Skip to content

Commit

Permalink
pare down windows
Browse files Browse the repository at this point in the history
  • Loading branch information
ldennington committed Oct 27, 2023
1 parent 4c7a142 commit 0bedba0
Showing 1 changed file with 27 additions and 252 deletions.
279 changes: 27 additions & 252 deletions .github/workflows/windows-test.yml
Original file line number Diff line number Diff line change
@@ -1,9 +1,5 @@
name: build-git-installers

permissions:
id-token: write
contents: write

on:
push:
tags:
Expand Down Expand Up @@ -75,6 +71,23 @@ jobs:
with:
flavor: build-installers

- name: Run tmate
shell: bash
run: |
# install tmate
pacman -Sy --noconfirm tmate openssh &&
# Generate an SSH key (needed for tmate)
echo -e 'y\n' | ssh-keygen -q -t rsa -N '' -f ~/.ssh/id_rsa &&
# Start tmate session
export CHERE_INVOKING=1 &&
tmate -S /tmp/tmate.sock -a ~/.ssh/authorized_keys new-session -d &&
tmate -S /tmp/tmate.sock wait tmate-ready &&
# Print SSH invocation every 5 seconds, until tmate session has terminated
tmate -S /tmp/tmate.sock display -p '#{tmate_ssh}'
- name: Clone build-extra
shell: bash
run: |
Expand All @@ -100,52 +113,7 @@ jobs:
- name: Configure Azure Code Signing
shell: bash
run: |
git config alias.signtool '!f() { printf "%s\n" "$@" >./catalog && /c/Windows/System32/WindowsPowerShell/v1.0/powershell -command "Invoke-AzureCodeSigning -Endpoint https://wus2.codesigning.azure.net/ -CodeSigningAccountName git-fundamentals-signing -CertificateProfileName git-fundamentals-windows-signing -FilesCatalog ./catalog -FileDigest SHA256 -TimestampRfc3161 http://timestamp.acs.microsoft.com -TimestampDigest SHA256"; };f'
- name: Prepare for GPG signing
env:
AZURE_VAULT: ${{ secrets.AZURE_VAULT }}
GPG_KEY_SECRET_NAME: ${{ secrets.GPG_KEY_SECRET_NAME }}
GPG_PASSPHRASE_SECRET_NAME: ${{ secrets.GPG_PASSPHRASE_SECRET_NAME }}
GPG_KEYGRIP_SECRET_NAME: ${{ secrets.GPG_KEYGRIP_SECRET_NAME }}
shell: bash
run: |
# Download GPG key, passphrase, and keygrip from Azure Key Vault
key=$(az keyvault secret show --name $GPG_KEY_SECRET_NAME --vault-name $AZURE_VAULT --query "value")
passphrase=$(az keyvault secret show --name $GPG_PASSPHRASE_SECRET_NAME --vault-name $AZURE_VAULT --query "value")
keygrip=$(az keyvault secret show --name $GPG_KEYGRIP_SECRET_NAME --vault-name $AZURE_VAULT --query "value")
# Remove quotes from downloaded values
key=$(sed -e 's/^"//' -e 's/"$//' <<<"$key")
passphrase=$(sed -e 's/^"//' -e 's/"$//' <<<"$passphrase")
keygrip=$(sed -e 's/^"//' -e 's/"$//' <<<"$keygrip")
# Import GPG key
echo "$key" | base64 -d | gpg $GPG_OPTIONS --import
# Configure GPG
echo "allow-preset-passphrase" > ~/.gnupg/gpg-agent.conf
gpg-connect-agent RELOADAGENT /bye
gpg-connect-agent 'PRESET_PASSPHRASE "$keygrip" -1 "$passphrase"' /bye
- name: Prepare home directory for GPG signing
if: env.GPG_FINGERPRINT_SECRET_NAME != ''
shell: bash
run: |
# This section ensures that the identity for the GPG key matches the git user identity, otherwise
# signing will fail
# Get GPG key fingerprint from Azure Key Vault
GPGKEY=$(az keyvault secret show --name "$GPG_FINGERPRINT_SECRET_NAME" \
--vault-name "$AZURE_VAULT" --query "value" \
| sed -e 's/^"//' -e 's/"$//')
info="$(gpg --list-keys --with-colons "${GPGKEY%% *}" | cut -d : -f 1,10 | sed -n '/^uid/{s|uid:||p;q}')" &&
git config --global user.name "${info% <*}" &&
git config --global user.email "<${info#*<}"
env:
AZURE_VAULT: ${{ secrets.AZURE_VAULT }}
GPG_FINGERPRINT_SECRET_NAME: ${{secrets.GPG_FINGERPRINT_SECRET_NAME}}
git config alias.signtool '!f() { printf "%s\n" "$@" >./catalog && cat ./catalog && /c/Windows/System32/WindowsPowerShell/v1.0/powershell -command "Invoke-AzureCodeSigning -Endpoint https://wus2.codesigning.azure.net/ -CodeSigningAccountName git-fundamentals-signing -CertificateProfileName git-fundamentals-windows-signing -FilesCatalog ./catalog -FileDigest SHA256 -TimestampRfc3161 http://timestamp.acs.microsoft.com -TimestampDigest SHA256"; };f'
- name: Build mingw-w64-x86_64-git
env:
Expand All @@ -170,210 +138,17 @@ jobs:
# Install Azure Code Signing Module
/c/Windows/System32/WindowsPowerShell/v1.0/powershell -command "Install-Module -Name AzureCodeSigning -RequiredVersion 0.2.24 -Force -Repository PSGallery"
cp /mingw64/bin/git.exe ./g.exe && git signtool g.exe
sh -x /usr/src/build-extra/please.sh build-mingw-w64-git --only-64-bit --build-src-pkg -o artifacts HEAD
- name: Sign tarballs with GPG
shell: bash
run: |
if test -n "$GPGKEY"
then
for tar in artifacts/*.tar*
do
/usr/src/build-extra/gnupg-with-gpgkey.sh --detach-sign --no-armor $tar
done
fi &&
b=$PWD/artifacts &&
version=${{ needs.prereqs.outputs.tag_name }} &&
(cd /usr/src/MINGW-packages/mingw-w64-git &&
cp PKGBUILD.$version PKGBUILD &&
git commit -s -m "mingw-w64-git: new version ($version)" PKGBUILD &&
git bundle create "$b"/MINGW-packages.bundle origin/main..main)
- name: action-tmate
if: failure()
uses: mxschmitt/action-tmate@v3

