Skip to content

Commit

Permalink
Add windows signing (HDFGroup#4703)
Browse files Browse the repository at this point in the history
  • Loading branch information
byrnHDF authored and lrknox committed Aug 21, 2024
1 parent 3cc6ffb commit f886150
Show file tree
Hide file tree
Showing 2 changed files with 107 additions and 34 deletions.
134 changes: 100 additions & 34 deletions .github/workflows/cmake-ctest.yml
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,19 @@ on:
type: string
required: true
default: snapshots
secrets:
AZURE_TENANT_ID:
required: true
AZURE_CLIENT_ID:
required: true
AZURE_CLIENT_SECRET:
required: true
AZURE_ENDPOINT:
required: true
AZURE_CODE_SIGNING_NAME:
required: true
AZURE_CERT_PROFILE_NAME:
required: true

permissions:
contents: read
Expand All @@ -44,6 +57,20 @@ jobs:
- name: Enable Developer Command Prompt
uses: ilammy/[email protected]

- name: Check Secrets exists
id: set-signing-state
env:
super_secret: ${{ secrets.AZURE_ENDPOINT }}
run: |
if [[ '${{ env.super_secret }}' == '' ]]
then
SIGN_VAL=$(echo "false")
else
SIGN_VAL=$(echo "true")
fi
echo "BINSIGN=$SIGN_VAL" >> $GITHUB_OUTPUT
shell: bash

- name: Set file base name (Windows)
id: set-file-base
run: |
Expand Down Expand Up @@ -86,15 +113,27 @@ jobs:
cmake --workflow --preset=${{ inputs.preset_name }}-MSVC --fresh
shell: bash

- name: Create build folders (Windows)
run: |
mkdir "${{ runner.workspace }}/build114"
mkdir "${{ runner.workspace }}/build114/hdf5"
shell: bash
- name: Sign files with Trusted Signing
uses: azure/[email protected]
with:
azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
azure-client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
endpoint: ${{ secrets.AZURE_ENDPOINT }}
trusted-signing-account-name: ${{ secrets.AZURE_CODE_SIGNING_NAME }}
certificate-profile-name: ${{ secrets.AZURE_CERT_PROFILE_NAME }}
files-folder: ${{ runner.workspace }}/hdf5/build/${{ inputs.preset_name }}-MSVC
files-folder-filter: msi
file-digest: SHA256
timestamp-rfc3161: http://timestamp.acs.microsoft.com
timestamp-digest: SHA256
if: ${{ steps.set-signing-state.BINSIGN == 'true' }}

