|
32 | 32 | CODER_RELEASE_NOTES: ${{ inputs.release_notes }} |
33 | 33 |
|
34 | 34 | jobs: |
35 | | - # build-dylib is a separate job to build the dylib on macOS. |
36 | | - build-dylib: |
37 | | - runs-on: ${{ github.repository_owner == 'coder' && 'depot-macos-latest' || 'macos-latest' }} |
38 | | - steps: |
39 | | - - name: Harden Runner |
40 | | - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 |
41 | | - with: |
42 | | - egress-policy: audit |
43 | | - |
44 | | - - name: Checkout |
45 | | - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 |
46 | | - with: |
47 | | - fetch-depth: 0 |
48 | | - |
49 | | - - name: Setup build tools |
50 | | - run: | |
51 | | - brew install bash gnu-getopt make |
52 | | - echo "$(brew --prefix bash)/bin" >> $GITHUB_PATH |
53 | | - echo "$(brew --prefix gnu-getopt)/bin" >> $GITHUB_PATH |
54 | | - echo "$(brew --prefix make)/libexec/gnubin" >> $GITHUB_PATH |
55 | | -
|
56 | | - - name: Setup Go |
57 | | - uses: ./.github/actions/setup-go |
58 | | - |
59 | | - - name: Install rcodesign |
60 | | - run: | |
61 | | - set -euo pipefail |
62 | | - wget -O /tmp/rcodesign.tar.gz https://github.com/indygreg/apple-platform-rs/releases/download/apple-codesign%2F0.22.0/apple-codesign-0.22.0-macos-universal.tar.gz |
63 | | - sudo tar -xzf /tmp/rcodesign.tar.gz \ |
64 | | - -C /usr/local/bin \ |
65 | | - --strip-components=1 \ |
66 | | - apple-codesign-0.22.0-macos-universal/rcodesign |
67 | | - rm /tmp/rcodesign.tar.gz |
68 | | -
|
69 | | - - name: Setup Apple Developer certificate and API key |
70 | | - run: | |
71 | | - set -euo pipefail |
72 | | - touch /tmp/{apple_cert.p12,apple_cert_password.txt,apple_apikey.p8} |
73 | | - chmod 600 /tmp/{apple_cert.p12,apple_cert_password.txt,apple_apikey.p8} |
74 | | - echo "$AC_CERTIFICATE_P12_BASE64" | base64 -d > /tmp/apple_cert.p12 |
75 | | - echo "$AC_CERTIFICATE_PASSWORD" > /tmp/apple_cert_password.txt |
76 | | - echo "$AC_APIKEY_P8_BASE64" | base64 -d > /tmp/apple_apikey.p8 |
77 | | - env: |
78 | | - AC_CERTIFICATE_P12_BASE64: ${{ secrets.AC_CERTIFICATE_P12_BASE64 }} |
79 | | - AC_CERTIFICATE_PASSWORD: ${{ secrets.AC_CERTIFICATE_PASSWORD }} |
80 | | - AC_APIKEY_P8_BASE64: ${{ secrets.AC_APIKEY_P8_BASE64 }} |
81 | | - |
82 | | - - name: Build dylibs |
83 | | - run: | |
84 | | - set -euxo pipefail |
85 | | - go mod download |
86 | | -
|
87 | | - make gen/mark-fresh |
88 | | - make build/coder-dylib |
89 | | - env: |
90 | | - CODER_SIGN_DARWIN: 1 |
91 | | - AC_CERTIFICATE_FILE: /tmp/apple_cert.p12 |
92 | | - AC_CERTIFICATE_PASSWORD_FILE: /tmp/apple_cert_password.txt |
93 | | - |
94 | | - - name: Upload build artifacts |
95 | | - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 |
96 | | - with: |
97 | | - name: dylibs |
98 | | - path: | |
99 | | - ./build/*.h |
100 | | - ./build/*.dylib |
101 | | - retention-days: 7 |
102 | | - |
103 | | - - name: Delete Apple Developer certificate and API key |
104 | | - run: rm -f /tmp/{apple_cert.p12,apple_cert_password.txt,apple_apikey.p8} |
105 | | - |
106 | 35 | release: |
107 | 36 | name: Build and publish |
108 | | - needs: build-dylib |
109 | 37 | runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-8' || 'ubuntu-latest' }} |
110 | 38 | permissions: |
111 | 39 | # Required to publish a release |
@@ -217,18 +145,6 @@ jobs: |
217 | 145 | - name: Install nsis and zstd |
218 | 146 | run: sudo apt-get install -y nsis zstd |
219 | 147 |
|
220 | | - - name: Download dylibs |
221 | | - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 |
222 | | - with: |
223 | | - name: dylibs |
224 | | - path: ./build |
225 | | - |
226 | | - - name: Insert dylibs |
227 | | - run: | |
228 | | - mv ./build/*amd64.dylib ./site/out/bin/coder-vpn-darwin-amd64.dylib |
229 | | - mv ./build/*arm64.dylib ./site/out/bin/coder-vpn-darwin-arm64.dylib |
230 | | - mv ./build/*arm64.h ./site/out/bin/coder-vpn-darwin-dylib.h |
231 | | -
|
232 | 148 | - name: Install nfpm |
233 | 149 | run: | |
234 | 150 | set -euo pipefail |
@@ -355,7 +271,6 @@ jobs: |
355 | 271 | ${{ steps.image-base-tag.outputs.tag }} |
356 | 272 |
|
357 | 273 | - name: Verify that images are pushed properly |
358 | | - if: steps.image-base-tag.outputs.tag != '' |
359 | 274 | run: | |
360 | 275 | # retry 10 times with a 5 second delay as the images may not be |
361 | 276 | # available immediately |
@@ -388,17 +303,17 @@ jobs: |
388 | 303 | run: | |
389 | 304 | set -euxo pipefail |
390 | 305 |
|
| 306 | + # build Docker images for each architecture |
| 307 | + version="$(./scripts/version.sh)" |
| 308 | + make build/coder_"$version"_linux_{amd64,arm64,armv7}.tag |
| 309 | +
|
391 | 310 | # we can't build multi-arch if the images aren't pushed, so quit now |
392 | 311 | # if dry-running |
393 | 312 | if [[ "$CODER_RELEASE" != *t* ]]; then |
394 | 313 | echo Skipping multi-arch docker builds due to dry-run. |
395 | 314 | exit 0 |
396 | 315 | fi |
397 | 316 |
|
398 | | - # build Docker images for each architecture |
399 | | - version="$(./scripts/version.sh)" |
400 | | - make build/coder_"$version"_linux_{amd64,arm64,armv7}.tag |
401 | | -
|
402 | 317 | # build and push multi-arch manifest, this depends on the other images |
403 | 318 | # being pushed so will automatically push them. |
404 | 319 | make push/build/coder_"$version"_linux.tag |
|
0 commit comments