- name: Publish mingw-w64-x86_64-git
uses: actions/upload-artifact@v3
with:
name: pkg-x86_64
path: artifacts

create-windows-artifacts:
runs-on: windows-2019
environment: release
needs: [prereqs, windows_pkg]
env:
HOME: "${{github.workspace}}\\home"
strategy:
matrix:
artifact:
- name: installer
fileprefix: Git
- name: portable
fileprefix: PortableGit
fail-fast: false
steps:
- name: Download pkg-x86_64
uses: actions/download-artifact@v3
with:
name: pkg-x86_64
path: pkg-x86_64

- uses: git-for-windows/setup-git-for-windows-sdk@v1
with:
flavor: build-installers

- name: Clone build-extra
shell: bash
run: |
git clone --filter=blob:none --single-branch -b main https://github.com/git-for-windows/build-extra /usr/src/build-extra
- name: Retarget auto-update to microsoft/git
- name: wait for tmate to be done
if: always()
shell: bash
run: |
set -x
b=/usr/src/build-extra &&
filename=$b/git-update-git-for-windows.config
tr % '\t' >$filename <<-\EOF &&
[update]
%fromFork = microsoft/git
EOF
sed -i -e '/^#include "file-list.iss"/a\
Source: {#SourcePath}\\..\\git-update-git-for-windows.config; DestDir: {app}\\mingw64\\bin; Flags: replacesameversion; AfterInstall: DeleteFromVirtualStore' \
-e '/^Type: dirifempty; Name: {app}\\{#MINGW_BITNESS}$/i\
Type: files; Name: {app}\\{#MINGW_BITNESS}\\bin\\git-update-git-for-windows.config\
Type: dirifempty; Name: {app}\\{#MINGW_BITNESS}\\bin' \
$b/installer/install.iss
- name: Set alerts to continue until upgrade is taken
shell: bash
run: |
set -x
b=/mingw64/bin &&
sed -i -e '6 a use_recently_seen=no' \
$b/git-update-git-for-windows
- name: Set the installer Publisher to the Git Fundamentals team
shell: bash
run: |
b=/usr/src/build-extra &&
sed -i -e 's/^\(AppPublisher=\).*/\1The Git Fundamentals Team at GitHub/' $b/installer/install.iss
- name: Let the installer configure Visual Studio to use the installed Git
shell: bash
run: |
set -x
b=/usr/src/build-extra &&
sed -i -e '/^ *InstallAutoUpdater();$/a\
CustomPostInstall();' \
-e '/^ *UninstallAutoUpdater();$/a\
CustomPostUninstall();' \
$b/installer/install.iss &&
cat >>$b/installer/helpers.inc.iss <<\EOF
procedure CustomPostInstall();
begin
if not RegWriteStringValue(HKEY_CURRENT_USER,'Software\Microsoft\VSCommon\15.0\TeamFoundation\GitSourceControl','GitPath',ExpandConstant('{app}')) or
not RegWriteStringValue(HKEY_CURRENT_USER,'Software\Microsoft\VSCommon\16.0\TeamFoundation\GitSourceControl','GitPath',ExpandConstant('{app}')) or
not RegWriteStringValue(HKEY_CURRENT_USER,'Software\Microsoft\VSCommon\17.0\TeamFoundation\GitSourceControl','GitPath',ExpandConstant('{app}')) or
not RegWriteStringValue(HKEY_CURRENT_USER,'Software\Microsoft\VSCommon\18.0\TeamFoundation\GitSourceControl','GitPath',ExpandConstant('{app}')) or
not RegWriteStringValue(HKEY_CURRENT_USER,'Software\Microsoft\VSCommon\19.0\TeamFoundation\GitSourceControl','GitPath',ExpandConstant('{app}')) or
not RegWriteStringValue(HKEY_CURRENT_USER,'Software\Microsoft\VSCommon\20.0\TeamFoundation\GitSourceControl','GitPath',ExpandConstant('{app}')) then
LogError('Could not register TeamFoundation\GitSourceControl');
end;
procedure CustomPostUninstall();
begin
