github/libhalo
1
1
Fork 0
mirror of https://github.com/arx-research/libhalo.git synced 2026-01-10 05:38:10 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
65768baf654be2be3bb5b9aba89e0686d344f23c
libhalo/.github/workflows/prod_build_cli.yml

318 lines
15 KiB
YAML
Raw Blame History

name: Release halo-tools
on:
push:
tags:
- 'halotools-v*'
jobs:
create_release:
name: Create halo-tools release
runs-on: ubuntu-latest
steps:
- name: Prepare version number
id: parse_version
run: |
( echo -n "version=" && ( echo "$GITHUB_REF" | cut -f2 -d- | tr -d '\n' ) ) >> "$GITHUB_OUTPUT"
- name: Draft release
id: create_release
uses: actions/create-release@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
tag_name: ${{ github.ref }}
release_name: HaLo Tools ${{ steps.parse_version.outputs.version }}
draft: true
prerelease: false
body: |
Set of standalone HaLo tools: [halocli](https://github.com/arx-research/libhalo/blob/master/docs/desktop-cli.md), [halo-bridge](https://github.com/arx-research/libhalo/blob/master/docs/halo-bridge.md), [halo-gateway](https://github.com/arx-research/libhalo/blob/master/docs/halo-gateway.md).
Release contents:
* `halo-tools-linux-x64.tgz` - Linux x64 build (elf files; tar-gzip compressed)
* `halo-tools-win-x64.exe` - Windows 64 build (exe files; signed; zipped)
* `halo-tools-macos-x64.pkg` - Mac OS x64 build (installer; signed)
**Note:** The files `*-keyless.sig` and `*-keyless.pem` constitute a part of [build audit trail](https://github.com/arx-research/libhalo/blob/master/docs/build-audit-trail.md).
- name: Store release upload URL
run: |
echo -n "${{ steps.create_release.outputs.upload_url }}" > release-upload-url.txt
- name: Store release upload URL artifact
uses: actions/upload-artifact@v3
with:
name: release-upload-url
path: release-upload-url.txt
build_cli_tool:
permissions:
id-token: write
strategy:
matrix:
include:
- os: ubuntu-latest
- os: windows-latest
- os: macos-latest
name: Build halo-tools (${{ matrix.os }})
runs-on: ${{ matrix.os }}
needs: create_release
steps:
- name: Install native dependencies (Linux)
if: matrix.os == 'ubuntu-latest'
run: |
sudo apt-get update && sudo apt-get install -y libpcsclite-dev
- name: Install native dependencies (MacOS)
if: matrix.os == 'macos-latest'
run: |
brew install python@3.11
brew unlink python@3.11
brew link --overwrite python@3.11
brew install pcsc-lite
- name: Checkout the repository
uses: actions/checkout@v3
- name: Install Node.JS
uses: actions/setup-node@v3
with:
node-version: 18
- name: Install dependencies (root)
shell: bash
run: |
npm --include=dev ci
- name: Install dependencies (cli)
shell: bash
run: |
cd cli
npm --include=dev ci
- name: Build libhalo with webpack
shell: bash
run: |
cd web
../node_modules/.bin/webpack
- name: Package HaLo CLI tool (Linux)
if: matrix.os == 'ubuntu-latest'
shell: bash
run: |
cd cli
node build/ci_scripts.js --platform linux --product cli
node_modules/.bin/pkg --compress GZip -t node18-linux-x64 -c package.json -o dist/halocli entry_cli.js
node build/ci_scripts.js --platform linux --product bridge
node_modules/.bin/pkg --compress GZip -t node18-linux-x64 -c package.json -o dist/halo-bridge entry_bridge.js
node build/ci_scripts.js --platform linux --product gateway
