diff --git a/.github/macos-installer/Makefile b/.github/macos-installer/Makefile
new file mode 100644
index 00000000000000..df339bd921df23
--- /dev/null
+++ b/.github/macos-installer/Makefile
@@ -0,0 +1,116 @@
+SHELL := /bin/bash
+SUDO := sudo
+C_INCLUDE_PATH := /usr/include
+CPLUS_INCLUDE_PATH := /usr/include
+LD_LIBRARY_PATH := /usr/lib
+
+OSX_VERSION := $(shell sw_vers -productVersion)
+TARGET_FLAGS := -mmacosx-version-min=$(OSX_VERSION) -DMACOSX_DEPLOYMENT_TARGET=$(OSX_VERSION)
+
+ARCH := x86_64
+ARCH_CODE := x86_64
+ARCH_FLAGS_x86_64 := -arch x86_64
+
+CFLAGS := $(TARGET_FLAGS) $(ARCH_FLAGS_${ARCH_CODE})
+LDFLAGS := $(TARGET_FLAGS) $(ARCH_FLAGS_${ARCH_CODE})
+
+PREFIX := /usr/local
+GIT_PREFIX := $(PREFIX)/git
+
+BUILD_CODE := intel-$(ARCH_CODE)
+BUILD_DIR := $(GITHUB_WORKSPACE)/payload
+DESTDIR := $(PWD)/stage/git-$(BUILD_CODE)-$(VERSION)
+ARTIFACTDIR := build_artifacts
+SUBMAKE := $(MAKE) C_INCLUDE_PATH="$(C_INCLUDE_PATH)" CPLUS_INCLUDE_PATH="$(CPLUS_INCLUDE_PATH)" LD_LIBRARY_PATH="$(LD_LIBRARY_PATH)" TARGET_FLAGS="$(TARGET_FLAGS)" CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" NO_GETTEXT=1 NO_DARWIN_PORTS=1 prefix=$(GIT_PREFIX) GIT_BUILT_FROM_COMMIT="$(GIT_BUILT_FROM_COMMIT)" DESTDIR=$(DESTDIR)
+CORES := $(shell bash -c "sysctl hw.ncpu | awk '{print \$$2}'")
+
+.PHONY: image pkg payload
+
+.SECONDARY:
+
+$(DESTDIR)$(GIT_PREFIX)/VERSION-$(VERSION)-$(BUILD_CODE):
+ rm -f $(BUILD_DIR)/git-$(VERSION)/osx-installed*
+ mkdir -p $(DESTDIR)$(GIT_PREFIX)
+ touch $@
+
+$(BUILD_DIR)/git-$(VERSION)/osx-built-keychain:
+ cd $(BUILD_DIR)/git-$(VERSION)/contrib/credential/osxkeychain; $(SUBMAKE) CFLAGS="$(CFLAGS) -g -O2 -Wall"
+ touch $@
+
+$(BUILD_DIR)/git-$(VERSION)/osx-built:
+ [ -d $(DESTDIR)$(GIT_PREFIX) ] && $(SUDO) rm -rf $(DESTDIR) || echo ok
+ cd $(BUILD_DIR)/git-$(VERSION); $(SUBMAKE) -j $(CORES) all strip
+ touch $@
+
+$(BUILD_DIR)/git-$(VERSION)/osx-installed-bin: $(BUILD_DIR)/git-$(VERSION)/osx-built $(BUILD_DIR)/git-$(VERSION)/osx-built-keychain
+ cd $(BUILD_DIR)/git-$(VERSION); $(SUBMAKE) install
+ cp $(BUILD_DIR)/git-$(VERSION)/contrib/credential/osxkeychain/git-credential-osxkeychain $(DESTDIR)$(GIT_PREFIX)/bin/git-credential-osxkeychain
+ mkdir -p $(DESTDIR)$(GIT_PREFIX)/contrib/completion
+ cp $(BUILD_DIR)/git-$(VERSION)/contrib/completion/git-completion.bash $(DESTDIR)$(GIT_PREFIX)/contrib/completion/
+ cp $(BUILD_DIR)/git-$(VERSION)/contrib/completion/git-completion.zsh $(DESTDIR)$(GIT_PREFIX)/contrib/completion/
