macos wip #5
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: macos-test | |
on: | |
push: | |
tags: | |
- 'v[0-9]*vfs*' # matches "v<number><any characters>vfs<any characters>" | |
jobs: | |
# Check prerequisites for the workflow | |
prereqs: | |
runs-on: ubuntu-latest | |
environment: release | |
env: | |
AZ_SUB: ${{ secrets.AZURE_SUBSCRIPTION }} | |
AZ_CREDS: ${{ secrets.AZURE_CREDENTIALS }} | |
outputs: | |
tag_name: ${{ steps.tag.outputs.name }} # The full name of the tag, e.g. v2.32.0.vfs.0.0 | |
tag_version: ${{ steps.tag.outputs.version }} # The version number (without preceding "v"), e.g. 2.32.0.vfs.0.0 | |
deb_signable: ${{ steps.deb.outputs.signable }} # Whether the credentials needed to sign the .deb package are available | |
steps: | |
- name: Validate tag | |
run: | | |
echo "$GITHUB_REF" | | |
grep '^refs/tags/v2\.\(0\|[1-9][0-9]*\)\.\(0\|[1-9][0-9]*\)\.vfs\.0\.\(0\|[1-9][0-9]*\)$' || { | |
echo "::error::${GITHUB_REF#refs/tags/} is not of the form v2.<X>.<Y>.vfs.0.<W>" >&2 | |
exit 1 | |
} | |
- name: Determine tag to build | |
run: | | |
echo "name=${GITHUB_REF#refs/tags/}" >>$GITHUB_OUTPUT | |
echo "version=${GITHUB_REF#refs/tags/v}" >>$GITHUB_OUTPUT | |
id: tag | |
- name: Determine whether signing certificates are present | |
run: echo "signable=$([[ $AZ_SUB != '' && $AZ_CREDS != '' ]] && echo 'true' || echo 'false')" >>$GITHUB_OUTPUT | |
id: deb | |
- name: Clone git | |
uses: actions/checkout@v3 | |
- name: Validate the tag identified with trigger | |
run: | | |
die () { | |
echo "::error::$*" >&2 | |
exit 1 | |
} | |
# `actions/checkout` only downloads the peeled tag (i.e. the commit) | |
git fetch origin +$GITHUB_REF:$GITHUB_REF | |
# Verify that the tag is annotated | |
test $(git cat-file -t "$GITHUB_REF") == "tag" || die "Tag ${{ steps.tag.outputs.name }} is not annotated" | |
# Verify tag follows rules in GIT-VERSION-GEN (i.e., matches the specified "DEF_VER" in | |
# GIT-VERSION-FILE) and matches tag determined from trigger | |
make GIT-VERSION-FILE | |
test "${{ steps.tag.outputs.version }}" == "$(sed -n 's/^GIT_VERSION = //p'< GIT-VERSION-FILE)" || die "GIT-VERSION-FILE tag does not match ${{ steps.tag.outputs.name }}" | |
# End check prerequisites for the workflow | |
# Build and sign Mac OSX installers & upload artifacts | |
osx_build: | |
runs-on: macos-latest | |
needs: prereqs | |
env: | |
# `gettext` is keg-only | |
LDFLAGS: -L/usr/local/opt/gettext/lib | |
CFLAGS: -I/usr/local/opt/gettext/include | |
# To make use of the catalogs... | |
XML_CATALOG_FILES: /usr/local/etc/xml/catalog | |
VERSION: "${{ needs.prereqs.outputs.tag_version }}" | |
environment: release | |
steps: | |
- name: Check out repository | |
uses: actions/checkout@v3 | |
with: | |
path: 'git' | |
- name: Install Git dependencies | |
run: | | |
set -x | |
brew install automake asciidoc xmlto docbook | |
brew link --force gettext | |
- name: Set up signing/notarization infrastructure | |
env: | |
A1: ${{ secrets.APPLICATION_CERTIFICATE_BASE64 }} | |
