Make getPaths
more robust
#8277
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Package | |
on: | |
pull_request: {} | |
push: | |
branches: | |
- main | |
- release-* | |
tags: | |
- '*' | |
workflow_dispatch: {} | |
defaults: | |
run: | |
shell: bash | |
jobs: | |
package: | |
strategy: | |
matrix: | |
include: | |
- platform: mac | |
arch: x86_64 | |
runs-on: macos-11 | |
- platform: mac | |
arch: aarch64 | |
runs-on: macos-11 | |
- platform: win | |
runs-on: windows-2019 | |
- platform: linux | |
runs-on: ubuntu-20.04 | |
runs-on: ${{ matrix.runs-on }} | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
persist-credentials: false | |
# Needed to run `git describe` to get full version info | |
fetch-depth: 0 | |
- uses: actions/setup-node@v3 | |
with: | |
node-version: '16.x' | |
- uses: actions/setup-python@v4 | |
with: | |
python-version: '3.x' | |
- uses: actions/setup-go@v4 | |
with: | |
go-version: '^1.18' | |
- name: Install Windows dependencies | |
if: runner.os == 'Windows' | |
shell: powershell | |
run: .\scripts\windows-setup.ps1 -SkipVisualStudio -SkipTools | |
- name: Flag build for M1 | |
if: matrix.arch == 'aarch64' && matrix.platform == 'mac' | |
run: echo "M1=1" >> "${GITHUB_ENV}" | |
- name: Upgrade npm | |
# We do this to avoid https://github.com/npm/cli/issues/3079 | |
run: | | |
npm install -g npm@9 | |
npm --version | |
- run: npm ci | |
- run: npm run build | |
- run: npm run package -- --${{ matrix.platform }} --publish=never | |
- name: Build bats.tar.gz | |
if: matrix.platform == 'linux' | |
run: make -C bats bats.tar.gz | |
- name: Upload bats.tar.gz | |
uses: actions/upload-artifact@v3 | |
if: matrix.platform == 'linux' | |
with: | |
name: bats.tar.gz | |
path: bats/bats.tar.gz | |
if-no-files-found: error | |
- name: Upload mac disk image | |
uses: actions/upload-artifact@v3 | |
if: matrix.platform == 'mac' | |
with: | |
name: Rancher Desktop.${{ matrix.arch }}.dmg | |
path: dist/Rancher Desktop*.dmg | |
if-no-files-found: error | |
- name: Upload mac zip | |
uses: actions/upload-artifact@v3 | |
if: matrix.platform == 'mac' | |
with: | |
name: Rancher Desktop-mac.${{ matrix.arch }}.zip | |
path: dist/Rancher Desktop*.zip | |
if-no-files-found: error | |
- name: Upload Windows installer | |
uses: actions/upload-artifact@v3 | |
if: matrix.platform == 'win' | |
with: | |
name: Rancher Desktop Setup.msi | |
path: dist/Rancher Desktop*.msi | |
if-no-files-found: error | |
- name: Upload Windows zip | |
uses: actions/upload-artifact@v3 | |
if: matrix.platform == 'win' | |
with: | |
name: Rancher Desktop-win.zip | |
path: dist/Rancher Desktop-*-win.zip | |
if-no-files-found: error | |
- name: Upload Linux zip | |
uses: actions/upload-artifact@v3 | |
if: matrix.platform == 'linux' | |
with: | |
name: Rancher Desktop-linux.zip | |
path: dist/rancher-desktop-*-linux.zip | |
if-no-files-found: error | |
- id: has_s3 | |
name: Check if S3 secrets are available | |
continue-on-error: true | |
if: github.ref_type == 'branch' && ( startsWith(github.ref_name, 'main') || startsWith(github.ref_name, 'release-') ) | |
run: '[[ -n "${key}" ]]' | |
env: | |
key: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
- name: set zip_name env var | |
id: zip_name | |
if: matrix.platform == 'linux' && steps.has_s3.outcome == 'success' | |
run: | | |
# in pull requests GITHUB_REF_NAME is in the form "<pr_number>/merge"; | |
# remove slashes since they aren't valid in filenames | |
no_slash_ref_name="${GITHUB_REF_NAME//\//-/}" | |
zip_name="rancher-desktop-linux-${no_slash_ref_name}.zip" | |
echo "zip_name=${zip_name}" >> "${GITHUB_OUTPUT}" | |
- name: Copy zip file to S3 | |
uses: prewk/s3-cp-action@74701625561055a306f92fa5c18e948f9d14a54a | |
if: matrix.platform == 'linux' && steps.has_s3.outcome == 'success' | |
with: | |
aws_access_key_id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
source: dist/rancher-desktop-*-linux.zip | |
dest: s3://rancher-desktop-assets-for-obs/${{ steps.zip_name.outputs.zip_name }} | |
- name: Trigger OBS services for relevant package in dev channel | |
if: matrix.platform == 'linux' && steps.has_s3.outcome == 'success' | |
run: | | |
curl -X POST \ | |
-H "Authorization: Token ${OBS_WEBHOOK_TOKEN}" \ | |
"https://build.opensuse.org/trigger/runservice?project=isv:Rancher:dev&package=rancher-desktop-${GITHUB_REF_NAME}" | |
env: | |
OBS_WEBHOOK_TOKEN: ${{ secrets.OBS_WEBHOOK_TOKEN }} | |
sign: | |
name: Test Signing | |
needs: package | |
runs-on: windows-2022 | |
if: >- | |
(github.event_name == 'push' && github.ref == 'refs/heads/main') || | |
(github.event_name == 'push' && startsWith(github.ref, 'refs/heads/release-')) || | |
(github.event_name == 'push' && startsWith(github.ref, 'refs/tags')) || | |
(github.event_name == 'workflow_dispatch') | |
permissions: | |
contents: read | |
steps: | |
- uses: actions/checkout@v3 | |
with: | |
persist-credentials: false | |
- name: Install Windows dependencies | |
if: runner.os == 'Windows' | |
shell: powershell | |
run: .\scripts\windows-setup.ps1 -SkipVisualStudio -SkipTools | |
- uses: actions/setup-go@v4 | |
with: | |
go-version: '^1.18' | |
- uses: actions/setup-node@v3 | |
with: | |
node-version: '16.x' | |
- run: npm ci | |
- uses: actions/download-artifact@v3 | |
if: runner.os == 'Windows' | |
with: | |
name: Rancher Desktop-win.zip | |
- if: runner.os == 'Windows' | |
shell: powershell | |
run: | | |
# Generate a test signing certificate | |
$cert = New-SelfSignedCertificate ` | |
-Type Custom ` | |
-Subject "CN=Rancher-Sandbox, C=CA" ` | |
-KeyUsage DigitalSignature ` | |
-CertStoreLocation Cert:\CurrentUser\My ` | |
-FriendlyName "Rancher-Sandbox Code Signing" ` | |
-TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3", "2.5.29.19={text}") | |
Write-Output $cert | |
$env:CSC_FINGERPRINT = $cert.Thumbprint | |
# Run the signing script | |
npm run sign -- (Get-Item "Rancher Desktop*-win.zip") | |
# Check that the msi file was signed by the expected cert | |
$usedCert = (Get-AuthenticodeSignature -FilePath 'dist\Rancher Desktop Setup*.msi').SignerCertificate | |
Write-Output $usedCert | |
if ($cert -ne $usedCert) { | |
Write-Output "Expected Certificate" $cert "Actual Certificate" $usedCert | |
Throw "Installer signed with wrong certificate" | |
} |