fixup! windows wip #9
name: windows-test

on:
  push:
    tags:
      # Fires for any tag that starts with "v<digit>" and contains "vfs";
      # the prereqs job then enforces the exact v2.<X>.<Y>.vfs.0.<W> shape.
      - 'v[0-9]*vfs*'

# Default GITHUB_TOKEN scopes inherited by every job that does not declare its
# own `permissions:` block. `id-token: write` is what the OIDC login to Azure
# needs; no step in this file visibly pushes to the repository, so a job that
# only reads should override these with a narrower job-level block.
permissions:
  id-token: write
  contents: write
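jobs:
  # Check prerequisites for the workflow: the pushed tag must have the exact
  # v2.<X>.<Y>.vfs.0.<W> shape, be an annotated tag, and agree with the
  # version that GIT-VERSION-GEN derives from the checked-out tree.
  prereqs:
    runs-on: ubuntu-latest
    environment: release
    # This job only reads the repository; do not inherit the workflow-level
    # `id-token: write` / `contents: write` grants.
    permissions:
      contents: read
    outputs:
      tag_name: ${{ steps.tag.outputs.name }}          # The full name of the tag, e.g. v2.32.0.vfs.0.0
      tag_version: ${{ steps.tag.outputs.version }}    # The version number (without preceding "v"), e.g. 2.32.0.vfs.0.0
      deb_signable: ${{ steps.deb.outputs.signable }}  # Whether the credentials needed to sign the .deb package are available
    steps:
      - name: Validate tag
        # Reject anything that is not exactly v2.<X>.<Y>.vfs.0.<W> before the
        # tag name is used anywhere else in this workflow.
        run: |
          echo "$GITHUB_REF" |
          grep '^refs/tags/v2\.\(0\|[1-9][0-9]*\)\.\(0\|[1-9][0-9]*\)\.vfs\.0\.\(0\|[1-9][0-9]*\)$' || {
            echo "::error::${GITHUB_REF#refs/tags/} is not of the form v2.<X>.<Y>.vfs.0.<W>" >&2
            exit 1
          }
      - name: Determine tag to build
        id: tag
        run: |
          echo "name=${GITHUB_REF#refs/tags/}" >>"$GITHUB_OUTPUT"
          echo "version=${GITHUB_REF#refs/tags/v}" >>"$GITHUB_OUTPUT"
      - name: Determine whether signing certificates are present
        id: deb
        # The secrets are scoped to this one step rather than the whole job, so
        # the other steps (including the third-party checkout action) never
        # have them in their environment.
        env:
          AZ_SUB: ${{ secrets.AZURE_SUBSCRIPTION }}
          AZ_CREDS: ${{ secrets.AZURE_CREDENTIALS }}
        run: |
          if test -n "$AZ_SUB" && test -n "$AZ_CREDS"
          then
            echo "signable=true" >>"$GITHUB_OUTPUT"
          else
            echo "signable=false" >>"$GITHUB_OUTPUT"
          fi
      - name: Clone git
        # NOTE(review): a release workflow should pin third-party actions to a
        # commit SHA rather than a movable tag.
        uses: actions/checkout@v3
      - name: Validate the tag identified with trigger
        # The tag name/version are handed over through `env` instead of being
        # interpolated with `${{ }}` into the script, so the shell never
        # re-parses them (defense in depth on top of the regex check above).
        env:
          TAG_NAME: ${{ steps.tag.outputs.name }}
          TAG_VERSION: ${{ steps.tag.outputs.version }}
        run: |
          die () {
            echo "::error::$*" >&2
            exit 1
          }
          # `actions/checkout` only downloads the peeled tag (i.e. the commit)
          git fetch origin "+$GITHUB_REF:$GITHUB_REF"
          # Verify that the tag is annotated
          test "$(git cat-file -t "$GITHUB_REF")" = "tag" || die "Tag $TAG_NAME is not annotated"
          # Verify tag follows rules in GIT-VERSION-GEN (i.e., matches the specified "DEF_VER" in
          # GIT-VERSION-FILE) and matches tag determined from trigger
          make GIT-VERSION-FILE
          test "$TAG_VERSION" = "$(sed -n 's/^GIT_VERSION = //p' <GIT-VERSION-FILE)" || die "GIT-VERSION-FILE tag does not match $TAG_NAME"
  # End check prerequisites for the workflow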
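# Build and sign Windows installers & upload artifacts
  windows_pkg:
    runs-on: windows-2019
    environment: release
    needs: prereqs
    # Only the OIDC login to Azure needs a write scope. Nothing in this job
    # pushes to the repository (the bundle/commit below are local), so
    # `contents` stays read-only; widen it if a later step needs more.
    permissions:
      contents: read
      id-token: write
    env:
      GPG_OPTIONS: "--batch --yes --no-tty --list-options no-show-photos --verify-options no-show-photos --pinentry-mode loopback"
      HOME: "${{github.workspace}}\\home"
      USERPROFILE: "${{github.workspace}}\\home"
    steps:
      - name: Configure user
        shell: bash
        # github.actor is passed via env rather than `${{ }}`-interpolated
        # into the script, so it is never re-parsed by the shell.
        env:
          ACTOR: ${{ github.actor }}
        run: |
          USER_NAME="$ACTOR" &&
          USER_EMAIL="$ACTOR@users.noreply.github.com" &&
          mkdir -p "$HOME" &&
          git config --global user.name "$USER_NAME" &&
          git config --global user.email "$USER_EMAIL" &&
          echo "PACKAGER=$USER_NAME <$USER_EMAIL>" >>"$GITHUB_ENV"
      - uses: git-for-windows/setup-git-for-windows-sdk@v1
        with:
          flavor: build-installers
      - name: Clone build-extra
        shell: bash
        # SUPPLY CHAIN: please.sh and gnupg-with-gpgkey.sh from this checkout
        # later run with the release signing key loaded into gpg-agent and an
        # Azure session active. While BUILD_EXTRA_REV is a branch name, anything
        # merged to build-extra's main branch can sign and alter the release
        # artifacts; pin it to a reviewed commit SHA.
        env:
          BUILD_EXTRA_REV: main  # TODO(review): replace with a commit SHA
        run: |
          git clone --filter=blob:none --single-branch -b main https://github.com/git-for-windows/build-extra /usr/src/build-extra &&
          git -C /usr/src/build-extra checkout --detach "$BUILD_EXTRA_REV"
      - name: Clone git
        shell: bash
        env:
          TAG_NAME: ${{ needs.prereqs.outputs.tag_name }}
        run: |
          # Since we cannot directly clone a specified tag (as we would a branch with `git clone -b <branch name>`),
          # this clone has to be done manually (via init->fetch->reset).
          # TAG_NAME was validated against a strict pattern by the prereqs job.
          git -c init.defaultBranch=main init &&
          git remote add -f origin https://github.com/git-for-windows/git &&
          git fetch "https://github.com/$GITHUB_REPOSITORY" "refs/tags/$TAG_NAME:refs/tags/$TAG_NAME" &&
          # This is a fresh fetch, independent of the one prereqs validated:
          # re-check that what we build is still an annotated tag.
          git rev-parse -q --verify "refs/tags/$TAG_NAME^{tag}" >/dev/null || {
            echo "::error::Tag $TAG_NAME is not an annotated tag" >&2
            exit 1
          }
          git reset --hard "$TAG_NAME"
      - name: Log into Azure
        uses: azure/login@v1
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - name: Prepare for GPG signing
        env:
          AZURE_VAULT: ${{ secrets.AZURE_VAULT }}
          GPG_KEY_SECRET_NAME: ${{ secrets.GPG_KEY_SECRET_NAME }}
          GPG_PASSPHRASE_SECRET_NAME: ${{ secrets.GPG_PASSPHRASE_SECRET_NAME }}
          GPG_KEYGRIP_SECRET_NAME: ${{ secrets.GPG_KEYGRIP_SECRET_NAME }}
        shell: bash
        run: |
          # Never trace this step: the passphrase passes through shell variables.
          set +x
          # Download GPG key, passphrase, and keygrip from Azure Key Vault.
          # `-o tsv` yields the raw value, so there is no JSON quoting/escaping to undo.
          key=$(az keyvault secret show --name "$GPG_KEY_SECRET_NAME" --vault-name "$AZURE_VAULT" --query value -o tsv)
          passphrase=$(az keyvault secret show --name "$GPG_PASSPHRASE_SECRET_NAME" --vault-name "$AZURE_VAULT" --query value -o tsv)
          keygrip=$(az keyvault secret show --name "$GPG_KEYGRIP_SECRET_NAME" --vault-name "$AZURE_VAULT" --query value -o tsv)
          test -n "$key" && test -n "$passphrase" && test -n "$keygrip" || {
            echo "::error::Could not read the GPG key, passphrase or keygrip from Key Vault" >&2
            exit 1
          }
          # Import GPG key
          mkdir -p "$HOME/.gnupg" && chmod 700 "$HOME/.gnupg"
          echo "$key" | base64 -d | gpg $GPG_OPTIONS --import
          # Configure GPG to accept a passphrase cached via PRESET_PASSPHRASE
          echo "allow-preset-passphrase" >"$HOME/.gnupg/gpg-agent.conf"
          gpg-connect-agent RELOADAGENT /bye
          # gpg-agent's PRESET_PASSPHRASE takes the passphrase as a hex string,
          # and the command is fed on stdin so it never appears in the process
          # list. (Assumes the vault stores the plain passphrase; if it is
          # already stored hex-encoded, drop the od/tr encoding.)
          hex_passphrase=$(printf '%s' "$passphrase" | od -An -tx1 | tr -d ' \n')
          printf 'PRESET_PASSPHRASE %s -1 %s\n/bye\n' "$keygrip" "$hex_passphrase" | gpg-connect-agent
      - name: Prepare home directory for GPG signing
        if: env.GPG_FINGERPRINT_SECRET_NAME != ''
        env:
          AZURE_VAULT: ${{ secrets.AZURE_VAULT }}
          GPG_FINGERPRINT_SECRET_NAME: ${{secrets.GPG_FINGERPRINT_SECRET_NAME}}
        shell: bash
        run: |
          # This section ensures that the identity for the GPG key matches the git user identity, otherwise
          # signing will fail.
          # Get GPG key fingerprint from Azure Key Vault (a fingerprint is public, so it may go to GITHUB_ENV).
          GPGKEY=$(az keyvault secret show --name "$GPG_FINGERPRINT_SECRET_NAME" --vault-name "$AZURE_VAULT" --query value -o tsv) &&
          test -n "$GPGKEY" &&
          info="$(gpg --list-keys --with-colons "${GPGKEY%% *}" | cut -d : -f 1,10 | sed -n '/^uid/{s|uid:||p;q}')" &&
          test -n "$info" &&
          git config --global user.name "${info% <*}" &&
          git config --global user.email "<${info#*<}" &&
          # Export for the build and tarball-signing steps: a plain shell
          # variable does not survive the step boundary.
          echo "GPGKEY=$GPGKEY" >>"$GITHUB_ENV"
      - name: Build mingw-w64-x86_64-git
        shell: bash
        run: |
          set -x
          # GPGKEY (if configured) is in the environment via GITHUB_ENV from the previous step.
          # Make sure that there is a `/usr/bin/git` that can be used by `makepkg-mingw`
          printf '#!/bin/sh\n\nexec /mingw64/bin/git.exe "$@"\n' >/usr/bin/git &&
          # Restrict `PATH` to MSYS2 and to Visual Studio (to let `cv2pdb` find the relevant DLLs)
          PATH="/mingw64/bin:/usr/bin:/C/Program Files (x86)/Microsoft Visual Studio 14.0/VC/bin/amd64:/C/Windows/system32"
          type -p mspdb140.dll || exit 1
          sh -x /usr/src/build-extra/please.sh build-mingw-w64-git --only-64-bit --build-src-pkg -o artifacts HEAD
      - name: Sign payload files with Azure Code Signing
        # NOTE(review): pin to a commit SHA; a movable tag is a weak anchor for
        # the action that holds the code-signing session.
        uses: azure/azure-code-signing-action@v0.2.21
        with:
          endpoint: https://wus2.codesigning.azure.net/
          code-signing-account-name: git-fundamentals-signing
          certificate-profile-name: git-fundamentals-windows-signing
          files-folder: ${{ github.workspace }}\artifacts
          files-folder-filter: exe,dll
          file-digest: SHA256
          timestamp-rfc3161: http://timestamp.acs.microsoft.com
          timestamp-digest: SHA256
      - name: Sign tarballs with GPG
        shell: bash
        env:
          TAG_NAME: ${{ needs.prereqs.outputs.tag_name }}
        run: |
          # GPGKEY comes from GITHUB_ENV (set in "Prepare home directory for GPG signing");
          # it is empty when no fingerprint secret is configured, and signing is then skipped.
          # `|| exit 1` is required: inside this `if` (itself part of a `&&` list)
          # errexit is suspended, so a failed signature would otherwise go unnoticed.
          if test -n "$GPGKEY"
          then
            for tar in artifacts/*.tar*
            do
              test -e "$tar" || continue  # unmatched glob
              /usr/src/build-extra/gnupg-with-gpgkey.sh --detach-sign --no-armor "$tar" || exit 1
            done
          fi &&
          b=$PWD/artifacts &&
          version=$TAG_NAME &&
          (cd /usr/src/MINGW-packages/mingw-w64-git &&
           cp "PKGBUILD.$version" PKGBUILD &&
           git commit -s -m "mingw-w64-git: new version ($version)" PKGBUILD &&
           git bundle create "$b"/MINGW-packages.bundle origin/main..main)
      - name: Publish mingw-w64-x86_64-git
        uses: actions/upload-artifact@v3
        with:
          name: pkg-x86_64
          path: artifacts
      - name: action-tmate
        if: failure()
        uses: mxschmitt/action-tmate@v3
        # At this point the runner holds the imported GPG signing key with its
        # passphrase preset in gpg-agent and an Azure session. Restrict the
        # debug shell to the user who triggered the run, so the connection
        # string printed in the job log cannot be used by anyone else.
        with:
          limit-access-to-actor: true
# End build Windows installers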