Hack sidechain into Valentine #903

Workflow file for this run

.github/workflows/cmake_ctest.yml at d629947

	name: Valentine

	on:
	workflow_dispatch: # lets you run a build from the UI
	push:

	# When pushing new commits, cancel any running builds on that branch
	concurrency:
	group: ${{ github.ref }}
	cancel-in-progress: true

	env:
	PROJECT_NAME: Valentine
	BUILD_TYPE: Release
	BUILD_DIR: Builds
	SCRIPTS_DIR: scripts
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	DISPLAY: :0 # linux pluginval needs this
	CMAKE_BUILD_PARALLEL_LEVEL: 3 # Use up to 3 cpus to build juceaide, etc
	HOMEBREW_NO_INSTALL_CLEANUP: 1

	# jobs are run in paralell on different machines
	# all steps run in series
	jobs:
	build_and_test:
	name: ${{ matrix.name }}
	runs-on: ${{ matrix.os }}
	strategy:
	fail-fast: false # show all errors for each platform (vs. cancel jobs on error)
	matrix:
	include:
	- name: Linux
	os: ubuntu-22.04
	pluginval-binary: ./pluginval
	pluginval-strictness: 10
	- name: macOS
	os: macos-12
	pluginval-binary: pluginval.app/Contents/MacOS/pluginval
	pluginval-strictness: 10
	- name: windows
	os: windows-latest
	pluginval-binary: ./pluginval.exe
	pluginval-strictness: 10

	steps:
	- name: Set up Clang
	if: ${{ matrix.name != 'macOS' }}
	uses: egor-tensin/setup-clang@v1.4

	- name: Install JUCE's Linux Deps
	if: runner.os == 'Linux'
	# Thanks to McMartin & co https://forum.juce.com/t/list-of-juce-dependencies-under-linux/15121/44
	run: \|
	sudo apt-get update && sudo apt install libasound2-dev libx11-dev libxinerama-dev libxext-dev libfreetype6-dev libwebkit2gtk-4.0-dev libglu1-mesa-dev xvfb fluxbox ninja-build
	sudo /usr/bin/Xvfb $DISPLAY &

	# This lets us use sscache on Windows
	# We need to install ccache here for Windows to grab the right version
	- name: Install Ninja (Windows)
	if: runner.os == 'Windows'
	shell: bash
	run: choco install ninja ccache

	- name: Install macOS Deps
	if: ${{ matrix.name == 'macOS' }}
	run: brew install ninja osxutils

	- name: Checkout
	uses: actions/checkout@v3.3.0
	with:
	submodules: true # Gotta get JUCE populated

	- name: Setup Environment Variables
	shell: bash
	run: \|
	VERSION=$(cat VERSION)
	echo "ARTIFACTS_PATH=${{ env.BUILD_DIR }}/${{ env.PROJECT_NAME }}_artefacts/${{ env.BUILD_TYPE }}" >> $GITHUB_ENV
	echo "VST3_PATH=${{ env.PROJECT_NAME }}_artefacts/${{ env.BUILD_TYPE }}/VST3/${{ env.PROJECT_NAME }}.vst3" >> $GITHUB_ENV
	echo "AU_PATH=${{ env.PROJECT_NAME }}_artefacts/${{ env.BUILD_TYPE }}/AU/${{ env.PROJECT_NAME }}.component" >> $GITHUB_ENV
	echo "AUV3_PATH=${{ env.PROJECT_NAME }}_artefacts/${{ env.BUILD_TYPE }}/AUv3/${{ env.PROJECT_NAME }}.appex" >> $GITHUB_ENV
	PRODUCTFILE=`echo ${{ env.PROJECT_NAME }} \| tr ' ' '-' \| tr '[:upper:]' '[:lower:]'`
	echo "OUTPUT_FILENAME=$PRODUCTFILE-$VERSION-${{ matrix.name }}" >> $GITHUB_ENV
	echo "VERSION_NUMBER=$VERSION" >> $GITHUB_ENV

	- name: Ccache for gh actions
	uses: hendrikmuhs/ccache-action@v1.2.8
	with:
	key: v2-${{ matrix.os }}-${{ matrix.type }}

