forked from rancher-sandbox/rancher-desktop
-
Notifications
You must be signed in to change notification settings - Fork 0
285 lines (277 loc) · 9.9 KB
/
package.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
name: Package
on:
pull_request:
paths-ignore:
- '.github/actions/spelling/**'
- 'docs/**'
- '**.md'
push:
branches:
- main
- release-*
tags:
- '*'
workflow_dispatch:
inputs:
sign:
type: boolean
default: true
description: Whether to check signing result
defaults:
run:
shell: bash
jobs:
check-paths:
uses: ./.github/workflows/paths-ignore.yaml
with:
paths-ignore-globs: |
.github/actions/spelling/**
docs/**
**.md
package:
needs: check-paths
if: needs.check-paths.outputs.should-run == 'true'
strategy:
matrix:
include:
- platform: mac
arch: x86_64
runs-on: macos-13
- platform: mac
arch: aarch64
runs-on: macos-latest
- platform: win
runs-on: windows-2019
- platform: linux
runs-on: ubuntu-20.04
runs-on: ${{ matrix.runs-on }}
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
# Needed to run `git describe` to get full version info
fetch-depth: 0
- uses: actions/setup-node@v4
with:
node-version-file: package.json
cache: yarn
- uses: actions/setup-python@v5
with:
python-version: '3.x'
- uses: actions/setup-go@v5
with:
go-version-file: go.work
cache-dependency-path: src/go/**/go.sum
- name: Install Windows dependencies
if: runner.os == 'Windows'
shell: powershell
run: .\scripts\windows-setup.ps1 -SkipVisualStudio -SkipTools
- name: Flag build for M1
if: matrix.arch == 'aarch64' && matrix.platform == 'mac'
run: echo "M1=1" >> "${GITHUB_ENV}"
- run: pip install setuptools
- # Needs a network timeout for macos & windows. See https://github.com/yarnpkg/yarn/issues/8242 for more info
run: yarn install --frozen-lockfile --network-timeout 1000000
- run: yarn build
- run: yarn package
- name: Build bats.tar.gz
if: matrix.platform == 'linux'
run: make -C bats bats.tar.gz
- name: Upload bats.tar.gz
uses: actions/upload-artifact@v4
if: matrix.platform == 'linux'
with:
name: bats.tar.gz
path: bats/bats.tar.gz
if-no-files-found: error
- name: Upload mac disk image
uses: actions/upload-artifact@v4
if: matrix.platform == 'mac'
with:
name: Rancher Desktop.${{ matrix.arch }}.dmg
path: dist/Rancher Desktop*.dmg
if-no-files-found: error
- name: Upload mac zip
uses: actions/upload-artifact@v4
if: matrix.platform == 'mac'
with:
name: Rancher Desktop-mac.${{ matrix.arch }}.zip
path: dist/Rancher Desktop*.zip
if-no-files-found: error
- name: Upload Windows installer
uses: actions/upload-artifact@v4
if: matrix.platform == 'win'
with:
name: Rancher Desktop Setup.msi
path: dist/Rancher.Desktop*.msi
if-no-files-found: error
- name: Upload Windows zip
uses: actions/upload-artifact@v4
if: matrix.platform == 'win'
with:
name: Rancher Desktop-win.zip
path: dist/Rancher Desktop-*-win.zip
if-no-files-found: error
- name: Upload Linux zip
uses: actions/upload-artifact@v4
if: matrix.platform == 'linux'
with:
name: Rancher Desktop-linux.zip
path: dist/rancher-desktop-*-linux.zip
if-no-files-found: error
- name: Trigger OBS build
if: matrix.platform == 'linux' && github.ref_type == 'branch' && ( startsWith(github.ref_name, 'main') || startsWith(github.ref_name, 'release-') )
run: |
if [[ -z $AWS_ACCESS_KEY_ID ]] || [[ -z $OBS_WEBHOOK_TOKEN ]]; then
echo "Secrets unavailable, skipping."
