Build and Release #23

Workflow file for this run

.github/workflows/release.yml at f4363f4

	name: Build and Release

	on: workflow_dispatch

	defaults:
	run:
	# necessary for windows
	shell: bash

	jobs:
	test:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/[email protected]
	- uses: actions-rust-lang/setup-rust-toolchain@v1
	- uses: arduino/setup-protoc@v3
	with:
	repo-token: ${{ secrets.GITHUB_TOKEN }}
	- name: Running examples
	run: \|
	cargo run

	prepare-release:
	needs: test
	runs-on: ubuntu-latest
	outputs:
	sha: ${{ steps.commit.outputs.sha }}
	version: ${{ steps.store-version.outputs.version }}
	steps:
	- uses: actions/[email protected]
	name: Fetch entire history (for conventional commits)
	with:
	fetch-depth: 0
	- name: Configure Git
	run: \|
	git config --global user.name GitHub Actions
	git config user.email [email protected]
	- name: Install Knope
	uses: knope-dev/[email protected]
	with:
	version: 0.18.0
	- run: knope prepare-release --verbose
	name: Update versioned files and changelog
	- name: Store commit
	id: commit
	run: echo "sha=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
	- name: Store version
	id: store-version
	run: echo "version=$(knope get-version)" >> $GITHUB_OUTPUT

	build-artifacts:
	needs: prepare-release
	strategy:
	matrix:
	include:
	- target: x86_64-unknown-linux-gnu
	os: ubuntu-latest
	- target: x86_64-unknown-linux-musl
	os: ubuntu-latest
	- target: aarch64-apple-darwin
	os: macos-latest
	- target: x86_64-pc-windows-msvc
	os: windows-latest
	runs-on: ${{ matrix.os }}
	permissions:
	contents: read
	id-token: write
	env:
	archive_name: rhai-test
	steps:
	- uses: actions/checkout@v4
	with:
	ref: ${{ needs.prepare-release.outputs.sha }}

	- uses: actions-rust-lang/setup-rust-toolchain@v1
	with:
	target: ${{ matrix.target }}

	- uses: arduino/setup-protoc@v3
	with:
	repo-token: ${{ secrets.GITHUB_TOKEN }}

	# Authenticate to GCP using Workload Identity Federation.
	# We set up the WI provider in the `github_actions_federation` resource in the
	# `platform-infrastructure` repository.
	- id: google-auth
	uses: "google-github-actions/auth@v2"
	with:
	workload_identity_provider: "projects/865738624352/locations/global/workloadIdentityPools/github-d8bck/providers/github-d8bck"
	service_account: apollosolutions-rhai-test@platform-mgmt-service-e0izz.iam.gserviceaccount.com
	project_id: platform-cross-environment

	# Gets some secrets from Google Secret Manager.
	- id: gsm-secrets
	uses: "google-github-actions/get-secretmanager-secrets@v2"
	with:
	# The format of each line here is OUTPUTNAME:PROJECT/SECRET; you can
	# read the secrets later in this file with
	# `steps.gsm-secrets.outputs.OUTPUTNAME`. These secrets are created in
	# the `argo` resource in the `domain-deployment` repository.
	secrets: \|-
	MACOS_CERT_BUNDLE_PASSWORD:platform-mgmt-secrets-3xnc4/apollosolutions-rhai-test-MACOS_CERT_BUNDLE_PASSWORD
	MACOS_CERT_BUNDLE_BASE64:platform-mgmt-secrets-3xnc4/apollosolutions-rhai-test-MACOS_CERT_BUNDLE_BASE64
	MACOS_NOTARIZATION_PASSWORD:platform-mgmt-secrets-3xnc4/apollosolutions-rhai-test-MACOS_NOTARIZATION_PASSWORD
	MACOS_KEYCHAIN_PASSWORD:platform-mgmt-secrets-3xnc4/apollosolutions-rhai-test-MACOS_KEYCHAIN_PASSWORD

	- name: Build
	run: cargo build --release --target ${{ matrix.target }}

	- name: Sign Apple Binary
	if: ${{ matrix.os == 'macos-latest' }}
	run: \|
	MACOS_CERT_BUNDLE_PASSWORD=${{steps.gsm-secrets.outputs.MACOS_CERT_BUNDLE_PASSWORD}}
	MACOS_CERT_BUNDLE_BASE64=${{steps.gsm-secrets.outputs.MACOS_CERT_BUNDLE_BASE64}}
	MACOS_KEYCHAIN_PASSWORD=${{steps.gsm-secrets.outputs.MACOS_KEYCHAIN_PASSWORD}}
	MACOS_NOTARIZATION_PASSWORD=${{steps.gsm-secrets.outputs.MACOS_NOTARIZATION_PASSWORD}}

	APPLE_TEAM_ID="YQK948L752"
	APPLE_USERNAME="[email protected]"

	echo "Pre-check: Valid Codesigning Identify"
	security find-identity -v -p codesigning
	echo "Pre-check: Codesigning Identify"
	security find-identity -p codesigning
	echo "Pre-check: Any Identify"
	security find-identity

	echo "\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|"

	VERSION=${{ needs.prepare-release.outputs.version }}
	BINARY_PATH=target/${{ matrix.target }}/release/${{ env.archive_name }}
	ENTITLEMENTS_PATH="macos-entitlements.plist"

	# Create a temporary keychain
	KEYCHAIN_NAME="rhaitest-keychain"
	mkdir $KEYCHAIN_NAME
	echo "Creating keychain..."
	security create-keychain -p "${MACOS_KEYCHAIN_PASSWORD}" $KEYCHAIN_NAME
	echo "Removing relock timeout on keychain..."
	security set-keychain-settings $KEYCHAIN_NAME

	echo "Decoding certificate bundle..."
	echo "${MACOS_CERT_BUNDLE_BASE64}" \| base64 --decode > $KEYCHAIN_NAME/certificate.p12

	echo "Importing codesigning certificate to build keychain..."
	security import $KEYCHAIN_NAME/certificate.p12 -k $KEYCHAIN_NAME -P "${MACOS_CERT_BUNDLE_PASSWORD}" -T /usr/bin/codesign

	echo "Adding the codesign tool to the security partition-list..."
	security set-key-partition-list -S "apple-tool:,apple:,codesign:" -s -k "${MACOS_KEYCHAIN_PASSWORD}" $KEYCHAIN_NAME

	echo "Setting default keychain..."
	security default-keychain -d user -s $KEYCHAIN_NAME

	echo "Unlocking keychain..."
	security unlock-keychain -p "${MACOS_KEYCHAIN_PASSWORD}" $KEYCHAIN_NAME

	echo "Verifying keychain is set up correctly..."
	security find-identity -v -p codesigning

	echo "\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|"

	echo "Post-check: Valid Codesigning Identify"
	security find-identity -v -p codesigning
	echo "Post-check: Codesigning Identify"
	security find-identity -p codesigning
	echo "Post-check: Any Identify"
	security find-identity

	echo "\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|\|"

	# Sign the binary
	echo "Signing code (step 1)..."
	codesign --sign "$APPLE_TEAM_ID" --options runtime --entitlements $ENTITLEMENTS_PATH --force --timestamp "$BINARY_PATH" -v

	echo "Signing code (step 2)..."
	codesign -vvv --deep --strict "$BINARY_PATH"

	echo "Zipping dist..."
	mkdir "$KEYCHAIN_NAME/dist"
	cp "$BINARY_PATH" "$KEYCHAIN_NAME/dist/rhaitest"
	zip -r "$KEYCHAIN_NAME/rhaitest-$VERSION.zip" "$KEYCHAIN_NAME/dist"

	echo "Beginning notarization process..."
	xcrun notarytool submit "$KEYCHAIN_NAME/rhaitest-$VERSION.zip" --apple-id "$APPLE_USERNAME" --password "$MACOS_NOTARIZATION_PASSWORD" --team-id "$APPLE_TEAM_ID" --wait --timeout 20m

	- name: Create Archive Folder
	run: mkdir ${{ env.archive_name }}

	- name: Copy Unix Artifact
	if: ${{ matrix.os != 'windows-latest' }}
	run: cp target/${{ matrix.target }}/release/${{ env.archive_name }} ${{ env.archive_name }}

	- name: Copy Windows Artifact
	if: ${{ matrix.os == 'windows-latest' }}
	run: cp target/${{ matrix.target }}/release/${{ env.archive_name }}.exe ${{ env.archive_name }}

	- name: Create Tar Archive
	run: tar -czf ${{ env.archive_name }}-${{ matrix.target }}.tgz ${{ env.archive_name }}

	- name: Upload Artifact
	uses: actions/[email protected]
	with:
	name: ${{ matrix.target }}
	path: ${{ env.archive_name }}-${{ matrix.target }}.tgz
	if-no-files-found: error
	release:
	needs: [build-artifacts, prepare-release]
	runs-on: ubuntu-latest
	steps:
	- uses: actions/[email protected]
	with:
	ref: ${{ needs.prepare-release.outputs.sha }}
	- uses: actions/[email protected]
	with:
	path: artifacts
	merge-multiple: true
	- run: \|
	cd artifacts
	ls
	cd ..
	- name: Install the latest Knope
	uses: knope-dev/[email protected]
	with:
	version: 0.11.0
	- run: knope release --verbose
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	- name: Update Installer version
	run: \|
	VERSION=$(knope get-version)

	sed -i "s/PACKAGE_VERSION=\"v[0-9]\.[0-9]\.[0-9]*\"/PACKAGE_VERSION=\"v$VERSION\"/" installers/nix/install.sh

	git config --global user.name GitHub Actions
	git config user.email [email protected]

	git add .
	git commit -m "Update installer version to v$VERSION"
	git push

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Build and Release #23

Workflow file

Build and Release #23

Jobs

Run details

Workflow file for this run