fix(ci): switch osx build to codesign and notarytool (#1078) #722
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: | |
push: | |
branches: | |
- master | |
pull_request: | |
branches: | |
- master | |
workflow_dispatch: | |
inputs: | |
dist_root: | |
description: 'DIST_ROOT' | |
required: true | |
default: '/ipns/dist.ipfs.tech' | |
env: | |
DIST_ROOT: ${{ github.event.inputs.custom_dist_root || '/ipns/dist.ipfs.tech' }} # content root used for calculating diff to build | |
KUBO_VER: 'v0.27.0' # kubo daemon used for chunking and applying diff | |
CLUSTER_CTL_VER: 'v1.0.8' # ipfs-cluster-ctl used for pinning | |
concurrency: | |
# we want only one job running at the time because it is expensive | |
# expecially when building artifact for multiple platforms | |
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} | |
# IMPORTANT: we want to save resources and cancell old builds on PRs, | |
# but we can't cancel jobs in master branch because they update DNSLink | |
# which is used as DIST_ROOT of the next job, so if we cancel a master job | |
# we will "forget" about releases added in skipped build. | |
cancel-in-progress: ${{ github.ref != 'refs/heads/master' }} | |
jobs: | |
build: | |
runs-on: ${{ fromJSON(vars.CI_BUILD_RUNS_ON || '"ubuntu-latest"') }} | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-node@v4 | |
with: | |
node-version: '16' | |
- env: | |
CLUSTER_USER: ${{ secrets.CLUSTER_USER }} | |
CLUSTER_PASSWORD: ${{ secrets.CLUSTER_PASSWORD }} | |
uses: ./.github/actions/setup-ipfs | |
timeout-minutes: 30 | |
- name: Build any new ./releases | |
run: ./dockerized make all_dists | |
- name: Inspect git status and contents of ./releases | |
run: git status && ls -Rhl ./releases | |
- name: Temporarily save ./releases artifacts | |
uses: actions/upload-artifact@v3 | |
with: | |
name: releases-unsigned-diff | |
path: releases | |
retention-days: 3 | |
lint: | |
runs-on: "ubuntu-latest" | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/setup-node@v4 | |
with: | |
node-version: '16' | |
- run: npm ci --no-audit --progress=false | |
- run: npm run lint | |
sign-macos: | |
runs-on: "macos-latest" | |
needs: build | |
concurrency: | |
# notarization depends on remote HTTP service provided by Apple | |
# and we want to have only one instance at a time, across all branches | |
# and PRs to avoid triggering throttling / blacklisting when multiple | |
# jobs try to notarize at the same time | |
group: sign-macos | |
# never cancel ongoing notarization, it could me one for master branch | |
cancel-in-progress: false | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Retrieve unsigned artifacts | |
uses: actions/download-artifact@v3 | |
with: | |
name: releases-unsigned-diff | |
path: releases | |
continue-on-error: true # skip if no releases | |
- name: List ./releases before | |
run: ls -Rhl ./releases || echo "No ./releases" | |
- name: Install dependencies of sign-new-macos-releases.sh | |
run: | | |
brew install ipfs coreutils gawk gnu-sed jq | |
- name: Set up rcodesign rust tool (TODO) | |
if: false | |
run: | | |
cargo install apple-codesign | |
- name: Import Keychain Certs | |
# if this ever breaks, we should replace this magic with epxlicit security commands executed inside of it via.. nodejs | |
# prior art: https://github.com/lando/code-sign-action/blob/f35d0b777ee592c758351252fa3f0d58f21e5129/action.yml#L106-L123 | |
uses: apple-actions/import-codesign-certs@8f3fb608891dd2244cdab3d69cd68c0d37a7fe93 # v2 | |
with: | |
p12-file-base64: ${{ secrets.APPLE_CERTS_P12 }} | |
p12-password: ${{ secrets.APPLE_CERTS_PASS }} | |
- name: Verify identity used for signing | |
run: security find-identity -v | |
- name: Secrets for signing (TODO rcodesign) | |
# TODO: revisit switch to rcodesign once we have to switch mode due to move to new org | |
# we dont use this yet, we use codesign from Apple and run on macOS | |
# because rcodesign errored on 'invalid password' | |
if: false | |
run: | | |
echo -n "${{ secrets.APPLE_CERTS_P12 }}" | base64 --decode > ~/.apple-certs.p12 | |
