-
Notifications
You must be signed in to change notification settings - Fork 285
244 lines (236 loc) · 8.78 KB
/
package.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
name: Package
on:
pull_request:
paths-ignore:
- '.github/actions/spelling/**'
- 'docs/**'
- '**.md'
push:
branches:
- main
- release-*
tags:
- '*'
workflow_dispatch:
inputs:
sign:
type: boolean
default: true
description: Whether to check signing result
defaults:
run:
shell: bash
jobs:
check-paths:
uses: ./.github/workflows/paths-ignore.yaml
with:
paths-ignore-globs: |
.github/actions/spelling/**
docs/**
**.md
package:
needs: check-paths
if: needs.check-paths.outputs.should-run == 'true'
strategy:
matrix:
include:
- platform: mac
arch: x86_64
runs-on: macos-13
- platform: mac
arch: aarch64
runs-on: macos-latest
- platform: win
runs-on: windows-2019
- platform: linux
runs-on: ubuntu-20.04
runs-on: ${{ matrix.runs-on }}
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
# Needed to run `git describe` to get full version info
fetch-depth: 0
- uses: ./.github/actions/yarn-install
- run: yarn build
- run: yarn package
- name: Build bats.tar.gz
if: matrix.platform == 'linux'
run: make -C bats bats.tar.gz
- name: Upload bats.tar.gz
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
if: matrix.platform == 'linux'
with:
name: bats.tar.gz
path: bats/bats.tar.gz
if-no-files-found: error
- name: Upload mac disk image
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
if: matrix.platform == 'mac'
with:
name: Rancher Desktop.${{ matrix.arch }}.dmg
path: dist/Rancher Desktop*.dmg
if-no-files-found: error
- name: Upload mac zip
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
if: matrix.platform == 'mac'
with:
name: Rancher Desktop-mac.${{ matrix.arch }}.zip
path: dist/Rancher Desktop*.zip
if-no-files-found: error
- name: Upload Windows installer
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
if: matrix.platform == 'win'
with:
name: Rancher Desktop Setup.msi
path: dist/Rancher.Desktop*.msi
if-no-files-found: error
- name: Upload Windows zip
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
if: matrix.platform == 'win'
with:
name: Rancher Desktop-win.zip
path: dist/Rancher Desktop-*-win.zip
if-no-files-found: error
- name: Upload Linux zip
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
if: matrix.platform == 'linux'
with:
name: Rancher Desktop-linux.zip
path: dist/rancher-desktop-*-linux.zip
if-no-files-found: error
- name: Trigger OBS build
if: matrix.platform == 'linux' && github.ref_type == 'branch' && ( startsWith(github.ref_name, 'main') || startsWith(github.ref_name, 'release-') )
run: |
if [[ -z $AWS_ACCESS_KEY_ID ]] || [[ -z $OBS_WEBHOOK_TOKEN ]]; then
echo "Secrets unavailable, skipping."
