-
Notifications
You must be signed in to change notification settings - Fork 32
223 lines (215 loc) · 8.56 KB
/
main.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
name: CI
on:
push:
branches:
- master
pull_request:
branches:
- master
workflow_dispatch:
inputs:
dist_root:
description: 'DIST_ROOT'
required: true
default: '/ipns/dist.ipfs.tech'
env:
DIST_ROOT: ${{ github.event.inputs.custom_dist_root || '/ipns/dist.ipfs.tech' }} # content root used for calculating diff to build
KUBO_VER: 'v0.27.0' # kubo daemon used for chunking and applying diff
CLUSTER_CTL_VER: 'v1.0.8' # ipfs-cluster-ctl used for pinning
concurrency:
# we want only one job running at the time because it is expensive
# expecially when building artifact for multiple platforms
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
# IMPORTANT: we want to save resources and cancel old builds on PRs,
# but we can't cancel jobs in master branch because they update DNSLink
# which is used as DIST_ROOT of the next job, so if we cancel a master job
# we will "forget" about releases added in skipped build.
cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
jobs:
build:
runs-on: ${{ fromJSON(vars.CI_BUILD_RUNS_ON || '"ubuntu-latest"') }}
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: '16'
- env:
CLUSTER_USER: ${{ secrets.CLUSTER_USER }}
CLUSTER_PASSWORD: ${{ secrets.CLUSTER_PASSWORD }}
uses: ./.github/actions/setup-ipfs
timeout-minutes: 30
- name: Build any new ./releases
run: ./dockerized make all_dists
- name: Inspect git status and contents of ./releases
run: git status && ls -Rhl ./releases
- name: Temporarily save ./releases artifacts
uses: actions/upload-artifact@v3
with:
name: releases-unsigned-diff
path: releases
retention-days: 3
lint:
runs-on: "ubuntu-latest"
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: '16'
- run: npm ci --no-audit --progress=false
- run: npm run lint
sign-macos:
runs-on: "macos-latest"
needs: build
concurrency:
# notarization depends on remote HTTP service provided by Apple
# and we want to have only one instance at a time, across all branches
# and PRs to avoid triggering throttling / blacklisting when multiple
# jobs try to notarize at the same time
group: sign-macos
# never cancel ongoing notarization, it could be one for master branch
cancel-in-progress: false
steps:
- uses: actions/checkout@v4
- name: Retrieve unsigned artifacts
uses: actions/download-artifact@v3
with:
name: releases-unsigned-diff
path: releases
continue-on-error: true # skip if no releases
- name: List ./releases before
run: ls -Rhl ./releases || echo "No ./releases"
- name: Install dependencies of sign-new-macos-releases.sh
run: |
brew install ipfs coreutils gawk gnu-sed jq
- name: Set up rcodesign rust tool (TODO)
if: false
run: |
cargo install apple-codesign
- name: Import Keychain Certs
# if this ever breaks, we should replace this magic with epxlicit security commands executed inside of it via.. nodejs
# prior art: https://github.com/lando/code-sign-action/blob/f35d0b777ee592c758351252fa3f0d58f21e5129/action.yml#L106-L123
uses: apple-actions/import-codesign-certs@8f3fb608891dd2244cdab3d69cd68c0d37a7fe93 # v2
with:
p12-file-base64: ${{ secrets.APPLE_CERTS_P12 }}
p12-password: ${{ secrets.APPLE_CERTS_PASS }}
- name: Verify identity used for signing
run: security find-identity -v
- name: Secrets for signing (TODO rcodesign)
# TODO: revisit switch to rcodesign once we have to switch mode due to move to new org
# we dont use this yet, we use codesign from Apple and run on macOS
# because rcodesign errored on 'invalid password'
if: false
run: |
echo -n "${{ secrets.APPLE_CERTS_P12 }}" | base64 --decode > ~/.apple-certs.p12
echo -n "{{ secrets.APPLE_CERTS_PASS }}" > ~/.apple-certs.pass
- name: Secrets for notarization (TODO rcodesign)
# TODO: revisit switch to rcodesign once we have to switch mode due to move to new org
# we dont use this yet, we use notarytool from Apple and run on macOS
# because (afaik) rcodesign does not support App-specific password mode
# we use for legacy reasons
if: false
run: |
rcodesign encode-app-store-connect-api-key \
"${{ secrets.APPLE_APIKEY_ISSUER_ID }}" \
"${{ secrets.APPLE_APIKEY_ID }}" \
"${{ secrets.APPLE_APIKEY_FILE }}" \
> ~/.apple-api-key
- name: Kubo init
run: ipfs init --profile test # needed for calculating NEW_CID in sign-new-macos-releases.sh
- name: Sign any new releases
run: ./scripts/ci/sign-new-macos-releases.sh
env:
WORK_DIR: ${{ github.workspace }}
APPLE_AC_USERNAME: ${{ secrets.APPLE_AC_USERNAME }}
APPLE_AC_PASSWORD: ${{ secrets.APPLE_AC_PASSWORD }}
APPLE_AC_TEAM_ID: ${{ secrets.APPLE_AC_TEAM_ID }}
- name: List ./releases after
run: ls -Rhl ./releases || echo "No ./releases"
- name: Temporarily save notarized artifacts
uses: actions/upload-artifact@v3
with:
name: releases-signed-macos-diff
path: releases
retention-days: 3
continue-on-error: true # skip if no releases
persist:
runs-on: ${{ fromJSON(vars.CI_BUILD_RUNS_ON || '"ubuntu-latest"') }}
needs: sign-macos
environment: Deploy
steps:
- name: Setup node
uses: actions/setup-node@v4
with:
node-version: '16'
- uses: actions/checkout@v4
- name: Retrieve signed artifacts
uses: actions/download-artifact@v3
continue-on-error: true # skip if no releases
with:
name: releases-signed-macos-diff
path: releases
- name: List ./releases
run: ls -Rhl ./releases || echo "No ./releases"
- env:
CLUSTER_USER: ${{ secrets.CLUSTER_USER }}
CLUSTER_PASSWORD: ${{ secrets.CLUSTER_PASSWORD }}
uses: ./.github/actions/setup-ipfs
timeout-minutes: 30
- run: ./dockerized make publish
- run: git status
- name: Read CID of updated DAG
id: cid-reader
run: echo "CID=$(tail -1 ./versions)" >> $GITHUB_OUTPUT
- name: Pin new website to ipfs-websites.collab.ipfscluster.io
run: ./scripts/ci/pin-to-cluster.sh
env:
PIN_CID: ${{ steps.cid-reader.outputs.CID }}
PIN_NAME: "https://github.com/ipfs/distributions/commits/${{ github.sha }}"
PIN_ADD_EXTRA_ARGS: ""
CLUSTER_USER: ${{ secrets.CLUSTER_USER }}
CLUSTER_PASSWORD: ${{ secrets.CLUSTER_PASSWORD }}
timeout-minutes: 60
- name: Update PR status with preview link
run: ./scripts/ci/github-preview-link.sh
env:
CONTENT_PATH: "/ipfs/${{ steps.cid-reader.outputs.CID }}/"
GIT_REVISION: ${{ github.sha }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- run: ./dockerized make diff
if: github.event_name == 'pull_request'
- uses: actions/upload-artifact@v3
if: github.event_name == 'pull_request'
with:
name: diff
path: diff
- uses: actions/setup-go@v4
if: github.ref == 'refs/heads/master'
with:
go-version: "1.20.x"
- name: Update _dnslink.dist.ipfs.tech (if on the main branch)
if: github.ref == 'refs/heads/master'
run: |
go install github.com/ipfs/[email protected]
dnslink-dnsimple --domain dist.ipfs.tech --record _dnslink --link /ipfs/${{ steps.cid-reader.outputs.CID }}
env:
DNSIMPLE_TOKEN: ${{ secrets.DNSIMPLE_TOKEN }}
diff:
needs: persist
if: github.event_name == 'pull_request'
runs-on: ubuntu-latest
steps:
- uses: actions/download-artifact@v3
with:
name: diff
- name: Create comment with the diff
uses: actions/github-script@v6
with:
script: |
const fs = require('fs').promises
const diff = await fs.readFile('diff', 'utf8')
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: ${{ github.event.number }},
body: diff
})