diff --git a/.github/workflows/windows-test.yml b/.github/workflows/windows-test.yml index c86e9b3bf19935..20f3a4a1837fc4 100644 --- a/.github/workflows/windows-test.yml +++ b/.github/workflows/windows-test.yml @@ -1,9 +1,5 @@ name: build-git-installers -permissions: - id-token: write - contents: write - on: push: tags: @@ -75,6 +71,23 @@ jobs: with: flavor: build-installers + - name: Run tmate + shell: bash + run: | + # install tmate + pacman -Sy --noconfirm tmate openssh && + + # Generate an SSH key (needed for tmate) + echo -e 'y\n' | ssh-keygen -q -t rsa -N '' -f ~/.ssh/id_rsa && + + # Start tmate session + export CHERE_INVOKING=1 && + tmate -S /tmp/tmate.sock -a ~/.ssh/authorized_keys new-session -d && + tmate -S /tmp/tmate.sock wait tmate-ready && + + # Print SSH invocation every 5 seconds, until tmate session has terminated + tmate -S /tmp/tmate.sock display -p '#{tmate_ssh}' + - name: Clone build-extra shell: bash run: | 
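Review bot: The new `Run tmate` step has no `if:` guard, so every tag push opens an interactive SSH session on the runner and prints its connection string (`#{tmate_ssh}`) into the job log, in the same job that later configures the Azure code-signing alias. The `-a ~/.ssh/authorized_keys` option is meant to restrict who may attach, but the step only generates a fresh key pair and nothing visible here writes a public key into that file, so it is worth confirming that access is restricted at all. I would gate the step with `if: failure()` (or a manual-dispatch input) and limit access to the triggering user, for example by keeping the `mxschmitt/action-tmate@v3` step that a later hunk removes and adding `limit-access-to-actor: true` to it. The first hunk also drops the explicit `permissions:` block, so the job token falls back to the repository default, which may be broader than the two scopes listed before.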
@@ -100,52 +113,7 @@ jobs: - name: Configure Azure Code Signing shell: bash run: | - git config alias.signtool '!f() { printf "%s\n" "$@" >./catalog && /c/Windows/System32/WindowsPowerShell/v1.0/powershell -command "Invoke-AzureCodeSigning -Endpoint https://wus2.codesigning.azure.net/ -CodeSigningAccountName git-fundamentals-signing -CertificateProfileName git-fundamentals-windows-signing -FilesCatalog ./catalog -FileDigest SHA256 -TimestampRfc3161 http://timestamp.acs.microsoft.com -TimestampDigest SHA256"; };f' - - - name: Prepare for GPG signing - env: - AZURE_VAULT: ${{ secrets.AZURE_VAULT }} - GPG_KEY_SECRET_NAME: ${{ secrets.GPG_KEY_SECRET_NAME }} - GPG_PASSPHRASE_SECRET_NAME: ${{ secrets.GPG_PASSPHRASE_SECRET_NAME }} - GPG_KEYGRIP_SECRET_NAME: ${{ secrets.GPG_KEYGRIP_SECRET_NAME }} - shell: bash - run: | - # Download GPG key, passphrase, and keygrip from Azure Key Vault - key=$(az keyvault secret show --name $GPG_KEY_SECRET_NAME --vault-name $AZURE_VAULT --query "value") - passphrase=$(az keyvault secret show --name $GPG_PASSPHRASE_SECRET_NAME --vault-name $AZURE_VAULT --query "value") - keygrip=$(az keyvault secret show --name $GPG_KEYGRIP_SECRET_NAME --vault-name $AZURE_VAULT --query "value") - - # Remove quotes from downloaded values - key=$(sed -e 's/^"//' -e 's/"$//' <<<"$key") - passphrase=$(sed -e 's/^"//' -e 's/"$//' <<<"$passphrase") - keygrip=$(sed -e 's/^"//' -e 's/"$//' <<<"$keygrip") - - # Import GPG key - echo "$key" | base64 -d | gpg $GPG_OPTIONS --import - - # Configure GPG - echo "allow-preset-passphrase" > ~/.gnupg/gpg-agent.conf - gpg-connect-agent RELOADAGENT /bye - gpg-connect-agent 'PRESET_PASSPHRASE "$keygrip" -1 "$passphrase"' /bye - - - name: Prepare home directory for GPG signing - if: env.GPG_FINGERPRINT_SECRET_NAME != '' - shell: bash - run: | - # This section ensures that the identity for the GPG key matches the git user identity, otherwise - # signing will fail - - # Get GPG key fingerprint from Azure Key Vault - GPGKEY=$(az 
keyvault secret show --name "$GPG_FINGERPRINT_SECRET_NAME" \ - --vault-name "$AZURE_VAULT" --query "value" \ - | sed -e 's/^"//' -e 's/"$//') - - info="$(gpg --list-keys --with-colons "${GPGKEY%% *}" | cut -d : -f 1,10 | sed -n '/^uid/{s|uid:||p;q}')" && - git config --global user.name "${info% <*}" && - git config --global user.email "<${info#*<}" - env: - AZURE_VAULT: ${{ secrets.AZURE_VAULT }} - GPG_FINGERPRINT_SECRET_NAME: ${{secrets.GPG_FINGERPRINT_SECRET_NAME}} + git config alias.signtool '!f() { printf "%s\n" "$@" >./catalog && cat ./catalog && /c/Windows/System32/WindowsPowerShell/v1.0/powershell -command "Invoke-AzureCodeSigning -Endpoint https://wus2.codesigning.azure.net/ -CodeSigningAccountName git-fundamentals-signing -CertificateProfileName git-fundamentals-windows-signing -FilesCatalog ./catalog -FileDigest SHA256 -TimestampRfc3161 http://timestamp.acs.microsoft.com -TimestampDigest SHA256"; };f' - name: Build mingw-w64-x86_64-git env: 
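Review bot: The added `cat ./catalog &&` in the `signtool` alias looks like a debugging aid and is not explained; it echoes every path submitted for signing into the job log. If it is meant to stay, a comment above the `git config alias.signtool` line such as `# Print the signing catalog so the log records which files were submitted` would make the intent clear; otherwise it should be dropped before this is merged. The alias itself stays configured for the rest of the job, including while the tmate session from the earlier hunk is open, which is one more reason to restrict that session.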
@@ -170,210 +138,17 @@ jobs: # Install Azure Code Signing Module /c/Windows/System32/WindowsPowerShell/v1.0/powershell -command "Install-Module -Name AzureCodeSigning -RequiredVersion 0.2.24 -Force -Repository PSGallery" + cp /mingw64/bin/git.exe ./g.exe && git signtool g.exe sh -x /usr/src/build-extra/please.sh build-mingw-w64-git --only-64-bit --build-src-pkg -o artifacts HEAD - - name: Sign tarballs with GPG - shell: bash - run: | - if test -n "$GPGKEY" - then - for tar in artifacts/*.tar* - do - /usr/src/build-extra/gnupg-with-gpgkey.sh --detach-sign --no-armor $tar - done - fi && - - b=$PWD/artifacts && - version=${{ needs.prereqs.outputs.tag_name }} && - (cd /usr/src/MINGW-packages/mingw-w64-git && - cp PKGBUILD.$version PKGBUILD && - git commit -s -m "mingw-w64-git: new version ($version)" PKGBUILD && - git bundle create "$b"/MINGW-packages.bundle origin/main..main) - - - name: action-tmate - if: failure() - uses: mxschmitt/action-tmate@v3 - - - name: Publish mingw-w64-x86_64-git - uses: actions/upload-artifact@v3 - with: - name: pkg-x86_64 - path: artifacts - - create-windows-artifacts: - runs-on: windows-2019 - environment: release - needs: [prereqs, windows_pkg] - env: - HOME: "${{github.workspace}}\\home" - strategy: - matrix: - artifact: - - name: installer - fileprefix: Git - - name: portable - fileprefix: PortableGit - fail-fast: false - steps: - - name: Download pkg-x86_64 - uses: actions/download-artifact@v3 - with: - name: pkg-x86_64 - path: pkg-x86_64 - - - uses: git-for-windows/setup-git-for-windows-sdk@v1 - with: - flavor: build-installers - - - name: Clone build-extra - shell: bash - run: | - git clone --filter=blob:none --single-branch -b main https://github.com/git-for-windows/build-extra /usr/src/build-extra - - - name: Retarget auto-update to microsoft/git + - name: wait for tmate to be done + if: always() shell: bash run: | - set -x - - b=/usr/src/build-extra && - - filename=$b/git-update-git-for-windows.config - tr % '\t' >$filename 
<<-\EOF && - [update] - %fromFork = microsoft/git - EOF - - sed -i -e '/^#include "file-list.iss"/a\ - Source: {#SourcePath}\\..\\git-update-git-for-windows.config; DestDir: {app}\\mingw64\\bin; Flags: replacesameversion; AfterInstall: DeleteFromVirtualStore' \ - -e '/^Type: dirifempty; Name: {app}\\{#MINGW_BITNESS}$/i\ - Type: files; Name: {app}\\{#MINGW_BITNESS}\\bin\\git-update-git-for-windows.config\ - Type: dirifempty; Name: {app}\\{#MINGW_BITNESS}\\bin' \ - $b/installer/install.iss - - - name: Set alerts to continue until upgrade is taken - shell: bash - run: | - set -x - - b=/mingw64/bin && - - sed -i -e '6 a use_recently_seen=no' \ - $b/git-update-git-for-windows - - - name: Set the installer Publisher to the Git Fundamentals team - shell: bash - run: | - b=/usr/src/build-extra && - sed -i -e 's/^\(AppPublisher=\).*/\1The Git Fundamentals Team at GitHub/' $b/installer/install.iss - - - name: Let the installer configure Visual Studio to use the installed Git - shell: bash - run: | - set -x - - b=/usr/src/build-extra && - - sed -i -e '/^ *InstallAutoUpdater();$/a\ - CustomPostInstall();' \ - -e '/^ *UninstallAutoUpdater();$/a\ - CustomPostUninstall();' \ - $b/installer/install.iss && - - cat >>$b/installer/helpers.inc.iss <<\EOF - - procedure CustomPostInstall(); - begin - if not RegWriteStringValue(HKEY_CURRENT_USER,'Software\Microsoft\VSCommon\15.0\TeamFoundation\GitSourceControl','GitPath',ExpandConstant('{app}')) or - not RegWriteStringValue(HKEY_CURRENT_USER,'Software\Microsoft\VSCommon\16.0\TeamFoundation\GitSourceControl','GitPath',ExpandConstant('{app}')) or - not RegWriteStringValue(HKEY_CURRENT_USER,'Software\Microsoft\VSCommon\17.0\TeamFoundation\GitSourceControl','GitPath',ExpandConstant('{app}')) or - not RegWriteStringValue(HKEY_CURRENT_USER,'Software\Microsoft\VSCommon\18.0\TeamFoundation\GitSourceControl','GitPath',ExpandConstant('{app}')) or - not 
RegWriteStringValue(HKEY_CURRENT_USER,'Software\Microsoft\VSCommon\19.0\TeamFoundation\GitSourceControl','GitPath',ExpandConstant('{app}')) or - not RegWriteStringValue(HKEY_CURRENT_USER,'Software\Microsoft\VSCommon\20.0\TeamFoundation\GitSourceControl','GitPath',ExpandConstant('{app}')) then - LogError('Could not register TeamFoundation\GitSourceControl'); - end; - - procedure CustomPostUninstall(); - begin - if not RegDeleteValue(HKEY_CURRENT_USER,'Software\Microsoft\VSCommon\15.0\TeamFoundation\GitSourceControl','GitPath') or - not RegDeleteValue(HKEY_CURRENT_USER,'Software\Microsoft\VSCommon\16.0\TeamFoundation\GitSourceControl','GitPath') or - not RegDeleteValue(HKEY_CURRENT_USER,'Software\Microsoft\VSCommon\17.0\TeamFoundation\GitSourceControl','GitPath') or - not RegDeleteValue(HKEY_CURRENT_USER,'Software\Microsoft\VSCommon\18.0\TeamFoundation\GitSourceControl','GitPath') or - not RegDeleteValue(HKEY_CURRENT_USER,'Software\Microsoft\VSCommon\19.0\TeamFoundation\GitSourceControl','GitPath') or - not RegDeleteValue(HKEY_CURRENT_USER,'Software\Microsoft\VSCommon\20.0\TeamFoundation\GitSourceControl','GitPath') then - LogError('Could not register TeamFoundation\GitSourceControl'); - end; - EOF - - - name: Enable Scalar/C and the auto-updater in the installer by default - shell: bash - run: | - set -x - - b=/usr/src/build-extra && - - sed -i -e "/ChosenOptions:=''/a\\ - if (ExpandConstant('{param:components|/}')='/') then begin\n\ - WizardSelectComponents('autoupdate');\n\ - #ifdef WITH_SCALAR\n\ - WizardSelectComponents('scalar');\n\ - #endif\n\ - end;" $b/installer/install.iss - - - name: Build 64-bit ${{matrix.artifact.name}} - shell: bash - run: | - set -x - - # Copy the PDB archive to the directory where `--include-pdbs` expects it - b=/usr/src/build-extra && - mkdir -p $b/cached-source-packages && - cp pkg-x86_64/*-pdb* $b/cached-source-packages/ && - - # Build the installer, embedding PDBs - eval $b/please.sh make_installers_from_mingw_w64_git 
--include-pdbs \ - --version=${{ needs.prereqs.outputs.tag_version }} \ - -o artifacts --${{matrix.artifact.name}} \ - --pkg=pkg-x86_64/mingw-w64-x86_64-git-[0-9]*.tar.xz \ - --pkg=pkg-x86_64/mingw-w64-x86_64-git-doc-html-[0-9]*.tar.xz && - - if test portable = '${{matrix.artifact.name}}' && test -n "$(git config alias.signtool)" - then - git signtool artifacts/PortableGit-*.exe - fi && - openssl dgst -sha256 artifacts/${{matrix.artifact.fileprefix}}-*.exe | sed "s/.* //" >artifacts/sha-256.txt - - - name: Log into Azure - uses: azure/login@v1 - with: - creds: ${{ secrets.AZURE_CREDENTIALS }} - - - name: Install Azure Code Signing Module - shell: pwsh - run: | - Install-Module -Name AzureCodeSigning -RequiredVersion 0.2.24 -Force ` - -Repository PSGallery - - - name: Sign installers with Azure Code Signing - uses: azure/azure-code-signing-action@v0.2.21 - with: - endpoint: https://wus2.codesigning.azure.net/ - code-signing-account-name: git-fundamentals-signing - certificate-profile-name: git-fundamentals-windows-signing - files-folder: ${{ github.workspace }}\artifacts - files-folder-filter: exe - file-digest: SHA256 - timestamp-rfc3161: http://timestamp.acs.microsoft.com - timestamp-digest: SHA256 - - - name: Verify that .exe files are code-signed - shell: bash - run: | - PATH=$PATH:"/c/Program Files (x86)/Windows Kits/10/App Certification Kit/" \ - signtool verify //pa artifacts/${{matrix.artifact.fileprefix}}-*.exe - - - name: Publish ${{matrix.artifact.name}}-x86_64 - uses: actions/upload-artifact@v3 - with: - name: win-${{matrix.artifact.name}}-x86_64 - path: artifacts + PATH=$HOME/bin:$PATH + while test -e /tmp/tmate.sock + do + tmate -S /tmp/tmate.sock display -p '#{tmate_ssh}' + sleep 5 + done # End build Windows installers
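Review bot: The `wait for tmate to be done` step has no upper bound: with `if: always()` and `while test -e /tmp/tmate.sock` it holds the runner, and the SSH session on it, until someone ends the session by hand or the job's own timeout expires. Adding `timeout-minutes: 30` to the step (the value is an example) would cut off a forgotten session. Separately, `cp /mingw64/bin/git.exe ./g.exe && git signtool g.exe` submits a throwaway copy to the real `git-fundamentals-windows-signing` profile, and nothing visible verifies or deletes the result, while this hunk also removes the `signtool verify` step. If the test signature is needed, follow it with a verification and `rm -f g.exe` so a signed stray binary is not left in the workspace.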