Sign releases, dev builds, and nuget package
HebaruSan committed Sep 21, 2024
1 parent 422e68e commit a7a29f5
Showing 5 changed files with 134 additions and 96 deletions.
21 changes: 16 additions & 5 deletions .github/workflows/build.yml
Expand Up @@ -7,15 +7,15 @@ on:
type: string
default: Debug
outputs:
repack-artifact-id:
description: "Artifact ID of the repack"
value: ${{ jobs.build.outputs.repack-artifact-id }}
unsigned-artifact-id:
description: Artifact ID of the assets to be signed
value: ${{ jobs.build.outputs.unsigned-artifact-id }}

jobs:
build:
runs-on: ubuntu-latest
outputs:
repack-artifact-id: ${{ steps.upload-repack-artifact.outputs.artifact-id }}
unsigned-artifact-id: ${{ steps.upload-unsigned-artifact.outputs.artifact-id }}
steps:
- uses: actions/checkout@v4
- name: Restore cache for _build/tools
Expand Down Expand Up @@ -50,10 +50,21 @@ jobs:
name: ${{ inputs.configuration }}-out-unsigned
path: _build/out/
retention-days: 1
- name: Bundle assets for signing
if: inputs.configuration == 'Release'
run: ./build Prepare-SignPath --configuration=${{ inputs.configuration }} --exclusive
- name: Upload unsigned artifact
id: upload-unsigned-artifact
if: inputs.configuration == 'Release'
uses: actions/upload-artifact@v4
with:
name: unsigned
path: _build/signpath
retention-days: 7
- name: Upload ckan.exe artifact
if: inputs.configuration == 'Release'
uses: actions/upload-artifact@v4
with:
name: ckan.exe
path: _build/repack/Release/ckan.exe
retention-days: 7
if: inputs.configuration == 'Release'
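Review bot: The bundle that becomes the signing input is produced in the same job that runs `Restore cache for _build/tools`, so the new `Bundle assets for signing` and `Upload unsigned artifact` steps may be packaging output that was built with tooling taken from a cache rather than from the checked-out commit. The cache step's key and path are collapsed out of this section, so whether cached tools can influence the Release output is an inference to confirm. If they can, the simplest hardening is to skip the restore for signed builds, for example `if: inputs.configuration != 'Release'` on the cache step, so that what is submitted for signing derives only from the commit. A short comment above `Upload unsigned artifact` stating that `_build/signpath` is the signing input and must contain only files built in this job would also help the next maintainer.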
74 changes: 40 additions & 34 deletions .github/workflows/deploy.yml
Expand Up @@ -15,11 +15,8 @@ env:
AWS_S3_BUCKET: ksp-ckan

jobs:
test-release:
uses: ./.github/workflows/test.yml

smoke-inflator:
uses: ./.github/workflows/smoke.yml
sign-assets:
uses: ./.github/workflows/sign.yml

check-dev-build:
runs-on: ubuntu-latest
Expand All @@ -40,13 +37,12 @@ jobs:
upload-release-s3:
needs:
- test-release
- smoke-inflator
- sign-assets
if: github.event_name != 'repository_dispatch'
runs-on: ubuntu-latest
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
if: github.event_name != 'repository_dispatch'
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
Expand All @@ -55,11 +51,15 @@ jobs:
aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
aws-region: us-east-1
- uses: actions/checkout@v4
- name: Download repack artifact
- name: Download signed artifact
uses: actions/download-artifact@v4
with:
name: Release-repack-unsigned
path: _build/repack/
name: signed
path: _build/signed
- name: Put signed exes into repack path
run: |
mkdir -p _build/repack/Release
cp _build/signed/*.exe _build/repack/Release
- uses: actions/setup-python@v5
with:
python-version: 3.11
Expand All @@ -70,14 +70,13 @@ jobs:
pip install gitpython
git config --global --add safe.directory '*'
python bin/version_info.py > _build/repack/Release/version.json
- name: Push ckan.exe, netkan.exe, and version.json to S3
- name: Push ckan.exe, AutoUpdater.exe, netkan.exe, and version.json to S3
run: aws s3 sync _build/repack/Release s3://${AWS_S3_BUCKET} --follow-symlinks

upload-dmg:
needs:
- check-dev-build
- test-release
- smoke-inflator
- sign-assets
runs-on: ubuntu-latest
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
Expand All @@ -93,11 +92,15 @@ jobs:
- name: Install OSX build dependencies
run: sudo apt-get install -y libplist-utils xorriso
- uses: actions/checkout@v4
- name: Download repack artifact
- name: Download signed artifact
uses: actions/download-artifact@v4
with:
name: Release-repack-unsigned
path: _build/repack/
name: signed
path: _build/signed
- name: Put signed exe into repack path
run: |
mkdir -p _build/repack/Release
cp _build/signed/ckan.exe _build/repack/Release
- name: Build dmg
run: ./build osx --configuration=Release --exclusive
- name: Push dmg to S3
Expand All @@ -106,8 +109,7 @@ jobs:
upload-deb:
needs:
- check-dev-build
- test-release
- smoke-inflator
- sign-assets
runs-on: ubuntu-latest
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
Expand All @@ -121,11 +123,15 @@ jobs:
aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
aws-region: us-east-1
- uses: actions/checkout@v4
- name: Download repack artifact
- name: Download signed artifact
uses: actions/download-artifact@v4
with:
name: Release-repack-unsigned
path: _build/repack/
name: signed
path: _build/signed
- name: Put signed exe into repack path
run: |
mkdir -p _build/repack/Release
cp _build/signed/ckan.exe _build/repack/Release
- name: Build deb
env:
CODENAME: nightly
Expand Down Expand Up @@ -160,8 +166,7 @@ jobs:
upload-rpm:
needs:
- check-dev-build
- test-release
- smoke-inflator
- sign-assets
runs-on: ubuntu-latest
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
Expand All @@ -177,11 +182,15 @@ jobs:
- uses: actions/checkout@v4
- name: Install rpm build dependencies
run: sudo apt-get install -y createrepo-c
- name: Download repack artifact
- name: Download signed artifact
uses: actions/download-artifact@v4
with:
name: Release-repack-unsigned
path: _build/repack/
name: signed
path: _build/signed
- name: Put signed exe into repack path
run: |
mkdir -p _build/repack/Release
cp _build/signed/ckan.exe _build/repack/Release
- name: Build rpm
run: ./build rpm --configuration=Release --exclusive
- name: Import GPG key
Expand All @@ -202,10 +211,9 @@ jobs:

upload-inflator:
needs:
- test-release
- smoke-inflator
runs-on: ubuntu-latest
- sign-assets
if: github.event_name != 'repository_dispatch'
runs-on: ubuntu-latest
steps:
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
Expand Down Expand Up @@ -239,8 +247,7 @@ jobs:
upload-metadata-tester:
needs:
- test-release
- smoke-inflator
- sign-assets
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
Expand All @@ -266,8 +273,7 @@ jobs:

notify-discord:
needs:
- test-release
- smoke-inflator
- sign-assets
- upload-release-s3
- upload-dmg
- upload-deb
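Review bot: Nothing between downloading the `signed` artifact and publishing it checks that the files actually carry a valid signature; in `upload-release-s3` the new `cp _build/signed/*.exe _build/repack/Release` is followed directly by `aws s3 sync`. The signing workflow is not visible in this section, but if it ever passed a file through unsigned or added an unexpected executable, the glob would carry it to the bucket unnoticed. Naming the expected files instead of globbing narrows this, e.g. `cp _build/signed/ckan.exe _build/signed/AutoUpdater.exe _build/signed/netkan.exe _build/repack/Release` (assuming these are the three executables the push step's name refers to). A signature-verification step that fails the job before the sync would close the gap. The same download-copy-publish sequence appears in `upload-dmg`, `upload-deb` and `upload-rpm`, which would benefit from the same check on `ckan.exe`.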
90 changes: 37 additions & 53 deletions .github/workflows/release.yml
Expand Up @@ -9,64 +9,44 @@ env:
AWS_S3_BUCKET: ksp-ckan

jobs:
test-release:
uses: ./.github/workflows/test.yml

smoke-inflator:
uses: ./.github/workflows/smoke.yml

sign-release:
runs-on: ubuntu-latest
needs:
- test-release
- smoke-inflator
outputs:
artifact-url: ${{steps.sign.outputs.signing-request-id }}
steps:
- uses: signpath/github-action-submit-signing-request@v1
id: sign
with:
api-token: ${{ secrets.SIGNPATH_API_TOKEN }}
organization-id: 0cd9fc3f-b78d-4214-b152-b2e93c952e14
project-slug: CKAN
signing-policy-slug: test-signing
github-artifact-id: ${{ needs.smoke-inflator.outputs.repack-artifact-id }}
artifact-configuration-slug: release
wait-for-completion: true
sign-assets:
uses: ./.github/workflows/sign.yml

upload-nuget:
runs-on: ubuntu-latest
needs:
- test-release
- smoke-inflator
- sign-assets
steps:
- name: Download out artifact
- name: Download signed artifact
uses: actions/download-artifact@v4
with:
name: Release-out-unsigned
path: _build/out/
name: signed
path: _build/signed
- name: Publish ckan.dll to NuGet
env:
NUGET_API_KEY: ${{ secrets.NUGET_API_KEY }}
if: env.NUGET_API_KEY
run: |
curl -o nuget.exe -L 'https://dist.nuget.org/win-x86-commandline/v5.6.0/nuget.exe'
mono nuget.exe push _build/out/CKAN/Release/bin/*.nupkg ${{ secrets.NUGET_API_KEY }} -Source https://api.nuget.org/v3/index.json -SkipDuplicate
mono nuget.exe push _build/signed/*.nupkg ${{ secrets.NUGET_API_KEY }} -Source https://api.nuget.org/v3/index.json -SkipDuplicate
build-dmg:
runs-on: ubuntu-latest
needs:
- test-release
- smoke-inflator
- sign-assets
steps:
- uses: actions/checkout@v4
- name: Install OSX build dependencies
run: sudo apt-get install -y libplist-utils xorriso
- name: Download repack artifact
- name: Download signed artifact
uses: actions/download-artifact@v4
with:
name: Release-repack-unsigned
path: _build/repack/
name: signed
path: _build/signed
- name: Put signed ckan.exe into repack path
run: |
mkdir -p _build/repack/Release
cp _build/signed/ckan.exe _build/repack/Release
- name: Build dmg
run: ./build osx --configuration=Release --exclusive
- name: Upload OSX release asset
Expand All @@ -77,8 +57,7 @@ jobs:
build-deb:
runs-on: ubuntu-latest
needs:
- test-release
- smoke-inflator
- sign-assets
steps:
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4
Expand All @@ -87,11 +66,15 @@ jobs:
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-east-1
- uses: actions/checkout@v4
- name: Download repack artifact
- name: Download signed artifact
uses: actions/download-artifact@v4
with:
name: Release-repack-unsigned
path: _build/repack/
name: signed
path: _build/signed
- name: Put signed ckan.exe into repack path
run: |
mkdir -p _build/repack/Release
cp _build/signed/ckan.exe _build/repack/Release
- name: Set deb version
run: |
VERSION=$(echo "${{ github.event.release.tag_name }}" | tr -d "v")
Expand Down Expand Up @@ -125,8 +108,7 @@ jobs:
build-rpm:
runs-on: ubuntu-latest
needs:
- test-release
- smoke-inflator
- sign-assets
steps:
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4
Expand All @@ -137,11 +119,15 @@ jobs:
- uses: actions/checkout@v4
- name: Install rpm build dependencies
run: sudo apt-get install -y createrepo-c
- name: Download repack artifact
- name: Download signed artifact
uses: actions/download-artifact@v4
with:
name: Release-repack-unsigned
path: _build/repack/
name: signed
path: _build/signed
- name: Put signed ckan.exe into repack path
run: |
mkdir -p _build/repack/Release
cp _build/signed/ckan.exe _build/repack/Release
- name: Set rpm version
run: |
VERSION=$(echo "${{ github.event.release.tag_name }}" | tr -d v)
Expand Down Expand Up @@ -170,23 +156,21 @@ jobs:
upload-binaries:
runs-on: ubuntu-latest
needs:
- test-release
- smoke-inflator
- sign-assets
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
- name: Download repack artifact
- name: Download signed artifact
uses: actions/download-artifact@v4
with:
name: Release-repack-unsigned
path: _build/repack/
name: signed
path: _build/signed
- name: Upload ckan.exe and AutoUpdater.exe release assets
run: gh release upload ${{ github.event.release.tag_name }} _build/repack/Release/ckan.exe _build/repack/Release/AutoUpdater.exe
run: gh release upload ${{ github.event.release.tag_name }} _build/signed/ckan.exe _build/signed/AutoUpdater.exe

notify-discord:
needs:
- test-release
- smoke-inflator
- sign-assets
- build-dmg
- build-deb
- build-rpm
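Review bot: The rewritten push line in `upload-nuget` still expands `${{ secrets.NUGET_API_KEY }}` into the script text even though the step already exports it as `NUGET_API_KEY`. Referencing the variable keeps the key out of the rendered script: `mono nuget.exe push _build/signed/*.nupkg "$NUGET_API_KEY" -Source https://api.nuget.org/v3/index.json -SkipDuplicate`. The rewritten `gh release upload` line in `upload-binaries` likewise pastes `${{ github.event.release.tag_name }}` into the shell; setting `TAG_NAME: ${{ github.event.release.tag_name }}` under the job's `env:` and passing `"$TAG_NAME"` keeps the tag text from being parsed as shell syntax. Both jobs are only partly visible here, so confirm that no other step depends on the inline form.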
