Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Sign releases, dev builds, and nuget package #4189

Merged
merged 4 commits into from
Sep 22, 2024
Merged

Sign releases, dev builds, and nuget package #4189

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
a7a29f5
Sign releases, dev builds, and nuget package
HebaruSan Sep 21, 2024
e8c84f3
Let the smoke test call build
HebaruSan Sep 22, 2024
b541342
Pack the Release folder
HebaruSan Sep 22, 2024
d5e9447
Thank SignPath in the README
HebaruSan Sep 22, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 16 additions & 5 deletions .github/workflows/build.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,15 +7,15 @@ on:
type: string
default: Debug
outputs:
repack-artifact-id:
description: "Artifact ID of the repack"
value: ${{ jobs.build.outputs.repack-artifact-id }}
unsigned-artifact-id:
description: Artifact ID of the assets to be signed
value: ${{ jobs.build.outputs.unsigned-artifact-id }}

jobs:
build:
runs-on: ubuntu-latest
outputs:
repack-artifact-id: ${{ steps.upload-repack-artifact.outputs.artifact-id }}
unsigned-artifact-id: ${{ steps.upload-unsigned-artifact.outputs.artifact-id }}
steps:
- uses: actions/checkout@v4
- name: Restore cache for _build/tools
Expand Down Expand Up @@ -50,10 +50,21 @@ jobs:
name: ${{ inputs.configuration }}-out-unsigned
path: _build/out/
retention-days: 1
- name: Bundle assets for signing
if: inputs.configuration == 'Release'
run: ./build Prepare-SignPath --configuration=${{ inputs.configuration }} --exclusive
- name: Upload unsigned artifact
id: upload-unsigned-artifact
if: inputs.configuration == 'Release'
uses: actions/upload-artifact@v4
with:
name: unsigned
path: _build/signpath/Release
retention-days: 7
- name: Upload ckan.exe artifact
if: inputs.configuration == 'Release'
uses: actions/upload-artifact@v4
with:
name: ckan.exe
path: _build/repack/Release/ckan.exe
retention-days: 7
if: inputs.configuration == 'Release'
74 changes: 40 additions & 34 deletions .github/workflows/deploy.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,11 +15,8 @@ env:
AWS_S3_BUCKET: ksp-ckan

jobs:
test-release:
uses: ./.github/workflows/test.yml

smoke-inflator:
uses: ./.github/workflows/smoke.yml
sign-assets:
uses: ./.github/workflows/sign.yml

check-dev-build:
runs-on: ubuntu-latest
Expand All @@ -40,13 +37,12 @@ jobs:

upload-release-s3:
needs:
- test-release
- smoke-inflator
- sign-assets
if: github.event_name != 'repository_dispatch'
runs-on: ubuntu-latest
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
if: github.event_name != 'repository_dispatch'
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
Expand All @@ -55,11 +51,15 @@ jobs:
aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
aws-region: us-east-1
- uses: actions/checkout@v4
- name: Download repack artifact
- name: Download signed artifact
uses: actions/download-artifact@v4
with:
name: Release-repack-unsigned
path: _build/repack/
name: signed
path: _build/signed
- name: Put signed exes into repack path
run: |
mkdir -p _build/repack/Release
cp _build/signed/*.exe _build/repack/Release
- uses: actions/setup-python@v5
with:
python-version: 3.11
Expand All @@ -70,14 +70,13 @@ jobs:
pip install gitpython
git config --global --add safe.directory '*'
python bin/version_info.py > _build/repack/Release/version.json
- name: Push ckan.exe, netkan.exe, and version.json to S3
- name: Push ckan.exe, AutoUpdater.exe, netkan.exe, and version.json to S3
run: aws s3 sync _build/repack/Release s3://${AWS_S3_BUCKET} --follow-symlinks

