get golden hash into package
artoonie committed Feb 22, 2024
1 parent 29e91b2 commit 400c8ba
Showing 3 changed files with 101 additions and 104 deletions.
37 changes: 17 additions & 20 deletions .github/actions/sha-of-zip.bat
@@ -14,18 +14,19 @@ echo %date% %time%

setlocal EnableExtensions EnableDelayedExpansion

set "HASHFILE=all_hashes.txt"
set "TEMPHASHFILE=all_hashes_temp.txt"
set "EXTRACTIONDIR=.\rcv\modules_extracted"

if exist %HASHFILE% (
echo Deleting existing hash file, %HASHFILE% ...
del %HASHFILE%
set "HASHFILE_UNSORTED=all_hashes_unsorted.txt"
set "HASHFILE_PATH_STRIPPED=all_hashes_path_stripped.txt"
set "HASHFILE_SORTED=all_hashes_sorted.txt"
set "EXTRACTIONDIR=.\rcv\zip_extracted"

if exist %HASHFILE_UNSORTED% (
echo Deleting existing hash file, %HASHFILE_UNSORTED% ...
del %HASHFILE_UNSORTED%
)

if exist %EXTRACTIONDIR% (
echo Deleting existing extracted modules directory, %EXTRACTIONDIR% ...
rmdir /s /q %EXTRACTIONDIR%
echo Deleting existing extracted zip directory, %EXTRACTIONDIR% ...
rmdir /s /q %EXTRACTIONDIR%
)

echo Extracting contents of modules file...
@@ -36,29 +37,25 @@ cd %EXTRACTIONDIR%
:: Calculate the hash for every file here and in all subdirectories, appending to the file (format "(filename) = (hash)")
echo Calculating hashes...
for /r . %%f in (*) do (
<NUL set /p ="%%f = " >> %HASHFILE%
C:\Windows\System32\certutil.exe -hashfile "%%f" SHA%SHA_A% | findstr /v ":" >> %HASHFILE%
<NUL set /p ="%%f = " >> %HASHFILE_UNSORTED%
C:\Windows\System32\certutil.exe -hashfile "%%f" SHA%SHA_A% | findstr /v ":" >> %HASHFILE_UNSORTED%
C:\Windows\System32\certutil.exe -hashfile "%%f" SHA%SHA_A% | findstr /v ":"
)

:: Replace the absolute paths to each file with relative paths (e.g. C:\temp\rcv => .\rcv)

echo Replacing absolute paths with relative paths in hash file...
set "SEARCHTEXT=%cd%"
set "REPLACETEXT=."
for /f "delims=" %%A in ('type "%HASHFILE%"') do (
for /f "delims=" %%A in ('type "%HASHFILE_UNSORTED%"') do (
set "string=%%A"
set "modified=!string:%SEARCHTEXT%=%REPLACETEXT%!"
echo !modified!>>"%TEMPHASHFILE%"
echo !modified!>>"%HASHFILE_PATH_STRIPPED%"
)
del "%HASHFILE%"
rename "%TEMPHASHFILE%" "%HASHFILE%"

echo Sorting the hash file...
sort "%HASHFILE%" > "%TEMPHASHFILE%"
del "%HASHFILE%"
rename "%TEMPHASHFILE%" "%HASHFILE%"
sort "%HASHFILE_PATH_STRIPPED%" > "%HASHFILE_SORTED%"

echo Calculating the hash of the entire sorted hash file...
C:\Windows\System32\certutil.exe -hashfile %HASHFILE% SHA%SHA_A%
C:\Windows\System32\certutil.exe -hashfile %HASHFILE_SORTED% SHA%SHA_A%

endlocal
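Review bot: The three hash files are relative names, so after the `cd %EXTRACTIONDIR%` that sits between the two hunks they appear to be created inside the very tree that `for /r . %%f in (*)` is hashing, while the `if exist %HASHFILE_UNSORTED%` guard at the top runs before that `cd` and so checks a different directory. If the walk picks up `all_hashes_unsorted.txt` while it is still being appended to, the golden hash depends on enumeration order rather than only on the zip contents; the lines between the hunks are not shown, so this needs confirming. Writing the intermediates outside the extracted tree, e.g. `set "HASHFILE_UNSORTED=%TEMP%\all_hashes_unsorted.txt"` (and likewise for the other two), removes that dependency. The loop also seems to run `certutil.exe -hashfile "%%f"` a second time per file only to print to the log, which looks like leftover debugging.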
2 changes: 1 addition & 1 deletion .github/actions/sha-of-zip.sh
@@ -28,4 +28,4 @@ for filename in $(find * -type f | sort); do
done

# Echo the checksum of the checksums
echo $($parentPath/sha.sh $tempAllChecksumsFile $os $a)
echo $($parentPath/../workflows/sha.sh $tempAllChecksumsFile $os $a)
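Review bot: The `../workflows/sha.sh` call is wrapped in `echo $( … )` with every variable unquoted, so a failing or missing `sha.sh` still lets the script finish with status 0 and an empty line where the golden checksum should be, and a workspace path containing spaces would split the arguments. Calling it directly, `"$parentPath/../workflows/sha.sh" "$tempAllChecksumsFile" "$os" "$a"`, prints the checksum and lets the exit status reach the workflow step. The enclosing loop and the definitions of these variables start outside the hunk.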
166 changes: 83 additions & 83 deletions .github/workflows/release.yml
@@ -14,7 +14,7 @@ jobs:
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [ ubuntu-latest, windows-latest, macos-latest ] # add macos-latest-xlarge for silicon (a paid feature)
os: [ windows-latest ] # add macos-latest-xlarge for silicon (a paid feature)
steps:
- name: "Create base filename for all artifacts"
id: basefn
@@ -77,100 +77,100 @@ jobs:
intermediate-filepath: build/rcv.zip
final-filepath: ${{ steps.zipfn.outputs.FILEPATH }}

- name: "Create caches filename"
id: cachefn
shell: bash
run: |
echo "FILEPATH=${{ steps.basefn.outputs.FILEPATH }}.cache.zip" >> $GITHUB_OUTPUT
- name: "Generate SHA1 and SHA256 for each maven dependency"
shell: bash
run: ./.github/workflows/generate-dependency-hashes.sh ${{ runner.os }} >> ~/.gradle/caches/checksums.csv

- name: "Create dependency zip"
uses: ./.github/actions/zip
with:
# Build, then remove all non-essential files
command: ./gradlew assemble && ./gradlew --stop
input: "~/.gradle/caches"
zipFilename: ${{steps.cachefn.outputs.FILEPATH}}

- name: "Generate SHA512 for plugins cache"
shell: bash
run: |
./.github/workflows/sha.sh ${{steps.cachefn.outputs.FILEPATH}} ${{ runner.os }} 512 > ${{steps.cachefn.outputs.FILEPATH}}.sha512
# - name: "Create caches filename"
# id: cachefn
# shell: bash
# run: |
# echo "FILEPATH=cache/${{ steps.basefn.outputs.FILEPATH }}.cache.zip" >> $GITHUB_OUTPUT
#
# - name: "Generate SHA1 and SHA256 for each maven dependency"
# shell: bash
# run: ./.github/workflows/generate-dependency-hashes.sh ${{ runner.os }} >> ~/.gradle/caches/checksums.csv
#
# - name: "Create dependency zip"
# uses: ./.github/actions/zip
# with:
# # Build, then remove all non-essential files
# command: ./gradlew assemble && ./gradlew --stop
# input: "~/.gradle/caches"
# zipFilename: ${{steps.cachefn.outputs.FILEPATH}}
#
# - name: "Generate SHA512 for plugins cache"
# shell: bash
# run: |
# ./.github/workflows/sha.sh ${{steps.cachefn.outputs.FILEPATH}} ${{ runner.os }} 512 > ${{steps.cachefn.outputs.FILEPATH}}.sha512
#
- name: "Generate Golden SHA512 for jlinkZip"
uses: ./.github/actions/sha-of-zip
with:
zipFilename: ${{ steps.zipfn.outputs.FILEPATH }}
shaA: 512

- name: "Generate Golden SHA512 for plugins cache"
uses: ./.github/actions/sha-of-zip
with:
zipFilename: ${{steps.cachefn.outputs.FILEPATH}}
shaA: 512

- name: "Prepare keychain"
if: matrix.os == 'macOS-latest'
env:
MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
run: |
export TEMP_PWD=temporary-password-to-avoid-GUI-prompt
echo "Decode Base64 certificates"
echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
echo "Create and unlock keychain"
security create-keychain -p $TEMP_PWD build.keychain
security unlock-keychain -p $TEMP_PWD build.keychain
echo "Import certificates into keychain"
# Note: in the next command, the -A should not be used outside of github actions.
# It allows any application to read the keychain, which is fine in an ephemeral environment,
# but not fine if you run this on your own machine.
security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -A -T /usr/bin/codesign -T /usr/bin/productbuild -T /usr/bin/security
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $TEMP_PWD build.keychain
- name: "Create executable with jpackage (and sign, on MacOS)"
uses: ./.github/actions/gradle-and-sha
with:
gradle-command: jpackage
intermediate-filepath: ${{ steps.jpackagefn.outputs.FILEPATH }}
final-filepath: ${{ steps.exefn.outputs.FILEPATH }}

- name: "Notarize app bundle"
if: matrix.os == 'macOS-latest'
env:
MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }}
MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }}
MACOS_NOTARIZATION_PWD: ${{ secrets.MACOS_NOTARIZATION_PWD }}
IDENTITY_PUBLIC_KEY: A257HB4NS4
run: |
echo "Unlock keychain"
security unlock-keychain -p temporary-password-to-avoid-GUI-prompt build.keychain
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k temporary-password-to-avoid-GUI-prompt build.keychain
echo "Create keychain profile"
xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD"
echo "Creating temp notarization archive"
ditto -c -k --sequesterRsrc --keepParent ${{ steps.exefn.outputs.FILEPATH }} "notarization.zip"
echo "Notarize app -- this may take a few minutes"
xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait
echo "Attach staple"
xcrun stapler staple ${{ steps.exefn.outputs.FILEPATH }}
#
# - name: "Generate Golden SHA512 for plugins cache"
# uses: ./.github/actions/sha-of-zip
# with:
# zipFilename: ${{steps.cachefn.outputs.FILEPATH}}
# shaA: 512
#
# - name: "Prepare keychain"
# if: matrix.os == 'macOS-latest'
# env:
# MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
# MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
# run: |
# export TEMP_PWD=temporary-password-to-avoid-GUI-prompt
# echo "Decode Base64 certificates"
# echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
# echo "Create and unlock keychain"
# security create-keychain -p $TEMP_PWD build.keychain
# security unlock-keychain -p $TEMP_PWD build.keychain
# echo "Import certificates into keychain"
# # Note: in the next command, the -A should not be used outside of github actions.
# # It allows any application to read the keychain, which is fine in an ephemeral environment,
# # but not fine if you run this on your own machine.
# security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -A -T /usr/bin/codesign -T /usr/bin/productbuild -T /usr/bin/security
# security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $TEMP_PWD build.keychain
#
# - name: "Create executable with jpackage (and sign, on MacOS)"
# uses: ./.github/actions/gradle-and-sha
# with:
# gradle-command: jpackage
# intermediate-filepath: ${{ steps.jpackagefn.outputs.FILEPATH }}
# final-filepath: ${{ steps.exefn.outputs.FILEPATH }}
#
# - name: "Notarize app bundle"
# if: matrix.os == 'macOS-latest'
# env:
# MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }}
# MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }}
# MACOS_NOTARIZATION_PWD: ${{ secrets.MACOS_NOTARIZATION_PWD }}
# IDENTITY_PUBLIC_KEY: A257HB4NS4
# run: |
# echo "Unlock keychain"
# security unlock-keychain -p temporary-password-to-avoid-GUI-prompt build.keychain
# security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k temporary-password-to-avoid-GUI-prompt build.keychain
# echo "Create keychain profile"
# xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD"
# echo "Creating temp notarization archive"
# ditto -c -k --sequesterRsrc --keepParent ${{ steps.exefn.outputs.FILEPATH }} "notarization.zip"
# echo "Notarize app -- this may take a few minutes"
# xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait
# echo "Attach staple"
# xcrun stapler staple ${{ steps.exefn.outputs.FILEPATH }}

- uses: actions/upload-artifact@v3
with:
name: Package
if-no-files-found: error
path: |
${{ github.workspace }}/${{ steps.zipfn.outputs.FILEPATH }}
${{ github.workspace }}/${{ steps.zipfn.outputs.FILEPATH }}.sha512
#${{ github.workspace }}/${{ steps.zipfn.outputs.FILEPATH }}
#${{ github.workspace }}/${{ steps.zipfn.outputs.FILEPATH }}.sha512
${{ github.workspace }}/${{ steps.zipfn.outputs.FILEPATH }}.golden.sha512
${{ github.workspace }}/${{ steps.exefn.outputs.FILEPATH }}
${{ github.workspace }}/${{ steps.exefn.outputs.FILEPATH }}.sha512
${{ github.workspace }}/${{steps.cachefn.outputs.FILEPATH}}
${{ github.workspace }}/${{steps.cachefn.outputs.FILEPATH}}.sha512
${{ github.workspace }}/${{steps.cachefn.outputs.FILEPATH}}.golden.sha512
#${{ github.workspace }}/${{ steps.exefn.outputs.FILEPATH }}
#${{ github.workspace }}/${{ steps.exefn.outputs.FILEPATH }}.sha512
#${{ github.workspace }}/${{steps.cachefn.outputs.FILEPATH}}
#${{ github.workspace }}/${{steps.cachefn.outputs.FILEPATH}}.sha512
#${{ github.workspace }}/${{steps.cachefn.outputs.FILEPATH}}.golden.sha512
retention-days: 1

- name: "Upload binaries to release"
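Review bot: Signing, notarization, the dependency-cache hashing and every non-Windows runner are disabled here by commenting them out of `release.yml`, with nothing marking this as temporary, so if the file is merged as is a release would be built for `windows-latest` only and the artifact would carry just the `.golden.sha512` file, without the zip, the executable or their `.sha512` files. The `Upload binaries to release` step continues outside the view and may still reference `steps.cachefn` outputs from a step that no longer runs. If this is a debugging state, a comment such as `# TEMPORARY: steps below disabled while debugging the golden hash; restore before tagging a release` above the matrix would make that explicit. A step-level `if:` condition would keep the disabled steps parseable and reviewable instead of commented out.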