Build release assets #52

Workflow file for this run

.github/workflows/build_release_assets.yml at 9a71fb7

	name: Build release assets

	# This workflow is used by the ci and tag workflows to build all release
	# assets. It can also be triggered manually.

	on:
	workflow_call:
	inputs:
	release_mode:
	description: 'Release mode (signed binaries, no commit sha in version number)'
	type: boolean
	default: false
	workflow_dispatch:
	inputs:
	release_mode:
	description: 'Release mode (signed binaries, no commit sha in version number)'
	type: boolean
	default: false

	jobs:
	build_wheel_sdist:
	runs-on: ubuntu-22.04
	steps:
	- name: Checkout
	uses: actions/checkout@v4

	- name: Install packaging tools
	run: \|
	pip install build

	- name: Create packages
	run: \|
	python -m build

	- name: Upload packages
	uses: actions/upload-artifact@v4
	with:
	name: dist
	path: \|
	dist

	build_os_packages:
	name: Build packages
	runs-on: ${{ matrix.os }}
	container: ${{ matrix.os == 'ubuntu-22.04' && 'rockylinux/rockylinux:8.8' \|\| null }}
	strategy:
	fail-fast: false
	matrix:
	include:
	- os: ubuntu-22.04
	- os: windows-2022
	- os: macos-13
	arch: x86_64
	sha256sum:
	python: 6378dfd22f58bb553ddb02be28304d739cd730c1f95c15c74955c923a1bc3d6a
	rcodesign: bca6e648afaddd48f1c3d5dd25aa516659992cbbd2ba7131ba6add739aa895d3
	- os: macos-14
	arch: aarch64
	sha256sum:
	python: 5fdc0f6a5b5a90fd3c528e8b1da8e3aac931ea8690126c2fdb4254c84a3ff04a
	rcodesign: 163520079cd6ad1427791c792735a6ddfcb8eca0187bbcf0cc0bebfa4a62153d
	steps:
	- uses: actions/checkout@v4
	with:
	# Get enough commits to run `ggshield secret scan commit-range` on ourselves
	fetch-depth: 10

	- name: Set up Python 3.10 (Windows 1/2)
	if: matrix.os == 'windows-2022'
	uses: actions/setup-python@v5
	with:
	python-version: '3.10'

	- name: Set up Python 3.10 (Windows 2/2)
	if: matrix.os == 'windows-2022'
	shell: bash
	run: \|
	echo PYTHON_CMD=python >> $GITHUB_ENV

	- name: Install Linux specific dependencies
	if: matrix.os == 'ubuntu-22.04'
	run: \|
	# Install necessary packages
	yum install -y \
	python3.9 \
	git-core \
	findutils

	echo PYTHON_CMD=/usr/bin/python3.9 >> $GITHUB_ENV

	# Install NFPM
	NFPM_VERSION=2.36.1
	NFPM_CHECKSUM=9f8effa24bc6033b509611dbe68839542a63e825525b195672298c369051ef0b

	scripts/download \
	https://github.com/goreleaser/nfpm/releases/download/v${NFPM_VERSION}/nfpm_${NFPM_VERSION}_Linux_x86_64.tar.gz \
	nfpm.tar.gz \
	$NFPM_CHECKSUM

	tar xf nfpm.tar.gz nfpm
	cp nfpm /usr/local/bin

	# Avoid "dubious permission" git error
	git config --global --add safe.directory '*'

	- name: Install macOS specific dependencies
	if: startsWith(matrix.os, 'macos-')
	run: \|
	# scripts/download needs the `sha256sum` command
	brew install coreutils

	# Install Python. We don't use actions/setup-python because on M1
	# macs it installs the Framework version of Python, and the binaries
	# produced with that version do not pass Apple notarization step.
	# (tested with actions/setup-python@v4 and @v5)
	PYTHON_VERSION=3.10.13
	PYTHON_BUILD=20240224

	scripts/download \
	https://github.com/indygreg/python-build-standalone/releases/download/${PYTHON_BUILD}/cpython-${PYTHON_VERSION}+${PYTHON_BUILD}-${{ matrix.arch }}-apple-darwin-install_only.tar.gz \
	python.tar.gz \
	${{ matrix.sha256sum.python }}

	tar xf python.tar.gz

	# Make Python available
	echo PATH=$PWD/python/bin:$PATH >> $GITHUB_ENV
	echo PYTHON_CMD=$PWD/python/bin/python >> $GITHUB_ENV

	# Install rcodesign
	RCODESIGN_VERSION=0.27.0

	scripts/download \
	https://github.com/indygreg/apple-platform-rs/releases/download/apple-codesign%2F${RCODESIGN_VERSION}/apple-codesign-${RCODESIGN_VERSION}-${{ matrix.arch }}-apple-darwin.tar.gz \
	rcodesign.tar.gz \
	${{ matrix.sha256sum.rcodesign }}

	tar --strip-components=1 -xzf rcodesign.tar.gz

	# Make it available
	cp rcodesign /usr/local/bin

	- name: Install dependencies
	shell: bash
	run: \|
	$PYTHON_CMD -m pip install --upgrade pip
	$PYTHON_CMD -m pip install --upgrade \
	pipenv==2023.12.1

	pipenv install --dev
	pipenv run pip install pyinstaller==6.7.0
	env:
	# Disable lock otherwise Windows-only dependencies like colorama are not installed
	PIPENV_SKIP_LOCK: 1

