From 400c8ba3b608584d1309b806ca7e6da1cc10e034 Mon Sep 17 00:00:00 2001 From: Armin Samii Date: Wed, 21 Feb 2024 20:54:45 -0500 Subject: [PATCH] get golden hash into package --- .github/actions/sha-of-zip.bat | 37 ++++---- .github/actions/sha-of-zip.sh | 2 +- .github/workflows/release.yml | 166 ++++++++++++++++----------------- 3 files changed, 101 insertions(+), 104 deletions(-) diff --git a/.github/actions/sha-of-zip.bat b/.github/actions/sha-of-zip.bat index cfe3b562..9f6b58c7 100644 --- a/.github/actions/sha-of-zip.bat +++ b/.github/actions/sha-of-zip.bat @@ -14,18 +14,19 @@ echo %date% %time% setlocal EnableExtensions EnableDelayedExpansion -set "HASHFILE=all_hashes.txt" -set "TEMPHASHFILE=all_hashes_temp.txt" -set "EXTRACTIONDIR=.\rcv\modules_extracted" - -if exist %HASHFILE% ( - echo Deleting existing hash file, %HASHFILE% ... - del %HASHFILE% +set "HASHFILE_UNSORTED=all_hashes_unsorted.txt" +set "HASHFILE_PATH_STRIPPED=all_hashes_path_stripped.txt" +set "HASHFILE_SORTED=all_hashes_sorted.txt" +set "EXTRACTIONDIR=.\rcv\zip_extracted" + +if exist %HASHFILE_UNSORTED% ( + echo Deleting existing hash file, %HASHFILE_UNSORTED% ... + del %HASHFILE_UNSORTED% ) if exist %EXTRACTIONDIR% ( - echo Deleting existing extracted modules directory, %EXTRACTIONDIR% ... - rmdir /s /q %EXTRACTIONDIR% + echo Deleting existing extracted zip directory, %EXTRACTIONDIR% ... + rmdir /s /q %EXTRACTIONDIR% ) echo Extracting contents of modules file... 
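Review bot: The cleanup block only deletes `%HASHFILE_UNSORTED%`, but the two new intermediate files `%HASHFILE_PATH_STRIPPED%` and `%HASHFILE_SORTED%` are never removed before a run, and the path-stripping loop in the next hunk appends to the stripped file with `>>`, so a leftover copy from an earlier run on the same machine would be folded into the sorted file and silently change the golden hash. The old code avoided this by renaming the temp file over the hash file each time; the new three-file scheme needs an explicit cleanup of all three, e.g. `for %%h in ("%HASHFILE_UNSORTED%" "%HASHFILE_PATH_STRIPPED%" "%HASHFILE_SORTED%") do if exist %%h del %%h` in place of the single `if exist` block. On an ephemeral CI runner this is harmless, but a golden hash is presumably meant to be recomputed outside CI to verify a downloaded package, where stale files are likely.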
@@ -36,29 +37,25 @@ cd %EXTRACTIONDIR% :: Calculate the hash for every file here and in all subdirectories, appending to the file (format "(filename) = (hash)") echo Calculating hashes... for /r . %%f in (*) do ( - > %HASHFILE% - C:\Windows\System32\certutil.exe -hashfile "%%f" SHA%SHA_A% | findstr /v ":" >> %HASHFILE% + > %HASHFILE_UNSORTED% + C:\Windows\System32\certutil.exe -hashfile "%%f" SHA%SHA_A% | findstr /v ":" >> %HASHFILE_UNSORTED% + C:\Windows\System32\certutil.exe -hashfile "%%f" SHA%SHA_A% | findstr /v ":" ) :: Replace the absolute paths to each file with relative paths (e.g. C:\temp\rcv => .\rcv) - echo Replacing absolute paths with relative paths in hash file... set "SEARCHTEXT=%cd%" set "REPLACETEXT=." -for /f "delims=" %%A in ('type "%HASHFILE%"') do ( +for /f "delims=" %%A in ('type "%HASHFILE_UNSORTED%"') do ( set "string=%%A" set "modified=!string:%SEARCHTEXT%=%REPLACETEXT%!" - echo !modified!>>"%TEMPHASHFILE%" + echo !modified!>>"%HASHFILE_PATH_STRIPPED%" ) -del "%HASHFILE%" -rename "%TEMPHASHFILE%" "%HASHFILE%" echo Sorting the hash file... -sort "%HASHFILE%" > "%TEMPHASHFILE%" -del "%HASHFILE%" -rename "%TEMPHASHFILE%" "%HASHFILE%" +sort "%HASHFILE_PATH_STRIPPED%" > "%HASHFILE_SORTED%" echo Calculating the hash of the entire sorted hash file... -C:\Windows\System32\certutil.exe -hashfile %HASHFILE% SHA%SHA_A% +C:\Windows\System32\certutil.exe -hashfile %HASHFILE_SORTED% SHA%SHA_A% endlocal diff --git a/.github/actions/sha-of-zip.sh b/.github/actions/sha-of-zip.sh index 9d72d893..9985cdc8 100755 --- a/.github/actions/sha-of-zip.sh +++ b/.github/actions/sha-of-zip.sh @@ -28,4 +28,4 @@ for filename in $(find * -type f | sort); do done # Echo the checksum of the checksums -echo $($parentPath/sha.sh $tempAllChecksumsFile $os $a) +echo $($parentPath/../workflows/sha.sh $tempAllChecksumsFile $os $a) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e6373e6e..90906f33 100644 --- a/.github/workflows/release.yml 
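Review bot: The bare `> %HASHFILE_UNSORTED%` line at the top of the `for /r` body truncates the hash file on every iteration (cmd treats a lone redirection as an empty command that creates the file), so only the last file's hash survives the loop and the final "hash of the entire sorted hash file" attests one file rather than the whole zip; the truncation belongs before the loop, e.g. `type nul > %HASHFILE_UNSORTED%` above `for /r . %%f in (*) do (`. Separately, `findstr /v ":"` drops every certutil line containing a colon, which includes the `SHA512 hash of C:\...:` header, so the file holds only bare hex digests and the `%SEARCHTEXT%`/`%REPLACETEXT%` substitution never matches anything; a file renamed or moved inside the zip yields the same golden hash, so if the hash is meant to attest layout as well as content, record `%%f` next to each digest. Both of these predate this commit and were carried over with the renames. The second `certutil` call added inside the loop only echoes to the log and hashes every file twice; if per-file output is wanted, `type` the finished file once after the loop.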
+++ b/.github/workflows/release.yml @@ -14,7 +14,7 @@ jobs: runs-on: ${{ matrix.os }} strategy: matrix: - os: [ ubuntu-latest, windows-latest, macos-latest ] # add macos-latest-xlarge for silicon (a paid feature) + os: [ windows-latest ] # add macos-latest-xlarge for silicon (a paid feature) steps: - name: "Create base filename for all artifacts" id: basefn 
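Review bot: Narrowing the matrix to `[ windows-latest ]` drops the Linux and macOS release builds, and with the macOS signing and notarization steps commented out further down in this file, a tagged release run from this commit would ship neither platform. If this is a temporary measure while the golden-hash packaging is debugged, mark it on the line so it is not forgotten, e.g. `os: [ windows-latest ]  # TEMP: restore ubuntu-latest, macos-latest before the next release`. The `steps:` list this hunk opens continues outside the hunk.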
@@ -77,100 +77,100 @@ jobs: intermediate-filepath: build/rcv.zip final-filepath: ${{ steps.zipfn.outputs.FILEPATH }} - - name: "Create caches filename" - id: cachefn - shell: bash - run: | - echo "FILEPATH=${{ steps.basefn.outputs.FILEPATH }}.cache.zip" >> $GITHUB_OUTPUT - - - name: "Generate SHA1 and SHA256 for each maven dependency" - shell: bash - run: ./.github/workflows/generate-dependency-hashes.sh ${{ runner.os }} >> ~/.gradle/caches/checksums.csv - - - name: "Create dependency zip" - uses: ./.github/actions/zip - with: - # Build, then remove all non-essential files - command: ./gradlew assemble && ./gradlew --stop - input: "~/.gradle/caches" - zipFilename: ${{steps.cachefn.outputs.FILEPATH}} - - - name: "Generate SHA512 for plugins cache" - shell: bash - run: | - ./.github/workflows/sha.sh ${{steps.cachefn.outputs.FILEPATH}} ${{ runner.os }} 512 > ${{steps.cachefn.outputs.FILEPATH}}.sha512 - + # - name: "Create caches filename" + # id: cachefn + # shell: bash + # run: | + # echo "FILEPATH=cache/${{ steps.basefn.outputs.FILEPATH }}.cache.zip" >> $GITHUB_OUTPUT + # + # - name: "Generate SHA1 and SHA256 for each maven dependency" + # shell: bash + # run: ./.github/workflows/generate-dependency-hashes.sh ${{ runner.os }} >> ~/.gradle/caches/checksums.csv + # + # - name: "Create dependency zip" + # uses: ./.github/actions/zip + # with: + # # Build, then remove all non-essential files + # command: ./gradlew assemble && ./gradlew --stop + # input: "~/.gradle/caches" + # zipFilename: ${{steps.cachefn.outputs.FILEPATH}} + # + # - name: "Generate SHA512 for plugins cache" + # shell: bash + # run: | + # ./.github/workflows/sha.sh ${{steps.cachefn.outputs.FILEPATH}} ${{ runner.os }} 512 > ${{steps.cachefn.outputs.FILEPATH}}.sha512 + # - name: "Generate Golden SHA512 for jlinkZip" uses: ./.github/actions/sha-of-zip with: zipFilename: ${{ steps.zipfn.outputs.FILEPATH }} shaA: 512 - - - name: "Generate Golden SHA512 for plugins cache" - uses: ./.github/actions/sha-of-zip 
- with: - zipFilename: ${{steps.cachefn.outputs.FILEPATH}} - shaA: 512 - - - name: "Prepare keychain" - if: matrix.os == 'macOS-latest' - env: - MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }} - MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }} - run: | - export TEMP_PWD=temporary-password-to-avoid-GUI-prompt - echo "Decode Base64 certificates" - echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12 - echo "Create and unlock keychain" - security create-keychain -p $TEMP_PWD build.keychain - security unlock-keychain -p $TEMP_PWD build.keychain - echo "Import certificates into keychain" - # Note: in the next command, the -A should not be used outside of github actions. - # It allows any application to read the keychain, which is fine in an ephemeral environment, - # but not fine if you run this on your own machine. - security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -A -T /usr/bin/codesign -T /usr/bin/productbuild -T /usr/bin/security - security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $TEMP_PWD build.keychain - - - name: "Create executable with jpackage (and sign, on MacOS)" - uses: ./.github/actions/gradle-and-sha - with: - gradle-command: jpackage - intermediate-filepath: ${{ steps.jpackagefn.outputs.FILEPATH }} - final-filepath: ${{ steps.exefn.outputs.FILEPATH }} - - - name: "Notarize app bundle" - if: matrix.os == 'macOS-latest' - env: - MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }} - MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }} - MACOS_NOTARIZATION_PWD: ${{ secrets.MACOS_NOTARIZATION_PWD }} - IDENTITY_PUBLIC_KEY: A257HB4NS4 - run: | - echo "Unlock keychain" - security unlock-keychain -p temporary-password-to-avoid-GUI-prompt build.keychain - security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k temporary-password-to-avoid-GUI-prompt build.keychain - echo "Create keychain profile" - xcrun notarytool store-credentials 
"notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD" - echo "Creating temp notarization archive" - ditto -c -k --sequesterRsrc --keepParent ${{ steps.exefn.outputs.FILEPATH }} "notarization.zip" - echo "Notarize app -- this may take a few minutes" - xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait - echo "Attach staple" - xcrun stapler staple ${{ steps.exefn.outputs.FILEPATH }} + # + # - name: "Generate Golden SHA512 for plugins cache" + # uses: ./.github/actions/sha-of-zip + # with: + # zipFilename: ${{steps.cachefn.outputs.FILEPATH}} + # shaA: 512 + # + # - name: "Prepare keychain" + # if: matrix.os == 'macOS-latest' + # env: + # MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }} + # MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }} + # run: | + # export TEMP_PWD=temporary-password-to-avoid-GUI-prompt + # echo "Decode Base64 certificates" + # echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12 + # echo "Create and unlock keychain" + # security create-keychain -p $TEMP_PWD build.keychain + # security unlock-keychain -p $TEMP_PWD build.keychain + # echo "Import certificates into keychain" + # # Note: in the next command, the -A should not be used outside of github actions. + # # It allows any application to read the keychain, which is fine in an ephemeral environment, + # # but not fine if you run this on your own machine. 
+ # security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -A -T /usr/bin/codesign -T /usr/bin/productbuild -T /usr/bin/security + # security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $TEMP_PWD build.keychain + # + # - name: "Create executable with jpackage (and sign, on MacOS)" + # uses: ./.github/actions/gradle-and-sha + # with: + # gradle-command: jpackage + # intermediate-filepath: ${{ steps.jpackagefn.outputs.FILEPATH }} + # final-filepath: ${{ steps.exefn.outputs.FILEPATH }} + # + # - name: "Notarize app bundle" + # if: matrix.os == 'macOS-latest' + # env: + # MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }} + # MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }} + # MACOS_NOTARIZATION_PWD: ${{ secrets.MACOS_NOTARIZATION_PWD }} + # IDENTITY_PUBLIC_KEY: A257HB4NS4 + # run: | + # echo "Unlock keychain" + # security unlock-keychain -p temporary-password-to-avoid-GUI-prompt build.keychain + # security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k temporary-password-to-avoid-GUI-prompt build.keychain + # echo "Create keychain profile" + # xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD" + # echo "Creating temp notarization archive" + # ditto -c -k --sequesterRsrc --keepParent ${{ steps.exefn.outputs.FILEPATH }} "notarization.zip" + # echo "Notarize app -- this may take a few minutes" + # xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait + # echo "Attach staple" + # xcrun stapler staple ${{ steps.exefn.outputs.FILEPATH }} - uses: actions/upload-artifact@v3 with: name: Package if-no-files-found: error path: | - ${{ github.workspace }}/${{ steps.zipfn.outputs.FILEPATH }} - ${{ github.workspace }}/${{ steps.zipfn.outputs.FILEPATH }}.sha512 + #${{ github.workspace }}/${{ steps.zipfn.outputs.FILEPATH }} + #${{ 
github.workspace }}/${{ steps.zipfn.outputs.FILEPATH }}.sha512 ${{ github.workspace }}/${{ steps.zipfn.outputs.FILEPATH }}.golden.sha512 - ${{ github.workspace }}/${{ steps.exefn.outputs.FILEPATH }} - ${{ github.workspace }}/${{ steps.exefn.outputs.FILEPATH }}.sha512 - ${{ github.workspace }}/${{steps.cachefn.outputs.FILEPATH}} - ${{ github.workspace }}/${{steps.cachefn.outputs.FILEPATH}}.sha512 - ${{ github.workspace }}/${{steps.cachefn.outputs.FILEPATH}}.golden.sha512 + #${{ github.workspace }}/${{ steps.exefn.outputs.FILEPATH }} + #${{ github.workspace }}/${{ steps.exefn.outputs.FILEPATH }}.sha512 + #${{ github.workspace }}/${{steps.cachefn.outputs.FILEPATH}} + #${{ github.workspace }}/${{steps.cachefn.outputs.FILEPATH}}.sha512 + #${{ github.workspace }}/${{steps.cachefn.outputs.FILEPATH}}.golden.sha512 retention-days: 1 - name: "Upload binaries to release"
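Review bot: The `#${{ github.workspace }}/...` lines added inside `path: |` are not comments: `#` has no special meaning inside a block scalar, so those seven strings are handed to upload-artifact as literal search patterns beginning with `#`, which match nothing, and the step's only real input is the `.golden.sha512` line. `if-no-files-found: error` will not flag this because that one line still resolves. Move the commentary above the `path:` key or drop it, leaving `path: |` followed only by `${{ github.workspace }}/${{ steps.zipfn.outputs.FILEPATH }}.golden.sha512`. Note also that the Package artifact then contains the golden hash but not the zip it attests, so the "Upload binaries to release" step whose definition starts on the last line and continues outside the hunk presumably has nothing to publish alongside it; the commented-out keychain and notarization steps above are inert and not reviewed here.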