feat(ci): move to GitHub Actions

[lidel]

TLDR

The main value added here:

• secrets stay on github, easier to reason about security
• easier QA and release confidence: every commit produces production ready binaries for every supported platform that we can grab and run instead of building PR locally

This PR

• Fixes the CI error on Windows during signing – was (not) fun – details in feat(ci): move to GitHub Actions #1657 (comment)
• Migrates our CI/CD setup to a single GitHub Action
• Removes Travis and Appveyor configuration
• This is first time I work with Github Actions – feedback is really appreciated 🙏

Workflow highlights

• the same pipeline runs on macOS, Linux and Windows
• triggered by push and pull_request events
  • we test original commit as-is + check how target branch would behave after PR is merged
• secrets
  • signing for windows and mac, and notarization for mac
  • exposed only when PR was created by Collaborator and disabled for forks
  • this means we still run tests and build binaries for PRs from contributors, the only difference is those are not signed/notarized
• workflow has two stages:
  • test
    • runs lint, unit tests and end-to-end tests with spectron (linux uses xvfb)
  • build
    • starts only if tests are green
      • this is important speedup, because build for linux takes time (we have many package types), and this way we immediatelly see failing tests on linux (without waiting 20 minutes)
    • runs electron-build pipeline and produces packages for specific platform
    • produced packages
      • are attached to GithHub Action and can be downloaded for inspection / testing
        • see example here (links to dist...zip archives)
      • if build occurred on a tag (v0.13) then artifacts are also uploaded and attached to release draft on GitHub
        • this means there is no change to the way we do releases and checklist remains the same
• caching
  • downloads done by npm, electron and electron-builder are cached under key based on OS and hash(package.json, package-lock.json and electron-builder.yml), which saves around a minute per job

cc #1263 #789

[lidel]

PSA: I am getting flashbacks of the usual MS Windows SNAFU. I am going to test doing windows build on Github Actions to see if its Appveyor-specific issue.

Ref. https://github.com/samuelmeuli/action-electron-builder

[lidel]

I'll have to do local tests via nektos/act before this is ready.
Nope, it requires windows box. I'll test in this PR instead.

🕳️ 🐇

[lidel]

💚 Good news: Github Action works fine, so we can drop Appveyor
💔 Bad news: we have the same error as on Appveyor 🙃

SignTool Error: The file is being used by another process.
SignTool Error: An error occurred while attempting to sign: D:\a\ipfs-desktop\ipfs-desktop\dist\win-unpacked\resources\app.asar.unpacked\node_modules\go-ipfs\bin\ipfs.exe

  stackTrace=
Error: Exit code: 1. Command failed: C:\Users\runneradmin\AppData\Local\electron-builder\Cache\winCodeSign\winCodeSign-2.6.0\windows-10\x64\signtool.exe sign /t http://timestamp.digicert.com /f C:\Users\RUNNER~1\AppData\Local\Temp\t-T5G40O\0.p12 /d IPFS Desktop /du ipfs-shipyard/ipfs-desktop /p fd63d34e656e0ee0396638165d2f35ed4c8aeab428560f4a83cc90b737c6ea71 (sha256 hash) /debug D:\a\ipfs-desktop\ipfs-desktop\dist\win-unpacked\resources\app.asar.unpacked\node_modules\go-ipfs\bin\ipfs.exe

SignTool Error: The file is being used by another process.

Suspects to check:

• build step (webui over ipfs for some reason?)
• test step (lack of cleanup keeping lock on ipfs.exe?)
• node version
• electron-builder version
• stale binaries
• ipfs binary being utilized by ipfs-or-gateway (it says "Fetching from IPFS" instead of "HTTP
  -- I don't expect ipfs to be running)
• 👉 double signing due to node_modules/go-ipfs/bin/ipfs being symlink to node_modules/go-ipfs/go-ipfs/ipfs
  • This was the reason. I hate this.

[lidel]

Fixed Windows signing

Good news: I've found and fixed the problem with signing.

The problem was caused by clash of:

• the fact that every .exe bundled with Electron app is signed
• our switch from go-ipfs-dep to go-ipfs, which introduced symlink in bin/ directory
• how symlinks are represented when unpacked on MS Windows filesystem

That is why signing node_modules\go-ipfs\go-ipfs\ipfs.exe worked
but node_modules\go-ipfs\bin\ipfs.exe caused the problem.

Removing node_modules\go-ipfs\bin before packaging removes file locking issue.

