Skip to content

Merge pull request #307 from ptarmiganlabs/release-please--branches--… #6

Merge pull request #307 from ptarmiganlabs/release-please--branches--…

Merge pull request #307 from ptarmiganlabs/release-please--branches--… #6

Workflow file for this run

name: ci
on:
workflow_dispatch:
push:
branches:
- main
jobs:
release-please:
runs-on: ubuntu-latest
outputs:
releases_created: ${{ steps.release.outputs.releases_created }}
release_tag_name: ${{ steps.release.outputs['tag_name'] }}
release_upload_url: ${{ steps.release.outputs['upload_url'] }}
env:
GITHUB_REF: ${{ github.ref }}
GITHUB_TOKEN: ${{ secrets.PAT }}
DIST_FILE_NAME: ctrl-q
steps:
- name: Show github.ref
run: echo "$GITHUB_REF"
- uses: google-github-actions/release-please-action@v3
id: release
if: |
github.repository_owner == 'ptarmiganlabs'
with:
# command: manifest
# bootstrap-sha: e0fd792f506ad88db030972c1baa201907844d6a
# last-release-sha: e0fd792f506ad88db030972c1baa201907844d6a
# release-as: 3.13.0
release-type: node
package-name: ctrl-q
default-branch: main
prerelease: false
release-search-depth: 5
commit-search-depth: 200
draft: true
changelog-types: '[{"type": "feat","section": "Features","hidden": false},{"type": "fix","section": "Bug Fixes","hidden": false},{"type": "chore","section": "Miscellaneous","hidden": false},{"type": "refactor","section": "Refactoring","hidden": false},{"type": "docs","section": "Documentation","hidden": false},{"type": "build","section": "Miscellaneous","hidden": false}]'
- name: Show output from Release-Please
if: always()
env:
RELEASE_PLEASE_OUTPUT: ${{ toJSON(steps.release.outputs) }}
run: echo "$RELEASE_PLEASE_OUTPUT"
- name: Show output from Release-Please
run: |
echo "releases_created: ${{ steps.release.outputs.releases_created }}"
echo "release_created : ${{ steps.release.outputs.release_created }}"
echo "draft : ${{ steps.release.outputs['draft'] }}"
echo "path : ${{ steps.release.outputs['path'] }}"
echo "upload_url : ${{ steps.release.outputs['upload_url'] }}"
echo "html_url : ${{ steps.release.outputs['html_url'] }}"
echo "tag_name : ${{ steps.release.outputs['tag_name'] }}"
echo "version : ${{ steps.release.outputs['version'] }}"
echo "major : ${{ steps.release.outputs['major'] }}"
echo "minor : ${{ steps.release.outputs['minor'] }}"
echo "patch : ${{ steps.release.outputs['patch'] }}"
echo "sha : ${{ steps.release.outputs['sha'] }}"
#####################
release-macos:
needs: release-please
runs-on:
- self-hosted
- x64
- macos
- sp53
# timeout-minutes: 15
if: ${{ needs.release-please.outputs.releases_created }}
env:
DIST_FILE_NAME: ctrl-q
GITHUB_TOKEN: ${{ secrets.PAT }}
MACOS_CERTIFICATE: ${{ secrets.PROD_MACOS_CERTIFICATE_BASE64_CODESIGN }}
MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_CODESIGN_PWD }}
MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_CODESIGN_NAME }}
MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}
PROD_MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }}
PROD_MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }}
PROD_MACOS_NOTARIZATION_PWD: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }}
steps:
- name: Release tag and upload url from previous job
run: |
echo "tag_name : ${{ needs.release-please.outputs.release_tag_name }}"
echo "upload_url : ${{ needs.release-please.outputs.release_upload_url }}"
- name: Checkout repository
uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v3
with:
node-version: lts/*
- name: Install tool for creating stand-alone executables
run: |
npm install pkg --location=global
npm install --save-exact esbuild
- name: Install dependencies
run: |
pwd
npm ci
- name: Build binaries
run: |
pwd
./node_modules/.bin/esbuild src/ctrl-q.js --bundle --external:axios --external:xdg-open --external:enigma.js --outfile=build.cjs --format=cjs --platform=node --target=node18 --minify
pkg --output "./${DIST_FILE_NAME}" -t node18-macos-x64 ./build.cjs --config package.json --compress GZip
chmod +x "${DIST_FILE_NAME}"
security delete-keychain build.keychain || true
# Turn our base64-encoded certificate back to a regular .p12 file
echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
# We need to create a new keychain, otherwise using the certificate will prompt
# with a UI dialog asking for the certificate password, which we can't
# use in a headless CI environment
security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
security list-keychains -d user -s build.keychain
security default-keychain -d user -s build.keychain
security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain
codesign --force -s "$MACOS_CERTIFICATE_NAME" -v "./${DIST_FILE_NAME}" --deep --strict --options=runtime --timestamp --entitlements ./release-config/${DIST_FILE_NAME}.entitlements
