Skip to content

Merge pull request #126 from subspace/windows-code-signing #56

Merge pull request #126 from subspace/windows-code-signing

Merge pull request #126 from subspace/windows-code-signing #56

Workflow file for this run

# This action enables building release executables/installers and can be triggered manually or by release creation.
#
# Executables are built both for releases and for manually triggered runs, uploaded to artifacts and assets.
name: Release
on:
workflow_dispatch:
push:
tags:
- "*"
# Incremental compilation here isn't helpful
env:
CARGO_INCREMENTAL: 0
jobs:
release:
strategy:
matrix:
build:
- os: ubuntu-22.04
target: x86_64-unknown-linux-gnu
suffix: ubuntu-x86_64-skylake-${{ github.ref_name }}
rustflags: "-C target-cpu=skylake"
# TODO: Package for more Linux distributions/packaging formats/architectures and macOS
# - os: ubuntu-22.04
# target: aarch64-unknown-linux-gnu
# suffix: ubuntu-aarch64-${{ github.ref_name }}
# # TODO: AES flag is such that we have decent performance on ARMv8, remove once `aes` crate bumps MSRV to
# # at least 1.61: https://github.com/RustCrypto/block-ciphers/issues/373
# rustflags: "-C linker=aarch64-linux-gnu-gcc --cfg aes_armv8"
# - os: macos-14
# target: aarch64-apple-darwin
# suffix: macos-aarch64-${{ github.ref_name }}
# # TODO: AES flag is such that we have decent performance on ARMv8, remove once `aes` crate bumps MSRV to
# # at least 1.61: https://github.com/RustCrypto/block-ciphers/issues/373
# rustflags: "--cfg aes_armv8"
- os: windows-2022
target: x86_64-pc-windows-msvc
suffix: windows-x86_64-skylake-${{ github.ref_name }}
rustflags: "-C target-cpu=skylake"
runs-on: ${{ matrix.build.os }}
env:
RUSTFLAGS: ${{ matrix.build.rustflags }}
steps:
- name: Checkout
uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # @v3.1.0
- name: Install GTK4 and libfuse2 (Linux)
# libfuse2 is needed for AppImage to run
run: sudo apt-get install --no-install-recommends -y libgtk-4-dev libfuse2
if: runner.os == 'Linux'
- name: Configure GTK4 cache (Windows)
uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # @v3.3.2
id: cache
with:
path: C:\gtk-build\gtk\x64\release
key: ${{ runner.os }}-gtk4
if: runner.os == 'Windows'
- name: Install GTK4 (macOS)
run: brew install gtk4
if: runner.os == 'macOS'
# TODO: This is a workaround for https://github.com/wingtk/gvsbuild/issues/984, remove once fixed upstream
- name: Move git binary (Windows)
run: |
Move-Item "C:\Program Files\Git\usr\bin" "C:\Program Files\Git\usr\notbin"
Move-Item "C:\Program Files\Git\bin" "C:\Program Files\Git\notbin"
if: runner.os == 'Windows' && steps.cache.outputs.cache-hit != 'true'
- name: Install GTK4 (Windows)
run: |
pipx install gvsbuild
gvsbuild build gtk4 librsvg
if: runner.os == 'Windows' && steps.cache.outputs.cache-hit != 'true'
# TODO: This is a workaround for https://github.com/wingtk/gvsbuild/issues/984, remove once fixed upstream
- name: Restore git binary (Windows)
run: |
Move-Item "C:\Program Files\Git\usr\notbin" "C:\Program Files\Git\usr\bin"
Move-Item "C:\Program Files\Git\notbin" "C:\Program Files\Git\bin"
if: runner.os == 'Windows' && steps.cache.outputs.cache-hit != 'true'
- name: Configure GTK4 (Windows)
run: |
Add-Content $env:GITHUB_ENV "PKG_CONFIG_PATH=C:\gtk-build\gtk\x64\release\lib\pkgconfig"
Add-Content $env:GITHUB_ENV ("LIB=" + $env:LIB + ";" + "C:\gtk-build\gtk\x64\release\lib")
Add-Content $env:GITHUB_PATH "C:\gtk-build\gtk\x64\release\bin"
# We have hardcoded list of libraries in space-acres.wxs, make sure it didn't change unexpectedly
Get-ChildItem C:\gtk-build\gtk\x64\release\bin\*.dll | ForEach-Object { $_.Name } > actual-dlls.log
if (Compare-Object -ReferenceObject (Get-Content -Path res\windows\wix\expected-dlls.log) -DifferenceObject (Get-Content -Path actual-dlls.log)) {
