Bump version 1.2.24 (#295) #151
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release halo-tools | |
| on: | |
| push: | |
| tags: | |
| - 'halotools-v*' | |
| jobs: | |
| create_release: | |
| name: Create halo-tools release | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Prepare version number | |
| id: parse_version | |
| run: | | |
| ( echo -n "version=" && ( echo "$GITHUB_REF" | cut -f2 -d- | tr -d '\n' ) ) >> "$GITHUB_OUTPUT" | |
| - name: Draft release | |
| id: create_release | |
| uses: actions/create-release@v1 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| tag_name: ${{ github.ref }} | |
| release_name: HaLo Tools ${{ steps.parse_version.outputs.version }} | |
| draft: true | |
| prerelease: false | |
| body: | | |
| Set of standalone HaLo tools: [halocli](https://github.com/arx-research/libhalo/blob/master/docs/desktop-cli.md), [halo-bridge](https://github.com/arx-research/libhalo/blob/master/docs/halo-bridge.md), [halo-gateway](https://github.com/arx-research/libhalo/blob/master/docs/halo-gateway.md). | |
| Release contents: | |
| * `halo-tools-linux-x64.tgz` - Linux x64 build (elf files; tar-gzip compressed) | |
| * `halo-tools-win-x64.exe` - Windows 64 build (exe files; signed; zipped) | |
| * `halo-tools-macos-x64.pkg` - Mac OS x64 build (installer; signed) | |
| **Note:** The files `*-keyless.sig` and `*-keyless.pem` constitute a part of [build audit trail](https://github.com/arx-research/libhalo/blob/master/docs/build-audit-trail.md). | |
| - name: Store release upload URL | |
| run: | | |
| echo -n "${{ steps.create_release.outputs.upload_url }}" > release-upload-url.txt | |
| - name: Store release upload URL artifact | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: release-upload-url | |
| path: release-upload-url.txt | |
| build_cli_tool: | |
| permissions: | |
| id-token: write | |
| strategy: | |
| matrix: | |
| include: | |
| - os: ubuntu-latest | |
| - os: windows-latest | |
| - os: macos-latest | |
| name: Build halo-tools (${{ matrix.os }}) | |
| runs-on: ${{ matrix.os }} | |
| needs: create_release | |
| steps: | |
| - name: Install native dependencies (Linux) | |
| if: matrix.os == 'ubuntu-latest' | |
| run: | | |
| sudo apt-get update && sudo apt-get install -y libpcsclite-dev | |
| - name: Install native dependencies (MacOS) | |
| if: matrix.os == 'macos-latest' | |
| run: | | |
| brew install python@3.11 | |
| brew unlink python@3.11 | |
| brew link --overwrite python@3.11 | |
| brew install pcsc-lite | |
| - name: Checkout the repository | |
| uses: actions/checkout@v3 | |
| - name: Install Node.JS | |
| uses: actions/setup-node@v3 | |
| with: | |
| node-version: 18 | |
| - name: Install dependencies (root) | |
| shell: bash | |
| run: | | |
| npm --include=dev ci | |
| - name: Install dependencies (cli) | |
| shell: bash | |
| run: | | |
| cd cli | |
| npm --include=dev ci | |
| - name: Build libhalo with webpack | |
| shell: bash | |
| run: | | |
| cd web | |
| ../node_modules/.bin/webpack | |
| - name: Package HaLo CLI tool (Linux) | |
| if: matrix.os == 'ubuntu-latest' | |
| shell: bash | |
| run: | | |
| cd cli | |
| node_modules/.bin/pkg --compress GZip -t node18-linux-x64 -c package.json -o dist/halocli entry_cli.js | |
| node_modules/.bin/pkg --compress GZip -t node18-linux-x64 -c package.json -o dist/halo-bridge entry_bridge.js | |
| node_modules/.bin/pkg --compress GZip -t node18-linux-x64 -c package.json -o dist/halo-gateway entry_gateway.js | |
| - name: Package HaLo CLI tool (Windows) | |