exit 0
fi
# in pull requests GITHUB_REF_NAME is in the form "<pr_number>/merge";
# remove slashes since they aren't valid in filenames
no_slash_ref_name="${GITHUB_REF_NAME//\//-}"
zip_name="rancher-desktop-linux-${no_slash_ref_name}.zip"
# Copy zip file to S3
aws s3 cp \
dist/rancher-desktop-*-linux.zip \
"s3://rancher-desktop-assets-for-obs/$zip_name"
# Trigger OBS services for relevant package in dev channel
curl -X POST \
-H "Authorization: Token ${OBS_WEBHOOK_TOKEN}" \
"https://build.opensuse.org/trigger/runservice?project=isv:Rancher:dev&package=rancher-desktop-${GITHUB_REF_NAME}"
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: us-east-1
OBS_WEBHOOK_TOKEN: ${{ secrets.OBS_WEBHOOK_TOKEN }}
sign-win:
name: Test Signing (Windows)
needs: package
runs-on: windows-2022
if: >-
(github.event_name == 'push' && github.ref == 'refs/heads/main') ||
(github.event_name == 'push' && startsWith(github.ref, 'refs/heads/release-')) ||
(github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')) ||
(github.event_name == 'workflow_dispatch' && github.event.inputs.sign)
permissions:
contents: read
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- uses: ./.github/actions/yarn-install
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
name: Download artifact
with:
name: Rancher Desktop-win.zip
- name: Generate test signing certificate
shell: powershell
run: |
$cert = New-SelfSignedCertificate `
-Type Custom `
-Subject "CN=Rancher-Sandbox, C=CA" `
-KeyUsage DigitalSignature `
-CertStoreLocation Cert:\CurrentUser\My `
-FriendlyName "Rancher-Sandbox Code Signing" `
-TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3", "2.5.29.19={text}")
Write-Output $cert
Write-Output "CSC_FINGERPRINT=$($cert.Thumbprint)" `
| Out-File -Append -Encoding ASCII "${env:GITHUB_ENV}"
timeout-minutes: 1
- name: Sign artifact
shell: powershell
run: yarn sign (Get-Item "Rancher Desktop*-win.zip")
timeout-minutes: 10
- name: Verify installer signature
shell: powershell
run: |
$usedCert = (Get-AuthenticodeSignature -FilePath 'dist\Rancher*Desktop*.msi').SignerCertificate
Write-Output $usedCert
if ($usedCert.Thumbprint -ne $env:CSC_FINGERPRINT) {
Throw "Installer signed with wrong certificate"
}
timeout-minutes: 1
sign-mac:
name: Test Signing (macOS)
needs: package
strategy:
matrix:
include:
- arch: aarch64
# skip x86_64, we don't need to duplicate the testing for now.
runs-on: macos-latest
if: >-
(github.event_name == 'push' && github.ref == 'refs/heads/main') ||
(github.event_name == 'push' && startsWith(github.ref, 'refs/heads/release-')) ||
(github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')) ||
(github.event_name == 'workflow_dispatch' && github.event.inputs.sign)
permissions:
contents: read
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- uses: ./.github/actions/yarn-install
- uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
name: Download artifact
with:
name: Rancher Desktop-mac.${{ matrix.arch }}.zip
- name: Generate test signing certificate
run: |
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem \
-keyform pem -sha256 -days 3650 -nodes -subj \
"/C=CA/CN=RD Test Signing Key" \
-addext keyUsage=critical,digitalSignature \
-addext extendedKeyUsage=critical,codeSigning
# Create a custom keychain so we can unlock it properly.
security create-keychain -p "" tmp.keychain
security default-keychain -d user -s tmp.keychain
security unlock-keychain -p "" tmp.keychain
security set-keychain-settings -u tmp.keychain # Disable keychain auto-lock
security import key.pem -k tmp.keychain -t priv -A
security import cert.pem -k tmp.keychain -t cert -A
security set-key-partition-list -S apple-tool:,apple:,codesign: -s \
-k "" tmp.keychain
# Print out the valid certificates for debugging.
security find-identity
# Determine the key fingerprint.
awk_expr='/)/ { print $2 ; exit }'
hash="$(security find-identity | awk "$awk_expr")"
echo "CSC_FINGERPRINT=${hash}" >> "$GITHUB_ENV"
timeout-minutes: 1
- name: Flag build for M1
if: matrix.arch == 'aarch64'
run: echo "M1=1" >> "${GITHUB_ENV}"
- name: Sign artifact
run: |
for zip in Rancher\ Desktop-*mac*.zip; do
echo "::group::Signing ${zip}"
yarn sign --skip-notarize --skip-constraints "${zip}"
echo "::endgroup::"
done
timeout-minutes: 15
- name: Verify signature
run: |
codesign --verify --deep --strict --verbose=2 dist/*.dmg
codesign --verify --deep --strict --verbose=2 dist/*.zip
timeout-minutes: 5