exit 0
fi
# in pull requests GITHUB_REF_NAME is in the form "<pr_number>/merge";
# remove slashes since they aren't valid in filenames
no_slash_ref_name="${GITHUB_REF_NAME//\//-}"
zip_name="rancher-desktop-linux-${no_slash_ref_name}.zip"
# Copy zip file to S3
aws s3 cp \
dist/rancher-desktop-*-linux.zip \
"s3://rancher-desktop-assets-for-obs/$zip_name"
# Trigger OBS services for relevant package in dev channel
curl -X POST \
-H "Authorization: Token ${OBS_WEBHOOK_TOKEN}" \
"https://build.opensuse.org/trigger/runservice?project=isv:Rancher:dev&package=rancher-desktop-${GITHUB_REF_NAME}"
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: us-east-1
OBS_WEBHOOK_TOKEN: ${{ secrets.OBS_WEBHOOK_TOKEN }}
sign-win:
name: Test Signing (Windows)
needs: package
runs-on: windows-2022
if: >-
(github.event_name == 'push' && github.ref == 'refs/heads/main') ||
(github.event_name == 'push' && startsWith(github.ref, 'refs/heads/release-')) ||
(github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')) ||
(github.event_name == 'workflow_dispatch' && github.event.inputs.sign)
permissions:
contents: read
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- name: Install Windows dependencies
shell: powershell
run: .\scripts\windows-setup.ps1 -SkipVisualStudio -SkipTools
- uses: actions/setup-go@v5
with:
go-version-file: go.work
cache-dependency-path: src/go/**/go.sum
- uses: actions/setup-node@v4
with:
node-version-file: package.json
cache: yarn
# Needs a network timeout for macos & windows. See https://github.com/yarnpkg/yarn/issues/8242 for more info
- run: yarn install --frozen-lockfile --network-timeout 1000000
- uses: actions/download-artifact@v4
name: Download artifact
with:
name: Rancher Desktop-win.zip
- name: Generate test signing certificate
shell: powershell
run: |
$cert = New-SelfSignedCertificate `
-Type Custom `
-Subject "CN=Rancher-Sandbox, C=CA" `
-KeyUsage DigitalSignature `
-CertStoreLocation Cert:\CurrentUser\My `
-FriendlyName "Rancher-Sandbox Code Signing" `
-TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3", "2.5.29.19={text}")
Write-Output $cert
Write-Output "CSC_FINGERPRINT=$($cert.Thumbprint)" `
| Out-File -Append -Encoding ASCII "${env:GITHUB_ENV}"
timeout-minutes: 1
- name: Sign artifact
shell: powershell
run: yarn sign (Get-Item "Rancher Desktop*-win.zip")
timeout-minutes: 10
- name: Verify installer signature
shell: powershell
run: |
$usedCert = (Get-AuthenticodeSignature -FilePath 'dist\Rancher*Desktop*.msi').SignerCertificate
Write-Output $usedCert
if ($usedCert.Thumbprint -ne $env:CSC_FINGERPRINT) {
Throw "Installer signed with wrong certificate"
}
timeout-minutes: 1
sign-mac:
name: Test Signing (macOS)
needs: package
strategy:
matrix:
include:
- arch: aarch64
# skip x86_64, we don't need to duplicate the testing for now.
runs-on: macos-latest
if: >-
(github.event_name == 'push' && github.ref == 'refs/heads/main') ||
(github.event_name == 'push' && startsWith(github.ref, 'refs/heads/release-')) ||
(github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')) ||
(github.event_name == 'workflow_dispatch' && github.event.inputs.sign)
permissions:
contents: read
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- uses: actions/setup-go@v5
with:
go-version-file: go.work
cache-dependency-path: src/go/**/go.sum
- uses: actions/setup-node@v4
with:
node-version-file: package.json
cache: yarn
# Needs a network timeout for macos & windows. See https://github.com/yarnpkg/yarn/issues/8242 for more info
- run: yarn install --frozen-lockfile --network-timeout 1000000
- uses: actions/download-artifact@v4
name: Download artifact
with:
name: Rancher Desktop-mac.${{ matrix.arch }}.zip
- name: Generate test signing certificate
run: |
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem \
-keyform pem -sha256 -days 3650 -nodes -subj \
"/C=CA/CN=RD Test Signing Key" \
-addext keyUsage=critical,digitalSignature \
-addext extendedKeyUsage=critical,codeSigning
# Create a custom keychain so we can unlock it properly.
security create-keychain -p "" tmp.keychain
security default-keychain -d user -s tmp.keychain
security unlock-keychain -p "" tmp.keychain
security set-keychain-settings -u tmp.keychain # Disable keychain auto-lock
security import key.pem -k tmp.keychain -t priv -A
security import cert.pem -k tmp.keychain -t cert -A
security set-key-partition-list -S apple-tool:,apple:,codesign: -s \
-k "" tmp.keychain
# Print out the valid certificates for debugging.
security find-identity
# Determine the key fingerprint.
awk_expr='/)/ { print $2 ; exit }'
hash="$(security find-identity | awk "$awk_expr")"
echo "CSC_FINGERPRINT=${hash}" >> "$GITHUB_ENV"
timeout-minutes: 1
- name: Flag build for M1
if: matrix.arch == 'aarch64'
run: echo "M1=1" >> "${GITHUB_ENV}"
- name: Sign artifact
run: |
for zip in Rancher\ Desktop-*mac*.zip; do
echo "::group::Signing ${zip}"
yarn sign --skip-notarize --skip-constraints "${zip}"
echo "::endgroup::"
done
timeout-minutes: 15
- name: Verify signature
run: |
codesign --verify --deep --strict --verbose=2 dist/*.dmg
codesign --verify --deep --strict --verbose=2 dist/*.zip
timeout-minutes: 5