Merge pull request #126 from subspace/windows-code-signing #56
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# This action enables building release executables/installers and can be triggered manually or by release creation. | |
# | |
# Executables are built both for releases and for manually triggered runs, uploaded to artifacts and assets. | |
name: Release | |
on: | |
workflow_dispatch: | |
push: | |
tags: | |
- "*" | |
# Incremental compilation here isn't helpful | |
env: | |
CARGO_INCREMENTAL: 0 | |
jobs: | |
release: | |
strategy: | |
matrix: | |
build: | |
- os: ubuntu-22.04 | |
target: x86_64-unknown-linux-gnu | |
suffix: ubuntu-x86_64-skylake-${{ github.ref_name }} | |
rustflags: "-C target-cpu=skylake" | |
# TODO: Package for more Linux distributions/packaging formats/architectures and macOS | |
# - os: ubuntu-22.04 | |
# target: aarch64-unknown-linux-gnu | |
# suffix: ubuntu-aarch64-${{ github.ref_name }} | |
# # TODO: AES flag is such that we have decent performance on ARMv8, remove once `aes` crate bumps MSRV to | |
# # at least 1.61: https://github.com/RustCrypto/block-ciphers/issues/373 | |
# rustflags: "-C linker=aarch64-linux-gnu-gcc --cfg aes_armv8" | |
# - os: macos-14 | |
# target: aarch64-apple-darwin | |
# suffix: macos-aarch64-${{ github.ref_name }} | |
# # TODO: AES flag is such that we have decent performance on ARMv8, remove once `aes` crate bumps MSRV to | |
# # at least 1.61: https://github.com/RustCrypto/block-ciphers/issues/373 | |
# rustflags: "--cfg aes_armv8" | |
- os: windows-2022 | |
target: x86_64-pc-windows-msvc | |
suffix: windows-x86_64-skylake-${{ github.ref_name }} | |
rustflags: "-C target-cpu=skylake" | |
runs-on: ${{ matrix.build.os }} | |
env: | |
RUSTFLAGS: ${{ matrix.build.rustflags }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # @v3.1.0 | |
- name: Install GTK4 and libfuse2 (Linux) | |
# libfuse2 is needed for AppImage to run | |
run: sudo apt-get install --no-install-recommends -y libgtk-4-dev libfuse2 | |
if: runner.os == 'Linux' | |
- name: Configure GTK4 cache (Windows) | |
uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # @v3.3.2 | |
id: cache | |
with: | |
path: C:\gtk-build\gtk\x64\release | |
key: ${{ runner.os }}-gtk4 | |
if: runner.os == 'Windows' | |
- name: Install GTK4 (macOS) | |
run: brew install gtk4 | |
if: runner.os == 'macOS' | |
# TODO: This is a workaround for https://github.com/wingtk/gvsbuild/issues/984, remove once fixed upstream | |
- name: Move git binary (Windows) | |
run: | | |
Move-Item "C:\Program Files\Git\usr\bin" "C:\Program Files\Git\usr\notbin" | |
Move-Item "C:\Program Files\Git\bin" "C:\Program Files\Git\notbin" | |
if: runner.os == 'Windows' && steps.cache.outputs.cache-hit != 'true' | |
- name: Install GTK4 (Windows) | |
run: | | |
pipx install gvsbuild | |
gvsbuild build gtk4 librsvg | |
if: runner.os == 'Windows' && steps.cache.outputs.cache-hit != 'true' | |
# TODO: This is a workaround for https://github.com/wingtk/gvsbuild/issues/984, remove once fixed upstream | |
- name: Restore git binary (Windows) | |
run: | | |
Move-Item "C:\Program Files\Git\usr\notbin" "C:\Program Files\Git\usr\bin" | |
Move-Item "C:\Program Files\Git\notbin" "C:\Program Files\Git\bin" | |
if: runner.os == 'Windows' && steps.cache.outputs.cache-hit != 'true' | |
- name: Configure GTK4 (Windows) | |
run: | | |
Add-Content $env:GITHUB_ENV "PKG_CONFIG_PATH=C:\gtk-build\gtk\x64\release\lib\pkgconfig" | |
Add-Content $env:GITHUB_ENV ("LIB=" + $env:LIB + ";" + "C:\gtk-build\gtk\x64\release\lib") | |
Add-Content $env:GITHUB_PATH "C:\gtk-build\gtk\x64\release\bin" | |
# We have hardcoded list of libraries in space-acres.wxs, make sure it didn't change unexpectedly | |
Get-ChildItem C:\gtk-build\gtk\x64\release\bin\*.dll | ForEach-Object { $_.Name } > actual-dlls.log | |
if (Compare-Object -ReferenceObject (Get-Content -Path res\windows\wix\expected-dlls.log) -DifferenceObject (Get-Content -Path actual-dlls.log)) { | |
Write-Output "Expected DLLs:" | |