	- name: Prepare macOS secrets
	if: startsWith(matrix.os, 'macos-') && inputs.release_mode
	run: \|
	set -euo pipefail
	SECRETS_DIR=$TMPDIR/secrets
	mkdir "$SECRETS_DIR"
	# Prepare our secret files
	# The p12-file is base64-encoded because it's binary
	echo "$MACOS_P12_FILE" \| base64 --decode > "$SECRETS_DIR/cert.p12"
	echo "$MACOS_P12_PASSWORD" > "$SECRETS_DIR/cert.pwd"
	echo "$MACOS_API_KEY_FILE" > "$SECRETS_DIR/rcodesign-notarize-key.json"

	# Tell next steps where to find them
	cat >> $GITHUB_ENV <<EOF
	MACOS_P12_FILE=$SECRETS_DIR/cert.p12
	MACOS_P12_PASSWORD_FILE=$SECRETS_DIR/cert.pwd
	MACOS_API_KEY_FILE=$SECRETS_DIR/rcodesign-notarize-key.json
	EOF
	env:
	MACOS_P12_FILE: ${{ secrets.MACOS_P12_FILE }}
	MACOS_P12_PASSWORD: ${{ secrets.MACOS_P12_PASSWORD }}
	MACOS_API_KEY_FILE: ${{ secrets.MACOS_API_KEY_FILE }}

	- name: Setup Windows environment
	if: startsWith(matrix.os, 'windows-') && inputs.release_mode
	shell: bash
	run: \|
	signtool_install_dir="/c/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x64"
	smctl_install_dir="/c/Program Files/DigiCert/DigiCert Keylocker Tools"

	# Add signtool dir to $PATH
	if [ ! -x "$signtool_install_dir/signtool.exe" ] ; then
	echo "signtool.exe is not in '$signtool_install_dir'"
	exit 1
	fi
	echo "$signtool_install_dir" >> $GITHUB_PATH

	# Add smctl dir to $PATH
	# Don't test if smctl is there: it is installed by the next step
	echo "$smctl_install_dir" >> $GITHUB_PATH

	# Create our certificate file
	cert_file="$TMPDIR/cert.p12"
	echo "${{ secrets.SM_CLIENT_CERT_FILE }}" \| base64 --decode > "$cert_file"

	# Add secrets to env
	cat >> $GITHUB_ENV <<EOF
	WINDOWS_CERT_FINGERPRINT=${{ secrets.WINDOWS_CERT_FINGERPRINT }}
	SM_API_KEY=${{ secrets.SM_API_KEY }}
	SM_HOST=${{ secrets.SM_HOST }}
	SM_CLIENT_CERT_FILE=$cert_file
	SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}
	EOF

	- name: Install Windows dependencies
	if: startsWith(matrix.os, 'windows-') && inputs.release_mode
	shell: bash
	run: \|
	scripts/build-os-packages/install-keylockertools

	- name: Build
	shell: bash
	run: \|
	if [ "${{ inputs.release_mode }}" = "true" ] ; then
	args="--sign"
	else
	args="--suffix +${GITHUB_SHA:0:7}"
	fi
	pipenv run bash -c "scripts/build-os-packages/build-os-packages $args"

	- name: Override base Docker image used for functional tests on Windows
	if: matrix.os == 'windows-2022'
	# This is required because GitHub Windows runner is not configured to
	# run Linux-based Docker images
	shell: bash
	run: \|
	echo "GGTEST_DOCKER_IMAGE=mcr.microsoft.com/windows/nanoserver:ltsc2022" >> $GITHUB_ENV

	- name: Functional tests
	shell: bash
	# See note about steps requiring the GITGUARDIAN_API at the top of this file
	if: ${{ !github.event.pull_request.head.repo.fork }}
	run: \|
	pipenv run bash -c scripts/build-os-packages/build-os-packages functests
	env:
	GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
	GITGUARDIAN_API_URL: ${{ secrets.GITGUARDIAN_API_URL }}
	TEST_KNOWN_SECRET: ${{ secrets.TEST_KNOWN_SECRET }}
	TEST_GG_VALID_TOKEN: ${{ secrets.TEST_GG_VALID_TOKEN }}
	TEST_GG_VALID_TOKEN_IGNORE_SHA: ${{ secrets.TEST_GG_VALID_TOKEN_IGNORE_SHA }}
	TEST_UNKNOWN_SECRET: ${{ secrets.TEST_UNKNOWN_SECRET }}

	- name: Upload artifacts
	uses: actions/upload-artifact@v4
	with:
	name: os-packages-${{ matrix.os }}
	path: \|
	packages/ggshield-*.gz
	packages/ggshield-*.pkg
	packages/ggshield-*.zip
	packages/ggshield-*.rpm
	packages/ggshield_*.deb

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Build release assets #52

Workflow file

Build release assets #52

Jobs

Run details

Workflow file for this run