Skip to content

Release CLI Assets

Release CLI Assets #48

name: Release CLI Assets
on:
workflow_call:
inputs:
publishedPackages:
description: 'Published packages'
required: true
type: string
commitSha:
description: 'Commit SHA'
required: true
type: string
workflow_dispatch:
inputs:
publishedPackages:
description: 'Published packages'
required: true
default: '[{"name": "@xata.io/cli", "version": "1.2.0"}]'
type: string
commitSha:
description: 'Commit SHA'
required: true
type: string
permissions:
id-token: write
contents: write
packages: write
pages: write
pull-requests: write
jobs:
release-cli-assets:
name: Release CLI assets
outputs:
version: ${{ steps.capture-version.outputs.version }}
mac_intel_sha: ${{steps.sha-macos.outputs.sha-macos-intel}},
mac_arm_sha: ${{ steps.sha-macos.outputs.sha-macos-arm }}
linux_sha: ${{ steps.sha-ubuntu.outputs.sha-linux }},
linux_arm_sha: ${{ steps.sha-ubuntu.outputs.sha-linux-arm }}
strategy:
matrix:
os: [ubuntu-latest, macos-latest]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v3
with:
# This makes Actions fetch all Git history so that Changesets can generate changelogs with the correct commits
fetch-depth: 0
# This makes the PR pushed to use GITHUB_TOKEN and trigger the checks
persist-credentials: false
- name: Configure
run: |
echo "NVMRC=$(cat .nvmrc)" >> $GITHUB_OUTPUT
id: config
- name: Install pnpm
uses: pnpm/action-setup@v4
- name: Use Node.js ${{ steps.config.outputs.NVMRC }}
uses: actions/setup-node@v3
with:
node-version: ${{ steps.config.outputs.NVMRC }}
cache: 'pnpm'
- name: Install the Apple certificate
if: matrix.os == 'macos-latest'
env:
BUILD_CERTIFICATE_BASE64: ${{ secrets.APPLE_DEVELOPER_ID_CERT_P12 }}
P12_PASSWORD: ${{ secrets.APPLE_DEVELOPER_ID_CERT_SECRET }}
KEYCHAIN_PASSWORD: ${{ secrets.APPLE_DEVELOPER_ID_CERT_SECRET }}
run: |
# create variables
CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
# import certificate from secrets
echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH
# create temporary keychain
security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
# import certificate to keychain
security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
security list-keychain -d user -s $KEYCHAIN_PATH
- name: Install dependencies
run: pnpm install --frozen-lockfile
- name: Build
run: pnpm build
- name: Install windows dependencies
if: matrix.os == 'ubuntu-latest'
run: |
sudo apt-get update
sudo apt-get install -y nsis
sudo apt-get install -y p7zip
- name: Configure AWS Credentials for production
uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ secrets.CLI_ASSETS_UPLOAD_ROLE }}
aws-region: us-east-1
mask-aws-account-id: 'no'
- name: Pack
run: pnpm run release:cli:pack
env:
PUBLISHED_PACKAGES: ${{ inputs.publishedPackages }}
MATRIX_OS: ${{ matrix.os }}
# - name: Upload CLI Assets to GitHub Releases
# run: pnpm run release:cli:upload:gh
# env:
# MATRIX_OS: ${{ matrix.os }}
# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Debian cert
if: matrix.os == 'ubuntu-latest'
working-directory: /home/runner/work/client-ts/client-ts/cli/dist/deb
run: |
echo "$DEBIAN_GPG_KEY_PRIVATE" | gpg --import --batch --passphrase "$DEBIAN_GPG_KEY_PASS"
gpg --digest-algo SHA512 --clearsign --pinentry-mode loopback --passphrase "$DEBIAN_GPG_KEY_PASS" -u $DEBIAN_GPG_KEY_ID -o InRelease Release
gpg --digest-algo SHA512 -abs --pinentry-mode loopback --passphrase "$DEBIAN_GPG_KEY_PASS" -u $DEBIAN_GPG_KEY_ID -o Release.gpg Release
echo "Signed debian packages successfully"
echo "sha256 sums:"
sha256sum *Release*
mkdir -p /home/runner/work/client-ts/client-ts/cli/dist/apt
echo "$DEBIAN_GPG_KEY_PUBLIC" > /home/runner/work/client-ts/client-ts/cli/dist/apt/release.key
env:
DEBIAN_GPG_KEY_PRIVATE: ${{ secrets.DEBIAN_GPG_KEY_PRIVATE }}
DEBIAN_GPG_KEY_PASS: ${{ secrets.DEBIAN_GPG_KEY_PASS }}
DEBIAN_GPG_KEY_PUBLIC: ${{ secrets.DEBIAN_GPG_KEY_PUBLIC }}
DEBIAN_GPG_KEY_ID: ${{ secrets.DEBIAN_GPG_KEY_ID }}
- name: Capture version
id: capture-version
run: |
version=$(pnpm run release:version --silent);
echo "$version" >> "$GITHUB_OUTPUT"
- name: Create SHA outputs macos
if: matrix.os == 'macos-latest'
working-directory: /home/runner/work/client-ts/client-ts/cli/dist
id: sha-macos
run: |
echo "sha-macos-arm=$(sh -c 'shasum < "$1" | cut -d" " -f1' -- xata-v${{ steps.capture-version.version }}-${{inputs.commitSha}}-darwin-arm64.tar.gz)" >> "$GITHUB_OUTPUT"
echo "sha-macos-intel=$(sh -c 'shasum < "$1" | cut -d" " -f1' -- xata-v${{ steps.capture-version.version }}-${{inputs.commitSha}}-darwin-x64.tar.gz)" >> "$GITHUB_OUTPUT"
- name: Create SHA outputs ubuntu
if: matrix.os == 'ubuntu-latest'
working-directory: /home/runner/work/client-ts/client-ts/cli/dist
id: sha-ubuntu
run: |
echo "sha-linux=(sha256sum xata-v${{ steps.capture-version.version }}-${{inputs.commitSha}}-linux-arm.tar.gz)" >> "$GITHUB_OUTPUT"
echo "sha-linux-arm=(sha256sum xata-v${{ steps.capture-version.version }}-${{inputs.commitSha}}-linux-arm64.tar.gz)" >> "$GITHUB_OUTPUT"
# - name: Upload and Promote CLI Assets to S3
# run: pnpm run release:cli:upload:s3
# env:
# MATRIX_OS: ${{ matrix.os }}
# COMMIT_SHA: ${{ inputs.commitSha }}
# - name: Pack (Windows only)
# if: matrix.os == 'ubuntu-latest'
# run: pnpm run release:cli:pack
# env:
# PUBLISHED_PACKAGES: ${{ inputs.publishedPackages }}
# MATRIX_OS: ${{ matrix.os }}
# OS_OVERRIDE: windows-latest
# - name: Upload CLI Assets to GitHub Releases (Windows only)
# run: pnpm run release:cli:upload:gh
# if: matrix.os == 'ubuntu-latest'
# env:
# MATRIX_OS: ${{ matrix.os }}
# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# OS_OVERRIDE: windows-latest
# - name: Upload and Promote CLI Assets to S3 (Windows only)
# if: matrix.os == 'ubuntu-latest'
# run: pnpm run release:cli:upload:s3
# env:
# MATRIX_OS: ${{ matrix.os }}
# COMMIT_SHA: ${{ inputs.commitSha }}
# OS_OVERRIDE: windows-latest
- name: Clean up keychain
if: matrix.os == 'macos-latest'
run: |
security delete-keychain $RUNNER_TEMP/app-signing.keychain-db