diff --git a/.github/workflows/pull_request_check.yml b/.github/workflows/pull_request_check.yml index eec5f4ec..c8de3498 100644 --- a/.github/workflows/pull_request_check.yml +++ b/.github/workflows/pull_request_check.yml @@ -91,7 +91,7 @@ jobs: if: matrix.os == 'windows-latest' uses: actions/upload-artifact@v4 with: - name: aspect-model-editor-vDEV-SNAPSHOT-win + name: ame-backend-win path: | aspect-model-editor-runtime/target/ame-backend-DEV-SNAPSHOT-win.exe aspect-model-editor-runtime/target/*.dll @@ -102,7 +102,7 @@ jobs: if: matrix.os == 'ubuntu-20.04' uses: actions/upload-artifact@v4 with: - name: ame-backend-${{ matrix.os }} + name: ame-backend-linux path: | aspect-model-editor-runtime/target/ame-backend-DEV-SNAPSHOT-linux aspect-model-editor-runtime/target/*.so @@ -111,5 +111,5 @@ jobs: if: matrix.os == 'macos-12' uses: actions/upload-artifact@v4 with: - name: ame-backend-${{ matrix.os }} + name: ame-backend-mac path: aspect-model-editor-runtime/target/ame-backend-DEV-SNAPSHOT-mac diff --git a/.github/workflows/tagged_release.yml b/.github/workflows/tagged_release.yml index 8b8cadb6..7f9320ae 100644 --- a/.github/workflows/tagged_release.yml +++ b/.github/workflows/tagged_release.yml @@ -8,7 +8,7 @@ on: required: true jobs: - gh_tagged_release: + build: name: Create tagged release runs-on: ${{ matrix.os }} strategy: 
@@ -126,29 +126,21 @@ jobs: aspect-model-editor-runtime/target/*.bat aspect-model-editor-runtime/target/lib/ - # Release Mac and Linux executables - - name: Create GitHub release (Mac) - if: ${{ (matrix.os == 'macos-12') && (!contains( github.ref, '-M' )) }} - uses: svenstaro/upload-release-action@latest + - name: Upload binary (Mac) + if: matrix.os == 'macos-12' + uses: actions/upload-artifact@v4 with: - file_glob: true - overwrite: true - prerelease: false - repo_token: ${{ secrets.GITHUB_TOKEN }} - file: aspect-model-editor-runtime/target/ame-backend!(*.txt)-mac - tag: v${{ github.event.inputs.release_version }} + name: ame-backend-v${{ github.event.inputs.release_version }}-mac + path: aspect-model-editor-runtime/target/ame-backend-${{ github.event.inputs.release_version }}-mac - - name: Create GitHub pre-release (Mac) - if: ${{ (matrix.os == 'macos-12') && (contains( github.ref, '-M' )) }} - uses: svenstaro/upload-release-action@latest + - name: Upload binary (Linux) + if: matrix.os == 'ubuntu-20.04' + uses: actions/upload-artifact@v4 with: - file_glob: true - overwrite: true - prerelease: true - repo_token: ${{ secrets.GITHUB_TOKEN }} - file: aspect-model-editor-runtime/target/ame-backend!(*.txt)-mac - tag: v${{ github.event.inputs.release_version }} + name: ame-backend-v${{ github.event.inputs.release_version }}-linux + path: aspect-model-editor-runtime/target/ame-backend-${{ github.event.inputs.release_version }}-linux + # Release Linux executables - name: Create GitHub release (Linux) if: ${{ (matrix.os == 'ubuntu-20.04') && (!contains( github.ref, '-M' )) }} uses: svenstaro/upload-release-action@latest 
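Review bot: The new upload steps reference actions by mutable tags (`actions/upload-artifact@v4`, and in the context lines just below, `svenstaro/upload-release-action@latest`) inside the workflow that produces the binaries which are later signed with the project's Authenticode and Apple certificates, so whoever controls those tags controls what ends up signed. Pin every `uses:` to a full commit SHA with the version in a trailing comment, e.g. `uses: actions/upload-artifact@<full-commit-sha> # v4`, and replace `@latest` with a pinned SHA of a specific release; Dependabot's `github-actions` ecosystem can keep the SHAs current. Note also that the Mac artifact uploaded here is the unsigned binary and is looked up later by name substring in the `release` job, so the `ame-backend-v…-mac` name is load-bearing and deserves a one-line comment such as `# name must contain "mac": the release job selects this artifact by substring`.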
@@ -157,7 +149,7 @@ jobs: overwrite: true prerelease: false repo_token: ${{ secrets.GITHUB_TOKEN }} - file: aspect-model-editor-runtime/target/ame-backend!(*.txt)-linux + file: aspect-model-editor-runtime/target/ame-backend-${{ github.event.inputs.release_version }}-linux tag: v${{ github.event.inputs.release_version }} - name: Create GitHub pre-release (Linux) 
@@ -168,54 +160,56 @@ jobs: overwrite: true prerelease: true repo_token: ${{ secrets.GITHUB_TOKEN }} - file: aspect-model-editor-runtime/target/ame-backend!(*.txt)-linux + file: aspect-model-editor-runtime/target/ame-backend-${{ github.event.inputs.release_version }}-linux tag: v${{ github.event.inputs.release_version }} - - name: Setup Git - run: | - git config user.name github-actions - git config user.email github-actions@github.com + release: + needs: build + runs-on: ubuntu-latest + steps: + - name: Checkout project + uses: actions/checkout@v3 - # Sign Windows executable - - name: Get Artifact ID (Windows) - if: matrix.os == 'windows-latest' + # Sign (Windows & Mac) executable + - name: Get Artifact ID (Windows & Mac) shell: bash run: | # Get the list of artifacts for the specified workflow run response=$(curl -H "Authorization: Bearer $TOKEN" -H "Accept: application/vnd.github+json" "https://api.github.com/repos/${{ github.repository_owner }}/$(echo '${{ github.repository }}' | cut -d'/' -f2)/actions/runs/${{ github.run_id }}/artifacts") - # Filter out the ID of the artifact with a name that contains "windows" - artifact_id=$(echo "$response" | jq -r '.artifacts[] | select(.name | contains("win")) | .id') + # Filter out the ID of the artifacts + artifact_id_win=$(echo "$response" | jq -r '.artifacts[] | select(.name | contains("win")) | .id') + artifact_id_mac=$(echo "$response" | jq -r '.artifacts[] | select(.name | contains("mac")) | .id') # Save the artifact ID in an environment variable - echo "ARTIFACT_ID=$artifact_id" >> $GITHUB_ENV + echo "ARTIFACT_ID_WIN=$artifact_id_win" >> $GITHUB_ENV + echo "ARTIFACT_ID_MAC=$artifact_id_mac" >> $GITHUB_ENV env: TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Commit Artifact url and version changes and push to pre release branch for jenkins (Windows) - if: matrix.os == 'windows-latest' + - name: Commit Artifact url and version changes and push to pre release branch for jenkins (Windows & Mac) shell: bash run: | - 
ARTIFACT_URL_WIN="https://api.github.com/repos/eclipse-esmf/esmf-aspect-model-editor-backend/actions/artifacts/$ARTIFACT_ID/zip" + ARTIFACT_URL_WIN="https://api.github.com/repos/eclipse-esmf/esmf-aspect-model-editor-backend/actions/artifacts/$ARTIFACT_ID_WIN/zip" + ARTIFACT_URL_MAC="https://api.github.com/repos/eclipse-esmf/esmf-aspect-model-editor-backend/actions/artifacts/$ARTIFACT_ID_MAC/zip" BRANCH_NAME="pre_release_configuration" echo "artifact_url_win=$ARTIFACT_URL_WIN" > parameters.txt + echo "artifact_url_mac=$ARTIFACT_URL_MAC" >> parameters.txt echo "version=${{ github.event.inputs.release_version }}" >> parameters.txt git config --global user.email "github-actions@github.com" git config --global user.name "github-actions" git checkout -b $BRANCH_NAME git add parameters.txt - git commit -m "Add parameters.txt with artifact_url_win and version" + git commit -m "Add parameters.txt with artifact_url_win, artifact_url_mac and version" git push origin $BRANCH_NAME env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Trigger Jenkins Job, for signing executable - if: matrix.os == 'windows-latest' shell: bash run: | DATA='{"repository": {"url": "https://github.com/eclipse-esmf/esmf-aspect-model-editor-backend", "html_url": "https://github.com/eclipse-esmf/esmf-aspect-model-editor-backend", "owner": { "name": "ESMF"}}, "pusher": { "name": "GitHub Action", "email": "esmf-dev@eclipse.org"}}' SHA1="$(echo -n "${DATA}" | openssl dgst -sha1 -hmac "${WEBHOOK_SECRET}" | sed 's/SHA1(stdin)= //')" curl -X POST https://ci.eclipse.org/esmf/github-webhook/ -H "Content-Type: application/json" -H "X-GitHub-Event: push" -H "X-Hub-Signature: sha1=${SHA1}" -d "${DATA}" - diff --git a/.jenkins/Jenkinsfile b/.jenkins/Jenkinsfile index aaf46c42..1bf45f01 100644 --- a/.jenkins/Jenkinsfile +++ b/.jenkins/Jenkinsfile @@ -1,3 +1,5 @@ +import groovy.json.JsonSlurper; + pipeline { agent any 
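Review bot: The artifact lookup in `Get Artifact ID (Windows & Mac)` selects by substring (`contains("win")` / `contains("mac")`) and never checks the result, so an empty or multi-valued `jq` output becomes `.../artifacts//zip` or a multi-line `GITHUB_ENV` entry that Jenkins then downloads and signs blindly. Take exactly one match and fail early: `artifact_id_win=$(echo "$response" | jq -r 'first(.artifacts[] | select(.name | contains("win")) | .id)')` (same for `mac`), followed by `[ -n "$artifact_id_win" ] && [ -n "$artifact_id_mac" ] || { echo "artifact not found" >&2; exit 1; }`. In the commit step, `${{ github.event.inputs.release_version }}` is expanded directly into the `run:` script; it is a dispatch input, so only collaborators can set it, but it still belongs in an `env:` entry (`VERSION: ${{ github.event.inputs.release_version }}`) referenced as `"$VERSION"` to rule out script injection. `git push origin $BRANCH_NAME` is a plain non-force push of a branch created from the release ref, which presumably gets rejected on the next release unless something deletes `pre_release_configuration` in between — worth confirming and documenting in the step.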
@@ -24,7 +26,8 @@ pipeline { } } - echo "Artifact URL: ${env.artifact_url_win}" + echo "Artifact URL Win: ${env.artifact_url_win}" + echo "Artifact URL Mac: ${env.artifact_url_mac}" echo "Version: ${env.version}" } else { echo "Error: parameters.txt does not exist." 
@@ -33,37 +36,98 @@ pipeline { } } - stage('Download and unpack artifact') { + stage('Download and unpack Windows artifact') { steps { script { + def winOsFile = "ame-backend-v${env.version}-win.zip" sh "curl -L -H 'Accept: application/vnd.github.v3+json' \ -H 'Authorization: Bearer ${GITHUB_BOT_TOKEN}' \ '${env.artifact_url_win}' \ - --output 'aspect-model-editor-v${env.version}-win.zip'" + --output '${winOsFile}'" sh "mkdir -p unpack_dir" - sh "unzip -o aspect-model-editor-v${env.version}-win.zip -d unpack_dir" + sh "unzip -o ame-backend-v${env.version}-win.zip -d unpack_dir" + sh "rm '${winOsFile}'" sh "ls -a unpack_dir" } } } - stage('Sign Applications') { + stage('Sign Windows Applications') { steps { script { sh "mkdir -p signed_dir" sh "find unpack_dir -name '*.dll' -exec mv {} signed_dir \\;" sh "curl -o signed_dir/ame-backend-${env.version}-win.exe -F file=@unpack_dir/ame-backend-${env.version}-win.exe https://cbi.eclipse.org/authenticode/sign" - sh "zip -r aspect-model-editor-v${env.version}-win-signed.zip signed_dir" + sh "zip -r ame-backend-v${env.version}-win.zip signed_dir" + sh "ls -a signed_dir" + } + } + } + + stage('Download Mac artifact') { + steps { + script { + def macOsFile = "ame-backend-v${env.version}-mac.zip" + sh "curl -L -H 'Accept: application/vnd.github.v3+json' \ + -H 'Authorization: Bearer ${GITHUB_BOT_TOKEN}' \ + '${env.artifact_url_mac}' \ + --output '${macOsFile}'" + sh "unzip -o ame-backend-v${env.version}-mac.zip -d unpack_dir" + sh "rm '${macOsFile}'" + sh "ls -a unpack_dir" + } + } + } + + stage('Sign Mac Applications') { + steps { + script { + sh "mkdir -p signed_dir" + sh "curl -o signed_dir/ame-backend-${env.version}-mac -F file=@unpack_dir/ame-backend-${env.version}-mac -F entitlements=@entitlements.plist https://cbi.eclipse.org/macos/codesign/sign" + sh "ls -a signed_dir" + } + } + } + + stage('MacOS Notarization') { + steps { + script { + sh "zip -j ame-backend-${env.version}-mac.zip 
signed_dir/ame-backend-${env.version}-mac" + + def macOsFile = "ame-backend-${env.version}-mac.zip" + + def jsonOptions = "options={\"primaryBundleId\": \"org.eclipse.esmf\", \"staple\": true};type=application/json" + def response = sh(script: "curl -X POST -F file=@${macOsFile} -F '${jsonOptions}' https://cbi.eclipse.org/macos/xcrun/notarize", returnStdout: true).trim() + + def jsonSlurper = new JsonSlurper() + def json = jsonSlurper.parseText(response) + String uuid = json.uuid + + while (json.notarizationStatus.status == 'IN_PROGRESS') { + sleep(time: 1, unit: 'MINUTES') + response = sh(script: "curl https://cbi.eclipse.org/macos/xcrun/${uuid}/status", returnStdout: true).trim() + json = jsonSlurper.parseText(response) + } + + if (json.notarizationStatus.status != 'COMPLETE') { + echo "Notarization failed: ${response}" + error("Notarization failed.") + } + + sh "rm '${macOsFile}'" + + sh "curl -JO -o ame-backend-v${env.version}-mac.zip https://cbi.eclipse.org/macos/xcrun/${uuid}/download" } } } - stage('Release signed WINDOWS artifact to GitHub Releases') { + stage('Release signed Windows and Mac artifact to GitHub Releases') { steps { script { def repo = "eclipse-esmf/esmf-aspect-model-editor-backend" def tagName = "v${env.version}" - def fileName = "aspect-model-editor-v${env.version}-win-signed.zip" + def fileNameWin = "ame-backend-v${env.version}-win.zip" + def fileNameMac = "ame-backend-v${env.version}-mac.zip" def releaseId = "" def tagExists = sh(script: """ 
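Review bot: `env.version`, `env.artifact_url_win`/`env.artifact_url_mac` and the notarization `uuid` are interpolated into double-quoted Groovy `sh "..."` strings, so their text becomes part of the shell command run on the signing agent; `version` and the URLs come from `parameters.txt` on the `pre_release_configuration` branch (loaded into `env`, as the echo stage above suggests), which anyone who can push to that branch can rewrite, after which the download stages send `GITHUB_BOT_TOKEN` to whatever host the URL names and sign whatever comes back. Validate both values before use and pass them to the shell through the environment with single-quoted scripts, as below for the Mac download stage (the same change applies to the Windows download, the two sign stages and the notarization stage). Add `-f`/`--fail` to the `curl` calls so an HTTP error does not produce an empty or HTML "file" that is then signed, and cap the `IN_PROGRESS` polling loop with a maximum iteration count so a stuck notarization cannot hold the agent indefinitely. The final `curl -JO -o ame-backend-v${env.version}-mac.zip …` looks inconsistent: `-J`/`-O` name the output from the server's `Content-Disposition`, so the file may not land under the name the release stage uploads — confirm which name is produced and drop either `-JO` or `-o`.

```groovy
// … unchanged: stage('Download Mac artifact') / steps / script opening …
def allowedPrefix = 'https://api.github.com/repos/eclipse-esmf/esmf-aspect-model-editor-backend/actions/artifacts/'
// Refuse values from parameters.txt that would leak the bot token or inject into the shell
if (!(env.artifact_url_mac ?: '').startsWith(allowedPrefix) || !((env.version ?: '') ==~ /[0-9A-Za-z.\-]+/)) {
    error("Refusing untrusted artifact_url_mac/version from parameters.txt")
}
withEnv(["MAC_OS_FILE=ame-backend-v${env.version}-mac.zip"]) {
    // Single-quoted Groovy string: the shell expands $VARS, nothing is spliced into the command text
    sh '''curl -fL -H 'Accept: application/vnd.github.v3+json' \
           -H "Authorization: Bearer $GITHUB_BOT_TOKEN" \
           "$artifact_url_mac" --output "$MAC_OS_FILE"
          unzip -o "$MAC_OS_FILE" -d unpack_dir
          rm "$MAC_OS_FILE"'''
}
// … unchanged: ls unpack_dir …
```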
@@ -99,8 +163,18 @@ pipeline { -H "Accept: application/vnd.github+json" \\ -H "Authorization: Bearer \$GITHUB_BOT_TOKEN" \ -H "Content-Type: application/octet-stream" \ - --data-binary @${fileName} \ - "https://uploads.github.com/repos/${repo}/releases/${releaseId}/assets?name=${fileName}" + --data-binary @${fileNameWin} \ + "https://uploads.github.com/repos/${repo}/releases/${releaseId}/assets?name=${fileNameWin}" + """ + + sh """ + curl -L \ + -X POST \ + -H "Accept: application/vnd.github+json" \\ + -H "Authorization: Bearer \$GITHUB_BOT_TOKEN" \ + -H "Content-Type: application/octet-stream" \ + --data-binary @${fileNameMac} \ + "https://uploads.github.com/repos/${repo}/releases/${releaseId}/assets?name=${fileNameMac}" """ sh """ diff --git a/entitlements.plist b/entitlements.plist new file mode 100644 index 00000000..8e77f041 --- /dev/null +++ b/entitlements.plist @@ -0,0 +1,51 @@ + + + + + + com.apple.security.cs.allow-jit + + + + com.apple.security.cs.allow-unsigned-executable-memory + + + + com.apple.security.cs.allow-dyld-environment-variables + + + + com.apple.security.cs.disable-library-validation + + + + com.apple.security.get-task-allow + + + + com.apple.security.network.client + + com.apple.security.network.server + + + + com.apple.security.files.user-selected.read-write + + com.apple.security.files.downloads.read-write + + com.apple.security.files.all.read-write + + + + com.apple.security.device.audio-input + + + + com.apple.security.device.camera + + + + com.apple.security.personal-information.location + + +
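Review bot: Both asset-upload `curl` calls lack `--fail`, so a 401/404/422 from uploads.github.com (422 is what GitHub returns when an asset with that name already exists on a re-run) leaves an error JSON in the output, exit status 0 and a green stage with no signed binary attached to the release. Add `--fail` (or `--fail-with-body` where the agent's curl is ≥ 7.76) to each call, and since `${fileNameWin}`/`${fileNameMac}` are derived from `env.version`, pass them through the environment — `withEnv(["ASSET=${fileNameMac}"]) { sh '''curl --fail … --data-binary "@$ASSET" …''' }` — instead of splicing them into the `sh """…"""` text. The `sh """` at the end of the hunk belongs to a statement that continues outside it.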
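Review bot: entitlements.plist grants the backend a set of hardened-runtime exceptions that undercut the point of signing it: `com.apple.security.get-task-allow` makes the signed binary debuggable by any local process (Apple documents this entitlement as rejected by notarization), and `com.apple.security.cs.disable-library-validation` together with `com.apple.security.cs.allow-dyld-environment-variables` lets unsigned dylibs be injected into the signed process via `DYLD_INSERT_LIBRARIES`. The per-key values are not visible in this rendering, so this assumes they are all `<true/>`; if so, keep only what the runtime demonstrably needs (for a JIT-based JVM/GraalVM binary that is typically `allow-jit` and possibly `allow-unsigned-executable-memory`) and drop `get-task-allow`, `disable-library-validation`, `allow-dyld-environment-variables`, `network.server`, the `files.*` entries, `device.audio-input`, `device.camera` and `personal-information.location` unless a concrete code path in the backend uses them. The `network.*`, `files.*` and `device.*` keys are App Sandbox entitlements and have no effect unless `com.apple.security.app-sandbox` is also set, which this file does not show, so they currently read as unexplained permissions rather than working configuration. Each retained key should carry a one-line comment naming the feature that needs it, e.g. `<!-- required: JVM code cache is JIT-compiled -->` above `com.apple.security.cs.allow-jit`.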