echo -n "{{ secrets.APPLE_CERTS_PASS }}" > ~/.apple-certs.pass | |
- name: Secrets for notarization (TODO rcodesign) | |
# TODO: revisit switch to rcodesign once we have to switch mode due to move to new org | |
# we dont use this yet, we use notarytool from Apple and run on macOS | |
# because (afaik) rcodesign does not support App-specific password mode | |
# we use for legacy reasons | |
if: false | |
run: | | |
rcodesign encode-app-store-connect-api-key \ | |
"${{ secrets.APPLE_APIKEY_ISSUER_ID }}" \ | |
"${{ secrets.APPLE_APIKEY_ID }}" \ | |
"${{ secrets.APPLE_APIKEY_FILE }}" \ | |
> ~/.apple-api-key | |
- name: Kubo init | |
run: ipfs init --profile test # needed for calculating NEW_CID in sign-new-macos-releases.sh | |
- name: Sign any new releases | |
run: ./scripts/ci/sign-new-macos-releases.sh | |
env: | |
WORK_DIR: ${{ github.workspace }} | |
APPLE_AC_USERNAME: ${{ secrets.APPLE_AC_USERNAME }} | |
APPLE_AC_PASSWORD: ${{ secrets.APPLE_AC_PASSWORD }} | |
APPLE_AC_TEAM_ID: ${{ secrets.APPLE_AC_TEAM_ID }} | |
- name: List ./releases after | |
run: ls -Rhl ./releases || echo "No ./releases" | |
- name: Temporarily save notarized artifacts | |
uses: actions/upload-artifact@v3 | |
with: | |
name: releases-signed-macos-diff | |
path: releases | |
retention-days: 3 | |
continue-on-error: true # skip if no releases | |
persist: | |
runs-on: ${{ fromJSON(vars.CI_BUILD_RUNS_ON || '"ubuntu-latest"') }} | |
needs: sign-macos | |
environment: Deploy | |
steps: | |
- name: Setup node | |
uses: actions/setup-node@v4 | |
with: | |
node-version: '16' | |
- uses: actions/checkout@v4 | |
- name: Retrieve signed artifacts | |
uses: actions/download-artifact@v3 | |
continue-on-error: true # skip if no releases | |
with: | |
name: releases-signed-macos-diff | |
path: releases | |
- name: List ./releases | |
run: ls -Rhl ./releases || echo "No ./releases" | |
- env: | |
CLUSTER_USER: ${{ secrets.CLUSTER_USER }} | |
CLUSTER_PASSWORD: ${{ secrets.CLUSTER_PASSWORD }} | |
uses: ./.github/actions/setup-ipfs | |
timeout-minutes: 30 | |
- run: ./dockerized make publish | |
- run: git status | |
- name: Read CID of updated DAG | |
id: cid-reader | |
run: echo "CID=$(tail -1 ./versions)" >> $GITHUB_OUTPUT | |
- name: Pin new website to ipfs-websites.collab.ipfscluster.io | |
run: ./scripts/ci/pin-to-cluster.sh | |
env: | |
PIN_CID: ${{ steps.cid-reader.outputs.CID }} | |
PIN_NAME: "https://github.com/ipfs/distributions/commits/${{ github.sha }}" | |
PIN_ADD_EXTRA_ARGS: "" | |
CLUSTER_USER: ${{ secrets.CLUSTER_USER }} | |
CLUSTER_PASSWORD: ${{ secrets.CLUSTER_PASSWORD }} | |
timeout-minutes: 60 | |
- name: Update PR status with preview link | |
run: ./scripts/ci/github-preview-link.sh | |
env: | |
CONTENT_PATH: "/ipfs/${{ steps.cid-reader.outputs.CID }}/" | |
GIT_REVISION: ${{ github.sha }} | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- run: ./dockerized make diff | |
if: github.event_name == 'pull_request' | |
- uses: actions/upload-artifact@v3 | |
if: github.event_name == 'pull_request' | |
with: | |
name: diff | |
path: diff | |
- uses: actions/setup-go@v4 | |
if: github.ref == 'refs/heads/master' | |
with: | |
go-version: "1.20.x" | |
- name: Update _dnslink.dist.ipfs.tech (if on the main branch) | |
if: github.ref == 'refs/heads/master' | |
run: | | |
go install github.com/ipfs/[email protected] | |
dnslink-dnsimple --domain dist.ipfs.tech --record _dnslink --link /ipfs/${{ steps.cid-reader.outputs.CID }} | |
env: | |
DNSIMPLE_TOKEN: ${{ secrets.DNSIMPLE_TOKEN }} | |
diff: | |
needs: persist | |
if: github.event_name == 'pull_request' | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/download-artifact@v3 | |
with: | |
name: diff | |
- name: Create comment with the diff | |
uses: actions/github-script@v6 | |
with: | |
script: | | |
const fs = require('fs').promises | |
const diff = await fs.readFile('diff', 'utf8') | |
await github.rest.issues.createComment({ | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
issue_number: ${{ github.event.number }}, | |
body: diff | |
}) |