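# Release pipeline for the standalone halo-tools binaries (halocli, halo-bridge,
# halo-gateway), triggered by pushing a `halotools-v*` tag. Three stages, each a
# separate job so that the code-signing credentials are only exposed to the last one:
#
#   1. create_release  - derives the version from the tag and opens a DRAFT GitHub
#                        release; its asset upload URL is passed on as an artifact.
#   2. build_cli_tool  - builds and packages the binaries per OS, then signs the
#                        packed tarball with cosign (keyless, OIDC identity of this
#                        workflow file at this tag ref).
#   3. sign_cli_tool   - runs in the `production` environment; verifies the stage-2
#                        cosign signature before touching anything, applies the
#                        platform signatures (jsign / codesign + notarytool), cosign-
#                        signs the final asset and attaches everything to the draft.
#
# NOTE(review): the sigstore / gcloud / apple / delete-artifact actions are pinned by
# commit SHA, while actions/checkout, setup-node, upload-artifact, download-artifact,
# create-release and upload-release-asset are pinned by tag only. Pinning those by
# SHA too (insert the SHA of the audited commit, e.g. `actions/checkout@<commit-sha>`)
# gives a consistent supply-chain posture. The v3 artifact actions have also been
# deprecated upstream; v4 changes artifact semantics, so bump deliberately.
name: Release halo-tools

on:  # yamllint disable-line rule:truthy
  push:
    tags:
      - 'halotools-v*'

jobs:
  create_release:
    name: Create halo-tools release
    runs-on: ubuntu-latest
    # Declared explicitly so the job does not rely on the repository's default
    # GITHUB_TOKEN permissions; creating a release needs contents:write and nothing else.
    permissions:
      contents: write
    steps:
      - name: Prepare version number
        id: parse_version
        # refs/tags/halotools-v1.2.3 -> v1.2.3. Stripping the known prefix (instead of
        # `cut -f2 -d-`) keeps a pre-release suffix such as v1.2.3-rc1 intact.
        run: |
          echo "version=${GITHUB_REF#refs/tags/halotools-}" >> "$GITHUB_OUTPUT"

      - name: Draft release
        id: create_release
        uses: actions/create-release@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tag_name: ${{ github.ref }}
          release_name: HaLo Tools ${{ steps.parse_version.outputs.version }}
          # The release stays a draft until someone publishes it by hand, which is the
          # final human review gate after the signed assets have been attached.
          draft: true
          prerelease: false
          body: |
            Set of standalone HaLo tools: [halocli](https://github.com/arx-research/libhalo/blob/master/docs/desktop-cli.md), [halo-bridge](https://github.com/arx-research/libhalo/blob/master/docs/halo-bridge.md), [halo-gateway](https://github.com/arx-research/libhalo/blob/master/docs/halo-gateway.md).

            Release contents:
            * `halo-tools-linux-x64.tgz` - Linux x64 build (elf files; tar-gzip compressed)
            * `halo-tools-win-x64.exe` - Windows 64 build (exe files; signed; zipped)
            * `halo-tools-macos-x64.pkg` - Mac OS x64 build (installer; signed)

            **Note:** The files `*-keyless.sig` and `*-keyless.pem` constitute a part of [build audit trail](https://github.com/arx-research/libhalo/blob/master/docs/build-audit-trail.md).

      - name: Store release upload URL
        # Step outputs are handed to the shell via env, never interpolated into the
        # script body, so their content is never parsed as shell syntax.
        env:
          UPLOAD_URL: ${{ steps.create_release.outputs.upload_url }}
        run: |
          echo -n "$UPLOAD_URL" > release-upload-url.txt

      - name: Store release upload URL artifact
        uses: actions/upload-artifact@v3
        with:
          name: release-upload-url
          path: release-upload-url.txt

  build_cli_tool:
    name: Build halo-tools (${{ matrix.os }})
    runs-on: ${{ matrix.os }}
    needs: create_release
    # Listing any permission sets all unlisted ones to none; contents:read is what
    # checkout needs, id-token:write is what keyless cosign signing needs.
    permissions:
      contents: read
      id-token: write
    strategy:
      matrix:
        include:
          - os: ubuntu-latest
          - os: windows-latest
          - os: macos-latest
    steps:
      - name: Install native dependencies (Linux)
        if: matrix.os == 'ubuntu-latest'
        run: |
          sudo apt-get update && sudo apt-get install -y libpcsclite-dev

      - name: Install native dependencies (MacOS)
        if: matrix.os == 'macos-latest'
        # The unlink/link dance works around a pre-installed python conflicting with
        # the Homebrew formula on the hosted runner image.
        run: |
          brew install python@3.11
          brew unlink python@3.11
          brew link --overwrite python@3.11
          brew install pcsc-lite

      - name: Checkout the repository
        uses: actions/checkout@v3

      - name: Install Node.JS
        uses: actions/setup-node@v3
        with:
          node-version: 18

      # `npm ci` installs strictly from package-lock.json, so the dependency set is
      # reproducible; --include=dev is needed because webpack and pkg are dev deps.
      - name: Install dependencies (root)
        shell: bash
        run: |
          npm --include=dev ci

      - name: Install dependencies (cli)
        shell: bash
        run: |
          cd cli
          npm --include=dev ci

      - name: Build libhalo with webpack
        shell: bash
        run: |
          cd web
          ../node_modules/.bin/webpack

      - name: Package HaLo CLI tool (Linux)
        if: matrix.os == 'ubuntu-latest'
        shell: bash
        run: |
          cd cli
          node_modules/.bin/pkg --compress GZip -t node18-linux-x64 -c package.json -o dist/halocli entry_cli.js
          node_modules/.bin/pkg --compress GZip -t node18-linux-x64 -c package.json -o dist/halo-bridge entry_bridge.js
          node_modules/.bin/pkg --compress GZip -t node18-linux-x64 -c package.json -o dist/halo-gateway entry_gateway.js

      # On Windows each tool is packaged in its own step: win_fix_binary.js patches the
      # node binary per tool and the PKG_* variables tell pkg to use that patched
      # binary from the local cache instead of downloading one.
      - name: Package HaLo CLI tool (Windows)
        if: matrix.os == 'windows-latest'
        shell: bash
        run: |
          cd cli
          node win_fix_binary.js cli
          export PKG_PATCHED_BIN='1'
          export PKG_CACHE_PATH='./.pkg-cache/'
          export PKG_IGNORE_TAG='1'
          node_modules/.bin/pkg --compress GZip -t node18-win-x64 -c package.json -o dist/halocli.exe entry_cli.js

      - name: Package HaLo Bridge tool (Windows)
        if: matrix.os == 'windows-latest'
        shell: bash
        run: |
          cd cli
          node win_fix_binary.js bridge
          export PKG_PATCHED_BIN='1'
          export PKG_CACHE_PATH='./.pkg-cache/'
          export PKG_IGNORE_TAG='1'
          node_modules/.bin/pkg --compress GZip -t node18-win-x64 -c package.json -o dist/halo-bridge.exe entry_bridge.js

      - name: Package HaLo Gateway tool (Windows)
        if: matrix.os == 'windows-latest'
        shell: bash
        run: |
          cd cli
          node win_fix_binary.js gateway
          export PKG_PATCHED_BIN='1'
          export PKG_CACHE_PATH='./.pkg-cache/'
          export PKG_IGNORE_TAG='1'
          node_modules/.bin/pkg --compress GZip -t node18-win-x64 -c package.json -o dist/halo-gateway.exe entry_gateway.js

      - name: Package HaLo CLI tool (MacOS)
        if: matrix.os == 'macos-latest'
        shell: bash
        # The .app bundle, pkgbuild scripts and entitlements travel inside dist/ so
        # the signing job receives everything it needs from one verified tarball.
        run: |
          cd cli
          node_modules/.bin/pkg --compress GZip -t node18-macos-x64 -c package.json -o dist/halocli entry_cli.js
          node_modules/.bin/pkg --compress GZip -t node18-macos-x64 -c package.json -o dist/halo-bridge entry_bridge.js
          node_modules/.bin/pkg --compress GZip -t node18-macos-x64 -c package.json -o dist/halo-gateway entry_gateway.js
          mv "macos_bridge_app" "dist/HaLo CLI Bridge Server.app"
          mv "macos_pkgbuild_scripts" "dist/macos_pkgbuild_scripts"
          mv "Entitlements.plist" "dist/Entitlements.plist"

      - name: Compress dist files
        shell: bash
        run: |
          cd cli/dist
          tar -pczf ../dist.tgz .

      - name: Install cosign
        uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8

      - name: Sign output with cosign
        # Keyless signing: the certificate binds the blob to this workflow's OIDC
        # identity. The signing job verifies exactly that identity before it trusts
        # the tarball. `echo y` answers cosign's data-upload consent prompt.
        run: |
          echo y | cosign sign-blob ./cli/dist.tgz --output-certificate ./cli/dist.tgz-keyless.pem --output-signature ./cli/dist.tgz-keyless.sig

      - name: Store binary as artifact
        uses: actions/upload-artifact@v3
        with:
          name: binary-${{ matrix.os }}
          path: |
            ./cli/dist.tgz
            ./cli/dist.tgz-keyless.pem
            ./cli/dist.tgz-keyless.sig

  sign_cli_tool:
    name: Sign halo-tools and release (${{ matrix.os }})
    runs-on: ${{ matrix.os }}
    needs: build_cli_tool
    # Gated on the `production` environment: the code-signing secrets live there and
    # any protection rules configured on it (required reviewers, tag policy) apply.
    environment: production
    permissions:
      contents: write  # upload release assets
      id-token: write  # keyless cosign signing of the final asset
    strategy:
      matrix:
        include:
          - os: ubuntu-latest
            out_name: halo-tools-linux-x64.tgz
          - os: windows-latest
            out_name: halo-tools-win-x64.zip
          - os: macos-latest
            out_name: halo-tools-macos-x64.pkg
    steps:
      - name: Download binary from artifact
        uses: actions/download-artifact@v3
        with:
          name: binary-${{ matrix.os }}

      - name: Install cosign
        uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8

      - name: Validate signatures from previous stage
        # Fails closed: the tarball must carry a keyless signature issued to THIS
        # workflow file at THIS tag ref by the GitHub OIDC issuer, so a substituted or
        # tampered artifact never reaches the platform signing keys below.
        shell: bash
        run: |
          cosign verify-blob \
            --cert ./dist.tgz-keyless.pem \
            --signature ./dist.tgz-keyless.sig \
            --certificate-identity "https://github.com/arx-research/libhalo/.github/workflows/prod_build_cli.yml@${GITHUB_REF}" \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            ./dist.tgz

      - name: Uncompress previous stage
        run: |
          tar -xopf dist.tgz

      - name: Compress application (Linux)
        if: matrix.os == 'ubuntu-latest'
        run: |
          chmod +x halocli
          chmod +x halo-bridge
          chmod +x halo-gateway
          tar -pczf halo-tools-linux-x64.tgz halocli halo-bridge halo-gateway

      - name: Write certificate file (Windows)
        if: matrix.os == 'windows-latest'
        uses: DamianReeves/write-file-action@0a7fcbe1960c53fc08fe789fa4850d24885f4d84
        with:
          path: ./chain.cer
          write-mode: overwrite
          contents: ${{ vars.WINDOWS_CODE_SIGN_CERT_CHAIN }}

      - name: Download jsign and verify (Windows)
        if: matrix.os == 'windows-latest'
        shell: bash
        # Pinned release plus an expected SHA-256: a tampered or failed download is
        # rejected before the jar is ever executed. `-f` makes curl fail on an HTTP
        # error instead of saving the error page as jsign.jar.
        run: |
          curl -fsSL -o jsign.jar https://github.com/ebourg/jsign/releases/download/4.2/jsign-4.2.jar
          echo "290377fc4f593256200b3ea4061b7409e8276255f449d4c6de7833faf0850cc1 jsign.jar" > jsign.sum
          sha256sum -c jsign.sum

      - name: Authenticate with gcloud (Windows)
        if: matrix.os == 'windows-latest'
        uses: google-github-actions/auth@ef5d53e30bbcd8d0836f4288f5e50ff3e086997d
        with:
          credentials_json: ${{ secrets.GCLOUD_SERVICE_ACCOUNT_KEY }}

      - name: Set up Cloud SDK (Windows)
        if: matrix.os == 'windows-latest'
        uses: google-github-actions/setup-gcloud@62d4898025f6041e16b1068643bfc5a696863587
        with:
          install_components: 'gcloud'
          project_id: ${{ secrets.GCLOUD_PROJECT_ID }}

      - name: Sign application (Windows)
        if: matrix.os == 'windows-latest'
        shell: bash
        # The signing key never leaves Google Cloud KMS; jsign authenticates with a
        # short-lived access token. Repository variables reach the script via env so
        # their content is never parsed as shell syntax.
        env:
          KEYSTORE: ${{ vars.WINDOWS_CODE_SIGN_KEYSTORE }}
          KEY_ALIAS: ${{ vars.WINDOWS_CODE_SIGN_KEY_ALIAS }}
        run: |
          for exe in halocli.exe halo-bridge.exe halo-gateway.exe; do
            java -jar jsign.jar --storetype GOOGLECLOUD \
              --storepass "$(gcloud auth print-access-token)" \
              --keystore "$KEYSTORE" --alias "$KEY_ALIAS" \
              --certfile "chain.cer" --tsmode RFC3161 \
              --tsaurl http://timestamp.globalsign.com/tsa/r6advanced1 "$exe"
          done

      - name: Compress application (Windows)
        if: matrix.os == 'windows-latest'
        run: |
          Compress-Archive -Path halocli.exe,halo-bridge.exe,halo-gateway.exe halo-tools-win-x64.zip

      - name: Load signing credentials (Mac OS)
        if: matrix.os == 'macos-latest'
        uses: apple-actions/import-codesign-certs@253ddeeac23f2bdad1646faac5c8c2832e800071
        with:
          p12-file-base64: ${{ secrets.MACOS_SIGN_P12 }}
          p12-password: ${{ secrets.MACOS_SIGN_P12_PASSWORD }}

      - name: Sign application (Mac OS)
        if: matrix.os == 'macos-latest'
        # Lays out the install-root tree, signs each binary with the hardened runtime
        # and the bundled entitlements, then builds a signed installer package.
        # Secrets reach the script via env rather than `${{ }}` interpolation.
        env:
          APP_IDENTITY: ${{ secrets.MACOS_SIGN_IDENTITY_APPLICATION }}
          INSTALLER_IDENTITY: ${{ secrets.MACOS_SIGN_IDENTITY_INSTALLER }}
        run: |
          mkdir -p root/usr/local/bin/
          mkdir -p root/Applications/
          mv halocli root/usr/local/bin/halocli
          mv halo-bridge root/usr/local/bin/halo-bridge
          mv halo-gateway root/usr/local/bin/halo-gateway
          mv "HaLo CLI Bridge Server.app" "root/Applications/HaLo CLI Bridge Server.app"
          for bin in halocli halo-bridge halo-gateway; do
            /usr/bin/codesign --deep --force --options=runtime \
              --entitlements ./Entitlements.plist \
              --sign "$APP_IDENTITY" --timestamp "./root/usr/local/bin/$bin"
          done
          /usr/bin/codesign --deep --force --sign "$APP_IDENTITY" --timestamp "./root/Applications/HaLo CLI Bridge Server.app"
          chmod +x ./root/usr/local/bin/halocli
          chmod +x ./root/usr/local/bin/halo-bridge
          chmod +x ./root/usr/local/bin/halo-gateway
          chmod +x "./root/Applications/HaLo CLI Bridge Server.app/Contents/MacOS/halocli_bridge_launcher"
          pkgbuild --root ./root --identifier "org.arx.halo.halocli" --version "1.0.$(date +%s)" \
            --scripts "macos_pkgbuild_scripts/" --install-location "/" \
            --sign "$INSTALLER_IDENTITY" ./halo-tools-macos-x64.pkg

      - name: Notarize application for Mac OS
        if: matrix.os == 'macos-latest'
        env:
          APPLE_ID: ${{ secrets.MACOS_NOTARIZE_APPLE_ID }}
          APP_PASSWORD: ${{ secrets.MACOS_NOTARIZE_PASSWORD }}
          TEAM_ID: ${{ secrets.MACOS_NOTARIZE_TEAM_ID }}
        run: |
          xcrun notarytool submit "--apple-id=$APPLE_ID" "--password=$APP_PASSWORD" "--team-id=$TEAM_ID" --progress --wait ./halo-tools-macos-x64.pkg

      - name: Staple notarized application (Mac OS)
        if: matrix.os == 'macos-latest'
        run: |
          xcrun stapler staple ./halo-tools-macos-x64.pkg
          rm -rf ./root/

      - name: Download release upload URL
        uses: actions/download-artifact@v3
        with:
          name: release-upload-url

      - name: Store release upload URL output
        id: out_store
        shell: bash
        run: |
          echo "release_upload_url=$(cat release-upload-url.txt)" >> "$GITHUB_OUTPUT"

      - name: Sign output binaries with cosign
        # Second keyless signature, this time over the platform-signed release asset;
        # the .pem/.sig pair is published next to it as the build audit trail.
        # matrix.out_name is static workflow data, so interpolating it here is safe.
        run: |
          echo y | cosign sign-blob ./${{ matrix.out_name }} --output-certificate ./${{ matrix.out_name }}-keyless.pem --output-signature ./${{ matrix.out_name }}-keyless.sig

      - name: Upload release asset (binary)
        id: upload-release-asset-binary
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ steps.out_store.outputs.release_upload_url }}
          asset_path: ./${{ matrix.out_name }}
          asset_name: ${{ matrix.out_name }}
          asset_content_type: application/octet-stream

      - name: Upload release asset (cosign pem)
        id: upload-release-asset-cosign-pem
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ steps.out_store.outputs.release_upload_url }}
          asset_path: ./${{ matrix.out_name }}-keyless.pem
          asset_name: ${{ matrix.out_name }}-keyless.pem
          asset_content_type: application/octet-stream

      - name: Upload release asset (cosign sig)
        id: upload-release-asset-cosign-sig
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ steps.out_store.outputs.release_upload_url }}
          asset_path: ./${{ matrix.out_name }}-keyless.sig
          asset_name: ${{ matrix.out_name }}-keyless.sig
          asset_content_type: application/octet-stream

      - name: Delete binary artifact
        # Runs even on failure so the unsigned intermediate build does not linger in
        # the run's artifacts.
        if: always()
        uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af
        with:
          name: binary-${{ matrix.os }}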