| if: matrix.os == 'windows-latest' | |
| shell: bash | |
| run: | | |
| cd cli | |
| node win_fix_binary.js cli | |
| export PKG_PATCHED_BIN='1' | |
| export PKG_CACHE_PATH='./.pkg-cache/' | |
| export PKG_IGNORE_TAG='1' | |
| node_modules/.bin/pkg --compress GZip -t node18-win-x64 -c package.json -o dist/halocli.exe entry_cli.js | |
| - name: Package HaLo Bridge tool (Windows) | |
| if: matrix.os == 'windows-latest' | |
| shell: bash | |
| run: | | |
| cd cli | |
| node win_fix_binary.js bridge | |
| export PKG_PATCHED_BIN='1' | |
| export PKG_CACHE_PATH='./.pkg-cache/' | |
| export PKG_IGNORE_TAG='1' | |
| node_modules/.bin/pkg --compress GZip -t node18-win-x64 -c package.json -o dist/halo-bridge.exe entry_bridge.js | |
| - name: Package HaLo Gateway tool (Windows) | |
| if: matrix.os == 'windows-latest' | |
| shell: bash | |
| run: | | |
| cd cli | |
| node win_fix_binary.js gateway | |
| export PKG_PATCHED_BIN='1' | |
| export PKG_CACHE_PATH='./.pkg-cache/' | |
| export PKG_IGNORE_TAG='1' | |
| node_modules/.bin/pkg --compress GZip -t node18-win-x64 -c package.json -o dist/halo-gateway.exe entry_gateway.js | |
| - name: Package HaLo CLI tool (MacOS) | |
| if: matrix.os == 'macos-latest' | |
| shell: bash | |
| run: | | |
| cd cli | |
| node_modules/.bin/pkg --compress GZip -t node18-macos-x64 -c package.json -o dist/halocli entry_cli.js | |
| node_modules/.bin/pkg --compress GZip -t node18-macos-x64 -c package.json -o dist/halo-bridge entry_bridge.js | |
| node_modules/.bin/pkg --compress GZip -t node18-macos-x64 -c package.json -o dist/halo-gateway entry_gateway.js | |
| mv "macos_bridge_app" "dist/HaLo CLI Bridge Server.app" | |
| mv "macos_pkgbuild_scripts" "dist/macos_pkgbuild_scripts" | |
| mv "Entitlements.plist" "dist/Entitlements.plist" | |
| - name: Compress dist files | |
| shell: bash | |
| run: | | |
| cd cli/dist | |
| tar -pczf ../dist.tgz . | |
| - name: Install cosign | |
| uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 | |
| - name: Sign output with cosign | |
| run: | | |
| echo y | cosign sign-blob ./cli/dist.tgz --output-certificate ./cli/dist.tgz-keyless.pem --output-signature ./cli/dist.tgz-keyless.sig | |
| - name: Store binary as artifact | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: binary-${{ matrix.os }} | |
| path: | | |
| ./cli/dist.tgz | |
| ./cli/dist.tgz-keyless.pem | |
| ./cli/dist.tgz-keyless.sig | |
| sign_cli_tool: | |
| environment: production | |
| permissions: | |
| contents: write | |
| id-token: write | |
| strategy: | |
| matrix: | |
| include: | |
| - os: ubuntu-latest | |
| out_name: halo-tools-linux-x64.tgz | |
| - os: windows-latest | |
| out_name: halo-tools-win-x64.zip | |
| - os: macos-latest | |
| out_name: halo-tools-macos-x64.pkg | |
| name: Sign halo-tools and release (${{ matrix.os }}) | |
| runs-on: ${{ matrix.os }} | |
| needs: build_cli_tool | |
| steps: | |
| - name: Download binary from artifact | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: binary-${{ matrix.os }} | |
| - name: Install cosign | |
| uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 | |
| - name: Validate signatures from previous stage | |
| shell: bash | |
| run: | | |
| cosign verify-blob --cert ./dist.tgz-keyless.pem --signature ./dist.tgz-keyless.sig --certificate-identity "https://github.com/arx-research/libhalo/.github/workflows/prod_build_cli.yml@${GITHUB_REF}" --certificate-oidc-issuer https://token.actions.githubusercontent.com ./dist.tgz | |
