Add CI Support (#1)

* first build test

* install just

* try using brew

* use just all

* install ninja

* add cargo update

* print dir and upload artifact

* use relative path

* separated actions

* code sign llvm-objcopy

* sign multiple files

* fix secrets

* add linux support

* install just

* run linux only for testing

* try with sudo

* apt update

* install just with dedicated action

* install ninja

* fix if

* update cargo

* fix path

* fix loop and sign script path

* sign rust lib

* temporary remove sign.sh

* restore sign.sh

* no quotation marks

* run both macos and linux

* [skip ci] remove comment

* create a release with artifacts

* disable binaries signing for macos temporary

* restore signing and remove zip file from root dir

* disable signing temporary

* restore signing and add rust-lld

* don't sign rustc

* sign other rust bins

* remove test branch

* fix rust-lld filename

* test build

* remove test branch

* sign only when running ci and disable signing for now

* use cargo 1.75

* add macos intel build

* add mac intel to release

* add toolchain for v1.75

* cahnge default toolchain

* use version 1.75 and fix default toolchain

* use macos-13 for intel

.github/workflows/main.yml

@@ -0,0 +1,126 @@
+name: Build Tools
+
+on:
+  push:
+    branches:
+      - main
+      - oz/ci
+    tags: ['*']
+  workflow_dispatch:
+
+jobs:
+  build-mac-arm:
+    runs-on: macos-latest
+    env:
+      TAG: ${{ github.ref_name }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install dependencies
+        run: |
+            brew install just ninja
+            rustup install 1.75
+            rustup toolchain install 1.75
+            rustup default 1.75-aarch64-apple-darwin
+      - name: Clone
+        run: just clone
+      - name: Prepare
+        run: just prepare
+      - name: Build rust, cargo and newlib
+        run: just build-all
+      - name: Package
+        env:
+          APPLE_CODESIGN_IDENTITY: ${{ secrets.APPLE_CODESIGN_IDENTITY }}
+          APPLE_CRED: ${{ secrets.APPLE_CRED }}
+          APPLE_P12_BASE64: ${{ secrets.APPLE_P12_BASE64 }}
+          APPLE_P12_PASSWORD: ${{ secrets.APPLE_P12_PASSWORD }}
+          APPLE_TEAMID: ${{ secrets.APPLE_TEAMID }}
+          APPLE_TEMPKEYCHAIN_PASSWORD: ${{ secrets.APPLE_TEMPKEYCHAIN_PASSWORD }}
+        run: just package
+      - uses: actions/upload-artifact@v4
+        with:
+          name: platform-tools-osx-aarch64.tar.bz2
+          path: out/platform-tools-osx-aarch64.tar.bz2
+
+  build-mac-intel:
+    runs-on: macos-13
+    env:
+      TAG: ${{ github.ref_name }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install dependencies
+        run: |
+            brew install just ninja
+            rustup install 1.75
+            rustup toolchain install 1.75
+            rustup default 1.75-x86_64-apple-darwin
+      - name: Clone
+        run: just clone
+      - name: Prepare
+        run: just prepare
+      - name: Build rust, cargo and newlib
+        run: just build-all
+      - name: Package
+        env:
+          APPLE_CODESIGN_IDENTITY: ${{ secrets.APPLE_CODESIGN_IDENTITY }}
+          APPLE_CRED: ${{ secrets.APPLE_CRED }}
+          APPLE_P12_BASE64: ${{ secrets.APPLE_P12_BASE64 }}
+          APPLE_P12_PASSWORD: ${{ secrets.APPLE_P12_PASSWORD }}
+          APPLE_TEAMID: ${{ secrets.APPLE_TEAMID }}
+          APPLE_TEMPKEYCHAIN_PASSWORD: ${{ secrets.APPLE_TEMPKEYCHAIN_PASSWORD }}
+        run: just package
+      - uses: actions/upload-artifact@v4
+        with:
+          name: platform-tools-osx-x86_64.tar.bz2
+          path: out/platform-tools-osx-x86_64.tar.bz2
+
+  build-linux:
+    runs-on: ubuntu-latest
+    env:
+      TAG: ${{ github.ref_name }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install just
+        uses: taiki-e/install-action@just
+      - name: Install dependencies
+        run: |
+          sudo apt update; sudo apt install ninja-build
+          rustup install 1.75
+          rustup toolchain install 1.75
+          rustup default 1.75-x86_64-unknown-linux-gnu
+      - name: Clone
+        run: just clone
+      - name: Prepare
+        run: just prepare
+      - name: Build rust, cargo and newlib
+        run: just build-all
+      - name: Package
+        run: just package
+      - uses: actions/upload-artifact@v4
+        with:
+          name: platform-tools-linux-x86_64.tar.bz2
+          path: out/platform-tools-linux-x86_64.tar.bz2
+
+  release:
+    runs-on: ubuntu-latest
+    needs: [build-linux, build-mac-arm, build-mac-intel]
+    if: startsWith(github.event.ref, 'refs/tags/') #  only on new tag creation
+    env:
+      TAG: ${{ github.ref_name }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Download artifact
+        uses: actions/download-artifact@v4
+      - name: Create a release
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          release_exist=$(gh release view $TAG 2>&1 || exit 0)
+          if [ "$release_exist" = "release not found" ]; then
+            gh release create $TAG platform-tools-osx-aarch64.tar.bz2/platform-tools-osx-aarch64.tar.bz2 --title "Release $TAG" --generate-notes --latest
+            gh release upload $TAG platform-tools-osx-x86_64.tar.bz2/platform-tools-osx-x86_64.tar.bz2
+            gh release upload $TAG platform-tools-linux-x86_64.tar.bz2/platform-tools-linux-x86_64.tar.bz2
+          else
+            gh release upload $TAG platform-tools-osx-aarch64.tar.bz2/platform-tools-osx-aarch64.tar.bz2
+            gh release upload $TAG platform-tools-osx-x86_64.tar.bz2/platform-tools-osx-x86_64.tar.bz2
+            gh release upload $TAG platform-tools-linux-x86_64.tar.bz2/platform-tools-linux-x86_64.tar.bz2
+          fi

