Build release assets #44
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build release assets | |
# This workflow is used by the ci and tag workflows to build all release | |
# assets. It can also be triggered manually. | |
on: | |
workflow_call: | |
inputs: | |
release_mode: | |
description: 'Release mode (signed binaries, no commit sha in version number)' | |
type: boolean | |
default: false | |
workflow_dispatch: | |
inputs: | |
release_mode: | |
description: 'Release mode (signed binaries, no commit sha in version number)' | |
type: boolean | |
default: false | |
jobs: | |
build_wheel_sdist: | |
runs-on: ubuntu-22.04 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Install packaging tools | |
run: | | |
pip install build | |
- name: Create packages | |
run: | | |
python -m build | |
- name: Upload packages | |
uses: actions/upload-artifact@v4 | |
with: | |
name: dist | |
path: | | |
dist | |
build_os_packages: | |
name: Build packages | |
runs-on: ${{ matrix.os }} | |
container: ${{ matrix.os == 'ubuntu-22.04' && 'rockylinux/rockylinux:8.8' || null }} | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- os: ubuntu-22.04 | |
- os: windows-2022 | |
- os: macos-13 | |
arch: x86_64 | |
sha256sum: | |
python: 6378dfd22f58bb553ddb02be28304d739cd730c1f95c15c74955c923a1bc3d6a | |
rcodesign: bca6e648afaddd48f1c3d5dd25aa516659992cbbd2ba7131ba6add739aa895d3 | |
- os: macos-14 | |
arch: aarch64 | |
sha256sum: | |
python: 5fdc0f6a5b5a90fd3c528e8b1da8e3aac931ea8690126c2fdb4254c84a3ff04a | |
rcodesign: 163520079cd6ad1427791c792735a6ddfcb8eca0187bbcf0cc0bebfa4a62153d | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
# Get enough commits to run `ggshield secret scan commit-range` on ourselves | |
fetch-depth: 10 | |
- name: Set up Python 3.10 (Windows 1/2) | |
if: matrix.os == 'windows-2022' | |
uses: actions/setup-python@v5 | |
with: | |
python-version: '3.10' | |
- name: Set up Python 3.10 (Windows 2/2) | |
if: matrix.os == 'windows-2022' | |
shell: bash | |
run: | | |
echo PYTHON_CMD=python >> $GITHUB_ENV | |
- name: Install Linux specific dependencies | |
if: matrix.os == 'ubuntu-22.04' | |
run: | | |
# Install Python and git | |
yum install -y \ | |
python3.9 \ | |
git-core | |
echo PYTHON_CMD=/usr/bin/python3.9 >> $GITHUB_ENV | |
# Install NFPM | |
NFPM_VERSION=2.36.1 | |
NFPM_CHECKSUM=9f8effa24bc6033b509611dbe68839542a63e825525b195672298c369051ef0b | |
scripts/download \ | |
https://github.com/goreleaser/nfpm/releases/download/v${NFPM_VERSION}/nfpm_${NFPM_VERSION}_Linux_x86_64.tar.gz \ | |
nfpm.tar.gz \ | |
$NFPM_CHECKSUM | |
tar xf nfpm.tar.gz nfpm | |
cp nfpm /usr/local/bin | |
# Avoid "dubious permission" git error | |
git config --global --add safe.directory '*' | |
- name: Install macOS specific dependencies | |
if: startsWith(matrix.os, 'macos-') | |
run: | | |
# scripts/download needs the `sha256sum` command | |
brew install coreutils | |
# Install Python. We don't use actions/setup-python because on M1 | |
# macs it installs the Framework version of Python, and the binaries | |
# produced with that version do not pass Apple notarization step. | |
# (tested with actions/setup-python@v4 and @v5) | |
PYTHON_VERSION=3.10.13 | |
PYTHON_BUILD=20240224 | |
scripts/download \ | |
https://github.com/indygreg/python-build-standalone/releases/download/${PYTHON_BUILD}/cpython-${PYTHON_VERSION}+${PYTHON_BUILD}-${{ matrix.arch }}-apple-darwin-install_only.tar.gz \ | |
python.tar.gz \ | |
${{ matrix.sha256sum.python }} | |
tar xf python.tar.gz | |
# Make Python available | |
echo PATH=$PWD/python/bin:$PATH >> $GITHUB_ENV | |
echo PYTHON_CMD=$PWD/python/bin/python >> $GITHUB_ENV | |
# Install rcodesign | |
RCODESIGN_VERSION=0.27.0 | |
scripts/download \ | |
https://github.com/indygreg/apple-platform-rs/releases/download/apple-codesign%2F${RCODESIGN_VERSION}/apple-codesign-${RCODESIGN_VERSION}-${{ matrix.arch }}-apple-darwin.tar.gz \ | |
rcodesign.tar.gz \ | |
${{ matrix.sha256sum.rcodesign }} | |
tar --strip-components=1 -xzf rcodesign.tar.gz | |
# Make it available | |
cp rcodesign /usr/local/bin | |
