build(deps): bump github/codeql-action from 3.27.4 to 3.27.5 #13316
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Package | |
on: | |
pull_request: | |
paths-ignore: | |
- '.github/actions/spelling/**' | |
- 'docs/**' | |
- '**.md' | |
push: | |
branches: | |
- main | |
- release-* | |
tags: | |
- '*' | |
workflow_dispatch: | |
inputs: | |
sign: | |
type: boolean | |
default: true | |
description: Whether to check signing result | |
defaults: | |
run: | |
shell: bash | |
jobs: | |
check-paths: | |
uses: ./.github/workflows/paths-ignore.yaml | |
with: | |
paths-ignore-globs: | | |
.github/actions/spelling/** | |
docs/** | |
**.md | |
package: | |
needs: check-paths | |
if: needs.check-paths.outputs.should-run == 'true' | |
strategy: | |
matrix: | |
include: | |
- platform: mac | |
arch: x86_64 | |
runs-on: macos-13 | |
- platform: mac | |
arch: aarch64 | |
runs-on: macos-latest | |
- platform: win | |
runs-on: windows-2019 | |
- platform: linux | |
runs-on: ubuntu-20.04 | |
runs-on: ${{ matrix.runs-on }} | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
persist-credentials: false | |
# Needed to run `git describe` to get full version info | |
fetch-depth: 0 | |
- uses: ./.github/actions/yarn-install | |
- run: yarn build | |
- run: yarn package | |
- name: Build bats.tar.gz | |
if: matrix.platform == 'linux' | |
run: make -C bats bats.tar.gz | |
- name: Upload bats.tar.gz | |
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | |
if: matrix.platform == 'linux' | |
with: | |
name: bats.tar.gz | |
path: bats/bats.tar.gz | |
if-no-files-found: error | |
- name: Upload mac disk image | |
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | |
if: matrix.platform == 'mac' | |
with: | |
name: Rancher Desktop.${{ matrix.arch }}.dmg | |
path: dist/Rancher Desktop*.dmg | |
if-no-files-found: error | |
- name: Upload mac zip | |
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | |
if: matrix.platform == 'mac' | |
with: | |
name: Rancher Desktop-mac.${{ matrix.arch }}.zip | |
path: dist/Rancher Desktop*.zip | |
if-no-files-found: error | |
- name: Upload Windows installer | |
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | |
if: matrix.platform == 'win' | |
with: | |
name: Rancher Desktop Setup.msi | |
path: dist/Rancher.Desktop*.msi | |
if-no-files-found: error | |
- name: Upload Windows zip | |
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | |
if: matrix.platform == 'win' | |
with: | |
name: Rancher Desktop-win.zip | |
path: dist/Rancher Desktop-*-win.zip | |
if-no-files-found: error | |
- name: Upload Linux zip | |
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | |
if: matrix.platform == 'linux' | |
with: | |
name: Rancher Desktop-linux.zip | |
path: dist/rancher-desktop-*-linux.zip | |
if-no-files-found: error | |
- name: Trigger OBS build | |
if: matrix.platform == 'linux' && github.ref_type == 'branch' && ( startsWith(github.ref_name, 'main') || startsWith(github.ref_name, 'release-') ) | |
run: | | |
if [[ -z $AWS_ACCESS_KEY_ID ]] || [[ -z $OBS_WEBHOOK_TOKEN ]]; then | |
echo "Secrets unavailable, skipping." | |
exit 0 | |
fi | |
# in pull requests GITHUB_REF_NAME is in the form "<pr_number>/merge"; | |
# remove slashes since they aren't valid in filenames | |
no_slash_ref_name="${GITHUB_REF_NAME//\//-}" | |
zip_name="rancher-desktop-linux-${no_slash_ref_name}.zip" | |
# Copy zip file to S3 | |
aws s3 cp \ | |
dist/rancher-desktop-*-linux.zip \ | |
"s3://rancher-desktop-assets-for-obs/$zip_name" | |
# Trigger OBS services for relevant package in dev channel | |
curl -X POST \ | |
-H "Authorization: Token ${OBS_WEBHOOK_TOKEN}" \ | |
"https://build.opensuse.org/trigger/runservice?project=isv:Rancher:dev&package=rancher-desktop-${GITHUB_REF_NAME}" | |
env: | |
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
AWS_DEFAULT_REGION: us-east-1 | |
OBS_WEBHOOK_TOKEN: ${{ secrets.OBS_WEBHOOK_TOKEN }} | |
sign-win: | |
name: Test Signing (Windows) | |
needs: package | |
runs-on: windows-2022 | |
if: >- | |
