ci: Use new notarization tool #269
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build Binaries | |
| on: | |
| push: | |
| branches: | |
| - stage | |
| tags: | |
| - '**' | |
| pull_request: | |
| branches: | |
| - '**' | |
| concurrency: | |
| group: ${{ github.ref }}-${{ github.workflow }}-${{ github.event_name }} | |
| cancel-in-progress: true | |
| permissions: | |
| id-token: write | |
| contents: write | |
| jobs: | |
| build: | |
| name: Build Binaries | |
| runs-on: ${{ matrix.runs-on }} | |
| strategy: | |
| matrix: | |
| include: | |
| - runs-on: ubuntu-latest | |
| artifact-name: climate-tokenization-engine-linux-x64 | |
| build-command: npm run create-linux-x64-dist | |
| - runs-on: [Linux, ARM64] | |
| artifact-name: climate-tokenization-engine-linux-arm64 | |
| build-command: npm run create-linux-arm64-dist | |
| - runs-on: macos-latest | |
| artifact-name: climate-tokenization-engine-macos-x64 | |
| build-command: npm run create-mac-x64-dist | |
| - runs-on: windows-2019 | |
| artifact-name: climate-tokenization-engine-windows-x64 | |
| build-command: npm run create-win-x64-dist | |
| steps: | |
| - name: Clean workspace | |
| uses: Chia-Network/actions/clean-workspace@main | |
| - name: Checkout Code | |
| uses: actions/checkout@v3 | |
| - name: Setup Node 18.16 | |
| uses: actions/setup-node@v3 | |
| with: | |
| node-version: '18.16' | |
| - name: Ignore Husky | |
| run: npm pkg delete scripts.prepare | |
| if: matrix.runs-on != 'windows-2019' | |
| - name: npm install | |
| run: | | |
| node --version | |
| npm install | |
| - name: npm cache clear --force | |
| run: npm cache clear --force | |
| - name: npm cache rm | |
| run: npm cache rm --force | |
| - name: npm cache verify | |
| run: npm cache verify | |
| - name: install global packages | |
| run: npm i -g @babel/cli @babel/preset-env pkg | |
| - name: create distributions | |
| run: ${{ matrix.build-command }} | |
| - name: Make executable | |
| run: chmod +x dist/climate-tokenization* | |
| # Windows Code Signing | |
| - name: Sign windows artifacts | |
| if: matrix.runs-on == 'windows-2019' | |
| uses: chia-network/actions/digicert/windows-sign@main | |
| with: | |
| sm_api_key: ${{ secrets.SM_API_KEY }} | |
| sm_client_cert_file_b64: ${{ secrets.SM_CLIENT_CERT_FILE_B64 }} | |
| sm_client_cert_password: ${{ secrets.SM_CLIENT_CERT_PASSWORD }} | |
| sm_code_signing_cert_sha1_hash: ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} | |
| file: ${{ github.workspace }}/dist/climate-tokenization-engine.exe | |
| # Mac .pkg build + sign | |
| - name: Import Apple installer signing certificate | |
| #if: steps.check_secrets.outputs.HAS_SECRET | |
| if: matrix.runs-on == 'macos-latest' | |
| uses: Apple-Actions/import-codesign-certs@v1 | |
| with: | |
| keychain-password: ${{ secrets.KEYCHAIN_PASSWORD }} | |
| p12-file-base64: ${{ secrets.APPLE_DEV_ID_INSTALLER }} | |
| p12-password: ${{ secrets.APPLE_DEV_ID_INSTALLER_PASS }} | |
| - name: Import Apple Application signing certificate | |
| #if: steps.check_secrets.outputs.HAS_SECRET | |
| if: matrix.runs-on == 'macos-latest' | |
| uses: Apple-Actions/import-codesign-certs@v1 | |
| with: | |
| create-keychain: false # Created when importing the first cert | |
| keychain-password: ${{ secrets.KEYCHAIN_PASSWORD }} | |
| p12-file-base64: ${{ secrets.APPLE_DEV_ID_APP }} | |
| p12-password: ${{ secrets.APPLE_DEV_ID_APP_PASS }} | |
| - name: Build Mac .pkg | |
| if: matrix.runs-on == 'macos-latest' | |
| run: | | |
| rm -rf ${{ github.workspace }}/build-scripts/macos/darwin/application || true | |
| cp -r ${{ github.workspace }}/dist ${{ github.workspace }}/build-scripts/macos/application | |
| echo "Signing the binaries" | |