Get-Content res\windows\wix\expected-dlls.log | |
Write-Output "Actual DLLs:" | |
Get-Content actual-dlls.log | |
Throw "Actual DLLs do not match expected" | |
} | |
if: runner.os == 'Windows' | |
# On macOS, we need a proper Clang version, not Apple's custom version without wasm32 support | |
# TODO: on macOS, the consensus/domain runtime build is not compatible with LLVM 15.0.7 and | |
# LLVM 15.0.{3, 4, 5, 6} is not released for macOS thus install LLVM 15.0.2 explicitly as a | |
# temporary workaround, and remove once incompatible is fixed. | |
- name: Install LLVM and Clang for macOS | |
uses: KyleMayes/install-llvm-action@c135b3937686fd69c2651507aabc9925a8f9eee8 # v1.8.3 | |
with: | |
version: "15.0.2" | |
if: runner.os == 'macOS' | |
# TODO: on Linux and Windows, the consensus/domain runtime build is not compatible with LLVM 16, | |
# thus install LLVM 15 explicitly as a temporary workaround, and remove once incompatible is fixed. | |
- name: Install LLVM and Clang for Linux and Windows | |
uses: KyleMayes/install-llvm-action@c135b3937686fd69c2651507aabc9925a8f9eee8 # v1.8.3 | |
with: | |
version: "15.0" | |
if: runner.os != 'macOS' | |
- name: Install Protoc | |
uses: arduino/setup-protoc@9b1ee5b22b0a3f1feb8c2ff99b32c89b3c3191e9 # v2.0.0 | |
with: | |
repo-token: ${{ secrets.GITHUB_TOKEN }} | |
# Needed for hwloc | |
- name: Install automake (macOS) | |
run: brew install automake | |
if: runner.os == 'macOS' | |
# Workaround to resolve link error with C:\msys64\mingw64\bin\libclang.dll | |
- name: Remove msys64 | |
run: Remove-Item -LiteralPath "C:\msys64\" -Force -Recurse | |
if: runner.os == 'Windows' | |
# Doesn't exist on self-hosted runners | |
continue-on-error: true | |
- name: AArch64 cross-compile packages | |
run: sudo apt-get update && sudo apt-get install -y --no-install-recommends g++-aarch64-linux-gnu gcc-aarch64-linux-gnu libc6-dev-arm64-cross | |
if: matrix.build.target == 'aarch64-unknown-linux-gnu' | |
- name: Configure cache | |
uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # @v3.3.2 | |
with: | |
path: | | |
~/.cargo/registry | |
~/.cargo/git | |
key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.toml') }} | |
restore-keys: | | |
${{ runner.os }}-cargo- | |
- name: Build app (Linux and Windows) | |
run: cargo -Zgitoxide -Zgit build --locked -Z build-std --target ${{ matrix.build.target }} --profile production | |
if: runner.os != 'macOS' | |
- name: Build app (macOS) | |
run: cargo -Zgitoxide -Zgit build --locked -Z build-std --target ${{ matrix.build.target }} --profile production --no-default-features | |
if: runner.os == 'macOS' | |
# TODO: Package macOS | |
- name: Install cargo-wix (Windows) | |
uses: taiki-e/cache-cargo-install-action@1b76958d032c4d048c599f9fdfa48abe804d6319 # v1.2.2 | |
with: | |
tool: cargo-wix | |
if: runner.os == 'Windows' | |
- name: Package (Windows) | |
run: | | |
Remove-Item target\wix\gtk4 -Recurse -Confirm:$false -ErrorAction SilentlyContinue | |
New-Item target\wix\gtk4\bin -ItemType Directory | |
New-Item target\wix\gtk4\lib\gdk-pixbuf-2.0\2.10.0\loaders -ItemType Directory | |
New-Item target\wix\gtk4\share\glib-2.0\schemas -ItemType Directory | |
Copy-Item -Path C:\gtk-build\gtk\x64\release\bin\*.dll -Destination target\wix\gtk4\bin | |
Copy-Item -Path C:\gtk-build\gtk\x64\release\bin\gdbus.exe -Destination target\wix\gtk4\bin | |
Copy-Item -Path C:\gtk-build\gtk\x64\release\bin\gspawn-win64-helper.exe -Destination target\wix\gtk4\bin | |
Copy-Item -Path C:\gtk-build\gtk\x64\release\bin\gspawn-win64-helper-console.exe -Destination target\wix\gtk4\bin | |
Copy-Item -Path C:\gtk-build\gtk\x64\release\lib\gdk-pixbuf-2.0\2.10.0\loaders\*.dll -Destination target\wix\gtk4\lib\gdk-pixbuf-2.0\2.10.0\loaders | |
Copy-Item -Path C:\gtk-build\gtk\x64\release\lib\gdk-pixbuf-2.0\2.10.0\loaders.cache -Destination target\wix\gtk4\lib\gdk-pixbuf-2.0\2.10.0 | |
Copy-Item -Path C:\gtk-build\gtk\x64\release\share\glib-2.0\schemas\gschemas.compiled -Destination target\wix\gtk4\share\glib-2.0\schemas\gschemas.compiled | |
