Merge pull request #521 from mountaindude/node23-sea
Node23 sea
mountaindude authored Nov 15, 2024
2 parents 75c28c9 + ab191b6 commit c2bd582
Showing 109 changed files with 3,941 additions and 4,561 deletions.
2 changes: 0 additions & 2 deletions .eslintignore

This file was deleted.

32 changes: 0 additions & 32 deletions .eslintrc.yml

This file was deleted.

10 changes: 5 additions & 5 deletions .gitattributes
Expand Up @@ -15,11 +15,11 @@ src/.prettierignore export-ignore
src/.prettierrc.yaml export-ignore
src/.snyk export-ignore
src/Dockerfile export-ignore
src/jest.config.js export-ignore
release-config/* export-ignore
release-config export-ignore
src/scriptlog export-ignore
scriptlog export-ignore
src/jest.config.js export-ignore
release-config/* export-ignore
release-config export-ignore
src/scriptlog export-ignore
scriptlog export-ignore

.codeclimate.yml export-ignore
.jshintrc export-ignore
58 changes: 29 additions & 29 deletions .github/workflows/ci.yaml
Expand Up @@ -24,11 +24,11 @@ jobs:
steps:
- name: Show github.ref
run: echo "$GITHUB_REF"

- uses: googleapis/release-please-action@v4
id: release
if: |
github.repository_owner == 'ptarmiganlabs'
github.repository_owner == 'ptarmiganlabs'
with:
token: ${{ secrets.RELEASE_PLEASE_PAT }}
# optional. customize path to release-please-config.json
Expand Down Expand Up @@ -68,7 +68,7 @@ jobs:
- macos
- sp53
# timeout-minutes: 15

if: needs.release-please.outputs.releases_created == 'true'
env:
DIST_FILE_NAME: ctrl-q
Expand All @@ -79,32 +79,32 @@ jobs:
MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}
PROD_MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }}
PROD_MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }}
PROD_MACOS_NOTARIZATION_PWD: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }}
PROD_MACOS_NOTARIZATION_PWD: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }}
steps:
- name: Release tag and upload url from previous job
run: |
echo "tag_name : ${{ needs.release-please.outputs.release_tag_name }}"
echo "version : ${{ needs.release-please.outputs.release_version }}"
echo "upload_url : ${{ needs.release-please.outputs.release_upload_url }}"
- name: Checkout repository
uses: actions/checkout@v4

- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: lts/*

- name: Install tool for creating stand-alone executables
run: |
npm install pkg --location=global
npm install --save-exact esbuild
- name: Install dependencies
run: |
pwd
pwd
npm ci --include=prod
- name: Build binaries
run: |
pwd
Expand All @@ -115,42 +115,42 @@ jobs:
security delete-keychain build.keychain || true
# Turn our base64-encoded certificate back to a regular .p12 file
echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
# We need to create a new keychain, otherwise using the certificate will prompt
# with a UI dialog asking for the certificate password, which we can't
# use in a headless CI environment
security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
security list-keychains -d user -s build.keychain
security default-keychain -d user -s build.keychain
security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain
codesign --force -s "$MACOS_CERTIFICATE_NAME" -v "./${DIST_FILE_NAME}" --deep --strict --options=runtime --timestamp --entitlements ./release-config/${DIST_FILE_NAME}.entitlements
# We can't notarize an app bundle directly, but we need to compress it as an archive.
# Therefore, we create a zip file containing our app bundle, so that we can send it to the
# notarization service
# Notarize release binary
echo "Creating temp notarization archive for release binary"
# ditto -c -k --keepParent "./${DIST_FILE_NAME}" "./${DIST_FILE_NAME}.zip"
ditto -c -k --keepParent "./${DIST_FILE_NAME}" "./${DIST_FILE_NAME}-${{ needs.release-please.outputs.release_version }}-macos.zip"
# Here we send the notarization request to the Apple's Notarization service, waiting for the result.
# This typically takes a few seconds inside a CI environment, but it might take more depending on the App
# characteristics. Visit the Notarization docs for more information and strategies on how to optimize it if
# you're curious
echo "Notarize release app"
xcrun notarytool submit "./${DIST_FILE_NAME}-${{ needs.release-please.outputs.release_version }}-macos.zip" --keychain-profile "notarytool-profile" --wait
# Delete build keychain
security delete-keychain build.keychain
- name: Upload to existing release
uses: ncipollo/release-action@v1
with:
Expand All @@ -163,15 +163,15 @@ jobs:
tag: ${{ needs.release-please.outputs.release_tag_name }}
artifacts: ./ctrl-q-${{ needs.release-please.outputs.release_version }}-macos.zip
token: ${{ github.token }}

- name: Tidy up before existing
run: |
pwd
ls -la
ls -la
rm build.cjs
rm "./${DIST_FILE_NAME}"
rm "./${DIST_FILE_NAME}-${{ needs.release-please.outputs.release_version }}-macos.zip"
#####################
release-win64:
needs: release-please
Expand All @@ -196,22 +196,22 @@ jobs:
Write-Output 'tag_name : ${{ needs.release-please.outputs.release_tag_name }}'
Write-Output 'version : ${{ needs.release-please.outputs.release_version }}'
Write-Output 'upload_url : ${{ needs.release-please.outputs.release_upload_url }}'
- name: Checkout repository
uses: actions/checkout@v4

- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: lts/*

- name: Install tool for creating stand-alone executables
run: |
npm install pkg --location=global
- name: Install dependencies
run: |
pwd
pwd
npm ci --include=prod
- name: Build binaries
Expand Down Expand Up @@ -299,7 +299,7 @@ jobs:
- name: Install dependencies
run: |
pwd
pwd
npm ci
- name: Build binaries
59 changes: 40 additions & 19 deletions .github/workflows/insiders-build.yaml
Expand Up @@ -12,8 +12,21 @@ jobs:
include:
- os: win-code-sign
build: |
./node_modules/.bin/esbuild src/ctrl-q.js --bundle --external:axios --external:xdg-open --external:enigma.js --outfile=build.cjs --format=cjs --platform=node --target=node18 --minify --inject:./src/lib/util/import-meta-url.js --define:import.meta.url=import_meta_url
pkg --output "./${env:DIST_FILE_NAME}.exe" -t node18-win-x64 ./build.cjs --config package.json --compress GZip
./node_modules/.bin/esbuild src/ctrl-q.js --bundle --outfile=build.cjs --format=cjs --platform=node --target=node23 --inject:./src/lib/util/import-meta-url.js --define:import.meta.url=import_meta_url
node --experimental-sea-config sea-config.json
node -e "require('fs').copyFileSync(process.execPath, 'ctrl-q.exe')"
# Remove the signature from the executable
$processOptions1 = @{
FilePath = "C:\Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x64/signtool.exe"
Wait = $true
ArgumentList = "remove", "/s", "./${env:DIST_FILE_NAME}.exe"
WorkingDirectory = "."
NoNewWindow = $true
}
Start-Process @processOptions1
npx postject ctrl-q.exe NODE_SEA_BLOB sea-prep.blob --sentinel-fuse NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2
dir
Expand Down Expand Up @@ -46,48 +59,51 @@ jobs:
}
Compress-Archive @compress
artifact_insider: ctrl-q--win-x64--${{ github.sha }}.zip
- os: mac-build1
build: |
./node_modules/.bin/esbuild src/ctrl-q.js --bundle --external:axios --external:xdg-open --external:enigma.js --outfile=build.cjs --format=cjs --platform=node --target=node18 --minify --inject:./src/lib/util/import-meta-url.js --define:import.meta.url=import_meta_url
pkg --output "./${DIST_FILE_NAME}" -t node18-macos-x64 ./build.cjs --config package.json --compress GZip
# -------------------
./node_modules/.bin/esbuild src/ctrl-q.js --bundle --outfile=build.cjs --format=cjs --platform=node --target=node23 --inject:./src/lib/util/import-meta-url.js --define:import.meta.url=import_meta_url
node --experimental-sea-config sea-config.json
cp $(command -v node) ${DIST_FILE_NAME}
codesign --remove-signature ${DIST_FILE_NAME}
npx postject ctrl-q NODE_SEA_BLOB sea-prep.blob --sentinel-fuse NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2 --macho-segment-name NODE_SEA
chmod +x "${DIST_FILE_NAME}"
security delete-keychain build.keychain || true
pwd
ls -la
# -------------------
# Turn our base64-encoded certificate back to a regular .p12 file
echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
# -------------------
# We need to create a new keychain, otherwise using the certificate will prompt
# with a UI dialog asking for the certificate password, which we can't
# use in a headless CI environment
security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
security list-keychains -d user -s build.keychain
security default-keychain -d user -s build.keychain
security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain
codesign --force -s "$MACOS_CERTIFICATE_NAME" -v "./${DIST_FILE_NAME}" --deep --strict --options=runtime --timestamp --entitlements ./release-config/${DIST_FILE_NAME}.entitlements
codesign --force -s "$MACOS_CERTIFICATE_NAME" -v "./${DIST_FILE_NAME}" --deep --strict --options=runtime --timestamp --entitlements ./release-config/${DIST_FILE_NAME}.entitlements
# -------------------
# Notarize
# Store the notarization credentials so that we can prevent a UI password dialog from blocking the CI
echo "Create keychain profile"
xcrun notarytool store-credentials "notarytool-profile" --apple-id "$PROD_MACOS_NOTARIZATION_APPLE_ID" --team-id "$PROD_MACOS_NOTARIZATION_TEAM_ID" --password "$PROD_MACOS_NOTARIZATION_PWD"
# -------------------
# We can't notarize an app bundle directly, but we need to compress it as an archive.
# Therefore, we create a zip file containing our app bundle, so that we can send it to the
# notarization service


# Notarize insider binary
echo "Creating temp notarization archive for insider build"
ditto -c -k --keepParent "./${DIST_FILE_NAME}" "./${DIST_FILE_NAME}--macos-x64--${{ github.sha }}.zip"
Expand All @@ -99,14 +115,20 @@ jobs:
echo "Notarize insider app"
xcrun notarytool submit "./${DIST_FILE_NAME}--macos-x64--${{ github.sha }}.zip" --keychain-profile "notarytool-profile" --wait
# -------------------
# Clean up
# Delete build keychain
security delete-keychain build.keychain
rm build.cjs
artifact_insider: ctrl-q--macos-x64--${{ github.sha }}.zip

- os: ubuntu-latest
build: |
./node_modules/.bin/esbuild src/ctrl-q.js --bundle --external:axios --external:xdg-open --external:enigma.js --outfile=build.cjs --format=cjs --platform=node --target=node18 --minify --inject:./src/lib/util/import-meta-url.js --define:import.meta.url=import_meta_url
pkg --output "./${DIST_FILE_NAME}" -t node18-linux-x64 ./build.cjs --config package.json --compress GZip
./node_modules/.bin/esbuild src/ctrl-q.js --bundle --outfile=build.cjs --format=cjs --platform=node --target=node23 --inject:./src/lib/util/import-meta-url.js --define:import.meta.url=import_meta_url
node --experimental-sea-config sea-config.json
cp $(command -v node) ${DIST_FILE_NAME}
npx postject ctrl-q NODE_SEA_BLOB sea-prep.blob --sentinel-fuse NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2
chmod +x ${DIST_FILE_NAME}
Expand All @@ -122,7 +144,7 @@ jobs:
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: lts/*
node-version: 23.x

- name: Install tool for creating stand-alone executables
run: |
Expand All @@ -131,7 +153,7 @@ jobs:
- name: Install dependencies
run: |
pwd
pwd
npm ci --include=prod
- name: Run Snyk to check for vulnerabilities
Expand All @@ -144,7 +166,7 @@ jobs:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
args: --file=./package.json --sarif-file-output=snyk.sarif

- name: Upload Snyk result to GitHub Code Scanning
if: |
github.repository_owner == 'ptarmiganlabs' &&
Expand All @@ -156,7 +178,7 @@ jobs:

- name: Create binaries
env:
DIST_FILE_NAME: ctrl-q
DIST_FILE_NAME: ctrl-q
GITHUB_TOKEN: ${{ secrets.RELEASE_PLEASE_PAT }}
MACOS_CERTIFICATE: ${{ secrets.PROD_MACOS_CERTIFICATE_BASE64_CODESIGN }}
MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_CODESIGN_PWD }}
Expand All @@ -175,4 +197,3 @@ jobs:
with:
name: ${{ matrix.artifact_insider }}
path: ${{ matrix.artifact_insider }}
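Review bot: The mac-build1 build script decodes the signing certificate to `certificate.p12` in the workspace, but the clean-up at the end of that script only deletes the keychain and `build.cjs`, so the decoded .p12 (private key included) stays on disk after the job. If `mac-build1` is a self-hosted runner, which the label suggests but this page does not confirm, the file outlives the job; I would add `rm -f certificate.p12` directly after the `security import` line so it is removed even when a later command fails. As far as the visible lines show, the macOS job in ci.yaml has the same gap in its tidy-up step. Separately, each build now copies the runner's own `node` binary into the shipped executable while setup-node uses `node-version: 23.x`, so the embedded runtime floats with whichever 23.x release resolves on build day; pinning an exact version would make the signed artifact traceable to a known Node release.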

12 changes: 12 additions & 0 deletions .gitignore
Expand Up @@ -140,3 +140,15 @@ task-chain.csv
.vscode/launch.json
build.cjs
ctrl-q
a.json
a1.csv
build-sea.sh
build
certtest.js
logcertfile
sea-config.json
sea-prep.blob
.vscode/launch.json
.vscode/launch.json
certificate.p12
.vscode/launch.json
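Review bot: `.vscode/launch.json` is added three more times in this hunk although it is already ignored on the context line just above `build.cjs`; the three duplicates can be dropped. The new bare `build` pattern matches a file or directory named build at any depth, so `/build/` would be the narrower form if only the top-level output directory is meant. Ignoring `certificate.p12` keeps the decoded signing certificate out of commits but does not remove it from the working tree, so it is not a substitute for deleting the file after signing.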
3 changes: 0 additions & 3 deletions .jshintrc

This file was deleted.