  •   Signing NSIS uninstaller  file=dist\__uninstaller-nsis-ipfs-desktop.exe certificateFile=C:\Users\RUNNER~1\AppData\Local\Temp\t-j1v0tw\0.p12
  • signing         file=dist\IPFS Desktop Setup 0.12.3.exe certificateFile=C:\Users\RUNNER~1\AppData\Local\Temp\t-j1v0tw\0.p12
  • building block map  blockMapFile=dist\IPFS Desktop Setup 0.12.3.exe.blockmap
  • publishing      publisher=Github (owner: ipfs-shipyard, project: ipfs-desktop, version: 0.12.3)
  • uploading       file=IPFS-Desktop-Setup-0.12.3.exe.blockmap provider=GitHub
  • uploading       file=IPFS-Desktop-Setup-0.12.3.exe provider=GitHub
  • overwrite published file  file=IPFS-Desktop-Setup-0.12.3.exe.blockmap reason=already exists on GitHub
  • overwrite published file  file=IPFS-Desktop-Setup-0.12.3.exe reason=already exists on GitHub
  • overwrite published file  file=latest.yml reason=already exists on GitHub

Next: move everything to Github Action

Need todouble check if

While debugging the issue I've created Github Action setup (to confirm its Window issue, not AppVeyor), and it could also replace Travis for macOS and Linux, so I'm removing AppVeyor for building Windows binaries in this PR.

@rafaelramalho19 @jessicaschilling
The Action I created is easy to extend for supporting macOS and Linux, so I'll try to spend some time on Thursday to push this over the finish line, migrate secrets to github, and then do test release with new setup without Travis.

I'll timebox it to one day to avoid 🕳️ 🐇, if this takes too much time, we can keep Travis for macOS and Linux, just to unblock the release.

[lidel]

Ok, this is ready for review.

@rafaelramalho19 I migrated secrets and based on the lack of fireworks I believe CI correctly signs Windows and macOS binaries, but would like second set of eyes to confirm by dowloading .zip with package for respective platform and smoke-testing Windows/macOS artifacts attached to this run: https://github.com/ipfs-shipyard/ipfs-desktop/actions/runs/283172385

• is .exe for Windows signed? dist-windows-latest.zip
• is .dmg for macOS signed and notarized? dist-macos-latest.zip (aka "no security error" on run)

[jessicaschilling]

Downloaded from here, unzipped, got this

... and successfully launched upon clicking "Open".

[aschmahmann]

@lidel seems to be working fine on Windows and looks signed (SHA1 and SHA256 with Protocol Labs as the signer). Perhaps unrelated to this PR there is a file IPFS Desktop Setup 0.12.3.exe.blockmap inside the zip next to the exe. What's this for?

[hacdias]

I must say I'm happy we can ditch Appveyor and Travis and put everything together in GitHub actions. Everything looks fine for me! Thanks @lidel

[olizilla]

Why lint so late? is deliberate? could go before build to fail fast on trivial errors?

[lidel]

I think it may be just my personal preference: I find it more friendly to do linting later,
that way we see that contributed PR passes tests and only need linting fixes (which could be trivial), which makes it easier to evaluate contribution.

[olizilla]

Nice! so fast we dont need th special case!

[olizilla]

it is so clear, i love it! 🏆 ✨

[rafaelramalho19]

[rafaelramalho19]

Maybe we should keep that version on package.json under dev deps? Would make it easier to maintain in the future perhaps?

[lidel]

This is the version of github action, internally it will use the version of electron-builder we have in package.json. I don't expect the action to be updated unless there is a breaking-change release of electron-builder that we want to switch to.

ps. I've hardened setup and those third party actions are safelisted in https://github.com/ipfs-shipyard/ipfs-desktop/settings/actions, everything else is blocked. So even if someone sneaks different version in a PR, it won't work.

[lidel]

Thank you all for help with reviews and testing ✅

I'm going to merge this and start release dance, create release draft, but will wait with publishing Desktop release until Monday, because I'll be AFK this weekend and in my past life I've learned that shipping to production on Friday is not the best idea 🙈 It will also give us weekend and Monday to smoke-test final binaries.

Perhaps unrelated to this PR there is a file IPFS Desktop Setup 0.12.3.exe.blockmap inside the zip next to the exe. What's this for?

@aschmahmann iiuc when published next to binaries it will be used by autoupdate mechanism for partial / differential updates, to shrink the update payload size.