# We can't notarize an app bundle directly, but we need to compress it as an archive.
# Therefore, we create a zip file containing our app bundle, so that we can send it to the
# notarization service
# Notarize release binary
echo "Creating temp notarization archive for release binary"
# ditto -c -k --keepParent "./${DIST_FILE_NAME}" "./${DIST_FILE_NAME}.zip"
ditto -c -k --keepParent "./${DIST_FILE_NAME}" "./${DIST_FILE_NAME}-${{ needs.release-please.outputs.release_tag_name }}-macos.zip"
# Here we send the notarization request to the Apple's Notarization service, waiting for the result.
# This typically takes a few seconds inside a CI environment, but it might take more depending on the App
# characteristics. Visit the Notarization docs for more information and strategies on how to optimize it if
# you're curious
echo "Notarize release app"
xcrun notarytool submit "./${DIST_FILE_NAME}-${{ needs.release-please.outputs.release_tag_name }}-macos.zip" --keychain-profile "notarytool-profile" --wait
# Delete build keychain
security delete-keychain build.keychain
- name: Upload to existing release
uses: ncipollo/release-action@v1
with:
allowUpdates: true
omitBodyDuringUpdate: true
omitNameDuringUpdate: true
artifactContentType: raw
# artifactContentType: application/zip
draft: true
tag: ${{ needs.release-please.outputs.release_tag_name }}
artifacts: ./ctrl-q-${{ needs.release-please.outputs.release_tag_name }}-macos.zip
token: ${{ github.token }}
- name: Tidy up before existing
run: |
pwd
ls -la
rm build.cjs
rm "./${DIST_FILE_NAME}"
rm "./${DIST_FILE_NAME}-${{ needs.release-please.outputs.release_tag_name }}-macos.zip"
#####################
release-win64:
needs: release-please
runs-on:
- self-hosted
- x64
- windows
- sp53
# timeout-minutes: 15
if: ${{ needs.release-please.outputs.releases_created }}
env:
DIST_FILE_NAME: ctrl-q
GITHUB_TOKEN: ${{ secrets.PAT }}
CODESIGN_PWD: ${{ secrets.WIN_CODESIGN_PWD}}
CODESIGN_INTERMEDIATE_BASE64: ${{ secrets.WIN_CODESIGN_INTERMEDIATE_BASE64 }}
CODESIGN_BASE64: ${{ secrets.WIN_CODESIGN_BASE64}}
steps:
- name: Release tag and upload url from previous job
run: |
Write-Output 'tag_name : ${{ needs.release-please.outputs.release_tag_name }}'
Write-Output 'upload_url : ${{ needs.release-please.outputs.release_upload_url }}'
- name: Checkout repository
uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v3
with:
node-version: lts/*
- name: Install tool for creating stand-alone executables
run: |
npm install pkg --location=global
- name: Install dependencies
run: |
pwd
npm ci
- name: Build binaries
run: |
./node_modules/.bin/esbuild src/ctrl-q.js --bundle --external:axios --external:xdg-open --external:enigma.js --outfile=build.cjs --format=cjs --platform=node --target=node18 --minify
pkg --output "./${env:DIST_FILE_NAME}.exe" -t node18-win-x64 ./build.cjs --config package.json --compress GZip
# Sign the executable
New-Item -ItemType directory -Path certificate
Set-Content -Path certificate\certificate.txt -Value $env:CODESIGN_BASE64
certutil -decode certificate\certificate.txt certificate\certificate.pfx
Set-Content -Path certificate\intermediate.txt -Value $env:CODESIGN_INTERMEDIATE_BASE64
certutil -decode certificate\intermediate.txt certificate\intermediate.crt
$processOptions = @{
FilePath = "C:\Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x64/signtool.exe"
Wait = $true
ArgumentList = "sign", "/fd", "SHA256", "/p", "$env:CODESIGN_PWD", "/ac", "certificate\intermediate.crt", "/f", "certificate\certificate.pfx", "/tr", "http://timestamp.sectigo.com/rfc3161", "/td", "sha256", "./${env:DIST_FILE_NAME}.exe"
WorkingDirectory = "."
