ANON-197 - Optimize windows binary build #243
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build Anon Packages | |
| on: | |
| push: | |
| tags: | |
| - 'v*' | |
| - '*beta*' | |
| branches: | |
| - main | |
| - development | |
| pull_request: | |
| branches: | |
| - main | |
| - development | |
| env: | |
| DEBIAN_FRONTEND: noninteractive | |
| # tags (v*): live | |
| # tags (*beta*): beta | |
| # main: stage | |
| # development: dev | |
| # everything else (pull request, etc.): unstable-dev | |
| PKG_ENV: ${{ github.ref_type == 'tag' && (contains(github.ref, 'beta') && 'beta' || 'live') || github.ref == 'refs/heads/main' && 'stage' || github.ref == 'refs/heads/development' && 'dev' || 'unstable-dev' }} | |
| jobs: | |
| # | |
| # Debian Packages | |
| # | |
| build-deb-source: | |
| runs-on: ubuntu-latest | |
| container: | |
| image: debian:bookworm | |
| steps: | |
| - name: Install Dependencies | |
| run: | | |
| apt-get -y update | |
| apt-get -y dist-upgrade | |
| apt-get -y install sudo git build-essential devscripts gpg | |
| - name: Checkout Repository | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 1 | |
| - name: Setup | |
| run: | | |
| apt-get -y install $(cat debian/.debian-ci/build_source/build-depends) | |
| git config --global --add safe.directory $(realpath .) | |
| - name: Build Source | |
| run: | | |
| $(pwd)/debian/.debian-ci/build_source/build-script | |
| - name: Sign Source Package | |
| run: | | |
| echo "${{ secrets.DEBIAN_PRIVATE_KEY }}" | base64 -d > debian-private.gpg | |
| gpg --allow-secret-key-import --import debian-private.gpg | |
| debsign -k ${{ secrets.DEBIAN_FINGERPRINT }} source-packages/anon_*.changes | |
| - name: Upload Artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: anon-${{ env.PKG_ENV }}-source-packages | |
| path: source-packages/ | |
| build-deb-package: | |
| runs-on: ${{ matrix.build.runner }} | |
| needs: build-deb-source | |
| container: | |
| image: ${{ matrix.build.os }}:${{ matrix.build.suite }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| build: | |
| # Debian Bookworm | |
| - os: debian | |
| suite: bookworm | |
| arch: amd64 | |
| runner: ubuntu-latest | |
| - os: debian | |
| suite: bookworm | |
| arch: arm64 | |
| runner: arm64 | |
| # Debian Bullseye | |
| - os: debian | |
| suite: bullseye | |
| arch: amd64 | |
| runner: ubuntu-latest | |
| - os: debian | |
| suite: bullseye | |
| arch: arm64 | |
| runner: arm64 | |
| # Ubuntu Noble | |
| - os: ubuntu | |
| suite: noble | |
| arch: amd64 | |
| runner: ubuntu-latest | |
| - os: ubuntu | |
| suite: noble | |
| arch: arm64 | |
| runner: arm64 | |
| # Ubuntu Lunar | |
| - os: ubuntu | |
| suite: lunar | |
| arch: amd64 | |
| runner: ubuntu-latest | |
| - os: ubuntu | |
| suite: lunar | |
| arch: arm64 | |
| runner: arm64 | |
| # Ubuntu Jammy | |
| - os: ubuntu | |
| suite: jammy | |
| arch: amd64 | |
| runner: ubuntu-latest | |
| - os: ubuntu | |
| suite: jammy | |
| arch: arm64 | |
| runner: arm64 | |
| # Ubuntu Focal | |
| - os: ubuntu | |
| suite: focal | |
| arch: amd64 | |
| runner: ubuntu-latest | |
| - os: ubuntu | |
| suite: focal | |
| arch: arm64 | |
| runner: arm64 | |
| steps: | |
| - name: Install Dependencies | |
| run: | | |
| apt-get -y update | |
