fix line endings for reproducible SHAs #327
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: "Generate Releases" | |
on: | |
release: | |
types: [ published ] | |
# To test this workflow without creating a release, uncomment the following and add a branch name (making sure "push" | |
# is at the same indent level as "release": | |
push: | |
branches: | |
- 'feature/issue-756_airgap' | |
jobs: | |
release: | |
runs-on: ${{ matrix.os }} | |
strategy: | |
matrix: | |
os: [ ubuntu-latest, windows-latest, macos-latest ] # add macos-latest-xlarge for silicon (a paid feature) | |
steps: | |
- name: "Create base filename for all artifacts" | |
id: basefn | |
shell: bash | |
run: | | |
FILEPATH=$(echo rctab_${{ github.ref_name }}_${{ runner.os }}_${{ runner.arch }} | sed -e 's/\//_/g') | |
echo "FILEPATH=$FILEPATH" >> $GITHUB_OUTPUT | |
# Normalize platform-specific filepaths generated by gradle | |
- name: "Create .zip filename" | |
id: zipfn | |
shell: bash | |
run: echo "FILEPATH=build/${{ steps.basefn.outputs.FILEPATH }}.zip" >> $GITHUB_OUTPUT | |
- name: "Get extension" | |
id: ext | |
shell: bash | |
run: | | |
if [ ${{ runner.os }} == 'Windows' ]; then | |
echo "EXT=.exe" >> $GITHUB_OUTPUT | |
elif [ ${{ runner.os }} == 'Linux' ]; then | |
echo "EXT=.deb" >> $GITHUB_OUTPUT | |
else | |
echo "EXT=.dmg" >> $GITHUB_OUTPUT | |
fi | |
- name: "Get jpackage output filepath" | |
id: jpackagefn | |
shell: bash | |
run: | | |
# TODO Sync version number with Main.java and build.gradle (github.com/BrightSpots/rcv/issues/662) | |
# The version numbers are hardcoded because the files below include the version number in them, | |
# and while we could use some regex to figure out the version number automatically, it seems cleaner | |
# to know the expected version number upfront. | |
if [ ${{ runner.os }} == 'Windows' ]; then | |
echo "FILEPATH=build/jpackage/RCTab-1.3.999.exe" >> $GITHUB_OUTPUT | |
elif [ ${{ runner.os }} == 'Linux' ]; then | |
echo "FILEPATH=build/jpackage/rctab_1.3.999_amd64.deb" >> $GITHUB_OUTPUT | |
else | |
echo "FILEPATH=build/jpackage/RCTab-1.3.999.dmg" >> $GITHUB_OUTPUT | |
fi | |
- name: "Create executable filename" | |
id: exefn | |
shell: bash | |
run: echo "FILEPATH=build/${{ steps.basefn.outputs.FILEPATH }}${{ steps.ext.outputs.EXT }}" >> $GITHUB_OUTPUT | |
- uses: actions/checkout@v3 | |
- name: "Set up JDK 20.0.1" | |
uses: actions/setup-java@v3 | |
with: | |
java-version: '20.0.1' | |
distribution: 'temurin' | |
- name: "Validate Gradle wrapper" | |
uses: gradle/wrapper-validation-action@ccb4328a959376b642e027874838f60f8e596de3 | |
- name: "Create zip with jlinkZip" | |
uses: ./.github/actions/gradle-and-sha | |
with: | |
gradle-command: jlinkZip | |
intermediate-filepath: build/rcv.zip | |
final-filepath: ${{ steps.zipfn.outputs.FILEPATH }} | |
- name: "Create caches filename" | |
id: cachefn | |
shell: bash | |
run: | | |
mkdir cache | |
echo "FILEPATH=cache/${{ steps.basefn.outputs.FILEPATH }}.cache.zip" >> $GITHUB_OUTPUT | |
- name: "Create checksum filename" | |
id: checksumsfn | |
shell: bash | |
run: | | |
echo "FILEPATH=cache/checksums.csv" >> $GITHUB_OUTPUT | |
- name: "Generate SHA1 and SHA256 for each maven dependency" | |
shell: bash | |
run: ./.github/workflows/generate-dependency-hashes.sh ${{ runner.os }} >> ${{steps.checksumsfn.outputs.FILEPATH}} | |
- name: "Create dependency zip" | |
uses: ./.github/actions/zip | |
with: | |
# Build, then remove all non-essential files | |
command: ./gradlew assemble && ./gradlew --stop | |
input: "~/.gradle/caches" | |
zipFilename: ${{steps.cachefn.outputs.FILEPATH}} | |
- name: "Generate SHA512 for plugins cache" | |
shell: bash | |
run: | | |
./.github/workflows/sha.sh ${{steps.cachefn.outputs.FILEPATH}} ${{ runner.os }} 512 > ${{steps.cachefn.outputs.FILEPATH}}.sha512 | |
