diff --git a/.github/workflows/multibuild.yaml b/.github/workflows/multibuild.yaml index c272ba13a..e9de72dea 100644 --- a/.github/workflows/multibuild.yaml +++ b/.github/workflows/multibuild.yaml @@ -3,7 +3,7 @@ name: Multibuild on: push: tags: - - 'v*.*.*' + - "v*.*.*" workflow_dispatch: inputs: main_build_only: @@ -27,7 +27,9 @@ jobs: git config --global user.name 'Atsign Robot' git config --global user.email '41898282+github-actions[bot]@users.noreply.github.com' git checkout -b multibuild-${{github.run_number}} - - name: Ensure pubspec.yaml matches git ref (if current git ref is a version tag) + - name: + Ensure pubspec.yaml matches git ref (if current git ref is a version + tag) shell: bash if: startsWith(github.ref, 'refs/tags/v') working-directory: ./packages/dart/sshnoports @@ -53,20 +55,20 @@ jobs: include: - os: ubuntu-latest output-name: sshnp-linux-x64 - ext: '' - bundle: 'shell' + ext: "" + bundle: "shell" - os: macos-13 output-name: sshnp-macos-x64 - ext: '' - bundle: 'shell' + ext: "" + bundle: "shell" - os: macos-14 output-name: sshnp-macos-arm64 - ext: '' - bundle: 'shell' + ext: "" + bundle: "shell" - os: windows-latest output-name: sshnp-windows-x64 - ext: '.exe' - bundle: 'windows' + ext: ".exe" + bundle: "windows" steps: - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: @@ -101,7 +103,8 @@ jobs: name: Import certificates env: MACOS_CODESIGN_CERT: ${{ secrets.MACOS_CODESIGN_CERT }} - MACOS_CODESIGN_CERT_PASSWORD: ${{ secrets.MACOS_CODESIGN_CERT_PASSWORD }} + MACOS_CODESIGN_CERT_PASSWORD: + ${{ secrets.MACOS_CODESIGN_CERT_PASSWORD }} MACOS_SIGNING_IDENTITY: ${{ secrets.MACOS_SIGNING_IDENTITY }} MACOS_KEYCHAIN_PASSWORD: ${{ secrets.MACOS_KEYCHAIN_PASSWORD }} run: | 
@@ -127,11 +130,14 @@ jobs: sshnp/{sshnp,sshnpd,srv,srvd,at_activate,debug/srvd,npt} # zip the build - if: ${{ matrix.os == 'macos-13' || matrix.os == 'macos-14' }} - run: ditto -c -k --keepParent sshnp tarball/${{ matrix.output-name }}.zip + run: + ditto -c -k --keepParent sshnp tarball/${{ matrix.output-name }}.zip - if: ${{ matrix.os == 'ubuntu-latest' }} run: tar -cvzf tarball/${{ matrix.output-name }}.tgz sshnp - if: ${{ matrix.os == 'windows-latest' }} - run: Compress-Archive -Path sshnp -Destination tarball/${{ matrix.output-name }}.zip + run: + Compress-Archive -Path sshnp -Destination tarball/${{ + matrix.output-name }}.zip # notarize the build - if: ${{ matrix.os == 'macos-13' || matrix.os == 'macos-14' }} env: @@ -147,16 +153,15 @@ jobs: # upload the build - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: - name: ${{ matrix.output-name }}-${{github.ref_name}}-${{github.run_number}}-${{github.run_attempt}} + name: + ${{ matrix.output-name + }}-${{github.ref_name}}-${{github.run_number}}-${{github.run_attempt}} path: ./packages/dart/sshnoports/tarball if-no-files-found: error other_build: needs: verify_tags runs-on: ubuntu-latest - defaults: - run: - working-directory: ./packages/dart strategy: matrix: platform: [linux/arm/v7, linux/arm64, linux/riscv64] 
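Review bot: Removing the job-level `defaults.run.working-directory: ./packages/dart` from `other_build` changes the cwd of every `run:` step in that job, not only the `docker buildx build` step that the next hunk re-points at `./tools/multibuild/Dockerfile.package`; the rest of `other_build` lies outside this hunk, so any other step that assumed `packages/dart` as its cwd needs checking. The build context `.` is now the repository root, which is what the new Dockerfile's `COPY . .` into `/noports` followed by `WORKDIR /noports/packages/dart/sshnoports` expects. A comment on the docker build step, `# build context is the repo root: the Dockerfile builds packages/dart/sshnoports and apps/admin`, would record why the job default was dropped.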
@@ -178,15 +183,17 @@ jobs: uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 - if: ${{ ! inputs.main_build_only }} run: | - docker buildx build -t atsigncompany/sshnptarball -f sshnoports/tools/Dockerfile.package \ + docker buildx build -t atsigncompany/sshnptarball -f ./tools/multibuild/Dockerfile.package \ --platform ${{ matrix.platform }} -o type=tar,dest=bins.tar . mkdir tarballs tar -xvf bins.tar -C tarballs - if: ${{ ! inputs.main_build_only }} uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 with: - name: ${{ matrix.output-name }}-${{github.ref_name}}-${{github.run_number}}-${{github.run_attempt}} - path: ./packages/dart/tarballs/${{ matrix.output-name }}.tgz + name: + ${{ matrix.output-name + }}-${{github.ref_name}}-${{github.run_number}}-${{github.run_attempt}} + path: ./tarballs/${{ matrix.output-name }}.tgz if-no-files-found: error universal_sh: @@ -223,13 +230,12 @@ jobs: working-directory: ./packages/dart/sshnoports/bundles runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 - with: - name: universal.ps1-${{github.ref_name}}-${{github.run_number}}-${{github.run_attempt}} - path: ./packages/dart/sshnoports/bundles/universal.ps1 - if-no-files-found: error - + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0 + with: + name: universal.ps1-${{github.ref_name}}-${{github.run_number}}-${{github.run_attempt}} + path: ./packages/dart/sshnoports/bundles/universal.ps1 + if-no-files-found: error github-release: name: >- 
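Review bot: With the context now `.` at the repository root and the new Dockerfile doing `COPY . .`, the entire checkout, including `.git` and whatever else is present in the workspace, is sent to the builder unless a root `.dockerignore` excludes it; no such file is part of this commit, so confirm one exists or add one that at least excludes `.git` and local build output. This also matters for cache behaviour, since any change under the repo invalidates the `COPY . .` layer and everything after it. The upload path `./tarballs/${{ matrix.output-name }}.tgz` is consistent with `mkdir tarballs` now running at the root. The enclosing `other_build` job continues outside the hunk.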
@@ -239,55 +245,54 @@ jobs: outputs: hashes: ${{ steps.hash.outputs.hashes }} permissions: - contents: write # Mandatory for making GitHub Releases - id-token: write # Mandatory for sigstore + contents: write # Mandatory for making GitHub Releases + id-token: write # Mandatory for sigstore attestations: write steps: - - name: Checkout pubspec.lock - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - sparse-checkout: packages/dart/sshnoports/pubspec.lock - sparse-checkout-cone-mode: false - - name: Install Syft - uses: anchore/sbom-action/download-syft@61119d458adab75f756bc0b9e4bde25725f86a7a # v0.17.2 - - name: Download all the tarballs - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 - with: - path: tarballs/ - - name: Generate SBOMs - run: | - syft scan file:./packages/dart/sshnoports/pubspec.lock \ - -o 'spdx-json=tarballs/dart_sshnoports_sbom.spdx.json' \ - -o 'cyclonedx-json=tarballs/dart_sshnoports_sbom.cyclonedx.json' - - name: Move packages for signing - run: | - cd tarballs - mv */*.sh . - mv */*.ps1 . - mv */*.tgz . - mv */*.zip . - rm -Rf -- */ - - name: Generate SHA256 checksums - working-directory: tarballs - run: sha256sum * > checksums.txt - - name: Upload artifacts to GitHub Release - env: - GITHUB_TOKEN: ${{ github.token }} - # Upload to GitHub Release using the `gh` CLI. 
- # `tarballs/` contains the built packages, and the - # Syft produced SBOMs - run: >- - gh release upload - '${{ github.ref_name }}' tarballs/** - --repo '${{ github.repository }}' - - id: hash - name: Pass artifact hashes for SLSA provenance - working-directory: tarballs - run: | - echo "hashes=$(cat checksums.txt | base64 -w0)" >> "$GITHUB_OUTPUT" - - uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2 - with: - subject-path: 'tarballs/**' + - name: Checkout pubspec.lock + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + with: + sparse-checkout: packages/dart/sshnoports/pubspec.lock + sparse-checkout-cone-mode: false + - name: Install Syft + uses: anchore/sbom-action/download-syft@61119d458adab75f756bc0b9e4bde25725f86a7a # v0.17.2 + - name: Download all the tarballs + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 + with: + path: tarballs/ + - name: Generate SBOMs + run: | + syft scan file:./packages/dart/sshnoports/pubspec.lock \ + -o 'spdx-json=tarballs/dart_sshnoports_sbom.spdx.json' \ + -o 'cyclonedx-json=tarballs/dart_sshnoports_sbom.cyclonedx.json' + - name: Move packages for signing + run: | + cd tarballs + mv */*.sh . + mv */*.ps1 . + mv */*.tgz . + mv */*.zip . + rm -Rf -- */ + - name: Generate SHA256 checksums + working-directory: tarballs + run: sha256sum * > checksums.txt + - name: Upload artifacts to GitHub Release + env: + GITHUB_TOKEN: ${{ github.token }} + # Upload to GitHub Release using the `gh` CLI. 
+ # `tarballs/` contains the built packages, and the + # Syft produced SBOMs + run: >- + gh release upload '${{ github.ref_name }}' tarballs/** --repo '${{ + github.repository }}' + - id: hash + name: Pass artifact hashes for SLSA provenance + working-directory: tarballs + run: | + echo "hashes=$(cat checksums.txt | base64 -w0)" >> "$GITHUB_OUTPUT" + - uses: actions/attest-build-provenance@6149ea5740be74af77f260b9db67e633f6b0a9a1 # v1.4.2 + with: + subject-path: "tarballs/**" provenance: needs: [github-release] @@ -308,11 +313,11 @@ jobs: permissions: contents: write # Needed to delete workflow branch steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - ref: multibuild-${{github.run_number}} - - name: Delete workflow branch - run: git push origin --delete multibuild-${{github.run_number}} + - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + with: + ref: multibuild-${{github.run_number}} + - name: Delete workflow branch + run: git push origin --delete multibuild-${{github.run_number}} notify_on_completion: needs: [github-release, cleanup] @@ -321,7 +326,9 @@ jobs: - name: Google Chat Notification uses: Co-qn/google-chat-notification@3691ccf4763537d6e544bc6cdcccc1965799d056 # v1 with: - name: SSH no ports binaries were built by GitHub Action ${{ github.run_number }} + name: + SSH no ports binaries were built by GitHub Action ${{ + github.run_number }} url: ${{ secrets.GOOGLE_CHAT_WEBHOOK }} status: ${{ job.status }} @@ -333,6 +340,8 @@ jobs: - name: Google Chat Notification uses: Co-qn/google-chat-notification@3691ccf4763537d6e544bc6cdcccc1965799d056 # v1 with: - name: SSH no ports binaries build by GitHub Action ${{ github.run_number }} + name: + SSH no ports binaries build by GitHub Action ${{ github.run_number + }} url: ${{ secrets.GOOGLE_CHAT_WEBHOOK }} status: failure 
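Review bot: The `Generate SBOMs` step still scans only `packages/dart/sshnoports/pubspec.lock`, but the Linux tarballs this release now ships (built by the new `tools/multibuild/Dockerfile.package`) also contain `admin_api`, compiled from `apps/admin/admin_api` with its own `dart pub get --enforce-lockfile`, and the admin webapp built with npm; neither dependency set appears in the SBOMs that are uploaded and attested alongside the binaries. Add the other lockfiles to the scan, e.g. a second `syft scan file:./apps/admin/admin_api/pubspec.lock -o 'spdx-json=tarballs/dart_admin_api_sbom.spdx.json' ...` plus one for the webapp's npm lockfile, and extend `sparse-checkout:` a few lines up to fetch those paths (the input accepts newline-separated patterns). Until then the provenance covers artifacts whose SBOM is incomplete, which is worth a comment on the step if the gap is accepted for now.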
diff --git a/packages/dart/sshnoports/tools/Dockerfile.package b/packages/dart/sshnoports/tools/Dockerfile.package
deleted file mode 100644
index a45026cc1..000000000
--- a/packages/dart/sshnoports/tools/Dockerfile.package
+++ /dev/null
@@ -1,33 +0,0 @@
-# Dockerfile.package
-# A dockerfile for packaging SSH No Ports releases using docker buildx
-
-FROM atsigncompany/buildimage:3.5.2_3.6.0-149.3.beta@sha256:df67b9e3271381fc0c5b20e7350cf4de8dad6ac62e075b49b1a866c49af47409 AS build
-# Using atsigncompany/buildimage until official dart image has RISC-V support
-WORKDIR /sshnoports
-COPY . .
-RUN set -eux; \
- case "$(dpkg --print-architecture)" in \
- amd64) ARCH="x64";; \
- armhf) ARCH="arm";; \
- arm64) ARCH="arm64";; \
- riscv64) ARCH="riscv64";; \
- esac; \
- cd sshnoports; \
- mkdir -p sshnp/debug; \
- mkdir tarball; \
- dart pub get --enforce-lockfile; \
- dart run build_runner build --delete-conflicting-outputs; \
- dart compile exe bin/activate_cli.dart -v -o sshnp/at_activate; \
- dart compile exe bin/sshnp.dart -v -o sshnp/sshnp; \
- dart compile exe bin/npt.dart -v -o sshnp/npt; \
- dart compile exe bin/sshnpd.dart -v -o sshnp/sshnpd; \
- dart compile exe bin/srv.dart -v -o sshnp/srv; \
- dart compile exe bin/srvd.dart -v -o sshnp/srvd; \
- dart compile exe bin/srvd.dart -D ENABLE_SNOOP=true -v -o sshnp/debug/srvd; \
- cp -r bundles/core/* sshnp/; \
- cp -r bundles/shell/* sshnp/; \
- cp LICENSE sshnp/; \
- tar -cvzf tarball/sshnp-linux-${ARCH}.tgz sshnp
-
-FROM scratch
-COPY --from=build /sshnoports/sshnoports/tarball/* /
diff --git a/tools/multibuild/Dockerfile.package b/tools/multibuild/Dockerfile.package
new file mode 100644
index 000000000..9665389d8
--- /dev/null
+++ b/tools/multibuild/Dockerfile.package
@@ -0,0 +1,56 @@
+# Dockerfile.package
+# A dockerfile for packaging SSH No Ports releases using docker buildx
+
+FROM atsigncompany/buildimage:3.5.2_3.6.0-149.3.beta@sha256:df67b9e3271381fc0c5b20e7350cf4de8dad6ac62e075b49b1a866c49af47409 AS build
+# Using atsigncompany/buildimage until official dart image has RISC-V support
+WORKDIR /noports
+
+# install node for later (keep at the top file to increase cache hits)
+RUN apt-get update; \
+ apt-get install -y --no-install-recommends nodejs=18.19.0+dfsg-6~deb12u2;
+
+COPY . .
+
+# Build packages/dart/sshnoports
+WORKDIR /noports/packages/dart/sshnoports
+RUN set -eux; \
+ mkdir -p /sshnp/debug; \
+ mkdir /tarball; \
+ dart pub get --enforce-lockfile; \
+ dart run build_runner build --delete-conflicting-outputs; \
+ dart compile exe bin/activate_cli.dart -v -o /sshnp/at_activate; \
+ dart compile exe bin/sshnp.dart -v -o /sshnp/sshnp; \
+ dart compile exe bin/npt.dart -v -o /sshnp/npt; \
+ dart compile exe bin/npa_file.dart -v -o /sshnp/npa_file; \
+ dart compile exe bin/sshnpd.dart -v -o /sshnp/sshnpd; \
+ dart compile exe bin/srv.dart -v -o /sshnp/srv; \
+ dart compile exe bin/npp.dart -v -o /sshnp/npp; \
+ dart compile exe bin/srvd.dart -v -o /sshnp/srvd; \
+ dart compile exe bin/srvd.dart -D ENABLE_SNOOP=true -v -o /sshnp/debug/srvd; \
+ cp -r bundles/core/* /sshnp/; \
+ cp -r bundles/shell/* /sshnp/; \
+ cp LICENSE /sshnp/;
+
+# Build apps/admin/admin_api
+WORKDIR /noports/apps/admin/admin_api
+RUN dart pub get --enforce-lockfile; \
+ dart compile exe bin/admin_api.dart -v -o /sshnp/admin_api
+
+# Build apps/admin/webapp
+WORKDIR /noports/apps/admin/webapp
+RUN npm install; \
+ npm run build; \
+ mkdir -p /sshnp/web/admin; \
+ cp -r ./dist /sshnp/web/admin
+
+RUN set -eux; \
+ case "$(dpkg --print-architecture)" in \
+ amd64) ARCH="x64";; \
+ armhf) ARCH="arm";; \
+ arm64) ARCH="arm64";; \
+ riscv64) ARCH="riscv64";; \
+ esac; \
+ tar -cvzf /tarball/sshnp-linux-"${ARCH}".tgz /sshnp
+
+FROM scratch
+COPY --from=build /tarball/* /
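Review bot: The webapp stage uses `npm install`, which resolves dependencies afresh and may rewrite the lockfile, whereas every Dart stage in this file passes `--enforce-lockfile`; assuming the webapp commits an npm lockfile, `npm ci` gives the same guarantee (fails on a package.json/lockfile mismatch, installs exactly the locked versions) and should be used in a release build. Separately, the `apt-get`, `admin_api` and webapp `RUN` lines chain commands with `;` but do not start with `set -eux;` as the two sshnoports `RUN` blocks do, so only the last command's exit status decides the layer: a failed `apt-get update`, `dart pub get --enforce-lockfile` or `npm install` does not by itself stop the image build. Prefix those three with `set -eux;` as well, e.g. `RUN set -eux; npm ci; npm run build; mkdir -p /sshnp/web/admin; cp -r ./dist /sshnp/web/admin`, or join the commands with `&&`.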