+ cp $(BUILD_DIR)/git-$(VERSION)/contrib/completion/git-prompt.sh $(DESTDIR)$(GIT_PREFIX)/contrib/completion/
+ # This is needed for Git-Gui, GitK
+ mkdir -p $(DESTDIR)$(GIT_PREFIX)/lib/perl5/site_perl
+ [ ! -f $(DESTDIR)$(GIT_PREFIX)/lib/perl5/site_perl/Error.pm ] && cp $(BUILD_DIR)/git-$(VERSION)/perl/private-Error.pm $(DESTDIR)$(GIT_PREFIX)/lib/perl5/site_perl/Error.pm || echo done
+ touch $@
+
+$(BUILD_DIR)/git-$(VERSION)/osx-installed-man: $(BUILD_DIR)/git-$(VERSION)/osx-installed-bin
+ mkdir -p $(DESTDIR)$(GIT_PREFIX)/share/man
+ cp -R $(GITHUB_WORKSPACE)/manpages/ $(DESTDIR)$(GIT_PREFIX)/share/man
+ touch $@
+
+$(BUILD_DIR)/git-$(VERSION)/osx-built-subtree:
+ cd $(BUILD_DIR)/git-$(VERSION)/contrib/subtree; $(SUBMAKE) XML_CATALOG_FILES="$(XML_CATALOG_FILES)" all git-subtree.1
+ touch $@
+
+$(BUILD_DIR)/git-$(VERSION)/osx-installed-subtree: $(BUILD_DIR)/git-$(VERSION)/osx-built-subtree
+ mkdir -p $(DESTDIR)
+ cd $(BUILD_DIR)/git-$(VERSION)/contrib/subtree; $(SUBMAKE) XML_CATALOG_FILES="$(XML_CATALOG_FILES)" install install-man
+ touch $@
+
+$(BUILD_DIR)/git-$(VERSION)/osx-installed-assets: $(BUILD_DIR)/git-$(VERSION)/osx-installed-bin
+ mkdir -p $(DESTDIR)$(GIT_PREFIX)/etc
+ cat assets/etc/gitconfig.osxkeychain >> $(DESTDIR)$(GIT_PREFIX)/etc/gitconfig
+ cp assets/uninstall.sh $(DESTDIR)$(GIT_PREFIX)/uninstall.sh
+ sh -c "echo .DS_Store >> $(DESTDIR)$(GIT_PREFIX)/share/git-core/templates/info/exclude"
+
+symlinks:
+ mkdir -p $(ARTIFACTDIR)$(PREFIX)/bin
+ cd $(ARTIFACTDIR)$(PREFIX)/bin; find ../git/bin -type f -exec ln -sf {} \;
+ for man in man1 man3 man5 man7; do mkdir -p $(ARTIFACTDIR)$(PREFIX)/share/man/$$man; (cd $(ARTIFACTDIR)$(PREFIX)/share/man/$$man; ln -sf ../../../git/share/man/$$man/* ./); done
+ ruby ../scripts/symlink-git-hardlinks.rb $(ARTIFACTDIR)
+ touch $@
+
+$(BUILD_DIR)/git-$(VERSION)/osx-installed: $(DESTDIR)$(GIT_PREFIX)/VERSION-$(VERSION)-$(BUILD_CODE) $(BUILD_DIR)/git-$(VERSION)/osx-installed-man $(BUILD_DIR)/git-$(VERSION)/osx-installed-assets $(BUILD_DIR)/git-$(VERSION)/osx-installed-subtree
+ find $(DESTDIR)$(GIT_PREFIX) -type d -exec chmod ugo+rx {} \;
+ find $(DESTDIR)$(GIT_PREFIX) -type f -exec chmod ugo+r {} \;
+ touch $@
+
+$(BUILD_DIR)/git-$(VERSION)/osx-built-assert-$(ARCH_CODE): $(BUILD_DIR)/git-$(VERSION)/osx-built
+ifeq ("$(ARCH_CODE)", "universal")
+ File $(BUILD_DIR)/git-$(VERSION)/git
+ File $(BUILD_DIR)/git-$(VERSION)/contrib/credential/osxkeychain/git-credential-osxkeychain
+else
+ [ "$$(File $(BUILD_DIR)/git-$(VERSION)/git | cut -f 5 -d' ')" == "$(ARCH_CODE)" ]
