Skip to content

Maintenance locks and interactivity (#598) #119

Maintenance locks and interactivity (#598)

Maintenance locks and interactivity (#598) #119

name: build-git-installers
on:
push:
tags:
- 'v[0-9]*vfs*' # matches "v<number><any characters>vfs<any characters>"
jobs:
# Check prerequisites for the workflow
prereqs:
runs-on: ubuntu-latest
environment: release
env:
AZ_SUB: ${{ secrets.AZURE_SUBSCRIPTION }}
AZ_CREDS: ${{ secrets.AZURE_CREDENTIALS }}
outputs:
tag_name: ${{ steps.tag.outputs.name }} # The full name of the tag, e.g. v2.32.0.vfs.0.0
tag_version: ${{ steps.tag.outputs.version }} # The version number (without preceding "v"), e.g. 2.32.0.vfs.0.0
deb_signable: ${{ steps.deb.outputs.signable }} # Whether the credentials needed to sign the .deb package are available
steps:
- name: Validate tag
run: |
echo "$GITHUB_REF" |
grep '^refs/tags/v2\.\(0\|[1-9][0-9]*\)\.\(0\|[1-9][0-9]*\)\.vfs\.0\.\(0\|[1-9][0-9]*\)$' || {
echo "::error::${GITHUB_REF#refs/tags/} is not of the form v2.<X>.<Y>.vfs.0.<W>" >&2
exit 1
}
- name: Determine tag to build
run: |
echo "name=${GITHUB_REF#refs/tags/}" >>$GITHUB_OUTPUT
echo "version=${GITHUB_REF#refs/tags/v}" >>$GITHUB_OUTPUT
id: tag
- name: Determine whether signing certificates are present
run: echo "signable=$([[ $AZ_SUB != '' && $AZ_CREDS != '' ]] && echo 'true' || echo 'false')" >>$GITHUB_OUTPUT
id: deb
- name: Clone git
uses: actions/checkout@v3
- name: Validate the tag identified with trigger
run: |
die () {
echo "::error::$*" >&2
exit 1
}
# `actions/checkout` only downloads the peeled tag (i.e. the commit)
git fetch origin +$GITHUB_REF:$GITHUB_REF
# Verify that the tag is annotated
test $(git cat-file -t "$GITHUB_REF") == "tag" || die "Tag ${{ steps.tag.outputs.name }} is not annotated"
# Verify tag follows rules in GIT-VERSION-GEN (i.e., matches the specified "DEF_VER" in
# GIT-VERSION-FILE) and matches tag determined from trigger
make GIT-VERSION-FILE
test "${{ steps.tag.outputs.version }}" == "$(sed -n 's/^GIT_VERSION = //p'< GIT-VERSION-FILE)" || die "GIT-VERSION-FILE tag does not match ${{ steps.tag.outputs.name }}"
# End check prerequisites for the workflow
# Build Windows installers (x86_64 installer & portable)
windows_pkg:
runs-on: windows-2019
environment: release
needs: prereqs
env:
GPG_OPTIONS: "--batch --yes --no-tty --list-options no-show-photos --verify-options no-show-photos --pinentry-mode loopback"
HOME: "${{github.workspace}}\\home"
USERPROFILE: "${{github.workspace}}\\home"
steps:
- name: Configure user
shell: bash
run:
USER_NAME="${{github.actor}}" &&
USER_EMAIL="${{github.actor}}@users.noreply.github.com" &&
mkdir -p "$HOME" &&
git config --global user.name "$USER_NAME" &&
git config --global user.email "$USER_EMAIL" &&
echo "PACKAGER=$USER_NAME <$USER_EMAIL>" >>$GITHUB_ENV
- uses: git-for-windows/setup-git-for-windows-sdk@v1
with:
flavor: build-installers
- name: Clone build-extra
shell: bash
run: |
git clone --filter=blob:none --single-branch -b main https://github.com/git-for-windows/build-extra /usr/src/build-extra
