
fix line endings for reproducible SHAs #327


Workflow file for this run

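# Builds, hashes, signs (macOS) and publishes the RCTab release artifacts for
# Linux, Windows and macOS.
name: "Generate Releases"
on:
  release:
    types: [ published ]
  # To test this workflow without creating a release, uncomment the following and add a branch name (making sure "push"
  # is at the same indent level as "release"):
  # NOTE(review): the test trigger below is currently enabled, so every push to this branch runs the full job,
  # including the macOS steps that read the signing and notarization secrets. Comment it out again once testing is done.
  push:
    branches:
      - 'feature/issue-756_airgap'
jobs:
  release:
    runs-on: ${{ matrix.os }}
    # Least-privilege GITHUB_TOKEN: attaching files to a release needs contents: write, and no step visible in this
    # file needs any other scope.
    # NOTE(review): confirm the local ./.github/actions/* actions do not rely on additional token scopes.
    permissions:
      contents: write
    strategy:
      matrix:
        os: [ ubuntu-latest, windows-latest, macos-latest ] # add macos-latest-xlarge for silicon (a paid feature)
    steps:
      - name: "Create base filename for all artifacts"
        id: basefn
        shell: bash
        env:
          # The ref name is handed to the script as data. A ${{ }} expression is substituted into the script text
          # before bash parses it, so a tag or branch name must never be expanded inline in "run".
          REF_NAME: ${{ github.ref_name }}
        run: |
          # Every later step interpolates this output into its own script or path, so anything outside a
          # conservative filename alphabet is replaced here (this includes the "/" in branch names).
          FILEPATH=$(echo "rctab_${REF_NAME}_${{ runner.os }}_${{ runner.arch }}" | sed -e 's/[^A-Za-z0-9._+-]/_/g')
          echo "FILEPATH=$FILEPATH" >> "$GITHUB_OUTPUT"
      # Normalize platform-specific filepaths generated by gradle
      - name: "Create .zip filename"
        id: zipfn
        shell: bash
        run: echo "FILEPATH=build/${{ steps.basefn.outputs.FILEPATH }}.zip" >> "$GITHUB_OUTPUT"
      - name: "Get extension"
        id: ext
        shell: bash
        run: |
          if [ ${{ runner.os }} == 'Windows' ]; then
            echo "EXT=.exe" >> "$GITHUB_OUTPUT"
          elif [ ${{ runner.os }} == 'Linux' ]; then
            echo "EXT=.deb" >> "$GITHUB_OUTPUT"
          else
            echo "EXT=.dmg" >> "$GITHUB_OUTPUT"
          fi
      - name: "Get jpackage output filepath"
        id: jpackagefn
        shell: bash
        run: |
          # TODO Sync version number with Main.java and build.gradle (github.com/BrightSpots/rcv/issues/662)
          # The version numbers are hardcoded because the files below include the version number in them,
          # and while we could use some regex to figure out the version number automatically, it seems cleaner
          # to know the expected version number upfront.
          if [ ${{ runner.os }} == 'Windows' ]; then
            echo "FILEPATH=build/jpackage/RCTab-1.3.999.exe" >> "$GITHUB_OUTPUT"
          elif [ ${{ runner.os }} == 'Linux' ]; then
            echo "FILEPATH=build/jpackage/rctab_1.3.999_amd64.deb" >> "$GITHUB_OUTPUT"
          else
            echo "FILEPATH=build/jpackage/RCTab-1.3.999.dmg" >> "$GITHUB_OUTPUT"
          fi
      - name: "Create executable filename"
        id: exefn
        shell: bash
        run: echo "FILEPATH=build/${{ steps.basefn.outputs.FILEPATH }}${{ steps.ext.outputs.EXT }}" >> "$GITHUB_OUTPUT"
      # NOTE(review): checkout, setup-java, upload-artifact and upload-release-action are referenced by mutable
      # version tags. Pin each to a full commit SHA, as the wrapper-validation step below already does, so a moved
      # tag cannot change what runs in a job that signs and publishes release binaries.
      - uses: actions/checkout@v3
      - name: "Set up JDK 20.0.1"
        uses: actions/setup-java@v3
        with:
          java-version: '20.0.1'
          distribution: 'temurin'
      - name: "Validate Gradle wrapper"
        uses: gradle/wrapper-validation-action@ccb4328a959376b642e027874838f60f8e596de3
      - name: "Create zip with jlinkZip"
        uses: ./.github/actions/gradle-and-sha
        with:
          gradle-command: jlinkZip
          intermediate-filepath: build/rcv.zip
          final-filepath: ${{ steps.zipfn.outputs.FILEPATH }}
      - name: "Create caches filename"
        id: cachefn
        shell: bash
        run: |
          mkdir cache
          echo "FILEPATH=cache/${{ steps.basefn.outputs.FILEPATH }}.cache.zip" >> "$GITHUB_OUTPUT"
      - name: "Create checksum filename"
        id: checksumsfn
        shell: bash
        run: |
          echo "FILEPATH=cache/checksums.csv" >> "$GITHUB_OUTPUT"
      - name: "Generate SHA1 and SHA256 for each maven dependency"
        shell: bash
        run: ./.github/workflows/generate-dependency-hashes.sh ${{ runner.os }} >> "${{ steps.checksumsfn.outputs.FILEPATH }}"
      - name: "Create dependency zip"
        uses: ./.github/actions/zip
        with:
          # Build, then remove all non-essential files
          command: ./gradlew assemble && ./gradlew --stop
          input: "~/.gradle/caches"
          zipFilename: ${{ steps.cachefn.outputs.FILEPATH }}
      - name: "Generate SHA512 for plugins cache"
        shell: bash
        run: |
          ./.github/workflows/sha.sh "${{ steps.cachefn.outputs.FILEPATH }}" ${{ runner.os }} 512 > "${{ steps.cachefn.outputs.FILEPATH }}.sha512"
      - name: "Generate SHA512 for plugins' checksums"
        shell: bash
        run: |
          ./.github/workflows/sha.sh "${{ steps.checksumsfn.outputs.FILEPATH }}" ${{ runner.os }} 512 > "${{ steps.checksumsfn.outputs.FILEPATH }}.sha512"
      - name: "Generate Golden SHA512 for jlinkZip"
        uses: ./.github/actions/sha-of-zip
        with:
          zipFilename: ${{ steps.zipfn.outputs.FILEPATH }}
          shaA: 512
      - name: "Prepare keychain"
        # Expression string comparisons ignore case, so this matches the "macos-latest" matrix entry.
        if: matrix.os == 'macOS-latest'
        env:
          MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
          MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
        run: |
          # The decoded .p12 contains the signing key; delete it when this step exits, on success or failure,
          # so it does not stay in the workspace for the build and upload steps that follow.
          trap 'rm -f certificate.p12' EXIT
          export TEMP_PWD=temporary-password-to-avoid-GUI-prompt
          echo "Decode Base64 certificates"
          echo "$MACOS_CERTIFICATE" | base64 --decode > certificate.p12
          echo "Create and unlock keychain"
          security create-keychain -p $TEMP_PWD build.keychain
          security unlock-keychain -p $TEMP_PWD build.keychain
          echo "Import certificates into keychain"
          # Note: in the next command, the -A should not be used outside of github actions.
          # It allows any application to read the keychain, which is fine in an ephemeral environment,
          # but not fine if you run this on your own machine.
          # The password is quoted so that whitespace or glob characters in the secret are passed through intact.
          security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -A -T /usr/bin/codesign -T /usr/bin/productbuild -T /usr/bin/security
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $TEMP_PWD build.keychain
      - name: "Create executable with jpackage (and sign, on MacOS)"
        uses: ./.github/actions/gradle-and-sha
        with:
          gradle-command: jpackage
          intermediate-filepath: ${{ steps.jpackagefn.outputs.FILEPATH }}
          final-filepath: ${{ steps.exefn.outputs.FILEPATH }}
      - name: "Notarize app bundle"
        if: matrix.os == 'macOS-latest'
        env:
          MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }}
          MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }}
          MACOS_NOTARIZATION_PWD: ${{ secrets.MACOS_NOTARIZATION_PWD }}
          # NOTE(review): not referenced by the script below; confirm whether anything still reads it.
          IDENTITY_PUBLIC_KEY: A257HB4NS4
        run: |
          echo "Unlock keychain"
          security unlock-keychain -p temporary-password-to-avoid-GUI-prompt build.keychain
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k temporary-password-to-avoid-GUI-prompt build.keychain
          echo "Create keychain profile"
          xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD"
          echo "Creating temp notarization archive"
          ditto -c -k --sequesterRsrc --keepParent "${{ steps.exefn.outputs.FILEPATH }}" "notarization.zip"
          echo "Notarize app -- this may take a few minutes"
          xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait
          echo "Attach staple"
          xcrun stapler staple "${{ steps.exefn.outputs.FILEPATH }}"
      - uses: actions/upload-artifact@v3
        with:
          name: Package
          if-no-files-found: error
          path: |
            ${{ github.workspace }}/${{ steps.zipfn.outputs.FILEPATH }}
            ${{ github.workspace }}/${{ steps.zipfn.outputs.FILEPATH }}.sha512
            ${{ github.workspace }}/${{ steps.zipfn.outputs.FILEPATH }}.golden.sha512
            ${{ github.workspace }}/${{ steps.exefn.outputs.FILEPATH }}
            ${{ github.workspace }}/${{ steps.exefn.outputs.FILEPATH }}.sha512
            ${{ github.workspace }}/${{ steps.cachefn.outputs.FILEPATH }}
            ${{ github.workspace }}/${{ steps.cachefn.outputs.FILEPATH }}.sha512
            ${{ github.workspace }}/${{ steps.checksumsfn.outputs.FILEPATH }}
            ${{ github.workspace }}/${{ steps.checksumsfn.outputs.FILEPATH }}.sha512
          retention-days: 1
      - name: "Upload binaries to release"
        # Third-party action that receives the write-capable token; see the pinning note above the checkout step.
        uses: svenstaro/upload-release-action@v2
        if: github.event_name == 'release'
        with:
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          file: build/${{ steps.basefn.outputs.FILEPATH }}*
          tag: ${{ github.ref_name }}
          overwrite: true
          file_glob: true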