+ [ "$$(File $(BUILD_DIR)/git-$(VERSION)/contrib/credential/osxkeychain/git-credential-osxkeychain | cut -f 5 -d' ')" == "$(ARCH_CODE)" ]
+endif
+ touch $@
+
+disk-image/VERSION-$(VERSION)-$(ARCH_CODE):
+ rm -f disk-image/*.pkg disk-image/VERSION-* disk-image/.DS_Store
+ mkdir disk-image
+ touch "$@"
+
+disk-image/git-$(VERSION)-$(BUILD_CODE).pkg: disk-image/VERSION-$(VERSION)-$(ARCH_CODE) symlinks
+ pkgbuild --identifier com.git.pkg --version $(VERSION) --root $(ARTIFACTDIR)$(PREFIX) --scripts assets/scripts --install-location $(PREFIX) --component-plist ./assets/git-components.plist disk-image/git-$(VERSION)-$(BUILD_CODE).pkg
+
+git-%-$(BUILD_CODE).dmg:
+ hdiutil create git-$(VERSION)-$(BUILD_CODE).uncompressed.dmg -fs HFS+ -srcfolder disk-image -volname "Git $(VERSION) Intel $(ARCH)" -ov
+ hdiutil convert -format UDZO -o $@ git-$(VERSION)-$(BUILD_CODE).uncompressed.dmg
+ rm -f git-$(VERSION)-$(BUILD_CODE).uncompressed.dmg
+
+payload: $(BUILD_DIR)/git-$(VERSION)/osx-installed $(BUILD_DIR)/git-$(VERSION)/osx-built-assert-$(ARCH_CODE)
+
+pkg: disk-image/git-$(VERSION)-$(BUILD_CODE).pkg
+
+image: git-$(VERSION)-$(BUILD_CODE).dmg
diff --git a/.github/macos-installer/assets/etc/gitconfig.osxkeychain b/.github/macos-installer/assets/etc/gitconfig.osxkeychain
new file mode 100644
index 00000000000000..788266b3a40a9d
--- /dev/null
+++ b/.github/macos-installer/assets/etc/gitconfig.osxkeychain
@@ -0,0 +1,2 @@
+[credential]
+ helper = osxkeychain
diff --git a/.github/macos-installer/assets/git-components.plist b/.github/macos-installer/assets/git-components.plist
new file mode 100644
index 00000000000000..78db36777df3ed
--- /dev/null
+++ b/.github/macos-installer/assets/git-components.plist
@@ -0,0 +1,18 @@
+
+
+
+
+
+ BundleHasStrictIdentifier
+
+ BundleIsRelocatable
+
+ BundleIsVersionChecked
+
+ BundleOverwriteAction
+ upgrade
+ RootRelativeBundlePath
+ git/share/git-gui/lib/Git Gui.app
+
+
+
diff --git a/.github/macos-installer/assets/scripts/postinstall b/.github/macos-installer/assets/scripts/postinstall
new file mode 100644
index 00000000000000..94056db9b7b864
--- /dev/null
+++ b/.github/macos-installer/assets/scripts/postinstall
@@ -0,0 +1,62 @@
+#!/bin/bash
+INSTALL_DST="$2"
+SCALAR_C_CMD="$INSTALL_DST/git/bin/scalar"
+SCALAR_DOTNET_CMD="/usr/local/scalar/scalar"
+SCALAR_UNINSTALL_SCRIPT="/usr/local/scalar/uninstall_scalar.sh"
+
+function cleanupScalar()
+{
+ echo "checking whether Scalar was installed"
+ if [ ! -f "$SCALAR_C_CMD" ]; then
+ echo "Scalar not installed; exiting..."
