Skip to content

Build release assets #57

Build release assets

Build release assets #57

name: Build release assets
# This workflow is used by the ci and tag workflows to build all release
# assets. It can also be triggered manually.
on:
workflow_call:
inputs:
release_mode:
description: 'Release mode (signed binaries, no commit sha in version number)'
type: boolean
default: false
workflow_dispatch:
inputs:
release_mode:
description: 'Release mode (signed binaries, no commit sha in version number)'
type: boolean
default: false
jobs:
build_wheel_sdist:
runs-on: ubuntu-22.04
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install packaging tools
run: |
pip install build
- name: Create packages
run: |
python -m build
- name: Upload packages
uses: actions/upload-artifact@v4
with:
name: dist
path: |
dist
build_os_packages:
name: Build packages
runs-on: ${{ matrix.os }}
container: ${{ matrix.os == 'ubuntu-22.04' && 'rockylinux/rockylinux:8.8' || null }}
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-22.04
- os: windows-2022
- os: macos-13
arch: x86_64
sha256sum:
python: 6378dfd22f58bb553ddb02be28304d739cd730c1f95c15c74955c923a1bc3d6a
rcodesign: bca6e648afaddd48f1c3d5dd25aa516659992cbbd2ba7131ba6add739aa895d3
- os: macos-14
arch: aarch64
sha256sum:
python: 5fdc0f6a5b5a90fd3c528e8b1da8e3aac931ea8690126c2fdb4254c84a3ff04a
rcodesign: 163520079cd6ad1427791c792735a6ddfcb8eca0187bbcf0cc0bebfa4a62153d
steps:
- uses: actions/checkout@v4
with:
# Get enough commits to run `ggshield secret scan commit-range` on ourselves
fetch-depth: 10
- name: Set up Python 3.10 (Windows 1/2)
if: matrix.os == 'windows-2022'
uses: actions/setup-python@v5
with:
python-version: '3.10'
- name: Set up Python 3.10 (Windows 2/2)
if: matrix.os == 'windows-2022'
shell: bash
run: |
echo PYTHON_CMD=python >> $GITHUB_ENV
- name: Install Linux specific dependencies
if: matrix.os == 'ubuntu-22.04'
run: |
# Install necessary packages
yum install -y \
python3.9 \
git-core \
findutils
echo PYTHON_CMD=/usr/bin/python3.9 >> $GITHUB_ENV
# Install NFPM
NFPM_VERSION=2.36.1
NFPM_CHECKSUM=9f8effa24bc6033b509611dbe68839542a63e825525b195672298c369051ef0b
scripts/download \
https://github.com/goreleaser/nfpm/releases/download/v${NFPM_VERSION}/nfpm_${NFPM_VERSION}_Linux_x86_64.tar.gz \
nfpm.tar.gz \
$NFPM_CHECKSUM
tar xf nfpm.tar.gz nfpm
cp nfpm /usr/local/bin
- name: Install macOS specific dependencies
if: startsWith(matrix.os, 'macos-')
run: |
# scripts/download needs the `sha256sum` command
brew install coreutils
# Install Python. We don't use actions/setup-python because on M1
# macs it installs the Framework version of Python, and the binaries
# produced with that version do not pass Apple notarization step.
# (tested with actions/setup-python@v4 and @v5)
PYTHON_VERSION=3.10.13
PYTHON_BUILD=20240224
scripts/download \
https://github.com/indygreg/python-build-standalone/releases/download/${PYTHON_BUILD}/cpython-${PYTHON_VERSION}+${PYTHON_BUILD}-${{ matrix.arch }}-apple-darwin-install_only.tar.gz \
python.tar.gz \
${{ matrix.sha256sum.python }}
tar xf python.tar.gz
# Make Python available
echo PATH=$PWD/python/bin:$PATH >> $GITHUB_ENV
echo PYTHON_CMD=$PWD/python/bin/python >> $GITHUB_ENV
# Install rcodesign
RCODESIGN_VERSION=0.27.0
scripts/download \
https://github.com/indygreg/apple-platform-rs/releases/download/apple-codesign%2F${RCODESIGN_VERSION}/apple-codesign-${RCODESIGN_VERSION}-${{ matrix.arch }}-apple-darwin.tar.gz \
rcodesign.tar.gz \
${{ matrix.sha256sum.rcodesign }}
tar --strip-components=1 -xzf rcodesign.tar.gz
# Make it available
cp rcodesign /usr/local/bin
- name: Install dependencies
shell: bash
run: |
$PYTHON_CMD -m pip install --upgrade pip
$PYTHON_CMD -m pip install --upgrade \
pipenv==2023.12.1
pipenv install --dev
pipenv run pip install pyinstaller==6.7.0
env:
# Disable lock otherwise Windows-only dependencies like colorama are not installed
PIPENV_SKIP_LOCK: 1
- name: Prepare macOS secrets
if: startsWith(matrix.os, 'macos-') && inputs.release_mode
run: |
set -euo pipefail
SECRETS_DIR=$TMPDIR/secrets
mkdir "$SECRETS_DIR"
# Prepare our secret files
# The p12-file is base64-encoded because it's binary
echo "$MACOS_P12_FILE" | base64 --decode > "$SECRETS_DIR/cert.p12"
echo "$MACOS_P12_PASSWORD" > "$SECRETS_DIR/cert.pwd"
