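---
# Build, sign (darwin only), upload and announce an ABQ release.
#
# Triggered either manually (workflow_dispatch, v1 channel) or from another
# workflow (workflow_call, unstable channel). Each matrix leg builds one
# os/architecture pair, pushes the resulting binaries to the development,
# staging and production S3 buckets in that order, and the two notify jobs
# then tell the staging and production APIs about the new version.
#
# NOTE(review): the third-party actions below are referenced by mutable tags
# or a branch (`actions/checkout@v3`, `actions/[email protected]`,
# `rwx-research/rust-toolchain@abq`). For a pipeline that signs and publishes
# release binaries, pin them to full commit SHAs -- as the aarch64 container
# image already is, by digest -- so an upstream tag move cannot change what runs.
name: Build and Upload

on:  # yamllint disable-line rule:truthy
  # for manual release on the v1 release channel
  workflow_dispatch:
    inputs:
      ref:
        description: 'ref to build'
        required: true
        type: string
      release_channel:
        description: 'release channel'
        required: true
        type: choice
        options:
          - "v1"
          - "unstable"
  # for automatic release from main on the unstable release channel
  workflow_call:
    inputs:
      ref:
        description: 'ref to build'
        required: true
        type: string
      release_channel:
        description: 'release channel'
        required: true
        type: string
    secrets:
      RWX_STAGING_CREATE_RELEASE_ACCESS_TOKEN:
        required: true
      RWX_PRODUCTION_CREATE_RELEASE_ACCESS_TOKEN:
        required: true
      AWS_S3_ABQ_RELEASES_DEVELOPMENT_ACCESS_KEY_ID:
        required: true
      AWS_S3_ABQ_RELEASES_DEVELOPMENT_SECRET_ACCESS_KEY:
        required: true
      AWS_S3_ABQ_RELEASES_STAGING_ACCESS_KEY_ID:
        required: true
      AWS_S3_ABQ_RELEASES_STAGING_SECRET_ACCESS_KEY:
        required: true
      AWS_S3_ABQ_RELEASES_PRODUCTION_ACCESS_KEY_ID:
        required: true
      AWS_S3_ABQ_RELEASES_PRODUCTION_SECRET_ACCESS_KEY:
        required: true
      RWX_APPLE_DEVELOPER_ID_APPLICATION_CERT:
        required: true
      RWX_APPLE_APP_STORE_CONNECT_API_KEY:
        required: true

jobs:
  release:
    name: Build, Upload, Release ABQ
    # Least privilege for GITHUB_TOKEN: this job only needs to read the
    # repository. Signing and S3 uploads use their own dedicated secrets.
    permissions:
      contents: read
    strategy:
      # in the future we'll want to release against different architectures
      matrix:
        include:
          - runs-on: ubuntu-latest
            # todo: deprecate platform key when we move to RFC 20 style abq uploads
            deprecated-platform: linux_x86-64
            os: linux
            architecture: x86_64
            cross-target: 'x86_64-unknown-linux-musl'
            install-musl-tools: true
          - runs-on: ubuntu-latest
            deprecated-platform: linux_aarch64
            os: linux
            architecture: aarch64
            cross-target: 'aarch64-unknown-linux-musl'
            # digest-pinned: the image cannot change underneath a release build
            container: messense/rust-musl-cross:aarch64-musl@sha256:777bd4c61179c38dc213bb8472500584646d28fd4a7c3e0b30b9ef70cb446d58
          - runs-on: macos-11  # use an older version for broader osx support
            deprecated-platform: darwin_x86-64
            os: darwin
            architecture: x86_64
            cross-target: ''
          - runs-on: macos-11  # first OS X to support arm64 -- so the first os for cross compilation
            deprecated-platform: darwin_aarch64
            os: darwin
            architecture: aarch64
            cross-target: 'aarch64-apple-darwin'
    runs-on: ${{ matrix.runs-on }}
    container: ${{ matrix.container }}
    outputs:
      # NOTE(review): every matrix leg writes this output; the last leg to
      # finish wins. That is only correct because all legs build the same ref.
      abq_version: ${{ steps.abq_version.outputs.abq_version }}
    env:
      AWS_DEFAULT_REGION: us-east-2
      AWS_DEFAULT_OUTPUT: json
    steps:
      - name: Checkout code
        # `inputs.ref` decides what gets built, signed and published to
        # production -- whoever may dispatch this workflow can release any ref.
        uses: actions/checkout@v3
        with:
          fetch-depth: 0  # get whole history for versioning
          ref: ${{ inputs.ref }}
      - name: Mark safe directory
        run: |
          # For some reason we need this, even though actions/checkout sets
          # safe.directory by default?
          # Perhaps it is because we work in a container?
          git config --global --add safe.directory "$PWD"
          git describe
      # this may no longer be necessary once https://github.com/actions/checkout/issues/882 is resolved
      - name: re-fetch overwritten tag
        run: git fetch --tags --force
      - name: Restore cargo cache
        # NOTE(review): `~/.cargo/bin/` is cached too, so the `rcodesign`
        # binary used to sign darwin releases is restored from a cache entry
        # matched by the partial `restore-keys` prefix rather than rebuilt
        # each time. Acceptable only if the cache scope is trusted (it is
        # branch-scoped); otherwise exclude `~/.cargo/bin/` on release builds.
        uses: actions/[email protected]
        env:
          cache-name: ci
        with:
          path: |
            ~/.cargo/bin/
            ~/.cargo/registry/index/
            ~/.cargo/registry/cache/
            ~/.cargo/git/db/
            target/
          key: cargo-release-${{ matrix.os }}-${{ matrix.architecture }}-${{ hashFiles('rust-toolchain.toml') }}-${{ hashFiles('Cargo.lock') }}
          restore-keys: |
            cargo-release-${{ matrix.os }}-${{ matrix.architecture }}-${{ hashFiles('rust-toolchain.toml') }}-
      - name: Install Rust toolchain
        uses: rwx-research/rust-toolchain@abq
        with:
          toolchain: '1.65.0'
          target: ${{ matrix.cross-target }}
      # We don't build a musl ABQ on MacOS
      - name: Install musl libc tools
        if: matrix.install-musl-tools
        run: sudo apt-get install -y musl-tools
      - name: Build release
        # `--locked`: a release build must compile exactly the crates recorded
        # in the committed Cargo.lock (the same file the cache key hashes) and
        # fail loudly, rather than silently re-resolve, if the lockfile is stale.
        env:
          CROSS_TARGET: ${{ matrix.cross-target }}
        run: |
          if [ -z "$CROSS_TARGET" ]; then
            cargo build --release --all-features --locked
          else
            cargo build --release --all-features --locked --target="$CROSS_TARGET"
          fi
      - name: Prepare release environment
        # Derives the version, directory, archive and S3 object names used by
        # the remaining steps and exports them through $GITHUB_ENV.
        run: |
          ABQ_VERSION="$(cat build_artifact/abq_version.txt)"
          RELEASE_DIR="abq_${ABQ_VERSION}_${{ matrix.deprecated-platform }}"
          # deprecated, remove these when we fully migrate to RFC-20 style storage
          RELEASE_ARCHIVE="${RELEASE_DIR}.tar.gz"
          # drop `NEW_` when we migrate to RFC-20 style storage
          {
            echo "ABQ_VERSION=$ABQ_VERSION"
            echo "RELEASE_DIR=$RELEASE_DIR"
            echo "RELEASE_ARCHIVE=$RELEASE_ARCHIVE"
            echo "RELEASE_S3_OBJECT=abq/${ABQ_VERSION}/${RELEASE_ARCHIVE}"
            echo "RELEASE_S3_NIGHTLY_OBJECT=abq/nightly/abq_nightly_${{ matrix.deprecated-platform }}"
            echo "NEW_RELEASE_S3_OBJECT=abq/${ABQ_VERSION}/${{ matrix.os }}/${{ matrix.architecture }}/abq"
            echo "NEW_RELEASE_S3_NIGHTLY_OBJECT=abq/nightly/${{ matrix.os }}/${{ matrix.architecture }}/abq"
            echo "NEW_RELEASE_S3_OBJECT_TESTER_HARNESS=abq/${ABQ_VERSION}/${{ matrix.os }}/${{ matrix.architecture }}/abq_tester_harness"
            echo "NEW_RELEASE_S3_NIGHTLY_OBJECT_TESTER_HARNESS=abq/nightly/${{ matrix.os }}/${{ matrix.architecture }}/abq_tester_harness"
          } >> "$GITHUB_ENV"
      - name: Move release to consistent directory
        env:
          CROSS_TARGET: ${{ matrix.cross-target }}
        run: |
          mkdir "${RELEASE_DIR}"
          if [ -z "$CROSS_TARGET" ]; then
            BUILD_DIR="target/release"
          else
            BUILD_DIR="target/${CROSS_TARGET}/release"
          fi
          cp "${BUILD_DIR}/abq" "${BUILD_DIR}/abq_tester_harness" "${RELEASE_DIR}/"
      - name: Sign & Notarize Release
        # `id` so the `submission_id` output written below is actually
        # addressable as steps.sign_and_notarize.outputs.submission_id.
        id: sign_and_notarize
        if: matrix.os == 'darwin'
        env:
          CODESIGN_VERSION: 0.22.0
          RWX_APPLE_DEVELOPER_ID_APPLICATION_CERT: ${{ secrets.RWX_APPLE_DEVELOPER_ID_APPLICATION_CERT }}
          RWX_APPLE_APP_STORE_CONNECT_API_KEY: ${{ secrets.RWX_APPLE_APP_STORE_CONNECT_API_KEY }}
        run: |
          # pipefail: a failed notary-submit must fail the step even though
          # its output is piped through tee/grep/awk below.
          set -o pipefail
          (rcodesign --version | grep -F "$CODESIGN_VERSION") || cargo install apple-codesign --force --locked --version "$CODESIGN_VERSION"
          # Key material only lives on disk for the duration of this step (the
          # cleanup step below removes it). Write it owner-readable only instead
          # of relying on the runner's default umask; printf rather than echo so
          # a value starting with `-n`/`-e` is not mangled.
          (umask 077; printf '%s\n' "$RWX_APPLE_DEVELOPER_ID_APPLICATION_CERT" > rwx-developer-id-application-cert.pem)
          # first we sign the binary. This happens locally.
          # NOTE(review): only `abq` is signed here; `abq_tester_harness` sits
          # in the same directory, is zipped for notarization and (per the
          # S3 object names above) presumably uploaded unsigned -- confirm that
          # is intended.
          rcodesign sign --pem-source rwx-developer-id-application-cert.pem --code-signature-flags runtime "$RELEASE_DIR/abq"
          zip -r abq.zip "$RELEASE_DIR"
          (umask 077; printf '%s\n' "$RWX_APPLE_APP_STORE_CONNECT_API_KEY" > rwx-apple-app-store-connect-api-key.json)
          submission_id="$(rcodesign notary-submit --wait --api-key-path rwx-apple-app-store-connect-api-key.json abq.zip 2>&1 | tee /dev/fd/2 | grep "created submission ID:" | awk '{print $4}')"
          echo "Submission ID: $submission_id"
          echo "submission_id=$submission_id" >> "$GITHUB_OUTPUT"
      - name: ensure sign & notary cleanup happens
        # always(): remove the key files even when signing/notarization failed
        if: matrix.os == 'darwin' && always()
        run: rm -f rwx-apple-app-store-connect-api-key.json rwx-developer-id-application-cert.pem
      # Deprecated. Remove archiving release when we fully migrate to RFC-20 style storage
      - name: (Deprecated) Archive release
        # we do this in its own step so that for darwin, abq is already signed
        run: tar -czvf "${RELEASE_ARCHIVE}" "${RELEASE_DIR}"
      - name: Install tools to container that are baked into default image
        if: matrix.container
        # we need to install aws tools if we use a container. The default images have the tools baked in.
        # The AWS code is approximately copied from the native image, https://github.com/actions/runner-images/blob/4aeccc7b5b5a63058b2d8a9a29072708e1f267bf/images/linux/scripts/installers/aws.sh#L11
        # perhaps we should fork the musl container
        #
        # NOTE(review): these downloads are neither version-pinned ("latest")
        # nor integrity-checked (no checksum or signature verification), so
        # the release leg trusts whatever the upstream hosts serve at run time.
        # Pin versions and verify the vendors' published signatures/checksums,
        # or bake the tools into a digest-pinned image. None of the steps in
        # this workflow invoke session-manager-plugin or the SAM CLI -- verify
        # scripts/upload-to-aws.sh needs them before keeping that download surface.
        run: |
          # package lists first so the .deb install below can resolve dependencies
          apt-get update
          # -f: fail on HTTP errors instead of saving an error page to disk
          curl -fsSL "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
          unzip -qq awscliv2.zip
          ./aws/install -i /usr/local/aws-cli -b /usr/local/bin
          curl -fsSL "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/ubuntu_64bit/session-manager-plugin.deb" -o "session-manager-plugin.deb"
          apt install -y ./session-manager-plugin.deb
          # Download & install the latest aws sam cli release
          curl -fsSL "https://github.com/aws/aws-sam-cli/releases/latest/download/aws-sam-cli-linux-x86_64.zip" -o "aws-sam-cli-linux-x86_64.zip"
          mkdir aws-sam
          unzip aws-sam-cli-linux-x86_64.zip -d aws-sam
          ./aws-sam/install
          apt-get install jq -y
      # The bucket credentials are handed to the upload script via the
      # environment and quoted shell variables instead of being expanded with
      # `${{ secrets.* }}` directly inside the run script: an inline expansion
      # is written verbatim into the script file the runner generates, and an
      # unquoted one is subject to word splitting. The script's positional
      # interface is kept; TODO have scripts/upload-to-aws.sh read the
      # credentials from the environment so they never appear in argv at all.
      - name: Push release to development S3
        env:
          RELEASE_BUCKET: abq-releases-development
          S3_ACCESS_KEY_ID: ${{ secrets.AWS_S3_ABQ_RELEASES_DEVELOPMENT_ACCESS_KEY_ID }}
          S3_SECRET_ACCESS_KEY: ${{ secrets.AWS_S3_ABQ_RELEASES_DEVELOPMENT_SECRET_ACCESS_KEY }}
        run: scripts/upload-to-aws.sh "$S3_ACCESS_KEY_ID" "$S3_SECRET_ACCESS_KEY" development
      - name: Push release to staging S3
        env:
          RELEASE_BUCKET: abq-releases-staging
          S3_ACCESS_KEY_ID: ${{ secrets.AWS_S3_ABQ_RELEASES_STAGING_ACCESS_KEY_ID }}
          S3_SECRET_ACCESS_KEY: ${{ secrets.AWS_S3_ABQ_RELEASES_STAGING_SECRET_ACCESS_KEY }}
        run: scripts/upload-to-aws.sh "$S3_ACCESS_KEY_ID" "$S3_SECRET_ACCESS_KEY" staging
      - name: Push release to production S3
        # NOTE(review): each matrix leg pushes to production independently, so a
        # failure in one leg after another has already uploaded leaves a partial
        # release in the bucket (the notify jobs below will not run).
        env:
          RELEASE_BUCKET: abq-releases
          S3_ACCESS_KEY_ID: ${{ secrets.AWS_S3_ABQ_RELEASES_PRODUCTION_ACCESS_KEY_ID }}
          S3_SECRET_ACCESS_KEY: ${{ secrets.AWS_S3_ABQ_RELEASES_PRODUCTION_SECRET_ACCESS_KEY }}
        run: scripts/upload-to-aws.sh "$S3_ACCESS_KEY_ID" "$S3_SECRET_ACCESS_KEY" production
      - name: export abq version
        id: abq_version
        run: echo "abq_version=$ABQ_VERSION" >> "$GITHUB_OUTPUT"

  notify-staging-api:
    name: Release new abq to staging API
    needs: release
    uses: ./.github/workflows/release_staging.yml
    with:
      version: ${{ needs.release.outputs.abq_version }}
      release_channel: ${{ inputs.release_channel }}
    secrets:
      RWX_STAGING_CREATE_RELEASE_ACCESS_TOKEN: ${{ secrets.RWX_STAGING_CREATE_RELEASE_ACCESS_TOKEN }}

  notify-production-api:
    name: Release new abq to production API
    # runs in parallel with the staging notification, not after it
    needs: release
    uses: ./.github/workflows/release_production.yml
    with:
      version: ${{ needs.release.outputs.abq_version }}
      release_channel: ${{ inputs.release_channel }}
    secrets:
      RWX_PRODUCTION_CREATE_RELEASE_ACCESS_TOKEN: ${{ secrets.RWX_PRODUCTION_CREATE_RELEASE_ACCESS_TOKEN }}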