- name: Publish binary (Windows)
id: publish-ctest-binary
run: |
mkdir "${{ runner.workspace }}/build114"
mkdir "${{ runner.workspace }}/build114/hdf5"
Copy-Item -Path ${{ runner.workspace }}/hdf5/${{ steps.set-file-base.outputs.SOURCE_BASE }}/COPYING -Destination ${{ runner.workspace }}/build114/hdf5/
Copy-Item -Path ${{ runner.workspace }}/hdf5/${{ steps.set-file-base.outputs.SOURCE_BASE }}/COPYING_LBNL_HDF5 -Destination ${{ runner.workspace }}/build114/hdf5/
Copy-Item -Path ${{ runner.workspace }}/hdf5/build114/${{ inputs.preset_name }}-MSVC/README.md -Destination ${{ runner.workspace }}/build114/hdf5/
Expand All @@ -106,11 +145,13 @@ jobs:
- name: Publish msi binary (Windows)
id: publish-ctest-msi-binary
run: |
Copy-Item -Path ${{ runner.workspace }}/hdf5/${{ steps.set-file-base.outputs.SOURCE_BASE }}/COPYING -Destination ${{ runner.workspace }}/build/hdf5/
Copy-Item -Path ${{ runner.workspace }}/hdf5/${{ steps.set-file-base.outputs.SOURCE_BASE }}/COPYING_LBNL_HDF5 -Destination ${{ runner.workspace }}/build/hdf5/
Copy-Item -Path ${{ runner.workspace }}/hdf5/build/${{ inputs.preset_name }}-MSVC/README.md -Destination ${{ runner.workspace }}/build/hdf5/
Copy-Item -Path ${{ runner.workspace }}/hdf5/build/${{ inputs.preset_name }}-MSVC/* -Destination ${{ runner.workspace }}/build/hdf5/ -Include *.msi
cd "${{ runner.workspace }}/build"
mkdir "${{ runner.workspace }}/buildmsi"
mkdir "${{ runner.workspace }}/buildmsi/hdf5"
Copy-Item -Path ${{ runner.workspace }}/hdf5/${{ steps.set-file-base.outputs.SOURCE_BASE }}/COPYING -Destination ${{ runner.workspace }}/buildmsi/hdf5/
Copy-Item -Path ${{ runner.workspace }}/hdf5/${{ steps.set-file-base.outputs.SOURCE_BASE }}/COPYING_LBNL_HDF5 -Destination ${{ runner.workspace }}/buildmsi/hdf5/
Copy-Item -Path ${{ runner.workspace }}/hdf5/build/${{ inputs.preset_name }}-MSVC/README.md -Destination ${{ runner.workspace }}/buildmsi/hdf5/
Copy-Item -Path ${{ runner.workspace }}/hdf5/build/${{ inputs.preset_name }}-MSVC/* -Destination ${{ runner.workspace }}/buildmsi/hdf5/ -Include *.msi
cd "${{ runner.workspace }}/buildmsi"
7z a -tzip ${{ steps.set-file-base.outputs.FILE_BASE }}-win-vs2022_cl.msi.zip hdf5
shell: pwsh

Expand All @@ -132,7 +173,7 @@ jobs:
uses: actions/upload-artifact@v4
with:
name: msi-vs2022_cl-binary
path: ${{ runner.workspace }}/build/${{ steps.set-file-base.outputs.FILE_BASE }}-win-vs2022_cl.msi.zip
path: ${{ runner.workspace }}/buildmsi/${{ steps.set-file-base.outputs.FILE_BASE }}-win-vs2022_cl.msi.zip
if-no-files-found: error # 'warn' or 'ignore' are also available, defaults to `warn`

build_and_test_linux:
Expand Down Expand Up @@ -237,15 +278,13 @@ jobs:
path: ${{ runner.workspace }}/build114/${{ steps.set-file-base.outputs.FILE_BASE }}-ubuntu-2204_gcc.tar.gz
if-no-files-found: error # 'warn' or 'ignore' are also available, defaults to `warn`

# Save files created by ctest script
- name: Save published binary deb (Linux)
uses: actions/upload-artifact@v4
with:
name: deb-ubuntu-2204_gcc-binary
path: ${{ runner.workspace }}/builddeb/${{ steps.set-file-base.outputs.FILE_BASE }}-ubuntu-2204_gcc.deb.tar.gz
if-no-files-found: error # 'warn' or 'ignore' are also available, defaults to `warn`