Write-Output "Expected DLLs:"
Get-Content res\windows\wix\expected-dlls.log
Write-Output "Actual DLLs:"
Get-Content actual-dlls.log
Throw "Actual DLLs do not match expected"
}
if: runner.os == 'Windows'
# On macOS, we need a proper Clang version, not Apple's custom version without wasm32 support
# TODO: on macOS, the consensus/domain runtime build is not compatible with LLVM 15.0.7 and
# LLVM 15.0.{3, 4, 5, 6} is not released for macOS thus install LLVM 15.0.2 explicitly as a
# temporary workaround, and remove once incompatible is fixed.
- name: Install LLVM and Clang for macOS
uses: KyleMayes/install-llvm-action@c135b3937686fd69c2651507aabc9925a8f9eee8 # v1.8.3
with:
version: "15.0.2"
if: runner.os == 'macOS'
# TODO: on Linux and Windows, the consensus/domain runtime build is not compatible with LLVM 16,
# thus install LLVM 15 explicitly as a temporary workaround, and remove once incompatible is fixed.
- name: Install LLVM and Clang for Linux and Windows
uses: KyleMayes/install-llvm-action@c135b3937686fd69c2651507aabc9925a8f9eee8 # v1.8.3
with:
version: "15.0"
if: runner.os != 'macOS'
- name: Install Protoc
uses: arduino/setup-protoc@9b1ee5b22b0a3f1feb8c2ff99b32c89b3c3191e9 # v2.0.0
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
# Needed for hwloc
- name: Install automake (macOS)
run: brew install automake
if: runner.os == 'macOS'
# Workaround to resolve link error with C:\msys64\mingw64\bin\libclang.dll
- name: Remove msys64
run: Remove-Item -LiteralPath "C:\msys64\" -Force -Recurse
if: runner.os == 'Windows'
# Doesn't exist on self-hosted runners
continue-on-error: true
- name: AArch64 cross-compile packages
run: sudo apt-get update && sudo apt-get install -y --no-install-recommends g++-aarch64-linux-gnu gcc-aarch64-linux-gnu libc6-dev-arm64-cross
if: matrix.build.target == 'aarch64-unknown-linux-gnu'
- name: Configure cache
uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # @v3.3.2
with:
path: |
~/.cargo/registry
~/.cargo/git
key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.toml') }}
restore-keys: |
${{ runner.os }}-cargo-
- name: Build app (Linux and Windows)
run: cargo -Zgitoxide -Zgit build --locked -Z build-std --target ${{ matrix.build.target }} --profile production
if: runner.os != 'macOS'
- name: Build app (macOS)
run: cargo -Zgitoxide -Zgit build --locked -Z build-std --target ${{ matrix.build.target }} --profile production --no-default-features
if: runner.os == 'macOS'
# TODO: Package macOS
- name: Install cargo-wix (Windows)
uses: taiki-e/cache-cargo-install-action@1b76958d032c4d048c599f9fdfa48abe804d6319 # v1.2.2
with:
tool: cargo-wix
if: runner.os == 'Windows'
- name: Package (Windows)
run: |
Remove-Item target\wix\gtk4 -Recurse -Confirm:$false -ErrorAction SilentlyContinue
New-Item target\wix\gtk4\bin -ItemType Directory
New-Item target\wix\gtk4\lib\gdk-pixbuf-2.0\2.10.0\loaders -ItemType Directory
New-Item target\wix\gtk4\share\glib-2.0\schemas -ItemType Directory
Copy-Item -Path C:\gtk-build\gtk\x64\release\bin\*.dll -Destination target\wix\gtk4\bin
Copy-Item -Path C:\gtk-build\gtk\x64\release\bin\gdbus.exe -Destination target\wix\gtk4\bin
Copy-Item -Path C:\gtk-build\gtk\x64\release\bin\gspawn-win64-helper.exe -Destination target\wix\gtk4\bin
Copy-Item -Path C:\gtk-build\gtk\x64\release\bin\gspawn-win64-helper-console.exe -Destination target\wix\gtk4\bin
Copy-Item -Path C:\gtk-build\gtk\x64\release\lib\gdk-pixbuf-2.0\2.10.0\loaders\*.dll -Destination target\wix\gtk4\lib\gdk-pixbuf-2.0\2.10.0\loaders
Copy-Item -Path C:\gtk-build\gtk\x64\release\lib\gdk-pixbuf-2.0\2.10.0\loaders.cache -Destination target\wix\gtk4\lib\gdk-pixbuf-2.0\2.10.0
