From d3abc312fe0130dc6509f51e2e3fc00e391cf786 Mon Sep 17 00:00:00 2001 From: Allen Byrne Date: Thu, 8 Aug 2024 15:32:48 -0500 Subject: [PATCH 1/4] Add windows signing --- .github/workflows/cmake-ctest.yml | 122 +++++++++++++++++++++++------- .github/workflows/daily-build.yml | 7 ++ 2 files changed, 100 insertions(+), 29 deletions(-) diff --git a/.github/workflows/cmake-ctest.yml b/.github/workflows/cmake-ctest.yml index e8c158283dc..70af585eb7e 100644 --- a/.github/workflows/cmake-ctest.yml +++ b/.github/workflows/cmake-ctest.yml @@ -22,6 +22,19 @@ on: type: string required: true default: snapshots + secrets: + AZURE_TENANT_ID: + required: true + AZURE_CLIENT_ID: + required: true + AZURE_CLIENT_SECRET: + required: true + AZURE_ENDPOINT: + required: true + AZURE_CODE_SIGNING_NAME: + required: true + AZURE_CERT_PROFILE_NAME: + required: true permissions: contents: read @@ -44,6 +57,18 @@ jobs: - name: Enable Developer Command Prompt uses: ilammy/msvc-dev-cmd@v1.13.0 + - name: Check Secrets exists + id: set-signing-state + env: + super_secret: ${{ secrets.AZURE_ENDPOINT }} + run: | + if [[ '${{ env.super_secret }}' == '' ]] + then + echo "BINSIGN=false" >> $GITHUB_OUTPUT + else + echo "BINSIGN=true" >> $GITHUB_OUTPUT + fi + - name: Set file base name (Windows) id: set-file-base run: | 
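Review bot: Declaring all six signing secrets with `required: true` in the `workflow_call` block forces every caller of cmake-ctest.yml to map them explicitly, while the `Check Secrets exists` step added further down in this patch is written to tolerate an empty `AZURE_ENDPOINT`; the two are at odds. Only daily-build.yml is updated in this series, so any other workflow that calls this reusable workflow (none is visible here) would now fail validation. If unsigned snapshot builds are meant to remain possible, `required: false` on the six entries matches the runtime check; if they are not, the emptiness check is dead code.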
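Review bot: In the `Check Secrets exists` step the secret value is pasted into the script text through `'${{ env.super_secret }}'`; `super_secret` is already exported by the step's `env:`, so the expression interpolation is unnecessary, and a value containing a `'` would break the generated script. Reading it as a shell variable keeps the secret out of the script body: `if [[ -z "$super_secret" ]]`. The redirection target should also be quoted, `>> "$GITHUB_OUTPUT"`, as it is an environment-supplied path.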
@@ -86,15 +111,27 @@ jobs: cmake --workflow --preset=${{ inputs.preset_name }}-MSVC --fresh shell: bash - - name: Create build folders (Windows) - run: | - mkdir "${{ runner.workspace }}/build" - mkdir "${{ runner.workspace }}/build/hdf5" - shell: bash + - name: Sign files with Trusted Signing + uses: azure/trusted-signing-action@v0.4.0 + with: + azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }} + azure-client-id: ${{ secrets.AZURE_CLIENT_ID }} + azure-client-secret: ${{ secrets.AZURE_CLIENT_SECRET }} + endpoint: ${{ secrets.AZURE_ENDPOINT }} + trusted-signing-account-name: ${{ secrets.AZURE_CODE_SIGNING_NAME }} + certificate-profile-name: ${{ secrets.AZURE_CERT_PROFILE_NAME }} + files-folder: ${{ runner.workspace }}/hdf5/build/${{ inputs.preset_name }}-MSVC + files-folder-filter: msi + file-digest: SHA256 + timestamp-rfc3161: http://timestamp.acs.microsoft.com + timestamp-digest: SHA256 + if: ${{ steps.set-signing-state.BINSIGN == 'true' }} - name: Publish binary (Windows) id: publish-ctest-binary run: | + mkdir "${{ runner.workspace }}/build" + mkdir "${{ runner.workspace }}/build/hdf5" Copy-Item -Path ${{ runner.workspace }}/hdf5/${{ steps.set-file-base.outputs.SOURCE_BASE }}/COPYING -Destination ${{ runner.workspace }}/build/hdf5/ Copy-Item -Path ${{ runner.workspace }}/hdf5/${{ steps.set-file-base.outputs.SOURCE_BASE }}/COPYING_LBNL_HDF5 -Destination ${{ runner.workspace }}/build/hdf5/ Copy-Item -Path ${{ runner.workspace }}/hdf5/build/${{ inputs.preset_name }}-MSVC/README.md -Destination ${{ runner.workspace }}/build/hdf5/ 
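Review bot: The condition `if: ${{ steps.set-signing-state.BINSIGN == 'true' }}` on the `Sign files with Trusted Signing` step reads a property that does not exist on the step context, so it evaluates to empty, the step is always skipped, and the unsigned MSI is published with no error; the step output must be addressed as `if: ${{ steps.set-signing-state.outputs.BINSIGN == 'true' }}`. Because this step is handed `AZURE_CLIENT_SECRET`, pinning `azure/trusted-signing-action` to a full commit SHA instead of the mutable `v0.4.0` tag would stop a moved tag from delivering that credential to different code. The action is authenticated with a long-lived client secret; if the action version in use supports it, signing in through `azure/login` with an OIDC federated credential (and `id-token: write` on the job) would remove the stored secret entirely.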
@@ -106,11 +143,13 @@ jobs: - name: Publish msi binary (Windows) id: publish-ctest-msi-binary run: | - Copy-Item -Path ${{ runner.workspace }}/hdf5/${{ steps.set-file-base.outputs.SOURCE_BASE }}/COPYING -Destination ${{ runner.workspace }}/build/hdf5/ - Copy-Item -Path ${{ runner.workspace }}/hdf5/${{ steps.set-file-base.outputs.SOURCE_BASE }}/COPYING_LBNL_HDF5 -Destination ${{ runner.workspace }}/build/hdf5/ - Copy-Item -Path ${{ runner.workspace }}/hdf5/build/${{ inputs.preset_name }}-MSVC/README.md -Destination ${{ runner.workspace }}/build/hdf5/ - Copy-Item -Path ${{ runner.workspace }}/hdf5/build/${{ inputs.preset_name }}-MSVC/* -Destination ${{ runner.workspace }}/build/hdf5/ -Include *.msi - cd "${{ runner.workspace }}/build" + mkdir "${{ runner.workspace }}/buildmsi" + mkdir "${{ runner.workspace }}/buildmsi/hdf5" + Copy-Item -Path ${{ runner.workspace }}/hdf5/${{ steps.set-file-base.outputs.SOURCE_BASE }}/COPYING -Destination ${{ runner.workspace }}/buildmsi/hdf5/ + Copy-Item -Path ${{ runner.workspace }}/hdf5/${{ steps.set-file-base.outputs.SOURCE_BASE }}/COPYING_LBNL_HDF5 -Destination ${{ runner.workspace }}/buildmsi/hdf5/ + Copy-Item -Path ${{ runner.workspace }}/hdf5/build/${{ inputs.preset_name }}-MSVC/README.md -Destination ${{ runner.workspace }}/buildmsi/hdf5/ + Copy-Item -Path ${{ runner.workspace }}/hdf5/build/${{ inputs.preset_name }}-MSVC/* -Destination ${{ runner.workspace }}/buildmsi/hdf5/ -Include *.msi + cd "${{ runner.workspace }}/buildmsi" 7z a -tzip ${{ steps.set-file-base.outputs.FILE_BASE }}-win-vs2022_cl.msi.zip hdf5 shell: pwsh @@ -237,7 +276,6 @@ jobs: path: ${{ runner.workspace }}/build/${{ steps.set-file-base.outputs.FILE_BASE }}-ubuntu-2204_gcc.tar.gz if-no-files-found: error # 'warn' or 'ignore' are also available, defaults to `warn` - # Save files created by ctest script - name: Save published binary deb (Linux) uses: actions/upload-artifact@v4 with: 
@@ -245,7 +283,6 @@ jobs: path: ${{ runner.workspace }}/builddeb/${{ steps.set-file-base.outputs.FILE_BASE }}-ubuntu-2204_gcc.deb.tar.gz if-no-files-found: error # 'warn' or 'ignore' are also available, defaults to `warn` - # Save files created by ctest script - name: Save published binary rpm (Linux) uses: actions/upload-artifact@v4 with: @@ -340,13 +377,14 @@ jobs: - name: Publish dmg binary (MacOS_latest) id: publish-ctest-dmg-binary run: | - mkdir "${{ runner.workspace }}/build/hdf5dmg" - cp ${{ runner.workspace }}/hdf5/${{ steps.set-file-base.outputs.SOURCE_BASE }}/COPYING ${{ runner.workspace }}/build/hdf5dmg - cp ${{ runner.workspace }}/hdf5/${{ steps.set-file-base.outputs.SOURCE_BASE }}/COPYING_LBNL_HDF5 ${{ runner.workspace }}/build/hdf5dmg - cp ${{ runner.workspace }}/hdf5/build/${{ inputs.preset_name }}-Clang/README.md ${{ runner.workspace }}/build/hdf5dmg - cp ${{ runner.workspace }}/hdf5/build/${{ inputs.preset_name }}-Clang/*.dmg.tar.gz ${{ runner.workspace }}/build/hdf5dmg - cd "${{ runner.workspace }}/build" - tar -zcvf ${{ steps.set-file-base.outputs.FILE_BASE }}-osx.tar.gz hdf5dmg + mkdir "${{ runner.workspace }}/builddmg" + mkdir "${{ runner.workspace }}/builddmg/hdf5" + cp ${{ runner.workspace }}/hdf5/${{ steps.set-file-base.outputs.SOURCE_BASE }}/COPYING ${{ runner.workspace }}/builddmg/hdf5 + cp ${{ runner.workspace }}/hdf5/${{ steps.set-file-base.outputs.SOURCE_BASE }}/COPYING_LBNL_HDF5 ${{ runner.workspace }}/builddmg/hdf5 + cp ${{ runner.workspace }}/hdf5/build/${{ inputs.preset_name }}-Clang/README.md ${{ runner.workspace }}/builddmg/hdf5 + cp ${{ runner.workspace }}/hdf5/build/${{ inputs.preset_name }}-Clang/*.dmg.tar.gz ${{ runner.workspace }}/builddmg/hdf5 + cd "${{ runner.workspace }}/builddmg" + tar -zcvf ${{ steps.set-file-base.outputs.FILE_BASE }}-osx.tar.gz hdf5 shell: bash - name: List files in the space (MacOS_latest) 
@@ -451,6 +489,18 @@ jobs: - name: Install Dependencies (Windows_intel) run: choco install ninja + - name: Check Secrets exists + id: set-signing-state + env: + super_secret: ${{ secrets.AZURE_ENDPOINT }} + run: | + if [[ '${{ env.super_secret }}' == '' ]] + then + echo "BINSIGN=false" >> $GITHUB_OUTPUT + else + echo "BINSIGN=true" >> $GITHUB_OUTPUT + fi + - name: add oneAPI to env uses: fortran-lang/setup-fortran@v1 id: setup-fortran 
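Review bot: This `Check Secrets exists` step is a verbatim copy of the one in the MSVC job, including the interpolation of the secret into the script body via `'${{ env.super_secret }}'`; `if [[ -z "$super_secret" ]]` uses the variable the step's `env:` already exports and avoids the single-quote hazard. With the logic duplicated per job the two copies are likely to drift; a single preparatory job exposing `BINSIGN` as a job output, or a small composite action, would keep one definition.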
@@ -504,15 +554,27 @@ jobs: cmake --workflow --preset=${{ inputs.preset_name }}-win-Intel --fresh shell: pwsh - - name: Create build folders (Windows_intel) - run: | - mkdir "${{ runner.workspace }}/build" - mkdir "${{ runner.workspace }}/build/hdf5" - shell: bash + - name: Sign files with Trusted Signing (Windows_intel) + uses: azure/trusted-signing-action@v0.4.0 + with: + azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }} + azure-client-id: ${{ secrets.AZURE_CLIENT_ID }} + azure-client-secret: ${{ secrets.AZURE_CLIENT_SECRET }} + endpoint: ${{ secrets.AZURE_ENDPOINT }} + trusted-signing-account-name: ${{ secrets.AZURE_CODE_SIGNING_NAME }} + certificate-profile-name: ${{ secrets.AZURE_CERT_PROFILE_NAME }} + files-folder: ${{ runner.workspace }}/hdf5/build/${{ inputs.preset_name }}-MSVC + files-folder-filter: msi + file-digest: SHA256 + timestamp-rfc3161: http://timestamp.acs.microsoft.com + timestamp-digest: SHA256 + if: ${{ steps.set-signing-state.BINSIGN == 'true' }} - name: Publish binary (Windows_intel) id: publish-ctest-binary run: | + mkdir "${{ runner.workspace }}/build" + mkdir "${{ runner.workspace }}/build/hdf5" Copy-Item -Path ${{ runner.workspace }}/hdf5/${{ steps.set-file-base.outputs.SOURCE_BASE }}/COPYING -Destination ${{ runner.workspace }}/build/hdf5/ Copy-Item -Path ${{ runner.workspace }}/hdf5/${{ steps.set-file-base.outputs.SOURCE_BASE }}/COPYING_LBNL_HDF5 -Destination ${{ runner.workspace }}/build/hdf5/ Copy-Item -Path ${{ runner.workspace }}/hdf5/build/${{ inputs.preset_name }}-Intel/README.md -Destination ${{ runner.workspace }}/build/hdf5/ 
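Review bot: In the `Sign files with Trusted Signing (Windows_intel)` step, `files-folder` points at `${{ runner.workspace }}/hdf5/build/${{ inputs.preset_name }}-MSVC`, but this job builds and later copies from `${{ inputs.preset_name }}-Intel` (see the `Copy-Item` lines in the same hunk), so the Intel MSI would never be signed; it should read `files-folder: ${{ runner.workspace }}/hdf5/build/${{ inputs.preset_name }}-Intel`. The step also carries the same `if: ${{ steps.set-signing-state.BINSIGN == 'true' }}` condition as the MSVC job, which lacks `.outputs` and therefore never evaluates to true. With `files-folder-filter: msi`, a wrong folder presumably signs nothing rather than failing, so neither mistake would surface in the run log.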
@@ -524,11 +586,13 @@ jobs: - name: Publish msi binary (Windows_intel) id: publish-ctest-msi-binary run: | - Copy-Item -Path ${{ runner.workspace }}/hdf5/${{ steps.set-file-base.outputs.SOURCE_BASE }}/COPYING -Destination ${{ runner.workspace }}/build/hdf5/ - Copy-Item -Path ${{ runner.workspace }}/hdf5/${{ steps.set-file-base.outputs.SOURCE_BASE }}/COPYING_LBNL_HDF5 -Destination ${{ runner.workspace }}/build/hdf5/ - Copy-Item -Path ${{ runner.workspace }}/hdf5/build/${{ inputs.preset_name }}-Intel/README.md -Destination ${{ runner.workspace }}/build/hdf5/ - Copy-Item -Path ${{ runner.workspace }}/hdf5/build/${{ inputs.preset_name }}-Intel/* -Destination ${{ runner.workspace }}/build/hdf5/ -Include *.msi - cd "${{ runner.workspace }}/build" + mkdir "${{ runner.workspace }}/buildmsi" + mkdir "${{ runner.workspace }}/buildmsi/hdf5" + Copy-Item -Path ${{ runner.workspace }}/hdf5/${{ steps.set-file-base.outputs.SOURCE_BASE }}/COPYING -Destination ${{ runner.workspace }}/buildmsi/hdf5/ + Copy-Item -Path ${{ runner.workspace }}/hdf5/${{ steps.set-file-base.outputs.SOURCE_BASE }}/COPYING_LBNL_HDF5 -Destination ${{ runner.workspace }}/buildmsi/hdf5/ + Copy-Item -Path ${{ runner.workspace }}/hdf5/build/${{ inputs.preset_name }}-Intel/README.md -Destination ${{ runner.workspace }}/buildmsi/hdf5/ + Copy-Item -Path ${{ runner.workspace }}/hdf5/build/${{ inputs.preset_name }}-Intel/* -Destination ${{ runner.workspace }}/buildmsi/hdf5/ -Include *.msi + cd "${{ runner.workspace }}/buildmsi" 7z a -tzip ${{ steps.set-file-base.outputs.FILE_BASE }}-win-vs2022_intel.msi.zip hdf5 shell: pwsh diff --git a/.github/workflows/daily-build.yml b/.github/workflows/daily-build.yml index c8441bd8dae..ad53474b91c 100644 --- a/.github/workflows/daily-build.yml +++ b/.github/workflows/daily-build.yml 
@@ -44,6 +44,13 @@ jobs: file_base: ${{ needs.call-workflow-tarball.outputs.file_base }} # use_tag: snapshot use_environ: snapshots + secrets: + AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} + AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} + AZURE_ENDPOINT: ${{ secrets.AZURE_ENDPOINT }} + AZURE_CODE_SIGNING_NAME: ${{ secrets.AZURE_CODE_SIGNING_NAME }} + AZURE_CERT_PROFILE_NAME: ${{ secrets.AZURE_CERT_PROFILE_NAME }} if: ${{ needs.call-workflow-tarball.outputs.has_changes == 'true' }} call-workflow-abi: From 6305804092618d5f07e2425e56b325ed061a62e2 Mon Sep 17 00:00:00 2001 From: Allen Byrne Date: Thu, 8 Aug 2024 16:40:43 -0500 Subject: [PATCH 2/4] Correct syntax --- .github/workflows/cmake-ctest.yml | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/.github/workflows/cmake-ctest.yml b/.github/workflows/cmake-ctest.yml index 70af585eb7e..085f6f57ddb 100644 --- a/.github/workflows/cmake-ctest.yml +++ b/.github/workflows/cmake-ctest.yml @@ -64,10 +64,12 @@ jobs: run: | if [[ '${{ env.super_secret }}' == '' ]] then - echo "BINSIGN=false" >> $GITHUB_OUTPUT + SIGN_VAL=$(echo "false") else - echo "BINSIGN=true" >> $GITHUB_OUTPUT + SIGN_VAL=$(echo "true") fi + echo "BINSIGN=$SIGN_VAL" >> $GITHUB_OUTPUT + shell: bash - name: Set file base name (Windows) id: set-file-base @@ -171,7 +173,7 @@ jobs: uses: actions/upload-artifact@v4 with: name: msi-vs2022_cl-binary - path: ${{ runner.workspace }}/build/${{ steps.set-file-base.outputs.FILE_BASE }}-win-vs2022_cl.msi.zip + path: ${{ runner.workspace }}/buildmsi/${{ steps.set-file-base.outputs.FILE_BASE }}-win-vs2022_cl.msi.zip if-no-files-found: error # 'warn' or 'ignore' are also available, defaults to `warn` build_and_test_linux: 
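Review bot: `SIGN_VAL=$(echo "false")` in the revised `Check Secrets exists` step spawns a subshell to assign a literal; `SIGN_VAL=false` and `SIGN_VAL=true` say the same thing directly. The test still interpolates the secret into the script via `'${{ env.super_secret }}'` even though it is available as `$super_secret`; `if [[ -z "$super_secret" ]]` avoids both the quoting hazard and copying the value into the generated script. Quoting the redirection target, `echo "BINSIGN=$SIGN_VAL" >> "$GITHUB_OUTPUT"`, is the usual shellcheck-clean form.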
@@ -404,7 +406,7 @@ jobs: uses: actions/upload-artifact@v4 with: name: tgz-osx-dmg-binary - path: ${{ runner.workspace }}/build/${{ steps.set-file-base.outputs.FILE_BASE }}-osx.dmg.tar.gz + path: ${{ runner.workspace }}/builddmg/${{ steps.set-file-base.outputs.FILE_BASE }}-osx.dmg.tar.gz if-no-files-found: error # 'warn' or 'ignore' are also available, defaults to `warn` build_and_test_S3_linux: @@ -496,10 +498,12 @@ jobs: run: | if [[ '${{ env.super_secret }}' == '' ]] then - echo "BINSIGN=false" >> $GITHUB_OUTPUT + SIGN_VAL=$(echo "false") else - echo "BINSIGN=true" >> $GITHUB_OUTPUT + SIGN_VAL=$(echo "true") fi + echo "BINSIGN=$SIGN_VAL" >> $GITHUB_OUTPUT + shell: bash - name: add oneAPI to env uses: fortran-lang/setup-fortran@v1 @@ -614,7 +618,7 @@ jobs: uses: actions/upload-artifact@v4 with: name: msi-vs2022_intel-binary - path: ${{ runner.workspace }}/build/${{ steps.set-file-base.outputs.FILE_BASE }}-win-vs2022_intel.msi.zip + path: ${{ runner.workspace }}/buildmsi/${{ steps.set-file-base.outputs.FILE_BASE }}-win-vs2022_intel.msi.zip if-no-files-found: error # 'warn' or 'ignore' are also available, defaults to `warn` build_and_test_linux_intel: From f2170f87901cc617266da4396162a40297cbf004 Mon Sep 17 00:00:00 2001 From: Allen Byrne Date: Fri, 9 Aug 2024 08:45:34 -0500 Subject: [PATCH 3/4] Correct name of binary --- .github/workflows/cmake-ctest.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/cmake-ctest.yml b/.github/workflows/cmake-ctest.yml index 085f6f57ddb..38199e8cd39 100644 --- a/.github/workflows/cmake-ctest.yml +++ b/.github/workflows/cmake-ctest.yml 
@@ -386,7 +386,7 @@ jobs: cp ${{ runner.workspace }}/hdf5/build/${{ inputs.preset_name }}-Clang/README.md ${{ runner.workspace }}/builddmg/hdf5 cp ${{ runner.workspace }}/hdf5/build/${{ inputs.preset_name }}-Clang/*.dmg.tar.gz ${{ runner.workspace }}/builddmg/hdf5 cd "${{ runner.workspace }}/builddmg" - tar -zcvf ${{ steps.set-file-base.outputs.FILE_BASE }}-osx.tar.gz hdf5 + tar -zcvf ${{ steps.set-file-base.outputs.FILE_BASE }}-osx.dmg.tar.gz hdf5 shell: bash - name: List files in the space (MacOS_latest) From e28c59db3a334b5034f5beaf038bbe4d570dad9f Mon Sep 17 00:00:00 2001 From: Allen Byrne Date: Fri, 9 Aug 2024 09:21:08 -0500 Subject: [PATCH 4/4] Correct filename --- .github/workflows/cmake-ctest.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/cmake-ctest.yml b/.github/workflows/cmake-ctest.yml index 38199e8cd39..04dc2b664fc 100644 --- a/.github/workflows/cmake-ctest.yml +++ b/.github/workflows/cmake-ctest.yml @@ -384,7 +384,7 @@ jobs: cp ${{ runner.workspace }}/hdf5/${{ steps.set-file-base.outputs.SOURCE_BASE }}/COPYING ${{ runner.workspace }}/builddmg/hdf5 cp ${{ runner.workspace }}/hdf5/${{ steps.set-file-base.outputs.SOURCE_BASE }}/COPYING_LBNL_HDF5 ${{ runner.workspace }}/builddmg/hdf5 cp ${{ runner.workspace }}/hdf5/build/${{ inputs.preset_name }}-Clang/README.md ${{ runner.workspace }}/builddmg/hdf5 - cp ${{ runner.workspace }}/hdf5/build/${{ inputs.preset_name }}-Clang/*.dmg.tar.gz ${{ runner.workspace }}/builddmg/hdf5 + cp ${{ runner.workspace }}/hdf5/build/${{ inputs.preset_name }}-Clang/*.dmg ${{ runner.workspace }}/builddmg/hdf5 cd "${{ runner.workspace }}/builddmg" tar -zcvf ${{ steps.set-file-base.outputs.FILE_BASE }}-osx.dmg.tar.gz hdf5 shell: bash