-
Notifications
You must be signed in to change notification settings - Fork 178
430 lines (366 loc) · 18.4 KB
/
build-all.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
# Build and test on each commit. Create a release on tagged commits.
#
# Binaries on each platform are stripped. This removes debug symbols.
name: Build
on: [push]
jobs:
build-all:
name: ${{ matrix.os-name }}-build
runs-on: ${{ matrix.os }}
container: ${{ matrix.container }}
env:
GHC_VERSION: '9.4.8'
defaults:
run:
shell: bash
strategy:
matrix:
os: ['windows-latest', 'ubuntu-latest', 'macos-12', 'macos-latest']
include:
- os: ubuntu-latest
os-name: Linux
container: fossa/haskell-static-alpine:ghc-9.4.8
project-file: cabal.project.ci.linux
ghc: '9.4.8'
# macos-latest pointed at macos-12 this before it was changed to ARM.
- os: macos-12
os-name: macOS-intel
project-file: cabal.project.ci.macos
ghc: '9.4.8'
- os: windows-latest
os-name: Windows
project-file: cabal.project.ci.windows
ghc: '9.4.8'
- os: macos-latest
os-name: macOS-arm64
project-file: cabal.project.ci.macos
ghc: '9.4.8'
steps:
- uses: actions/checkout@v4
with:
lfs: true
fetch-depth: 2
- name: Install MacOS binary dependencies
if: ${{ contains(matrix.os, 'macos') }}
run: |
brew install jq
# Set up Haskell.
- uses: haskell-actions/setup@v2
id: setup-haskell
name: Setup ghc/cabal (non-alpine)
if: ${{ !contains(matrix.os, 'ubuntu') }}
with:
ghc-version: ${{ matrix.ghc }}
cabal-version: '3.10.2.1'
# Set up Rust.
# This action installs the 'minimal' profile.
- uses: dtolnay/rust-toolchain@stable
- name: Install additional Rust tooling
uses: taiki-e/install-action@v2
with:
tool: nextest
- uses: Swatinem/rust-cache@v2
- name: Debugging information
run: |
ghc --version || echo "no ghc"
cabal --version || echo "no cabal"
ghcup --version || echo "no ghcup"
rustc -V || echo "no rustc"
cargo -V || echo "no cargo"
# Linux builds are run in Alpine, which builds them statically;
# using jemalloc reduces the performance impact of this
# over the default libc allocator (which performs very poorly in static builds).
- name: Build Rust dependencies (Linux)
if: ${{ matrix.os-name == 'linux' }}
run: cargo build --features jemalloc --release
# Non-Linux environments generally don't need `jemalloc`
# and in particular Windows doesn't support it.
- name: Build Rust dependencies (non-Linux)
if: ${{ matrix.os-name != 'linux' }}
run: cargo build --release
# Run tests in release mode to reduce the need for rebuilds.
- name: Test Rust dependencies
run: cargo nextest run --release
- name: Ensure git ownership check does not lead to compiler error
run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
- name: Check git status and collect information
# https://github.com/actions/checkout/issues/760#issuecomment-1099519159
run: |
git status --porcelain
echo "parent_commit=$(git rev-parse HEAD^)" >> $GITHUB_ENV
# Compute cache key and save to a temporary file.
#
# We compute the cache key based on the solved install plan instead of just
# hashing the `.cabal` file, since there are many kinds of changes that will
# cause `.cabal` to change (e.g. adding new source modules).
- name: Compute cache key
id: compute-cache-key
env:
RUNNER_OS: ${{ runner.os }}
run: |
cabal --project-file=${{ matrix.project-file }} update
cabal --project-file=${{ matrix.project-file }} build --dry-run
cat dist-newstyle/cache/plan.json | jq '."install-plan"[]."id"' | sort > /tmp/cabal-cache-key
echo "Install plan:"
cat /tmp/cabal-cache-key
if [ "$RUNNER_OS" = "macOS" ]; then
PLAN_SUM=$(shasum -a256 /tmp/cabal-cache-key)
else
PLAN_SUM=$(sha256sum /tmp/cabal-cache-key)
fi
export CABAL_CACHE_KEY=$(echo $PLAN_SUM | awk '{print $1}')
echo "Cabal cache key: $CABAL_CACHE_KEY"
