-
Notifications
You must be signed in to change notification settings - Fork 224
507 lines (457 loc) · 25.6 KB
/
autobuild.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
# This file builds the source and produces artifacts for every supported platform.
# For release tags it creates a Github release and uploads the binaries to that releases.
# The builds are instrumented with CodeQL.
# see analyse_git_reference.py for implementation of the logic:
# for every push to a branch starting with "autobuild": (can be used during development for tighter supervision of builds)
# - do CodeQl while building for every platform
# - publish the created binaries/packs only as artifacts/appendix of the github-action-run (not as release), and only retain those files for limited period
# for every pull-request to main:
# - do CodeQl while building for every platform
# - publish the created binaries/packs only as artifacts/appendix of the github-action-run (not as release), and only retain those files for limited period
# for every tag that starts with 'r' and has an arbitrary suffix (e.g. beta1, rc1, etc.)
# - do CodeQl while building for every platform
# - publish the created binaries/packs only as artifacts/appendix as a prerelease
# for every tag that starts with 'r' and does not have any suffix:
# - do CodeQl while building for every platform
# - publish the created binaries/packs only as artifacts/appendix as a release
on:
workflow_dispatch:
inputs:
build_all_targets:
type: boolean
description: 'Build all targets (instead of just the main platforms)'
push:
tags:
- "r*"
branches:
# For developers: Branches starting with autobuild will be built and evaluated on each push.
- "autobuild**"
# CodeQL requires every branch from on.pull_request to be part of on.push as well in order to run comparisons.
# We also need main here to trigger builds on PR merge to main and manual pushes (e.g. as part of the release process):
- "main"
paths-ignore:
- '**README.md'
- 'docs/**'
- 'SECURITY.md'
- 'CONTRIBUTING.md'
- 'COMPILING.md'
- 'COPYING'
- 'APPLEAPPSTORE.LICENCE.WAIVER'
- '.github/ISSUE_TEMPLATE/*'
- '.github/pull_request_template.md'
pull_request:
branches:
- main
paths-ignore:
- '**README.md'
- 'docs/**'
- 'SECURITY.md'
- 'CONTRIBUTING.md'
- 'COMPILING.md'
- 'COPYING'
- 'APPLEAPPSTORE.LICENCE.WAIVER'
- '.github/ISSUE_TEMPLATE/*'
- '.github/pull_request_template.md'
name: Auto-Build
permissions: {}
jobs:
create_release:
# Check if we are doing a release or just a normal build.
# This must be done before actually building the app to find out where to upload the binaries and if we need to create a Github release.
name: Build vars & Github release (if required)
runs-on: ubuntu-20.04
outputs:
publish_to_release: ${{ steps.get-build-vars.outputs.PUBLISH_TO_RELEASE }}
tag_name: ${{ steps.get-build-vars.outputs.RELEASE_TAG }}
build_version: ${{ steps.get-build-vars.outputs.BUILD_VERSION }}
build_all_targets: ${{ steps.decide-build-targets.outputs.build_all_targets }}
env:
release_changelog_path: ./.github_release_changelog.md
# Set permissions. We need write permissions to content for creating/removing the release
permissions:
contents: write
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Determine release version, type and prerelease variables
run: ./.github/autobuild/get_build_vars.py
id: get-build-vars
- name: Extract Changelog for the Github release body
if: steps.get-build-vars.outputs.PUBLISH_TO_RELEASE == 'true'
run: ./.github/autobuild/extractVersionChangelog.pl ChangeLog ${{ steps.get-build-vars.outputs.JAMULUS_PRO_VERSION }} > ${{ env.release_changelog_path }}
- name: Create/Recreate Release ${{steps.get-build-vars.outputs.RELEASE_TAG}} ${{steps.get-build-vars.outputs.RELEASE_TITLE}}
if: steps.get-build-vars.outputs.PUBLISH_TO_RELEASE == 'true'
id: create-release
run: |
set -eu
# delete release if existing
gh release delete "${tag_name}" || true
RELEASE_PRERELEASE_ARG=""
