|
1 | 1 | # GitHub release workflow.
|
2 |
| -# |
3 |
| -# This workflow is a bit complicated because we have to build darwin binaries on |
4 |
| -# a mac runner, but the mac runners are extremely slow. So instead of running |
5 |
| -# the entire release on a mac (which will take an hour to run), we run only the |
6 |
| -# mac build on a mac, and the rest on a linux runner. The final release is then |
7 |
| -# published using a final linux runner. |
8 | 2 | name: release
|
9 | 3 | on:
|
10 | 4 | push:
|
|
25 | 19 | CODER_RELEASE: ${{ github.event.inputs.snapshot && 'false' || 'true' }}
|
26 | 20 |
|
27 | 21 | jobs:
|
28 |
| - linux-windows: |
| 22 | + release: |
29 | 23 | runs-on: ubuntu-latest
|
30 | 24 | env:
|
31 | 25 | # Necessary for Docker manifest
|
@@ -71,15 +65,36 @@ jobs:
|
71 | 65 | - name: Install zstd
|
72 | 66 | run: sudo apt-get install -y zstd
|
73 | 67 |
|
74 |
| - - name: Build Linux and Windows Binaries |
| 68 | + - name: Setup Apple Developer certificate and API key |
| 69 | + run: | |
| 70 | + set -euo pipefail |
| 71 | + touch /tmp/{apple_cert.p12,apple_cert_password.txt,apple_apikey.p8} |
| 72 | + chmod 600 /tmp/{apple_cert.p12,apple_cert_password.txt,apple_apikey.p8} |
| 73 | + echo "$AC_CERTIFICATE_BASE64" | base64 -d > /tmp/apple_cert.p12 |
| 74 | + echo "$AC_CERTIFICATE_PASSWORD" > /tmp/apple_cert_password.txt |
| 75 | + echo "$AC_APIKEY_BASE64" | base64 -d > /tmp/apple_apikey.p8 |
| 76 | + env: |
| 77 | + AC_CERTIFICATE_BASE64: ${{ secrets.AC_CERTIFICATE_P12_BASE64 }} |
| 78 | + AC_CERTIFICATE_PASSWORD: ${{ secrets.AC_CERTIFICATE_PASSWORD }} |
| 79 | + AC_APIKEY_BASE64: ${{ secrets.AC_APIKEY_PEM_BASE64 }} |
| 80 | + |
| 81 | + - name: Build binaries |
75 | 82 | run: |
|
76 | 83 | set -euo pipefail
|
77 | 84 | go mod download
|
78 | 85 |
|
79 | 86 | version="$(./scripts/version.sh)"
|
80 | 87 | make -j \
|
81 | 88 | build/coder_"$version"_linux_{amd64,armv7,arm64}.{tar.gz,apk,deb,rpm} \
|
82 |
| - build/coder_"$version"_windows_{amd64,arm64}.zip \ |
| 89 | + build/coder_"$version"_{darwin,windows}_{amd64,arm64}.zip \ |
| 90 | + build/coder_helm_"$version".tgz |
| 91 | + env: |
| 92 | + CODER_SIGN_DARWIN: "1" |
| 93 | + AC_CERTIFICATE_FILE: /tmp/apple_cert.p12 |
| 94 | + AC_CERTIFICATE_PASSWORD_FILE: /tmp/apple_cert_password.txt |
| 95 | + AC_APIKEY_ISSUER_ID: ${{ secrets.AC_APIKEY_ISSUER_ID }} |
| 96 | + AC_APIKEY_ID: ${{ secrets.AC_APIKEY_ID }} |
| 97 | + AC_APIKEY_FILE: /tmp/apple_apikey.p8 |
83 | 98 |
|
84 | 99 | - name: Build Linux Docker images
|
85 | 100 | run: |
|
@@ -115,154 +130,18 @@ jobs:
|
115 | 130 | "${images[@]}"
|
116 | 131 | fi
|
117 | 132 |
|
118 |
| - - name: Upload binary artifacts |
119 |
| - uses: actions/upload-artifact@v3 |
120 |
| - with: |
121 |
| - name: linux |
122 |
| - path: | |
123 |
| - ./build/*.zip |
124 |
| - ./build/*.tar.gz |
125 |
| - ./build/*.apk |
126 |
| - ./build/*.deb |
127 |
| - ./build/*.rpm |
128 |
| -
|
129 |
| - # The mac binaries get built on mac runners because they need to be signed, |
130 |
| - # and the signing tool only runs on mac. This darwin job only builds the Mac |
131 |
| - # binaries and uploads them as job artifacts used by the publish step. |
132 |
| - darwin: |
133 |
| - runs-on: macos-latest |
134 |
| - steps: |
135 |
| - - uses: actions/checkout@v3 |
136 |
| - with: |
137 |
| - fetch-depth: 0 |
138 |
| - |
139 |
| - # If the event that triggered the build was an annotated tag (which our |
140 |
| - # tags are supposed to be), actions/checkout has a bug where the tag in |
141 |
| - # question is only a lightweight tag and not a full annotated tag. This |
142 |
| - # command seems to fix it. |
143 |
| - # https://github.com/actions/checkout/issues/290 |
144 |
| - - name: Fetch git tags |
145 |
| - run: git fetch --tags --force |
146 |
| - |
147 |
| - - uses: actions/setup-go@v3 |
148 |
| - with: |
149 |
| - go-version: "~1.19" |
150 |
| - |
151 |
| - - name: Import Signing Certificates |
152 |
| - uses: Apple-Actions/import-codesign-certs@v1 |
153 |
| - with: |
154 |
| - p12-file-base64: ${{ secrets.AC_CERTIFICATE_P12_BASE64 }} |
155 |
| - p12-password: ${{ secrets.AC_CERTIFICATE_PASSWORD }} |
156 |
| - |
157 |
| - - name: Cache Node |
158 |
| - id: cache-node |
159 |
| - uses: actions/cache@v3 |
160 |
| - with: |
161 |
| - path: | |
162 |
| - **/node_modules |
163 |
| - .eslintcache |
164 |
| - key: js-${{ runner.os }}-test-${{ hashFiles('**/yarn.lock') }} |
165 |
| - restore-keys: | |
166 |
| - js-${{ runner.os }}- |
| 133 | + - name: ls build |
| 134 | + run: ls build |
167 | 135 |
|
168 |
| - - name: Install dependencies |
169 |
| - run: | |
170 |
| - set -euo pipefail |
171 |
| - # The version of bash that macOS ships with is too old |
172 |
| - brew install bash |
173 |
| -
|
174 |
| - # The version of make that macOS ships with is too old |
175 |
| - brew install make |
176 |
| - echo "$(brew --prefix)/opt/make/libexec/gnubin" >> $GITHUB_PATH |
177 |
| -
|
178 |
| - # BSD getopt is incompatible with the build scripts |
179 |
| - brew install gnu-getopt |
180 |
| - echo "$(brew --prefix)/opt/gnu-getopt/bin" >> $GITHUB_PATH |
181 |
| -
|
182 |
| - # Used for notarizing the binaries |
183 |
| - brew tap mitchellh/gon |
184 |
| - brew install mitchellh/gon/gon |
185 |
| -
|
186 |
| - # Used for compressing embedded slim binaries |
187 |
| - brew install zstd |
188 |
| -
|
189 |
| - - name: Build Site |
190 |
| - run: make site/out/index.html |
191 |
| - |
192 |
| - - name: Build darwin Binaries (with signatures) |
193 |
| - run: | |
194 |
| - set -euo pipefail |
195 |
| - go mod download |
196 |
| -
|
197 |
| - version="$(./scripts/version.sh)" |
198 |
| - make -j \ |
199 |
| - build/coder_"$version"_darwin_{amd64,arm64}.zip |
200 |
| - env: |
201 |
| - CODER_SIGN_DARWIN: "1" |
202 |
| - AC_USERNAME: ${{ secrets.AC_USERNAME }} |
203 |
| - AC_PASSWORD: ${{ secrets.AC_PASSWORD }} |
204 |
| - AC_APPLICATION_IDENTITY: BDB050EB749EDD6A80C6F119BF1382ECA119CCCC |
205 |
| - |
206 |
| - - name: Upload Binary Artifacts |
207 |
| - uses: actions/upload-artifact@v3 |
208 |
| - with: |
209 |
| - name: darwin |
210 |
| - path: ./build/*.zip |
211 |
| - |
212 |
| - publish: |
213 |
| - runs-on: ubuntu-latest |
214 |
| - needs: |
215 |
| - - linux-windows |
216 |
| - - darwin |
217 |
| - steps: |
218 |
| - - uses: actions/checkout@v3 |
219 |
| - with: |
220 |
| - fetch-depth: 0 |
221 |
| - |
222 |
| - # If the event that triggered the build was an annotated tag (which our |
223 |
| - # tags are supposed to be), actions/checkout has a bug where the tag in |
224 |
| - # question is only a lightweight tag and not a full annotated tag. This |
225 |
| - # command seems to fix it. |
226 |
| - # https://github.com/actions/checkout/issues/290 |
227 |
| - - name: Fetch git tags |
228 |
| - run: git fetch --tags --force |
229 |
| - |
230 |
| - - name: mkdir artifacts |
231 |
| - run: mkdir artifacts |
232 |
| - |
233 |
| - - name: Download darwin Artifacts |
234 |
| - uses: actions/download-artifact@v3 |
235 |
| - with: |
236 |
| - name: darwin |
237 |
| - path: artifacts |
238 |
| - |
239 |
| - - name: Download Linux and Windows Artifacts |
240 |
| - uses: actions/download-artifact@v3 |
241 |
| - with: |
242 |
| - name: linux |
243 |
| - path: artifacts |
244 |
| - |
245 |
| - - name: ls artifacts |
246 |
| - run: ls artifacts |
247 |
| - |
248 |
| - - name: Publish Helm |
249 |
| - run: | |
250 |
| - set -euxo pipefail |
251 |
| -
|
252 |
| - version="$(./scripts/version.sh)" |
253 |
| - make -j \ |
254 |
| - build/coder_helm_"$version".tgz |
255 |
| - mv ./build/*.tgz ./artifacts/ |
256 |
| -
|
257 |
| - - name: Publish Release |
| 136 | + - name: Publish release |
258 | 137 | run: |
|
259 | 138 | ./scripts/publish_release.sh \
|
260 | 139 | ${{ (github.event.inputs.dry_run || github.event.inputs.snapshot) && '--dry-run' }} \
|
261 |
| - ./artifacts/*.zip \ |
262 |
| - ./artifacts/*.tar.gz \ |
263 |
| - ./artifacts/*.tgz \ |
264 |
| - ./artifacts/*.apk \ |
265 |
| - ./artifacts/*.deb \ |
266 |
| - ./artifacts/*.rpm |
| 140 | + ./build/*.zip \ |
| 141 | + ./build/*.tar.gz \ |
| 142 | + ./build/*.tgz \ |
| 143 | + ./build/*.apk \ |
| 144 | + ./build/*.deb \ |
| 145 | + ./build/*.rpm |
267 | 146 | env:
|
268 | 147 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
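Review bot: The new "Setup Apple Developer certificate and API key" step leaves the decoded .p12, its password and the .p8 API key in /tmp for the rest of the `release` job, so every later step (the Docker image build, `ls build`, `publish_release.sh`) runs with the signing material still on disk and owned by the same user. The `touch` + `chmod 600` before writing is good, but nothing removes the files; a step placed directly after "Build binaries" with `if: always()` and `run: rm -f /tmp/apple_cert.p12 /tmp/apple_cert_password.txt /tmp/apple_apikey.p8` would limit the exposure to the one step that signs. Writing under `"$RUNNER_TEMP"` instead of fixed /tmp names would also keep the paths inside the runner's per-job temp directory. Separately, `echo "$AC_CERTIFICATE_PASSWORD" >` appends a newline to the password file; whether the signing tool strips it is not visible here, so `printf '%s'` is the safer form.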
|