ci: update ci permission and limit their environment #2749
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Package Neuron for Test | |
on: | |
issue_comment: | |
types: [created] | |
push: | |
jobs: | |
packaging: | |
if: ${{ (github.event_name == 'issue_comment' && github.event.issue.pull_request && startsWith(github.event.comment.body, '/package') && contains(fromJSON('["OWNER", "COLLABORATOR"]'), github.event.comment.author_association)) || github.event_name == 'push' }} | |
strategy: | |
matrix: | |
node: | |
- 18.12.0 | |
os: | |
- macos-latest | |
- ubuntu-20.04 | |
- windows-2019 | |
runs-on: ${{ matrix.os }} | |
permissions: | |
contents: read | |
pull-requests: read | |
name: ${{ matrix.os }}(Node.js ${{ matrix.node }}) | |
env: | |
MAC_SHOULD_CODE_SIGN: ${{ github.event_name != 'pull_request' && secrets.APPLE_ID != '' }} | |
WIN_CERTIFICATE_BASE64: ${{ secrets.WIN_CERTIFICATE_BASE64 }} | |
steps: | |
- name: Set git to use LF | |
run: | | |
git config --global core.autocrlf false | |
git config --global core.eol lf | |
- name: Checkout for push | |
uses: actions/checkout@v4 | |
if: ${{ github.event_name == 'push' }} | |
- name: Checkout for PR | |
uses: actions/checkout@v4 | |
if: ${{ github.event_name == 'issue_comment' }} | |
with: | |
ref: refs/pull/${{ github.event.issue.number }}/merge | |
- name: Setup Node | |
uses: actions/setup-node@v4 | |
with: | |
node-version: ${{ matrix.node }} | |
cache: "yarn" | |
- name: Restore | |
uses: actions/cache@v3 | |
with: | |
path: | | |
node_modules | |
*/*/node_modules | |
key: 2022-12-21-${{ runner.os }}-${{ hashFiles('**/yarn.lock')}} | |
- name: Add msbuild to PATH | |
if: matrix.os == 'windows-2019' | |
uses: microsoft/[email protected] | |
env: | |
ACTIONS_ALLOW_UNSECURE_COMMANDS: "true" | |
- name: Setup Certificate | |
if: matrix.os == 'windows-2019' | |
run: | | |
echo "${{ secrets.SM_CLIENT_CERT_FILE_BASE64 }}" | base64 --decode > /d/Certificate_pkcs12.p12 | |
shell: bash | |
- name: Set variables | |
if: matrix.os == 'windows-2019' | |
run: | | |
echo "SM_KEYPAIR_NAME=${{ secrets.SM_KEYPAIR_ALIAS }}" >> "$GITHUB_ENV" | |
echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV" | |
echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV" | |
echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV" | |
echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV" | |
echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH | |
echo "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools" >> $GITHUB_PATH | |
echo "C:\Program Files\DigiCert\DigiCert One Signing Manager Tools" >> $GITHUB_PATH | |
shell: bash | |
- name: Setting up the client tools | |
if: ${{ matrix.os == 'windows-2019' && env.SM_API_KEY != '' }} | |
run: | | |
curl -X GET https://one.digicert.com/signingmanager/api-ui/v1/releases/smtools-windows-x64.msi/download -H "x-api-key:%SM_API_KEY%" -o smtools-windows-x64.msi | |
msiexec /i smtools-windows-x64.msi /quiet /qn | |
C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user | |
shell: cmd | |
- name: Certificates Sync | |
if: ${{ matrix.os == 'windows-2019' && env.SM_API_KEY != '' }} | |
run: | | |
smctl windows certsync | |
shell: cmd | |
- name: Install libudev | |
if: matrix.os == 'ubuntu-20.04' | |
run: | | |
sudo apt-get update | |
sudo apt-get install -y libudev-dev | |
- name: Install Lerna | |
run: yarn global add lerna | |
- name: Bootstrap | |
run: | | |
yarn | |
env: | |
CI: false | |
- name: Write electron-build Test yml | |
uses: actions/github-script@v7 | |
with: | |
script: | | |
const fs = require('node:fs') | |
const ympPath = 'packages/neuron-wallet/electron-builder.yml' | |
fs.writeFileSync(ympPath, fs.readFileSync(ympPath).toString().replace('asar: true', 'asar: false')) | |
- name: Package for MacOS | |
if: ${{ matrix.os == 'macos-latest' && env.MAC_SHOULD_CODE_SIGN == 'true' }} | |
