diff --git a/.github/workflows/cmake-ctest.yml b/.github/workflows/cmake-ctest.yml index e8c158283dc..04dc2b664fc 100644 --- a/.github/workflows/cmake-ctest.yml +++ b/.github/workflows/cmake-ctest.yml @@ -22,6 +22,19 @@ on: type: string required: true default: snapshots + secrets: + AZURE_TENANT_ID: + required: true + AZURE_CLIENT_ID: + required: true + AZURE_CLIENT_SECRET: + required: true + AZURE_ENDPOINT: + required: true + AZURE_CODE_SIGNING_NAME: + required: true + AZURE_CERT_PROFILE_NAME: + required: true permissions: contents: read @@ -44,6 +57,20 @@ jobs: - name: Enable Developer Command Prompt uses: ilammy/msvc-dev-cmd@v1.13.0 + - name: Check Secrets exists + id: set-signing-state + env: + super_secret: ${{ secrets.AZURE_ENDPOINT }} + run: | + if [[ '${{ env.super_secret }}' == '' ]] + then + SIGN_VAL=$(echo "false") + else + SIGN_VAL=$(echo "true") + fi + echo "BINSIGN=$SIGN_VAL" >> $GITHUB_OUTPUT + shell: bash + - name: Set file base name (Windows) id: set-file-base run: | @@ -86,15 +113,27 @@ jobs: cmake --workflow --preset=${{ inputs.preset_name }}-MSVC --fresh shell: bash - - name: Create build folders (Windows) - run: | - mkdir "${{ runner.workspace }}/build" - mkdir "${{ runner.workspace }}/build/hdf5" - shell: bash + - name: Sign files with Trusted Signing + uses: azure/trusted-signing-action@v0.4.0 + with: + azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }} + azure-client-id: ${{ secrets.AZURE_CLIENT_ID }} + azure-client-secret: ${{ secrets.AZURE_CLIENT_SECRET }} + endpoint: ${{ secrets.AZURE_ENDPOINT }} + trusted-signing-account-name: ${{ secrets.AZURE_CODE_SIGNING_NAME }} + certificate-profile-name: ${{ secrets.AZURE_CERT_PROFILE_NAME }} + files-folder: ${{ runner.workspace }}/hdf5/build/${{ inputs.preset_name }}-MSVC + files-folder-filter: msi + file-digest: SHA256 + timestamp-rfc3161: http://timestamp.acs.microsoft.com + timestamp-digest: SHA256 + if: ${{ steps.set-signing-state.BINSIGN == 'true' }} - name: Publish binary (Windows) id: publish-ctest-binary run: | + mkdir "${{ runner.workspace }}/build" + mkdir "${{ runner.workspace }}/build/hdf5" Copy-Item -Path ${{ runner.workspace }}/hdf5/${{ steps.set-file-base.outputs.SOURCE_BASE }}/COPYING -Destination ${{ runner.workspace }}/build/hdf5/ Copy-Item -Path ${{ runner.workspace }}/hdf5/${{ steps.set-file-base.outputs.SOURCE_BASE }}/COPYING_LBNL_HDF5 -Destination ${{ runner.workspace }}/build/hdf5/ Copy-Item -Path ${{ runner.workspace }}/hdf5/build/${{ inputs.preset_name }}-MSVC/README.md -Destination ${{ runner.workspace }}/build/hdf5/ @@ -106,11 +145,13 @@ jobs: - name: Publish msi binary (Windows) id: publish-ctest-msi-binary run: | - Copy-Item -Path ${{ runner.workspace }}/hdf5/${{ steps.set-file-base.outputs.SOURCE_BASE }}/COPYING -Destination ${{ runner.workspace }}/build/hdf5/ - Copy-Item -Path ${{ runner.workspace }}/hdf5/${{ steps.set-file-base.outputs.SOURCE_BASE }}/COPYING_LBNL_HDF5 -Destination ${{ runner.workspace }}/build/hdf5/ - Copy-Item -Path ${{ runner.workspace }}/hdf5/build/${{ inputs.preset_name }}-MSVC/README.md -Destination ${{ runner.workspace }}/build/hdf5/ - Copy-Item -Path ${{ runner.workspace }}/hdf5/build/${{ inputs.preset_name }}-MSVC/* -Destination ${{ runner.workspace }}/build/hdf5/ -Include *.msi - cd "${{ runner.workspace }}/build" + mkdir "${{ runner.workspace }}/buildmsi" + mkdir "${{ runner.workspace }}/buildmsi/hdf5" + Copy-Item -Path ${{ runner.workspace }}/hdf5/${{ steps.set-file-base.outputs.SOURCE_BASE }}/COPYING -Destination ${{ runner.workspace }}/buildmsi/hdf5/ + Copy-Item -Path ${{ runner.workspace }}/hdf5/${{ steps.set-file-base.outputs.SOURCE_BASE }}/COPYING_LBNL_HDF5 -Destination ${{ runner.workspace }}/buildmsi/hdf5/ + Copy-Item -Path ${{ runner.workspace }}/hdf5/build/${{ inputs.preset_name }}-MSVC/README.md -Destination ${{ runner.workspace }}/buildmsi/hdf5/ + Copy-Item -Path ${{ runner.workspace }}/hdf5/build/${{ inputs.preset_name }}-MSVC/* -Destination ${{ runner.workspace }}/buildmsi/hdf5/ -Include *.msi + cd "${{ runner.workspace }}/buildmsi" 7z a -tzip ${{ steps.set-file-base.outputs.FILE_BASE }}-win-vs2022_cl.msi.zip hdf5 shell: pwsh @@ -132,7 +173,7 @@ jobs: uses: actions/upload-artifact@v4 with: name: msi-vs2022_cl-binary - path: ${{ runner.workspace }}/build/${{ steps.set-file-base.outputs.FILE_BASE }}-win-vs2022_cl.msi.zip + path: ${{ runner.workspace }}/buildmsi/${{ steps.set-file-base.outputs.FILE_BASE }}-win-vs2022_cl.msi.zip if-no-files-found: error # 'warn' or 'ignore' are also available, defaults to `warn` build_and_test_linux: @@ -237,7 +278,6 @@ jobs: path: ${{ runner.workspace }}/build/${{ steps.set-file-base.outputs.FILE_BASE }}-ubuntu-2204_gcc.tar.gz if-no-files-found: error # 'warn' or 'ignore' are also available, defaults to `warn` - # Save files created by ctest script - name: Save published binary deb (Linux) uses: actions/upload-artifact@v4 with: @@ -245,7 +285,6 @@ jobs: path: ${{ runner.workspace }}/builddeb/${{ steps.set-file-base.outputs.FILE_BASE }}-ubuntu-2204_gcc.deb.tar.gz if-no-files-found: error # 'warn' or 'ignore' are also available, defaults to `warn` - # Save files created by ctest script - name: Save published binary rpm (Linux) uses: actions/upload-artifact@v4 with: @@ -340,13 +379,14 @@ jobs: - name: Publish dmg binary (MacOS_latest) id: publish-ctest-dmg-binary run: | - mkdir "${{ runner.workspace }}/build/hdf5dmg" - cp ${{ runner.workspace }}/hdf5/${{ steps.set-file-base.outputs.SOURCE_BASE }}/COPYING ${{ runner.workspace }}/build/hdf5dmg - cp ${{ runner.workspace }}/hdf5/${{ steps.set-file-base.outputs.SOURCE_BASE }}/COPYING_LBNL_HDF5 ${{ runner.workspace }}/build/hdf5dmg - cp ${{ runner.workspace }}/hdf5/build/${{ inputs.preset_name }}-Clang/README.md ${{ runner.workspace }}/build/hdf5dmg - cp ${{ runner.workspace }}/hdf5/build/${{ inputs.preset_name }}-Clang/*.dmg.tar.gz ${{ runner.workspace }}/build/hdf5dmg - cd "${{ runner.workspace }}/build" - tar -zcvf ${{ steps.set-file-base.outputs.FILE_BASE }}-osx.tar.gz hdf5dmg + mkdir "${{ runner.workspace }}/builddmg" + mkdir "${{ runner.workspace }}/builddmg/hdf5" + cp ${{ runner.workspace }}/hdf5/${{ steps.set-file-base.outputs.SOURCE_BASE }}/COPYING ${{ runner.workspace }}/builddmg/hdf5 + cp ${{ runner.workspace }}/hdf5/${{ steps.set-file-base.outputs.SOURCE_BASE }}/COPYING_LBNL_HDF5 ${{ runner.workspace }}/builddmg/hdf5 + cp ${{ runner.workspace }}/hdf5/build/${{ inputs.preset_name }}-Clang/README.md ${{ runner.workspace }}/builddmg/hdf5 + cp ${{ runner.workspace }}/hdf5/build/${{ inputs.preset_name }}-Clang/*.dmg ${{ runner.workspace }}/builddmg/hdf5 + cd "${{ runner.workspace }}/builddmg" + tar -zcvf ${{ steps.set-file-base.outputs.FILE_BASE }}-osx.dmg.tar.gz hdf5 shell: bash - name: List files in the space (MacOS_latest) @@ -366,7 +406,7 @@ jobs: uses: actions/upload-artifact@v4 with: name: tgz-osx-dmg-binary - path: ${{ runner.workspace }}/build/${{ steps.set-file-base.outputs.FILE_BASE }}-osx.dmg.tar.gz + path: ${{ runner.workspace }}/builddmg/${{ steps.set-file-base.outputs.FILE_BASE }}-osx.dmg.tar.gz if-no-files-found: error # 'warn' or 'ignore' are also available, defaults to `warn` build_and_test_S3_linux: @@ -451,6 +491,20 @@ jobs: - name: Install Dependencies (Windows_intel) run: choco install ninja + - name: Check Secrets exists + id: set-signing-state + env: + super_secret: ${{ secrets.AZURE_ENDPOINT }} + run: | + if [[ '${{ env.super_secret }}' == '' ]] + then + SIGN_VAL=$(echo "false") + else + SIGN_VAL=$(echo "true") + fi + echo "BINSIGN=$SIGN_VAL" >> $GITHUB_OUTPUT + shell: bash + - name: add oneAPI to env uses: fortran-lang/setup-fortran@v1 id: setup-fortran @@ -504,15 +558,27 @@ jobs: cmake --workflow --preset=${{ inputs.preset_name }}-win-Intel --fresh shell: pwsh - - name: Create build folders (Windows_intel) - run: | - mkdir "${{ runner.workspace }}/build" - mkdir "${{ runner.workspace }}/build/hdf5" - shell: bash + - name: Sign files with Trusted Signing (Windows_intel) + uses: azure/trusted-signing-action@v0.4.0 + with: + azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }} + azure-client-id: ${{ secrets.AZURE_CLIENT_ID }} + azure-client-secret: ${{ secrets.AZURE_CLIENT_SECRET }} + endpoint: ${{ secrets.AZURE_ENDPOINT }} + trusted-signing-account-name: ${{ secrets.AZURE_CODE_SIGNING_NAME }} + certificate-profile-name: ${{ secrets.AZURE_CERT_PROFILE_NAME }} + files-folder: ${{ runner.workspace }}/hdf5/build/${{ inputs.preset_name }}-MSVC + files-folder-filter: msi + file-digest: SHA256 + timestamp-rfc3161: http://timestamp.acs.microsoft.com + timestamp-digest: SHA256 + if: ${{ steps.set-signing-state.BINSIGN == 'true' }} - name: Publish binary (Windows_intel) id: publish-ctest-binary run: | + mkdir "${{ runner.workspace }}/build" + mkdir "${{ runner.workspace }}/build/hdf5" Copy-Item -Path ${{ runner.workspace }}/hdf5/${{ steps.set-file-base.outputs.SOURCE_BASE }}/COPYING -Destination ${{ runner.workspace }}/build/hdf5/ Copy-Item -Path ${{ runner.workspace }}/hdf5/${{ steps.set-file-base.outputs.SOURCE_BASE }}/COPYING_LBNL_HDF5 -Destination ${{ runner.workspace }}/build/hdf5/ Copy-Item -Path ${{ runner.workspace }}/hdf5/build/${{ inputs.preset_name }}-Intel/README.md -Destination ${{ runner.workspace }}/build/hdf5/ @@ -524,11 +590,13 @@ jobs: - name: Publish msi binary (Windows_intel) id: publish-ctest-msi-binary run: | - Copy-Item -Path ${{ runner.workspace }}/hdf5/${{ steps.set-file-base.outputs.SOURCE_BASE }}/COPYING -Destination ${{ runner.workspace }}/build/hdf5/ - Copy-Item -Path ${{ runner.workspace }}/hdf5/${{ steps.set-file-base.outputs.SOURCE_BASE }}/COPYING_LBNL_HDF5 -Destination ${{ runner.workspace }}/build/hdf5/ - Copy-Item -Path ${{ runner.workspace }}/hdf5/build/${{ inputs.preset_name }}-Intel/README.md -Destination ${{ runner.workspace }}/build/hdf5/ - Copy-Item -Path ${{ runner.workspace }}/hdf5/build/${{ inputs.preset_name }}-Intel/* -Destination ${{ runner.workspace }}/build/hdf5/ -Include *.msi - cd "${{ runner.workspace }}/build" + mkdir "${{ runner.workspace }}/buildmsi" + mkdir "${{ runner.workspace }}/buildmsi/hdf5" + Copy-Item -Path ${{ runner.workspace }}/hdf5/${{ steps.set-file-base.outputs.SOURCE_BASE }}/COPYING -Destination ${{ runner.workspace }}/buildmsi/hdf5/ + Copy-Item -Path ${{ runner.workspace }}/hdf5/${{ steps.set-file-base.outputs.SOURCE_BASE }}/COPYING_LBNL_HDF5 -Destination ${{ runner.workspace }}/buildmsi/hdf5/ + Copy-Item -Path ${{ runner.workspace }}/hdf5/build/${{ inputs.preset_name }}-Intel/README.md -Destination ${{ runner.workspace }}/buildmsi/hdf5/ + Copy-Item -Path ${{ runner.workspace }}/hdf5/build/${{ inputs.preset_name }}-Intel/* -Destination ${{ runner.workspace }}/buildmsi/hdf5/ -Include *.msi + cd "${{ runner.workspace }}/buildmsi" 7z a -tzip ${{ steps.set-file-base.outputs.FILE_BASE }}-win-vs2022_intel.msi.zip hdf5 shell: pwsh @@ -550,7 +618,7 @@ jobs: uses: actions/upload-artifact@v4 with: name: msi-vs2022_intel-binary - path: ${{ runner.workspace }}/build/${{ steps.set-file-base.outputs.FILE_BASE }}-win-vs2022_intel.msi.zip + path: ${{ runner.workspace }}/buildmsi/${{ steps.set-file-base.outputs.FILE_BASE }}-win-vs2022_intel.msi.zip if-no-files-found: error # 'warn' or 'ignore' are also available, defaults to `warn` build_and_test_linux_intel: diff --git a/.github/workflows/daily-build.yml b/.github/workflows/daily-build.yml index c8441bd8dae..ad53474b91c 100644 --- a/.github/workflows/daily-build.yml +++ b/.github/workflows/daily-build.yml @@ -44,6 +44,13 @@ jobs: file_base: ${{ needs.call-workflow-tarball.outputs.file_base }} # use_tag: snapshot use_environ: snapshots + secrets: + AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} + AZURE_ENDPOINT: ${{ secrets.AZURE_ENDPOINT }} + AZURE_CODE_SIGNING_NAME: ${{ secrets.AZURE_CODE_SIGNING_NAME }} + AZURE_CERT_PROFILE_NAME: ${{ secrets.AZURE_CERT_PROFILE_NAME }} if: ${{ needs.call-workflow-tarball.outputs.has_changes == 'true' }} call-workflow-abi: