-
Notifications
You must be signed in to change notification settings - Fork 19
172 lines (156 loc) · 7.54 KB
/
release.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
name: "Generate Releases"
on:
release:
types: [ published ]
# To test this workflow without creating a release, uncomment the following and add a branch name (making sure "push"
# is at the same indent level as "release":
push:
branches:
- 'feature/issue-756_airgap'
jobs:
release:
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [ ubuntu-latest, windows-latest, macos-latest ] # add macos-latest-xlarge for silicon (a paid feature)
steps:
- name: "Create base filename for all artifacts"
id: basefn
shell: bash
run: |
FILEPATH=$(echo rctab_${{ github.ref_name }}_${{ runner.os }}_${{ runner.arch }} | sed -e 's/\//_/g')
echo "FILEPATH=$FILEPATH" >> $GITHUB_OUTPUT
# Normalize platform-specific filepaths generated by gradle
- name: "Create .zip filename"
id: zipfn
shell: bash
run: echo "FILEPATH=build/${{ steps.basefn.outputs.FILEPATH }}.zip" >> $GITHUB_OUTPUT
- name: "Get extension"
id: ext
shell: bash
run: |
if [ ${{ runner.os }} == 'Windows' ]; then
echo "EXT=.exe" >> $GITHUB_OUTPUT
elif [ ${{ runner.os }} == 'Linux' ]; then
echo "EXT=.deb" >> $GITHUB_OUTPUT
else
echo "EXT=.dmg" >> $GITHUB_OUTPUT
fi
- name: "Get jpackage output filepath"
id: jpackagefn
shell: bash
run: |
# TODO Sync version number with Main.java and build.gradle (github.com/BrightSpots/rcv/issues/662)
# The version numbers are hardcoded because the files below include the version number in them,
# and while we could use some regex to figure out the version number automatically, it seems cleaner
# to know the expected version number upfront.
if [ ${{ runner.os }} == 'Windows' ]; then
echo "FILEPATH=build/jpackage/RCTab-1.3.999.exe" >> $GITHUB_OUTPUT
elif [ ${{ runner.os }} == 'Linux' ]; then
echo "FILEPATH=build/jpackage/rctab_1.3.999_amd64.deb" >> $GITHUB_OUTPUT
else
echo "FILEPATH=build/jpackage/RCTab-1.3.999.dmg" >> $GITHUB_OUTPUT
fi
- name: "Create executable filename"
id: exefn
shell: bash
run: echo "FILEPATH=build/${{ steps.basefn.outputs.FILEPATH }}${{ steps.ext.outputs.EXT }}" >> $GITHUB_OUTPUT
- uses: actions/checkout@v3
- name: "Set up JDK 20.0.1"
uses: actions/setup-java@v3
with:
java-version: '20.0.1'
distribution: 'temurin'
- name: "Validate Gradle wrapper"
uses: gradle/wrapper-validation-action@ccb4328a959376b642e027874838f60f8e596de3
- name: "Create zip with jlinkZip"
uses: ./.github/actions/gradle-and-sha
with:
gradle-command: jlinkZip
intermediate-filepath: build/rcv.zip
final-filepath: ${{ steps.zipfn.outputs.FILEPATH }}
- name: "Create caches filename"
id: cachefn
shell: bash
run: |
echo "FILEPATH=${{ steps.basefn.outputs.FILEPATH }}.cache.zip" >> $GITHUB_OUTPUT
- name: "Generate SHA1 and SHA256 for each maven dependency"
shell: bash
run: ./.github/workflows/generate-dependency-hashes.sh ${{ runner.os }} >> ~/.gradle/caches/checksums.csv
- name: "Create dependency zip"
uses: ./.github/actions/zip
with:
# Build, then remove all non-essential files
command: ./gradlew assemble && ./gradlew --stop
input: "~/.gradle/caches"
zipFilename: ${{steps.cachefn.outputs.FILEPATH}}
- name: "Generate SHA512 for plugins cache"
shell: bash
run: |
./.github/workflows/sha-of-zip.sh ${{steps.cachefn.outputs.FILEPATH}} ${{ runner.os }} 512
- name: "Prepare keychain"
if: matrix.os == 'macOS-latest'
env:
MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
run: |
export TEMP_PWD=temporary-password-to-avoid-GUI-prompt
echo "Decode Base64 certificates"
echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
echo "Create and unlock keychain"
security create-keychain -p $TEMP_PWD build.keychain
security unlock-keychain -p $TEMP_PWD build.keychain
echo "Import certificates into keychain"
# Note: in the next command, the -A should not be used outside of github actions.
# It allows any application to read the keychain, which is fine in an ephemeral environment,
# but not fine if you run this on your own machine.
security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -A -T /usr/bin/codesign -T /usr/bin/productbuild -T /usr/bin/security
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $TEMP_PWD build.keychain
- name: "Create executable with jpackage (and sign, on MacOS)"
uses: ./.github/actions/gradle-and-sha
with:
gradle-command: jpackage
intermediate-filepath: ${{ steps.jpackagefn.outputs.FILEPATH }}
final-filepath: ${{ steps.exefn.outputs.FILEPATH }}
- name: "Notarize app bundle"
if: matrix.os == 'macOS-latest'
env:
MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }}
MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }}
MACOS_NOTARIZATION_PWD: ${{ secrets.MACOS_NOTARIZATION_PWD }}
IDENTITY_PUBLIC_KEY: A257HB4NS4
run: |
echo "Unlock keychain"
security unlock-keychain -p temporary-password-to-avoid-GUI-prompt build.keychain
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k temporary-password-to-avoid-GUI-prompt build.keychain
echo "Create keychain profile"
xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD"
echo "Creating temp notarization archive"
ditto -c -k --sequesterRsrc --keepParent ${{ steps.exefn.outputs.FILEPATH }} "notarization.zip"
echo "Notarize app -- this may take a few minutes"
xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait
echo "Attach staple"
xcrun stapler staple ${{ steps.exefn.outputs.FILEPATH }}
- uses: actions/upload-artifact@v3
with:
name: Package
if-no-files-found: error
path: |
${{ github.workspace }}/${{ steps.zipfn.outputs.FILEPATH }}
${{ github.workspace }}/${{ steps.zipfn.outputs.FILEPATH }}.sha512
${{ github.workspace }}/${{ steps.zipfn.outputs.FILEPATH }}.golden.sha512
${{ github.workspace }}/${{ steps.exefn.outputs.FILEPATH }}
${{ github.workspace }}/${{ steps.exefn.outputs.FILEPATH }}.sha512
${{ github.workspace }}/${{steps.cachefn.outputs.FILEPATH}}
${{ github.workspace }}/${{steps.cachefn.outputs.FILEPATH}}.sha512
${{ github.workspace }}/${{steps.cachefn.outputs.FILEPATH}}.golden.sha512
retention-days: 1
- name: "Upload binaries to release"
uses: svenstaro/upload-release-action@v2
if: github.event_name == 'release'
with:
repo_token: ${{ secrets.GITHUB_TOKEN }}
file: build/${{ steps.basefn.outputs.FILEPATH }}*
tag: ${{ github.ref_name }}
overwrite: true
file_glob: true