try to run hash.bat #205
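# Release workflow: builds the zip and native installer with Gradle, produces SHA-512 files next to
# them, uploads everything as a workflow artifact and, on a release event, attaches the files to
# the release.
#
# Security notes for maintainers:
#   * Values derived from the git ref (github.ref_name and the step outputs built from it) are
#     handed to shell steps through `env:` and referenced as quoted shell variables, so the ref
#     text is never spliced into the script source by `${{ }}` expansion.
#   * Actions referenced by a mutable tag (@v2/@v3) can change under the same tag; pinning to a
#     full commit SHA, as already done for gradle/wrapper-validation-action, removes that risk.
name: "Generate Releases"

on:
  release:
    # NOTE(review): `release` does not appear among the documented activity types for the release
    # event (published, unpublished, created, edited, deleted, prereleased, released) -- confirm
    # which one is intended; left unchanged here.
    types: [ release ]
  ## To test this workflow without creating a release, uncomment the following and add a branch name (making sure "push"
  ## is at the same indent level as "release":
  # NOTE(review): the push trigger below is currently enabled; comment it out again before this
  # lands on the release branch so that feature-branch pushes do not run the signing/release job.
  push:
    branches:
      - 'feature/issue-759_idempotent-sha'

jobs:
  release:
    runs-on: ${{ matrix.os }}
    # Least-privilege token scope: only the release upload step needs to write repository contents.
    # NOTE(review): confirm ./.github/actions/gradle-and-sha needs no further scopes.
    permissions:
      contents: write
    strategy:
      matrix:
        os: [ windows-latest ]
    steps:
      - name: "Create base filename for all artifacts"
        id: basefn
        shell: bash
        env:
          # The ref name is chosen by whoever creates the branch or tag; keep it out of the script text.
          REF_NAME: ${{ github.ref_name }}
        run: |
          # RUNNER_OS is the runner-provided environment variable equivalent to runner.os.
          FILEPATH=$(echo "rctab_${REF_NAME}_${RUNNER_OS}" | sed -e 's/\//_/g')
          echo "FILEPATH=$FILEPATH" >> "$GITHUB_OUTPUT"

      # Normalize platform-specific filepaths generated by gradle
      - name: "Create .zip filename"
        id: zipfn
        shell: bash
        env:
          BASE_FN: ${{ steps.basefn.outputs.FILEPATH }}
        run: echo "FILEPATH=build/${BASE_FN}.zip" >> "$GITHUB_OUTPUT"

      - name: "Get extension"
        id: ext
        shell: bash
        run: |
          if [ "$RUNNER_OS" == 'Windows' ]; then
            echo "EXT=.exe" >> "$GITHUB_OUTPUT"
          elif [ "$RUNNER_OS" == 'Linux' ]; then
            echo "EXT=.deb" >> "$GITHUB_OUTPUT"
          else
            echo "EXT=.dmg" >> "$GITHUB_OUTPUT"
          fi

      - name: "Get jpackage output filepath"
        id: jpackagefn
        shell: bash
        run: |
          # TODO Sync version number with Main.java and build.gradle (github.com/BrightSpots/rcv/issues/662)
          # The version numbers are hardcoded because the files below include the version number in them,
          # and while we could use some regex to figure out the version number automatically, it seems cleaner
          # to know the expected version number upfront.
          if [ "$RUNNER_OS" == 'Windows' ]; then
            echo "FILEPATH=build/jpackage/RCTab-1.3.999.exe" >> "$GITHUB_OUTPUT"
          elif [ "$RUNNER_OS" == 'Linux' ]; then
            echo "FILEPATH=build/jpackage/rctab_1.3.999-1_amd64.deb" >> "$GITHUB_OUTPUT"
          else
            echo "FILEPATH=build/jpackage/RCTab-1.3.999.dmg" >> "$GITHUB_OUTPUT"
          fi

      - name: "Create executable filename"
        id: exefn
        shell: bash
        env:
          BASE_FN: ${{ steps.basefn.outputs.FILEPATH }}
          EXT: ${{ steps.ext.outputs.EXT }}
        run: echo "FILEPATH=build/${BASE_FN}${EXT}" >> "$GITHUB_OUTPUT"

      # Tag-pinned actions: consider pinning to a full commit SHA.
      - uses: actions/checkout@v3

      - name: "Set up JDK 20.0.1"
        uses: actions/setup-java@v3
        with:
          java-version: '20.0.1'
          distribution: 'temurin'

      # Verifies the checked-in Gradle wrapper before any Gradle command runs; keep this ahead of
      # every gradle-and-sha step.
      - name: "Validate Gradle wrapper"
        uses: gradle/wrapper-validation-action@ccb4328a959376b642e027874838f60f8e596de3

      - name: "Create zip with jlinkZip"
        uses: ./.github/actions/gradle-and-sha
        with:
          gradle-command: jlinkZip
          intermediate-filepath: build/rcv.zip
          final-filepath: ${{ steps.zipfn.outputs.FILEPATH }}

      # NOTE(review): with the matrix limited to windows-latest this step and the notarization
      # step below never run; they are kept for when macOS is added back to the matrix.
      - name: "Prepare keychain"
        if: matrix.os == 'macOS-latest'
        env:
          MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
          MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
        run: |
          export TEMP_PWD=temporary-password-to-avoid-GUI-prompt
          echo "Decode Base64 certificates"
          # Secrets are quoted so that whitespace or glob characters in them are passed through intact.
          echo "$MACOS_CERTIFICATE" | base64 --decode > certificate.p12
          echo "Create and unlock keychain"
          security create-keychain -p "$TEMP_PWD" build.keychain
          security unlock-keychain -p "$TEMP_PWD" build.keychain
          echo "Import certificates into keychain"
          # Note: in the next command, the -A should not be used outside of github actions.
          # It allows any application to read the keychain, which is fine in an ephemeral environment,
          # but not fine if you run this on your own machine.
          security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -A -T /usr/bin/codesign -T /usr/bin/productbuild -T /usr/bin/security
          # The decoded signing certificate is only needed for the import; do not leave it in the workspace.
          rm -f certificate.p12
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$TEMP_PWD" build.keychain

      - name: "Create executable with jpackage (and sign, on MacOS)"
        uses: ./.github/actions/gradle-and-sha
        with:
          gradle-command: jpackage
          intermediate-filepath: ${{ steps.jpackagefn.outputs.FILEPATH }}
          final-filepath: ${{ steps.exefn.outputs.FILEPATH }}

      - name: "Notarize app bundle"
        if: matrix.os == 'macOS-latest'
        env:
          MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }}
          MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }}
          MACOS_NOTARIZATION_PWD: ${{ secrets.MACOS_NOTARIZATION_PWD }}
          IDENTITY_PUBLIC_KEY: A257HB4NS4
          # Derived from the ref name, so it is passed as a variable rather than expanded into the script.
          EXE_PATH: ${{ steps.exefn.outputs.FILEPATH }}
        run: |
          echo "Unlock keychain"
          security unlock-keychain -p temporary-password-to-avoid-GUI-prompt build.keychain
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k temporary-password-to-avoid-GUI-prompt build.keychain
          echo "Create keychain profile"
          xcrun notarytool store-credentials "notarytool-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD"
          echo "Creating temp notarization archive"
          ditto -c -k --sequesterRsrc --keepParent "$EXE_PATH" "notarization.zip"
          echo "Notarize app -- this may take a few minutes"
          xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait
          echo "Attach staple"
          xcrun stapler staple "$EXE_PATH"

      #- name: "Create idempotent hash on Windows"
      #  if: matrix.os == 'Windows'
      #  run: |
      #    ./idempotent_hash.bat
      - name: "Generate Idempotent SHA512 for Windows"
        # The env context only holds variables defined in the workflow, so env.GITHUB_WORKSPACE
        # expands to nothing; github.workspace is the context value for the checkout directory.
        working-directory: ${{ github.workspace }}
        if: runner.os == 'Windows'
        # working-directory already places the step in the workspace, so no leading `cd` is needed.
        # The chain must not end in a dangling `&&`: there is no command after it to run.
        run: |
          move .github\workflows\hash.bat build\ &&
          cd build &&
          .\hash.bat >> idempotent-hash.sha512

      - uses: actions/upload-artifact@v3
        with:
          name: Package
          # Fail the job rather than publish an incomplete set of binaries and hash files.
          if-no-files-found: error
          path: |
            ${{ github.workspace }}/${{ steps.zipfn.outputs.FILEPATH }}
            ${{ github.workspace }}/${{ steps.zipfn.outputs.FILEPATH }}.sha512
            ${{ github.workspace }}/${{ steps.exefn.outputs.FILEPATH }}
            ${{ github.workspace }}/${{ steps.exefn.outputs.FILEPATH }}.sha512
            build/idempotent-hash.sha512
          retention-days: 90

      # Third-party action that receives the job token and writes release assets; it is referenced
      # by a mutable tag. Pin it to a reviewed full commit SHA.
      - name: "Upload binaries to release"
        uses: svenstaro/upload-release-action@v2
        if: github.event_name == 'release'
        with:
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          file: build/${{ steps.basefn.outputs.FILEPATH }}*
          tag: ${{ github.ref_name }}
          # NOTE(review): overwrite replaces assets already attached to the tag, so a re-run changes
          # published binaries and their hashes; confirm that is intended for releases.
          overwrite: true
          file_glob: true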