
[GHA MAC] Add pre-signing CI step
Use a Linux VM to fetch the list of jars to open and sign
-> Done to prevent silent hanging of the heavy macOS GitHub runner
RoiArthurB committed Apr 26, 2022
1 parent 956907d commit 7734ed6
Showing 2 changed files with 96 additions and 57 deletions.
83 changes: 26 additions & 57 deletions .github/workflows/github-travis.yml
Expand Up @@ -81,6 +81,7 @@ jobs:
# MacOS Family
mv ${{ github.workspace }}/ummisco.gama.product/target/products/Gama*zip ${{ github.workspace }}
mv ${{ github.workspace }}/travis/mac-sign.sh ${{ github.workspace }}
mv ${{ github.workspace }}/travis/what2sign.sh ${{ github.workspace }}
mv ${{ github.workspace }}/ummisco.gama.product/extraresources/installer/windows/* ${{ github.workspace }}
# Debian Family
mv Gama1.7-linux.gtk.x86_64.zip gama-platform_1.8.2-1_amd64.zip
Expand All @@ -94,6 +95,7 @@ jobs:
path: |
./Gama1.7-macosx*zip
./mac-sign.sh
./what2sign.sh
- uses: actions/upload-artifact@v2
if: env.CONTINUE == 'true'
Expand Down Expand Up @@ -131,77 +133,44 @@ jobs:
#
# MacOS signature Pipelines
#
macOS-signing-x86_64:
macOS-pre-signing:
needs: build
if: needs.build.outputs.continue_pipeline == 'true'
runs-on: macos-latest
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2

- name: Signing zip
uses: ./.github/actions/macOS-sign
- uses: actions/download-artifact@v2
with:
toSignedZipName: Gama1.7-macosx.cocoa.x86_64
IS_WITH_JDK: false
# Pass secrets
MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
MACOS_KEYCHAIN_PWD: ${{ secrets.MACOS_KEYCHAIN_PWD }}
MACOS_DEV_ID: ${{ secrets.MACOS_DEV_ID }}
NOTARY_APPLE_ID: ${{ secrets.NOTARY_APPLE_ID }}
NOTARY_PASSWORD: ${{ secrets.NOTARY_PASSWORD }}
NOTARY_TEAM_ID: ${{ secrets.NOTARY_TEAM_ID }}
macOS-signing-x86_64_withJDK:
needs: macOS-signing-x86_64
if: needs.build.outputs.continue_pipeline == 'true'
runs-on: macos-latest
steps:
- uses: actions/checkout@v2

- name: Signing zip
uses: ./.github/actions/macOS-sign
name: gama-mac-unsigned

- name: Calculate what Jar to sign
run: |
bash what2sign.sh
cat needToSign.txt
- uses: actions/upload-artifact@v2
if: env.CONTINUE == 'true'
with:
toSignedZipName: Gama1.7-macosx.cocoa.x86_64_withJDK
IS_WITH_JDK: true
# Pass secrets
MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
MACOS_KEYCHAIN_PWD: ${{ secrets.MACOS_KEYCHAIN_PWD }}
MACOS_DEV_ID: ${{ secrets.MACOS_DEV_ID }}
NOTARY_APPLE_ID: ${{ secrets.NOTARY_APPLE_ID }}
NOTARY_PASSWORD: ${{ secrets.NOTARY_PASSWORD }}
NOTARY_TEAM_ID: ${{ secrets.NOTARY_TEAM_ID }}
name: gama-mac-what2sign
path: |
./needToSign.txt
macOS-signing-aarch64:
needs: macOS-signing-x86_64_withJDK
runs-on: macos-latest
macOS-signing:
needs: macOS-pre-signing
runs-on: macos-latest
strategy:
matrix:
zipName: [Gama1.7-macosx.cocoa.x86_64, Gama1.7-macosx.cocoa.x86_64_withJDK, Gama1.7-macosx.cocoa.aarch64, Gama1.7-macosx.cocoa.aarch64_withJDK]
steps:
- uses: actions/checkout@v2

- name: Signing zip
uses: ./.github/actions/macOS-sign
- uses: actions/download-artifact@v2
with:
toSignedZipName: Gama1.7-macosx.cocoa.aarch64
IS_WITH_JDK: false
# Pass secrets
MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
MACOS_KEYCHAIN_PWD: ${{ secrets.MACOS_KEYCHAIN_PWD }}
MACOS_DEV_ID: ${{ secrets.MACOS_DEV_ID }}
NOTARY_APPLE_ID: ${{ secrets.NOTARY_APPLE_ID }}
NOTARY_PASSWORD: ${{ secrets.NOTARY_PASSWORD }}
NOTARY_TEAM_ID: ${{ secrets.NOTARY_TEAM_ID }}
macOS-signing-aarch64_withJDK:
needs: macOS-signing-aarch64
runs-on: macos-latest
steps:
- uses: actions/checkout@v2
name: gama-mac-what2sign

- name: Signing zip
uses: ./.github/actions/macOS-sign
with:
toSignedZipName: Gama1.7-macosx.cocoa.aarch64_withJDK
IS_WITH_JDK: true
toSignedZipName: ${{ matrix.zipName }}
# Pass secrets
MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
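Review bot: The upload step in `macOS-pre-signing` is guarded by `if: env.CONTINUE == 'true'`, but `CONTINUE` is not defined anywhere in this job; if it is only exported through `$GITHUB_ENV` inside the `build` job (not visible in this hunk), job-level env does not cross job boundaries and the `gama-mac-what2sign` artifact would be silently skipped, leaving the downstream `macOS-signing` matrix without `needToSign.txt`. Since the job is already gated by `needs.build.outputs.continue_pipeline == 'true'`, the step-level condition is redundant; drop it, or replace it with `if: needs.build.outputs.continue_pipeline == 'true'` so the gate is explicit and job-independent. Separately, the four-entry `zipName` matrix written on one flow-style line would read and diff better as a block sequence, one zip name per line. The `with:` block of the `macOS-signing` job continues past the end of the hunk.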
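--- /dev/null
+++ b/travis/what2sign.sh
@@ -0,0 +1,70 @@
+#!/bin/bash
+
+#
+# Generate list of jars containings .so\|.dylib\|.jnilib to sign for MacOS release
+# Can automatically parse 4 releases at once
+#
+
+haveLib=false
+
+function getJarToCheck(){
+find "$1" -name "*.jar" > currentAppJar.txt
+
+# Remove already checked lines
+grep -v -x -f alreadySawJar.txt currentAppJar.txt > tmp.txt
+cat tmp.txt > currentAppJar.txt && rm tmp.txt
+
+cat currentAppJar.txt >> alreadySawJar.txt
+}
+
+function haveSomethingToSign(){
+if [ $(jar tf "$1" | grep '\.so\|\.dylib\|\.jnilib' | wc -l) -gt 0 ]; then
+# 0 = true
+return 0
+else
+return 1
+fi
+}
+
+function parseApp(){
+getJarToCheck "$1"
+
+while read f
+do
+if haveSomethingToSign "$f"; then
+echo "Need to sign $f"
+echo $f >> needToSign.txt
+else
+if [ $(jar tf "$f" | grep '\.jar' | wc -l) -gt 0 ]; then
+jar tf "$f" | grep '\.jar' > nestedJar.txt
+while read j
+do
+echo "Check in $j nested in $f"
+jar xf "$f" "$j"
+if haveSomethingToSign "$j"; then
+echo "Need to sign $j nested in $f"
+echo $f >> needToSign.txt
+fi
+done < nestedJar.txt
+fi
+fi
+
+done < currentAppJar.txt
+}
+
+function unzipAndParse(){
+echo "Unzipping $1 ..."
+unzip -q "$1"
+parseApp "./Gama.app"
+find . -maxdepth 1 -type d -exec rm -fr {} \;
+}
+
+
+touch alreadySawJar.txt needToSign.txt currentAppJar.txt nestedJar.txt
+for gama in ./Gama**zip; do
+unzipAndParse $gama
+done
+
+# Remove duplicated lines
+awk '!a[$0]++' needToSign.txt > tmp.txt
+cat tmp.txt > needToSign.txt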
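Review bot: The cleanup in `unzipAndParse`, `find . -maxdepth 1 -type d -exec rm -fr {} \;`, removes every top-level directory in the working directory rather than only the unpacked `Gama.app`; in the workflow this script runs in the workspace after `actions/checkout` and `download-artifact`, so it would also wipe the checked-out repository directories, and `.` itself is matched (rm refuses it, but with an error on every iteration). Restrict the cleanup to what the script created, e.g. `rm -fr ./Gama.app`, or unzip each archive into a `mktemp -d` directory and remove that directory afterwards. The script also has no `set -e` / `set -o pipefail`, so a failed `unzip` or `jar` call silently produces an incomplete `needToSign.txt` that the signing job then trusts as the full list; `echo $f >> needToSign.txt` should also quote `"$f"`, and `haveLib=false` is never read. The header comment could state the contract the consumer relies on, e.g. `# Output: needToSign.txt, one jar path per line (paths start with ./Gama.app/), deduplicated`.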