echo "cabal-cache-key=$CABAL_CACHE_KEY" >> $GITHUB_OUTPUT
# Build FOSSA CLI.
- uses: actions/cache@v4
name: Cache cabal store
with:
path: ${{ steps.setup-haskell.outputs.cabal-store || '~/.local/state/cabal' }}
key: ${{ matrix.os-name }}-${{ matrix.ghc }}-cabal-cache-${{ steps.compute-cache-key.outputs.cabal-cache-key }}
restore-keys: |
${{ matrix.os-name }}-${{ matrix.ghc }}-cabal-cache-
${{ matrix.os-name }}-${{ matrix.ghc }}-
${{ matrix.os-name }}-
- uses: actions/cache@v4
name: Cache dist-newstyle
with:
path: ${{ github.workspace }}/dist-newstyle
key: ${{ matrix.os-name }}-${{ env.GHC_VERSION }}-dist-newstyle-${{ github.sha }}
restore-keys: |
${{ matrix.os-name }}-${{ env.GHC_VERSION }}-dist-newstyle-${{ env.parent_commit }}
${{ matrix.os-name }}-${{ env.GHC_VERSION }}-dist-newstyle-
${{ matrix.os-name }}-${{ env.GHC_VERSION }}-
${{ matrix.os-name }}-
- name: Update vendored binaries
run: |
mkdir vendor-bins
./vendor_download.sh
env:
GITHUB_TOKEN: ${{ secrets.BASIS_ACCESS_TOKEN }}
- name: Build test data
run: |
make build-test-data
- name: Build
# Occasionally, we run out of memory on the build process.
# Since cabal uses incremental compilation, we can retry from where we left off
# by simply re-running cabal if we fail.
env:
RUN_CMD: cabal build --project-file=${{ matrix.project-file }} all
run: |
: # With dist-newstyle caches:
: # Cabal mainly knows to recompile based on changes to files.
: # Tagging in git doesn't reliably change a file in a fixed location that cabal/GHC can track to indicate that there's a new tag.
: # For our release process, we merge to master, which builds (and may store a dist-newstyle cache), then push a release tag.
: # During the tag build, cabal/GHC may not realize that they have to rebuild the Version.hs file because the tag is invisible to it.
: # This line adds a unique comment to our version source file to prompt cabal/GHC to rebuild Version.hs unconditionally.
echo "{- $RANDOM$RANDOM$RANDOM -}" >> src/App/Version.hs
cabal update
$RUN_CMD || $RUN_CMD
- name: Run unit tests
run: |
cabal test --project-file=${{ matrix.project-file }} unit-tests
- name: Validate diagnose commands run on the platform
run: |
cargo run --bin diagnose -- walk --trace-spans none --trace-level info
# Test cabal-install
- name: Test Cabal Install (Linux)
if: ${{ contains(matrix.os, 'linux') }}
run: cabal install --overwrite-policy=always --project=${{ matrix.project-file }} --ghc-options="-Wwarn"