A2: ${{ secrets.APPLICATION_CERTIFICATE_PASSWORD }} | |
I1: ${{ secrets.INSTALLER_CERTIFICATE_BASE64 }} | |
I2: ${{ secrets.INSTALLER_CERTIFICATE_PASSWORD }} | |
N1: ${{ secrets.APPLE_TEAM_ID }} | |
N2: ${{ secrets.APPLE_DEVELOPER_ID }} | |
N3: ${{ secrets.APPLE_DEVELOPER_PASSWORD }} | |
N4: ${{ secrets.APPLE_KEYCHAIN_PROFILE }} | |
run: | | |
echo "Setting up signing certificates" | |
security create-keychain -p pwd $RUNNER_TEMP/buildagent.keychain | |
security default-keychain -s $RUNNER_TEMP/buildagent.keychain | |
security unlock-keychain -p pwd $RUNNER_TEMP/buildagent.keychain | |
echo $A1 | base64 -D > $RUNNER_TEMP/cert.p12 | |
security import $RUNNER_TEMP/cert.p12 \ | |
-k $RUNNER_TEMP/buildagent.keychain \ | |
-P $A2 \ | |
-T /usr/bin/codesign | |
security set-key-partition-list \ | |
-S apple-tool:,apple:,codesign: \ | |
-s -k pwd \ | |
$RUNNER_TEMP/buildagent.keychain | |
echo $I1 | base64 -D > $RUNNER_TEMP/cert.p12 | |
security import $RUNNER_TEMP/cert.p12 \ | |
-k $RUNNER_TEMP/buildagent.keychain \ | |
-P $I2 \ | |
-T /usr/bin/productbuild | |
security set-key-partition-list \ | |
-S apple-tool:,apple:,productbuild: \ | |
-s -k pwd \ | |
$RUNNER_TEMP/buildagent.keychain | |
echo "Setting up notarytool" | |
xcrun notarytool store-credentials \ | |
--team-id $N1 \ | |
--apple-id $N2 \ | |
--password $N3 \ | |
"$N4" | |
- name: Build, sign, and notarize artifacts | |
env: | |
A3: ${{ secrets.APPLE_APPLICATION_SIGNING_IDENTITY }} | |
I3: ${{ secrets.APPLE_INSTALLER_SIGNING_IDENTITY }} | |
N4: ${{ secrets.APPLE_KEYCHAIN_PROFILE }} | |
run: | | |
# Configure the environment | |
set -x | |
PATH=/usr/local/bin:$PATH | |
export CURL_LDFLAGS=$(curl-config --libs) | |
# Write to "version" file to force match with trigger payload version | |
echo "${{ needs.prereqs.outputs.tag_version }}" >>git/version | |
make -C git -j$(sysctl -n hw.physicalcpu) GIT-VERSION-FILE dist dist-doc | |
export GIT_BUILT_FROM_COMMIT=$(gunzip -c git/git-$VERSION.tar.gz | git get-tar-commit-id) || | |
die "Could not determine commit for build" | |
# Extract tarballs | |
mkdir payload manpages | |
tar -xvf git/git-$VERSION.tar.gz -C payload | |
tar -xvf git/git-manpages-$VERSION.tar.gz -C manpages | |
# Build and codesign payload | |
make -C git/.github/macos-installer V=1 codesign \ | |
APPLE_APP_IDENTITY=echo "$A3" || die "Creating signed payload failed" | |
# Build, sign, and notarize pkg | |
PATH=/usr/local/bin:$PATH \ | |
make -C git/.github/macos-installer V=1 notarize \ | |
APPLE_INSTALLER_IDENTITY=echo "$I3" APPLE_KEYCHAIN_PROFILE=echo "$N4" \ | |
|| die "Creating signed and notarized pkg failed" | |
# Move disk-image into the same directory as Makefile | |
mv disk-image git/.github/macos-installer/ | |
# Create DMG | |
make -C git/.github/macos-installer V=1 image || die "Creating DMG failed" | |
- name: Upload artifacts | |
uses: actions/upload-artifact@v3 | |
with: | |
name: osx-dmg | |
path: git/.github/macos-installer/*.dmg | |
# End build and sign Mac OSX installers |