echo "$MACOS_API_KEY_FILE" > "$SECRETS_DIR/rcodesign-notarize-key.json"
# Tell next steps where to find them
cat >> $GITHUB_ENV <<EOF
MACOS_P12_FILE=$SECRETS_DIR/cert.p12
MACOS_P12_PASSWORD_FILE=$SECRETS_DIR/cert.pwd
MACOS_API_KEY_FILE=$SECRETS_DIR/rcodesign-notarize-key.json
EOF
env:
MACOS_P12_FILE: ${{ secrets.MACOS_P12_FILE }}
MACOS_P12_PASSWORD: ${{ secrets.MACOS_P12_PASSWORD }}
MACOS_API_KEY_FILE: ${{ secrets.MACOS_API_KEY_FILE }}
- name: Setup Windows environment
if: startsWith(matrix.os, 'windows-') && inputs.release_mode
shell: bash
run: |
signtool_install_dir="/c/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x64"
smctl_install_dir="/c/Program Files/DigiCert/DigiCert Keylocker Tools"
# Add signtool dir to $PATH
if [ ! -x "$signtool_install_dir/signtool.exe" ] ; then
echo "signtool.exe is not in '$signtool_install_dir'"
exit 1
fi
echo "$signtool_install_dir" >> $GITHUB_PATH
# Add smctl dir to $PATH
# Don't test if smctl is there: it is installed by the next step
echo "$smctl_install_dir" >> $GITHUB_PATH
# Create our certificate file
cert_file="$TMPDIR/cert.p12"
echo "${{ secrets.SM_CLIENT_CERT_FILE }}" | base64 --decode > "$cert_file"
# Add secrets to env
cat >> $GITHUB_ENV <<EOF
WINDOWS_CERT_FINGERPRINT=${{ secrets.WINDOWS_CERT_FINGERPRINT }}
SM_API_KEY=${{ secrets.SM_API_KEY }}
SM_HOST=${{ secrets.SM_HOST }}
SM_CLIENT_CERT_FILE=$cert_file
SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}
EOF
- name: Install Windows dependencies
if: startsWith(matrix.os, 'windows-') && inputs.release_mode
shell: bash
run: |
scripts/build-os-packages/install-keylockertools
- name: Build
shell: bash
run: |
if [ "${{ inputs.release_mode }}" = "true" ] ; then
args="--sign"
else
args="--suffix +${GITHUB_SHA:0:7}"
fi
# Run the script with `bash -c` because `pipenv run` does not
# automatically do it on Windows
pipenv run bash -c "scripts/build-os-packages/build-os-packages $args"
- name: Override base Docker image used for functional tests on Windows
if: matrix.os == 'windows-2022'
# This is required because GitHub Windows runner is not configured to
# run Linux-based Docker images
shell: bash
run: |
echo "GGTEST_DOCKER_IMAGE=mcr.microsoft.com/windows/nanoserver:ltsc2022" >> $GITHUB_ENV
- name: Functional tests
shell: bash
# See note about steps requiring the GITGUARDIAN_API at the top of this file
if: ${{ !github.event.pull_request.head.repo.fork }}
run: |
pipenv run bash -c "scripts/build-os-packages/build-os-packages functests"
env:
GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
GITGUARDIAN_API_URL: ${{ secrets.GITGUARDIAN_API_URL }}
TEST_KNOWN_SECRET: ${{ secrets.TEST_KNOWN_SECRET }}
TEST_GG_VALID_TOKEN: ${{ secrets.TEST_GG_VALID_TOKEN }}
TEST_GG_VALID_TOKEN_IGNORE_SHA: ${{ secrets.TEST_GG_VALID_TOKEN_IGNORE_SHA }}
TEST_UNKNOWN_SECRET: ${{ secrets.TEST_UNKNOWN_SECRET }}
- name: Upload artifacts
uses: actions/upload-artifact@v4
with:
name: os-packages-${{ matrix.os }}
path: |
packages/ggshield-*.gz
packages/ggshield-*.pkg
packages/ggshield-*.zip
packages/ggshield-*.rpm
packages/ggshield_*.deb
# Run some basic tests, the goal is to verify the ggshield binary has all the
# libraries it needs to run
linux_package_smoke_tests:
needs: build_os_packages
runs-on: ubuntu-22.04
container: ${{ matrix.image }}
strategy:
fail-fast: false
matrix:
image:
- debian:stable
- ubuntu:latest
- rockylinux/rockylinux:8.8
- opensuse/leap
# Test a distribution with no deb or rpm support
- clearlinux:latest
steps:
- name: Download OS packages
uses: actions/download-artifact@v4
with:
pattern: os-packages-ubuntu-22.04
path: packages
merge-multiple: true
- name: Setup
# Install ggshield dependencies and the package itself
run: |
case "${{ matrix.image }}" in
debian:*|ubuntu:*)
apt update
apt install --no-install-recommends -y git
dpkg -i packages/*.deb
;;
rockylinux*)
yum install -y git
rpm -i packages/*.rpm
;;
opensuse*)
zypper install -y git
rpm -i packages/*.rpm
;;
clearlinux*)
swupd bundle-add git
# Unpack ggshield in /usr/local/ggshield
pkg_dir=$PWD/packages
mkdir /usr/local/ggshield
cd /usr/local/ggshield
tar --strip-components 1 -xf $pkg_dir/*.tar.gz
# Add ggshield to $PATH
mkdir /usr/local/bin
ln -s $PWD/ggshield /usr/local/bin/ggshield
;;
esac
- name: Smoke test
run: |
ggshield --version
ggshield --help