NoNewWindow = $true
}
Start-Process @processOptions
Remove-Item -Recurse -Force certificate
# Create release binary zip
$compress = @{
Path = "./${env:DIST_FILE_NAME}.exe"
CompressionLevel = "Fastest"
DestinationPath = "${env:DIST_FILE_NAME}-${{ needs.release-please.outputs.release_tag_name }}-win.zip"
}
Compress-Archive @compress
- name: Upload to existing release
uses: ncipollo/release-action@v1
with:
allowUpdates: true
omitBodyDuringUpdate: true
omitNameDuringUpdate: true
artifactContentType: raw
# artifactContentType: application/zip
draft: true
tag: ${{ needs.release-please.outputs.release_tag_name }}
artifacts: ./ctrl-q-${{ needs.release-please.outputs.release_tag_name }}-win.zip
token: ${{ github.token }}
- name: Tidy up before existing
run: |
dir
del build.cjs
del "./${env:DIST_FILE_NAME}.exe"
del "./${env:DIST_FILE_NAME}-${{ needs.release-please.outputs.release_tag_name }}-win.zip"
#####################
release-linux:
needs: release-please
runs-on: ubuntu-latest
# timeout-minutes: 15
if: ${{ needs.release-please.outputs.releases_created }}
env:
DIST_FILE_NAME: ctrl-q
GITHUB_TOKEN: ${{ secrets.PAT }}
steps:
- name: Release tag and upload url from previous job
run: |
echo "tag_name : ${{ needs.release-please.outputs.release_tag_name }}"
echo "upload_url : ${{ needs.release-please.outputs.release_upload_url }}"
- name: Checkout repository
uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v3
with:
node-version: lts/*
- name: Install tool for creating stand-alone executables
run: |
npm install pkg --location=global
- name: Install dependencies
run: |
pwd
npm ci
- name: Build binaries
run: |
./node_modules/.bin/esbuild src/bundle.js --bundle --external:axios --external:xdg-open --external:enigma.js --outfile=build.cjs --format=cjs --platform=node --target=node18 --minify
pkg --output "./${DIST_FILE_NAME}" -t node18-linux-x64 ./build.cjs --config package.json --compress GZip
chmod +x ${DIST_FILE_NAME}
- name: Make binary executable
run: |
chmod +x ./${DIST_FILE_NAME}
- name: Compress release binary
run: |
ls -la
zip -9 -r ./${DIST_FILE_NAME}-${{ needs.release-please.outputs.release_tag_name }}-linux.zip ${DIST_FILE_NAME}
- name: Debug
run: |
ls -la
- name: Upload to existing release
uses: ncipollo/release-action@v1
with:
allowUpdates: true
omitBodyDuringUpdate: true
omitNameDuringUpdate: true
artifactContentType: raw
# artifactContentType: application/zip
draft: true
tag: ${{ needs.release-please.outputs.release_tag_name }}
artifacts: ./ctrl-q-${{ needs.release-please.outputs.release_tag_name }}-linux.zip
token: ${{ github.token }}
- name: Tidy up before existing
run: |
pwd
ls -la
rm build.cjs
rm "./${DIST_FILE_NAME}"
rm "./${DIST_FILE_NAME}-${{ needs.release-please.outputs.release_tag_name }}-linux.zip"
#####################
#####################
#####################
#####################
#####################
#####################
# - name: Checkout repository
# uses: actions/checkout@v4
# - name: Install dependencies
# run: |
# pwd
# cd src
# npm install
# - name: Run Snyk to check for vulnerabilities
# uses: snyk/actions/node@master
# continue-on-error: true
# env:
# SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
# with:
# args: --file=./src/package.json --sarif-file-output=./snyk.sarif
# # command: test
# - name: Upload Snyk result to GitHub Code Scanning
# uses: github/codeql-action/upload-sarif@v2
# with:
# sarif_file: ./snyk.sarif
# - name: Install tools for creating stand-alone executables
# if: ${{ steps.release.outputs.src--release_created }}
# run: |
# npm install -g pkg
# npm i -g @vercel/ncc
# - name: Package stand-alone binaries
# if: ${{ steps.release.outputs.src--release_created }}
# run: |
# pwd
# ls -la
# cd src
# mkdir build
# mkdir build/macos
# mkdir build/win
# mkdir build/linux
# ncc build -o build/lib -e enigma.js ./ctrl-q.js
# pkg --output