# Save artifacts.
- name: Find and move binaries (Windows)
if: ${{ contains(matrix.os, 'windows') }}
run: |
mkdir release
find . -type f -path '*/fossa/fossa.exe' -exec cp {} release \;
./release/fossa.exe --version
cp target/release/diagnose.exe release
cp target/release/millhone.exe release
- name: Find and move binaries (non-Windows)
if: ${{ !contains(matrix.os, 'windows') }}
run: |
mkdir release
find . -type f -path '*/fossa/fossa' -exec cp {} release \;
./release/fossa --version
cp target/release/diagnose release
cp target/release/millhone release
- name: Strip binaries
run: |
strip release/*
- name: Sign and Notarize Binaries (Mac OS)
if: ${{ contains(matrix.os, 'macos') && startsWith(github.ref, 'refs/tags/v') }}
env:
MACOS_BUILD_CERT_BASE64: ${{ secrets.MACOS_BUILD_CERT_BASE64 }}
MACOS_BUILD_CERT_P12_PASSWORD: ${{ secrets.MACOS_BUILD_CERT_P12_PASSWORD }}
MACOS_KEYCHAIN_PASSWORD: ${{ secrets.MACOS_KEYCHAIN_PASSWORD }}
APPLE_NOTARIZATION_DEV_PASS: ${{ secrets.APPLE_NOTARIZATION_DEV_PASS }}
APPLE_NOTARIZATION_DEV_ID: ${{ secrets.APPLE_NOTARIZATION_DEV_ID }}
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
OS_NAME: ${{ matrix.os-name }}
run: |
# create variables
CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
# import certificate and provisioning profile from secrets
echo -n "$MACOS_BUILD_CERT_BASE64" | base64 --decode -o $CERTIFICATE_PATH
# create temporary keychain
security create-keychain -p "$MACOS_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
security unlock-keychain -p "$MACOS_KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
# import certificate to keychain
security import $CERTIFICATE_PATH -P "$MACOS_BUILD_CERT_P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
security list-keychain -d user -s $KEYCHAIN_PATH
chmod +x release/*
# '--options runtime' enables the hardened runtime: https://developer.apple.com/documentation/security/hardened_runtime
# On Apple Silicon there doesn't seem to be a default liblzma, and the one installed via homebrew is rejected.
# The entitlement line will relax that check.
# The hardened runtime is required for notarization.
if [ "$OS_NAME" = "macOS-arm64" ] ; then
codesign --entitlements .github/entitlements.plist --options runtime -s 'FOSSA, Inc.' release/fossa
else
# Intel does not need the entitlement to run liblzma, which is included in the base system.
codesign --options runtime -s 'FOSSA, Inc.' release/fossa
fi
codesign --options runtime -s 'FOSSA, Inc.' release/diagnose
codesign --options runtime -s 'FOSSA, Inc.' release/millhone
# Perform notarization
zip -rj notarization-archive.zip release
NOTARY_RESULTS=$(xcrun notarytool submit notarization-archive.zip --apple-id "$APPLE_NOTARIZATION_DEV_ID" --password "$APPLE_NOTARIZATION_DEV_PASS" --team-id "$APPLE_TEAM_ID" --wait)
echo "$NOTARY_RESULTS"
rm notarization-archive.zip
# The notarization tool doesn't set $?, so examine the output.
if ! echo "$NOTARY_RESULTS" | grep -q "status: Accepted"; then
exit 1
fi
- uses: actions/upload-artifact@v4
with:
name: ${{ matrix.os-name }}-binaries
path: release
create-release:
name: create-release
runs-on: ubuntu-latest
needs: ['build-all']
permissions:
id-token: write
contents: write
steps:
- uses: actions/download-artifact@v4
# Sets VERSION from git's tag or sha.
# refer to: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#example-of-setting-an-output-parameter
- name: Get version
id: get-version
run: |
case $GITHUB_REF in
refs/tags/v*)
