ADVANCED

nuxeo · Aug 1, 2024 · 7225e04 · 7225e04
2 parents 6e92012 + dc5fc49
commit 7225e04
Show file tree

Hide file tree

Showing 62 changed files with 2,863 additions and 364 deletions.
diff --git a/.github/workflows/alpha_cleanup.yml b/.github/workflows/alpha_cleanup.yml
@@ -24,11 +24,21 @@ jobs:
         with:
           fetch-depth: "0"
 
-      - name: Install SSH key
+      - name: Install SSH key for Bastion
         uses: shimataro/ssh-key-action@v2
         with:
-          key: ${{ secrets.SSH_PRIV_KEY }}
-          known_hosts: ${{ secrets.SSH_KNOWN_HOST_DEPLOY }}
+          key: ${{ secrets.DEV_TOOLS_BASTION_PRIVATE_KEY }}
+          name: id_rsa-bastion
+          known_hosts: ${{ secrets.KNOWN_HOSTS_OF_BASTION }}
+          config: ${{ secrets.CONFIG }}
+
+      - name: Install SSH key of target
+        uses: shimataro/ssh-key-action@v2
+        with:
+          key: ${{ secrets.DEV_TOOLS_EC2_PRIVATE_KEY }}
+          name: id_rsa-target
+          known_hosts: ${{ secrets.KNOWN_HOSTS_OF_TARGET }}
+          config: ${{ secrets.CONFIG }}
 
       - name: Clean-up old versions
         run: bash tools/cleanup.sh ${{ github.event.inputs.appVersion }}
diff --git a/.github/workflows/beta_to_prod.yml b/.github/workflows/beta_to_prod.yml
@@ -16,11 +16,21 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
-      - name: Install SSH key
+      - name: Install SSH key for Bastion
         uses: shimataro/ssh-key-action@v2
         with:
-          key: ${{ secrets.SSH_PRIV_KEY }}
-          known_hosts: ${{ secrets.SSH_KNOWN_HOST_DEPLOY }}
+          key: ${{ secrets.DEV_TOOLS_BASTION_PRIVATE_KEY }}
+          name: id_rsa-bastion
+          known_hosts: ${{ secrets.KNOWN_HOSTS_OF_BASTION }}
+          config: ${{ secrets.CONFIG }}
+
+      - name: Install SSH key of target
+        uses: shimataro/ssh-key-action@v2
+        with:
+          key: ${{ secrets.DEV_TOOLS_EC2_PRIVATE_KEY }}
+          name: id_rsa-target
+          known_hosts: ${{ secrets.KNOWN_HOSTS_OF_TARGET }}
+          config: ${{ secrets.CONFIG }}
 
       - name: Ready for promotion
         run: bash tools/deploy.sh ${{ github.event.inputs.betaVersion }}
diff --git a/.github/workflows/functional_tests.yml b/.github/workflows/functional_tests.yml
@@ -52,6 +52,7 @@ jobs:
         if: ${{ success() }} || ${{ failure() }}
         uses: codecov/[email protected]
         with:
+          token: ${{secrets.CODECOV_TOKEN}}
           files: ./coverage.xml
           flags: functional
           env_vars: OS,PYTHON
@@ -81,6 +82,7 @@ jobs:
         if: ${{ success() }} || ${{ failure() }}
         uses: codecov/[email protected]
         with:
+          token: ${{secrets.CODECOV_TOKEN}}
           files: ./coverage.xml
           flags: functional
           env_vars: OS,PYTHON
@@ -111,6 +113,7 @@ jobs:
         if: ${{ success() }} || ${{ failure() }}
         uses: codecov/[email protected]
         with:
+          token: ${{secrets.CODECOV_TOKEN}}
           files: ./coverage.xml
           flags: functional
           env_vars: OS,PYTHON

diff --git a/.github/workflows/functional_tests_2023.yml b/.github/workflows/functional_tests_2023.yml
@@ -52,6 +52,7 @@ jobs:
         if: ${{ success() }} || ${{ failure() }}
         uses: codecov/[email protected]
         with:
+          token: ${{secrets.CODECOV_TOKEN}}
           files: ./coverage.xml
           flags: functional
           env_vars: OS,PYTHON
@@ -81,6 +82,7 @@ jobs:
         if: ${{ success() }} || ${{ failure() }}
         uses: codecov/[email protected]
         with:
+          token: ${{secrets.CODECOV_TOKEN}}
           files: ./coverage.xml
           flags: functional
           env_vars: OS,PYTHON
@@ -105,6 +107,7 @@ jobs:
         if: ${{ success() }} || ${{ failure() }}
         uses: codecov/[email protected]
         with:
+          token: ${{secrets.CODECOV_TOKEN}}
           files: ./coverage.xml
           flags: functional
           env_vars: OS,PYTHON

diff --git a/.github/workflows/integration_tests.yml b/.github/workflows/integration_tests.yml
@@ -63,6 +63,7 @@ jobs:
         if: ${{ success() }} || ${{ failure() }}
         uses: codecov/[email protected]
         with:
+          token: ${{secrets.CODECOV_TOKEN}}
           files: ./coverage.xml
           flags: integration
           env_vars: OS,PYTHON
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -1,10 +0,0 @@
-name: test
-
-on:
-  workflow_dispatch:
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Use GitHub secret
-        run: echo ${{ secrets.MY_SECRET }}