if [[ "${prerelease}" == 'true' ]]; then
RELEASE_PRERELEASE_ARG="--prerelease"
fi
# Actually create the release. This will print the release url if successful
gh release create "${tag_name}" --title "${release_name}" --notes-file "${body_path}" ${RELEASE_PRERELEASE_ARG}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
tag_name: ${{ steps.get-build-vars.outputs.RELEASE_TAG }}
release_name: ${{ steps.get-build-vars.outputs.RELEASE_TITLE }}
body_path: ${{ env.release_changelog_path }}
prerelease: ${{ steps.get-build-vars.outputs.IS_PRERELEASE }}
- name: Decide which targets to build for
id: decide-build-targets
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
INPUT_BUILD_ALL_TARGETS: ${{ github.event.inputs.build_all_targets }}
PR_NUMBER: ${{ github.event.number }}
PR_BASE: ${{ github.event.pull_request.base.sha }}
PR_HEAD: ${{ github.event.pull_request.head.sha }}
run: |
set -eu
build_all_targets() {
echo "build_all_targets=${1}" >> $GITHUB_OUTPUT
echo "Building for all targets? Result: ${1}"
exit 0
}
handle_push() {
if [[ "${GITHUB_REF}" == "refs/tags/"* ]]; then
echo 'Triggered by a tag push, building all targets'
build_all_targets 'true'
fi
if [[ "${GITHUB_REF}" == "refs/heads/autobuild"* ]]; then
echo 'Triggered by a push to an autobuild* branch, building all targets'
build_all_targets 'true'
fi
}
handle_workflow_dispatch() {
if [[ "${INPUT_BUILD_ALL_TARGETS}" == 'true' ]]; then
echo 'Triggered by manual run with "Build all targets" checkbox set'
build_all_targets 'true'
fi
}
handle_pull_request() {
pr_body_contains_magic_string() {
pr_body=$(gh pr view "${PR_NUMBER}" --json body --jq .body)
grep -vP '<!--' <<< "$pr_body" | grep -qiF -- 'AUTOBUILD: Please build all targets'
}
if pr_body_contains_magic_string; then
echo 'Triggered by a PR with magic AUTOBUILD: string, building all targets'
build_all_targets 'true'
fi
pr_contains_build_changes() {
git fetch origin "${PR_BASE}" "${PR_HEAD}"
git diff --name-only "${PR_BASE}..${PR_HEAD}" |
grep -qP 'autobuild|windows|linux|mac|ios|android|\.pro'
}
if pr_contains_build_changes; then
echo 'Triggered by a PR with build- or platform-specific changes, building all targets'
build_all_targets 'true'
fi
}
case "${GITHUB_EVENT_NAME}" in
push)
handle_push
;;
workflow_dispatch)
handle_workflow_dispatch
;;
pull_request)
handle_pull_request
;;
esac
echo 'default case, not building all targets'
build_all_targets 'false'
release_assets:
name: Build for ${{ matrix.config.config_name }}
needs: create_release
# Set permissions to allow uploading artifact, uploading to release and allowing CodeQl to set security events
permissions:
checks: write
contents: write
security-events: write
strategy:
fail-fast: false
matrix:
# Think of this like a foreach loop. Basically runs the steps with every combination of
# the contents of this.
config:
- config_name: Android .apk (artifact+codeQL)
target_os: android
building_on_os: ubuntu-20.04
base_command: ./.github/autobuild/android.sh
run_codeql: true
is_main_build_target: true
# Jamulus.pro needs to count git history length for android versioning:
checkout_fetch_depth: '0'
- config_name: Linux .deb amd64 (artifacts+codeQL)
target_os: linux
building_on_os: ubuntu-22.04
building_container: ubuntu:20.04
base_command: ./.github/autobuild/linux_deb.sh
run_codeql: true
is_main_build_target: true
- config_name: Linux .deb armhf (artifacts)
target_os: linux
building_on_os: ubuntu-22.04
building_container: ubuntu:20.04
base_command: TARGET_ARCH=armhf ./.github/autobuild/linux_deb.sh
run_codeql: false
- config_name: Linux .deb arm64 (artifacts)
target_os: linux
building_on_os: ubuntu-22.04
building_container: ubuntu:20.04
base_command: TARGET_ARCH=arm64 ./.github/autobuild/linux_deb.sh
run_codeql: false
- config_name: MacOS (artifacts)
target_os: macos
building_on_os: macos-14
base_command: QT_VERSION=6.6.3 SIGN_IF_POSSIBLE=1 TARGET_ARCHS="x86_64 arm64" ./.github/autobuild/mac.sh