run: | | |
./scripts/download-ckb.sh mac | |
yarn package:test mac | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
APPLE_ID: ${{ secrets.APPLE_ID }} | |
APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }} | |
CSC_LINK: ${{ secrets.MAC_CERTIFICATE_BASE64 }} | |
CSC_KEY_PASSWORD: ${{ secrets.MAC_CERTIFICATE_PASSWORD }} | |
TEAM_ID: ${{ secrets.TEAM_ID }} | |
USE_HARD_LINKS: false | |
- name: Package for MacOS for skip code sign | |
if: ${{ matrix.os == 'macos-latest' && env.MAC_SHOULD_CODE_SIGN == 'false' }} | |
run: | | |
export CSC_IDENTITY_AUTO_DISCOVERY=false | |
./scripts/download-ckb.sh mac | |
yarn package:test mac | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
SKIP_NOTARIZE: true | |
USE_HARD_LINKS: false | |
- name: Package for Windows | |
if: matrix.os == 'windows-2019' | |
run: | | |
bash ./scripts/download-ckb.sh win | |
yarn build | |
bash ./scripts/copy-ui-files.sh | |
bash ./scripts/package-for-test.sh win | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: Package for Linux | |
if: matrix.os == 'ubuntu-20.04' | |
run: | | |
./scripts/download-ckb.sh | |
yarn package:test linux | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
USE_HARD_LINKS: false | |
- name: Upload Neuron App Zip | |
if: matrix.os == 'macos-latest' | |
uses: actions/upload-artifact@v4 | |
with: | |
name: Neuron-Mac-x64 | |
path: release/Neuron-*-mac-x64.zip | |
- name: Upload Neuron App Zip(arm64) | |
if: matrix.os == 'macos-latest' | |
uses: actions/upload-artifact@v4 | |
with: | |
name: Neuron-Mac-arm64 | |
path: release/Neuron-*-mac-arm64.zip | |
- name: Upload Neuron Dmg | |
if: matrix.os == 'macos-latest' | |
uses: actions/upload-artifact@v4 | |
with: | |
name: Neuron-Dmg-x64 | |
path: release/Neuron-*-x64.dmg | |
- name: Upload Neuron Dmg(arm64) | |
if: matrix.os == 'macos-latest' | |
uses: actions/upload-artifact@v4 | |
with: | |
name: Neuron-Dmg-arm64 | |
path: release/Neuron-*-arm64.dmg | |
- name: Upload Neuron Win | |
if: matrix.os == 'windows-2019' | |
uses: actions/upload-artifact@v4 | |
with: | |
name: Neuron-Win | |
path: release/Neuron-*-setup.exe | |
- name: Upload Neuron Linux | |
if: matrix.os == 'ubuntu-20.04' | |
uses: actions/upload-artifact@v4 | |
with: | |
name: Neuron-Linux | |
path: release/Neuron-*.AppImage | |
comment_when_package_success: | |
needs: [packaging] | |
name: Append links to the Pull Request | |
runs-on: ubuntu-latest | |
permissions: | |
pull-requests: write | |
contents: write | |
steps: | |
- name: Comment by push event | |
if: ${{ github.event_name == 'push' }} | |
uses: peter-evans/commit-comment@v3 | |
with: | |
body: | | |
Packaging for test is done in [${{ github.run_id }}](https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}) | |
- name: Comment by pull request comment event | |
if: ${{ github.event_name == 'issue_comment' }} | |
uses: peter-evans/create-or-update-comment@v3 | |
with: | |
comment-id: ${{ github.event.comment.id }} | |
body: | | |
Packaging for test is done in [${{ github.run_id }}](https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}). @${{ github.event.comment.user.login }} | |
edit-mode: append | |
comment_when_package_failed: | |
needs: [packaging] | |
if: ${{ always() && needs.packaging.result == 'failure' }} | |
name: Append failed comment to the comment | |
runs-on: ubuntu-latest | |
permissions: | |
pull-requests: write | |
steps: | |
- name: Comment by pull request comment event when package failed | |
if: ${{ github.event_name == 'issue_comment' }} | |
uses: peter-evans/create-or-update-comment@v3 | |
with: | |
comment-id: ${{ github.event.comment.id }} | |
body: Packageing failed in [${{ github.run_id }}](https://github.com/${{github.repository}}/actions/runs/${{github.run_id}}). @${{ github.event.comment.user.login }} | |
edit-mode: append |