Skip to content

CI

CI #751

Workflow file for this run

---
name: CI
"on":
push:
branches:
- trunk
pull_request:
branches:
- trunk
schedule:
- cron: "0 0 * * TUE"
jobs:
gpg-sign:
name: GPG Signing
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/[email protected]
- name: Setup Python
uses: actions/[email protected]
with:
python-version-file: ".python-version"
- name: Set Python executable path based on OS
shell: bash
run: |
if [[ "$RUNNER_OS" == "Windows" ]]; then
echo "VENV_PYTHON=venv\\Scripts\\python" >> $GITHUB_ENV
else
echo "VENV_PYTHON=venv/bin/python3" >> $GITHUB_ENV
fi
- name: Install Python dependencies
shell: bash
run: |
python3 -m venv --upgrade-deps venv
$VENV_PYTHON -m pip install --upgrade pip wheel
$VENV_PYTHON -m pip install --require-hashes -r requirements.txt
- name: Clone Artichoke
uses: actions/[email protected]
with:
repository: artichoke/artichoke
path: artichoke
# ```
# $ gpg --fingerprint --with-subkey-fingerprints [email protected]
# pub ed25519 2021-01-03 [SC]
# C983 8F10 4021 F59E E6F6 BCBE B199 D034 7FDA 14A4
# uid [ultimate] Code signing for Artichoke Ruby <[email protected]>
# sub cv25519 2021-01-03 [E]
# 7719 1B6D 83B2 F4E8 5197 125B A9A3 F70E 710A 15AA
# sub ed25519 2021-01-03 [S]
# 1C4A 856A CF86 EC1E E841 180F AF57 A37C AC06 1452
# ```
- name: Import GPG key
id: import_gpg
uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0
with:
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.GPG_SIGNING_KEY_PASSPHRASE }}
fingerprint: 1C4A856ACF86EC1EE841180FAF57A37CAC061452
# Set the GPG key to full trust (value 4) to ensure reliable signing
# and verification in CI. Full trust balances security and practicality
# in automated environments, avoiding prompts or failures that can
# occur with marginal trust, while not compromising security like
# ultimate trust.
trust_level: 4
- name: List keys
run: gpg -K
- name: Build release artifacts
working-directory: artichoke
run: cargo build --verbose --release
- name: GPG sign binary
shell: bash
id: gpg_signing
run: |
$VENV_PYTHON -m artichoke_nightly.gpg_sign \
"nightly-gpg-sign-test" \
--artifact artichoke/target/release/artichoke
- name: Verify GPG signature
run: gpg --batch --verify "${{ steps.gpg_signing.outputs.signature }}" artichoke/target/release/artichoke
apple-codesign:
name: Apple Codesigning
runs-on: macos-latest
steps:
- name: Checkout repository
uses: actions/[email protected]
- name: Setup Python
uses: actions/[email protected]
with:
python-version-file: ".python-version"
- name: Set Python executable path based on OS
shell: bash
run: |
if [[ "$RUNNER_OS" == "Windows" ]]; then
echo "VENV_PYTHON=venv\\Scripts\\python" >> $GITHUB_ENV
else
echo "VENV_PYTHON=venv/bin/python3" >> $GITHUB_ENV
fi
- name: Install Python dependencies
shell: bash
run: |
python3 -m venv --upgrade-deps venv
$VENV_PYTHON -m pip install --upgrade pip wheel
$VENV_PYTHON -m pip install --require-hashes -r requirements.txt
- name: Clone Artichoke
uses: actions/[email protected]
with:
repository: artichoke/artichoke
path: artichoke
- name: Build release artifacts
working-directory: artichoke
run: cargo build --verbose --release
# This will codesign binaries in place which means that the tarballed
# binaries will be codesigned as well.
- name: Run Apple Codesigning and Notarization
shell: bash
id: apple_codesigning
if: runner.os == 'macOS'
run: |
$VENV_PYTHON -m artichoke_nightly.macos_sign_and_notarize "nightly-apple-codesign-test" \
--binary "artichoke/target/release/artichoke" \
--binary "artichoke/target/release/airb" \
--resource artichoke/LICENSE \
--resource artichoke/README.md \
--dmg-icon-url "https://artichoke.github.io/logo/Artichoke-dmg.icns"
env:
MACOS_NOTARIZE_APP_PASSWORD: ${{ secrets.MACOS_NOTARIZE_APP_PASSWORD }}
MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
MACOS_CERTIFICATE_PASSPHRASE: ${{ secrets.MACOS_CERTIFICATE_PASSPHRASE }}
- name: Verify code signature
run: |
codesign --verify --check-notarization --deep --strict=all artichoke/target/release/artichoke
codesign --verify --check-notarization --deep --strict=all artichoke/target/release/airb
- name: Verify DMG code signature
run: spctl -a -t open --context context:primary-signature "${{ steps.apple_codesigning.outputs.asset }}" -v
python:
name: Lint and format Python
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/[email protected]
- name: Setup Python
uses: actions/[email protected]
with:
python-version-file: ".python-version"
- name: Set Python executable path based on OS
shell: bash
run: |
if [[ "$RUNNER_OS" == "Windows" ]]; then
echo "VENV_PYTHON=venv\\Scripts\\python" >> $GITHUB_ENV
else
echo "VENV_PYTHON=venv/bin/python3" >> $GITHUB_ENV
fi
- name: Install Python dependencies
shell: bash
run: |
python3 -m venv --upgrade-deps venv
$VENV_PYTHON -m pip install --upgrade pip wheel
$VENV_PYTHON -m pip install --require-hashes -r dev-requirements.txt
- name: Run black
run: $VENV_PYTHON -m black --check --diff --verbose .
- name: Run ruff
run: $VENV_PYTHON -m ruff check --output-format=github .
- name: Run mypy
run: $VENV_PYTHON -m mypy .
ruby:
name: Lint and format Ruby
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/[email protected]
- name: Install Ruby toolchain
uses: ruby/setup-ruby@a6e6f86333f0a2523ece813039b8b4be04560854 # v1.190.0
with:
ruby-version: ".ruby-version"
bundler-cache: true
- name: Lint and check formatting with Rubocop
run: bundle exec rubocop --format github
text:
name: Lint and format text
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/[email protected]
- name: Setup Node.js runtime
uses: actions/[email protected]
with:
node-version: "lts/*"
- name: Install toolchain
run: npm ci
- name: Lint and check formatting with prettier
run: npx prettier --check '**/*'
- name: Lint YAML sources with yamllint
run: |
yamllint --version
echo "Linting YAML sources with yamllint ..."
yamllint --strict --format github .
echo "OK"