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -14,6 +14,10 @@ on:
         description: 'Set to "release" for a beta release.'
         required: false
         default: "alpha"
+      signExe:
+        description: 'Set to "true" to generate sign .exe on Windows.'
+        required: false
+        default: "false"
 
 env:
   GITHUB_USERNAME: "nuxeodrive"
@@ -98,13 +102,13 @@ jobs:
           echo "${{ secrets.CERT_APP_MACOS }}" | base64 --decode > developerID_application.cer
           echo "${{ secrets.PRIV_APP_MACOS }}" | base64 --decode > nuxeo-drive.priv
 
-      - name: "[macOS] Downloading Python"
-        if: matrix.os == 'macos-latest'
-        run: curl https://www.python.org/ftp/python/3.9.5/python-3.9.5-macosx10.9.pkg -o "python.pkg" # XXX_PYTHON
+      #- name: "[macOS] Downloading Python"
+      #  if: matrix.os == 'macos-latest'
+      #  run: curl https://www.python.org/ftp/python/3.9.5/python-3.9.5-macosx10.9.pkg -o "python.pkg" # XXX_PYTHON
 
-      - name: "[macOS] Install Python"
-        if: matrix.os == 'macos-latest'
-        run: sudo installer -pkg python.pkg -target /
+      #- name: "[macOS] Install Python"
+      #  if: matrix.os == 'macos-latest'
+      #  run: sudo installer -pkg python.pkg -target /
 
       - name: "[macOS] Setup the environment"
         if: matrix.os == 'macos-latest'
@@ -125,6 +129,7 @@ jobs:
           NOTARIZATION_PASSWORD: ${{ secrets.NOTARIZATION_PASSWORD }}
           NOTARIZATION_TEAMID: ${{ secrets.NOTARIZATION_TEAMID }}
           SIGNING_ID: "NUXEO CORP"
+          SIGNING_ID_NEW: "Hyland Software, Inc."
           SYSTEM_VERSION_COMPAT: 0
         run: bash tools/osx/deploy_ci_agent.sh --check-upgrade
 
@@ -148,13 +153,6 @@ jobs:
       #
       # Windows
       #
-
-      - name: "[Windows] Setup certificate"
-        if: matrix.os == 'windows-latest'
-        run: |
-          echo "${{ secrets.CERT_APP_WINDOWS }}" > certificate.b64
-          certutil -decode certificate.b64 certificate.pfx
-
       - name: "[Windows] Unlock PowerShell"
         if: matrix.os == 'windows-latest'
         run: powershell Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope LocalMachine
@@ -163,11 +161,60 @@ jobs:
         if: matrix.os == 'windows-latest'
         run: powershell ".\\tools\\windows\\deploy_ci_agent.ps1" -install_release
 
+      - name: Setup Certificate
+        if: matrix.os == 'windows-latest'
+        run: |
+           echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/Certificate_pkcs12.p12
+           cat  /d/Certificate_pkcs12.p12
+        shell: bash
+
+      - name: Set variables
+        if: matrix.os == 'windows-latest'
+        id: variables
+        run: |
+          dir
+          echo "version=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT
+          echo "KEYPAIR_NAME=gt-standard-keypair"  >> $GITHUB_OUTPUT
+          echo "CERTIFICATE_NAME=gt-certificate"  >> $GITHUB_OUTPUT
+          echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV"
+          echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV"
+          echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV"
+          echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV"
+          echo "SM_KEYPAIR_ALIAS=${{ secrets.SM_KEYPAIR_ALIAS }}" >> "$GITHUB_ENV"
+          echo "SM_CODE_SIGNING_CERT_SHA1_HASH=${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }}" >> "$GITHUB_ENV"
+          echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH
+          echo "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools" >> $GITHUB_PATH
+          echo "C:\Program Files\DigiCert\DigiCert Keylocker Tools" >> $GITHUB_PATH
+        shell: bash
+
+      - name: Setup Keylocker KSP on windows
+        if: matrix.os == 'windows-latest'
+        run: |
+          curl -X GET  https://one.digicert.com/signingmanager/api-ui/v1/releases/Keylockertools-windows-x64.msi/download -H "x-api-key:%SM_API_KEY%" -o Keylockertools-windows-x64.msi
+          msiexec /i Keylockertools-windows-x64.msi /quiet /qn
+          smksp_registrar.exe list
+          smctl.exe keypair ls
+          C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user
+        shell: cmd
+
+      - name: Certificates Sync
+        if: matrix.os == 'windows-latest'
+        run: |
+           smctl windows certsync --keypair-alias=${{ secrets.SM_KEYPAIR_ALIAS }}
+        shell: cmd
+
+      - name: Health status
+        if: matrix.os == 'windows-latest'
+        run: |
+           smctl healthcheck
+        shell: cmd
+
+
       - name: "[Windows] Generate the .exe and validate against 2021"
         timeout-minutes: 15
         if: matrix.os == 'windows-latest'
         env:
-          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
+          KEYCHAIN_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
           NXDRIVE_TEST_NUXEO_URL: "https://drive-2021.beta.nuxeocloud.com/nuxeo"
           SIGNING_ID: "Nuxeo"
           SIGNTOOL_PATH: 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.20348.0\x86'
@@ -177,14 +224,22 @@ jobs:
         timeout-minutes: 15
         if: matrix.os == 'windows-latest'
         env:
-          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
           NXDRIVE_TEST_NUXEO_URL: "https://drive-2023.beta.nuxeocloud.com/nuxeo"
           NXDRIVE_TEST_USERNAME: ${{ secrets.NXDRIVE_2023_TEST_USERNAME }}
           NXDRIVE_TEST_PASSWORD: ${{ secrets.NXDRIVE_2023_TEST_PASSWORD }}
           SIGNING_ID: "Nuxeo"
           SIGNTOOL_PATH: 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.20348.0\x86'
         run: powershell ".\\tools\\windows\\deploy_ci_agent.ps1" -check_upgrade
 