node_modules/.bin/pkg --compress GZip -t node18-linux-x64 -c package.json -o dist/halo-gateway entry_gateway.js
- name: Package HaLo CLI tool (Windows)
if: matrix.os == 'windows-latest'
shell: bash
run: |
cd cli
node build/ci_scripts.js --platform windows --product cli
cat halotools_version.json
export PKG_PATCHED_BIN='1'
export PKG_CACHE_PATH='./.pkg-cache/'
export PKG_IGNORE_TAG='1'
node_modules/.bin/pkg --compress GZip -t node18-win-x64 -c package.json -o dist/halocli.exe entry_cli.js
- name: Package HaLo Bridge tool (Windows)
if: matrix.os == 'windows-latest'
shell: bash
run: |
cd cli
node build/ci_scripts.js --platform windows --product bridge
export PKG_PATCHED_BIN='1'
export PKG_CACHE_PATH='./.pkg-cache/'
export PKG_IGNORE_TAG='1'
node_modules/.bin/pkg --compress GZip -t node18-win-x64 -c package.json -o dist/halo-bridge.exe entry_bridge.js
- name: Package HaLo Gateway tool (Windows)
if: matrix.os == 'windows-latest'
shell: bash
run: |
cd cli
node build/ci_scripts.js --platform windows --product gateway
export PKG_PATCHED_BIN='1'
export PKG_CACHE_PATH='./.pkg-cache/'
export PKG_IGNORE_TAG='1'
node_modules/.bin/pkg --compress GZip -t node18-win-x64 -c package.json -o dist/halo-gateway.exe entry_gateway.js
- name: Package HaLo CLI tool (MacOS)
if: matrix.os == 'macos-latest'
shell: bash
run: |
cd cli
node build/ci_scripts.js --platform macos --product cli
node_modules/.bin/pkg --compress GZip -t node18-macos-x64 -c package.json -o dist/halocli entry_cli.js
node build/ci_scripts.js --platform macos --product bridge
node_modules/.bin/pkg --compress GZip -t node18-macos-x64 -c package.json -o dist/halo-bridge entry_bridge.js
node build/ci_scripts.js --platform macos --product gateway
node_modules/.bin/pkg --compress GZip -t node18-macos-x64 -c package.json -o dist/halo-gateway entry_gateway.js
mv "macos_bridge_app" "dist/HaLo CLI Bridge Server.app"
mv "macos_pkgbuild_scripts" "dist/macos_pkgbuild_scripts"
mv "Entitlements.plist" "dist/Entitlements.plist"
- name: Compress dist files
shell: bash
run: |
cd cli/dist
tar -pczf ../dist.tgz .
- name: Install cosign
uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8
- name: Sign output with cosign
run: |
echo y | cosign sign-blob ./cli/dist.tgz --output-certificate ./cli/dist.tgz-keyless.pem --output-signature ./cli/dist.tgz-keyless.sig
- name: Store binary as artifact
uses: actions/upload-artifact@v3
with:
name: binary-${{ matrix.os }}
path: |
./cli/dist.tgz
./cli/dist.tgz-keyless.pem
./cli/dist.tgz-keyless.sig
sign_cli_tool:
environment: production
permissions:
contents: write
id-token: write
strategy:
matrix:
include:
- os: ubuntu-latest
out_name: halo-tools-linux-x64.tgz
- os: windows-latest
out_name: halo-tools-win-x64.zip
- os: macos-latest
out_name: halo-tools-macos-x64.pkg
name: Sign halo-tools and release (${{ matrix.os }})
runs-on: ${{ matrix.os }}
needs: build_cli_tool
steps:
- name: Download binary from artifact
uses: actions/download-artifact@v3
with:
name: binary-${{ matrix.os }}
- name: Install cosign
uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8
- name: Validate signatures from previous stage
shell: bash
run: |