| codesign -f -s "Developer ID Application: Chia Network Inc." --timestamp --options=runtime --entitlements ${{ github.workspace }}/build-scripts/macos/entitlements.mac.plist ${{ github.workspace }}/build-scripts/macos/application/climate-tokenization-engine | |
| # Makes the .pkg in ./build-scripts/macos/target/pkg | |
| echo "Building the .pkg" | |
| bash ${{ github.workspace }}/build-scripts/macos/build-macos.sh ClimateTokenizationEngine | |
| mkdir -p ${{ github.workspace }}/build-scripts/macos/target/pkg-signed | |
| echo "Signing the .pkg" | |
| productsign --sign "Developer ID Installer: Chia Network Inc." ${{ github.workspace }}/build-scripts/macos/target/pkg/ClimateTokenizationEngine-macos-installer-x64.pkg ${{ github.workspace }}/build-scripts/macos/target/pkg-signed/ClimateTokenizationEngine-macos-installer-x64.pkg | |
| echo "Notarizing the .pkg" | |
| xcrun notarytool submit \ | |
| --wait | |
| --apple-id "${{ secrets.APPLE_NOTARIZE_USERNAME }}" \ | |
| --password "${{ secrets.APPLE_NOTARIZE_PASSWORD }}" \ | |
| --team-id "${{ secrets.APPLE_TEAM_ID }}" \ | |
| "${{ github.workspace }}/build-scripts/macos/target/pkg-signed/ClimateTokenizationEngine-macos-installer-x64.pkg" | |
| - name: Upload Mac Installer | |
| if: matrix.runs-on == 'macos-latest' | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: climate-tokenization-engine-mac-installer | |
| path: ${{ github.workspace }}/build-scripts/macos/target/pkg-signed | |
| - name: Upload artifacts | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: ${{ matrix.artifact-name }} | |
| path: ${{ github.workspace }}/dist | |
| debs: | |
| name: Build ${{ matrix.name }} deb | |
| runs-on: ubuntu-latest | |
| needs: | |
| - build | |
| strategy: | |
| matrix: | |
| include: | |
| - name: climate-tokenization-engine-linux-x64 | |
| platform: amd64 | |
| - name: climate-tokenization-engine-linux-arm64 | |
| platform: arm64 | |
| steps: | |
| - name: Checkout Code | |
| uses: actions/checkout@v3 | |
| - name: Download Linux artifacts | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: ${{ matrix.name }} | |
| path: ${{ matrix.name }} | |
| - name: Get tag name | |
| id: tag-name | |
| run: | | |
| echo "TAGNAME=$(echo $GITHUB_REF | cut -d / -f 3)" >> $GITHUB_OUTPUT | |
| - name: Build .deb | |
| env: | |
| CLIMATE_TOKENIZATION_ENGINE_VERSION: ${{ steps.tag-name.outputs.TAGNAME }} | |
| PLATFORM: ${{ matrix.platform }} | |
| run: | | |
| pip install j2cli | |
| CLI_DEB_BASE="climate-tokenization-engine_${{ steps.tag-name.outputs.TAGNAME }}-1_${PLATFORM}" | |
| mkdir -p "deb/$CLI_DEB_BASE/opt/climate-tokenization-engine" | |
| mkdir -p "deb/$CLI_DEB_BASE/usr/bin" | |
| mkdir -p "deb/$CLI_DEB_BASE/etc/systemd/system" | |
| mkdir -p "deb/$CLI_DEB_BASE/DEBIAN" | |
| j2 -o "deb/$CLI_DEB_BASE/DEBIAN/control" build-scripts/deb/control.j2 | |
| cp -r ${{ matrix.name }}/* "deb/$CLI_DEB_BASE/opt/climate-tokenization-engine/" | |
| cp build-scripts/deb/[email protected] deb/$CLI_DEB_BASE/etc/systemd/system/[email protected] | |
| chmod +x deb/$CLI_DEB_BASE/opt/climate-tokenization-engine/climate-tokenization-engine | |
| ln -s ../../opt/climate-tokenization-engine/climate-tokenization-engine "deb/$CLI_DEB_BASE/usr/bin/climate-tokenization-engine" | |
| dpkg-deb --build --root-owner-group "deb/$CLI_DEB_BASE" | |
| - name: Upload deb | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: ${{ matrix.name }}-deb | |
| path: ${{ github.workspace }}/deb/*.deb | |
| release: | |
| runs-on: ubuntu-latest | |
| if: startsWith(github.ref, 'refs/tags/') | |
| needs: | |
| - debs | |
| - build | |
| steps: | |
| - name: Download Windows artifacts | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: climate-tokenization-engine-windows-x64 | |
| path: climate-tokenization-engine-windows-x64 | |
