CI #570
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: CI | |
"on": | |
push: | |
branches: | |
- trunk | |
pull_request: | |
branches: | |
- trunk | |
schedule: | |
- cron: "0 0 * * TUE" | |
jobs: | |
gpg-sign: | |
name: GPG Signing | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout repository | |
uses: actions/[email protected] | |
- name: Setup Python | |
uses: actions/[email protected] | |
- name: Install Python dependencies | |
run: | | |
python3 -m venv --upgrade-deps venv | |
venv/bin/pip install --upgrade pip wheel | |
venv/bin/pip install --require-hashes -r requirements.txt | |
- name: Clone Artichoke | |
uses: actions/[email protected] | |
with: | |
repository: artichoke/artichoke | |
path: artichoke | |
# ``` | |
# $ gpg --fingerprint --with-subkey-fingerprints [email protected] | |
# pub ed25519 2021-01-03 [SC] | |
# C983 8F10 4021 F59E E6F6 BCBE B199 D034 7FDA 14A4 | |
# uid [ultimate] Code signing for Artichoke Ruby <[email protected]> | |
# sub cv25519 2021-01-03 [E] | |
# 7719 1B6D 83B2 F4E8 5197 125B A9A3 F70E 710A 15AA | |
# sub ed25519 2021-01-03 [S] | |
# 1C4A 856A CF86 EC1E E841 180F AF57 A37C AC06 1452 | |
# ``` | |
- name: Import GPG key | |
id: import_gpg | |
uses: crazy-max/ghaction-import-gpg@72b6676b71ab476b77e676928516f6982eef7a41 # v5.3.0 | |
with: | |
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} | |
passphrase: ${{ secrets.GPG_SIGNING_KEY_PASSPHRASE }} | |
fingerprint: 1C4A856ACF86EC1EE841180FAF57A37CAC061452 | |
- name: List keys | |
run: gpg -K | |
- name: Build release artifacts | |
working-directory: artichoke | |
run: cargo build --verbose --release | |
- name: GPG sign binary | |
id: gpg_signing | |
run: venv/bin/python3 gpg_sign.py "nightly-gpg-sign-test" --artifact artichoke/target/release/artichoke | |
- name: Verify GPG signature | |
run: gpg --batch --verify "${{ steps.gpg_signing.outputs.signature }}" artichoke/target/release/artichoke | |
apple-codesign: | |
name: Apple Codesigning | |
runs-on: macos-latest | |
steps: | |
- name: Checkout repository | |
uses: actions/[email protected] | |
- name: Setup Python | |
uses: actions/[email protected] | |
- name: Install Python dependencies | |
run: | | |
python3 -m venv --upgrade-deps venv | |
venv/bin/pip install --upgrade pip wheel | |
venv/bin/pip install --require-hashes -r requirements.txt | |
- name: Clone Artichoke | |
uses: actions/[email protected] | |
with: | |
repository: artichoke/artichoke | |
path: artichoke | |
- name: Build release artifacts | |
working-directory: artichoke | |
run: cargo build --verbose --release | |
# This will codesign binaries in place which means that the tarballed | |
# binaries will be codesigned as well. | |
- name: Run Apple Codesigning and Notarization | |
id: apple_codesigning | |
if: runner.os == 'macOS' | |
run: | | |
venv/bin/python3 macos_sign_and_notarize.py "nightly-apple-codesign-test" \ | |
--binary "artichoke/target/release/artichoke" \ | |
--binary "artichoke/target/release/airb" \ | |
--resource artichoke/LICENSE \ | |
--resource artichoke/README.md \ | |
--dmg-icon-url "https://artichoke.github.io/logo/Artichoke-dmg.icns" | |
env: | |
MACOS_NOTARIZE_APP_PASSWORD: ${{ secrets.MACOS_NOTARIZE_APP_PASSWORD }} | |
MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }} | |
MACOS_CERTIFICATE_PASSPHRASE: ${{ secrets.MACOS_CERTIFICATE_PASSPHRASE }} | |
- name: Verify code signature | |
run: | | |
codesign --verify --check-notarization --deep --strict=all artichoke/target/release/artichoke | |
codesign --verify --check-notarization --deep --strict=all artichoke/target/release/airb | |
- name: Verify DMG code signature | |
run: spctl -a -t open --context context:primary-signature "${{ steps.apple_codesigning.outputs.asset }}" -v | |
python: | |
name: Lint and format Python | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout repository | |
uses: actions/[email protected] | |
- name: Setup Python | |
uses: actions/[email protected] | |
- name: Install Python dependencies | |
run: | | |
python3 -m venv --upgrade-deps venv | |
venv/bin/pip install --upgrade pip wheel | |
venv/bin/pip install --require-hashes -r requirements.txt | |
- name: Run black | |
run: venv/bin/black --check --diff --verbose . | |
- name: Run ruff | |
run: venv/bin/ruff --format=github . | |
- name: Run mypy | |
run: venv/bin/mypy . | |
ruby: | |
name: Lint and format Ruby | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout repository | |
uses: actions/[email protected] | |
- name: Install Ruby toolchain | |
uses: ruby/setup-ruby@250fcd6a742febb1123a77a841497ccaa8b9e939 # v1.152.0 | |
with: | |
ruby-version: ".ruby-version" | |
bundler-cache: true | |
- name: Lint and check formatting with Rubocop | |
run: bundle exec rubocop --format github | |
text: | |
name: Lint and format text | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout repository | |
uses: actions/[email protected] | |
- name: Format with prettier | |
run: npx prettier --check '**/*' | |
- name: Lint YAML sources with yamllint | |
run: | | |
yamllint --version | |
echo "Linting YAML sources with yamllint ..." | |
yamllint --strict --format github . | |
echo "OK" |