Multibuild #180
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Multibuild | |
on: | |
push: | |
tags: | |
- "v*.*.*" | |
workflow_dispatch: | |
inputs: | |
main_build_only: | |
description: "Run non-dockerx builds only" | |
required: true | |
default: false | |
type: boolean | |
permissions: # added using https://github.com/step-security/secure-repo | |
contents: read | |
jobs: | |
verify_tags: | |
permissions: | |
contents: write # Needed to create workflow branch | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- name: Create action branch | |
run: | | |
git config --global user.name 'Atsign Robot' | |
git config --global user.email '41898282+github-actions[bot]@users.noreply.github.com' | |
git checkout -b multibuild-${{github.run_number}} | |
- name: | |
Ensure pubspec.yaml matches git ref (if current git ref is a version | |
tag) | |
shell: bash | |
if: startsWith(github.ref, 'refs/tags/v') | |
working-directory: ./packages/dart/sshnoports | |
run: | | |
REF=${{ github.ref }} | |
VER=${REF:11} | |
sed -i "0,/version:/{s/version: \(.*\)/version: "${VER}"/}" pubspec.yaml | |
if [ "$(git status --porcelain)" ]; then | |
git add . | |
git commit -m 'ci: Updated version to tag' | |
fi | |
- name: Push changes to branch | |
run: git push --set-upstream origin multibuild-${{github.run_number}} | |
main_build: | |
needs: verify_tags | |
runs-on: ${{ matrix.os }} | |
defaults: | |
run: | |
working-directory: ./packages/dart/sshnoports | |
strategy: | |
matrix: | |
include: | |
- os: ubuntu-latest | |
output-name: sshnp-linux-x64 | |
ext: "" | |
bundle: "shell" | |
- os: macos-13 | |
output-name: sshnp-macos-x64 | |
ext: "" | |
bundle: "shell" | |
- os: macos-14 | |
output-name: sshnp-macos-arm64 | |
ext: "" | |
bundle: "shell" | |
- os: windows-latest | |
output-name: sshnp-windows-x64 | |
ext: ".exe" | |
bundle: "windows" | |
steps: | |
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
with: | |
ref: multibuild-${{github.run_number}} | |
- uses: dart-lang/setup-dart@0a8a0fc875eb934c15d08629302413c671d3f672 # v1.6.5 | |
- uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 | |
with: | |
node-version: '20.17.0' | |
# create directories need for build | |
- run: | | |
mkdir -p sshnp/web/admin | |
mkdir -p sshnp/beta/web/admin | |
mkdir tarball | |
- if: ${{ matrix.os != 'windows-latest' }} | |
run: mkdir sshnp/debug | |
# compile binaries | |
- run: | | |
dart pub get --enforce-lockfile | |
dart run build_runner build --delete-conflicting-outputs | |
dart compile exe bin/activate_cli.dart -v -o sshnp/at_activate${{ matrix.ext }} | |
dart compile exe bin/sshnp.dart -v -o sshnp/sshnp${{ matrix.ext }} | |
dart compile exe bin/npt.dart -v -o sshnp/npt${{ matrix.ext }} | |
dart compile exe bin/npp_file.dart -v -o sshnp/npa_file${{ matrix.ext }} | |
dart compile exe bin/npp_file.dart -v -o sshnp/npp_file${{ matrix.ext }} | |
dart compile exe bin/sshnpd.dart -v -o sshnp/sshnpd${{ matrix.ext }} | |
dart compile exe bin/srv.dart -v -o sshnp/srv${{ matrix.ext }} | |
dart compile exe bin/npp_atserver.dart -v -o sshnp/beta/npp_atserver${{ matrix.ext }} | |
- name: build admin API | |
working-directory: ./apps/admin/admin_api | |
run: | | |
dart pub get --enforce-lockfile | |
dart compile exe bin/np_admin.dart -v -o ../../../packages/dart/sshnoports/sshnp/beta/np_admin${{ matrix.ext }} | |
- name: build admin webapp | |
working-directory: ./apps/admin/webapp | |
run: | | |
npm install | |
npm run build | |
- if: ${{ matrix.os != 'windows-latest' }} | |
run: | | |
dart compile exe bin/srvd.dart -v -o sshnp/srvd${{ matrix.ext }} | |
dart compile exe bin/srvd.dart -D ENABLE_SNOOP=true -v -o sshnp/debug/srvd${{ matrix.ext }} | |
# copy additional bundle items to build | |
- run: | | |
cp -r bundles/core/* sshnp/ | |
cp -r bundles/${{ matrix.bundle }}/* sshnp/ | |
cp -r ../../../apps/admin/webapp/dist/* sshnp/beta/web/admin/ | |
cp LICENSE sshnp | |
# codesign for apple | |
- if: ${{ matrix.os == 'macos-13' || matrix.os == 'macos-14' }} | |
name: Import certificates | |
env: | |
MACOS_CODESIGN_CERT: ${{ secrets.MACOS_CODESIGN_CERT }} | |
MACOS_CODESIGN_CERT_PASSWORD: | |
${{ secrets.MACOS_CODESIGN_CERT_PASSWORD }} | |