- name: Clone git
shell: bash
run: |
# Since we cannot directly clone a specified tag (as we would a branch with `git clone -b <branch name>`),
# this clone has to be done manually (via init->fetch->reset).
tag_name="${{ needs.prereqs.outputs.tag_name }}" &&
git -c init.defaultBranch=main init &&
git remote add -f origin https://github.com/git-for-windows/git &&
git fetch "https://github.com/${{github.repository}}" refs/tags/${tag_name}:refs/tags/${tag_name} &&
git reset --hard ${tag_name}
- name: Prepare home directory for code-signing
env:
CODESIGN_P12: ${{secrets.CODESIGN_P12}}
CODESIGN_PASS: ${{secrets.CODESIGN_PASS}}
if: env.CODESIGN_P12 != '' && env.CODESIGN_PASS != ''
shell: bash
run: |
cd home &&
mkdir -p .sig &&
echo -n "$CODESIGN_P12" | tr % '\n' | base64 -d >.sig/codesign.p12 &&
echo -n "$CODESIGN_PASS" >.sig/codesign.pass
git config --global alias.signtool '!sh "/usr/src/build-extra/signtool.sh"'
- name: Prepare home directory for GPG signing
if: env.GPGKEY != ''
shell: bash
run: |
# This section ensures that the identity for the GPG key matches the git user identity, otherwise
# signing will fail
echo '${{secrets.PRIVGPGKEY}}' | tr % '\n' | gpg $GPG_OPTIONS --import &&
info="$(gpg --list-keys --with-colons "${GPGKEY%% *}" | cut -d : -f 1,10 | sed -n '/^uid/{s|uid:||p;q}')" &&
git config --global user.name "${info% <*}" &&
git config --global user.email "<${info#*<}"
env:
GPGKEY: ${{secrets.GPGKEY}}
- name: Build mingw-w64-x86_64-git
env:
GPGKEY: "${{secrets.GPGKEY}}"
shell: bash
run: |
set -x
# Make sure that there is a `/usr/bin/git` that can be used by `makepkg-mingw`
printf '#!/bin/sh\n\nexec /mingw64/bin/git.exe "$@"\n' >/usr/bin/git &&
# Restrict `PATH` to MSYS2 and to Visual Studio (to let `cv2pdb` find the relevant DLLs)
PATH="/mingw64/bin:/usr/bin:/C/Program Files (x86)/Microsoft Visual Studio 14.0/VC/bin/amd64:/C/Windows/system32"
type -p mspdb140.dll || exit 1
sh -x /usr/src/build-extra/please.sh build-mingw-w64-git --only-64-bit --build-src-pkg -o artifacts HEAD &&
if test -n "$GPGKEY"
then
for tar in artifacts/*.tar*
do
/usr/src/build-extra/gnupg-with-gpgkey.sh --detach-sign --no-armor $tar
done
fi &&
b=$PWD/artifacts &&
version=${{ needs.prereqs.outputs.tag_name }} &&
(cd /usr/src/MINGW-packages/mingw-w64-git &&
cp PKGBUILD.$version PKGBUILD &&
git commit -s -m "mingw-w64-git: new version ($version)" PKGBUILD &&
git bundle create "$b"/MINGW-packages.bundle origin/main..main)
- name: Publish mingw-w64-x86_64-git
uses: actions/upload-artifact@v3
with:
name: pkg-x86_64
path: artifacts
windows_artifacts:
runs-on: windows-2019
environment: release
needs: [prereqs, windows_pkg]
env:
HOME: "${{github.workspace}}\\home"
strategy:
matrix:
artifact:
- name: installer
fileprefix: Git
- name: portable
fileprefix: PortableGit
fail-fast: false
steps:
- name: Download pkg-x86_64
uses: actions/download-artifact@v3
with:
name: pkg-x86_64
path: pkg-x86_64
- uses: git-for-windows/setup-git-for-windows-sdk@v1
with:
flavor: build-installers
- name: Clone build-extra
shell: bash
run: |
git clone --filter=blob:none --single-branch -b main https://github.com/git-for-windows/build-extra /usr/src/build-extra
- name: Prepare home directory for code-signing
env:
CODESIGN_P12: ${{secrets.CODESIGN_P12}}
CODESIGN_PASS: ${{secrets.CODESIGN_PASS}}
if: env.CODESIGN_P12 != '' && env.CODESIGN_PASS != ''
shell: bash
run: |
mkdir -p home/.sig &&
echo -n "$CODESIGN_P12" | tr % '\n' | base64 -d >home/.sig/codesign.p12 &&
echo -n "$CODESIGN_PASS" >home/.sig/codesign.pass &&
git config --global alias.signtool '!sh "/usr/src/build-extra/signtool.sh"'
- name: Retarget auto-update to microsoft/git
shell: bash
run: |
set -x
b=/usr/src/build-extra &&
filename=$b/git-update-git-for-windows.config
tr % '\t' >$filename <<-\EOF &&
[update]
%fromFork = microsoft/git
EOF
sed -i -e '/^#include "file-list.iss"/a\
Source: {#SourcePath}\\..\\git-update-git-for-windows.config; DestDir: {app}\\mingw64\\bin; Flags: replacesameversion; AfterInstall: DeleteFromVirtualStore' \
-e '/^Type: dirifempty; Name: {app}\\{#MINGW_BITNESS}$/i\
Type: files; Name: {app}\\{#MINGW_BITNESS}\\bin\\git-update-git-for-windows.config\
Type: dirifempty; Name: {app}\\{#MINGW_BITNESS}\\bin' \
$b/installer/install.iss
- name: Set alerts to continue until upgrade is taken
shell: bash
run: |
set -x
b=/mingw64/bin &&
sed -i -e '6 a use_recently_seen=no' \
$b/git-update-git-for-windows
- name: Set the installer Publisher to the Git Fundamentals team
shell: bash
run: |
b=/usr/src/build-extra &&
sed -i -e 's/^\(AppPublisher=\).*/\1The Git Fundamentals Team at GitHub/' $b/installer/install.iss
- name: Let the installer configure Visual Studio to use the installed Git
shell: bash
run: |
set -x
b=/usr/src/build-extra &&
sed -i -e '/^ *InstallAutoUpdater();$/a\
CustomPostInstall();' \
-e '/^ *UninstallAutoUpdater();$/a\
CustomPostUninstall();' \
$b/installer/install.iss &&
cat >>$b/installer/helpers.inc.iss <<\EOF
procedure CustomPostInstall();
begin
if not RegWriteStringValue(HKEY_CURRENT_USER,'Software\Microsoft\VSCommon\15.0\TeamFoundation\GitSourceControl','GitPath',ExpandConstant('{app}')) or
not RegWriteStringValue(HKEY_CURRENT_USER,'Software\Microsoft\VSCommon\16.0\TeamFoundation\GitSourceControl','GitPath',ExpandConstant('{app}')) or
not RegWriteStringValue(HKEY_CURRENT_USER,'Software\Microsoft\VSCommon\17.0\TeamFoundation\GitSourceControl','GitPath',ExpandConstant('{app}')) or
not RegWriteStringValue(HKEY_CURRENT_USER,'Software\Microsoft\VSCommon\18.0\TeamFoundation\GitSourceControl','GitPath',ExpandConstant('{app}')) or
not RegWriteStringValue(HKEY_CURRENT_USER,'Software\Microsoft\VSCommon\19.0\TeamFoundation\GitSourceControl','GitPath',ExpandConstant('{app}')) or
not RegWriteStringValue(HKEY_CURRENT_USER,'Software\Microsoft\VSCommon\20.0\TeamFoundation\GitSourceControl','GitPath',ExpandConstant('{app}')) then
LogError('Could not register TeamFoundation\GitSourceControl');
end;
procedure CustomPostUninstall();
begin
if not RegDeleteValue(HKEY_CURRENT_USER,'Software\Microsoft\VSCommon\15.0\TeamFoundation\GitSourceControl','GitPath') or
not RegDeleteValue(HKEY_CURRENT_USER,'Software\Microsoft\VSCommon\16.0\TeamFoundation\GitSourceControl','GitPath') or
not RegDeleteValue(HKEY_CURRENT_USER,'Software\Microsoft\VSCommon\17.0\TeamFoundation\GitSourceControl','GitPath') or
