build-git-installers #266
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: build-git-installers | |
| on: | |
| push: | |
| tags: | |
| - 'v[0-9]*vfs*' # matches "v<number><any characters>vfs<any characters>" | |
| permissions: | |
| id-token: write # required for Azure login via OIDC | |
| env: | |
| DO_WIN_CODESIGN: ${{ secrets.WIN_CODESIGN_CERT_SECRET_NAME != '' && secrets.WIN_CODESIGN_PASS_SECRET_NAME != '' }} | |
| DO_WIN_GPGSIGN: ${{ secrets.WIN_GPG_KEYGRIP_SECRET_NAME != '' && secrets.WIN_GPG_PRIVATE_SECRET_NAME != '' && secrets.WIN_GPG_PASSPHRASE_SECRET_NAME != '' }} | |
| jobs: | |
| # Check prerequisites for the workflow | |
| prereqs: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| tag_name: ${{ steps.tag.outputs.name }} # The full name of the tag, e.g. v2.32.0.vfs.0.0 | |
| tag_version: ${{ steps.tag.outputs.version }} # The version number (without preceding "v"), e.g. 2.32.0.vfs.0.0 | |
| steps: | |
| - name: Validate tag | |
| run: | | |
| echo "$GITHUB_REF" | | |
| grep -E '^refs/tags/v2\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.vfs\.0\.(0|[1-9][0-9]*)(\.rc[0-9])?$' || { | |
| echo "::error::${GITHUB_REF#refs/tags/} is not of the form v2.<X>.<Y>.vfs.0.<W>[.rc<N>]" >&2 | |
| exit 1 | |
| } | |
| - name: Determine tag to build | |
| run: | | |
| echo "name=${GITHUB_REF#refs/tags/}" >>$GITHUB_OUTPUT | |
| echo "version=${GITHUB_REF#refs/tags/v}" >>$GITHUB_OUTPUT | |
| id: tag | |
| - name: Clone git | |
| uses: actions/checkout@v4 | |
| - name: Validate the tag identified with trigger | |
| run: | | |
| die () { | |
| echo "::error::$*" >&2 | |
| exit 1 | |
| } | |
| # `actions/checkout` only downloads the peeled tag (i.e. the commit) | |
| git fetch origin +$GITHUB_REF:$GITHUB_REF | |
| # Verify that the tag is annotated | |
| test $(git cat-file -t "$GITHUB_REF") == "tag" || die "Tag ${{ steps.tag.outputs.name }} is not annotated" | |
| # Verify tag follows rules in GIT-VERSION-GEN (i.e., matches the specified "DEF_VER" in | |
| # GIT-VERSION-FILE) and matches tag determined from trigger | |
| make GIT-VERSION-FILE | |
| test "${{ steps.tag.outputs.version }}" == "$(sed -n 's/^GIT_VERSION *= *//p'< GIT-VERSION-FILE)" || die "GIT-VERSION-FILE tag ($(cat GIT-VERSION-FILE)) does not match ${{ steps.tag.outputs.name }}" | |
| # End check prerequisites for the workflow | |
| # Build Windows installers (x86_64 & aarch64; installer & portable) | |
| windows_pkg: | |
| environment: release | |
| needs: prereqs | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| arch: | |
| - name: x86_64 | |
| artifact: pkg-x86_64 | |
| toolchain: x86_64 | |
| mingwprefix: mingw64 | |
| runner: windows-2019 | |
| runs-on: ${{ matrix.arch.runner }} | |
| env: | |
| GPG_OPTIONS: "--batch --yes --no-tty --list-options no-show-photos --verify-options no-show-photos --pinentry-mode loopback" | |
| HOME: "${{github.workspace}}\\home" | |
| USERPROFILE: "${{github.workspace}}\\home" | |
| steps: | |
| - uses: mxschmitt/action-tmate@v3 | |
| with: | |
| detached: true | |
| - name: Configure user | |
| shell: bash | |
| run: | |
| USER_NAME="${{github.actor}}" && | |
| USER_EMAIL="${{github.actor}}@users.noreply.github.com" && | |
| mkdir -p "$HOME" && | |
| git config --global user.name "$USER_NAME" && | |
| git config --global user.email "$USER_EMAIL" && | |
| echo "PACKAGER=$USER_NAME <$USER_EMAIL>" >>$GITHUB_ENV | |
| - uses: git-for-windows/setup-git-for-windows-sdk@v1 | |
| with: | |
| flavor: build-installers | |
| architecture: ${{ matrix.arch.name }} | |
| - name: Log in to Azure | |
| uses: azure/login@v2 | |
| with: | |
| client-id: ${{ secrets.AZURE_CLIENT_ID }} | |
| tenant-id: ${{ secrets.AZURE_TENANT_ID }} | |
| subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
| - name: Download GPG secrets | |
| id: gpg-secrets | |
| if: env.DO_WIN_GPGSIGN == 'true' | |
| uses: ./.github/actions/akv-secret | |
| with: | |
| vault: ${{ secrets.AZURE_VAULT }} | |
| secrets: | | |
| ${{ secrets.WIN_GPG_KEYGRIP_SECRET_NAME }} > $output:keygrip | |
| ${{ secrets.WIN_GPG_PRIVATE_SECRET_NAME }} > $output:private-key | |
| ${{ secrets.WIN_GPG_PASSPHRASE_SECRET_NAME }} > $output:passphrase | |
| - name: debug | |
| shell: bash | |
| run: | | |
| cat >/tmp/a1 <<-EOF | |
| # This section ensures that the identity for the GPG key matches the git user identity, otherwise | |
| # signing will fail | |
| # Import the GPG private key | |
| echo -n '${{ steps.gpg-secrets.outputs.private-key }}' | gpg $GPG_OPTIONS --import && | |
| info="$(gpg --list-keys --with-colons '${{ steps.gpg-secrets.outputs.keygrip }}' | cut -d : -f 1,10 | sed -n '/^uid/{s|uid:||p;q}')" && | |
| git config --global user.name "${info% <*}" && | |
| git config --global user.email "<${info#*<}" | |
| EOF | |
| - name: Prepare home directory for GPG signing | |
| if: ${{ steps.gpg-secrets.outputs.keygrip != '' && steps.gpg-secrets.outputs.private-key != '' }} | |
| shell: bash | |
| run: | | |
| # This section ensures that the identity for the GPG key matches the git user identity, otherwise | |
| # signing will fail | |
| # Import the GPG private key | |
| echo -n '${{ steps.gpg-secrets.outputs.private-key }}' | gpg $GPG_OPTIONS --import && | |
| info="$(gpg --list-keys --with-colons '${{ steps.gpg-secrets.outputs.keygrip }}' | cut -d : -f 1,10 | sed -n '/^uid/{s|uid:||p;q}')" && | |
| git config --global user.name "${info% <*}" && | |
| git config --global user.email "<${info#*<}" |