# This strips the 'v' prefix from the tag.
echo "VERSION=${GITHUB_REF/refs\/tags\/v/}" >> "$GITHUB_OUTPUT"
;;
*)
echo "VERSION=${GITHUB_SHA}" >> "$GITHUB_OUTPUT"
;;
esac
- name: Check that version info was embedded correctly
if: ${{ startsWith(github.ref, 'refs/tags/v') }}
run: |
chmod +x Linux-binaries/fossa
echo $GITHUB_REF_NAME
echo $GITHUB_REF_TYPE
echo $GITHUB_SHA
echo ${GITHUB_SHA:0:12}
VERSION=$(echo $(Linux-binaries/fossa --version))
EXPECTED="fossa-cli version ${{ steps.get-version.outputs.VERSION }} (revision ${GITHUB_SHA:0:12} compiled with ghc-9.4)"
echo " VERSION: $VERSION"
echo "EXPECTED: $EXPECTED"
[ "$GITHUB_REF_TYPE" = "tag" ] && echo "Ref type OK"
[ "$VERSION" = "$EXPECTED" ] && echo "CLI version OK"
- name: Install Cosign
if: ${{ github.ref_type == 'tag' }}
uses: sigstore/[email protected]
- name: Sign Release (Linux)
if: ${{ github.ref_type == 'tag' }}
run: |
cosign version
cosign sign-blob --yes --bundle "Linux-binaries/fossa.bundle" "Linux-binaries/fossa"
cosign sign-blob --yes --bundle "Linux-binaries/diagnose.bundle" "Linux-binaries/diagnose"
cosign sign-blob --yes --bundle "Linux-binaries/millhone.bundle" "Linux-binaries/millhone"
- name: Verify Signatures
if: ${{ github.ref_type == 'tag' }}
run: |
cosign verify-blob --bundle "Linux-binaries/fossa.bundle" --certificate-oidc-issuer "https://token.actions.githubusercontent.com" --certificate-identity "https://github.com/$GITHUB_WORKFLOW_REF" "Linux-binaries/fossa"
cosign verify-blob --bundle "Linux-binaries/diagnose.bundle" --certificate-oidc-issuer "https://token.actions.githubusercontent.com" --certificate-identity "https://github.com/$GITHUB_WORKFLOW_REF" "Linux-binaries/diagnose"
cosign verify-blob --bundle "Linux-binaries/millhone.bundle" --certificate-oidc-issuer "https://token.actions.githubusercontent.com" --certificate-identity "https://github.com/$GITHUB_WORKFLOW_REF" "Linux-binaries/millhone"
# This uses names compatible with our install script.
#
# Originally, CLI >=2.x Linux releases were only packaged as zip files, but
# we added tar.gz to improve compatibility. Our install script depends on
# the unzip command, which is not installed in most Linux distributions by
# default. To avoid breaking compatibility with older install scripts, we
# release both formats but default to using tar.gz when installing.
- name: Bundle binaries
env:
LINUX_FOSSA_TAR_PATH: "release/fossa_${{ steps.get-version.outputs.VERSION }}_linux_amd64.tar"
LINUX_FOSSA_ZIP_PATH: "release/fossa_${{ steps.get-version.outputs.VERSION }}_linux_amd64.zip"
LINUX_DIAGNOSE_TAR_PATH: "release/diagnose_${{ steps.get-version.outputs.VERSION }}_linux_amd64.tar"
LINUX_DIAGNOSE_ZIP_PATH: "release/diagnose_${{ steps.get-version.outputs.VERSION }}_linux_amd64.zip"
LINUX_MILLHONE_TAR_PATH: "release/millhone_${{ steps.get-version.outputs.VERSION }}_linux_amd64.tar"
LINUX_MILLHONE_ZIP_PATH: "release/millhone_${{ steps.get-version.outputs.VERSION }}_linux_amd64.zip"
run: |
mkdir release
ls -R
chmod +x Linux-binaries/*
zip -j "$LINUX_FOSSA_ZIP_PATH" Linux-binaries/fossa
zip -j "$LINUX_DIAGNOSE_ZIP_PATH" Linux-binaries/diagnose
zip -j "$LINUX_MILLHONE_ZIP_PATH" Linux-binaries/millhone
tar --create --verbose --file "$LINUX_FOSSA_TAR_PATH" --directory Linux-binaries fossa
tar --create --verbose --file "$LINUX_DIAGNOSE_TAR_PATH" --directory Linux-binaries diagnose