not RegDeleteValue(HKEY_CURRENT_USER,'Software\Microsoft\VSCommon\18.0\TeamFoundation\GitSourceControl','GitPath') or
not RegDeleteValue(HKEY_CURRENT_USER,'Software\Microsoft\VSCommon\19.0\TeamFoundation\GitSourceControl','GitPath') or
not RegDeleteValue(HKEY_CURRENT_USER,'Software\Microsoft\VSCommon\20.0\TeamFoundation\GitSourceControl','GitPath') then
LogError('Could not register TeamFoundation\GitSourceControl');
end;
EOF
- name: Enable Scalar/C and the auto-updater in the installer by default
shell: bash
run: |
set -x
b=/usr/src/build-extra &&
sed -i -e "/ChosenOptions:=''/a\\
if (ExpandConstant('{param:components|/}')='/') then begin\n\
WizardSelectComponents('autoupdate');\n\
#ifdef WITH_SCALAR\n\
WizardSelectComponents('scalar');\n\
#endif\n\
end;" $b/installer/install.iss
- name: Build 64-bit ${{matrix.artifact.name}}
shell: bash
run: |
set -x
# Copy the PDB archive to the directory where `--include-pdbs` expects it
b=/usr/src/build-extra &&
mkdir -p $b/cached-source-packages &&
cp pkg-x86_64/*-pdb* $b/cached-source-packages/ &&
# Build the installer, embedding PDBs
eval $b/please.sh make_installers_from_mingw_w64_git --include-pdbs \
--version=${{ needs.prereqs.outputs.tag_version }} \
-o artifacts --${{matrix.artifact.name}} \
--pkg=pkg-x86_64/mingw-w64-x86_64-git-[0-9]*.tar.xz \
--pkg=pkg-x86_64/mingw-w64-x86_64-git-doc-html-[0-9]*.tar.xz &&
if test portable = '${{matrix.artifact.name}}' && test -n "$(git config alias.signtool)"
then
git signtool artifacts/PortableGit-*.exe
fi &&
openssl dgst -sha256 artifacts/${{matrix.artifact.fileprefix}}-*.exe | sed "s/.* //" >artifacts/sha-256.txt
- name: Verify that .exe files are code-signed
if: env.CODESIGN_P12 != '' && env.CODESIGN_PASS != ''
shell: bash
run: |
PATH=$PATH:"/c/Program Files (x86)/Windows Kits/10/App Certification Kit/" \
signtool verify //pa artifacts/${{matrix.artifact.fileprefix}}-*.exe
- name: Publish ${{matrix.artifact.name}}-x86_64
uses: actions/upload-artifact@v3
with:
name: win-${{matrix.artifact.name}}-x86_64
path: artifacts
# End build Windows installers
# Build and sign Mac OSX installers & upload artifacts
osx_build:
runs-on: macos-latest
needs: prereqs
env:
# `gettext` is keg-only
LDFLAGS: -L/usr/local/opt/gettext/lib
CFLAGS: -I/usr/local/opt/gettext/include
# To make use of the catalogs...
XML_CATALOG_FILES: /usr/local/etc/xml/catalog
VERSION: "${{ needs.prereqs.outputs.tag_version }}"
steps:
- name: Check out repository
uses: actions/checkout@v3
with:
path: 'git'
- name: Install Git dependencies
run: |
set -x
brew install automake asciidoc xmlto docbook
brew link --force gettext
- name: Build payload
run: |
# Configure the environment
set -x
PATH=/usr/local/bin:$PATH
export CURL_LDFLAGS=$(curl-config --libs)
# Write to "version" file to force match with trigger payload version
echo "${{ needs.prereqs.outputs.tag_version }}" >>git/version
make -C git -j$(sysctl -n hw.physicalcpu) GIT-VERSION-FILE dist dist-doc
export GIT_BUILT_FROM_COMMIT=$(gunzip -c git/git-$VERSION.tar.gz | git get-tar-commit-id) ||
die "Could not determine commit for build"
