Skip to content

try a thing

try a thing #574

Workflow file for this run

name: Valentine
on:
workflow_dispatch: # lets you run a build from the UI
push:
# When pushing new commits, cancel any running builds on that branch
concurrency:
group: ${{ github.ref }}
cancel-in-progress: true
env:
PROJECT_NAME: Valentine
BUILD_TYPE: Release
BUILD_DIR: Builds
SCRIPTS_DIR: scripts
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
DISPLAY: :0 # linux pluginval needs this
CMAKE_BUILD_PARALLEL_LEVEL: 3 # Use up to 3 cpus to build juceaide, etc
HOMEBREW_NO_INSTALL_CLEANUP: 1
# jobs are run in paralell on different machines
# all steps run in series
jobs:
build_and_test:
name: ${{ matrix.name }}
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false # show all errors for each platform (vs. cancel jobs on error)
matrix:
include:
- name: Linux
os: ubuntu-22.04
pluginval-binary: ./pluginval
pluginval-strictness: 10
- name: macOS
os: macos-12
pluginval-binary: pluginval.app/Contents/MacOS/pluginval
pluginval-strictness: 10
- name: windows
os: windows-latest
pluginval-binary: ./pluginval.exe
pluginval-strictness: 10
steps:
- name: Set up Clang
if: ${{ matrix.name != 'macOS' }}
uses: egor-tensin/setup-clang@v1.4
- name: Install JUCE's Linux Deps
if: runner.os == 'Linux'
# Thanks to McMartin & co https://forum.juce.com/t/list-of-juce-dependencies-under-linux/15121/44
run: |
sudo apt-get update && sudo apt install libasound2-dev libx11-dev libxinerama-dev libxext-dev libfreetype6-dev libwebkit2gtk-4.0-dev libglu1-mesa-dev xvfb fluxbox ninja-build
# downgrade gcc to workaround 22.04 and C++20 issue
# see: https://github.com/actions/runner-images/issues/8659
sudo rm -f /etc/apt/sources.list.d/ubuntu-toolchain-r-ubuntu-test-jammy.list
sudo apt-get update
sudo apt-get install -y --allow-downgrades libc6=2.35-0ubuntu3.5 libc6-dev=2.35-0ubuntu3.5 libstdc++6=12.3.0-1ubuntu1~22.04 libgcc-s1=12.3.0-1ubuntu1~22.04
sudo /usr/bin/Xvfb $DISPLAY &
# This lets us use sscache on Windows
# We need to install ccache here for Windows to grab the right version
- name: Install Ninja (Windows)
if: runner.os == 'Windows'
shell: bash
run: choco install ninja ccache
- name: Install macOS Deps
if: ${{ matrix.name == 'macOS' }}
run: brew install ninja osxutils
- name: Checkout
uses: actions/checkout@v3.3.0
with:
submodules: true # Gotta get JUCE populated
- name: Setup Environment Variables
shell: bash
run: |
VERSION=$(cat VERSION)
echo "ARTIFACTS_PATH=${{ env.BUILD_DIR }}/${{ env.PROJECT_NAME }}_artefacts/${{ env.BUILD_TYPE }}" >> $GITHUB_ENV
echo "VST3_PATH=${{ env.PROJECT_NAME }}_artefacts/${{ env.BUILD_TYPE }}/VST3/${{ env.PROJECT_NAME }}.vst3" >> $GITHUB_ENV
echo "AU_PATH=${{ env.PROJECT_NAME }}_artefacts/${{ env.BUILD_TYPE }}/AU/${{ env.PROJECT_NAME }}.component" >> $GITHUB_ENV
echo "AUV3_PATH=${{ env.PROJECT_NAME }}_artefacts/${{ env.BUILD_TYPE }}/AUv3/${{ env.PROJECT_NAME }}.appex" >> $GITHUB_ENV
PRODUCTFILE=`echo ${{ env.PROJECT_NAME }} | tr ' ' '-' | tr '[:upper:]' '[:lower:]'`
echo "OUTPUT_FILENAME=$PRODUCTFILE-$VERSION-${{ matrix.name }}" >> $GITHUB_ENV
echo "VERSION_NUMBER=$VERSION" >> $GITHUB_ENV
- name: Ccache for gh actions
uses: hendrikmuhs/ccache-action@v1.2.8
with:
key: v2-${{ matrix.os }}-${{ matrix.type }}
- name: Setup Keychain and Import Signing Certificates
if: ${{ matrix.name == 'macOS' }}
shell: bash
env:
TEAM_ID: ${{ secrets.TEAM_ID }}
APP_SPECIFIC_PWD: ${{ secrets.NOTARIZATION_PASSWORD }}
APP_CERT_PWD: ${{ secrets.DEV_ID_APP_PASSWORD }}
APP_CERT_BASE64: ${{ secrets.DEV_ID_APP_CERT}}
APP_CERT_PATH: ${{ runner.temp }}/app_certificate.p12
INSTALL_CERT_PWD: ${{ secrets. DEV_ID_INSTALL_PASSWORD }}
INSTALL_CERT_BASE64: ${{ secrets.DEV_ID_INSTALL_CERT }}
INSTALL_CERT_PATH: ${{ runner.temp }}/install_certificate.p12
KEYCHAINPWD: ${{ secrets.MACOS_CI_KEYCHAIN_PWD }}
KEYCHAINPATH: ${{ runner.temp }}/app-signing.keychain-db
# create and setup a temporary keychain, then decode the certificate and setup creditials for codesigning and notarization
run: |
security create-keychain -p "$KEYCHAINPWD" "$KEYCHAINPATH"
# lock the keychain after a 6 hour timeout
security set-keychain-settings -lut 21600 "$KEYCHAINPATH"
# prevent keychain access from prompting for password when importing our certificate
security unlock-keychain -p "$KEYCHAINPWD" "$KEYCHAINPATH"
# certificates need to be decoded before use
echo -n "$APP_CERT_BASE64" | base64 --decode --output $APP_CERT_PATH
echo -n "$INSTALL_CERT_BASE64" | base64 --decode --output $INSTALL_CERT_PATH
# import certificates into the temp keychain
security import "$APP_CERT_PATH" -P "$APP_CERT_PWD" -t cert -f pkcs12 -k "$KEYCHAINPATH" -A -T /usr/bin/codesign -T /usr/bin/security
security import "$INSTALL_CERT_PATH" -P "$INSTALL_CERT_PWD" -t cert -f pkcs12 -k "$KEYCHAINPATH" -A -T /usr/bin/codesign -T /usr/bin/security
# allow codesign to access keychain without password prompt
security set-key-partition-list -S apple-tool:,apple:, -k "$KEYCHAINPWD" "$KEYCHAINPATH"
# Update the keychain list with our newly created temp keychain
security list-keychains -d user -s "$KEYCHAINPATH" login.keychain
- name: Configure
shell: bash
run: cmake -B ${{ env.BUILD_DIR }} -G Ninja -DCMAKE_BUILD_TYPE=${{ env.BUILD_TYPE}} -DCMAKE_C_COMPILER_LAUNCHER=ccache -DCMAKE_CXX_COMPILER_LAUNCHER=ccache -DCMAKE_OSX_ARCHITECTURES="arm64;x86_64" .
- name: Build
shell: bash
run: cmake --build ${{ env.BUILD_DIR }} --config ${{ env.BUILD_TYPE }} --parallel 4
- name: Test
working-directory: ${{ env.BUILD_DIR }}
run: ctest --output-on-failure -j4
- name: Pluginval
working-directory: ${{ env.BUILD_DIR }}
shell: bash
run: |
curl -LO "https://github.com/Tracktion/pluginval/releases/download/v1.0.3/pluginval_${{ matrix.name }}.zip"
7z x pluginval_${{ matrix.name }}.zip
${{ matrix.pluginval-binary }} --strictness-level ${{ matrix.pluginval-strictness }} --verbose --validate "${{ env.VST3_PATH }}"
- name: Codesign (macOS)
working-directory: ${{ env.BUILD_DIR }}
if: ${{ matrix.name == 'macOS' }}
run: |
# Each plugin must be code signed
codesign --force -s "${{ secrets.DEVELOPER_ID_APPLICATION}}" -v ${{ env.VST3_PATH }} --deep --strict --options=runtime --timestamp
codesign --force -s "${{ secrets.DEVELOPER_ID_APPLICATION}}" -v ${{ env.AU_PATH }} --deep --strict --options=runtime --timestamp
- name: Create Installer Package (macOS)
if: ${{ matrix.name == 'macOS' }}
shell: bash
env:
INSTALLER_DIR: "${{env.SCRIPTS_DIR}}/installer_mac"
PRODUCT: ${{ env.PROJECT_NAME }}
INPUT_DIR: ${{ env.ARTIFACTS_PATH }}
RESOURCES_DIR: "${{env.SCRIPTS_DIR}}/installer_mac/resources"
OUTPUT_DIR: "${{ runner.temp }}/mac_installer_output"
VERSION: ${{ env.VERSION_NUMBER }}
SIGNING_ID: ${{ secrets.DEVELOPER_ID_INSTALLER}}
run: |
mkdir -p "$OUTPUT_DIR"
