Skip to content

fix: do not include full path to binary in .sha512 files (#1108) #795

fix: do not include full path to binary in .sha512 files (#1108)

fix: do not include full path to binary in .sha512 files (#1108) #795

Workflow file for this run

name: CI
on:
push:
branches:
- master
pull_request:
branches:
- master
workflow_dispatch:
inputs:
dist_root:
description: 'DIST_ROOT'
required: true
default: '/ipns/dist.ipfs.tech'
env:
DIST_ROOT: ${{ github.event.inputs.dist_root || '/ipns/dist.ipfs.tech' }} # content root used for calculating diff to build
KUBO_VER: 'v0.30.0' # kubo daemon used for chunking and applying diff
CLUSTER_CTL_VER: 'v1.0.8' # ipfs-cluster-ctl used for pinning
concurrency:
# we want only one job running at the time because it is expensive
# expecially when building artifact for multiple platforms
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
# IMPORTANT: we want to save resources and cancel old builds on PRs,
# but we can't cancel jobs in master branch because they update DNSLink
# which is used as DIST_ROOT of the next job, so if we cancel a master job
# we will "forget" about releases added in skipped build.
cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
jobs:
build:
runs-on: ${{ fromJSON(vars.CI_BUILD_RUNS_ON || '"ubuntu-latest"') }}
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: '16'
- env:
CLUSTER_USER: ${{ secrets.CLUSTER_USER }}
CLUSTER_PASSWORD: ${{ secrets.CLUSTER_PASSWORD }}
uses: ./.github/actions/setup-ipfs
timeout-minutes: 30
- name: Build any new ./releases
run: ./dockerized make all_dists
- name: Inspect git status and contents of ./releases
run: git status && ls -Rhl ./releases
- name: Temporarily save ./releases artifacts
uses: actions/upload-artifact@v3
with:
name: releases-unsigned-diff
path: releases
retention-days: 3
lint:
runs-on: "ubuntu-latest"
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: '16'
- run: npm ci --no-audit --progress=false
- run: npm run lint
sign-macos:
runs-on: "macos-latest"
needs: build
concurrency:
# notarization depends on remote HTTP service provided by Apple
# and we want to have only one instance at a time, across all branches
# and PRs to avoid triggering throttling / blacklisting when multiple
# jobs try to notarize at the same time
group: sign-macos
# never cancel ongoing notarization, it could be one for master branch
cancel-in-progress: false
steps:
- uses: actions/checkout@v4
- name: Retrieve unsigned artifacts
uses: actions/download-artifact@v3
with:
name: releases-unsigned-diff
path: releases
continue-on-error: true # skip if no releases
- name: List ./releases before
run: ls -Rhl ./releases || echo "No ./releases"
- name: Install dependencies of sign-new-macos-releases.sh
run: |
brew install ipfs coreutils gawk gnu-sed jq
- name: Set up rcodesign rust tool (TODO)
if: false
run: |
cargo install apple-codesign
- name: Import Keychain Certs
# if this ever breaks, we should replace this magic with epxlicit security commands executed inside of it via.. nodejs
# prior art: https://github.com/lando/code-sign-action/blob/f35d0b777ee592c758351252fa3f0d58f21e5129/action.yml#L106-L123
uses: apple-actions/import-codesign-certs@8f3fb608891dd2244cdab3d69cd68c0d37a7fe93 # v2
with:
p12-file-base64: ${{ secrets.APPLE_CERTS_P12 }}
p12-password: ${{ secrets.APPLE_CERTS_PASS }}
- name: Verify identity used for signing
run: security find-identity -v
- name: Secrets for signing (TODO rcodesign)
# TODO: revisit switch to rcodesign once we have to switch mode due to move to new org
# we dont use this yet, we use codesign from Apple and run on macOS
# because rcodesign errored on 'invalid password'
if: false
run: |