(github.event_name == 'push' && github.ref == 'refs/heads/main') || | |
(github.event_name == 'push' && startsWith(github.ref, 'refs/heads/release-')) || | |
(github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')) || | |
(github.event_name == 'workflow_dispatch' && github.event.inputs.sign) | |
permissions: | |
contents: read | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
persist-credentials: false | |
- uses: ./.github/actions/yarn-install | |
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
name: Download artifact | |
with: | |
name: Rancher Desktop-win.zip | |
- name: Generate test signing certificate | |
shell: powershell | |
run: | | |
$cert = New-SelfSignedCertificate ` | |
-Type Custom ` | |
-Subject "CN=Rancher-Sandbox, C=CA" ` | |
-KeyUsage DigitalSignature ` | |
-CertStoreLocation Cert:\CurrentUser\My ` | |
-FriendlyName "Rancher-Sandbox Code Signing" ` | |
-TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3", "2.5.29.19={text}") | |
Write-Output $cert | |
Write-Output "CSC_FINGERPRINT=$($cert.Thumbprint)" ` | |
| Out-File -Append -Encoding ASCII "${env:GITHUB_ENV}" | |
timeout-minutes: 1 | |
- name: Sign artifact | |
shell: powershell | |
run: yarn sign (Get-Item "Rancher Desktop*-win.zip") | |
timeout-minutes: 10 | |
- name: Verify installer signature | |
shell: powershell | |
run: | | |
$usedCert = (Get-AuthenticodeSignature -FilePath 'dist\Rancher*Desktop*.msi').SignerCertificate | |
Write-Output $usedCert | |
if ($usedCert.Thumbprint -ne $env:CSC_FINGERPRINT) { | |
Throw "Installer signed with wrong certificate" | |
} | |
timeout-minutes: 1 | |
sign-mac: | |
name: Test Signing (macOS) | |
needs: package | |
strategy: | |
matrix: | |
include: | |
- arch: aarch64 | |
# skip x86_64, we don't need to duplicate the testing for now. | |
runs-on: macos-latest | |
if: >- | |
(github.event_name == 'push' && github.ref == 'refs/heads/main') || | |
(github.event_name == 'push' && startsWith(github.ref, 'refs/heads/release-')) || | |
(github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')) || | |
(github.event_name == 'workflow_dispatch' && github.event.inputs.sign) | |
permissions: | |
contents: read | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
persist-credentials: false | |
- uses: ./.github/actions/yarn-install | |
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
name: Download artifact | |
with: | |
name: Rancher Desktop-mac.${{ matrix.arch }}.zip | |
- name: Generate test signing certificate | |
run: | | |
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem \ | |
-keyform pem -sha256 -days 3650 -nodes -subj \ | |
"/C=CA/CN=RD Test Signing Key" \ | |
-addext keyUsage=critical,digitalSignature \ | |
-addext extendedKeyUsage=critical,codeSigning | |
# Create a custom keychain so we can unlock it properly. | |
security create-keychain -p "" tmp.keychain | |
security default-keychain -d user -s tmp.keychain | |
security unlock-keychain -p "" tmp.keychain | |
security set-keychain-settings -u tmp.keychain # Disable keychain auto-lock | |
security import key.pem -k tmp.keychain -t priv -A | |
security import cert.pem -k tmp.keychain -t cert -A | |
security set-key-partition-list -S apple-tool:,apple:,codesign: -s \ | |
-k "" tmp.keychain | |
# Print out the valid certificates for debugging. | |
security find-identity | |
# Determine the key fingerprint. | |
awk_expr='/)/ { print $2 ; exit }' | |
hash="$(security find-identity | awk "$awk_expr")" | |
echo "CSC_FINGERPRINT=${hash}" >> "$GITHUB_ENV" | |
timeout-minutes: 1 | |
- name: Flag build for M1 | |
if: matrix.arch == 'aarch64' | |
run: echo "M1=1" >> "${GITHUB_ENV}" | |
- name: Sign artifact | |
run: | | |
for zip in Rancher\ Desktop-*mac*.zip; do | |
echo "::group::Signing ${zip}" | |
yarn sign --skip-notarize --skip-constraints "${zip}" | |
echo "::endgroup::" | |
done | |
timeout-minutes: 15 | |
- name: Verify signature | |
run: | | |
codesign --verify --deep --strict --verbose=2 dist/*.dmg | |
codesign --verify --deep --strict --verbose=2 dist/*.zip | |
timeout-minutes: 5 |