\ Profiles
ls $RUNNER_TEMP
APPLE_API_KEY="$RUNNER_TEMP/api_key.p8" codesign --deep --force --options=runtime --sign "${APPLE_DEVELOPER_ID_APPLICATION}" --timestamp ${{ steps.set_paths.outputs.binary }}
- name: Sign windows
working-directory: tools
if: matrix.settings.system == 'windows'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
AZURE_KEY_VAULT_URI: ${{ secrets.AZURE_KEY_VAULT_URI }}
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
AZURE_CERT_NAME: ${{ secrets.AZURE_CERT_NAME }}
run: |
dotnet tool install --global AzureSignTool
AzureSignTool sign -kvu "${{ secrets.AZURE_KEY_VAULT_URI }}" -kvi "${{ secrets.AZURE_CLIENT_ID }}" -kvt "${{ secrets.AZURE_TENANT_ID }}" -kvs "${{ secrets.AZURE_CLIENT_SECRET }}" -kvc ${{ secrets.AZURE_CERT_NAME }} -tr http://timestamp.digicert.com -v ${{ steps.set_paths.outputs.binary }}
- name: Zip binary
uses: thedoctor0/[email protected]
with:
directory: tools
type: 'zip'
filename: ${{ steps.set_paths.outputs.zip }}
path: ${{ steps.set_paths.outputs.binary }}
- name: Notarize app bundle
working-directory: tools
if: matrix.settings.system == 'apple'
env:
APPLE_ID: ${{ secrets.APPLE_ID }}
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
APPLE_NOTARIZATION_PWD: ${{ secrets.APPLE_NOTARIZATION_PWD }}
run: |
echo "Create keychain profile"
xcrun notarytool store-credentials "notarytool-profile" --apple-id "$APPLE_ID" --team-id "$APPLE_TEAM_ID" --password "$APPLE_NOTARIZATION_PWD"
echo "Notarize app"
xcrun notarytool submit "${{ steps.set_paths.outputs.zip }}" --keychain-profile "notarytool-profile" --wait
- name: Upload artifact
uses: actions/upload-artifact@v3
with:
name: ${{ steps.set_paths.outputs.name }}
path: tools/${{ steps.set_paths.outputs.zip }}
if-no-files-found: error
- name: Upload release asset
id: upload-release-asset
if: github.event_name == 'release'
uses: actions/upload-release-asset@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: "${{ github.event.release.upload_url }}?name=${{ steps.set_paths.outputs.zip }}"
asset_path: tools/${{ steps.set_paths.outputs.zip }}
asset_name: ${{ steps.set_paths.outputs.zip }}
asset_content_type: application/zip