# TODO: Ideally something like this would have worked and we wouldn't need to hardcode stuff in `space-acres.wxs`: https://github.com/volks73/cargo-wix/issues/271 | |
# & "C:\Program Files (x86)\WiX Toolset v3.11\bin\heat.exe" dir target\wix\gtk4 -gg -sfrag -template:fragment -out target\wix\gtk4.wxs -cg GTK -dr GTK | |
cargo wix --target ${{ matrix.build.target }} --profile production --no-build --nocapture | |
Remove-Item target\wix\gtk4 -Recurse -Confirm:$false -ErrorAction SilentlyContinue | |
if: runner.os == 'Windows' | |
- name: Sign Application (Windows) | |
run: | | |
$ErrorActionPreference = "Stop" | |
dotnet tool install --global AzureSignTool | |
(Get-ChildItem -Path target\wix -Include space-acres-*.msi -Recurse) | ForEach-Object { | |
Write("Signing $($_)"); | |
AzureSignTool sign --azure-key-vault-url "${{ secrets.AZURE_KEY_VAULT_URI }}" --azure-key-vault-client-id "${{ secrets.AZURE_CLIENT_ID }}" --azure-key-vault-client-secret "${{ secrets.AZURE_CLIENT_SECRET }}" --azure-key-vault-tenant-id "${{ secrets.AZURE_TENANT_ID }}" --azure-key-vault-certificate "${{ secrets.AZURE_CERT_NAME }}" --file-digest sha512 --timestamp-rfc3161 http://timestamp.digicert.com -v $($_); | |
} | |
# Allow code signing to fail on non-release builds and in non-subspace repos (forks) | |
continue-on-error: ${{ github.repository_owner != 'subspace' || github.event_name != 'push' || github.ref_type != 'tag' }} | |
if: runner.os == 'Windows' | |
- name: Upload installer to artifacts (Windows) | |
uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # @v3.1.1 | |
with: | |
name: installer-${{ matrix.build.suffix }} | |
path: | | |
target/wix/*.msi | |
if-no-files-found: error | |
if: runner.os == 'Windows' | |
- name: Upload installer to assets (Windows) | |
uses: alexellis/upload-assets@259de5111cb56966d046ced998941e93f91d2c93 # @0.4.0 | |
env: | |
GITHUB_TOKEN: ${{ github.token }} | |
with: | |
asset_paths: '["target/wix/*.msi"]' | |
if: runner.os == 'Windows' && github.event_name == 'push' && github.ref_type == 'tag' | |
- name: Install cargo-deb (Linux) | |
uses: taiki-e/cache-cargo-install-action@1b76958d032c4d048c599f9fdfa48abe804d6319 # v1.2.2 | |
with: | |
tool: cargo-deb | |
if: runner.os == 'Linux' | |
- name: Package (Linux) | |
run: | | |
# Build Debian package | |
cargo deb --target ${{ matrix.build.target }} --profile production --no-build --no-strip | |
# And build AppImage as well | |
wget https://github.com/linuxdeploy/linuxdeploy/releases/download/continuous/linuxdeploy-x86_64.AppImage | |
wget https://raw.githubusercontent.com/linuxdeploy/linuxdeploy-plugin-gtk/3b67a1d1c1b0c8268f57f2bce40fe2d33d409cea/linuxdeploy-plugin-gtk.sh | |
chmod +x linuxdeploy*.AppImage linuxdeploy-plugin-gtk.sh | |
NO_STRIP=1 ./linuxdeploy-x86_64.AppImage \ | |
--appdir AppDir \ | |
--plugin gtk \ | |
--executable target/${{ matrix.build.target }}/production/space-acres \ | |
--desktop-file res/linux/space-acres.desktop \ | |
--icon-file res/linux/space-acres.png \ | |
--output appimage | |
# Rename AppImage to be consistent with other files | |
version=$(grep -Po 'version = "\K.*?(?=")' -m 1 Cargo.toml) | |
mv Space_Acres-x86_64.AppImage space-acres-$version-x86_64.AppImage | |
if: runner.os == 'Linux' | |
- name: Upload installer to artifacts (Linux) | |
uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # @v3.1.1 | |
with: | |
name: installer-${{ matrix.build.suffix }} | |
path: | | |
space-acres-*.AppImage | |
target/${{ matrix.build.target }}/debian/*.deb | |
if-no-files-found: error | |
if: runner.os == 'Linux' | |
- name: Upload installer to assets (Linux) | |
uses: alexellis/upload-assets@259de5111cb56966d046ced998941e93f91d2c93 # @0.4.0 | |
env: | |
GITHUB_TOKEN: ${{ github.token }} | |
with: | |
asset_paths: '["space-acres-*.AppImage", "target/${{ matrix.build.target }}/debian/*.deb"]' | |
if: runner.os == 'Linux' && github.event_name == 'push' && github.ref_type == 'tag' |