if not RegDeleteValue(HKEY_CURRENT_USER,'Software\Microsoft\VSCommon\15.0\TeamFoundation\GitSourceControl','GitPath') or
not RegDeleteValue(HKEY_CURRENT_USER,'Software\Microsoft\VSCommon\16.0\TeamFoundation\GitSourceControl','GitPath') or
not RegDeleteValue(HKEY_CURRENT_USER,'Software\Microsoft\VSCommon\17.0\TeamFoundation\GitSourceControl','GitPath') or
not RegDeleteValue(HKEY_CURRENT_USER,'Software\Microsoft\VSCommon\18.0\TeamFoundation\GitSourceControl','GitPath') or
not RegDeleteValue(HKEY_CURRENT_USER,'Software\Microsoft\VSCommon\19.0\TeamFoundation\GitSourceControl','GitPath') or
not RegDeleteValue(HKEY_CURRENT_USER,'Software\Microsoft\VSCommon\20.0\TeamFoundation\GitSourceControl','GitPath') then
LogError('Could not register TeamFoundation\GitSourceControl');
end;
EOF
- name: Enable Scalar/C and the auto-updater in the installer by default
shell: bash
run: |
set -x
b=/usr/src/build-extra &&
sed -i -e "/ChosenOptions:=''/a\\
if (ExpandConstant('{param:components|/}')='/') then begin\n\
WizardSelectComponents('autoupdate');\n\
#ifdef WITH_SCALAR\n\
WizardSelectComponents('scalar');\n\
#endif\n\
end;" $b/installer/install.iss
- name: Build 64-bit ${{matrix.artifact.name}}
shell: bash
run: |
set -x
# Copy the PDB archive to the directory where `--include-pdbs` expects it
b=/usr/src/build-extra &&
mkdir -p $b/cached-source-packages &&
cp pkg-x86_64/*-pdb* $b/cached-source-packages/ &&
# Build the installer, embedding PDBs
eval $b/please.sh make_installers_from_mingw_w64_git --include-pdbs \
--version=${{ needs.prereqs.outputs.tag_version }} \
-o artifacts --${{matrix.artifact.name}} \
--pkg=pkg-x86_64/mingw-w64-x86_64-git-[0-9]*.tar.xz \
--pkg=pkg-x86_64/mingw-w64-x86_64-git-doc-html-[0-9]*.tar.xz &&
if test portable = '${{matrix.artifact.name}}' && test -n "$(git config alias.signtool)"
then
git signtool artifacts/PortableGit-*.exe
fi &&
openssl dgst -sha256 artifacts/${{matrix.artifact.fileprefix}}-*.exe | sed "s/.* //" >artifacts/sha-256.txt
- name: Log into Azure
uses: azure/login@v1
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}

- name: Install Azure Code Signing Module
shell: pwsh
run: |
Install-Module -Name AzureCodeSigning -RequiredVersion 0.2.24 -Force `
-Repository PSGallery
- name: Sign installers with Azure Code Signing
uses: azure/azure-code-signing-action@v0.2.21
with:
endpoint: https://wus2.codesigning.azure.net/
code-signing-account-name: git-fundamentals-signing
certificate-profile-name: git-fundamentals-windows-signing
files-folder: ${{ github.workspace }}\artifacts
files-folder-filter: exe
file-digest: SHA256
timestamp-rfc3161: http://timestamp.acs.microsoft.com
timestamp-digest: SHA256

- name: Verify that .exe files are code-signed
shell: bash
run: |
PATH=$PATH:"/c/Program Files (x86)/Windows Kits/10/App Certification Kit/" \
signtool verify //pa artifacts/${{matrix.artifact.fileprefix}}-*.exe
- name: Publish ${{matrix.artifact.name}}-x86_64
uses: actions/upload-artifact@v3
with:
name: win-${{matrix.artifact.name}}-x86_64
path: artifacts
PATH=$HOME/bin:$PATH
while test -e /tmp/tmate.sock
do
tmate -S /tmp/tmate.sock display -p '#{tmate_ssh}'
sleep 5
done
# End build Windows installers

0 comments on commit 0bedba0

Please sign in to comment.