build/macos/${DIST_FILE_NAME} --target node16-macos-x64 --compress GZip ./build/lib/index.js
# pkg --output build/win/${DIST_FILE_NAME}.exe --target node16-win-x64 --compress GZip ./build/lib/index.js
# pkg --output build/linux/${DIST_FILE_NAME} --target node16-linux-x64 --compress GZip ./build/lib/index.js
# - name: Debug
# if: ${{ steps.release.outputs.src--release_created }}
# run: |
# ls -la
# ls -la src/build
# ls -la src/build/macos
# ls -la src/build/win
# ls -la src/build/linux
# mkdir ghaction-virustotal
# - name: VirusTotal Scan
# if: ${{ steps.release.outputs.src--release_created }}
# uses: crazy-max/ghaction-virustotal@v3
# with:
# vt_api_key: ${{ secrets.VIRUSTOTAL_API_KEY }}
# request_rate: 4
# files: |
# ./src/build/macos/*
# ./src/build/win/*
# ./src/build/linux/*
# - name: Debug
# if: ${{ steps.release.outputs.src--release_created }}
# run: |
# ls -la ghaction-virustotal
# - name: Upload macOS build artifacts
# if: ${{ steps.release.outputs.src--release_created }}
# uses: actions/upload-artifact@v3
# with:
# name: binaries-macos
# path: src/build/macos/*
# - name: Upload Linux build artifacts
# if: ${{ steps.release.outputs.src--release_created }}
# uses: actions/upload-artifact@v3
# with:
# name: binaries-linux
# path: src/build/linux/*
# - name: Upload Windows build artifacts
# if: ${{ steps.release.outputs.src--release_created }}
# uses: actions/upload-artifact@v3
# with:
# name: binaries-win
# path: src/build/win/*
# release-macos:
# needs: release-please
# runs-on:
# - self-hosted
# - x64
# - macos
# - sp53
# # timeout-minutes: 15
# if: ${{ needs.release-please.outputs.release_created }}
# env:
# DIST_FILE_NAME: ctrl-q
# steps:
# - name: Release tag and upload url from previous job
# run: |
# echo "tag_name : ${{ needs.release-please.outputs.release_tag_name }}"
# echo "upload_url : ${{ needs.release-please.outputs.release_upload_url }}"
# - name: Checkout
# uses: actions/checkout@v4
# - name: Setup node
# uses: actions/setup-node@v3
# with:
# node-version: lts/*
# - name: Download-Binaries
# uses: actions/download-artifact@v3
# with:
# name: binaries-macos
# path: release-macos/
# - name: Make binary executable
# run: |
# chmod +x release-macos/${DIST_FILE_NAME}
# # Needed for GitHub hosted runner
# # For self-hosted runner the cert must either be installed manually, or the code below run once and then disabled.
# # - name: Import Code-Signing Certificates
# # uses: Apple-Actions/import-codesign-certs@v1
# # with:
# # # The certificates in a PKCS12 file encoded as a base64 string
# # p12-file-base64: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_P12_BASE64 }}
# # # The password used to import the PKCS12 file.
# # p12-password: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_PASSWORD }}
# # - name: Install gon via HomeBrew for code signing and app notarization
# # run: |
# # brew tap mitchellh/gon
# # brew install mitchellh/gon/gon
# - name: Debug
# run: |
# ls -la
# ls -la ./release-macos
# - name: Sign the mac binaries with Gon
# env:
# AC_USERNAME: ${{ secrets.AC_USERNAME }}
# AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
# run: |
# pwd
# ls -la
# gon ./release-config/gon.json
# - name: Change name of zip file
# run: |
# pwd
# ls -la
# ls -la ./release-macos
# mv ./${{ env.DIST_FILE_NAME }}-macos.zip ./${{ needs.release-please.outputs.release_tag_name }}-macos.zip
# - name: Debug
# run: |
# ls -la
# ls -la ./release-macos
# - name: Upload to existing release
# uses: ncipollo/release-action@v1
# with:
# allowUpdates: true
# omitBodyDuringUpdate: true
# omitNameDuringUpdate: true
# artifactContentType: raw
# # artifactContentType: application/zip
# draft: true
# tag: ${{ needs.release-please.outputs.release_tag_name }}
# artifacts: ./${{ needs.release-please.outputs.release_tag_name }}-macos.zip
# token: ${{ github.token }}
# - name: Tidy up before existing
# run: |
# rm -r release-macos
# release-linux:
# needs: release-please
# runs-on: ubuntu-latest
# # timeout-minutes: 15
# if: ${{ needs.release-please.outputs.release_created }}
# env:
# DIST_FILE_NAME: ctrl-q
# steps:
# - name: Release tag and upload url from previous job
# run: |
# echo "tag_name : ${{ needs.release-please.outputs.release_tag_name }}"
# echo "upload_url : ${{ needs.release-please.outputs.release_upload_url }}"
# - name: Checkout
# uses: actions/checkout@v4
# - name: Setup node
# uses: actions/setup-node@v3
# with:
# node-version: lts/*
# - name: Download-Binaries
# uses: actions/download-artifact@v3
# with:
# name: binaries-linux
# path: release-linux/
# - name: Make binary executable
# run: |
# chmod +x release-linux/${DIST_FILE_NAME}
# - name: Compress into zip
# run: |
# ls -la
# ls -la ./release-linux
# zip -9 -r ./${{ needs.release-please.outputs.release_tag_name }}-linux.zip release-linux/
# - name: Debug
# run: |
# ls -la
# ls -la ./release-linux
# - name: Upload to existing release
# uses: ncipollo/release-action@v1
# with:
# allowUpdates: true
# omitBodyDuringUpdate: true
# omitNameDuringUpdate: true
# artifactContentType: raw
# # artifactContentType: application/zip
# draft: true
# tag: ${{ needs.release-please.outputs.release_tag_name }}
# artifacts: ./${{ needs.release-please.outputs.release_tag_name }}-linux.zip
# token: ${{ github.token }}
# - name: Tidy up before existing
# run: |
# rm -r release-linux
# release-win64:
# needs: release-please
# runs-on:
# - self-hosted
# - x64
# - windows
# - sp53
# # timeout-minutes: 15
# if: ${{ needs.release-please.outputs.release_created }}
# env:
# DIST_FILE_NAME: ctrl-q
# steps:
# - name: Release tag and upload url from previous job
# run: |
# Write-Output 'tag_name : ${{ needs.release-please.outputs.release_tag_name }}'
# Write-Output 'upload_url : ${{ needs.release-please.outputs.release_upload_url }}'
# - name: Checkout
# uses: actions/checkout@v4
# - name: Setup node
# uses: actions/setup-node@v3
# with:
# node-version: lts/*
# - name: Download-Binaries
# uses: actions/download-artifact@v3
# with:
# name: binaries-win
# path: release-win/
# - name: Sign the executable
# env:
# CODESIGN_PWD: ${{ secrets.WIN_CODESIGN_PWD}}
# CODESIGN_INTERMEDIATE_BASE64: ${{ secrets.WIN_CODESIGN_INTERMEDIATE_BASE64 }}
# CODESIGN_BASE64: ${{ secrets.WIN_CODESIGN_BASE64}}
# run: |
# New-Item -ItemType directory -Path certificate
# Set-Content -Path certificate\certificate.txt -Value $env:CODESIGN_BASE64
# certutil -decode certificate\certificate.txt certificate\certificate.pfx
# Set-Content -Path certificate\intermediate.txt -Value $env:CODESIGN_INTERMEDIATE_BASE64
# certutil -decode certificate\intermediate.txt certificate\intermediate.crt
# & 'C:\Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x64/signtool.exe' sign /fd SHA256 /p $env:CODESIGN_PWD /ac certificate\intermediate.crt /f certificate\certificate.pfx /tr "http://timestamp.sectigo.com/rfc3161" /td sha256 release-win/ctrl-q.exe
# Remove-Item -Recurse -Force certificate
# - name: Install dependencies and zip into release asset
# run: |
# cd release-win
# dir
# $compress = @{
# Path = "."
# CompressionLevel = "Fastest"
# DestinationPath = "${{ needs.release-please.outputs.release_tag_name }}-win.zip"
# }
# Compress-Archive @compress
# - name: Debug
# run: |
# dir
# dir ./release-win
# - name: Upload to existing release
# uses: ncipollo/release-action@v1
# with:
# allowUpdates: true
# omitBodyDuringUpdate: true
# omitNameDuringUpdate: true
# artifactContentType: raw
# # artifactContentType: application/zip
# draft: true
# tag: ${{ needs.release-please.outputs.release_tag_name }}
# artifacts: release-win/${{ needs.release-please.outputs.release_tag_name }}-win.zip
# token: ${{ github.token }}
# - name: Tidy up before existing
# run: |
# dir
# Remove-Item -path ./release-win -recurse