+ return 0
+ fi
+ echo "Scalar is installed!"
+
+ echo "looking for Scalar.NET"
+ if [ ! -f "$SCALAR_DOTNET_CMD" ]; then
+ echo "Scalar.NET not found; exiting..."
+ return 0
+ fi
+ echo "Scalar.NET found!"
+
+ currentUser=$(echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ { print $3 }')
+
+ # Re-register Scalar.NET repositories with the newly-installed Scalar
+ for repo in $($SCALAR_DOTNET_CMD list); do
+ (
+ PATH="$INSTALL_DST/git/bin:$PATH"
+ sudo -u "$currentUser" scalar register $repo || \
+ echo "warning: skipping re-registration of $repo"
+ )
+ done
+
+ # Uninstall Scalar.NET
+ echo "removing Scalar.NET"
+
+ # Add /usr/local/bin to path - default install location of Homebrew
+ PATH="/usr/local/bin:$PATH"
+ if (sudo -u "$currentUser" brew list --cask scalar); then
+ # Remove from Homebrew
+ sudo -u "$currentUser" brew remove --cask scalar || echo "warning: Scalar.NET uninstall via Homebrew completed with code $?"
+ echo "Scalar.NET uninstalled via Homebrew!"
+ elif (sudo -u "$currentUser" brew list --cask scalar-azrepos); then
+ sudo -u "$currentUser" brew remove --cask scalar-azrepos || echo "warning: Scalar.NET with GVFS uninstall via Homebrew completed with code $?"
+ echo "Scalar.NET with GVFS uninstalled via Homebrew!"
+ elif [ -f $SCALAR_UNINSTALL_SCRIPT ]; then
+ # If not installed with Homebrew, manually remove package
+ sudo -S sh $SCALAR_UNINSTALL_SCRIPT || echo "warning: Scalar.NET uninstall completed with code $?"
+ echo "Scalar.NET uninstalled!"
+ else
+ echo "warning: Scalar.NET uninstall script not found"
+ fi
+
+ # Re-create the Scalar symlink, in case it was removed by the Scalar.NET uninstall operation
+ mkdir -p $INSTALL_DST/bin
+ /bin/ln -Fs "$SCALAR_C_CMD" "$INSTALL_DST/bin/scalar"
+}
+
+# Run Scalar cleanup (will exit if not applicable)
+cleanupScalar
+
+exit 0
\ No newline at end of file
diff --git a/.github/macos-installer/assets/uninstall.sh b/.github/macos-installer/assets/uninstall.sh
new file mode 100755
index 00000000000000..4fc79fbaa2e652
--- /dev/null
+++ b/.github/macos-installer/assets/uninstall.sh
@@ -0,0 +1,34 @@
+#!/bin/bash -e
+if [ ! -r "/usr/local/git" ]; then
+ echo "Git doesn't appear to be installed via this installer. Aborting"
+ exit 1
+fi
+
+if [ "$1" != "--yes" ]; then
+ echo "This will uninstall git by removing /usr/local/git/, and symlinks"
+ printf "Type 'yes' if you are sure you wish to continue: "
+ read response
+else
+ response="yes"
+fi
+
+if [ "$response" == "yes" ]; then
+ # remove all of the symlinks we've created
+ pkgutil --files com.git.pkg | grep bin | while read f; do
+ if [ -L /usr/local/$f ]; then
+ sudo rm /usr/local/$f
+ fi
+ done
+
+ # forget receipts.
+ pkgutil --packages | grep com.git.pkg | xargs -I {} sudo pkgutil --forget {}
+ echo "Uninstalled"
+
+ # The guts all go here.