MACOS_SIGNING_IDENTITY: ${{ secrets.MACOS_SIGNING_IDENTITY }} | |
MACOS_KEYCHAIN_PASSWORD: ${{ secrets.MACOS_KEYCHAIN_PASSWORD }} | |
run: | | |
# Load certificate | |
CERT_PATH=$RUNNER_TEMP/noports-codesign.p12 | |
echo -n "$MACOS_CODESIGN_CERT" | base64 --decode -o $CERT_PATH | |
# create temp keychain | |
KEYCHAIN_PATH=$RUNNER_TEMP/build.keychain | |
security create-keychain -p "$MACOS_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH | |
security default-keychain -s $KEYCHAIN_PATH | |
security unlock-keychain -p "$MACOS_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH | |
security import $CERT_PATH -k $KEYCHAIN_PATH -P "$MACOS_CODESIGN_CERT_PASSWORD" -T /usr/bin/codesign | |
security set-key-partition-list -S apple-tool:apple,:,codesign: -s -k "$MACOS_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH | |
# codesign | |
/usr/bin/codesign \ | |
--force \ | |
-s "$MACOS_SIGNING_IDENTITY" \ | |
--options=runtime \ | |
--entitlements ./tools/templates/entitlements.plist \ | |
--prefix "com.atsign." \ | |
--timestamp \ | |
-v \ | |
sshnp/{sshnp,sshnpd,srv,srvd,at_activate,debug/srvd,npt,npa_file,npp_file,beta/npp_atserver,beta/np_admin} | |
# zip the build | |
- if: ${{ matrix.os == 'macos-13' || matrix.os == 'macos-14' }} | |
run: | |
ditto -c -k --keepParent sshnp tarball/${{ matrix.output-name }}.zip | |
- if: ${{ matrix.os == 'ubuntu-latest' }} | |
run: tar -cvzf tarball/${{ matrix.output-name }}.tgz sshnp | |
- if: ${{ matrix.os == 'windows-latest' }} | |
run: | |
Compress-Archive -Path sshnp -Destination tarball/${{ | |
matrix.output-name }}.zip | |
# notarize the build | |
- if: ${{ matrix.os == 'macos-13' || matrix.os == 'macos-14' }} | |
env: | |
MACOS_APPLE_ID: ${{ secrets.MACOS_APPLE_ID }} | |
MACOS_TEAM_ID: ${{ secrets.MACOS_TEAM_ID }} | |
MACOS_APPLE_ID_PASSWORD: ${{ secrets.MACOS_APPLE_ID_PASSWORD }} | |
run: | | |
xcrun notarytool submit tarball/${{ matrix.output-name }}.zip \ | |
--apple-id "$MACOS_APPLE_ID" \ | |
--team-id "$MACOS_TEAM_ID" \ | |
--password "$MACOS_APPLE_ID_PASSWORD" \ | |
--wait | |
# upload the build | |
- uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 | |
with: | |
name: | |
${{ matrix.output-name | |
}}-${{github.ref_name}}-${{github.run_number}}-${{github.run_attempt}} | |
path: ./packages/dart/sshnoports/tarball | |
if-no-files-found: error | |
other_build: | |
needs: verify_tags | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
platform: [linux/arm/v7, linux/arm64, linux/riscv64] | |
include: | |
- platform: linux/arm/v7 | |
output-name: sshnp-linux-arm | |
- platform: linux/arm64 | |
output-name: sshnp-linux-arm64 | |
- platform: linux/riscv64 | |
output-name: sshnp-linux-riscv64 | |
steps: | |
- if: ${{ ! inputs.main_build_only }} | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
with: | |
ref: multibuild-${{github.run_number}} | |
- if: ${{ ! inputs.main_build_only }} | |
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 | |
- if: ${{ ! inputs.main_build_only }} | |
uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 | |
- if: ${{ ! inputs.main_build_only }} | |
run: | | |
docker buildx build -t atsigncompany/sshnptarball -f ./tools/multibuild/Dockerfile.package \ | |
--platform ${{ matrix.platform }} -o type=tar,dest=bins.tar . | |
mkdir tarballs | |
tar -xvf bins.tar -C tarballs | |
- if: ${{ ! inputs.main_build_only }} | |
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 | |
with: | |
name: | |
${{ matrix.output-name | |
}}-${{github.ref_name}}-${{github.run_number}}-${{github.run_attempt}} | |
path: ./tarballs/${{ matrix.output-name }}.tgz | |
if-no-files-found: error | |
universal_sh: | |
if: startsWith(github.ref, 'refs/tags/v') | |
defaults: | |
run: | |
working-directory: ./packages/dart/sshnoports/bundles | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- run: | | |
write_metadata() { | |
start_line="# SCRIPT METADATA" | |
end_line="# END METADATA" | |
file=$1 | |
variable=$2 | |
value=$3 | |
# since this is linux only, sed -i is safe without a file ext. | |
sed -i "/$start_line/,/$end_line/s|$variable=\".*\"|$variable=\"$value\"|g" "$file" | |
} | |
REF=${{ github.ref }} | |
TAG=${REF:11} | |
write_metadata universal.sh sshnp_version "$TAG" | |
- uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 | |
with: | |
name: universal.sh-${{github.ref_name}}-${{github.run_number}}-${{github.run_attempt}} | |
path: ./packages/dart/sshnoports/bundles/universal.sh | |
if-no-files-found: error | |
universal_ps1: | |
if: startsWith(github.ref, 'refs/tags/v') | |
defaults: | |
run: | |
working-directory: ./packages/dart/sshnoports/bundles | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 | |
with: | |
name: universal.ps1-${{github.ref_name}}-${{github.run_number}}-${{github.run_attempt}} | |
path: ./packages/dart/sshnoports/bundles/universal.ps1 | |
if-no-files-found: error | |
github-release: | |
name: >- | |
Upload artifacts and generate SBOMs and checksums for provenance | |
needs: [main_build, other_build, universal_sh, universal_ps1] | |
runs-on: ubuntu-latest | |
outputs: | |
hashes: ${{ steps.hash.outputs.hashes }} | |
permissions: | |
contents: write # Mandatory for making GitHub Releases | |
id-token: write # Mandatory for sigstore | |
attestations: write | |
steps: | |
- name: Checkout pubspec.lock | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
with: | |
sparse-checkout: packages/dart/sshnoports/pubspec.lock | |
sparse-checkout-cone-mode: false | |
- name: Install Syft | |
uses: anchore/sbom-action/download-syft@61119d458adab75f756bc0b9e4bde25725f86a7a # v0.17.2 | |
- name: Download all the tarballs | |
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
path: tarballs/ | |
- name: Generate SBOMs | |
run: | | |
syft scan file:./packages/dart/sshnoports/pubspec.lock \ | |
-o 'spdx-json=tarballs/dart_sshnoports_sbom.spdx.json' \ | |
-o 'cyclonedx-json=tarballs/dart_sshnoports_sbom.cyclonedx.json' | |
- name: Move packages for signing | |
run: | | |
cd tarballs | |
mv */*.sh . | |
mv */*.ps1 . | |
mv */*.tgz . | |
mv */*.zip . | |
rm -Rf -- */ | |
- name: Generate SHA256 checksums | |
working-directory: tarballs | |
run: sha256sum * > checksums.txt | |
- name: Upload artifacts to GitHub Release | |
env: | |
GITHUB_TOKEN: ${{ github.token }} | |
# Upload to GitHub Release using the `gh` CLI. | |
# `tarballs/` contains the built packages, and the | |
# Syft produced SBOMs | |
run: >- | |
gh release upload '${{ github.ref_name }}' tarballs/** --repo '${{ | |
github.repository }}' | |
- id: hash | |
name: Pass artifact hashes for SLSA provenance | |
working-directory: tarballs | |
run: | | |
echo "hashes=$(cat checksums.txt | base64 -w0)" >> "$GITHUB_OUTPUT" | |
- uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2 | |
with: | |
subject-path: "tarballs/**" | |
provenance: | |
needs: [github-release] | |
permissions: | |
actions: read # Needed for detection of GitHub Actions environment. | |
id-token: write # Needed for provenance signing and ID | |
contents: write # Needed for release uploads | |
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] # 5a775b367a56d5bd118a224a811bba288150a563 | |
with: | |
base64-subjects: "${{ needs.github-release.outputs.hashes }}" | |
upload-assets: true | |
cleanup: | |
name: Clean up temporary branch | |
needs: [main_build, other_build] | |
runs-on: ubuntu-latest | |
if: ${{ always() }} | |
permissions: | |
contents: write # Needed to delete workflow branch | |
steps: | |
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
with: | |
ref: multibuild-${{github.run_number}} | |
- name: Delete workflow branch | |
run: git push origin --delete multibuild-${{github.run_number}} | |
notify_on_completion: | |
needs: [github-release, cleanup] | |
runs-on: ubuntu-latest | |
steps: | |
- name: Google Chat Notification | |
uses: Co-qn/google-chat-notification@3691ccf4763537d6e544bc6cdcccc1965799d056 # v1 | |
with: | |
name: | |
SSH no ports binaries were built by GitHub Action ${{ | |
github.run_number }} | |
url: ${{ secrets.GOOGLE_CHAT_WEBHOOK }} | |
status: ${{ job.status }} | |
notify_on_failure: | |
if: failure() | |
needs: [github-release, cleanup] | |
runs-on: ubuntu-latest | |
steps: | |
- name: Google Chat Notification | |
uses: Co-qn/google-chat-notification@3691ccf4763537d6e544bc6cdcccc1965799d056 # v1 | |
with: | |
name: | |
SSH no ports binaries build by GitHub Action ${{ github.run_number | |
}} | |
url: ${{ secrets.GOOGLE_CHAT_WEBHOOK }} | |
status: failure |