tar --create --verbose --file "$LINUX_MILLHONE_TAR_PATH" --directory Linux-binaries millhone
if [ "$GITHUB_REF_TYPE" = "tag" ]; then
tar --append --file "$LINUX_FOSSA_TAR_PATH" --directory Linux-binaries fossa.bundle
tar --append --file "$LINUX_DIAGNOSE_TAR_PATH" --directory Linux-binaries diagnose.bundle
tar --append --file "$LINUX_MILLHONE_TAR_PATH" --directory Linux-binaries millhone.bundle
zip -j "$LINUX_FOSSA_ZIP_PATH" Linux-binaries/fossa.bundle
zip -j "$LINUX_DIAGNOSE_ZIP_PATH" Linux-binaries/diagnose.bundle
zip -j "$LINUX_MILLHONE_ZIP_PATH" Linux-binaries/millhone.bundle
fi
gzip "$LINUX_FOSSA_TAR_PATH"
gzip "$LINUX_DIAGNOSE_TAR_PATH"
gzip "$LINUX_MILLHONE_TAR_PATH"
chmod +x macOS-intel-binaries/*
zip -j release/fossa_${{ steps.get-version.outputs.VERSION }}_darwin_amd64.zip macOS-intel-binaries/fossa
zip -j release/diagnose_${{ steps.get-version.outputs.VERSION }}_darwin_amd64.zip macOS-intel-binaries/diagnose
zip -j release/millhone_${{ steps.get-version.outputs.VERSION }}_darwin_amd64.zip macOS-intel-binaries/millhone
chmod +x macOS-arm64-binaries/*
zip -j release/fossa_${{ steps.get-version.outputs.VERSION }}_darwin_arm64.zip macOS-arm64-binaries/fossa
zip -j release/diagnose_${{ steps.get-version.outputs.VERSION }}_darwin_arm64.zip macOS-arm64-binaries/diagnose
zip -j release/millhone_${{ steps.get-version.outputs.VERSION }}_darwin_arm64.zip macOS-arm64-binaries/millhone
chmod +x Windows-binaries/*
zip -j release/fossa_${{ steps.get-version.outputs.VERSION }}_windows_amd64.zip Windows-binaries/fossa.exe
zip -j release/diagnose_${{ steps.get-version.outputs.VERSION }}_windows_amd64.zip Windows-binaries/diagnose.exe
zip -j release/millhone_${{ steps.get-version.outputs.VERSION }}_windows_amd64.zip Windows-binaries/millhone.exe
- name: Create checksums
# We have to run from within the release dir so that "release" isn't prepended to the relative path of the zip file.
run: |
cd release
sha256sum --binary "fossa_${{ steps.get-version.outputs.VERSION }}_linux_amd64.zip" > "fossa_${{ steps.get-version.outputs.VERSION }}_linux_amd64.zip.sha256"
sha256sum --binary "fossa_${{ steps.get-version.outputs.VERSION }}_linux_amd64.tar.gz" > "fossa_${{ steps.get-version.outputs.VERSION }}_linux_amd64.tar.gz.sha256"
sha256sum --binary "fossa_${{ steps.get-version.outputs.VERSION }}_darwin_amd64.zip" > "fossa_${{ steps.get-version.outputs.VERSION }}_darwin_amd64.zip.sha256"
sha256sum --binary "fossa_${{ steps.get-version.outputs.VERSION }}_darwin_arm64.zip" > "fossa_${{ steps.get-version.outputs.VERSION }}_darwin_arm64.zip.sha256"
sha256sum --binary "fossa_${{ steps.get-version.outputs.VERSION }}_windows_amd64.zip" > "fossa_${{ steps.get-version.outputs.VERSION }}_windows_amd64.zip.sha256"
echo "Sanity-checking the checksums."
cat *.sha256 | sha256sum --check --status
# Uploads the generated archives (tar.gz/zip) as build artifacts to allow
# verifying them without needing to do an actual release. This step does not
# need to run for tagged release versions.
- name: Upload release archives
if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
uses: actions/upload-artifact@v4
with:
name: release-archives
path: release
- name: Release
if: ${{ startsWith(github.ref, 'refs/tags/v') }}
uses: softprops/action-gh-release@v1
with:
files: release/*
draft: true
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}