Skip to content
macos-test

macos wip #6

Sign in to view logs

macos wip

macos wip #6

Workflow file for this run

.github/workflows/macos-updates.yml at 450071f
name: macos-test
on:
push:
tags:
- 'v[0-9]*vfs*' # matches "v<number><any characters>vfs<any characters>"
jobs:
# Check prerequisites for the workflow
prereqs:
runs-on: ubuntu-latest
environment: release
env:
AZ_SUB: ${{ secrets.AZURE_SUBSCRIPTION }}
AZ_CREDS: ${{ secrets.AZURE_CREDENTIALS }}
outputs:
tag_name: ${{ steps.tag.outputs.name }} # The full name of the tag, e.g. v2.32.0.vfs.0.0
tag_version: ${{ steps.tag.outputs.version }} # The version number (without preceding "v"), e.g. 2.32.0.vfs.0.0
deb_signable: ${{ steps.deb.outputs.signable }} # Whether the credentials needed to sign the .deb package are available
steps:
- name: Validate tag
run: |
echo "$GITHUB_REF" |
grep '^refs/tags/v2\.\(0\|[1-9][0-9]*\)\.\(0\|[1-9][0-9]*\)\.vfs\.0\.\(0\|[1-9][0-9]*\)$' || {
echo "::error::${GITHUB_REF#refs/tags/} is not of the form v2.<X>.<Y>.vfs.0.<W>" >&2
exit 1
}
- name: Determine tag to build
run: |
echo "name=${GITHUB_REF#refs/tags/}" >>$GITHUB_OUTPUT
echo "version=${GITHUB_REF#refs/tags/v}" >>$GITHUB_OUTPUT
id: tag
- name: Determine whether signing certificates are present
run: echo "signable=$([[ $AZ_SUB != '' && $AZ_CREDS != '' ]] && echo 'true' || echo 'false')" >>$GITHUB_OUTPUT
id: deb
- name: Clone git
uses: actions/checkout@v3
- name: Validate the tag identified with trigger
run: |
die () {
echo "::error::$*" >&2
exit 1
}
# `actions/checkout` only downloads the peeled tag (i.e. the commit)
git fetch origin +$GITHUB_REF:$GITHUB_REF
# Verify that the tag is annotated
test $(git cat-file -t "$GITHUB_REF") == "tag" || die "Tag ${{ steps.tag.outputs.name }} is not annotated"
# Verify tag follows rules in GIT-VERSION-GEN (i.e., matches the specified "DEF_VER" in
# GIT-VERSION-FILE) and matches tag determined from trigger
make GIT-VERSION-FILE
test "${{ steps.tag.outputs.version }}" == "$(sed -n 's/^GIT_VERSION = //p'< GIT-VERSION-FILE)" || die "GIT-VERSION-FILE tag does not match ${{ steps.tag.outputs.name }}"
# End check prerequisites for the workflow
# Build and sign Mac OSX installers & upload artifacts
osx_build:
runs-on: macos-latest
needs: prereqs
env:
# `gettext` is keg-only
LDFLAGS: -L/usr/local/opt/gettext/lib
CFLAGS: -I/usr/local/opt/gettext/include
# To make use of the catalogs...
XML_CATALOG_FILES: /usr/local/etc/xml/catalog
VERSION: "${{ needs.prereqs.outputs.tag_version }}"
environment: release
steps:
- name: Check out repository
uses: actions/checkout@v3
with:
path: 'git'
- name: Install Git dependencies
run: |
set -x
brew install automake asciidoc xmlto docbook
brew link --force gettext
- name: Set up signing/notarization infrastructure
env:
A1: ${{ secrets.APPLICATION_CERTIFICATE_BASE64 }}
A2: ${{ secrets.APPLICATION_CERTIFICATE_PASSWORD }}
I1: ${{ secrets.INSTALLER_CERTIFICATE_BASE64 }}
I2: ${{ secrets.INSTALLER_CERTIFICATE_PASSWORD }}
N1: ${{ secrets.APPLE_TEAM_ID }}
N2: ${{ secrets.APPLE_DEVELOPER_ID }}
N3: ${{ secrets.APPLE_DEVELOPER_PASSWORD }}
N4: ${{ secrets.APPLE_KEYCHAIN_PROFILE }}
run: |
echo "Setting up signing certificates"
security create-keychain -p pwd $RUNNER_TEMP/buildagent.keychain
security default-keychain -s $RUNNER_TEMP/buildagent.keychain
security unlock-keychain -p pwd $RUNNER_TEMP/buildagent.keychain
echo $A1 | base64 -D > $RUNNER_TEMP/cert.p12
security import $RUNNER_TEMP/cert.p12 \
-k $RUNNER_TEMP/buildagent.keychain \
-P $A2 \
-T /usr/bin/codesign
security set-key-partition-list \
-S apple-tool:,apple:,codesign: \
-s -k pwd \
$RUNNER_TEMP/buildagent.keychain
echo $I1 | base64 -D > $RUNNER_TEMP/cert.p12
security import $RUNNER_TEMP/cert.p12 \
-k $RUNNER_TEMP/buildagent.keychain \
-P $I2 \
-T /usr/bin/productbuild
security set-key-partition-list \
-S apple-tool:,apple:,productbuild: \
-s -k pwd \
$RUNNER_TEMP/buildagent.keychain
echo "Setting up notarytool"
xcrun notarytool store-credentials \
--team-id $N1 \
--apple-id $N2 \
--password $N3 \
"$N4"
- name: Build, sign, and notarize artifacts
env:
A3: ${{ secrets.APPLE_APPLICATION_SIGNING_IDENTITY }}
I3: ${{ secrets.APPLE_INSTALLER_SIGNING_IDENTITY }}
N4: ${{ secrets.APPLE_KEYCHAIN_PROFILE }}
run: |
# Configure the environment
set -x
PATH=/usr/local/bin:$PATH
export CURL_LDFLAGS=$(curl-config --libs)
# Write to "version" file to force match with trigger payload version
echo "${{ needs.prereqs.outputs.tag_version }}" >>git/version
make -C git -j$(sysctl -n hw.physicalcpu) GIT-VERSION-FILE dist dist-doc
export GIT_BUILT_FROM_COMMIT=$(gunzip -c git/git-$VERSION.tar.gz | git get-tar-commit-id) ||
die "Could not determine commit for build"
# Extract tarballs
mkdir payload manpages
tar -xvf git/git-$VERSION.tar.gz -C payload
tar -xvf git/git-manpages-$VERSION.tar.gz -C manpages
# Build and codesign payload
make -C git/.github/macos-installer V=1 codesign \
APPLE_APP_IDENTITY=echo "$A3" || die "Creating signed payload failed"
# Build, sign, and notarize pkg
PATH=/usr/local/bin:$PATH \
make -C git/.github/macos-installer V=1 notarize \
APPLE_INSTALLER_IDENTITY=echo "$I3" APPLE_KEYCHAIN_PROFILE=echo "$N4" \
|| die "Creating signed and notarized pkg failed"
# Move disk-image into the same directory as Makefile
mv disk-image git/.github/macos-installer/
# Create DMG
make -C git/.github/macos-installer V=1 image || die "Creating DMG failed"
- name: Upload artifacts
uses: actions/upload-artifact@v3
with:
name: osx-dmg
path: git/.github/macos-installer/*.dmg
# End build and sign Mac OSX installers