| apt-get -y dist-upgrade | |
| apt-get -y install build-essential devscripts gpg reprepro fakeroot | |
| - name: Download Artifact | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: anon-${{ env.PKG_ENV }}-source-packages | |
| path: source-packages/ | |
| - name: Build Package | |
| run: | | |
| set -x | |
| find source-packages | |
| upstream_version="$(head -n1 source-packages/version.txt)" | |
| if [ -z "$upstream_version" ]; then echo >&2 "Did not get package version from artifact."; exit 1; fi | |
| echo $upstream_version | |
| srcchanges="$(ls -1 source-packages/anon_"$upstream_version"*${{ matrix.build.suite }}+*_src.changes)" | |
| echo "srcchanges: $srcchanges" | |
| if [ "$(echo "$srcchanges" | wc -l)" != 1 ] || [ -z "$srcchanges" ] ; then echo >&2 "Weird number of changes files found."; exit 1; fi | |
| case "${{ matrix.build.arch }}" in | |
| amd64) build_selector="-b";; | |
| *) build_selector="-B";; | |
| esac | |
| echo "source changes file:" | |
| cat "$srcchanges" | |
| dsc="$(dcmd --dsc "$srcchanges")" | |
| echo "dsc file is ${dsc}" | |
| cat "$dsc" | |
| mkdir build-tree | |
| cd build-tree | |
| dpkg-source -x ../${dsc} | |
| cd anon-${upstream_version} | |
| apt-get -y build-dep . | |
| debuild -rfakeroot -uc -us -j4 "$build_selector" | |
| cd .. | |
| binchanges="$(ls -1 *.changes)" | |
| if [ "$(echo "$binchanges" | wc -l)" != 1 ] || [ -z "$binchanges" ] ; then echo >&2 "Weird number of changes files produced."; exit 1; fi | |
| cd .. | |
| mkdir RESULT | |
| dcmd ln -v "build-tree/${binchanges}" RESULT | |
| mv -v --no-target-directory RESULT binary-packages/ | |
| - name: Sign Binary Package | |
| run: | | |
| echo "${{ secrets.DEBIAN_PRIVATE_KEY }}" | base64 -d > debian-private.gpg | |
| gpg --allow-secret-key-import --import debian-private.gpg | |
| debsign -k ${{ secrets.DEBIAN_FINGERPRINT }} binary-packages/anon_*.changes | |
| - name: Upload Artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: anon-${{ env.PKG_ENV }}-${{ matrix.build.os }}-${{ matrix.build.suite }}-${{ matrix.build.arch }} | |
| path: binary-packages/ | |
| # | |
| # Linux Build | |
| # | |
| build-linux-binary: | |
| runs-on: ${{ matrix.build.runner }} | |
| container: | |
| image: debian:bookworm | |
| env: | |
| OPENSSL_VERSION: "1.1.1w" | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| build: | |
| # Linux amd64 | |
| - runner: ubuntu-latest | |
| arch: amd64 | |
| libarch: x86_64 | |
| # Linux arm64 | |
| - runner: arm64 | |
| arch: arm64 | |
| libarch: aarch64 | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@v4 | |
| with: | |
| path: ator-protocol | |
| fetch-depth: 1 | |
| - name: Install dependencies | |
| run: | | |
| apt-get update && \ | |
| apt_build_deps="libssl-dev zlib1g-dev libevent-dev ca-certificates dh-apparmor libseccomp-dev debhelper" && \ | |
| apt_runtime_deps="iputils-ping curl pwgen" && \ | |
| apt_temps="build-essential automake git wget" && \ | |
| apt-get -y --no-install-recommends install $apt_build_deps $apt_runtime_deps $apt_temps | |
| - name: Build anon | |
| run: | | |
| cd ator-protocol | |
| ./scripts/ci/update-env.sh ${{ env.PKG_ENV }} | |
| ./autogen.sh | |
| ./configure \ | |
| --disable-asciidoc \ | |
| --disable-zstd \ | |
| --disable-lzma \ | |