echo -n "${{ secrets.APPLE_CERTS_P12 }}" | base64 --decode > ~/.apple-certs.p12
echo -n "{{ secrets.APPLE_CERTS_PASS }}" > ~/.apple-certs.pass
- name: Secrets for notarization (TODO rcodesign)
# TODO: revisit switch to rcodesign once we have to switch mode due to move to new org
# we dont use this yet, we use notarytool from Apple and run on macOS
# because (afaik) rcodesign does not support App-specific password mode
# we use for legacy reasons
if: false
run: |
rcodesign encode-app-store-connect-api-key \
"${{ secrets.APPLE_APIKEY_ISSUER_ID }}" \
"${{ secrets.APPLE_APIKEY_ID }}" \
"${{ secrets.APPLE_APIKEY_FILE }}" \
> ~/.apple-api-key
- name: Kubo init
run: ipfs init --profile test # needed for calculating NEW_CID in sign-new-macos-releases.sh
- name: Sign any new releases
run: ./scripts/ci/sign-new-macos-releases.sh
env:
WORK_DIR: ${{ github.workspace }}
APPLE_AC_USERNAME: ${{ secrets.APPLE_AC_USERNAME }}
APPLE_AC_PASSWORD: ${{ secrets.APPLE_AC_PASSWORD }}
APPLE_AC_TEAM_ID: ${{ secrets.APPLE_AC_TEAM_ID }}
- name: List ./releases after
run: ls -Rhl ./releases || echo "No ./releases"
- name: Temporarily save notarized artifacts
uses: actions/upload-artifact@v3
with:
name: releases-signed-macos-diff
path: releases
retention-days: 3
continue-on-error: true # skip if no releases
persist:
runs-on: ${{ fromJSON(vars.CI_BUILD_RUNS_ON || '"ubuntu-latest"') }}
needs: sign-macos
environment: Deploy
steps:
- name: Setup node
uses: actions/setup-node@v4
with:
node-version: '16'
- uses: actions/checkout@v4
- name: Retrieve signed artifacts
uses: actions/download-artifact@v3
continue-on-error: true # skip if no releases
with:
name: releases-signed-macos-diff
path: releases
- name: List ./releases
run: ls -Rhl ./releases || echo "No ./releases"
- env:
CLUSTER_USER: ${{ secrets.CLUSTER_USER }}
CLUSTER_PASSWORD: ${{ secrets.CLUSTER_PASSWORD }}
uses: ./.github/actions/setup-ipfs
timeout-minutes: 5
- run: ./dockerized make publish
- run: git status
- name: Read CID of updated DAG
id: cid-reader
run: |
tail -1 ./versions
echo "CID=$(tail -1 ./versions)" >> $GITHUB_OUTPUT
- name: Pin new website to ipfs-websites.collab.ipfscluster.io
run: ./scripts/ci/pin-to-cluster.sh
env:
PIN_CID: ${{ steps.cid-reader.outputs.CID }}
PIN_NAME: "https://github.com/ipfs/distributions/commits/${{ github.sha }}"
PIN_ADD_EXTRA_ARGS: ""
CLUSTER_USER: ${{ secrets.CLUSTER_USER }}
CLUSTER_PASSWORD: ${{ secrets.CLUSTER_PASSWORD }}
timeout-minutes: 120
- name: Update PR status with preview link
run: ./scripts/ci/github-preview-link.sh
env:
CONTENT_PATH: "/ipfs/${{ steps.cid-reader.outputs.CID }}/"
GIT_REVISION: ${{ github.sha }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- run: ./dockerized make diff
if: github.event_name == 'pull_request'
- uses: actions/upload-artifact@v3
if: github.event_name == 'pull_request'
with:
name: diff
path: diff
- uses: actions/setup-go@v4
if: github.ref == 'refs/heads/master'
with:
go-version: "1.20.x"
- name: Update _dnslink.dist.ipfs.tech (if on the main branch)
if: github.ref == 'refs/heads/master'
run: |
go install github.com/ipfs/dnslink-dnsimple@v0.1.0
dnslink-dnsimple --domain dist.ipfs.tech --record _dnslink --link /ipfs/${{ steps.cid-reader.outputs.CID }}
env:
DNSIMPLE_TOKEN: ${{ secrets.DNSIMPLE_TOKEN }}
diff:
needs: persist
if: github.event_name == 'pull_request'
runs-on: ubuntu-latest
steps:
- uses: actions/download-artifact@v3
with:
name: diff
- name: Create comment with the diff
uses: actions/github-script@v6
with:
script: |
const fs = require('fs').promises
const diff = await fs.readFile('diff', 'utf8')
await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: ${{ github.event.number }},
body: diff
})