- name: "Generate SHA512 for plugins' checksums" | |
shell: bash | |
run: | | |
./.github/workflows/sha.sh ${{steps.checksumsfn.outputs.FILEPATH}} ${{ runner.os }} 512 > ${{steps.checksumsfn.outputs.FILEPATH}}.sha512 | |
- name: "Generate Golden SHA512 for jlinkZip" | |
uses: ./.github/actions/sha-of-zip | |
with: | |
zipFilename: ${{ steps.zipfn.outputs.FILEPATH }} | |
shaA: 512 | |
- name: "Prepare keychain" | |
if: matrix.os == 'macOS-latest' | |
env: | |
MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }} | |
MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }} | |
run: | | |
export TEMP_PWD=temporary-password-to-avoid-GUI-prompt | |
echo "Decode Base64 certificates" | |
echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12 | |
echo "Create and unlock keychain" | |
security create-keychain -p $TEMP_PWD build.keychain | |
security unlock-keychain -p $TEMP_PWD build.keychain | |
echo "Import certificates into keychain" | |
# Note: in the next command, the -A should not be used outside of github actions. | |
# It allows any application to read the keychain, which is fine in an ephemeral environment, | |
# but not fine if you run this on your own machine. | |
security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -A -T /usr/bin/codesign -T /usr/bin/productbuild -T /usr/bin/security | |
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $TEMP_PWD build.keychain | |
- name: "Create executable with jpackage (and sign, on MacOS)" | |
uses: ./.github/actions/gradle-and-sha | |
with: | |
gradle-command: jpackage | |
intermediate-filepath: ${{ steps.jpackagefn.outputs.FILEPATH }} | |
final-filepath: ${{ steps.exefn.outputs.FILEPATH }} | |
- name: "Notarize app bundle" | |
if: matrix.os == 'macOS-latest' | |
env: | |
MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }} | |
MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }} | |
MACOS_NOTARIZATION_PWD: ${{ secrets.MACOS_NOTARIZATION_PWD }} | |
IDENTITY_PUBLIC_KEY: A257HB4NS4 | |
run: | | |
echo "Unlock keychain" | |
security unlock-keychain -p temporary-password-to-avoid-GUI-prompt build.keychain | |
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k temporary-password-to-avoid-GUI-prompt build.keychain | |
echo "Create keychain profile" | |
xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD" | |
echo "Creating temp notarization archive" | |
ditto -c -k --sequesterRsrc --keepParent ${{ steps.exefn.outputs.FILEPATH }} "notarization.zip" | |
echo "Notarize app -- this may take a few minutes" | |
xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait | |
echo "Attach staple" | |
xcrun stapler staple ${{ steps.exefn.outputs.FILEPATH }} | |
- uses: actions/upload-artifact@v3 | |
with: | |
name: Package | |
if-no-files-found: error | |
path: | | |
${{ github.workspace }}/${{ steps.zipfn.outputs.FILEPATH }} | |
${{ github.workspace }}/${{ steps.zipfn.outputs.FILEPATH }}.sha512 | |
${{ github.workspace }}/${{ steps.zipfn.outputs.FILEPATH }}.golden.sha512 | |
${{ github.workspace }}/${{ steps.exefn.outputs.FILEPATH }} | |
${{ github.workspace }}/${{ steps.exefn.outputs.FILEPATH }}.sha512 | |
${{ github.workspace }}/${{ steps.cachefn.outputs.FILEPATH }} | |
${{ github.workspace }}/${{ steps.cachefn.outputs.FILEPATH }}.sha512 | |
${{ github.workspace }}/${{ steps.checksumsfn.outputs.FILEPATH }} | |
${{ github.workspace }}/${{ steps.checksumsfn.outputs.FILEPATH }}.sha512 | |
retention-days: 1 | |
- name: "Upload binaries to release" | |
uses: svenstaro/upload-release-action@v2 | |
if: github.event_name == 'release' | |
with: | |
repo_token: ${{ secrets.GITHUB_TOKEN }} | |
file: build/${{ steps.basefn.outputs.FILEPATH }}* | |
tag: ${{ github.ref_name }} | |
overwrite: true | |
file_glob: true |