From 778e4c971077e38bf8f7d03b8b299d3dd111ba22 Mon Sep 17 00:00:00 2001 From: Matt Mastracci Date: Thu, 23 Nov 2023 15:30:26 -0700 Subject: chore: start codesigning mac release builds (#21303) - Adds a codesigning step to all mac targets - Adds a new ci-full label to the build to force aarch64 builds on any PR --- .github/workflows/ci.yml | 33 +++++++++++++++++++++++---------- 1 file changed, 23 insertions(+), 10 deletions(-) (limited to '.github/workflows/ci.yml') diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2a88523cb..dfc037116 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -60,14 +60,14 @@ jobs: - os: macos-12 job: test profile: release - skip: '${{ github.event_name == ''pull_request'' }}' - runner: '${{ (github.event_name == ''pull_request'') && ''ubuntu-22.04'' || ''macos-12'' }}' + skip: '${{ !contains(github.event.pull_request.labels.*.name, ''ci-full'') && (github.event_name == ''pull_request'') }}' + runner: '${{ (!contains(github.event.pull_request.labels.*.name, ''ci-full'') && (github.event_name == ''pull_request'')) && ''ubuntu-22.04'' || ''macos-12'' }}' os_display_name: macos-x86_64 - os: macos-13-xlarge job: test profile: release - skip: '${{ github.event_name == ''pull_request'' || github.ref == ''refs/heads/main'' }}' - runner: '${{ (github.event_name == ''pull_request'' || github.ref == ''refs/heads/main'') && ''ubuntu-22.04'' || ''macos-13-xlarge'' }}' + skip: '${{ !contains(github.event.pull_request.labels.*.name, ''ci-full'') && (github.event_name == ''pull_request'' || github.ref == ''refs/heads/main'') }}' + runner: '${{ (!contains(github.event.pull_request.labels.*.name, ''ci-full'') && (github.event_name == ''pull_request'' || github.ref == ''refs/heads/main'')) && ''ubuntu-22.04'' || ''macos-13-xlarge'' }}' os_display_name: macos-aarch64 - os: windows-2022 job: test 
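Review bot: Adding the `ci-full` override to `skip`/`runner` here means the macOS release jobs now run on labelled pull requests, and the `Pre-release (mac …)` steps changed later in this commit show no event check in the visible part of their `if`. On a pull request from a fork the `APPLE_CODESIGN_*` secrets would be empty and the signing command would presumably fail; on a same-repository branch the release identity would sign a binary built from unreviewed PR code. Consider gating the signing lines on `github.event_name != 'pull_request'`, or skipping them when the key is empty. The label also stays on the PR across later pushes, so every new commit keeps running the full matrix on the larger runners; a comment beside the expression saying who is expected to apply `ci-full` would help. The hunks at -76/+76 and -89/+89 repeat the same expression.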
@@ -76,8 +76,8 @@ jobs: - os: '${{ github.repository == ''denoland/deno'' && ''windows-2022-xl'' || ''windows-2022'' }}' job: test profile: release - skip: '${{ github.event_name == ''pull_request'' }}' - runner: '${{ (github.event_name == ''pull_request'') && ''ubuntu-22.04'' || github.repository == ''denoland/deno'' && ''windows-2022-xl'' || ''windows-2022'' }}' + skip: '${{ !contains(github.event.pull_request.labels.*.name, ''ci-full'') && (github.event_name == ''pull_request'') }}' + runner: '${{ (!contains(github.event.pull_request.labels.*.name, ''ci-full'') && (github.event_name == ''pull_request'')) && ''ubuntu-22.04'' || github.repository == ''denoland/deno'' && ''windows-2022-xl'' || ''windows-2022'' }}' os_display_name: windows-x86_64 - os: '${{ github.repository == ''denoland/deno'' && ''ubuntu-22.04-xl'' || ''ubuntu-22.04'' }}' job: test @@ -89,8 +89,8 @@ jobs: job: bench profile: release use_sysroot: true - skip: '${{ github.event_name == ''pull_request'' && !contains(github.event.pull_request.labels.*.name, ''ci-bench'') }}' - runner: '${{ (github.event_name == ''pull_request'' && !contains(github.event.pull_request.labels.*.name, ''ci-bench'')) && ''ubuntu-22.04'' || github.repository == ''denoland/deno'' && ''ubuntu-22.04-xl'' || ''ubuntu-22.04'' }}' + skip: '${{ !contains(github.event.pull_request.labels.*.name, ''ci-full'') && (github.event_name == ''pull_request'' && !contains(github.event.pull_request.labels.*.name, ''ci-bench'')) }}' + runner: '${{ (!contains(github.event.pull_request.labels.*.name, ''ci-full'') && (github.event_name == ''pull_request'' && !contains(github.event.pull_request.labels.*.name, ''ci-bench''))) && ''ubuntu-22.04'' || github.repository == ''denoland/deno'' && ''ubuntu-22.04-xl'' || ''ubuntu-22.04'' }}' os_display_name: ubuntu-x86_64 - os: ubuntu-22.04 job: test 
@@ -301,10 +301,13 @@ jobs: CFLAGS=-flto=thin --sysroot=/sysroot __0 - name: Install aarch64 lld + run: ./tools/install_prebuilt.js ld64.lld + if: '!(matrix.skip) && (matrix.os == ''macos-13-xlarge'')' + - name: Install rust-codesign run: |- - ./tools/install_prebuilt.js ld64.lld + ./tools/install_prebuilt.js rcodesign echo $GITHUB_WORKSPACE/third_party/prebuilt/mac >> $GITHUB_PATH - if: '!(matrix.skip) && (matrix.os == ''macos-13-xlarge'')' + if: '!(matrix.skip) && ((matrix.os == ''macos-13-xlarge'' || matrix.os == ''macos-12''))' - name: Log versions run: |- python --version @@ -403,7 +406,12 @@ jobs: matrix.job == 'test' && matrix.profile == 'release' && github.repository == 'denoland/deno') + env: + APPLE_CODESIGN_KEY: '${{ secrets.APPLE_CODESIGN_KEY }}' + APPLE_CODESIGN_PASSWORD: '${{ secrets.APPLE_CODESIGN_PASSWORD }}' run: |- + echo "Key is $(echo $APPLE_CODESIGN_KEY | base64 -d | wc -c) bytes" + rcodesign sign target/release/deno --code-signature-flags=runtime --p12-password="$APPLE_CODESIGN_PASSWORD" --p12-file=<(echo $APPLE_CODESIGN_KEY | base64 -d) --entitlements-xml-file=cli/entitlements.plist cd target/release zip -r deno-x86_64-apple-darwin.zip deno - name: Pre-release (mac aarch64) @@ -412,7 +420,12 @@ jobs: matrix.job == 'test' && matrix.profile == 'release' && github.repository == 'denoland/deno') + env: + APPLE_CODESIGN_KEY: '${{ secrets.APPLE_CODESIGN_KEY }}' + APPLE_CODESIGN_PASSWORD: '${{ secrets.APPLE_CODESIGN_PASSWORD }}' run: |- + echo "Key is $(echo $APPLE_CODESIGN_KEY | base64 -d | wc -c) bytes" + rcodesign sign target/release/deno --code-signature-flags=runtime --p12-password="$APPLE_CODESIGN_PASSWORD" --p12-file=<(echo $APPLE_CODESIGN_KEY | base64 -d) --entitlements-xml-file=cli/entitlements.plist cd target/release zip -r deno-aarch64-apple-darwin.zip deno - name: Pre-release (windows) -- cgit v1.2.3
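Review bot: The `Install rust-codesign` step puts a prebuilt `rcodesign` on PATH that later receives the P12 key and its password, and nothing in this hunk shows the download being checked against a pinned digest. If `tools/install_prebuilt.js` does not already verify a hash, that check belongs there before this binary handles signing material. The `$GITHUB_PATH` export that the lld step used to own now lives only in this step, so `ld64.lld` depends on it running; a comment such as `# also exposes ld64.lld from the prebuilt dir` would record that coupling. The path is better quoted as well, `echo "$GITHUB_WORKSPACE/third_party/prebuilt/mac" >> "$GITHUB_PATH"`.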
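Review bot: The signing command passes the P12 password as `--p12-password="$APPLE_CODESIGN_PASSWORD"`, which places it in the process argument list for the whole signing run. `rcodesign` can read the password from a file with `--p12-password-file`, which keeps it out of argv. The `echo "Key is … bytes"` line is debug output that prints the key length into every release log; drop it, or turn it into a check that fails the step when the decoded key is empty, since a failure inside `<(… | base64 -d)` is not propagated to the step. `$APPLE_CODESIGN_KEY` should be quoted in both places it is expanded. The same lines are repeated in the aarch64 step at -412/+420, and both steps' `if` conditions begin outside the hunk.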