# Save files created by ctest script
- name: Save published binary rpm (Linux)
uses: actions/upload-artifact@v4
with:
Expand Down Expand Up @@ -340,13 +379,14 @@ jobs:
- name: Publish dmg binary (MacOS_latest)
id: publish-ctest-dmg-binary
run: |
mkdir "${{ runner.workspace }}/build/hdf5dmg"
cp ${{ runner.workspace }}/hdf5/${{ steps.set-file-base.outputs.SOURCE_BASE }}/COPYING ${{ runner.workspace }}/build/hdf5dmg
cp ${{ runner.workspace }}/hdf5/${{ steps.set-file-base.outputs.SOURCE_BASE }}/COPYING_LBNL_HDF5 ${{ runner.workspace }}/build/hdf5dmg
cp ${{ runner.workspace }}/hdf5/build/${{ inputs.preset_name }}-Clang/README.md ${{ runner.workspace }}/build/hdf5dmg
cp ${{ runner.workspace }}/hdf5/build/${{ inputs.preset_name }}-Clang/*.dmg.tar.gz ${{ runner.workspace }}/build/hdf5dmg
cd "${{ runner.workspace }}/build"
tar -zcvf ${{ steps.set-file-base.outputs.FILE_BASE }}-osx.tar.gz hdf5dmg
mkdir "${{ runner.workspace }}/builddmg"
mkdir "${{ runner.workspace }}/builddmg/hdf5"
cp ${{ runner.workspace }}/hdf5/${{ steps.set-file-base.outputs.SOURCE_BASE }}/COPYING ${{ runner.workspace }}/builddmg/hdf5
cp ${{ runner.workspace }}/hdf5/${{ steps.set-file-base.outputs.SOURCE_BASE }}/COPYING_LBNL_HDF5 ${{ runner.workspace }}/builddmg/hdf5
cp ${{ runner.workspace }}/hdf5/build/${{ inputs.preset_name }}-Clang/README.md ${{ runner.workspace }}/builddmg/hdf5
cp ${{ runner.workspace }}/hdf5/build/${{ inputs.preset_name }}-Clang/*.dmg ${{ runner.workspace }}/builddmg/hdf5
cd "${{ runner.workspace }}/builddmg"
tar -zcvf ${{ steps.set-file-base.outputs.FILE_BASE }}-osx.dmg.tar.gz hdf5
shell: bash

- name: List files in the space (MacOS_latest)
Expand All @@ -366,7 +406,7 @@ jobs:
uses: actions/upload-artifact@v4
with:
name: tgz-osx-dmg-binary
path: ${{ runner.workspace }}/build/${{ steps.set-file-base.outputs.FILE_BASE }}-osx.dmg.tar.gz
path: ${{ runner.workspace }}/builddmg/${{ steps.set-file-base.outputs.FILE_BASE }}-osx.dmg.tar.gz
if-no-files-found: error # 'warn' or 'ignore' are also available, defaults to `warn`

build_and_test_S3_linux:
Expand Down Expand Up @@ -451,6 +491,20 @@ jobs:
- name: Install Dependencies (Windows_intel)
run: choco install ninja

- name: Check Secrets exists
id: set-signing-state
env:
super_secret: ${{ secrets.AZURE_ENDPOINT }}
run: |
if [[ '${{ env.super_secret }}' == '' ]]
then
SIGN_VAL=$(echo "false")
else
SIGN_VAL=$(echo "true")
fi
echo "BINSIGN=$SIGN_VAL" >> $GITHUB_OUTPUT
shell: bash

- name: add oneAPI to env
uses: fortran-lang/setup-fortran@v1
id: setup-fortran
Expand Down Expand Up @@ -504,15 +558,27 @@ jobs:
cmake --workflow --preset=${{ inputs.preset_name }}-win-Intel --fresh
shell: pwsh

- name: Create build folders (Windows_intel)
run: |
mkdir "${{ runner.workspace }}/build114"
mkdir "${{ runner.workspace }}/build114/hdf5"
shell: bash
- name: Sign files with Trusted Signing (Windows_intel)
uses: azure/[email protected]
with:
azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
azure-client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
endpoint: ${{ secrets.AZURE_ENDPOINT }}
trusted-signing-account-name: ${{ secrets.AZURE_CODE_SIGNING_NAME }}
certificate-profile-name: ${{ secrets.AZURE_CERT_PROFILE_NAME }}
files-folder: ${{ runner.workspace }}/hdf5/build/${{ inputs.preset_name }}-MSVC
files-folder-filter: msi
file-digest: SHA256
timestamp-rfc3161: http://timestamp.acs.microsoft.com
timestamp-digest: SHA256
if: ${{ steps.set-signing-state.BINSIGN == 'true' }}