upload-dmg:
needs:
- check-dev-build
- test-release
- smoke-inflator
- sign-assets
runs-on: ubuntu-latest
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
Expand All @@ -93,11 +92,15 @@ jobs:
- name: Install OSX build dependencies
run: sudo apt-get install -y libplist-utils xorriso
- uses: actions/checkout@v4
- name: Download repack artifact
- name: Download signed artifact
uses: actions/download-artifact@v4
with:
name: Release-repack-unsigned
path: _build/repack/
name: signed
path: _build/signed
- name: Put signed exe into repack path
run: |
mkdir -p _build/repack/Release
cp _build/signed/ckan.exe _build/repack/Release
- name: Build dmg
run: ./build osx --configuration=Release --exclusive
- name: Push dmg to S3
Expand All @@ -106,8 +109,7 @@ jobs:
upload-deb:
needs:
- check-dev-build
- test-release
- smoke-inflator
- sign-assets
runs-on: ubuntu-latest
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
Expand All @@ -121,11 +123,15 @@ jobs:
aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
aws-region: us-east-1
- uses: actions/checkout@v4
- name: Download repack artifact
- name: Download signed artifact
uses: actions/download-artifact@v4
with:
name: Release-repack-unsigned
path: _build/repack/
name: signed
path: _build/signed
- name: Put signed exe into repack path
run: |
mkdir -p _build/repack/Release
cp _build/signed/ckan.exe _build/repack/Release
- name: Build deb
env:
CODENAME: nightly
Expand Down Expand Up @@ -160,8 +166,7 @@ jobs:
upload-rpm:
needs:
- check-dev-build
- test-release
- smoke-inflator
- sign-assets
runs-on: ubuntu-latest
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
Expand All @@ -177,11 +182,15 @@ jobs:
- uses: actions/checkout@v4
- name: Install rpm build dependencies
run: sudo apt-get install -y createrepo-c
- name: Download repack artifact
- name: Download signed artifact
uses: actions/download-artifact@v4
with:
name: Release-repack-unsigned
path: _build/repack/
name: signed
path: _build/signed
- name: Put signed exe into repack path
run: |
mkdir -p _build/repack/Release
cp _build/signed/ckan.exe _build/repack/Release
- name: Build rpm
run: ./build rpm --configuration=Release --exclusive
- name: Import GPG key
Expand All @@ -202,10 +211,9 @@ jobs:

upload-inflator:
needs:
- test-release
- smoke-inflator
runs-on: ubuntu-latest
- sign-assets
if: github.event_name != 'repository_dispatch'
runs-on: ubuntu-latest
steps:
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
Expand Down Expand Up @@ -239,8 +247,7 @@ jobs:

upload-metadata-tester:
needs:
- test-release
- smoke-inflator
- sign-assets
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
Expand All @@ -266,8 +273,7 @@ jobs:

notify-discord:
needs:
- test-release
- smoke-inflator
- sign-assets
- upload-release-s3
- upload-dmg
- upload-deb
Expand Down
90 changes: 37 additions & 53 deletions .github/workflows/release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,64 +9,44 @@ env:
AWS_S3_BUCKET: ksp-ckan

jobs:
test-release:
uses: ./.github/workflows/test.yml

smoke-inflator:
uses: ./.github/workflows/smoke.yml

sign-release:
runs-on: ubuntu-latest
needs:
- test-release
- smoke-inflator
outputs:
artifact-url: ${{steps.sign.outputs.signing-request-id }}
steps:
- uses: signpath/github-action-submit-signing-request@v1
id: sign
with:
api-token: ${{ secrets.SIGNPATH_API_TOKEN }}
organization-id: 0cd9fc3f-b78d-4214-b152-b2e93c952e14
project-slug: CKAN
signing-policy-slug: test-signing
github-artifact-id: ${{ needs.smoke-inflator.outputs.repack-artifact-id }}
artifact-configuration-slug: release
wait-for-completion: true
sign-assets:
uses: ./.github/workflows/sign.yml