+      - name: "[Windows] Generate and sign the .exe"
+        timeout-minutes: 15
+        if: matrix.os == 'windows-latest' && github.event.inputs.signExe == 'true'
+        env:
+          KEYCHAIN_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
+          SIGNING_ID_NEW: "Hyland Software, Inc."
+          SIGNTOOL_PATH: 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.20348.0\x86'
+        run: powershell ".\\tools\\windows\\deploy_ci_agent.ps1" -build_installer_and_sign
+
       - name: "Upload artifacts"
         uses: actions/upload-artifact@v4
         with:
@@ -210,11 +265,21 @@ jobs:
         run: echo "branch=$(echo ${GITHUB_REF#refs/heads/})" >> $GITHUB_OUTPUT
         id: extract_branch
 
-      - name: Install SSH key
+      - name: Install SSH key for Bastion
         uses: shimataro/ssh-key-action@v2
         with:
-          key: ${{ secrets.SSH_PRIV_KEY }}
-          known_hosts: ${{ secrets.SSH_KNOWN_HOST_DEPLOY }}
+          key: ${{ secrets.DEV_TOOLS_BASTION_PRIVATE_KEY }}
+          name: id_rsa-bastion
+          known_hosts: ${{ secrets.KNOWN_HOSTS_OF_BASTION }}
+          config: ${{ secrets.CONFIG }}
+
+      - name: Install SSH key of target
+        uses: shimataro/ssh-key-action@v2
+        with:
+          key: ${{ secrets.DEV_TOOLS_EC2_PRIVATE_KEY }}
+          name: id_rsa-target
+          known_hosts: ${{ secrets.KNOWN_HOSTS_OF_TARGET }}
+          config: ${{ secrets.CONFIG }}
       - name: Setup git
         run: |
           git config user.email ${{ env.GITHUB_EMAILID }}

diff --git a/.github/workflows/unit_tests.yml b/.github/workflows/unit_tests.yml
@@ -42,6 +42,7 @@ jobs:
         if: ${{ success() }} || ${{ failure() }}
         uses: codecov/[email protected]
         with:
+          token: ${{secrets.CODECOV_TOKEN}}
           files: ./coverage.xml
           flags: unit
           env_vars: OS,PYTHON
@@ -74,6 +75,7 @@ jobs:
         if: ${{ success() }} || ${{ failure() }}
         uses: codecov/[email protected]
         with:
+          token: ${{secrets.CODECOV_TOKEN}}
           files: ./coverage.xml
           flags: unit
           env_vars: OS,PYTHON
@@ -106,6 +108,7 @@ jobs:
         if: ${{ success() }} || ${{ failure() }}
         uses: codecov/[email protected]
         with:
+          token: ${{secrets.CODECOV_TOKEN}}
           files: ./coverage.xml
           flags: unit
           env_vars: OS,PYTHON
diff --git a/docs/changes.md b/docs/changes.md
@@ -20,7 +20,8 @@
 - [5.3.1](changes/5.3.1.md) ([diff](https://github.com/nuxeo/nuxeo-drive/compare/release-5.3.0...release-5.3.1))
 - [5.3.2](changes/5.3.2.md) ([diff](https://github.com/nuxeo/nuxeo-drive/compare/release-5.3.1...release-5.3.2))
 - [5.4.0](changes/5.4.0.md) ([diff](https://github.com/nuxeo/nuxeo-drive/compare/release-5.3.2...release-5.4.0))
-- [5.5.0](changes/5.5.0.md) ([diff](https://github.com/nuxeo/nuxeo-drive/compare/release-5.4.0...master))
+- [5.4.1](changes/5.4.1.md) ([diff](https://github.com/nuxeo/nuxeo-drive/compare/release-5.4.0...release-5.4.1))
+- [5.5.0](changes/5.5.0.md) ([diff](https://github.com/nuxeo/nuxeo-drive/compare/release-5.4.1...master))
 
 ## 4.x