# Extract tarballs
mkdir payload manpages
tar -xvf git/git-$VERSION.tar.gz -C payload
tar -xvf git/git-manpages-$VERSION.tar.gz -C manpages
# Lay out payload
make -C git/.github/macos-installer V=1 payload
# This step is necessary because we cannot use the $VERSION
# environment variable or the tag_version output from the prereqs
# job in the upload-artifact task.
mkdir -p build_artifacts
cp -R stage/git-intel-x86_64-$VERSION/ build_artifacts
# We keep a list of executable files because their executable bits are
# removed when they are zipped, and we need to re-add.
find build_artifacts -type f -a -perm -u=x >executable-files.txt
- name: Upload macOS artifacts
uses: actions/upload-artifact@v3
with:
name: tmp.osx-build
path: |
build_artifacts
- name: Upload list of executable files
uses: actions/upload-artifact@v3
with:
name: tmp.executable-files
path: |
executable-files.txt
osx_sign_payload:
# ESRP service requires signing to run on Windows
runs-on: windows-latest
environment: release
needs: osx_build
steps:
- name: Check out repository
uses: actions/checkout@v3
with:
path: 'git'
- name: Download unsigned build artifiacts
uses: actions/download-artifact@v3
with:
name: tmp.osx-build
path: build_artifacts
- name: Zip unsigned build artifacts
shell: pwsh
run: |
Compress-Archive -Path build_artifacts build_artifacts/build_artifacts.zip
cd build_artifacts
Get-ChildItem -Exclude build_artifacts.zip | Remove-Item -Recurse -Force
- uses: azure/login@v1
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
- name: Set up ESRP client
shell: pwsh
env:
AZURE_VAULT: ${{ secrets.AZURE_VAULT }}
AUTH_CERT: ${{ secrets.AZURE_VAULT_AUTH_CERT_NAME }}
REQUEST_SIGNING_CERT: ${{ secrets.AZURE_VAULT_REQUEST_SIGNING_CERT_NAME }}
run: |
git\.github\scripts\set-up-esrp.ps1
- name: Run ESRP client
shell: pwsh
env:
AZURE_AAD_ID: ${{ secrets.AZURE_AAD_ID }}
APPLE_KEY_CODE: ${{ secrets.APPLE_KEY_CODE }}
APPLE_SIGNING_OP_CODE: ${{ secrets.APPLE_SIGNING_OPERATION_CODE }}
run: |
python git\.github\scripts\run-esrp-signing.py build_artifacts `
$env:APPLE_KEY_CODE $env:APPLE_SIGNING_OP_CODE `
--params 'Hardening' '--options=runtime'
- name: Unzip signed build artifacts
shell: pwsh
run: |
Expand-Archive signed/build_artifacts.zip -DestinationPath signed
Remove-Item signed/build_artifacts.zip
- name: Upload signed payload
uses: actions/upload-artifact@v3
with:
name: osx-signed-payload
path: |
signed
osx_pack:
runs-on: macos-latest
needs: [prereqs, osx_sign_payload]
steps:
- name: Check out repository
uses: actions/checkout@v3
with:
path: 'git'
- name: Download signed artifacts
uses: actions/download-artifact@v3
with:
name: osx-signed-payload
- name: Download list of executable files
uses: actions/download-artifact@v3
with:
name: tmp.executable-files
- name: Build macOS pkg
env:
VERSION: "${{ needs.prereqs.outputs.tag_version }}"
run: |
# Install findutils to use gxargs below
brew install findutils
# Configure the environment
export CURL_LDFLAGS=$(curl-config --libs)