upload-nuget:
runs-on: ubuntu-latest
needs:
- test-release
- smoke-inflator
- sign-assets
steps:
- name: Download out artifact
- name: Download signed artifact
uses: actions/download-artifact@v4
with:
name: Release-out-unsigned
path: _build/out/
name: signed
path: _build/signed
- name: Publish ckan.dll to NuGet
env:
NUGET_API_KEY: ${{ secrets.NUGET_API_KEY }}
if: env.NUGET_API_KEY
run: |
curl -o nuget.exe -L 'https://dist.nuget.org/win-x86-commandline/v5.6.0/nuget.exe'
mono nuget.exe push _build/out/CKAN/Release/bin/*.nupkg ${{ secrets.NUGET_API_KEY }} -Source https://api.nuget.org/v3/index.json -SkipDuplicate
mono nuget.exe push _build/signed/*.nupkg ${{ secrets.NUGET_API_KEY }} -Source https://api.nuget.org/v3/index.json -SkipDuplicate

build-dmg:
runs-on: ubuntu-latest
needs:
- test-release
- smoke-inflator
- sign-assets
steps:
- uses: actions/checkout@v4
- name: Install OSX build dependencies
run: sudo apt-get install -y libplist-utils xorriso
- name: Download repack artifact
- name: Download signed artifact
uses: actions/download-artifact@v4
with:
name: Release-repack-unsigned
path: _build/repack/
name: signed
path: _build/signed
- name: Put signed ckan.exe into repack path
run: |
mkdir -p _build/repack/Release
cp _build/signed/ckan.exe _build/repack/Release
- name: Build dmg
run: ./build osx --configuration=Release --exclusive
- name: Upload OSX release asset
Expand All @@ -77,8 +57,7 @@ jobs:
build-deb:
runs-on: ubuntu-latest
needs:
- test-release
- smoke-inflator
- sign-assets
steps:
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4
Expand All @@ -87,11 +66,15 @@ jobs:
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-east-1
- uses: actions/checkout@v4
- name: Download repack artifact
- name: Download signed artifact
uses: actions/download-artifact@v4
with:
name: Release-repack-unsigned
path: _build/repack/
name: signed
path: _build/signed
- name: Put signed ckan.exe into repack path
run: |
mkdir -p _build/repack/Release
cp _build/signed/ckan.exe _build/repack/Release
- name: Set deb version
run: |
VERSION=$(echo "${{ github.event.release.tag_name }}" | tr -d "v")
Expand Down Expand Up @@ -125,8 +108,7 @@ jobs:
build-rpm:
runs-on: ubuntu-latest
needs:
- test-release
- smoke-inflator
- sign-assets
steps:
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4
Expand All @@ -137,11 +119,15 @@ jobs:
- uses: actions/checkout@v4
- name: Install rpm build dependencies
run: sudo apt-get install -y createrepo-c
- name: Download repack artifact
- name: Download signed artifact
uses: actions/download-artifact@v4
with:
name: Release-repack-unsigned
path: _build/repack/
name: signed
path: _build/signed
- name: Put signed ckan.exe into repack path
run: |
mkdir -p _build/repack/Release
cp _build/signed/ckan.exe _build/repack/Release
- name: Set rpm version
run: |
VERSION=$(echo "${{ github.event.release.tag_name }}" | tr -d v)
Expand Down Expand Up @@ -170,23 +156,21 @@ jobs:
upload-binaries:
runs-on: ubuntu-latest
needs:
- test-release
- smoke-inflator
- sign-assets
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
- name: Download repack artifact
- name: Download signed artifact
uses: actions/download-artifact@v4
with:
name: Release-repack-unsigned
path: _build/repack/
name: signed
path: _build/signed
- name: Upload ckan.exe and AutoUpdater.exe release assets
run: gh release upload ${{ github.event.release.tag_name }} _build/repack/Release/ckan.exe _build/repack/Release/AutoUpdater.exe
run: gh release upload ${{ github.event.release.tag_name }} _build/signed/ckan.exe _build/signed/AutoUpdater.exe

notify-discord:
needs:
- test-release
- smoke-inflator
- sign-assets
- build-dmg
- build-deb
- build-rpm
Expand Down
Loading