+ sudo rm -rf /usr/local/git/
+else
+ echo "Aborted"
+ exit 1
+fi
+
+exit 0
diff --git a/.github/scripts/run-esrp-signing.py b/.github/scripts/run-esrp-signing.py
new file mode 100644
index 00000000000000..f61a97d2582547
--- /dev/null
+++ b/.github/scripts/run-esrp-signing.py
@@ -0,0 +1,138 @@
+import argparse
+import json
+import os
+import glob
+import pprint
+import subprocess
+import sys
+import re
+
+parser = argparse.ArgumentParser(description='Sign binaries for macOS')
+parser.add_argument('path', help='Path to file for signing')
+parser.add_argument('keycode', help='Platform-specific key code for signing')
+parser.add_argument('opcode', help='Platform-specific operation code for signing')
+# Setting nargs=argparse.REMAINDER allows us to pass in params that begin with `--`
+parser.add_argument('--params', nargs=argparse.REMAINDER, help='Parameters for signing')
+args = parser.parse_args()
+
+esrp_tool = os.path.join("esrp", "tools", "EsrpClient.exe")
+
+aad_id = os.environ['AZURE_AAD_ID'].strip()
+# We temporarily need two AAD IDs, as we're using an SSL certificate associated
+# with an older App Registration until we have the required hardware to approve
+# the new certificate in SSL Admin.
+aad_id_ssl = os.environ['AZURE_AAD_ID_SSL'].strip()
+workspace = os.environ['GITHUB_WORKSPACE'].strip()
+
+source_location = args.path
+files = glob.glob(os.path.join(source_location, "*"))
+
+print("Found files:")
+pprint.pp(files)
+
+auth_json = {
+ "Version": "1.0.0",
+ "AuthenticationType": "AAD_CERT",
+ "TenantId": "72f988bf-86f1-41af-91ab-2d7cd011db47",
+ "ClientId": f"{aad_id}",
+ "AuthCert": {
+ "SubjectName": f"CN={aad_id_ssl}.microsoft.com",
+ "StoreLocation": "LocalMachine",
+ "StoreName": "My"
+ },
+ "RequestSigningCert": {
+ "SubjectName": f"CN={aad_id}",
+ "StoreLocation": "LocalMachine",
+ "StoreName": "My"
+ }
+}
+
+input_json = {
+ "Version": "1.0.0",
+ "SignBatches": [
+ {
+ "SourceLocationType": "UNC",
+ "SourceRootDirectory": source_location,
+ "DestinationLocationType": "UNC",
+ "DestinationRootDirectory": workspace,
+ "SignRequestFiles": [],
+ "SigningInfo": {
+ "Operations": [
+ {
+ "KeyCode": f"{args.keycode}",
+ "OperationCode": f"{args.opcode}",
+ "Parameters": {},
+ "ToolName": "sign",
+ "ToolVersion": "1.0",
+ }
+ ]
+ }
+ }
+ ]
+}
+
+# add files to sign
+for f in files:
+ name = os.path.basename(f)
+ input_json["SignBatches"][0]["SignRequestFiles"].append(
+ {
+ "SourceLocation": name,
+ "DestinationLocation": os.path.join("signed", name),
+ }
+ )
+
+# add parameters to input.json (e.g. enabling the hardened runtime for macOS)
+if args.params is not None:
+ i = 0
+ while i < len(args.params):
+ input_json["SignBatches"][0]["SigningInfo"]["Operations"][0]["Parameters"][args.params[i]] = args.params[i + 1]
+ i += 2
+
+policy_json = {
+ "Version": "1.0.0",
+ "Intent": "production release",
+ "ContentType": "binary",
+}
+
+configs = [
+ ("auth.json", auth_json),
+ ("input.json", input_json),
+ ("policy.json", policy_json),
+]
+
+for filename, data in configs:
+ with open(filename, 'w') as fp:
+ json.dump(data, fp)
+
+# Run ESRP Client
+esrp_out = "esrp_out.json"
+result = subprocess.run(
+ [esrp_tool, "sign",
+ "-a", "auth.json",
+ "-i", "input.json",
+ "-p", "policy.json",
+ "-o", esrp_out,
+ "-l", "Verbose"],
+ capture_output=True,
+ text=True,
+ cwd=workspace)
+
+# Scrub log before printing
+log = re.sub(r'^.+Uploading.*to\s*destinationUrl\s*(.+?),.+$',
+ '***',
+ result.stdout,
+ flags=re.IGNORECASE|re.MULTILINE)
+print(log)
+
+if result.returncode != 0:
+ print("Failed to run ESRPClient.exe")
+ sys.exit(1)
+
+if os.path.isfile(esrp_out):
+ print("ESRP output json:")
+ with open(esrp_out, 'r') as fp:
+ pprint.pp(json.load(fp))
+
+for file in files:
+ if os.path.isfile(os.path.join("signed", file)):
+ print(f"Success!\nSigned {file}")
\ No newline at end of file
diff --git a/.github/scripts/set-up-esrp.ps1 b/.github/scripts/set-up-esrp.ps1
new file mode 100644
index 00000000000000..9bc9699ae8b332
--- /dev/null
+++ b/.github/scripts/set-up-esrp.ps1
@@ -0,0 +1,12 @@
+# Install ESRP client
+az storage blob download --file esrp.zip --account-key "$env:AZURE_STORAGE_KEY" --account-name msftgitesrp --container microsoft-esrp-client --name microsoft.esrpclient.1.2.76.nupkg
+Expand-Archive -Path esrp.zip -DestinationPath .\esrp
+
+# Install certificates
+az keyvault secret download --vault-name "$env:AZURE_VAULT" --name "$env:AUTH_CERT" --file out.pfx
+certutil -f -importpfx out.pfx
+Remove-Item out.pfx
+
+az keyvault secret download --vault-name "$env:AZURE_VAULT" --name "$env:REQUEST_SIGNING_CERT" --file out.pfx
+certutil -f -importpfx out.pfx
+Remove-Item out.pfx
\ No newline at end of file
diff --git a/.github/scripts/symlink-git-hardlinks.rb b/.github/scripts/symlink-git-hardlinks.rb
new file mode 100644
index 00000000000000..174802ccc85d93
--- /dev/null
+++ b/.github/scripts/symlink-git-hardlinks.rb
@@ -0,0 +1,19 @@
+#!/usr/bin/env ruby
+
+install_prefix = ARGV[0]
+puts install_prefix
+git_binary = File.join(install_prefix, '/usr/local/git/bin/git')
+
+[
+ ['git' , File.join(install_prefix, '/usr/local/git/bin')],
+ ['../../bin/git', File.join(install_prefix, '/usr/local/git/libexec/git-core')]
+].each do |link, path|
+ Dir.glob(File.join(path, '*')).each do |file|
+ next if file == git_binary
+ puts "#{file} #{File.size(file)} == #{File.size(git_binary)}"
+ next unless File.size(file) == File.size(git_binary)
+ puts "Symlinking #{file}"
+ puts `ln -sf #{link} #{file}`
+ exit $?.exitstatus if $?.exitstatus != 0
+ end
+end
\ No newline at end of file
diff --git a/.github/workflows/build-git-installers.yml b/.github/workflows/build-git-installers.yml
index f264af0efa9ff0..1b24accf990e05 100644
--- a/.github/workflows/build-git-installers.yml
+++ b/.github/workflows/build-git-installers.yml
@@ -292,8 +292,8 @@ jobs:
path: artifacts
# End build Windows installers
- # Build Mac OSX installers & upload artifacts
- mac_artifacts:
+ # Build and sign Mac OSX installers & upload artifacts
+ osx_build:
runs-on: macos-latest
needs: prereqs
env:
@@ -302,88 +302,286 @@ jobs:
CFLAGS: -I/usr/local/opt/gettext/include
# To make use of the catalogs...
XML_CATALOG_FILES: /usr/local/etc/xml/catalog
- # Enable a bit stricter compile flags
- DEVELOPER: 1
- # For the osx-installer build
- OSX_VERSION: 10.15
- V: 1
+ VERSION: "${{ needs.prereqs.outputs.tag_version }}"
steps:
- - name: Install git dependencies
+ - name: Check out repository
+ uses: actions/checkout@v3
+ with:
+ path: 'git'
+
+ - name: Install Git dependencies
run: |
set -x
- brew install automake asciidoc xmlto
+ brew install automake asciidoc xmlto docbook
brew link --force gettext
- - name: Clone git
- uses: actions/checkout@v2
- with:
- path: 'git'
- - name: Build GIT-VERSION-FILE and .tar.gz files
+
+ - name: Build payload
run: |
+ # Configure the environment
set -x
PATH=/usr/local/bin:$PATH
+ export CURL_LDFLAGS=$(curl-config --libs)
# Write to "version" file to force match with trigger payload version
echo "${{ needs.prereqs.outputs.tag_version }}" >>git/version
make -C git -j$(sysctl -n hw.physicalcpu) GIT-VERSION-FILE dist dist-doc
- - name: Clone installer repository
- uses: actions/checkout@v2
- with:
- path: 'git_osx_installer'
- repository: 'derrickstolee/git_osx_installer'
- - name: Bundle .dmg
- run: |
- die () {
- echo "$*" >&2
- exit 1
- }
- # Configure the environment
- export CURL_LDFLAGS=$(curl-config --libs)
- export VERSION="${{ needs.prereqs.outputs.tag_version }}"
+ export GIT_BUILT_FROM_COMMIT=$(gunzip -c git/git-$VERSION.tar.gz | git get-tar-commit-id) ||
+ die "Could not determine commit for build"
- dir=git_osx_installer/git-$VERSION
- test ! -e $dir ||
- rm $dir ||
- die "Could not remove $dir"
- ln -s .. $dir
+ # Extract tarballs
+ mkdir payload manpages
+ tar -xvf git/git-$VERSION.tar.gz -C payload
+ tar -xvf git/git-manpages-$VERSION.tar.gz -C manpages
- mkdir -p git_osx_installer/build &&
- cp git/git-$VERSION.tar.gz git/git-manpages-$VERSION.tar.gz git_osx_installer/build/ ||
- die "Could not copy .tar.gz files"
+ # Lay out payload
+ make -C git/.github/macos-installer V=1 payload
- GIT_BUILT_FROM_COMMIT=$(gunzip -c git/git-$VERSION.tar.gz | git get-tar-commit-id) ||
- die "Could not determine commit for build"
+ # This step is necessary because we cannot use the $VERSION
+ # environment variable or the tag_version output from the prereqs
+ # job in the upload-artifact task.
+ mkdir -p build_artifacts
+ cp -R stage/git-intel-x86_64-$VERSION/ build_artifacts
- # drop the -isysroot `GIT_SDK` hack
- sed -i .bak -e 's/ -isysroot .(SDK_PATH)//' git_osx_installer/Makefile || die "Could not drop the -isysroot hack"
+ # We keep a list of executable files because their executable bits are
+ # removed when they are zipped, and we need to re-add.