| --enable-static-zlib \ | |
| --enable-static-libevent \ | |
| --enable-static-openssl \ | |
| --enable-static-tor \ | |
| --with-libevent-dir=/usr/lib/${{ matrix.build.libarch }}-linux-gnu/ \ | |
| --with-openssl-dir=/usr/lib/${{ matrix.build.libarch }}-linux-gnu/ \ | |
| --with-zlib-dir=/usr/lib/${{ matrix.build.libarch }}-linux-gnu/ \ | |
| --disable-tool-name-check \ | |
| --disable-gcc-hardening | |
| make | |
| - name: Copy executables to artifact directory | |
| run: | | |
| mkdir -p package | |
| cp ator-protocol/src/app/anon package | |
| cp ator-protocol/src/tools/anon-gencert package | |
| - name: Upload artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: anon-${{ env.PKG_ENV }}-linux-${{ matrix.build.arch }} | |
| path: package/ | |
| # | |
| # MacOS Build | |
| # | |
| build-macos-binary: | |
| runs-on: ${{ matrix.build.runner }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| build: | |
| # MacOS Intel | |
| - runner: macos-13 | |
| arch: amd64 | |
| # MacOS Apple Silicon | |
| - runner: macos-14 | |
| arch: arm64 | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@v4 | |
| with: | |
| path: ator-protocol | |
| fetch-depth: 1 | |
| - name: Set variables | |
| run: | | |
| echo "ANON_BREW_PREFIX=$(brew --prefix)" >> $GITHUB_ENV | |
| - name: Install dependencies | |
| run: | | |
| brew install gsed automake docbook docbook-xsl zlib libevent openssl@3 | |
| - name: Build anon | |
| run: | | |
| cd ator-protocol | |
| ./scripts/ci/update-env.sh ${{ env.PKG_ENV }} | |
| ./autogen.sh | |
| ./configure --prefix=/usr/local \ | |
| --disable-asciidoc \ | |
| --disable-zstd \ | |
| --disable-lzma \ | |
| --with-zlib-dir=${{ env.ANON_BREW_PREFIX }}/opt/zlib \ | |
| --with-libevent-dir=${{ env.ANON_BREW_PREFIX }}/opt/libevent \ | |
| --with-openssl-dir=${{ env.ANON_BREW_PREFIX }}/opt/openssl@3 \ | |
| --enable-static-zlib \ | |
| --enable-static-libevent \ | |
| --enable-static-openssl \ | |
| --disable-tool-name-check \ | |
| --disable-gcc-hardening | |
| make | |
| - name: Copy executables to artifact directory | |
| run: | | |
| mkdir -p package | |
| cp ator-protocol/src/app/anon package | |
| cp ator-protocol/src/tools/anon-gencert package | |
| - name: Upload artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: anon-${{ env.PKG_ENV }}-macos-${{ matrix.build.arch }} | |
| path: package/ | |
| # | |
| # Windows Build | |
| # | |
| build-windows-64-binary: | |
| runs-on: ubuntu-latest | |
| container: | |
| image: ubuntu:latest | |
| env: | |
| OPENSSL_VERSION: "1.1.1w" | |
| LIBEVENT_VERSION: "2.1.12-stable" | |
| ZLIB_VERSION: "1.3.1" | |
| BUILD_TYPE: "64" | |
| CROSS_HOST: "x86_64-w64-mingw32" | |
| MINGW: "mingw64" | |
| MINGW_DEB: "gcc-mingw-w64-x86-64" | |
| steps: | |
| - name: Set variables | |
| run: | | |
| echo "ANON_JOBS=$((`nproc`+1))" | |
| - name: Checkout Repository | |
| uses: actions/checkout@v4 | |
| with: | |
| path: ator-protocol | |
| fetch-depth: 1 | |
| - name: Install dependencies | |
| run: | | |
| apt-get update -qq | |
| apt-get upgrade -qy | |
| apt-get install -qy autoconf automake libtool make wget git | |
| apt-get install -qy ${MINGW_DEB} | |
| - name: Build openssl | |
| run: | | |
| wget --quiet https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz | |
| tar zxf openssl-${OPENSSL_VERSION}.tar.gz | |
| rm openssl-${OPENSSL_VERSION}.tar.gz | |
| cd openssl-${OPENSSL_VERSION} | |
| ./Configure ${MINGW} shared --cross-compile-prefix=${CROSS_HOST}- --prefix="/build/openssl-${BUILD_TYPE}-prefix/" | |
| make -j${{ env.ANON_JOBS }} | |
| make install | |
| cd .. | |
| rm -rf openssl-${OPENSSL_VERSION} | |
| - name: Build libevent | |
| run: | | |
| wget --quiet https://github.com/libevent/libevent/releases/download/release-${LIBEVENT_VERSION}/libevent-${LIBEVENT_VERSION}.tar.gz | |
| tar zxf libevent-${LIBEVENT_VERSION}.tar.gz | |
| rm libevent-${LIBEVENT_VERSION}.tar.gz | |
| cd libevent-${LIBEVENT_VERSION} | |
| ./configure --host=${CROSS_HOST} --disable-openssl --disable-shared --disable-samples --disable-libevent-regress --enable-static --prefix="/build/libevent-${BUILD_TYPE}-prefix/" | |
| make -j${{ env.ANON_JOBS }} | |
| make install | |
| cd .. | |
| rm -rf libevent-${LIBEVENT_VERSION} | |
| - name: Build zlib | |
| run: | | |
| wget --quiet https://www.zlib.net/fossils/zlib-${ZLIB_VERSION}.tar.gz | |
| tar zxf zlib-${ZLIB_VERSION}.tar.gz | |
| rm zlib-${ZLIB_VERSION}.tar.gz | |
| cd zlib-${ZLIB_VERSION} | |
| CHOST=${CROSS_HOST} ./configure --static --prefix="/build/zlib-${BUILD_TYPE}-prefix/" | |
| make -j${{ env.ANON_JOBS }} | |
| make install | |
| cd .. | |
| rm -rf zlib-${ZLIB_VERSION} | |
| - name: Build anon | |
| run: | | |
| cd ator-protocol | |
| ./scripts/ci/update-env.sh ${{ env.PKG_ENV }} | |
| ./autogen.sh | |
| ./configure --host=${CROSS_HOST} \ | |
| --disable-asciidoc \ | |
| --disable-zstd \ | |
| --disable-lzma \ | |
| --enable-static-libevent --with-libevent-dir="/build/libevent-${BUILD_TYPE}-prefix/" \ | |
| --enable-static-openssl --with-openssl-dir="/build/openssl-${BUILD_TYPE}-prefix/" \ | |
| --enable-static-zlib --with-zlib-dir="/build/zlib-${BUILD_TYPE}-prefix/" \ | |
| --disable-tool-name-check \ | |
| --disable-gcc-hardening \ | |
| --enable-static-tor \ | |
| --prefix="/build/anon-prefix" | |
| make -j1 | |
| make install | |
| - name: Copy executables to artifact directory | |
| run: | | |
| mkdir -p package | |
| cp ator-protocol/src/app/anon.exe package | |
| cp ator-protocol/src/tools/anon-gencert.exe package | |
| - name: Upload artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: anon-${{ env.PKG_ENV }}-windows-amd64 | |
| path: package/ | |
| sign-windows-64-binary: | |
| runs-on: windows-latest | |
| needs: build-windows-64-binary | |
| steps: | |
| - name: Download raw artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: anon-${{ env.PKG_ENV }}-windows-amd64 | |
| path: build/ | |
| - name: Sign | |
| run: | | |
| dotnet tool install --global AzureSignTool | |
| AzureSignTool sign -kvu "${{ secrets.AZURE_KEY_VAULT_URI }}" -kvi "${{ secrets.AZURE_CLIENT_ID }}" -kvt "${{ secrets.AZURE_TENANT_ID }}" -kvs "${{ secrets.AZURE_CLIENT_SECRET }}" -kvc ${{ secrets.AZURE_CERT_NAME }} -tr http://timestamp.digicert.com -v "build/anon.exe" | |
| AzureSignTool sign -kvu "${{ secrets.AZURE_KEY_VAULT_URI }}" -kvi "${{ secrets.AZURE_CLIENT_ID }}" -kvt "${{ secrets.AZURE_TENANT_ID }}" -kvs "${{ secrets.AZURE_CLIENT_SECRET }}" -kvc ${{ secrets.AZURE_CERT_NAME }} -tr http://timestamp.digicert.com -v "build/anon-gencert.exe" | |