- name: Install dependencies | |
shell: bash | |
run: | | |
$PYTHON_CMD -m pip install --upgrade pip | |
$PYTHON_CMD -m pip install --upgrade \ | |
pipenv==2023.12.1 \ | |
pyinstaller==6.7.0 | |
pipenv install --dev | |
pipenv run pip install pyinstaller==6.7.0 | |
env: | |
# Disable lock otherwise Windows-only dependencies like colorama are not installed | |
PIPENV_SKIP_LOCK: 1 | |
- name: Prepare macOS secrets | |
if: startsWith(matrix.os, 'macos-') && inputs.release_mode | |
run: | | |
set -euo pipefail | |
SECRETS_DIR=$TMPDIR/secrets | |
mkdir "$SECRETS_DIR" | |
# Prepare our secret files | |
# The p12-file is base64-encoded because it's binary | |
echo "$MACOS_P12_FILE" | base64 --decode > "$SECRETS_DIR/cert.p12" | |
echo "$MACOS_P12_PASSWORD" > "$SECRETS_DIR/cert.pwd" | |
echo "$MACOS_API_KEY_FILE" > "$SECRETS_DIR/rcodesign-notarize-key.json" | |
# Tell next steps where to find them | |
cat >> $GITHUB_ENV <<EOF | |
MACOS_P12_FILE=$SECRETS_DIR/cert.p12 | |
MACOS_P12_PASSWORD_FILE=$SECRETS_DIR/cert.pwd | |
MACOS_API_KEY_FILE=$SECRETS_DIR/rcodesign-notarize-key.json | |
EOF | |
env: | |
MACOS_P12_FILE: ${{ secrets.MACOS_P12_FILE }} | |
MACOS_P12_PASSWORD: ${{ secrets.MACOS_P12_PASSWORD }} | |
MACOS_API_KEY_FILE: ${{ secrets.MACOS_API_KEY_FILE }} | |
- name: Setup Windows environment | |
if: startsWith(matrix.os, 'windows-') && inputs.release_mode | |
shell: bash | |
run: | | |
signtool_install_dir="/c/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x64" | |
smctl_install_dir="/c/Program Files/DigiCert/DigiCert Keylocker Tools" | |
# Add signtool dir to $PATH | |
if [ ! -x "$signtool_install_dir/signtool.exe" ] ; then | |
echo "signtool.exe is not in '$signtool_install_dir'" | |
exit 1 | |
fi | |
echo "$signtool_install_dir" >> $GITHUB_PATH | |
# Add smctl dir to $PATH | |
# Don't test if smctl is there: it is installed by the next step | |
echo "$smctl_install_dir" >> $GITHUB_PATH | |
# Create our certificate file | |
cert_file="$TMPDIR/cert.p12" | |
echo "${{ secrets.SM_CLIENT_CERT_FILE }}" | base64 --decode > "$cert_file" | |
# Add secrets to env | |
cat >> $GITHUB_ENV <<EOF | |
WINDOWS_CERT_FINGERPRINT=${{ secrets.WINDOWS_CERT_FINGERPRINT }} | |
SM_API_KEY=${{ secrets.SM_API_KEY }} | |
SM_HOST=${{ secrets.SM_HOST }} | |
SM_CLIENT_CERT_FILE=$cert_file | |
SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }} | |
EOF | |
- name: Install Windows dependencies | |
if: startsWith(matrix.os, 'windows-') && inputs.release_mode | |
shell: bash | |
run: | | |
scripts/build-os-packages/install-keylockertools | |
- name: Build | |
shell: bash | |
run: | | |
if [ "${{ inputs.release_mode }}" = "true" ] ; then | |
args="--sign" | |
else | |
args="--git-version" | |
fi | |
pwd | |
ls -al | |
pipenv run scripts/build-os-packages/build-os-packages $args | |
- name: Override base Docker image used for functional tests on Windows | |
if: matrix.os == 'windows-2022' | |
# This is required because GitHub Windows runner is not configured to | |
# run Linux-based Docker images | |
shell: bash | |
run: | | |
echo "GGTEST_DOCKER_IMAGE=mcr.microsoft.com/windows/nanoserver:ltsc2022" >> $GITHUB_ENV | |
- name: Functional tests | |
shell: bash | |
# See note about steps requiring the GITGUARDIAN_API at the top of this file | |
if: ${{ !github.event.pull_request.head.repo.fork }} | |
run: | | |
pipenv run scripts/build-os-packages/build-os-packages functests | |
env: | |
GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }} | |
GITGUARDIAN_API_URL: ${{ secrets.GITGUARDIAN_API_URL }} | |
TEST_KNOWN_SECRET: ${{ secrets.TEST_KNOWN_SECRET }} | |
TEST_GG_VALID_TOKEN: ${{ secrets.TEST_GG_VALID_TOKEN }} | |
TEST_GG_VALID_TOKEN_IGNORE_SHA: ${{ secrets.TEST_GG_VALID_TOKEN_IGNORE_SHA }} | |
TEST_UNKNOWN_SECRET: ${{ secrets.TEST_UNKNOWN_SECRET }} | |
- name: Upload artifacts | |
uses: actions/upload-artifact@v4 | |
with: | |
name: os-packages-${{ matrix.os }} | |
path: | | |
packages/ggshield-*.gz | |
packages/ggshield-*.pkg | |
packages/ggshield-*.zip | |
packages/ggshield-*.rpm | |
packages/ggshield_*.deb |