	- name: Setup Keychain and Import Signing Certificates
	if: ${{ matrix.name == 'macOS' }}
	shell: bash
	env:
	TEAM_ID: ${{ secrets.TEAM_ID }}
	APP_SPECIFIC_PWD: ${{ secrets.NOTARIZATION_PASSWORD }}
	APP_CERT_PWD: ${{ secrets.DEV_ID_APP_PASSWORD }}
	APP_CERT_BASE64: ${{ secrets.DEV_ID_APP_CERT}}
	APP_CERT_PATH: ${{ runner.temp }}/app_certificate.p12
	INSTALL_CERT_PWD: ${{ secrets. DEV_ID_INSTALL_PASSWORD }}
	INSTALL_CERT_BASE64: ${{ secrets.DEV_ID_INSTALL_CERT }}
	INSTALL_CERT_PATH: ${{ runner.temp }}/install_certificate.p12
	KEYCHAINPWD: ${{ secrets.MACOS_CI_KEYCHAIN_PWD }}
	KEYCHAINPATH: ${{ runner.temp }}/app-signing.keychain-db
	# create and setup a temporary keychain, then decode the certificate and setup creditials for codesigning and notarization
	run: \|
	security create-keychain -p "$KEYCHAINPWD" "$KEYCHAINPATH"

	# lock the keychain after a 6 hour timeout
	security set-keychain-settings -lut 21600 "$KEYCHAINPATH"

	# prevent keychain access from prompting for password when importing our certificate
	security unlock-keychain -p "$KEYCHAINPWD" "$KEYCHAINPATH"

	# certificates need to be decoded before use
	echo -n "$APP_CERT_BASE64" \| base64 --decode --output $APP_CERT_PATH
	echo -n "$INSTALL_CERT_BASE64" \| base64 --decode --output $INSTALL_CERT_PATH

	# import certificates into the temp keychain
	security import "$APP_CERT_PATH" -P "$APP_CERT_PWD" -t cert -f pkcs12 -k "$KEYCHAINPATH" -A -T /usr/bin/codesign -T /usr/bin/security
	security import "$INSTALL_CERT_PATH" -P "$INSTALL_CERT_PWD" -t cert -f pkcs12 -k "$KEYCHAINPATH" -A -T /usr/bin/codesign -T /usr/bin/security

	# allow codesign to access keychain without password prompt
	security set-key-partition-list -S apple-tool:,apple:, -k "$KEYCHAINPWD" "$KEYCHAINPATH"

	# Update the keychain list with our newly created temp keychain
	security list-keychains -d user -s "$KEYCHAINPATH" login.keychain

	- name: Configure
	shell: bash
	run: cmake -B ${{ env.BUILD_DIR }} -G Ninja -DCMAKE_BUILD_TYPE=${{ env.BUILD_TYPE}} -DCMAKE_C_COMPILER_LAUNCHER=ccache -DCMAKE_CXX_COMPILER_LAUNCHER=ccache -DCMAKE_OSX_ARCHITECTURES="arm64;x86_64" .

	- name: Build
	shell: bash
	run: cmake --build ${{ env.BUILD_DIR }} --config ${{ env.BUILD_TYPE }} --parallel 4

	- name: Test
	working-directory: ${{ env.BUILD_DIR }}
	run: ctest --output-on-failure -j4

	- name: Pluginval
	working-directory: ${{ env.BUILD_DIR }}
	shell: bash
	run: \|
	curl -LO "https://github.com/Tracktion/pluginval/releases/download/v1.0.3/pluginval_${{ matrix.name }}.zip"
	7z x pluginval_${{ matrix.name }}.zip
	${{ matrix.pluginval-binary }} --strictness-level ${{ matrix.pluginval-strictness }} --verbose --validate "${{ env.VST3_PATH }}"

	- name: Codesign (macOS)
	working-directory: ${{ env.BUILD_DIR }}
	if: ${{ matrix.name == 'macOS' }}
	run: \|
	# Each plugin must be code signed
	codesign --force -s "${{ secrets.DEVELOPER_ID_APPLICATION}}" -v ${{ env.VST3_PATH }} --deep --strict --options=runtime --timestamp
	codesign --force -s "${{ secrets.DEVELOPER_ID_APPLICATION}}" -v ${{ env.AU_PATH }} --deep --strict --options=runtime --timestamp

	- name: Create Installer Package (macOS)
	if: ${{ matrix.name == 'macOS' }}
	shell: bash
	env:
	INSTALLER_DIR: "${{env.SCRIPTS_DIR}}/installer_mac"
	PRODUCT: ${{ env.PROJECT_NAME }}
	INPUT_DIR: ${{ env.ARTIFACTS_PATH }}
	RESOURCES_DIR: "${{env.SCRIPTS_DIR}}/installer_mac/resources"
	OUTPUT_DIR: "${{ runner.temp }}/mac_installer_output"
	VERSION: ${{ env.VERSION_NUMBER }}
	SIGNING_ID: ${{ secrets.DEVELOPER_ID_INSTALLER}}
	run: \|

	mkdir -p "$OUTPUT_DIR"