| - name: Download MacOS installer artifacts | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: climate-tokenization-engine-mac-installer | |
| path: climate-tokenization-engine-mac-installer | |
| - name: Download MacOS executable artifacts | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: climate-tokenization-engine-macos-x64 | |
| path: climate-tokenization-engine-macos-x64 | |
| - name: Download Linux x64 artifacts | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: climate-tokenization-engine-linux-x64 | |
| path: climate-tokenization-engine-linux-x64 | |
| - name: Download Linux ARM 64 artifacts | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: climate-tokenization-engine-linux-arm64 | |
| path: climate-tokenization-engine-linux-arm64 | |
| - name: Download Linux x64 deb | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: climate-tokenization-engine-linux-x64-deb | |
| path: climate-tokenization-engine-linux-x64-deb | |
| - name: Download Linux arm64 deb | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: climate-tokenization-engine-linux-arm64-deb | |
| path: climate-tokenization-engine-linux-arm64-deb | |
| - name: Get tag name | |
| id: tag-name | |
| run: | | |
| echo "TAGNAME=$(echo $GITHUB_REF | cut -d / -f 3)" >>$GITHUB_OUTPUT | |
| - name: Create zips | |
| run: | | |
| zip -r climate-tokenization-engine-windows-x64-${{ steps.tag-name.outputs.TAGNAME }}.zip climate-tokenization-engine-windows-x64 | |
| zip -r climate-tokenization-engine-macos-x64-${{ steps.tag-name.outputs.TAGNAME }}.zip climate-tokenization-engine-mac-installer | |
| zip -r climate-tokenization-engine-linux-x64-${{ steps.tag-name.outputs.TAGNAME }}.zip climate-tokenization-engine-linux-x64 | |
| zip -r climate-tokenization-engine-linux-arm64-${{ steps.tag-name.outputs.TAGNAME }}.zip climate-tokenization-engine-linux-arm64 | |
| zip -r climate-tokenization-engine-macos-binary-x64-${{ steps.tag-name.outputs.TAGNAME }}.zip climate-tokenization-engine-macos-x64 | |
| - name: Release | |
| uses: softprops/[email protected] | |
| with: | |
| files: | | |
| climate-tokenization-engine-windows-x64-${{ steps.tag-name.outputs.TAGNAME }}.zip | |
| climate-tokenization-engine-macos-x64-${{ steps.tag-name.outputs.TAGNAME }}.zip | |
| climate-tokenization-engine-linux-x64-${{ steps.tag-name.outputs.TAGNAME }}.zip | |
| climate-tokenization-engine-linux-arm64-${{ steps.tag-name.outputs.TAGNAME }}.zip | |
| climate-tokenization-engine-macos-binary-x64-${{ steps.tag-name.outputs.TAGNAME }}.zip | |
| climate-tokenization-engine-linux-x64-deb/*.deb | |
| climate-tokenization-engine-linux-arm64-deb/*.deb | |
| - name: Get repo name | |
| id: repo-name | |
| run: | | |
| echo "REPO_NAME=$(echo "$GITHUB_REPOSITORY" | cut -d "/" -f 2)" >>$GITHUB_OUTPUT | |
| - name: Gets JWT Token from GitHub | |
| uses: Chia-Network/actions/github/jwt@main | |
| - name: Trigger apt repo update | |
| run: | | |
| curl -s -XPOST -H "Authorization: Bearer ${{ env.JWT_TOKEN }}" --data '{"climate_tokenization_repo":"${{ steps.repo-name.outputs.REPO_NAME }}","application_name":"[\"climate-tokenization-engine\"]","release_version":"${{ steps.tag-name.outputs.TAGNAME }}","add_debian_version":"true","arm64":"available"}' ${{ secrets.GLUE_API_URL }}/api/v1/climate-tokenization/${{ github.sha }}/start | |
| curl -s -XPOST -H "Authorization: Bearer ${{ env.JWT_TOKEN }}" --data '{"climate_tokenization_repo":"${{ steps.repo-name.outputs.REPO_NAME }}","application_name":"[\"climate-tokenization-engine\"]","release_version":"${{ steps.tag-name.outputs.TAGNAME }}","add_debian_version":"true","arm64":"available"}' ${{ secrets.GLUE_API_URL }}/api/v1/climate-tokenization/${{ github.sha }}/success/deploy |