+ find build_artifacts -type f -a -perm -u=x >executable-files.txt
- # make sure that .../usr/local/git/share/man/ exists
- sed -i .bak -e 's/\(tar .*-C \)\(.*\/share\/man\)$/mkdir -p \2 \&\& &/' git_osx_installer/Makefile || die "Could not edit git_osx_installer/Makefile"
- cat git_osx_installer/Makefile
+ - name: Upload macOS artifacts
+ uses: actions/upload-artifact@v3
+ with:
+ name: tmp.osx-build
+ path: |
+ build_artifacts
- make -C git_osx_installer vars
+ - name: Upload list of executable files
+ uses: actions/upload-artifact@v3
+ with:
+ name: tmp.executable-files
+ path: |
+ executable-files.txt
+
+ osx_sign_payload:
+ # ESRP service requires signing to run on Windows
+ runs-on: windows-latest
+ needs: osx_build
+ steps:
+ - name: Check out repository
+ uses: actions/checkout@v3
+ with:
+ path: 'git'
+
+ - name: Download unsigned build artifiacts
+ uses: actions/download-artifact@v3
+ with:
+ name: tmp.osx-build
+ path: build_artifacts
+
+ - name: Zip unsigned build artifacts
+ shell: pwsh
+ run: |
+ Compress-Archive -Path build_artifacts build_artifacts/build_artifacts.zip
+ cd build_artifacts
+ Get-ChildItem -Exclude build_artifacts.zip | Remove-Item -Recurse -Force
+
+ - uses: azure/login@v1
+ with:
+ creds: ${{ secrets.AZURE_CREDENTIALS }}
+
+ - name: Set up ESRP client
+ shell: pwsh
+ env:
+ AZURE_STORAGE_KEY: ${{ secrets.AZURE_STORAGE_KEY }}
+ AZURE_VAULT: ${{ secrets.AZURE_VAULT }}
+ AUTH_CERT: ${{ secrets.AZURE_VAULT_AUTH_CERT_NAME }}
+ REQUEST_SIGNING_CERT: ${{ secrets.AZURE_VAULT_REQUEST_SIGNING_CERT_NAME }}
+ run: |
+ git\.github\scripts\set-up-esrp.ps1
+
+ - name: Run ESRP client
+ shell: pwsh
+ env:
+ AZURE_AAD_ID: ${{ secrets.AZURE_AAD_ID }}
+ # We temporarily need two AAD IDs, as we're using an SSL certificate associated
+ # with an older App Registration until we have the required hardware to approve
+ # the new certificate in SSL Admin.
+ AZURE_AAD_ID_SSL: ${{ secrets.AZURE_AAD_ID_SSL }}
+ APPLE_KEY_CODE: ${{ secrets.APPLE_KEY_CODE }}
+ APPLE_SIGNING_OP_CODE: ${{ secrets.APPLE_SIGNING_OPERATION_CODE }}
+ run: |
+ python git\.github\scripts\run-esrp-signing.py build_artifacts `
+ $env:APPLE_KEY_CODE $env:APPLE_SIGNING_OP_CODE `
+ --params 'Hardening' '--options=runtime'
+
+ - name: Unzip signed build artifacts
+ shell: pwsh
+ run: |
+ Expand-Archive signed/build_artifacts.zip -DestinationPath signed
+ Remove-Item signed/build_artifacts.zip
+
+ - name: Upload signed payload
+ uses: actions/upload-artifact@v3
+ with:
+ name: osx-signed-payload
+ path: |
+ signed
+
+ osx_pack:
+ runs-on: macos-latest
+ needs: [prereqs, osx_sign_payload]
+ steps:
+ - name: Check out repository
+ uses: actions/checkout@v3
+ with:
+ path: 'git'
- PATH=/usr/local/bin:/System/Library/Frameworks:$PATH \
- make -C git_osx_installer \
- OSX_VERSION=10.15 C_INCLUDE_PATH="$C_INCLUDE_PATH" V=1 \
- build/intel-x86_64-catalina/git-$VERSION/osx-built-keychain ||
- die "Build failed"
+ - name: Download signed artifacts
+ uses: actions/download-artifact@v3
+ with:
+ name: osx-signed-payload
+
+ - name: Download list of executable files
+ uses: actions/download-artifact@v3
+ with:
+ name: tmp.executable-files
+
+ - name: Build macOS pkg
+ env:
+ VERSION: "${{ needs.prereqs.outputs.tag_version }}"
+ run: |
+ # Install findutils to use gxargs below
+ brew install findutils
+ # Configure the environment
+ export CURL_LDFLAGS=$(curl-config --libs)
+
+ # Add executable bits and move build_artifacts into
+ # the same directory as Makefile (so that executable bits
+ # will be recognized).
+ gxargs -r -d '\n' chmod a+x