cosign verify-blob --cert ./dist.tgz-keyless.pem --signature ./dist.tgz-keyless.sig --certificate-identity "https://github.com/arx-research/libhalo/.github/workflows/prod_build_cli.yml@${GITHUB_REF}" --certificate-oidc-issuer https://token.actions.githubusercontent.com ./dist.tgz
- name: Uncompress previous stage
run: |
tar -xopf dist.tgz
- name: Compress application (Linux)
if: matrix.os == 'ubuntu-latest'
run: |
chmod +x halocli
chmod +x halo-bridge
chmod +x halo-gateway
tar -pczf halo-tools-linux-x64.tgz halocli halo-bridge halo-gateway
- name: Write certificate file (Windows)
if: matrix.os == 'windows-latest'
uses: DamianReeves/write-file-action@0a7fcbe1960c53fc08fe789fa4850d24885f4d84
with:
path: ./chain.cer
write-mode: overwrite
contents: ${{ vars.WINDOWS_CODE_SIGN_CERT_CHAIN }}
- name: Download jsign and verify (Windows)
if: matrix.os == 'windows-latest'
shell: bash
run: |
curl -s -L -o jsign.jar https://github.com/ebourg/jsign/releases/download/4.2/jsign-4.2.jar
echo "290377fc4f593256200b3ea4061b7409e8276255f449d4c6de7833faf0850cc1 jsign.jar" > jsign.sum
sha256sum -c jsign.sum
- name: Authenticate with gcloud (Windows)
if: matrix.os == 'windows-latest'
uses: google-github-actions/auth@ef5d53e30bbcd8d0836f4288f5e50ff3e086997d
with:
credentials_json: ${{ secrets.GCLOUD_SERVICE_ACCOUNT_KEY }}
- name: Set up Cloud SDK (Windows)
uses: google-github-actions/setup-gcloud@62d4898025f6041e16b1068643bfc5a696863587
if: matrix.os == 'windows-latest'
with:
install_components: 'gcloud'
project_id: ${{ secrets.GCLOUD_PROJECT_ID }}
- name: Sign application (Windows)
if: matrix.os == 'windows-latest'
shell: bash
run: |
java -jar jsign.jar --storetype GOOGLECLOUD --storepass "$(gcloud auth print-access-token)" --keystore "${{ vars.WINDOWS_CODE_SIGN_KEYSTORE }}" --alias "${{ vars.WINDOWS_CODE_SIGN_KEY_ALIAS }}" --certfile "chain.cer" --tsmode RFC3161 --tsaurl http://timestamp.globalsign.com/tsa/r6advanced1 halocli.exe
java -jar jsign.jar --storetype GOOGLECLOUD --storepass "$(gcloud auth print-access-token)" --keystore "${{ vars.WINDOWS_CODE_SIGN_KEYSTORE }}" --alias "${{ vars.WINDOWS_CODE_SIGN_KEY_ALIAS }}" --certfile "chain.cer" --tsmode RFC3161 --tsaurl http://timestamp.globalsign.com/tsa/r6advanced1 halo-bridge.exe
java -jar jsign.jar --storetype GOOGLECLOUD --storepass "$(gcloud auth print-access-token)" --keystore "${{ vars.WINDOWS_CODE_SIGN_KEYSTORE }}" --alias "${{ vars.WINDOWS_CODE_SIGN_KEY_ALIAS }}" --certfile "chain.cer" --tsmode RFC3161 --tsaurl http://timestamp.globalsign.com/tsa/r6advanced1 halo-gateway.exe
- name: Compress application (Windows)
if: matrix.os == 'windows-latest'
run: |
Compress-Archive -Path halocli.exe,halo-bridge.exe,halo-gateway.exe halo-tools-win-x64.zip
- name: Load signing credentials (Mac OS)
if: matrix.os == 'macos-latest'
uses: apple-actions/import-codesign-certs@253ddeeac23f2bdad1646faac5c8c2832e800071
with:
p12-file-base64: ${{ secrets.MACOS_SIGN_P12 }}
p12-password: ${{ secrets.MACOS_SIGN_P12_PASSWORD }}
- name: Sign application (Mac OS)
if: matrix.os == 'macos-latest'
run: |
mkdir -p root/usr/local/bin/
mkdir -p root/Applications/
mv halocli root/usr/local/bin/halocli
mv halo-bridge root/usr/local/bin/halo-bridge
mv halo-gateway root/usr/local/bin/halo-gateway
mv "HaLo CLI Bridge Server.app" "root/Applications/HaLo CLI Bridge Server.app"
