automatic release to GitHub #279

Merged: 9 commits, May 24, 2022
23 changes: 23 additions & 0 deletions .github/workflows/build-artifact.yml
@@ -0,0 +1,23 @@
---
name: build dev artifact

on:
pull_request:

permissions:
contents: read
pull-requests: read

jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/setup-go@v3
with:
go-version: 1.18
- uses: actions/checkout@v3
- run: make dev
- uses: actions/upload-artifact@v3
with:
name: linux_x64
path: ${{ github.workspace }}/bin/noisetorch
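Review bot: `actions/setup-go@v3`, `actions/checkout@v3` and `actions/upload-artifact@v3` are referenced by mutable major-version tags, so a moved or compromised tag runs arbitrary code in this job; pin each to a full commit SHA with the version in a trailing comment (`uses: actions/checkout@<sha> # v3`). The `permissions:` block with `contents: read` and `pull-requests: read` is the right default for a `pull_request` trigger and bounds what such a compromise could reach. One smaller point: quote `go-version: "1.18"`, because YAML parses the bare value as a float (harmless for 1.18, but `1.20` would become `1.2`).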
34 changes: 34 additions & 0 deletions .github/workflows/release.yml
@@ -0,0 +1,34 @@
---
name: release

on:
push:
tags:
- "v*.*.*"

permissions:
contents: write

jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/setup-go@v3
with:
go-version: 1.18
- uses: actions/checkout@v3
- name: Build release artifact
run: |
mkdir -p ~/.config/noisetorch
echo '${{ secrets.NOISETORCH_SIGNER_PRIVKEY_BASE64 }}' | base64 -d > ~/.config/noisetorch/private.key
make release
rm -rf ~/.config/noisetorch/
for f in bin/NoiseTorch_x64_*.tgz ; do md5sum ${f} | tee ${f}.md5sum ; sha512sum ${f} | tee ${f}.sha512sum ; done
- name: Release
uses: softprops/action-gh-release@v1
with:
files: |
${{ github.workspace }}/bin/NoiseTorch_x64_*.tgz
${{ github.workspace }}/bin/NoiseTorch_x64_*.tgz.sig
${{ github.workspace }}/bin/NoiseTorch_x64_*.tgz.md5sum
Contributor Author:

md5sums are more common, and more people know how to use them to verify the integrity of files.

Collaborator:

Whoops, sorry, meant to do a comment, not a review, so I deleted that. I'm still partial to doing a sha256sum over an md5 or sha1, given the cheapness of those attacks. At the very least, could we include both md5 and sha256?

Contributor Author:

I would agree, if this was used to secure anything vital. But it's only a checksum to verify whether the file has been altered or is another file altogether. Do you think this is still a reason to use a more sophisticated checksum algorithm?

Contributor Author:

Oh well, why not? -> see 536f5b3

Collaborator:

Thanks! In reality, there probably isn't a huge amount of risk, but it's something that doesn't hurt at all to add :)

I appreciate it getting added to the PR.

${{ github.workspace }}/bin/NoiseTorch_x64_*.tgz.sha512sum
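Review bot: the decoded private key written to `~/.config/noisetorch/private.key` in the "Build release artifact" step is only removed by the `rm -rf` at the end of the same `run` block; GitHub runs `run` scripts with `bash -e -o pipefail`, so if `make release` fails the script aborts before the cleanup and the key stays on the runner for the rest of the job (ephemeral on hosted runners, persistent on a self-hosted one). Put `trap 'rm -rf ~/.config/noisetorch/' EXIT` at the top of the script, or move the cleanup into its own step with `if: always()`. Also pass the secret through `env:` rather than inlining it as `echo '${{ secrets.NOISETORCH_SIGNER_PRIVKEY_BASE64 }}'` into the script text, which is the pattern GitHub's own guidance advises against (`env: KEY_B64: ${{ secrets.NOISETORCH_SIGNER_PRIVKEY_BASE64 }}` and then `printf '%s' "$KEY_B64" | base64 -d > ...`). The checksum lines produced by `md5sum ${f} | tee ${f}.md5sum` and `sha512sum ${f} | tee ${f}.sha512sum` embed the path `bin/NoiseTorch_x64_<ver>.tgz`, so a user running `sha512sum -c` next to the downloaded archive gets "No such file or directory"; run the checksum from inside `bin/` (`(cd bin && sha512sum NoiseTorch_x64_*.tgz > ...)`) so the recorded name is bare. Finally, `softprops/action-gh-release@v1` runs with `contents: write` and should be pinned to a commit SHA, since a moved tag there could publish arbitrary release assets.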
12 changes: 5 additions & 7 deletions Makefile
@@ -1,5 +1,5 @@
UPDATE_URL=https://noisetorch.epicgamer.org
UPDATE_PUBKEY=3mL+rBi4yBZ1wGimQ/oSQCjxELzgTh+673H4JdzQBOk=
UPDATE_URL=
UPDATE_PUBKEY=Md2rdsS+b6W0trgcqa5lAWP978Zj0sFmubJ252OPKwc=
@ZyanKLee (Contributor Author), May 23, 2022:

This is the public key that corresponds to the new signer key. They are used, in the end, to let update.go verify the integrity of our new release artifact.

VERSION := $(shell git describe --tags)

dev: rnnoise
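Review bot: replacing `UPDATE_PUBKEY` rotates the update-verification key, so any already-installed build that embeds the old key `3mL+rBi4yBZ1wGimQ/oSQCjxELzgTh+673H4JdzQBOk=` can no longer verify a release signed with the new one; the PR description should say how existing installs are expected to migrate (a transition release signed by both keys, or an explicit note that in-app update is cut over). `UPDATE_URL=` is left blank rather than removed; if disabling the updater endpoint is intended, a comment on that line would stop someone from "fixing" it back to `https://noisetorch.epicgamer.org` later.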
@@ -18,13 +18,11 @@ release: rnnoise

mkdir -p tmp/.local/bin/
go generate
CGO_ENABLED=0 GOOS=linux go build -trimpath -tags release -a -ldflags '-s -w -extldflags "-static" -X main.version=${VERSION} -X main.distribution=official -X main.updateURL=${UPDATE_URL} -X main.publicKeyString=${UPDATE_PUBKEY}' .
upx noisetorch
CGO_ENABLED=0 GOOS=linux go build -trimpath -tags release -a -ldflags '-s -w -extldflags "-static" -X main.version=${VERSION} -X main.distribution=official' .
mv noisetorch tmp/.local/bin/
cd tmp/; \
tar cvzf ../bin/NoiseTorch_x64.tgz .
tar cvzf ../bin/NoiseTorch_x64_${VERSION}.tgz .
rm -rf tmp/
go run scripts/signer.go -s
git describe --tags > bin/version.txt
go run scripts/signer.go -s -f bin/NoiseTorch_x64_${VERSION}.tgz
rnnoise:
$(MAKE) -C c/ladspa
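Review bot: the new `go build` line drops `-X main.updateURL=${UPDATE_URL} -X main.publicKeyString=${UPDATE_PUBKEY}` from `-ldflags`, so nothing left in this Makefile consumes `UPDATE_URL` or `UPDATE_PUBKEY`; either the public key now reaches `update.go` by another path (for instance via `go generate`), which the PR should state, or the variables are dead and the rotated key in the first hunk never lands in the shipped binary. Consider a verification pass right after signing, `go run scripts/signer.go -k ${UPDATE_PUBKEY} -f bin/NoiseTorch_x64_${VERSION}.tgz`, so `make release` fails when the private key in `~/.config/noisetorch` and the public key in the Makefile don't match. Also worth a line in the commit message: `upx noisetorch` and `git describe --tags > bin/version.txt` are removed, and `bin/NoiseTorch_x64.tgz` becomes `bin/NoiseTorch_x64_${VERSION}.tgz`, which is the name the release workflow's globs depend on.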
19 changes: 13 additions & 6 deletions scripts/signer.go
@@ -25,8 +25,13 @@ func main() {
var publicKeyString string
flag.StringVar(&publicKeyString, "k", "", "Public key to verify against (runs verifier if set)")

var artifactFile string
flag.StringVar(&artifactFile, "f", "", "Artifact file name and path that should be signed")

flag.Parse()

signatureFile := artifactFile + ".sig"

if doGenerate {
generateKeypair()
os.Exit(0)
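Review bot: `signatureFile := artifactFile + ".sig"` is computed before `artifactFile` is validated, so when `-f` is omitted it is the non-empty string `".sig"`, and any later `signatureFile != ""` guard can never fail. Validate `artifactFile` right after `flag.Parse()` (print usage and exit non-zero when `-s` or `-k` is given without `-f`) and derive the signature path only after that check.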
@@ -38,10 +43,10 @@ func main() {
os.Exit(0)
}

if doSign {
if doSign && artifactFile != "" {
_, priv := loadKeys()

file, err := ioutil.ReadFile("bin/NoiseTorch_x64.tgz")
file, err := ioutil.ReadFile(artifactFile)
if err != nil {
panic(err)
}
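Review bot: `if doSign && artifactFile != ""` silently skips signing when `-f` is missing; as far as the diff shows the program then falls past both branches and exits without an error and without writing a `.sig`, so `make release` would continue and the release workflow's `*.tgz.sig` glob would simply match nothing, publishing an unsigned release. Write an error to stderr and `os.Exit(2)` when `doSign` is set without an artifact. Separately, `ioutil.ReadFile` is deprecated since Go 1.16 and the build uses 1.18; `os.ReadFile` is a drop-in replacement.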
@@ -50,24 +55,26 @@ func main() {
if err != nil {
panic(err)
}
if err := ioutil.WriteFile("bin/NoiseTorch_x64.tgz.sig", sig, 0644); err != nil {

err = ioutil.WriteFile(signatureFile, sig, 0640)
if err != nil {
panic(err)
}
os.Exit(0)
}

if publicKeyString != "" {
if publicKeyString != "" && artifactFile != "" && signatureFile != "" {
pub, err := base64.StdEncoding.DecodeString(publicKeyString)
if err != nil {
panic(err)
}

file, err := ioutil.ReadFile("bin/NoiseTorch_x64.tgz")
file, err := ioutil.ReadFile(artifactFile)
if err != nil {
panic(err)
}

sig, err := ioutil.ReadFile("bin/NoiseTorch_x64.tgz.sig")
sig, err := ioutil.ReadFile(signatureFile)
if err != nil {
panic(err)
}
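Review bot: `signatureFile != ""` in the verifier condition is redundant, because `signatureFile` is always `artifactFile + ".sig"` and `artifactFile != ""` is already tested; drop it. The write mode change from `0644` to `0640` is harmless for a signature, which is public data, but unexplained; if it is intentional, say why in the commit message, since a world-unreadable `.sig` in `bin/` can surprise a packaging step that runs as a different user. The `panic(err)` on every I/O failure prints a stack trace instead of a message; for a CLI, `log.Fatalf` or `fmt.Fprintln(os.Stderr, err); os.Exit(1)` is the idiomatic choice.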
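To show what a user (or `update.go`) has to do on the receiving end of this pipeline, here is an added example, not code from NoiseTorch, that verifies a downloaded archive against its `.sha512sum` line and its `.sig` file. It assumes the signature is Ed25519 over the raw archive bytes (consistent with the 32-byte base64 `UPDATE_PUBKEY`, but the signing call itself is not on this page), and it tolerates the `bin/` prefix that the workflow's `sha512sum ${f}` writes into the checksum file. The key pair and the archive bytes in `main` are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha512"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"path/filepath"
	"strings"
)

// ParseChecksumLine parses one line of sha512sum output, "<hex>  <path>",
// and returns the digest together with the basename of the path. The release
// workflow runs sha512sum from the repository root, so the shipped checksum
// file names the artifact as "bin/NoiseTorch_x64_<ver>.tgz"; comparing
// basenames lets a user verify from the directory they downloaded into.
func ParseChecksumLine(line string) ([]byte, string, error) {
	fields := strings.Fields(line)
	if len(fields) != 2 {
		return nil, "", fmt.Errorf("malformed checksum line: %q", line)
	}
	digest, err := hex.DecodeString(fields[0])
	if err != nil || len(digest) != sha512.Size {
		return nil, "", fmt.Errorf("bad sha512 digest in %q", line)
	}
	// sha512sum -b marks binary-mode files with a leading '*'.
	name := filepath.Base(strings.TrimPrefix(fields[1], "*"))
	return digest, name, nil
}

// VerifyChecksum checks that artifact matches the digest in checksumLine and
// that the line refers to a file of the same (base) name.
func VerifyChecksum(artifactName string, artifact []byte, checksumLine string) error {
	want, name, err := ParseChecksumLine(checksumLine)
	if err != nil {
		return err
	}
	if name != filepath.Base(artifactName) {
		return fmt.Errorf("checksum file is for %q, not %q", name, filepath.Base(artifactName))
	}
	got := sha512.Sum512(artifact)
	if !bytes.Equal(got[:], want) {
		return fmt.Errorf("sha512 mismatch for %s", artifactName)
	}
	return nil
}

// VerifySignature checks sig over the raw artifact bytes with an Ed25519
// public key given in the base64 form used for UPDATE_PUBKEY. Ed25519 over
// the raw bytes is an assumption; the page does not show the signing call.
func VerifySignature(pubKeyB64 string, artifact, sig []byte) error {
	pub, err := base64.StdEncoding.DecodeString(pubKeyB64)
	if err != nil {
		return fmt.Errorf("public key is not valid base64: %w", err)
	}
	if len(pub) != ed25519.PublicKeySize {
		return fmt.Errorf("public key is %d bytes, want %d", len(pub), ed25519.PublicKeySize)
	}
	if len(sig) != ed25519.SignatureSize {
		return fmt.Errorf("signature is %d bytes, want %d", len(sig), ed25519.SignatureSize)
	}
	if !ed25519.Verify(ed25519.PublicKey(pub), artifact, sig) {
		return fmt.Errorf("signature does not verify")
	}
	return nil
}

// VerifyRelease runs both checks. The checksum only detects corruption or a
// substituted file; the signature is what ties the archive to the signing key.
func VerifyRelease(pubKeyB64, artifactName string, artifact, sig []byte, checksumLine string) error {
	if err := VerifyChecksum(artifactName, artifact, checksumLine); err != nil {
		return err
	}
	return VerifySignature(pubKeyB64, artifact, sig)
}

func main() {
	// Constructed demo: a throwaway key pair and a stand-in for the tarball,
	// signed the way scripts/signer.go -s -f is assumed to sign it.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	artifact := []byte("stand-in for NoiseTorch_x64_v0.12.0.tgz")
	sig := ed25519.Sign(priv, artifact)
	sum := sha512.Sum512(artifact)
	// Same shape as the file the workflow writes, bin/ prefix included.
	line := fmt.Sprintf("%x  bin/NoiseTorch_x64_v0.12.0.tgz\n", sum)
	pubB64 := base64.StdEncoding.EncodeToString(pub)

	fmt.Println("genuine:", VerifyRelease(pubB64, "NoiseTorch_x64_v0.12.0.tgz", artifact, sig, line))
	tampered := append([]byte{}, artifact...)
	tampered[0] ^= 0x01
	fmt.Println("tampered:", VerifyRelease(pubB64, "NoiseTorch_x64_v0.12.0.tgz", tampered, sig, line))
}
```

Both checks are run in the order a user would run them: the cheap checksum first to catch a truncated download, then the signature, which is the only step that actually rules out a substituted archive, since an attacker who can replace the `.tgz` on the release page can replace the `.sha512sum` beside it just as easily.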