- name: Publish binary (Windows_intel)
id: publish-ctest-binary
run: |
mkdir "${{ runner.workspace }}/build114"
mkdir "${{ runner.workspace }}/build114/hdf5"
Copy-Item -Path ${{ runner.workspace }}/hdf5/${{ steps.set-file-base.outputs.SOURCE_BASE }}/COPYING -Destination ${{ runner.workspace }}/build114/hdf5/
Copy-Item -Path ${{ runner.workspace }}/hdf5/${{ steps.set-file-base.outputs.SOURCE_BASE }}/COPYING_LBNL_HDF5 -Destination ${{ runner.workspace }}/build114/hdf5/
Copy-Item -Path ${{ runner.workspace }}/hdf5/build114/${{ inputs.preset_name }}-Intel/README.md -Destination ${{ runner.workspace }}/build114/hdf5/
Expand All @@ -522,13 +588,13 @@ jobs:
shell: pwsh

- name: Publish msi binary (Windows_intel)
id: publish-ctest-msi-binary
run: |
Copy-Item -Path ${{ runner.workspace }}/hdf5/${{ steps.set-file-base.outputs.SOURCE_BASE }}/COPYING -Destination ${{ runner.workspace }}/build/hdf5/
Copy-Item -Path ${{ runner.workspace }}/hdf5/${{ steps.set-file-base.outputs.SOURCE_BASE }}/COPYING_LBNL_HDF5 -Destination ${{ runner.workspace }}/build/hdf5/
Copy-Item -Path ${{ runner.workspace }}/hdf5/build/${{ inputs.preset_name }}-Intel/README.md -Destination ${{ runner.workspace }}/build/hdf5/
Copy-Item -Path ${{ runner.workspace }}/hdf5/build/${{ inputs.preset_name }}-Intel/* -Destination ${{ runner.workspace }}/build/hdf5/ -Include *.msi
cd "${{ runner.workspace }}/build"
mkdir "${{ runner.workspace }}/buildmsi"
mkdir "${{ runner.workspace }}/buildmsi/hdf5"
Copy-Item -Path ${{ runner.workspace }}/hdf5/${{ steps.set-file-base.outputs.SOURCE_BASE }}/COPYING -Destination ${{ runner.workspace }}/buildmsi/hdf5/
Copy-Item -Path ${{ runner.workspace }}/hdf5/${{ steps.set-file-base.outputs.SOURCE_BASE }}/COPYING_LBNL_HDF5 -Destination ${{ runner.workspace }}/buildmsi/hdf5/
Copy-Item -Path ${{ runner.workspace }}/hdf5/build/${{ inputs.preset_name }}-Intel/README.md -Destination ${{ runner.workspace }}/buildmsi/hdf5/
Copy-Item -Path ${{ runner.workspace }}/hdf5/build/${{ inputs.preset_name }}-Intel/* -Destination ${{ runner.workspace }}/buildmsi/hdf5/ -Include *.msi
cd "${{ runner.workspace }}/buildmsi"
7z a -tzip ${{ steps.set-file-base.outputs.FILE_BASE }}-win-vs2022_intel.msi.zip hdf5
shell: pwsh

Expand All @@ -550,7 +616,7 @@ jobs:
uses: actions/upload-artifact@v4
with:
name: msi-vs2022_intel-binary
path: ${{ runner.workspace }}/build/${{ steps.set-file-base.outputs.FILE_BASE }}-win-vs2022_intel.msi.zip
path: ${{ runner.workspace }}/buildmsi/${{ steps.set-file-base.outputs.FILE_BASE }}-win-vs2022_intel.msi.zip
if-no-files-found: error # 'warn' or 'ignore' are also available, defaults to `warn`

build_and_test_linux_intel:
Expand Down
7 changes: 7 additions & 0 deletions .github/workflows/daily-build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,13 @@ jobs:
file_base: ${{ needs.call-workflow-tarball.outputs.file_base }}
#use_tag: snapshot-1.14
use_environ: snapshots
secrets:
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
AZURE_ENDPOINT: ${{ secrets.AZURE_ENDPOINT }}
AZURE_CODE_SIGNING_NAME: ${{ secrets.AZURE_CODE_SIGNING_NAME }}
AZURE_CERT_PROFILE_NAME: ${{ secrets.AZURE_CERT_PROFILE_NAME }}
if: ${{ needs.call-workflow-tarball.outputs.has_changes == 'true' }}

call-workflow-abi:
Expand Down

0 comments on commit f886150

Please sign in to comment.