# Add executable bits and move build_artifacts into
# the same directory as Makefile (so that executable bits
# will be recognized).
gxargs -r -d '\n' chmod a+x <executable-files.txt
mv build_artifacts git/.github/macos-installer/
# Create pkg
PATH=/usr/local/bin:$PATH \
make -C git/.github/macos-installer V=1 pkg ||
die "Build failed"
- name: Upload unsigned pkg
uses: actions/upload-artifact@v3
with:
name: tmp.osx-pkg
path: |
git/.github/macos-installer/disk-image
osx_sign_and_notarize_pkg:
# ESRP service requires signing to run on Windows
runs-on: windows-latest
environment: release
needs: osx_pack
steps:
- name: Check out repository
uses: actions/checkout@v3
with:
path: 'git'
- name: Download unsigned package
uses: actions/download-artifact@v3
with:
name: tmp.osx-pkg
path: pkg
- name: Zip unsigned package
shell: pwsh
run: |
Compress-Archive -Path pkg/*.pkg pkg/msft-git-pkg.zip
cd pkg
Get-ChildItem -Exclude msft-git-pkg.zip | Remove-Item -Recurse -Force
- uses: azure/login@v1
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
- name: Set up ESRP client
shell: pwsh
env:
AZURE_VAULT: ${{ secrets.AZURE_VAULT }}
AUTH_CERT: ${{ secrets.AZURE_VAULT_AUTH_CERT_NAME }}
REQUEST_SIGNING_CERT: ${{ secrets.AZURE_VAULT_REQUEST_SIGNING_CERT_NAME }}
run: |
git\.github\scripts\set-up-esrp.ps1
- name: Sign package
shell: pwsh
env:
AZURE_AAD_ID: ${{ secrets.AZURE_AAD_ID }}
APPLE_KEY_CODE: ${{ secrets.APPLE_KEY_CODE }}
APPLE_SIGNING_OP_CODE: ${{ secrets.APPLE_SIGNING_OPERATION_CODE }}
run: |
python git\.github\scripts\run-esrp-signing.py pkg $env:APPLE_KEY_CODE $env:APPLE_SIGNING_OP_CODE
- name: Unzip signed package
shell: pwsh
run: |
mkdir unsigned
Expand-Archive -LiteralPath signed\msft-git-pkg.zip -DestinationPath .\unsigned -Force
Remove-Item signed\msft-git-pkg.zip -Force
- name: Notarize signed package
shell: pwsh
env:
AZURE_AAD_ID: ${{ secrets.AZURE_AAD_ID }}
APPLE_KEY_CODE: ${{ secrets.APPLE_KEY_CODE }}
APPLE_NOTARIZATION_OP_CODE: ${{ secrets.APPLE_NOTARIZATION_OPERATION_CODE }}
run: |
python git\.github\scripts\run-esrp-signing.py unsigned $env:APPLE_KEY_CODE `
$env:APPLE_NOTARIZATION_OP_CODE --params 'BundleId' 'com.microsoft.git'
- name: Upload signed and notarized pkg
uses: actions/upload-artifact@v3
with:
name: osx-signed-pkg
path: |
signed
osx_publish_dmg:
runs-on: macos-latest
needs: [prereqs, osx_sign_and_notarize_pkg]
steps:
- name: Check out repository
uses: actions/checkout@v3
with:
path: 'git'
- name: Download signed package
uses: actions/download-artifact@v3
with:
name: osx-signed-pkg
path: disk-image
- name: Build macOS disk image
env:
VERSION: "${{ needs.prereqs.outputs.tag_version }}"
run: |
# Move disk-image into the same directory as Makefile
mv disk-image git/.github/macos-installer/
PATH=/usr/local/bin:$PATH \
make -C git/.github/macos-installer V=1 image || die "Build failed"
- name: Publish disk image
uses: actions/upload-artifact@v3
with:
name: osx-dmg
path: git/.github/macos-installer/*.dmg
# End build and sign Mac OSX installers
# Build & sign Ubuntu package
ubuntu_build:
runs-on: ubuntu-20.04
needs: prereqs
steps:
- name: Install git dependencies
run: |
set -ex
sudo apt-get update -q
sudo apt-get install -y -q --no-install-recommends gettext libcurl4-gnutls-dev libpcre3-dev asciidoc xmlto
- name: Clone git
uses: actions/checkout@v3
with:
path: git
- name: Build and package .deb
run: |
set -ex
die () {
echo "$*" >&2
exit 1
}
echo "${{ needs.prereqs.outputs.tag_version }}" >>git/version
make -C git GIT-VERSION-FILE
VERSION="${{ needs.prereqs.outputs.tag_version }}"
ARCH="$(dpkg-architecture -q DEB_HOST_ARCH)"
if test -z "$ARCH"; then
die "Could not determine host architecture!"