| - name: Uncompress previous stage | |
| run: | | |
| tar -xopf dist.tgz | |
| - name: Compress application (Linux) | |
| if: matrix.os == 'ubuntu-latest' | |
| run: | | |
| chmod +x halocli | |
| chmod +x halo-bridge | |
| chmod +x halo-gateway | |
| tar -pczf halo-tools-linux-x64.tgz halocli halo-bridge halo-gateway | |
| - name: Write certificate file (Windows) | |
| if: matrix.os == 'windows-latest' | |
| uses: DamianReeves/write-file-action@0a7fcbe1960c53fc08fe789fa4850d24885f4d84 | |
| with: | |
| path: ./chain.cer | |
| write-mode: overwrite | |
| contents: ${{ vars.WINDOWS_CODE_SIGN_CERT_CHAIN }} | |
| - name: Download jsign and verify (Windows) | |
| if: matrix.os == 'windows-latest' | |
| shell: bash | |
| run: | | |
| curl -s -L -o jsign.jar https://github.com/ebourg/jsign/releases/download/4.2/jsign-4.2.jar | |
| echo "290377fc4f593256200b3ea4061b7409e8276255f449d4c6de7833faf0850cc1 jsign.jar" > jsign.sum | |
| sha256sum -c jsign.sum | |
| - name: Authenticate with gcloud (Windows) | |
| if: matrix.os == 'windows-latest' | |
| uses: google-github-actions/auth@ef5d53e30bbcd8d0836f4288f5e50ff3e086997d | |
| with: | |
| credentials_json: ${{ secrets.GCLOUD_SERVICE_ACCOUNT_KEY }} | |
| - name: Set up Cloud SDK (Windows) | |
| uses: google-github-actions/setup-gcloud@62d4898025f6041e16b1068643bfc5a696863587 | |
| if: matrix.os == 'windows-latest' | |
| with: | |
| install_components: 'gcloud' | |
| project_id: ${{ secrets.GCLOUD_PROJECT_ID }} | |
| - name: Sign application (Windows) | |
| if: matrix.os == 'windows-latest' | |
| shell: bash | |
| run: | | |
| java -jar jsign.jar --storetype GOOGLECLOUD --storepass "$(gcloud auth print-access-token)" --keystore "${{ vars.WINDOWS_CODE_SIGN_KEYSTORE }}" --alias "${{ vars.WINDOWS_CODE_SIGN_KEY_ALIAS }}" --certfile "chain.cer" --tsmode RFC3161 --tsaurl http://timestamp.globalsign.com/tsa/r6advanced1 halocli.exe | |
| java -jar jsign.jar --storetype GOOGLECLOUD --storepass "$(gcloud auth print-access-token)" --keystore "${{ vars.WINDOWS_CODE_SIGN_KEYSTORE }}" --alias "${{ vars.WINDOWS_CODE_SIGN_KEY_ALIAS }}" --certfile "chain.cer" --tsmode RFC3161 --tsaurl http://timestamp.globalsign.com/tsa/r6advanced1 halo-bridge.exe | |
| java -jar jsign.jar --storetype GOOGLECLOUD --storepass "$(gcloud auth print-access-token)" --keystore "${{ vars.WINDOWS_CODE_SIGN_KEYSTORE }}" --alias "${{ vars.WINDOWS_CODE_SIGN_KEY_ALIAS }}" --certfile "chain.cer" --tsmode RFC3161 --tsaurl http://timestamp.globalsign.com/tsa/r6advanced1 halo-gateway.exe | |
| - name: Compress application (Windows) | |
| if: matrix.os == 'windows-latest' | |
| run: | | |
| Compress-Archive -Path halocli.exe,halo-bridge.exe,halo-gateway.exe halo-tools-win-x64.zip | |
| - name: Load signing credentials (Mac OS) | |
| if: matrix.os == 'macos-latest' | |
| uses: apple-actions/import-codesign-certs@253ddeeac23f2bdad1646faac5c8c2832e800071 | |
| with: | |
| p12-file-base64: ${{ secrets.MACOS_SIGN_P12 }} | |
| p12-password: ${{ secrets.MACOS_SIGN_P12_PASSWORD }} | |
| - name: Sign application (Mac OS) | |
| if: matrix.os == 'macos-latest' | |
| run: | | |
| mkdir -p root/usr/local/bin/ | |
| mkdir -p root/Applications/ | |
| mv halocli root/usr/local/bin/halocli | |
| mv halo-bridge root/usr/local/bin/halo-bridge | |
| mv halo-gateway root/usr/local/bin/halo-gateway | |
| mv "HaLo CLI Bridge Server.app" "root/Applications/HaLo CLI Bridge Server.app" | |
| /usr/bin/codesign --deep --force --options=runtime --entitlements ./Entitlements.plist --sign "${{ secrets.MACOS_SIGN_IDENTITY_APPLICATION }}" --timestamp ./root/usr/local/bin/halocli | |