justfile

@@ -30,11 +30,11 @@ build-cargo:
 	# AG: this fails for me with macport and libiconv
 	# AG: I have to disable libiconv, run this manually
 	# AG: and then re-enable it
-	cd {{ out_dir }}/cargo && env OPENSSL_STATIC=1 cargo build --release
+	cd {{ out_dir }}/cargo && env OPENSSL_STATIC=1 cargo +1.75 build --release
 
 [linux]
 build-cargo:
-	cd {{ out_dir }}/cargo && env OPENSSL_STATIC=1 OPENSSL_LIB_DIR=/usr/lib/x86_64-linux-gnu OPENSSL_INCLUDE_DIR=/usr/include/openssl cargo build --release
+	cd {{ out_dir }}/cargo && env OPENSSL_STATIC=1 OPENSSL_LIB_DIR=/usr/lib/x86_64-linux-gnu OPENSSL_INCLUDE_DIR=/usr/include/openssl cargo +1.75 build --release
 
 
 [linux,macos]

scripts/package.sh

@@ -82,6 +82,26 @@ if [[ "${HOST_TRIPLE}" != "x86_64-pc-windows-msvc" ]] ; then
     #cp -R rust/build/${HOST_TRIPLE}/llvm/lib/python* deploy/llvm/lib/
 fi
 
+# Sign macOS binaries - Disabled
+# if [[ $HOST_TRIPLE == *apple-darwin* ]] && [[ ! -z "$APPLE_CODESIGN_IDENTITY" ]]; then
+#     LLVM_BIN="./deploy/llvm/bin"
+#     RUST_BIN="./deploy/rust/bin"
+#     RUST_LIB="./deploy/rust/lib"
+#     RUST_LIB_BIN="$RUST_LIB/rustlib/aarch64-apple-darwin/bin"
+
+#     ../scripts/sign.sh \
+#         "$LLVM_BIN/llvm-objdump" \
+#         "$LLVM_BIN/llvm-ar" \
+#         "$LLVM_BIN/llvm-readobj" \
+#         "$LLVM_BIN/llvm-objcopy" \
+#         "$RUST_BIN/rustdoc" \
+#         "$RUST_BIN/cargo" \
+#         "$RUST_LIB/librustc_driver-b4e91886a4c059a0.dylib" \
+#         "$RUST_LIB/libstd-6eff127b55c063c2.dylib" \
+#         "$RUST_LIB_BIN/rust-lld"
+#        # "$RUST_BIN/rustc" # Not signing 'rustc' duo to failing cargo build
+# fi
+
 # Check the Rust binaries
 while IFS= read -r f
 do

scripts/sign.sh

@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+set -ex
+
+FILES_TO_SIGN=$@
+
+for FILE_PATH in $FILES_TO_SIGN; do
+    FILE_NAME=$(basename $FILE_PATH)
+    APPLE_TEMPKEYCHAIN_NAME=$(echo $FILE_NAME | tr -cd 'a-zA-Z')$(($RANDOM)) # use a random name
+
+    echo "File path: $FILE_PATH"
+    echo "File name: $FILE_NAME"
+    echo "Apple temp keychain name: $APPLE_TEMPKEYCHAIN_NAME"
+
+    # create keychain
+    printf "$APPLE_P12_BASE64" | base64 -d > dev.p12
+    security create-keychain -p "$APPLE_TEMPKEYCHAIN_PASSWORD" "$APPLE_TEMPKEYCHAIN_NAME"
+    security list-keychains -d user -s "$APPLE_TEMPKEYCHAIN_NAME" $(security list-keychains -d user | tr -d '"')
+    security set-keychain-settings "$APPLE_TEMPKEYCHAIN_NAME"
+    security import dev.p12 -k "$APPLE_TEMPKEYCHAIN_NAME" -P "$APPLE_P12_PASSWORD" -T "/usr/bin/codesign"
+    security set-key-partition-list -S apple-tool:,apple: -s -k "$APPLE_TEMPKEYCHAIN_PASSWORD" -D "$APPLE_CODESIGN_IDENTITY" -t private "$APPLE_TEMPKEYCHAIN_NAME"
+    security default-keychain -d user -s "$APPLE_TEMPKEYCHAIN_NAME"
+    security unlock-keychain -p "$APPLE_TEMPKEYCHAIN_PASSWORD" "$APPLE_TEMPKEYCHAIN_NAME"
+
+    # sign the binary
+    codesign -o runtime --force --timestamp -s "$APPLE_CODESIGN_IDENTITY" -v $FILE_PATH
+
+    # notarize binary
+    ditto -c -k $FILE_PATH $FILE_NAME.zip # notarization require zip files
+    xcrun notarytool store-credentials --apple-id [email protected] --password "$APPLE_CRED" --team-id "$APPLE_TEAMID" altool
+    xcrun notarytool submit $FILE_NAME.zip --keychain-profile altool --wait
+done