/usr/bin/codesign --deep --force --options=runtime --entitlements ./Entitlements.plist --sign "${{ secrets.MACOS_SIGN_IDENTITY_APPLICATION }}" --timestamp ./root/usr/local/bin/halocli
/usr/bin/codesign --deep --force --options=runtime --entitlements ./Entitlements.plist --sign "${{ secrets.MACOS_SIGN_IDENTITY_APPLICATION }}" --timestamp ./root/usr/local/bin/halo-bridge
/usr/bin/codesign --deep --force --options=runtime --entitlements ./Entitlements.plist --sign "${{ secrets.MACOS_SIGN_IDENTITY_APPLICATION }}" --timestamp ./root/usr/local/bin/halo-gateway
/usr/bin/codesign --deep --force --sign "${{ secrets.MACOS_SIGN_IDENTITY_APPLICATION }}" --timestamp "./root/Applications/HaLo CLI Bridge Server.app"
chmod +x ./root/usr/local/bin/halocli
chmod +x ./root/usr/local/bin/halo-bridge
chmod +x ./root/usr/local/bin/halo-gateway
chmod +x "./root/Applications/HaLo CLI Bridge Server.app/Contents/MacOS/halocli_bridge_launcher"
pkgbuild --root ./root --identifier "org.arx.halo.halocli" --version "1.0.$(date +%s)" --scripts "macos_pkgbuild_scripts/" --install-location "/" --sign "${{ secrets.MACOS_SIGN_IDENTITY_INSTALLER }}" ./halo-tools-macos-x64.pkg
- name: Notarize application for Mac OS
if: matrix.os == 'macos-latest'
run: |
xcrun notarytool submit "--apple-id=${{ secrets.MACOS_NOTARIZE_APPLE_ID }}" "--password=${{ secrets.MACOS_NOTARIZE_PASSWORD }}" "--team-id=${{ secrets.MACOS_NOTARIZE_TEAM_ID }}" --progress --wait ./halo-tools-macos-x64.pkg
- name: Staple notarized application (Mac OS)
if: matrix.os == 'macos-latest'
run: |
xcrun stapler staple ./halo-tools-macos-x64.pkg
rm -rf ./root/
- name: Download release upload URL
uses: actions/download-artifact@v3
with:
name: release-upload-url
- name: Store release upload URL output
id: out_store
shell: bash
run: |
echo "release_upload_url=$(cat release-upload-url.txt)" >> "$GITHUB_OUTPUT"
- name: Sign output binaries with cosign
run: |
echo y | cosign sign-blob ./${{ matrix.out_name }} --output-certificate ./${{ matrix.out_name }}-keyless.pem --output-signature ./${{ matrix.out_name }}-keyless.sig
- name: Upload release asset (binary)
id: upload-release-asset-binary
uses: actions/upload-release-asset@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ steps.out_store.outputs.release_upload_url }}
asset_path: ./${{ matrix.out_name }}
asset_name: ${{ matrix.out_name }}
asset_content_type: application/octet-stream
- name: Upload release asset (cosign pem)
id: upload-release-asset-cosign-pem
uses: actions/upload-release-asset@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ steps.out_store.outputs.release_upload_url }}
asset_path: ./${{ matrix.out_name }}-keyless.pem
asset_name: ${{ matrix.out_name }}-keyless.pem
asset_content_type: application/octet-stream
- name: Upload release asset (cosign sig)
id: upload-release-asset-cosign-sig
uses: actions/upload-release-asset@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ steps.out_store.outputs.release_upload_url }}
asset_path: ./${{ matrix.out_name }}-keyless.sig
asset_name: ${{ matrix.out_name }}-keyless.sig
asset_content_type: application/octet-stream
- name: Delete binary artifact
if: always()
uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af
with:
name: binary-${{ matrix.os }}
Reference in New Issue View Git Blame Copy Permalink