# creates a signed package and outputs it in a disk image, ready for notarization and staple.
$INSTALLER_DIR/make_installer.sh "$PRODUCT" \
"$INPUT_DIR" \
"$RESOURCES_DIR" \
"$OUTPUT_DIR" \
"$VERSION" \
"$SIGNING_ID"
- name: Create Installer dmg (macOS)
if: ${{ matrix.name == 'macOS' }}
run: |
hdiutil create /tmp/tmp.dmg -ov -volname "${{ env.OUTPUT_FILENAME }}" -fs HFS+ -srcfolder "${{ runner.temp }}/mac_installer_output/"
hdiutil convert /tmp/tmp.dmg -format UDZO -o "${{ runner.temp }}/${{ env.OUTPUT_FILENAME }}.dmg"
- name: Notarize and Staple (macOS)
if: ${{ matrix.name == 'macOS' }}
run: |
codesign -s "${{ secrets.DEVELOPER_ID_APPLICATION}}" --timestamp -i com.ToteBagLabs.Valentine --force "${{ runner.temp }}/${{ env.OUTPUT_FILENAME }}.dmg"
xcrun notarytool submit "${{ runner.temp }}/${{ env.OUTPUT_FILENAME }}.dmg" --apple-id ${{ secrets.NOTARIZATION_USERNAME }} --password ${{ secrets.NOTARIZATION_PASSWORD }} --team-id ${{ secrets.TEAM_ID }} --wait
xcrun stapler staple "${{ runner.temp }}/${{ env.OUTPUT_FILENAME }}.dmg"
- name: Cleanup Keychain
if: ${{ matrix.name == 'macOS' }}
shell: bash
env:
KEYCHAINPATH: ${{ runner.temp }}/app-signing.keychain-db
run: |
security delete-keychain "$KEYCHAINPATH"
# default to user login keychain
security list-keychains -d user -s login.keychain
- name: Zip
if: ${{ matrix.name == 'Linux' }}
working-directory: ${{ env.ARTIFACTS_PATH }}
run: 7z a -tzip ${{ env.OUTPUT_FILENAME }}.zip .
- name: Generate Installer (Windows) # and Sign with EV cert on Azure (Windows)
if: ${{ matrix.name == 'Windows' }}
shell: bash
env:
INSTALLER_DIR: "scripts/installer_win"
run: |
iscc "$INSTALLER_DIR/installer.iss"
mv "$INSTALLER_DIR/Output/${{ env.OUTPUT_FILENAME }}.exe" "${{ env.ARTIFACTS_PATH }}/"
# dotnet tool install --global AzureSignTool
# AzureSignTool sign -kvu "${{ secrets.AZURE_KEY_VAULT_URI }}" -kvi "${{ secrets.AZURE_CLIENT_ID }}" -kvt "${{ secrets.AZURE_TENANT_ID }}" -kvs "${{ secrets.AZURE_CLIENT_SECRET }}" -kvc ${{ secrets.AZURE_CERT_NAME }} -tr http://timestamp.digicert.com -v "${{ env.ARTIFACTS_PATH }}/${{ env.OUTPUT_FILENA }}.exe"
- name: Upload Exe (Windows)
if: ${{ matrix.name == 'Windows' }}
uses: actions/upload-artifact@v3
with:
name: ${{ env.OUTPUT_FILENAME }}.exe
path: '${{ env.ARTIFACTS_PATH }}/${{ env.OUTPUT_FILENAME }}.exe'
- name: Upload Zip (Linux)
if: ${{ matrix.name == 'Linux' }}
uses: actions/upload-artifact@v3
with:
name: ${{ env.OUTPUT_FILENAME }}.zip
path: '${{ env.ARTIFACTS_PATH }}/${{ env.OUTPUT_FILENAME }}.zip'
- name: Upload DMG (MacOS)
if: ${{ matrix.name == 'macOS' }}
uses: actions/upload-artifact@v3
with:
name: ${{ env.OUTPUT_FILENAME }}.dmg
path: ${{ runner.temp }}/${{ env.OUTPUT_FILENAME }}.dmg
release:
if: contains(github.ref, 'tags/v')
runs-on: ubuntu-latest
needs: build_and_test
steps:
- name: Get Artifacts
uses: actions/download-artifact@v3
- name: Create Release
uses: softprops/action-gh-release@v0.1.15
with:
prerelease: true
# download-artifact puts these files in their own dirs...
# Using globs sidesteps having to pass the version around
files: |
*/*.exe
*/*.zip
*/*.dmg