Skip to content

Commit

Permalink
[CI] MacOS codesignging + notarization (#340)
Browse files Browse the repository at this point in the history
  • Loading branch information
@iamazeem
iamazeem authored Dec 17, 2024
1 parent 3711621 commit ef63e5a
Show file tree
Hide file tree
Showing 3 changed files with 219 additions and 85 deletions.
150 changes: 67 additions & 83 deletions .github/workflows/ci.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -116,14 +116,9 @@ jobs:
- name: Run shellcheck
run: ./scripts/ci-run-shellcheck.sh

ci:
ci-linux:
needs: [tag, clang-format, cppcheck, shellcheck]

strategy:
matrix:
os: [ubuntu-22.04, macos-13, macos-14]

runs-on: ${{ matrix.os }}
runs-on: ubuntu-22.04
timeout-minutes: 15

env:
Expand All @@ -133,23 +128,13 @@ jobs:
- name: Checkout
uses: actions/checkout@v4

- name: Set up Linux
if: runner.os == 'Linux'
- name: Set up apt dependencies
run: |
sudo apt update
sudo apt install -y rpm alien tmux
sudo apt remove -y jq
- name: Set up macOS (AMD64 and ARM64)
if: runner.os == 'macOS'
run: |
brew install --quiet coreutils tree autoconf automake libtool tmux sqlite3
brew uninstall jq
# --- Build ---

- name: Build on Linux (${{ env.AMD64_LINUX_GCC }})
if: runner.os == 'Linux'
env:
PREFIX: ${{ env.AMD64_LINUX_GCC }}
CC: gcc
Expand All @@ -161,7 +146,6 @@ jobs:
./scripts/ci-create-rpm-package.sh
- name: Build on Linux (${{ env.AMD64_LINUX_CLANG }})
if: runner.os == 'Linux'
env:
PREFIX: ${{ env.AMD64_LINUX_CLANG }}
CC: clang
Expand All @@ -172,26 +156,6 @@ jobs:
./scripts/ci-create-debian-package.sh
./scripts/ci-create-rpm-package.sh
- name: Build on macOS (${{ env.AMD64_MACOSX_GCC }})
if: matrix.os == 'macos-13'
env:
PREFIX: ${{ env.AMD64_MACOSX_GCC }}
CC: gcc-13
MAKE: make
RUN_TESTS: true
run: ./scripts/ci-build.sh

- name: Build on macOS (${{ env.ARM64_MACOSX_GCC }})
if: matrix.os == 'macos-14'
env:
PREFIX: ${{ env.ARM64_MACOSX_GCC }}
CC: gcc-13
MAKE: make
RUN_TESTS: true
run: ./scripts/ci-build.sh

# --- Upload build artifacts ---

- name: Prepare build artifacts for upload
run: ./scripts/ci-prepare-artifacts-for-upload.sh

Expand All @@ -206,7 +170,6 @@ jobs:
run: ./scripts/ci-verify-attestations.sh

- name: Upload (zsv-${{ env.TAG }}-${{ env.AMD64_LINUX_GCC }}.zip)
if: runner.os == 'Linux'
uses: actions/upload-artifact@v4
env:
ARTIFACT_NAME: zsv-${{ env.TAG }}-${{ env.AMD64_LINUX_GCC }}.zip
Expand All @@ -217,7 +180,6 @@ jobs:
if-no-files-found: error

- name: Upload (zsv-${{ env.TAG }}-${{ env.AMD64_LINUX_CLANG }}.zip)
if: runner.os == 'Linux'
uses: actions/upload-artifact@v4
env:
ARTIFACT_NAME: zsv-${{ env.TAG }}-${{ env.AMD64_LINUX_CLANG }}.zip
Expand All @@ -228,7 +190,6 @@ jobs:
if-no-files-found: error

- name: Upload (zsv-${{ env.TAG }}-${{ env.AMD64_LINUX_GCC }}.deb)
if: runner.os == 'Linux'
uses: actions/upload-artifact@v4
env:
ARTIFACT_NAME: zsv-${{ env.TAG }}-${{ env.AMD64_LINUX_GCC }}.deb
Expand All @@ -239,7 +200,6 @@ jobs:
if-no-files-found: error