| /usr/bin/codesign --deep --force --options=runtime --entitlements ./Entitlements.plist --sign "${{ secrets.MACOS_SIGN_IDENTITY_APPLICATION }}" --timestamp ./root/usr/local/bin/halo-bridge | |
| /usr/bin/codesign --deep --force --options=runtime --entitlements ./Entitlements.plist --sign "${{ secrets.MACOS_SIGN_IDENTITY_APPLICATION }}" --timestamp ./root/usr/local/bin/halo-gateway | |
| /usr/bin/codesign --deep --force --sign "${{ secrets.MACOS_SIGN_IDENTITY_APPLICATION }}" --timestamp "./root/Applications/HaLo CLI Bridge Server.app" | |
| chmod +x ./root/usr/local/bin/halocli | |
| chmod +x ./root/usr/local/bin/halo-bridge | |
| chmod +x ./root/usr/local/bin/halo-gateway | |
| chmod +x "./root/Applications/HaLo CLI Bridge Server.app/Contents/MacOS/halocli_bridge_launcher" | |
| pkgbuild --root ./root --identifier "org.arx.halo.halocli" --version "1.0.$(date +%s)" --scripts "macos_pkgbuild_scripts/" --install-location "/" --sign "${{ secrets.MACOS_SIGN_IDENTITY_INSTALLER }}" ./halo-tools-macos-x64.pkg | |
| - name: Notarize application for Mac OS | |
| if: matrix.os == 'macos-latest' | |
| run: | | |
| xcrun notarytool submit "--apple-id=${{ secrets.MACOS_NOTARIZE_APPLE_ID }}" "--password=${{ secrets.MACOS_NOTARIZE_PASSWORD }}" "--team-id=${{ secrets.MACOS_NOTARIZE_TEAM_ID }}" --progress --wait ./halo-tools-macos-x64.pkg | |
| - name: Staple notarized application (Mac OS) | |
| if: matrix.os == 'macos-latest' | |
| run: | | |
| xcrun stapler staple ./halo-tools-macos-x64.pkg | |
| rm -rf ./root/ | |
| - name: Download release upload URL | |
| uses: actions/download-artifact@v3 | |
| with: | |
| name: release-upload-url | |
| - name: Store release upload URL output | |
| id: out_store | |
| shell: bash | |
| run: | | |
| echo "release_upload_url=$(cat release-upload-url.txt)" >> "$GITHUB_OUTPUT" | |
| - name: Sign output binaries with cosign | |
| run: | | |
| echo y | cosign sign-blob ./${{ matrix.out_name }} --output-certificate ./${{ matrix.out_name }}-keyless.pem --output-signature ./${{ matrix.out_name }}-keyless.sig | |
| - name: Upload release asset (binary) | |
| id: upload-release-asset-binary | |
| uses: actions/upload-release-asset@v1 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| upload_url: ${{ steps.out_store.outputs.release_upload_url }} | |
| asset_path: ./${{ matrix.out_name }} | |
| asset_name: ${{ matrix.out_name }} | |
| asset_content_type: application/octet-stream | |
| - name: Upload release asset (cosign pem) | |
| id: upload-release-asset-cosign-pem | |
| uses: actions/upload-release-asset@v1 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| upload_url: ${{ steps.out_store.outputs.release_upload_url }} | |
| asset_path: ./${{ matrix.out_name }}-keyless.pem | |
| asset_name: ${{ matrix.out_name }}-keyless.pem | |
| asset_content_type: application/octet-stream | |
| - name: Upload release asset (cosign sig) | |
| id: upload-release-asset-cosign-sig | |
| uses: actions/upload-release-asset@v1 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| upload_url: ${{ steps.out_store.outputs.release_upload_url }} | |
| asset_path: ./${{ matrix.out_name }}-keyless.sig | |
| asset_name: ${{ matrix.out_name }}-keyless.sig | |
| asset_content_type: application/octet-stream | |
| - name: Delete binary artifact | |
| if: always() | |
| uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af | |
| with: | |
| name: binary-${{ matrix.os }} |