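name: build-git-installers

# Fires only on tag pushes. The glob is deliberately loose ("v<digits>…vfs…");
# the `prereqs` job below enforces the exact v2.<X>.<Y>.vfs.0.<W>[.rc<N>]
# shape before anything is built or signed, so this pattern is a pre-filter,
# not the security boundary.
on:
  push:
    tags:
      - 'v[0-9]*vfs*' # matches "v<number><any characters>vfs<any characters>"

# Least privilege for the default GITHUB_TOKEN. Once any permission is listed
# here every unlisted one drops to `none`, so the read access the
# `actions/checkout` steps rely on is spelled out instead of left implicit.
# Jobs that need more (e.g. publishing a release) must raise it at job level.
permissions:
  contents: read
  id-token: write # required for Azure login via OIDC

# Feature flags for the Windows signing jobs. By the convention used for the
# Apple material (see the akv-secret step), `*_SECRET_NAME` secrets appear to
# hold Key Vault secret *names*, not key material; a flag is "true" only when
# every name its job needs is configured. GitHub renders the expressions as
# the strings "true"/"false" in the job environment.
env:
  DO_WIN_CODESIGN: ${{ secrets.WIN_CODESIGN_CERT_SECRET_NAME != '' && secrets.WIN_CODESIGN_PASS_SECRET_NAME != '' }}
  DO_WIN_GPGSIGN: ${{ secrets.WIN_GPG_KEYGRIP_SECRET_NAME != '' && secrets.WIN_GPG_PRIVATE_SECRET_NAME != '' && secrets.WIN_GPG_PASSPHRASE_SECRET_NAME != '' }}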
jobs:
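# Check prerequisites for the workflow
#
# Gatekeeper job: the macOS job visible below `needs` it, so nothing is built
# or signed unless the pushed tag (a) has the exact release-tag shape, (b) is
# an annotated tag object, and (c) agrees with the version GIT-VERSION-GEN
# derives from the tree. Its two outputs are how the tag reaches later jobs.
prereqs:
  runs-on: ubuntu-latest
  outputs:
    tag_name: ${{ steps.tag.outputs.name }} # The full name of the tag, e.g. v2.32.0.vfs.0.0
    tag_version: ${{ steps.tag.outputs.version }} # The version number (without preceding "v"), e.g. 2.32.0.vfs.0.0
  steps:
    # Strict allow-list for the tag name. Because every later use of the tag
    # (shell snippets, file names) is downstream of this check, the value can
    # only ever contain [0-9a-z.].
    - name: Validate tag
      run: |
        echo "$GITHUB_REF" |
        grep -E '^refs/tags/v2\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.vfs\.0\.(0|[1-9][0-9]*)(\.rc[0-9])?$' || {
          echo "::error::${GITHUB_REF#refs/tags/} is not of the form v2.<X>.<Y>.vfs.0.<W>[.rc<N>]" >&2
          exit 1
        }
    # Expose the validated tag as step outputs (full name, and name minus "v").
    - name: Determine tag to build
      id: tag
      run: |
        echo "name=${GITHUB_REF#refs/tags/}" >>"$GITHUB_OUTPUT"
        echo "version=${GITHUB_REF#refs/tags/v}" >>"$GITHUB_OUTPUT"
    # Supply-chain note: this release pipeline references the action by the
    # floating `v4` tag; pinning to a full commit SHA would stop a moved or
    # compromised tag in the action's repository from changing what runs here.
    - name: Clone git
      uses: actions/checkout@v4
    - name: Validate the tag identified with trigger
      # Step outputs are handed to the script via env rather than `${{ }}`
      # inside the script text. The values are already regex-validated above,
      # so this is uniformity rather than a fix, but it keeps the shell from
      # ever seeing an expression expansion.
      env:
        TAG_NAME: ${{ steps.tag.outputs.name }}
        TAG_VERSION: ${{ steps.tag.outputs.version }}
      run: |
        die () {
          echo "::error::$*" >&2
          exit 1
        }
        # `actions/checkout` only downloads the peeled tag (i.e. the commit);
        # fetch the tag object itself so its type can be inspected.
        git fetch origin "+$GITHUB_REF:$GITHUB_REF"
        # Verify that the tag is annotated (a lightweight tag resolves to "commit")
        test "$(git cat-file -t "$GITHUB_REF")" = "tag" || die "Tag $TAG_NAME is not annotated"
        # Verify tag follows rules in GIT-VERSION-GEN (i.e., matches the specified "DEF_VER" in
        # GIT-VERSION-FILE) and matches tag determined from trigger
        make GIT-VERSION-FILE
        test "$TAG_VERSION" = "$(sed -n 's/^GIT_VERSION *= *//p' <GIT-VERSION-FILE)" || die "GIT-VERSION-FILE tag ($(cat GIT-VERSION-FILE)) does not match $TAG_NAME"
# End check prerequisites for the workflow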
# Build and sign Mac OSX installers & upload artifacts
create-macos-artifacts:
runs-on: macos-latest-xl-arm64
needs: prereqs
env:
VERSION: "${{ needs.prereqs.outputs.tag_version }}"
environment: release
steps:
# Checkout into ./git rather than the workspace root; the local composite
# action used two steps later is addressed as ./git/.github/actions/akv-secret.
# Referenced by floating tag `v4` — consider pinning to a full commit SHA in a
# job that handles code-signing material.
- name: Check out repository
  uses: actions/checkout@v4
  with:
    path: 'git'
# Federated (OIDC) login: no client secret is passed, the job presents the
# GitHub-issued ID token (hence `id-token: write` at the top of the file).
# The three inputs are identifiers, not credentials, but live in secrets so
# they are masked in logs. NOTE(review): what binds this identity to *this*
# workflow is the federated credential's subject filter on the Azure side —
# confirm it is scoped to the `release` environment, not just the repository.
- name: Log in to Azure
  uses: azure/login@v2
  with:
    client-id: ${{ secrets.AZURE_CLIENT_ID }}
    tenant-id: ${{ secrets.AZURE_TENANT_ID }}
    subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
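# DEBUG ONLY — interactive shell on the release runner. Disabled.
#
# This job runs in the `release` environment and, a few steps later, holds
# the Apple signing certificates, their passwords and the Apple ID password
# used for notarization. A detached tmate session opened here stays up while
# those are loaded, so anyone who can attach gets a shell with all of them.
# The step is kept only as a template for a one-off investigation: if it is
# ever re-enabled, keep `limit-access-to-actor` (only the pushing user's
# GitHub SSH keys may connect) and remove it again before a real release.
- name: Debug shell (tmate) — disabled
  if: false
  uses: mxschmitt/action-tmate@v3
  with:
    detached: true
    limit-access-to-actor: true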
# Pull the Apple signing material from Key Vault. The `secrets.*_SECRET_NAME`
# inputs are vault secret *names*; the fetched values become step outputs
# (`$output:<id>`) or, for the two `base64>` lines, decoded files
# (appcert.p12 / instcert.p12, presumably relative to the workspace — the
# composite action decides). Whether the outputs are registered with
# ::add-mask:: is also decided inside that action, not here: confirm it before
# relying on log redaction for dev-pass and the two *cert-pass values.
# The .p12 files are private-key material on disk and are not cleaned up by
# this step.
- name: Download signing secrets
  id: signing-secrets
  uses: ./git/.github/actions/akv-secret
  with:
    vault: ${{ secrets.AZURE_VAULT }}
    secrets: |
      ${{ secrets.APPLE_APPSIGN_ID_SECRET_NAME }} > $output:appsign-id
      ${{ secrets.APPLE_INSTSIGN_ID_SECRET_NAME }} > $output:instsign-id
      ${{ secrets.APPLE_TEAM_ID_SECRET_NAME }} > $output:team-id
      ${{ secrets.APPLE_DEVELOPER_ID_SECRET_NAME }} > $output:dev-id
      ${{ secrets.APPLE_DEVELOPER_PASSWORD_SECRET_NAME }} > $output:dev-pass
      ${{ secrets.APPLE_APPCERT_PASS_SECRET_NAME }} > $output:appcert-pass
      ${{ secrets.APPLE_INSTCERT_PASS_SECRET_NAME }} > $output:instcert-pass
      ${{ secrets.APPLE_APPCERT_SECRET_NAME }} base64> appcert.p12
      ${{ secrets.APPLE_INSTCERT_SECRET_NAME }} base64> instcert.p12
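# (removed) A debugging step here wrote a copy of the
# "Set up signing/notarization infrastructure" script to /tmp/a1 through a
# quoted heredoc and never executed it. Quoting the heredoc delimiter only
# stops *bash* from expanding anything; `${{ steps.signing-secrets.outputs.* }}`
# is substituted by the workflow runner before the script is handed to bash,
# so /tmp/a1 held both certificate passwords, the Apple team/developer IDs and
# the Apple ID password in plaintext on the release runner. The step had no
# build purpose and has been deleted. Do not stage scratch copies of secret
# material on the filesystem in a job that runs in the `release` environment.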
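- name: Set up signing/notarization infrastructure
  # Secrets reach the script through the environment instead of being
  # expanded by `${{ }}` into the shell source. A value containing a quote or
  # `$` then can neither break the command line nor be interpreted by bash,
  # and the script text echoed to the log contains no secret material.
  env:
    APPCERT_PASS: ${{ steps.signing-secrets.outputs.appcert-pass }}
    INSTCERT_PASS: ${{ steps.signing-secrets.outputs.instcert-pass }}
    APPLE_TEAM_ID: ${{ steps.signing-secrets.outputs.team-id }}
    APPLE_DEV_ID: ${{ steps.signing-secrets.outputs.dev-id }}
    APPLE_DEV_PASS: ${{ steps.signing-secrets.outputs.dev-pass }}
  run: |
    echo "Setting up signing certificates"
    # Throw-away keychain on the ephemeral runner. The fixed password only
    # has to satisfy `security`; it protects nothing once the keychain is
    # unlocked and set to never re-lock below.
    KEYCHAIN="$RUNNER_TEMP/buildagent.keychain"
    security create-keychain -p pwd "$KEYCHAIN"
    security default-keychain -s "$KEYCHAIN"
    security unlock-keychain -p pwd "$KEYCHAIN"
    # Prevent re-locking
    security set-keychain-settings "$KEYCHAIN"
    # Application-signing identity, usable by codesign without a UI prompt.
    # NOTE: `-P` places the password on the command line, so it is visible to
    # `ps` on the runner for the duration of the import (unchanged from before).
    security import appcert.p12 \
      -k "$KEYCHAIN" \
      -P "$APPCERT_PASS" \
      -T /usr/bin/codesign
    security set-key-partition-list \
      -S apple-tool:,apple:,codesign: \
      -s -k pwd \
      "$KEYCHAIN"
    # Installer-signing identity for pkgbuild.
    security import instcert.p12 \
      -k "$KEYCHAIN" \
      -P "$INSTCERT_PASS" \
      -T /usr/bin/pkgbuild
    security set-key-partition-list \
      -S apple-tool:,apple:,pkgbuild: \
      -s -k pwd \
      "$KEYCHAIN"
    echo "Setting up notarytool"
    # Saves the Apple ID credentials in the keychain under the profile name
    # "msftgit" for later notarization steps. The .p12 files imported above
    # are still on disk after this step; a later cleanup is advisable.
    xcrun notarytool store-credentials \
      --team-id "$APPLE_TEAM_ID" \
      --apple-id "$APPLE_DEV_ID" \
      --password "$APPLE_DEV_PASS" \
      "msftgit"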