# Disable CodeQL on mac as it interferes with signing the binaries (signing hangs, see #2563 and #2564)
run_codeql: false
# Latest Xcode which runs on macos-14:
xcode_version: 15.4.0
is_main_build_target: true
# Reminder: If Legacy is removed, be sure to add a dedicated job for CodeQL again.
- config_name: MacOS Legacy (artifacts+CodeQL)
target_os: macos
building_on_os: macos-12
base_command: QT_VERSION=5.15.2 SIGN_IF_POSSIBLE=0 ARTIFACT_SUFFIX=_legacy ./.github/autobuild/mac.sh
# Enable CodeQL on mac legacy as this version does not get signed
run_codeql: true
# For Qt5 on Mac, we need to use an unsupported SDK version as macOS 12 doesn't
# support Xcode 12.1 which still ships SDK 10.15.
# https://developer.apple.com/support/xcode/
# https://xcodereleases.com/
xcode_version: 14.2.0
is_main_build_target: true
- config_name: iOS (artifacts)
target_os: ios
building_on_os: macos-12
base_command: QT_VERSION=5.15.2 ./.github/autobuild/ios.sh
# Build failed with CodeQL enabled when last tested 03/2022 (#2490).
# There are no hints that iOS is supposed to be supported by CodeQL.
# Therefore, disable it:
run_codeql: false
# Unfortunately, more modern Xcode versions no longer seem to support
# Qt 5.15.2. Therefore upgrading to Qt6 is needed in the medium term (#2711)
xcode_version: 13.4.1
- config_name: Windows (artifact+codeQL)
target_os: windows
building_on_os: windows-2022
base_command: powershell .\.github\autobuild\windows.ps1 -Stage
run_codeql: true
is_main_build_target: true
- config_name: Windows JACK (artifact)
target_os: windows
building_on_os: windows-2022
base_command: powershell .\.github\autobuild\windows.ps1 -BuildOption jackonwindows -Stage
run_codeql: false
# This injects the build_all_targets information into each matrix output:
build_all_targets:
- ${{ needs.create_release.outputs.build_all_targets }}
# Exclude all non-main build targets if we are not building for all targets:
exclude:
- build_all_targets: 'false' # This is based on a script output and is therefore a string
config:
is_main_build_target: null
runs-on: ${{ matrix.config.building_on_os }}
container: ${{ matrix.config.building_container }}
steps:
- name: Select Xcode version for Mac
if: matrix.config.target_os == 'macos' || matrix.config.target_os == 'ios'
uses: maxim-lobanov/setup-xcode@60606e260d2fc5762a71e64e74b2174e8ea3c8bd
with:
xcode-version: ${{ matrix.config.xcode_version }}
- name: Set up base dependencies in container environment
if: matrix.config.building_container == 'ubuntu:20.04'
run: |
set -eu
apt-get -qq update
apt-get install -y software-properties-common sudo curl
add-apt-repository ppa:git-core/ppa
curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | sudo dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg
sudo chmod go+r /usr/share/keyrings/githubcli-archive-keyring.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | sudo tee /etc/apt/sources.list.d/github-cli.list > /dev/null