- name: Upload (zsv-${{ env.TAG }}-${{ env.AMD64_LINUX_CLANG }}.deb)
if: runner.os == 'Linux'
uses: actions/upload-artifact@v4
env:
ARTIFACT_NAME: zsv-${{ env.TAG }}-${{ env.AMD64_LINUX_CLANG }}.deb
Expand All @@ -250,7 +210,6 @@ jobs:
if-no-files-found: error

- name: Upload (zsv-${{ env.TAG }}-${{ env.AMD64_LINUX_GCC }}.rpm)
if: runner.os == 'Linux'
uses: actions/upload-artifact@v4
env:
ARTIFACT_NAME: zsv-${{ env.TAG }}-${{ env.AMD64_LINUX_GCC }}.rpm
Expand All @@ -261,7 +220,6 @@ jobs:
if-no-files-found: error

- name: Upload (zsv-${{ env.TAG }}-${{ env.AMD64_LINUX_CLANG }}.rpm)
if: runner.os == 'Linux'
uses: actions/upload-artifact@v4
env:
ARTIFACT_NAME: zsv-${{ env.TAG }}-${{ env.AMD64_LINUX_CLANG }}.rpm
Expand All @@ -271,30 +229,7 @@ jobs:
retention-days: ${{ env.ARTIFACT_RETENTION_DAYS }}
if-no-files-found: error

- name: Upload (zsv-${{ env.TAG }}-${{ env.AMD64_MACOSX_GCC }}.zip)
if: matrix.os == 'macos-13'
uses: actions/upload-artifact@v4
env:
ARTIFACT_NAME: zsv-${{ env.TAG }}-${{ env.AMD64_MACOSX_GCC }}.zip
with:
name: ${{ env.ARTIFACT_NAME }}
path: ${{ env.ARTIFACT_DIR }}/${{ env.ARTIFACT_NAME }}
retention-days: ${{ env.ARTIFACT_RETENTION_DAYS }}
if-no-files-found: error

- name: Upload (zsv-${{ env.TAG }}-${{ env.ARM64_MACOSX_GCC }}.zip)
if: matrix.os == 'macos-14'
uses: actions/upload-artifact@v4
env:
ARTIFACT_NAME: zsv-${{ env.TAG }}-${{ env.ARM64_MACOSX_GCC }}.zip
with:
name: ${{ env.ARTIFACT_NAME }}
path: ${{ env.ARTIFACT_DIR }}/${{ env.ARTIFACT_NAME }}
retention-days: ${{ env.ARTIFACT_RETENTION_DAYS }}
if-no-files-found: error

- name: Upload (zsv-${{ env.TAG }}-${{ env.AMD64_LINUX_GCC }}.tar.gz)
if: runner.os == 'Linux'
uses: actions/upload-artifact@v4
env:
ARTIFACT_NAME: zsv-${{ env.TAG }}-${{ env.AMD64_LINUX_GCC }}.tar.gz
Expand All @@ -305,7 +240,6 @@ jobs:
if-no-files-found: error

- name: Upload (zsv-${{ env.TAG }}-${{ env.AMD64_LINUX_CLANG }}.tar.gz)
if: runner.os == 'Linux'
uses: actions/upload-artifact@v4
env:
ARTIFACT_NAME: zsv-${{ env.TAG }}-${{ env.AMD64_LINUX_CLANG }}.tar.gz
Expand All @@ -315,22 +249,72 @@ jobs:
retention-days: ${{ env.ARTIFACT_RETENTION_DAYS }}
if-no-files-found: error