	# creates a signed package and outputs it in a disk image, ready for notarization and staple.
	$INSTALLER_DIR/make_installer.sh "$PRODUCT" \
	"$INPUT_DIR" \
	"$RESOURCES_DIR" \
	"$OUTPUT_DIR" \
	"$VERSION" \
	"$SIGNING_ID"

	- name: Create Installer dmg (macOS)
	if: ${{ matrix.name == 'macOS' }}
	run: \|

	hdiutil create /tmp/tmp.dmg -ov -volname "${{ env.OUTPUT_FILENAME }}" -fs HFS+ -srcfolder "${{ runner.temp }}/mac_installer_output/"
	hdiutil convert /tmp/tmp.dmg -format UDZO -o "${{ runner.temp }}/${{ env.OUTPUT_FILENAME }}.dmg"

	- name: Notarize and Staple (macOS)
	if: ${{ matrix.name == 'macOS' }}
	run: \|

	codesign -s "${{ secrets.DEVELOPER_ID_APPLICATION}}" --timestamp -i com.ToteBagLabs.Valentine --force "${{ runner.temp }}/${{ env.OUTPUT_FILENAME }}.dmg"
	xcrun notarytool submit "${{ runner.temp }}/${{ env.OUTPUT_FILENAME }}.dmg" --apple-id ${{ secrets.NOTARIZATION_USERNAME }} --password ${{ secrets.NOTARIZATION_PASSWORD }} --team-id ${{ secrets.TEAM_ID }} --wait
	xcrun stapler staple "${{ runner.temp }}/${{ env.OUTPUT_FILENAME }}.dmg"

	- name: Cleanup Keychain
	if: ${{ matrix.name == 'macOS' }}
	shell: bash
	env:
	KEYCHAINPATH: ${{ runner.temp }}/app-signing.keychain-db
	run: \|
	security delete-keychain "$KEYCHAINPATH"

	# default to user login keychain
	security list-keychains -d user -s login.keychain

	- name: Zip
	if: ${{ matrix.name == 'Linux' }}
	working-directory: ${{ env.ARTIFACTS_PATH }}
	run: 7z a -tzip ${{ env.OUTPUT_FILENAME }}.zip .

	- name: Generate Installer (Windows) # and Sign with EV cert on Azure (Windows)
	if: ${{ matrix.name == 'Windows' }}
	shell: bash
	env:
	INSTALLER_DIR: "scripts/installer_win"
	run: \|
	iscc "$INSTALLER_DIR/installer.iss"
	mv "$INSTALLER_DIR/Output/${{ env.OUTPUT_FILENAME }}.exe" "${{ env.ARTIFACTS_PATH }}/"
	# dotnet tool install --global AzureSignTool
	# AzureSignTool sign -kvu "${{ secrets.AZURE_KEY_VAULT_URI }}" -kvi "${{ secrets.AZURE_CLIENT_ID }}" -kvt "${{ secrets.AZURE_TENANT_ID }}" -kvs "${{ secrets.AZURE_CLIENT_SECRET }}" -kvc ${{ secrets.AZURE_CERT_NAME }} -tr http://timestamp.digicert.com -v "${{ env.ARTIFACTS_PATH }}/${{ env.OUTPUT_FILENA }}.exe"

	- name: Upload Exe (Windows)
	if: ${{ matrix.name == 'Windows' }}
	uses: actions/upload-artifact@v3
	with:
	name: ${{ env.OUTPUT_FILENAME }}.exe
	path: '${{ env.ARTIFACTS_PATH }}/${{ env.OUTPUT_FILENAME }}.exe'

	- name: Upload Zip (Linux)
	if: ${{ matrix.name == 'Linux' }}
	uses: actions/upload-artifact@v3
	with:
	name: ${{ env.OUTPUT_FILENAME }}.zip
	path: '${{ env.ARTIFACTS_PATH }}/${{ env.OUTPUT_FILENAME }}.zip'

	- name: Upload DMG (MacOS)
	if: ${{ matrix.name == 'macOS' }}
	uses: actions/upload-artifact@v3
	with:
	name: ${{ env.OUTPUT_FILENAME }}.dmg
	path: ${{ runner.temp }}/${{ env.OUTPUT_FILENAME }}.dmg


	release:
	if: contains(github.ref, 'tags/v')
	runs-on: ubuntu-latest
	needs: build_and_test

	steps:
	- name: Get Artifacts
	uses: actions/download-artifact@v3

	- name: Create Release
	uses: softprops/action-gh-release@v0.1.15
	with:
	prerelease: true
	# download-artifact puts these files in their own dirs...
	# Using globs sidesteps having to pass the version around
	files: \|
	/.exe
	/.zip
	/.dmg

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Hack sidechain into Valentine #903

Workflow file

Hack sidechain into Valentine #903

Jobs

Run details

Workflow file for this run