apt-get -qq update
apt-get -qq -y install git-core gh
# Github Runner environments usually whitelist the default checkout directory for git.
# However, when using containers, we have to do that manually in order for git commands to work
# (e.g. in Jamulus.pro's VERSION logic):
# https://github.com/actions/runner/issues/2033
# https://github.com/actions/checkout/issues/766
git config --global --add safe.directory "${GITHUB_WORKSPACE}"
- name: Checkout code
uses: actions/checkout@v4
with:
# only Android needs the oboe submodule, so don't fetch it for other builds
submodules: ${{ matrix.config.target_os == 'android' }}
fetch-depth: ${{ matrix.config.checkout_fetch_depth || '1' }}
- name: Cache Mac dependencies
if: matrix.config.target_os == 'macos'
uses: actions/cache@v4
with:
path: |
/opt/qt
~/Library/Cache/jamulus-homebrew-bottles
key: ${{ matrix.config.target_os }}-${{ hashFiles('.github/workflows/autobuild.yml', '.github/autobuild/mac.sh', 'mac/deploy_mac.sh') }}-${{ matrix.config.base_command }}
- name: Cache Windows dependencies
if: matrix.config.target_os == 'windows'
uses: actions/cache@v4
with:
path: |
C:\Qt
C:\ChocoCache
C:\AutobuildCache
${{ github.workspace }}\libs\NSIS\NSIS-source
${{ github.workspace }}\libs\ASIOSDK2
key: ${{ matrix.config.target_os }}-${{ hashFiles('.github/workflows/autobuild.yml', '.github/autobuild/windows.ps1', 'windows/deploy_windows.ps1') }}-${{ matrix.config.base_command }}
- name: Cache Android dependencies
if: matrix.config.target_os == 'android'
uses: actions/cache@v4
with:
path: |
/opt/Qt
/opt/android/android-sdk
/opt/android/android-ndk
key: ${{ matrix.config.target_os }}-${{ hashFiles('.github/workflows/autobuild.yml', '.github/autobuild/android.sh') }}-${{ matrix.config.base_command }}
- name: Set up build dependencies for ${{ matrix.config.config_name }}
run: ${{ matrix.config.base_command }} setup
env:
JAMULUS_BUILD_VERSION: ${{ needs.create_release.outputs.build_version }}
- name: Initialize CodeQL
if: matrix.config.run_codeql
uses: github/codeql-action/init@v3
with:
languages: 'cpp'
- name: Build for ${{ matrix.config.config_name }}
id: build
run: ${{ matrix.config.base_command }} build
env:
JAMULUS_BUILD_VERSION: ${{ needs.create_release.outputs.build_version }}
MACOS_CERTIFICATE: ${{ secrets.MACOS_CERT }} # Base64 encoded Developer ID Application certificate. See https://help.apple.com/xcode/mac/current/#/dev154b28f09
MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERT_PWD }} # Password protecting secrets.MACOS_CERTIFICATE
MACOS_CERTIFICATE_ID: ${{ secrets.MACOS_CERT_ID }} # Certificate ID of secrets.MACOS_CERTIFICATE. If unknown, import secrets.MACOS_CERT into keychain and get the hash via "security find-identity -v"
MAC_STORE_APP_CERT: ${{ secrets.MACAPP_CERT }} # Base64 encoded Mac App Distribution certificate
MAC_STORE_APP_CERT_PWD: ${{ secrets.MACAPP_CERT_PWD }}
MAC_STORE_APP_CERT_ID: ${{ secrets.MACAPP_CERT_ID }}
MAC_STORE_INST_CERT: ${{ secrets.MACAPP_INST_CERT }} # Base64 encoded Mac Installer Distribution certificate
MAC_STORE_INST_CERT_PWD: ${{ secrets.MACAPP_INST_CERT_PWD }}
MAC_STORE_INST_CERT_ID: ${{ secrets.MACAPP_INST_CERT_ID }}
NOTARIZATION_PASSWORD: ${{ secrets.NOTARIZATION_PASSWORD }}
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
MACOS_CA_PUBLICKEY: ${{ secrets.MACOS_CA_PUBKEY }}
- name: Post-Build for ${{ matrix.config.config_name }}
id: get-artifacts
run: ${{ matrix.config.base_command }} get-artifacts
env:
JAMULUS_BUILD_VERSION: ${{ needs.create_release.outputs.build_version }}
- name: Upload Artifact 1 to Job
# Every build job has at least one artifact. Therefore, no `if` here.
# If the artifact is missing, this should fail.
uses: actions/upload-artifact@v4
with:
name: ${{ steps.get-artifacts.outputs.artifact_1 }}
path: deploy/${{ steps.get-artifacts.outputs.artifact_1 }}
retention-days: 31
if-no-files-found: error
- name: Upload Artifact 2 to Job
if: steps.get-artifacts.outputs.artifact_2
uses: actions/upload-artifact@v4
with:
name: ${{ steps.get-artifacts.outputs.artifact_2 }}
path: deploy/${{ steps.get-artifacts.outputs.artifact_2 }}
retention-days: 31
if-no-files-found: error
- name: Notarize macOS Release Build
if: >-
steps.build.outputs.macos_signed == 'true' &&
needs.create_release.outputs.publish_to_release == 'true' &&
steps.build.outputs.macos_notarize == 'true'
id: notarize-macOS-app
run: ${{ matrix.config.base_command }} notarize
env:
JAMULUS_BUILD_VERSION: ${{ needs.create_release.outputs.build_version }}
ARTIFACT_PATH: deploy/${{ steps.get-artifacts.outputs.artifact_1 }}
NOTARIZATION_USERNAME: ${{ secrets.NOTARIZATION_USERNAME }} # Apple ID for notarization
NOTARIZATION_PASSWORD: ${{ secrets.NOTARIZATION_PASSWORD }} # App specific password for Apple ID
APPLE_TEAM_ID: ${{ secrets.NOTARIZATION_TEAM_ID }} # Team ID from App Store Connect
- name: Staple macOS Release Build
if: >-
steps.build.outputs.macos_signed == 'true' &&
needs.create_release.outputs.publish_to_release == 'true' &&
steps.build.outputs.macos_notarize == 'true'
id: staple-macOS-app
run: ${{ matrix.config.base_command }} staple
env:
JAMULUS_BUILD_VERSION: ${{ needs.create_release.outputs.build_version }}
ARTIFACT_PATH: deploy/${{ steps.get-artifacts.outputs.artifact_1 }}
- name: Deploy Artifact 1 to Release
if: needs.create_release.outputs.publish_to_release == 'true'
id: upload-release-asset1
run: >
gh release upload "${{ needs.create_release.outputs.tag_name }}" "deploy/${{ steps.get-artifacts.outputs.artifact_1 }}" --clobber
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Deploy Artifact 2 to Release
if: needs.create_release.outputs.publish_to_release == 'true' &&
steps.get-artifacts.outputs.artifact_2
id: upload-release-asset2
run: >
gh release upload "${{ needs.create_release.outputs.tag_name }}" "deploy/${{ steps.get-artifacts.outputs.artifact_2 }}" --clobber
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Perform CodeQL Analysis
if: matrix.config.run_codeql
uses: github/codeql-action/analyze@v3
create_deb_repo:
name: Create files for .deb repository (if requested)
runs-on: ubuntu-22.04
needs: [create_release, release_assets]
if: needs.create_release.outputs.publish_to_release == 'true'
# Set permissions to allow uploading artifact, uploading to release
permissions:
checks: write
contents: write
steps:
- name: Import GPG key
env:
GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
run: |
set -eu
[[ "${GPG_PRIVATE_KEY:-}" ]] || {
echo "Missing Github secret GPG_PRIVATE_KEY. Please set it on GitHub to enable deb repository releases. Skipping step..."
echo "GPG_REPO_KEY_MISSING=true" >> ${GITHUB_ENV}
exit 0
}
echo "GPG_REPO_KEY_MISSING=false" >> ${GITHUB_ENV}
mkdir -p gpghome
chmod 700 gpghome
echo "${GPG_PRIVATE_KEY}" | gpg --homedir gpghome --import -
# Unfortunately download-artifact action doesn't support wild card downloads. Thus downloading all artifacts
- name: Download all artifacts
if: env.GPG_REPO_KEY_MISSING == 'false'
uses: actions/download-artifact@v4
with:
path: releasedl/
- name: Create Debian repository
if: env.GPG_REPO_KEY_MISSING == 'false'
run: |
set -eu
# Create and cd into repo directory
mkdir repo
mv releasedl/*.deb/*.deb repo/
pushd repo
# create repo files
apt-ftparchive packages . > Packages
apt-ftparchive release . > Release
gpg --homedir "../gpghome" --armor --yes --clearsign --output InRelease --detach-sign Release
gpg --homedir "../gpghome" --armor --export > "key.asc"
# remove .deb files as they have been uploaded to the GitHub release already before
rm *.deb
popd
- name: Upload Debian repository files to release
if: env.GPG_REPO_KEY_MISSING == 'false'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
gh release upload "${{ needs.create_release.outputs.tag_name }}" "repo/InRelease" "repo/key.asc" "repo/Packages" "repo/Release" --clobber -R "${{ github.repository}}"