fi
PKGNAME="microsoft-git_$VERSION"
PKGDIR="$(dirname $(pwd))/$PKGNAME"
rm -rf "$PKGDIR"
mkdir -p "$PKGDIR"
DESTDIR="$PKGDIR" make -C git -j5 V=1 DEVELOPER=1 \
USE_LIBPCRE=1 \
NO_CROSS_DIRECTORY_HARDLINKS=1 \
ASCIIDOC8=1 ASCIIDOC_NO_ROFF=1 \
ASCIIDOC='TZ=UTC asciidoc' \
prefix=/usr/local \
gitexecdir=/usr/local/lib/git-core \
libexecdir=/usr/local/lib/git-core \
htmldir=/usr/local/share/doc/git/html \
install install-doc install-html
cd ..
mkdir "$PKGNAME/DEBIAN"
# Based on https://packages.ubuntu.com/xenial/vcs/git
cat >"$PKGNAME/DEBIAN/control" <<EOF
Package: microsoft-git
Version: $VERSION
Section: vcs
Priority: optional
Architecture: $ARCH
Depends: libcurl3-gnutls, liberror-perl, libexpat1, libpcre2-8-0, perl, perl-modules, zlib1g
Maintainer: Git Fundamentals <git-fundamentals@github.com>
Description: Git client built from the https://github.com/microsoft/git repository,
specialized in supporting monorepo scenarios. Includes the Scalar CLI.
EOF
dpkg-deb --build "$PKGNAME"
mkdir $GITHUB_WORKSPACE/artifacts
mv "$PKGNAME.deb" $GITHUB_WORKSPACE/artifacts/
- name: Publish unsigned .deb package
uses: actions/upload-artifact@v3
with:
name: deb-package-unsigned
path: artifacts/
ubuntu_sign-artifacts:
runs-on: windows-latest # Must be run on Windows due to ESRP executable OS compatibility
environment: release
needs: [ubuntu_build, prereqs]
if: needs.prereqs.outputs.deb_signable == 'true'
env:
ARTIFACTS_DIR: artifacts
steps:
- name: Clone repository
uses: actions/checkout@v3
with:
path: 'git'
- name: Download unsigned packages
uses: actions/download-artifact@v3
with:
name: deb-package-unsigned
path: unsigned
- uses: azure/login@v1
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
- name: Set up ESRP client
shell: pwsh
env:
AZURE_VAULT: ${{ secrets.AZURE_VAULT }}
AUTH_CERT: ${{ secrets.AZURE_VAULT_AUTH_CERT_NAME }}
REQUEST_SIGNING_CERT: ${{ secrets.AZURE_VAULT_REQUEST_SIGNING_CERT_NAME }}
run: |
git\.github\scripts\set-up-esrp.ps1
- name: Sign package
shell: pwsh
env:
AZURE_AAD_ID: ${{ secrets.AZURE_AAD_ID }}
LINUX_KEY_CODE: ${{ secrets.LINUX_KEY_CODE }}
LINUX_OP_CODE: ${{ secrets.LINUX_OPERATION_CODE }}
run: |
python git\.github\scripts\run-esrp-signing.py unsigned $env:LINUX_KEY_CODE $env:LINUX_OP_CODE
- name: Upload signed artifact
uses: actions/upload-artifact@v3
with:
name: deb-package-signed
path: signed
# End build & sign Ubuntu package
# Validate installers
validate-installers:
name: Validate installers
strategy:
matrix:
component:
- os: ubuntu-latest
artifact: deb-package-signed
command: git
- os: macos-latest
artifact: osx-signed-pkg
command: git
- os: windows-latest
artifact: win-installer-x86_64
command: $PROGRAMFILES\Git\cmd\git.exe
runs-on: ${{ matrix.component.os }}
needs: [prereqs, windows_artifacts, osx_publish_dmg, ubuntu_sign-artifacts]
steps:
- name: Download artifacts
uses: actions/download-artifact@v3
with:
name: ${{ matrix.component.artifact }}
- name: Install Windows
if: contains(matrix.component.os, 'windows')
shell: pwsh
run: |
$exePath = Get-ChildItem -Path ./*.exe | %{$_.FullName}