| - name: Upload artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: anon-${{ env.PKG_ENV }}-windows-signed-amd64 | |
| path: build/ | |
| # | |
| # Release | |
| # | |
| release-deb: | |
| runs-on: ubuntu-latest | |
| needs: build-deb-package | |
| container: | |
| image: debian:bookworm | |
| steps: | |
| - name: Install Dependencies | |
| run: | | |
| apt-get -y update | |
| apt-get -y dist-upgrade | |
| apt-get -y install devscripts zip gpg dput openssh-client | |
| - name: Download raw artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| path: raw-artifacts/ | |
| - name: Distribute signed .deb packages | |
| run: | | |
| mkdir -p /root/.ssh | |
| ssh-keyscan ${{ secrets.DEBIAN_HOST }} > /root/.ssh/known_hosts | |
| echo "${{ secrets.DEBIAN_ID_RSA }}" | base64 -d > /root/.ssh/id_rsa | |
| chmod 600 /root/.ssh/id_rsa | |
| echo "${{ secrets.DEBIAN_PRIVATE_KEY }}" | base64 -d > debian-private.gpg | |
| gpg --allow-secret-key-import --import debian-private.gpg | |
| cat << EOF > ~/.dput.cf | |
| [anon] | |
| fqdn = ${{ secrets.DEBIAN_HOST }} | |
| incoming = /data/debian/incoming | |
| method = scp | |
| login = reprepro | |
| allow_unsigned_uploads = 0 | |
| post_upload_command = ssh %(login)s@%(fqdn)s reprepro processincoming incoming | |
| EOF | |
| echo "Uploading packages" | |
| dput anon raw-artifacts/anon-*/anon_*.changes | |
| echo "Processing incoming packages" | |
| ssh reprepro@${{ secrets.DEBIAN_HOST }} "reprepro processincoming incoming || exit 1" | |
| release-github: | |
| runs-on: ubuntu-latest | |
| needs: [build-deb-package, build-macos-binary, sign-windows-64-binary] | |
| if: ${{ startsWith(github.ref, 'refs/tags/') && !contains(github.ref, 'beta') }} | |
| steps: | |
| - name: Download raw artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| path: raw-artifacts/ | |
| - name: Copy release artifacts | |
| run: | | |
| mkdir -p release-artifacts/ | |
| cp raw-artifacts/anon-*/anon_*.deb release-artifacts/ | |
| chmod +x raw-artifacts/anon-${{ env.PKG_ENV }}-linux-amd64/* | |
| chmod +x raw-artifacts/anon-${{ env.PKG_ENV }}-linux-arm64/* | |
| chmod +x raw-artifacts/anon-${{ env.PKG_ENV }}-macos-amd64/* | |
| chmod +x raw-artifacts/anon-${{ env.PKG_ENV }}-macos-arm64/* | |
| zip -j release-artifacts/anon-${{ env.PKG_ENV }}-linux-amd64.zip raw-artifacts/anon-${{ env.PKG_ENV }}-linux-amd64/* | |
| zip -j release-artifacts/anon-${{ env.PKG_ENV }}-linux-arm64.zip raw-artifacts/anon-${{ env.PKG_ENV }}-linux-arm64/* | |
| zip -j release-artifacts/anon-${{ env.PKG_ENV }}-macos-amd64.zip raw-artifacts/anon-${{ env.PKG_ENV }}-macos-amd64/* | |
| zip -j release-artifacts/anon-${{ env.PKG_ENV }}-macos-arm64.zip raw-artifacts/anon-${{ env.PKG_ENV }}-macos-arm64/* | |
| zip -j release-artifacts/anon-${{ env.PKG_ENV }}-windows-signed-amd64.zip raw-artifacts/anon-${{ env.PKG_ENV }}-windows-signed-amd64/* | |
| ls -la -R release-artifacts/ | |
| - name: Checkout Repository | |
| uses: actions/checkout@v4 | |
| with: | |
| path: ator-protocol | |
| fetch-depth: 1 | |
| - name: Publish release artifacts | |
| uses: ncipollo/release-action@v1 | |
| with: | |
| artifacts: "release-artifacts/anon*" | |
| bodyFile: "ator-protocol/doc/RELEASE.md" |