- name: Upload (zsv-${{ env.TAG }}-${{ env.AMD64_MACOSX_GCC }}.tar.gz)
if: matrix.os == 'macos-13'
uses: actions/upload-artifact@v4
- name: Upload release artifacts
if: startsWith(github.ref, 'refs/tags/v')
run: ./scripts/ci-upload-release-artifacts.sh

ci-macos:
needs: [tag, clang-format, cppcheck, shellcheck]

strategy:
matrix:
os: [macos-13, macos-14]

runs-on: ${{ matrix.os }}
timeout-minutes: 30

env:
TAG: ${{ needs.tag.outputs.TAG }}

steps:
- name: Checkout
uses: actions/checkout@v4

- name: Set up homebrew dependencies
run: brew install --quiet coreutils tree autoconf automake libtool tmux sqlite3

- name: Set PREFIX and ZIP env var
env:
ARTIFACT_NAME: zsv-${{ env.TAG }}-${{ env.AMD64_MACOSX_GCC }}.tar.gz
PREFIX: ${{ runner.arch == 'X64' && env.AMD64_MACOSX_GCC || env.ARM64_MACOSX_GCC }}
run: |
{
echo "PREFIX=$PREFIX"
echo "ZIP=zsv-$TAG-$PREFIX.zip"
} | tee -a "$GITHUB_ENV"
- name: Build on macOS (${{ env.AMD64_MACOSX_GCC }})
env:
CC: gcc-13
MAKE: make
RUN_TESTS: true
SKIP_TAR_ARCHIVE: true
run: ./scripts/ci-build.sh

- name: Prepare build artifacts for upload
run: ./scripts/ci-prepare-artifacts-for-upload.sh

- name: Codesign and notarize (${{ env.PREFIX }})
if: startsWith(github.ref, 'refs/tags/v')
env:
MACOS_CERT_P12: ${{ secrets.MACOS_CERT_P12 }}
MACOS_CERT_PASSWORD: ${{ secrets.MACOS_CERT_PASSWORD }}
APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
run: ./scripts/ci-macos-codesign-and-notarize.sh "$PWD/$ARTIFACT_DIR/$ZIP"

- name: Attest build artifacts for release
if: startsWith(github.ref, 'refs/tags/v')
uses: actions/attest-build-provenance@v2
with:
name: ${{ env.ARTIFACT_NAME }}
path: ${{ env.ARTIFACT_DIR }}/${{ env.ARTIFACT_NAME }}
retention-days: ${{ env.ARTIFACT_RETENTION_DAYS }}
if-no-files-found: error
subject-path: ${{ env.ARTIFACT_DIR }}/*

- name: Verify attestations of release artifacts
if: startsWith(github.ref, 'refs/tags/v')
run: ./scripts/ci-verify-attestations.sh

- name: Upload (zsv-${{ env.TAG }}-${{ env.ARM64_MACOSX_GCC }}.tar.gz)
if: matrix.os == 'macos-14'
- name: Upload (${{ env.ZIP }})
uses: actions/upload-artifact@v4
env:
ARTIFACT_NAME: zsv-${{ env.TAG }}-${{ env.ARM64_MACOSX_GCC }}.tar.gz
ARTIFACT_NAME: ${{ env.ZIP }}
with:
name: ${{ env.ARTIFACT_NAME }}
path: ${{ env.ARTIFACT_DIR }}/${{ env.ARTIFACT_NAME }}
Expand Down Expand Up @@ -533,7 +517,7 @@ jobs:
steps:
- name: Set up dependencies
shell: sh
run: apk add bash gcc make musl-dev perl ncurses-dev ncurses-static tmux file sqlite curl zip wget tar
run: apk add bash gcc make musl-dev perl ncurses-dev ncurses-static tmux file sqlite curl zip wget tar git

- name: Checkout
uses: actions/checkout@v4
Expand Down Expand Up @@ -710,8 +694,8 @@ jobs:
with:
path: playground

deploy-playground:
if: ${{ github.ref_name == 'main' }}
deploy-wasm-playground:
if: ${{ github.ref_name == 'main' || startsWith(github.ref, 'refs/tags/v') }}
needs: ci-wasm
runs-on: ubuntu-22.04

Expand Down
Loading

0 comments on commit ef63e5a

Please sign in to comment.