Start-Process -Wait -FilePath "$exePath" -ArgumentList "/SILENT /VERYSILENT /NORESTART /SUPPRESSMSGBOXES /ALLOWDOWNGRADE=1"
- name: Install Linux
if: contains(matrix.component.os, 'ubuntu')
run: |
debpath=$(find ./*.deb)
sudo apt install $debpath
- name: Install macOS
if: contains(matrix.component.os, 'macos')
run: |
pkgpath=$(find ./*.pkg)
sudo installer -pkg $pkgpath -target /
- name: Validate
shell: bash
run: |
"${{ matrix.component.command }}" --version | sed 's/git version //' >actual
echo ${{ needs.prereqs.outputs.tag_version }} >expect
cmp expect actual || exit 1
# End validate installers
create-github-release:
runs-on: ubuntu-latest
needs: [validate-installers]
if: |
success() ||
(needs.ubuntu_sign-artifacts.result == 'skipped' &&
needs.osx_publish_dmg.result == 'success' &&
needs.windows_artifacts.result == 'success')
steps:
- name: Download Windows portable installer
uses: actions/download-artifact@v3
with:
name: win-portable-x86_64
path: win-portable-x86_64
- name: Download Windows x86_64 installer
uses: actions/download-artifact@v3
with:
name: win-installer-x86_64
path: win-installer-x86_64
- name: Download Mac dmg
uses: actions/download-artifact@v3
with:
name: osx-dmg
path: osx-dmg
- name: Download Mac pkg
uses: actions/download-artifact@v3
with:
name: osx-signed-pkg
path: osx-pkg
- name: Download Ubuntu package (signed)
if: needs.prereqs.outputs.deb_signable == 'true'
uses: actions/download-artifact@v3
with:
name: deb-package-signed
path: deb-package
- name: Download Ubuntu package (unsigned)
if: needs.prereqs.outputs.deb_signable != 'true'
uses: actions/download-artifact@v3
with:
name: deb-package-unsigned
path: deb-package
- uses: actions/github-script@v6
with:
script: |
const fs = require('fs');
const path = require('path');
var releaseMetadata = {
owner: context.repo.owner,
repo: context.repo.repo
};
// Create the release
var tagName = "${{ needs.prereqs.outputs.tag_name }}";
var createdRelease = await github.rest.repos.createRelease({
...releaseMetadata,
draft: true,
tag_name: tagName,
name: tagName
});
releaseMetadata.release_id = createdRelease.data.id;
// Uploads contents of directory to the release created above
async function uploadDirectoryToRelease(directory, includeExtensions=[]) {
return fs.promises.readdir(directory)
.then(async(files) => Promise.all(
files.filter(file => {
return includeExtensions.length==0 || includeExtensions.includes(path.extname(file).toLowerCase());
})
.map(async (file) => {
var filePath = path.join(directory, file);
github.rest.repos.uploadReleaseAsset({
...releaseMetadata,
name: file,
headers: {
"content-length": (await fs.promises.stat(filePath)).size
},
data: fs.createReadStream(filePath)
});
}))
);
}
await Promise.all([
// Upload Windows artifacts
uploadDirectoryToRelease('win-installer-x86_64', ['.exe']),
uploadDirectoryToRelease('win-portable-x86_64', ['.exe']),
// Upload Mac artifacts
uploadDirectoryToRelease('osx-dmg'),
uploadDirectoryToRelease('osx-pkg'),
// Upload Ubuntu artifacts
uploadDirectoryToRelease('deb-package')
]);