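name: Build @ironfish binaries
on:
  workflow_dispatch:
    inputs:
      checkout_ref:
        # Feeds actions/checkout, the npm version spec and the artifact name.
        # It is collaborator-supplied free text, so steps should read it from
        # an env: variable rather than interpolating it inline into run: scripts.
        description: 'Git ref (branch, tag, commit SHA)'
        required: false
  release:
    types:
      - published
# Least-privilege GITHUB_TOKEN. The only step that talks to the GitHub API is
# upload-release-asset, which needs write access to release assets; that is
# covered by contents: write (which implies read for checkout). Without an
# explicit block the token inherits the repository default, which may be
# write-all.
permissions:
  contents: write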
jobs:
  build:
    strategy:
      # Keep building the remaining targets when one platform fails so a single
      # broken host does not hide results for the others.
      fail-fast: false
      matrix:
        settings:
          - host: macos-13
            arch: x86_64
            system: apple
          - host: windows-latest
            arch: x86_64
            system: windows
          # requires 20.04 because ironfish depends on openssl 1.1.1, new ubuntu only allows 3.x
          # NOTE(review): GitHub-hosted ubuntu-20.04 runners have been slated
          # for retirement; confirm this label still resolves before the next
          # release, or build inside a container image that ships OpenSSL 1.1.1.
          - host: ubuntu-20.04
            arch: x86_64
            system: linux
          - host: macos-latest
            arch: arm64
            system: apple
          # currently no way to build arm64
          # - host: ubuntu-20.04
          #   arch: aarch64
          #   system: linux
          # - host: ubuntu-20.04
          #   target: aarch64-apple-darwin
    name: Build ${{ matrix.settings.system }} ${{ matrix.settings.arch }}
    # host/arch/system are workflow-defined literals, so interpolating them into
    # the shell steps below is not an injection vector (unlike the event inputs).
    runs-on: ${{ matrix.settings.host }}
    steps:
- name: Check runner architecture
  shell: bash
  env:
    EXPECTED_ARCH: ${{ matrix.settings.arch }}
  run: |
    # Guard against a runner label resolving to a different CPU than the matrix
    # entry claims; the artifact name is derived from matrix.settings.arch.
    actual_arch="$(uname -m)"
    [[ "$actual_arch" == "$EXPECTED_ARCH" ]] || {
      echo "Runner architecture does not match specified architecture"
      exit 1
    }
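# needed for distutils, which is used by nodegyp, arm64 mac runners have 3.12
# NOTE(review): every `uses:` in this job is pinned by mutable tag. For a
# release-signing pipeline, pin each action to its full commit SHA (tag in a
# trailing comment) so a compromised or force-pushed tag cannot change the build.
- name: Set up Python
  uses: actions/setup-python@v3
  with:
    # Quoted on purpose: an unquoted value such as 3.10 is parsed as a YAML
    # float and would reach the action as "3.1".
    python-version: '3.11'
- name: Use node.js
  uses: actions/setup-node@v4
  with:
    node-version: 18
- name: Use go
  uses: actions/setup-go@v4
  with:
    go-version: '1.20.6'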
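- name: Checkout repository
  uses: actions/checkout@v4
  with:
    # Empty on a release event, in which case actions/checkout uses the ref
    # that triggered the run (the release tag).
    ref: ${{ github.event.inputs.checkout_ref }}
    # No later step pushes to the repository, and `npm install` below runs
    # third-party lifecycle scripts inside this tree: do not leave the
    # GITHUB_TOKEN persisted in .git/config for them to read.
    persist-credentials: false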
- name: Create random identifier so binary extraction will be unique
  id: identifier
  shell: bash
  run: |
    # Ten characters from [a-z0-9]. srand() seeds from the clock, which is all
    # that is needed here: the value is baked into the binary and is not a
    # secret, it only has to differ between builds.
    alphabet="abcdefghijklmnopqrstuvwxyz0123456789"
    identifier=$(awk -v chars="$alphabet" -v n=10 'BEGIN {
      srand();
      out = "";
      for (i = 0; i < n; i++) {
        out = out substr(chars, int(rand() * length(chars)) + 1, 1);
      }
      print out;
    }')
    echo "identifier=${identifier}" >> "$GITHUB_OUTPUT"
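- name: Create build.tar.gz for binary
  id: build
  # bash on every host so the env variables below are read the same way
  # everywhere; the "Set paths" step already relies on bash on Windows.
  shell: bash
  env:
    # Release event: the published tag; manual run: the supplied ref. Passed
    # through the environment instead of being interpolated into the script so
    # shell metacharacters in a ref or tag name are never parsed as code.
    IRONFISH_VERSION: ${{ github.event_name == 'release' && github.event.release.tag_name || github.event.inputs.checkout_ref }}
    NODE_BIN: ${{ matrix.settings.system != 'windows' && 'node' || 'node.exe' }}
  run: |
    mkdir build
    cd build
    # Bundle the exact node runtime installed above so the standalone binary
    # does not depend on a system node.
    cp "$(node -e "console.log(process.execPath)")" "$NODE_BIN"
    npm init -y
    # NOTE(review): this installs the *published* npm package, not the tree
    # that was just checked out, with no lockfile or integrity pin, and runs
    # the lifecycle scripts of everything it pulls in. For release builds,
    # consider installing from a committed lockfile (npm ci) and verifying the
    # package's integrity/provenance before bundling it.
    npm install "ironfish@${IRONFISH_VERSION}"
    tar -czf ../tools/build.tar.gz -C . .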
# Builds the Go launcher with the build identifier, the command to exec after
# unpacking, and the unpacking message baked in via -X. The identifier is
# [a-z0-9]{10} from the step above and the remaining values are workflow
# literals, so nothing attacker-controlled reaches the ldflags string.
# NOTE(review): {{caxac}} is presumably a placeholder the launcher replaces at
# run time with its extraction directory — confirm in tools/build-binary.go.
- name: Create binary
  id: binary
  run: |
    go build -ldflags "-X 'main.Identifier=${{ steps.identifier.outputs.identifier }}' -X 'main.Command={{caxac}}/${{ matrix.settings.system != 'windows' && 'node' || 'node.exe' }} --enable-source-maps {{caxac}}/node_modules/ironfish/bin/run' -X 'main.UncompressionMessage=Unpackaging ironfish application, this may take a minute when run for the first time.'" -o tools/${{ matrix.settings.system != 'windows' && 'ironfish' || 'ironfish.exe' }} tools/build-binary.go
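- name: Set paths
  id: set_paths
  shell: bash
  env:
    # Same selector as the build step: release tag on a release event,
    # otherwise the manually supplied ref. Read from the environment so the
    # value is never parsed as shell.
    IRONFISH_VERSION: ${{ github.event_name == 'release' && github.event.release.tag_name || github.event.inputs.checkout_ref }}
    TARGET_SYSTEM: ${{ matrix.settings.system }}
    TARGET_ARCH: ${{ matrix.settings.arch }}
    BINARY_NAME: ${{ matrix.settings.system != 'windows' && 'ironfish' || 'ironfish.exe' }}
  run: |
    # The ref/tag becomes part of a file name. NOTE(review): a ref containing
    # '/' would yield a path whose directories the later steps never create.
    name="ironfish-standalone-${TARGET_SYSTEM}-${TARGET_ARCH}-${IRONFISH_VERSION}"
    {
      echo "name=${name}"
      echo "zip=${name}.zip"
      echo "binary=${BINARY_NAME}"
    } >> "$GITHUB_OUTPUT"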
- name: chmod binary
  working-directory: tools
  # Windows has no execute bit; the .exe is skipped here.
  if: matrix.settings.system != 'windows'
  env:
    BINARY: ${{ steps.set_paths.outputs.binary }}
  run: chmod +x "$BINARY"
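- name: Sign macOS
  working-directory: tools
  if: matrix.settings.system == 'apple'
  # GITHUB_TOKEN is deliberately not exported here: nothing in this script
  # calls the GitHub API, so the signing step gets no repository credential.
  env:
    APPLE_DEVELOPER_ID_APPLICATION: ${{ secrets.APPLE_DEVELOPER_ID_APPLICATION }}
    APPLE_IFLABS_SIGNING_CERT: ${{ secrets.APPLE_IFLABS_SIGNING_CERT }}
    APPLE_IFLABS_SIGNING_CERT_PASSWORD: ${{ secrets.APPLE_IFLABS_SIGNING_CERT_PASSWORD }}
    APPLE_PROVISIONING_PROFILE: ${{ secrets.APPLE_PROVISIONING_PROFILE }}
    APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
    APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }}
    APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
    BINARY: ${{ steps.set_paths.outputs.binary }}
  run: |
    # Where the decoded signing material lives for the rest of the job.
    CERTIFICATE_PATH="$RUNNER_TEMP/build_certificate.p12"
    PP_PATH="$RUNNER_TEMP/build_pp.mobileprovision"
    KEYCHAIN_PATH="$RUNNER_TEMP/app-signing.keychain-db"
    API_KEY_PATH="$RUNNER_TEMP/api_key.p8"
    # Private material is written with owner-only permissions; RUNNER_TEMP is
    # shared by every step of this job.
    umask 077
    echo -n "$APPLE_IFLABS_SIGNING_CERT" | base64 --decode -o "$CERTIFICATE_PATH"
    echo -n "$APPLE_PROVISIONING_PROFILE" | base64 --decode -o "$PP_PATH"
    echo -n "$APPLE_API_KEY" | base64 --decode -o "$API_KEY_PATH"
    # Dedicated keychain for the signing identity. The same secret protects the
    # keychain and the .p12. -lut 21600: lock on sleep and after 6h idle.
    security create-keychain -p "$APPLE_IFLABS_SIGNING_CERT_PASSWORD" "$KEYCHAIN_PATH"
    security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
    security unlock-keychain -p "$APPLE_IFLABS_SIGNING_CERT_PASSWORD" "$KEYCHAIN_PATH"
    # -A allows any application to use the imported key without a UI prompt,
    # which a non-interactive runner needs.
    security import "$CERTIFICATE_PATH" -P "$APPLE_IFLABS_SIGNING_CERT_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
    # Make the temporary keychain the only one in the user search list so
    # codesign finds the identity there.
    security list-keychain -d user -s "$KEYCHAIN_PATH"
    mkdir -p ~/Library/MobileDevice/Provisioning\ Profiles
    cp "$PP_PATH" ~/Library/MobileDevice/Provisioning\ Profiles
    # NOTE(review): codesign does not consume APPLE_API_KEY, and the notarize
    # step authenticates with an Apple ID password instead, so the .p8 decoded
    # above appears to be unused — confirm and drop it if so. Nothing in this
    # step removes the keychain or the decoded files afterwards; on runners
    # that are not ephemeral, an `if: always()` cleanup step is needed.
    APPLE_API_KEY="$API_KEY_PATH" codesign --deep --force --options=runtime --sign "$APPLE_DEVELOPER_ID_APPLICATION" --timestamp "$BINARY"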
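- name: Sign windows
  working-directory: tools
  if: matrix.settings.system == 'windows'
  # pwsh is the default on windows runners; made explicit because the $env:
  # references below depend on it.
  shell: pwsh
  # GITHUB_TOKEN is deliberately not exported: this step never calls the
  # GitHub API, and every secret it needs is read via $env: rather than being
  # interpolated into the script, so none of them is written into the
  # generated script file on the runner.
  env:
    AZURE_KEY_VAULT_URI: ${{ secrets.AZURE_KEY_VAULT_URI }}
    AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
    AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
    AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
    AZURE_CERT_NAME: ${{ secrets.AZURE_CERT_NAME }}
    BINARY: ${{ steps.set_paths.outputs.binary }}
  run: |
    # NOTE(review): unpinned install from NuGet on every run; pass --version
    # so the signing toolchain is reproducible and reviewable.
    dotnet tool install --global AzureSignTool
    # Signs with the certificate held in Azure Key Vault and RFC 3161
    # timestamps the signature so it stays valid after the cert expires.
    AzureSignTool sign -kvu "$env:AZURE_KEY_VAULT_URI" -kvi "$env:AZURE_CLIENT_ID" -kvt "$env:AZURE_TENANT_ID" -kvs "$env:AZURE_CLIENT_SECRET" -kvc "$env:AZURE_CERT_NAME" -tr http://timestamp.digicert.com -v "$env:BINARY"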
# Packages the signed binary; this zip is what gets notarized and published.
# NOTE(review): third-party action pinned by tag only — pin to the full commit
# SHA for a step that produces the release artifact.
- name: Zip binary
  uses: thedoctor0/[email protected]
  with:
    directory: tools
    type: 'zip'
    filename: ${{ steps.set_paths.outputs.zip }}
    path: ${{ steps.set_paths.outputs.binary }}
# Submits the zip built above (the same file that is uploaded later). stapler
# does not support bare executables, so users' machines fetch the notarization
# ticket from Apple on first launch.
# NOTE(review): store-credentials leaves the Apple ID app password in a
# keychain on the runner — fine on ephemeral hosted runners, clean up otherwise.
# NOTE(review): confirm that a rejected submission makes `--wait` exit
# non-zero on the Xcode in use; otherwise check the status via
# --output-format json so an Invalid result cannot reach the release.
- name: Notarize app bundle
  working-directory: tools
  if: matrix.settings.system == 'apple'
  env:
    APPLE_ID: ${{ secrets.APPLE_ID }}
    APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
    APPLE_NOTARIZATION_PWD: ${{ secrets.APPLE_NOTARIZATION_PWD }}
  run: |
    echo "Create keychain profile"
    xcrun notarytool store-credentials "notarytool-profile" --apple-id "$APPLE_ID" --team-id "$APPLE_TEAM_ID" --password "$APPLE_NOTARIZATION_PWD"
    echo "Notarize app"
    xcrun notarytool submit "${{ steps.set_paths.outputs.zip }}" --keychain-profile "notarytool-profile" --wait
# Always attach the zip to the run, including manual builds that are not
# releases, so a build can be inspected before anything is published.
- name: Upload artifact
  uses: actions/upload-artifact@v4
  with:
    name: ${{ steps.set_paths.outputs.name }}
    path: tools/${{ steps.set_paths.outputs.zip }}
    # Fail loudly instead of silently producing a run with a missing binary.
    if-no-files-found: error
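- name: Upload release asset
  id: upload-release-asset
  if: github.event_name == 'release'
  # NOTE(review): actions/upload-release-asset appears to be unmaintained; the
  # preinstalled `gh release upload` is a maintained replacement that needs
  # only GITHUB_TOKEN with contents: write.
  uses: actions/upload-release-asset@v1
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  with:
    upload_url: "${{ github.event.release.upload_url }}?name=${{ steps.set_paths.outputs.zip }}"
    asset_path: tools/${{ steps.set_paths.outputs.zip }}
    asset_name: ${{ steps.set_paths.outputs.zip }}
    asset_content_type: application/zip
- name: Clean up signing material
  # Runs even when an earlier step failed. GitHub-hosted runners are
  # ephemeral, but self-hosted ones are not: remove the decoded certificate,
  # API key and provisioning profile and the temporary keychain that the
  # "Sign macOS" step created under RUNNER_TEMP and ~/Library.
  if: always() && matrix.settings.system == 'apple'
  shell: bash
  run: |
    security delete-keychain "$RUNNER_TEMP/app-signing.keychain-db" || true
    rm -f "$RUNNER_TEMP/build_certificate.p12" \
          "$RUNNER_TEMP/build_pp.mobileprovision" \
          "$RUNNER_TEMP/api_key.p8" \
          ~/Library/MobileDevice/Provisioning\ Profiles/build_pp.mobileprovision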