Copy-Item -Path C:\gtk-build\gtk\x64\release\share\glib-2.0\schemas\gschemas.compiled -Destination target\wix\gtk4\share\glib-2.0\schemas\gschemas.compiled
# TODO: Ideally something like this would have worked and we wouldn't need to hardcode stuff in `space-acres.wxs`: https://github.com/volks73/cargo-wix/issues/271
# & "C:\Program Files (x86)\WiX Toolset v3.11\bin\heat.exe" dir target\wix\gtk4 -gg -sfrag -template:fragment -out target\wix\gtk4.wxs -cg GTK -dr GTK
cargo wix --target ${{ matrix.build.target }} --profile production --no-build --nocapture
Remove-Item target\wix\gtk4 -Recurse -Confirm:$false -ErrorAction SilentlyContinue
if: runner.os == 'Windows'
- name: Sign Application (Windows)
run: |
$ErrorActionPreference = "Stop"
dotnet tool install --global AzureSignTool
(Get-ChildItem -Path target\wix -Include space-acres-*.msi -Recurse) | ForEach-Object {
Write("Signing $($_)");
AzureSignTool sign --azure-key-vault-url "${{ secrets.AZURE_KEY_VAULT_URI }}" --azure-key-vault-client-id "${{ secrets.AZURE_CLIENT_ID }}" --azure-key-vault-client-secret "${{ secrets.AZURE_CLIENT_SECRET }}" --azure-key-vault-tenant-id "${{ secrets.AZURE_TENANT_ID }}" --azure-key-vault-certificate "${{ secrets.AZURE_CERT_NAME }}" --file-digest sha512 --timestamp-rfc3161 http://timestamp.digicert.com -v $($_);
}
# Allow code signing to fail on non-release builds and in non-subspace repos (forks)
continue-on-error: ${{ github.repository_owner != 'subspace' || github.event_name != 'push' || github.ref_type != 'tag' }}
if: runner.os == 'Windows'
- name: Upload installer to artifacts (Windows)
uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # @v3.1.1
with:
name: installer-${{ matrix.build.suffix }}
path: |
target/wix/*.msi
if-no-files-found: error
if: runner.os == 'Windows'
- name: Upload installer to assets (Windows)
uses: alexellis/upload-assets@259de5111cb56966d046ced998941e93f91d2c93 # @0.4.0
env:
GITHUB_TOKEN: ${{ github.token }}
with:
asset_paths: '["target/wix/*.msi"]'
if: runner.os == 'Windows' && github.event_name == 'push' && github.ref_type == 'tag'
- name: Install cargo-deb (Linux)
uses: taiki-e/cache-cargo-install-action@1b76958d032c4d048c599f9fdfa48abe804d6319 # v1.2.2
with:
tool: cargo-deb
if: runner.os == 'Linux'
- name: Package (Linux)
run: |
# Build Debian package
cargo deb --target ${{ matrix.build.target }} --profile production --no-build --no-strip
# And build AppImage as well
wget https://github.com/linuxdeploy/linuxdeploy/releases/download/continuous/linuxdeploy-x86_64.AppImage
wget https://raw.githubusercontent.com/linuxdeploy/linuxdeploy-plugin-gtk/3b67a1d1c1b0c8268f57f2bce40fe2d33d409cea/linuxdeploy-plugin-gtk.sh
chmod +x linuxdeploy*.AppImage linuxdeploy-plugin-gtk.sh
NO_STRIP=1 ./linuxdeploy-x86_64.AppImage \
--appdir AppDir \
--plugin gtk \
--executable target/${{ matrix.build.target }}/production/space-acres \
--desktop-file res/linux/space-acres.desktop \
--icon-file res/linux/space-acres.png \
--output appimage
# Rename AppImage to be consistent with other files
version=$(grep -Po 'version = "\K.*?(?=")' -m 1 Cargo.toml)
mv Space_Acres-x86_64.AppImage space-acres-$version-x86_64.AppImage
if: runner.os == 'Linux'
- name: Upload installer to artifacts (Linux)
uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # @v3.1.1
with:
name: installer-${{ matrix.build.suffix }}
path: |
space-acres-*.AppImage
target/${{ matrix.build.target }}/debian/*.deb
if-no-files-found: error
if: runner.os == 'Linux'
- name: Upload installer to assets (Linux)
uses: alexellis/upload-assets@259de5111cb56966d046ced998941e93f91d2c93 # @0.4.0
env:
GITHUB_TOKEN: ${{ github.token }}
with:
asset_paths: '["space-acres-*.AppImage", "target/${{ matrix.build.target }}/debian/*.deb"]'
if: runner.os == 'Linux' && github.event_name == 'push' && github.ref_type == 'tag'