Refactor CI permissions (#93)

This commit is contained in:
Michał Leszczyński
2023-03-06 20:14:48 +01:00
committed by GitHub
parent b277bc4c3b
commit 1b206be626
7 changed files with 207 additions and 100 deletions

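--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1 +1,2 @@
-.github/ @icedevml
+.github/ @icedevml @ccamrobertson
+.github/workflows/ @icedevml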
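Review bot: Because the last matching CODEOWNERS pattern wins, the new `.github/workflows/ @icedevml` line means @ccamrobertson is not an owner of any workflow file, even though the broader `.github/` rule just above lists them both. If a single owner for workflows is intentional, say so in place, e.g. `# workflows: single owner on purpose (last match wins)`, so the next person doesn't "fix" it. Keep in mind that CODEOWNERS only gates merges when branch protection requires code-owner review; that setting is not visible from this diff.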

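--- a/.github/workflows/check_cli.yml
+++ b/.github/workflows/check_cli.yml
@@ -0,0 +1,40 @@
+name: Check halocli tool
+on:
+  push:
+    paths-ignore:
+      - 'README.md'
+      - 'cli/README.md'
+      - 'docs/**'
+  pull_request:
+    paths-ignore:
+      - 'README.md'
+      - 'cli/README.md'
+      - 'docs/**'
+    branches:
+      - master
+jobs:
+  check_cli_tool:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Install native dependencies (Linux)
+        run: |
+          sudo apt-get update && sudo apt-get install -y libpcsclite-dev
+      - name: Checkout the repository
+        uses: actions/checkout@v3
+      - name: Install Node.JS
+        uses: actions/setup-node@v3
+        with:
+          node-version: 16
+      - name: Install dependencies (root)
+        run: |
+          npm --include=dev install
+      - name: Install dependencies (cli)
+        run: |
+          cd cli
+          npm --include=dev install
+      - name: Package HaLo CLI tool (Linux)
+        run: |
+          cd cli
+          node_modules/.bin/pkg -t node16-linux-x64 package.json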
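Review bot: This new workflow declares no `permissions:` block, so on `push` events its job runs with whatever the repository's default GITHUB_TOKEN scope is (possibly read/write), which is surprising in a commit titled "Refactor CI permissions". Nothing here needs more than a checkout, so add `permissions: contents: read` at the top level, directly under `name:`. While the repo pins third-party actions by commit SHA elsewhere, `actions/checkout@v3` and `actions/setup-node@v3` are pinned by floating major tag; consider the same SHA pinning here if the supply-chain bar is meant to be uniform.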

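--- a/.github/workflows/check_lib.yml
+++ b/.github/workflows/check_lib.yml
@@ -0,0 +1,33 @@
+name: Check libhalo.js
+on:
+  push:
+    paths-ignore:
+      - 'README.md'
+      - 'cli/README.md'
+      - 'docs/**'
+  pull_request:
+    paths-ignore:
+      - 'README.md'
+      - 'cli/README.md'
+      - 'docs/**'
+    branches:
+      - master
+jobs:
+  check_js_lib:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout the repository
+        uses: actions/checkout@v3
+      - name: Install Node.JS
+        uses: actions/setup-node@v3
+        with:
+          node-version: 16
+      - name: Install dependencies (root)
+        run: |
+          npm --include=dev install
+      - name: Run webpack
+        run: |
+          cd web
+          webpack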
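Review bot: The last step runs a bare `webpack` from `web/`, which only works if a webpack binary is on PATH; the copy presumably installed by the root `npm --include=dev install` lives in `node_modules/.bin`, which a plain `run:` step does not put on PATH (check_cli.yml calls `node_modules/.bin/pkg` explicitly for exactly this reason). Use `npx webpack` or `../node_modules/.bin/webpack` so the check does not depend on a globally installed tool on the runner image. As with the sibling check workflows, a top-level `permissions: contents: read` would keep this build-only job off the repository's default token scope.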

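--- a/.github/workflows/check_npm.yml
+++ b/.github/workflows/check_npm.yml
@@ -0,0 +1,29 @@
+name: Check libhalo package
+on:
+  push:
+    paths-ignore:
+      - 'README.md'
+      - 'cli/README.md'
+      - 'docs/**'
+  pull_request:
+    paths-ignore:
+      - 'README.md'
+      - 'cli/README.md'
+      - 'docs/**'
+    branches:
+      - master
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout the repository
+        uses: actions/checkout@v3
+      - name: Setup Node.JS
+        uses: actions/setup-node@v3
+        with:
+          node-version: '16.x'
+          registry-url: 'https://registry.npmjs.org'
+      - name: Run npm ci
+        run: npm ci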
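Review bot: This check-only workflow has no `permissions:` block, so on push events the job inherits the repository's default GITHUB_TOKEN scope even though it only ever reads the repo; the publish workflow in this same commit already declares `contents: read` for its job, and this one should match with a top-level `permissions: contents: read`. The `registry-url: 'https://registry.npmjs.org'` line is harmless but unnecessary here: setup-node only uses it to write an `.npmrc` that expects `NODE_AUTH_TOKEN`, and nothing in this job publishes.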


@@ -1,25 +1,13 @@
name: Build halocli tool
name: Release halocli tool
on:
push:
paths-ignore:
- 'README.md'
- 'cli/README.md'
- 'docs/**'
branches:
- master
tags:
- 'halocli-v*'
pull_request:
paths-ignore:
- 'README.md'
- 'cli/README.md'
- 'docs/**'
branches:
- master
jobs:
create_release:
name: Create halocli release
runs-on: ubuntu-latest
steps:
- name: Prepare version number
@@ -28,7 +16,6 @@ jobs:
( echo -n "version=" && ( echo "$GITHUB_REF" | cut -f2 -d- | tr -d '\n' ) ) >> "$GITHUB_OUTPUT"
- name: Draft release
id: create_release
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/halocli-v')
uses: actions/create-release@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -45,11 +32,10 @@ jobs:
* `halocli-win-x64.zip` - Windows 64 build (exe; zipped)
* `halocli-macos-x64.pkg` - MacOS x64 build (installer; signed)
- name: Store release upload URL
if: startsWith(github.ref, 'refs/tags/halocli-v')
run: |
echo -n "${{ steps.create_release.outputs.upload_url }}" > release-upload-url.txt
- uses: actions/upload-artifact@v2
if: startsWith(github.ref, 'refs/tags/halocli-v')
- name: Store release upload URL artifact
uses: actions/upload-artifact@v2
with:
name: release-upload-url
path: release-upload-url.txt
@@ -59,116 +45,158 @@ jobs:
matrix:
include:
- os: ubuntu-latest
bin_name: halocli-linux-x64.zip
bin_name: halocli
- os: windows-latest
bin_name: halocli-win-x64.zip
bin_name: halocli.exe
- os: macos-latest
bin_name: halocli-macos-x64.pkg
bin_name: halocli
name: Build halocli (${{ matrix.os }})
runs-on: ${{ matrix.os }}
needs: create_release
steps:
- name: Install native dependencies (Ubuntu)
- name: Install native dependencies (Linux)
if: matrix.os == 'ubuntu-latest'
run: |
sudo apt-get update && sudo apt-get install -y libpcsclite-dev
- name: Install native dependencies (MacOS)
if: matrix.os == 'macos-latest' && startsWith(github.ref, 'refs/tags/halocli-v')
if: matrix.os == 'macos-latest'
run: |
brew install pcsc-lite
- name: Import codesign certificates for application (Mac OS)
if: matrix.os == 'macos-latest' && startsWith(github.ref, 'refs/tags/halocli-v')
uses: apple-actions/import-codesign-certs@253ddeeac23f2bdad1646faac5c8c2832e800071
with:
p12-file-base64: ${{ secrets.MACOS_CERTIFICATES_P12 }}
p12-password: ${{ secrets.MACOS_CERTIFICATES_P12_PASSWORD }}
- name: Checkout the repository
if: github.event_name != 'pull_request' || matrix.os == 'ubuntu-latest'
uses: actions/checkout@v3
- name: Load code signing certificate (Windows)
if: matrix.os == 'windows-latest' && startsWith(github.ref, 'refs/tags/halocli-v')
uses: timheuer/base64-to-file@48657ba25c726c2e3dcf02efa3639fff9b3d587e
with:
fileName: authenticode.p12
fileDir: ${{ env.RUNNER_TEMP }}
encodedString: ${{ secrets.WINDOWS_AUTHENTICODE_P12 }}
- name: Install Node.JS
if: github.event_name != 'pull_request' || matrix.os == 'ubuntu-latest'
uses: actions/setup-node@v3
with:
node-version: 16
- name: Install dependencies (root)
if: github.event_name != 'pull_request' || matrix.os == 'ubuntu-latest'
run: |
npm --include=dev install
- name: Install dependencies (cli)
if: github.event_name != 'pull_request' || matrix.os == 'ubuntu-latest'
run: |
cd cli
npm --include=dev install
- name: Package HaLo CLI tool (Linux)
if: github.event_name != 'pull_request' && matrix.os == 'ubuntu-latest'
if: matrix.os == 'ubuntu-latest'
run: |
cd cli
node_modules/.bin/pkg -t node16-linux-x64 package.json
- name: Compress application (Linux)
if: github.event_name != 'pull_request' && matrix.os == 'ubuntu-latest'
if: matrix.os == 'ubuntu-latest'
run: |
cd ./cli/dist
zip halocli-linux-x64.zip halocli
- name: Package HaLo CLI tool (Windows)
if: matrix.os == 'windows-latest' && startsWith(github.ref, 'refs/tags/halocli-v')
if: matrix.os == 'windows-latest'
run: |
cd cli
node_modules/.bin/pkg -t node16-win-x64 package.json
- name: Package HaLo CLI tool (MacOS)
if: matrix.os == 'macos-latest' && startsWith(github.ref, 'refs/tags/halocli-v')
if: matrix.os == 'macos-latest'
run: |
cd cli
node_modules/.bin/pkg -t node16-macos-x64 package.json
- name: Sign application for Windows
if: matrix.os == 'windows-latest' && startsWith(github.ref, 'refs/tags/halocli-v')
- name: Store Entitlements.plist as artifact
if: matrix.os == 'macos-latest'
uses: actions/upload-artifact@v2
with:
name: entitlements-macos
path: ./cli/Entitlements.plist
- name: Store binary as artifact
uses: actions/upload-artifact@v2
with:
name: binary-${{ matrix.os }}
path: ./cli/dist/${{ matrix.bin_name }}
sign_cli_tool:
environment: production
strategy:
matrix:
include:
- os: ubuntu-latest
bin_name: halocli
out_name: halocli-linux-x64.zip
- os: windows-latest
bin_name: halocli.exe
out_name: halocli-win-x64.zip
- os: macos-latest
bin_name: halocli
out_name: halocli-macos-x64.pkg
name: Sign halocli and release (${{ matrix.os }})
runs-on: ${{ matrix.os }}
needs: build_cli_tool
steps:
- name: Download binary from artifact
uses: actions/download-artifact@v2
with:
name: binary-${{ matrix.os }}
- name: Download binary from artifact
if: matrix.os == 'macos-latest'
uses: actions/download-artifact@v2
with:
name: entitlements-macos
- name: Compress application (Linux)
if: matrix.os == 'ubuntu-latest'
run: |
& "C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe" sign /v /fd SHA256 /f "$Env:RUNNER_TEMP\authenticode.p12" /t http://timestamp.sectigo.com ".\cli\dist\halocli.exe"
zip halocli-linux-x64.zip halocli
- name: Load signing credentials (Windows)
if: matrix.os == 'windows-latest'
uses: timheuer/base64-to-file@48657ba25c726c2e3dcf02efa3639fff9b3d587e
with:
fileName: windows_sign.p12
fileDir: ${{ env.RUNNER_TEMP }}
encodedString: ${{ secrets.WINDOWS_SIGN_P12 }}
- name: Sign application (Windows)
if: matrix.os == 'windows-latest'
run: |
& "C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe" sign /v /fd SHA256 /f "$Env:RUNNER_TEMP\windows_sign.p12" /t http://timestamp.sectigo.com ".\halocli.exe"
rm "$Env:RUNNER_TEMP\windows_sign.p12"
- name: Compress application (Windows)
if: matrix.os == 'windows-latest' && startsWith(github.ref, 'refs/tags/halocli-v')
if: matrix.os == 'windows-latest'
run: |
cd ./cli/dist
Compress-Archive halocli.exe halocli-win-x64.zip
- name: Sign application for Mac OS
if: matrix.os == 'macos-latest' && startsWith(github.ref, 'refs/tags/halocli-v')
- name: Load signing credentials (Mac OS)
if: matrix.os == 'macos-latest'
uses: apple-actions/import-codesign-certs@253ddeeac23f2bdad1646faac5c8c2832e800071
with:
p12-file-base64: ${{ secrets.MACOS_SIGN_P12 }}
p12-password: ${{ secrets.MACOS_SIGN_P12_PASSWORD }}
- name: Sign application (Mac OS)
if: matrix.os == 'macos-latest'
run: |
mkdir -p cli/dist/root/usr/local/bin/
mv cli/dist/halocli cli/dist/root/usr/local/bin/halocli
/usr/bin/codesign --deep --force --options=runtime --entitlements ./cli/Entitlements.plist --sign "${{ secrets.MACOS_IDENTITY }}" --timestamp ./cli/dist/root/usr/local/bin/halocli
pkgbuild --root ./cli/dist/root --identifier "org.arx.halo.halocli" --version "1.0.$(date +%s)" --install-location "/" --sign "${{ secrets.MACOS_IDENTITY_INSTALLER }}" ./cli/dist/halocli-macos-x64.pkg
mkdir -p root/usr/local/bin/
mv halocli root/usr/local/bin/halocli
/usr/bin/codesign --deep --force --options=runtime --entitlements ./Entitlements.plist --sign "${{ secrets.MACOS_SIGN_IDENTITY_APPLICATION }}" --timestamp ./root/usr/local/bin/halocli
pkgbuild --root ./root --identifier "org.arx.halo.halocli" --version "1.0.$(date +%s)" --install-location "/" --sign "${{ secrets.MACOS_SIGN_IDENTITY_INSTALLER }}" ./halocli-macos-x64.pkg
- name: Notarize application for Mac OS
if: matrix.os == 'macos-latest' && startsWith(github.ref, 'refs/tags/halocli-v')
if: matrix.os == 'macos-latest'
run: |
xcrun notarytool submit "--apple-id=${{ secrets.MACOS_APPLE_ID }}" "--password=${{ secrets.MACOS_PWD_ALTOOL }}" "--team-id=${{ secrets.MACOS_TEAM_ID }}" --progress --wait ./cli/dist/halocli-macos-x64.pkg
- name: Staple notarized application for Mac OS
if: matrix.os == 'macos-latest' && startsWith(github.ref, 'refs/tags/halocli-v')
xcrun notarytool submit "--apple-id=${{ secrets.MACOS_NOTARIZE_APPLE_ID }}" "--password=${{ secrets.MACOS_NOTARIZE_PASSWORD }}" "--team-id=${{ secrets.MACOS_NOTARIZE_TEAM_ID }}" --progress --wait ./halocli-macos-x64.pkg
- name: Staple notarized application (Mac OS)
if: matrix.os == 'macos-latest'
run: |
xcrun stapler staple -v ./cli/dist/halocli-macos-x64.pkg
rm -rf ./cli/dist/root/
xcrun stapler staple ./halocli-macos-x64.pkg
rm -rf ./root/
- name: Download release upload URL
if: startsWith(github.ref, 'refs/tags/halocli-v')
uses: actions/download-artifact@v2
with:
name: release-upload-url
- name: Store release upload URL output
id: out_store
if: startsWith(github.ref, 'refs/tags/halocli-v')
shell: bash
run: |
echo "release_upload_url=$(cat release-upload-url.txt)" >> "$GITHUB_OUTPUT"
- name: Upload release asset
id: upload-release-asset
if: startsWith(github.ref, 'refs/tags/halocli-v')
uses: actions/upload-release-asset@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ steps.out_store.outputs.release_upload_url }}
asset_path: ./cli/dist/${{ matrix.bin_name }}
asset_name: ${{ matrix.bin_name }}
asset_path: ./${{ matrix.out_name }}
asset_name: ${{ matrix.out_name }}
asset_content_type: application/octet-stream
- name: Delete binary artifact
if: always()
uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af
with:
name: binary-${{ matrix.os }}
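Review bot: The notarize step (`xcrun notarytool submit ...`) splices `${{ secrets.MACOS_NOTARIZE_PASSWORD }}` and the other notarize secrets directly into the shell script, so the value is expanded before bash parses it — a password containing `"`, `$` or a backtick would change the command — and it ends up in notarytool's process arguments; GitHub masks the value in logs, but masking fixes neither of those. Pass secrets through the step's `env:` and reference them as shell variables, e.g. `env: NOTARIZE_PASSWORD: ${{ secrets.MACOS_NOTARIZE_PASSWORD }}` with `"--password=$NOTARIZE_PASSWORD"` in the command, or run `notarytool store-credentials` once and use `--keychain-profile`; the `codesign --sign "${{ secrets.MACOS_SIGN_IDENTITY_APPLICATION }}"` and `pkgbuild --sign` lines have the same shape. On the Windows side, `signtool ... /t http://timestamp.sectigo.com` requests a legacy Authenticode timestamp; `/tr http://timestamp.sectigo.com /td SHA256` gives an RFC 3161 SHA-256 timestamp consistent with the `/fd SHA256` file digest already used.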


@@ -1,25 +1,13 @@
name: Build libhalo.js
name: Release libhalo.js
on:
push:
paths-ignore:
- 'README.md'
- 'cli/README.md'
- 'docs/**'
branches:
- master
tags:
- 'libhalo-v*'
pull_request:
paths-ignore:
- 'README.md'
- 'cli/README.md'
- 'docs/**'
branches:
- master
jobs:
create_release:
name: Create libhalo release
runs-on: ubuntu-latest
steps:
- name: Prepare version number
@@ -28,7 +16,6 @@ jobs:
( echo -n "version=" && ( echo "$GITHUB_REF" | cut -f2 -d- | tr -d '\n' ) ) >> "$GITHUB_OUTPUT"
- name: Draft release
id: create_release
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/libhalo-v')
uses: actions/create-release@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
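Review bot: With the `github.event_name == 'push'` guard removed, the draft-release step now runs for every `libhalo-v*` tag, which is fine given the new `on:` block, but the version it receives comes from `cut -f2 -d-` on `$GITHUB_REF`, which silently truncates any tag carrying a second hyphen (`libhalo-v1.2.3-rc1` becomes `v1.2.3`). If such tags are ever possible, a prefix strip keeps the whole version: `echo "version=${GITHUB_REF#refs/tags/libhalo-}" >> "$GITHUB_OUTPUT"`. Note also that `actions/create-release@v1` needs `contents: write` on GITHUB_TOKEN and no `permissions:` block is visible in this section, so confirm one is set outside the shown lines rather than relying on the repository default. The rest of the `create_release` job continues outside the hunk.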
@@ -50,6 +37,7 @@ jobs:
path: release-upload-url.txt
build_js_lib:
name: Build libhalo and release
runs-on: ubuntu-latest
needs: create_release
steps:


@@ -2,24 +2,13 @@ name: Publish libhalo package
on:
push:
paths-ignore:
- 'README.md'
- 'cli/README.md'
- 'docs/**'
branches:
- master
tags:
- 'libhalo-v*'
pull_request:
paths-ignore:
- 'README.md'
- 'cli/README.md'
- 'docs/**'
branches:
- master
jobs:
build:
name: Publish libhalo package
environment: prod-npm
runs-on: ubuntu-latest
permissions:
contents: read
@@ -32,19 +21,18 @@ jobs:
with:
node-version: '16.x'
registry-url: 'https://registry.npmjs.org'
- run: npm ci
- name: Run npm ci
run: npm ci
- name: Publish package to npmjs
run: npm publish
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/libhalo-v')
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
- name: Resetup Node.JS with GitHub pkg
NODE_AUTH_TOKEN: ${{ secrets.RELEASE_NPM_TOKEN }}
- name: Re-setup Node.JS with GitHub pkg
uses: actions/setup-node@v3
with:
node-version: '16.x'
registry-url: https://npm.pkg.github.com/
- name: Publish package to GitHub
run: npm publish
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/libhalo-v')
env:
NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
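Review bot: The final step publishes to `npm.pkg.github.com` with `NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}`, but the job's `permissions:` block in the previous hunk starts with `contents: read`; unless it also grants `packages: write` in the unchanged lines between the two hunks (not shown here), the token cannot push to GitHub Packages and this step fails only after the npmjs publish has already gone out. Add `packages: write` alongside `contents: read` if it is missing. The `if: github.event_name == 'push' && startsWith(...)` guards that appear to be dropped are only safe to drop because the `on:` block now fires for `libhalo-v*` tags alone; a comment above `jobs:` such as `# publishes on every libhalo-v* tag push; see on.push.tags` would make that coupling visible to whoever edits the triggers next.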