-
Notifications
You must be signed in to change notification settings - Fork 0
188 lines (158 loc) Β· 5.95 KB
/
ci.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
---
name: CI
"on":
push:
branches:
- trunk
pull_request:
branches:
- trunk
schedule:
- cron: "0 0 * * TUE"
jobs:
gpg-sign:
name: GPG Signing
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4.1.1
- name: Setup Python
uses: actions/setup-python@v5.0.0
with:
python-version-file: ".python-version"
- name: Install Python dependencies
run: |
python3 -m venv --upgrade-deps venv
venv/bin/python3 -m pip install --upgrade pip wheel
venv/bin/python3 -m pip install --require-hashes -r requirements.txt
- name: Clone Artichoke
uses: actions/checkout@v4.1.1
with:
repository: artichoke/artichoke
path: artichoke
# ```
# $ gpg --fingerprint --with-subkey-fingerprints codesign@artichokeruby.org
# pub ed25519 2021-01-03 [SC]
# C983 8F10 4021 F59E E6F6 BCBE B199 D034 7FDA 14A4
# uid [ultimate] Code signing for Artichoke Ruby <codesign@artichokeruby.org>
# sub cv25519 2021-01-03 [E]
# 7719 1B6D 83B2 F4E8 5197 125B A9A3 F70E 710A 15AA
# sub ed25519 2021-01-03 [S]
# 1C4A 856A CF86 EC1E E841 180F AF57 A37C AC06 1452
# ```
- name: Import GPG key
id: import_gpg
uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0
with:
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.GPG_SIGNING_KEY_PASSPHRASE }}
fingerprint: 1C4A856ACF86EC1EE841180FAF57A37CAC061452
- name: List keys
run: gpg -K
- name: Build release artifacts
working-directory: artichoke
run: cargo build --verbose --release
- name: GPG sign binary
id: gpg_signing
run: venv/bin/python3 gpg_sign.py "nightly-gpg-sign-test" --artifact artichoke/target/release/artichoke
- name: Verify GPG signature
run: gpg --batch --verify "${{ steps.gpg_signing.outputs.signature }}" artichoke/target/release/artichoke
apple-codesign:
name: Apple Codesigning
runs-on: macos-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4.1.1
- name: Setup Python
uses: actions/setup-python@v5.0.0
with:
python-version-file: ".python-version"
- name: Install Python dependencies
run: |
python3 -m venv --upgrade-deps venv
venv/bin/python3 -m pip install --upgrade pip wheel
venv/bin/python3 -m pip install --require-hashes -r requirements.txt
- name: Clone Artichoke
uses: actions/checkout@v4.1.1
with:
repository: artichoke/artichoke
path: artichoke
- name: Build release artifacts
working-directory: artichoke
run: cargo build --verbose --release
# This will codesign binaries in place which means that the tarballed
# binaries will be codesigned as well.
- name: Run Apple Codesigning and Notarization
id: apple_codesigning
if: runner.os == 'macOS'
run: |
venv/bin/python3 macos_sign_and_notarize.py "nightly-apple-codesign-test" \
--binary "artichoke/target/release/artichoke" \
--binary "artichoke/target/release/airb" \
--resource artichoke/LICENSE \
--resource artichoke/README.md \
--dmg-icon-url "https://artichoke.github.io/logo/Artichoke-dmg.icns"
env:
MACOS_NOTARIZE_APP_PASSWORD: ${{ secrets.MACOS_NOTARIZE_APP_PASSWORD }}
MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
MACOS_CERTIFICATE_PASSPHRASE: ${{ secrets.MACOS_CERTIFICATE_PASSPHRASE }}
- name: Verify code signature
run: |
codesign --verify --check-notarization --deep --strict=all artichoke/target/release/artichoke
codesign --verify --check-notarization --deep --strict=all artichoke/target/release/airb
- name: Verify DMG code signature
run: spctl -a -t open --context context:primary-signature "${{ steps.apple_codesigning.outputs.asset }}" -v
python:
name: Lint and format Python
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4.1.1
- name: Setup Python
uses: actions/setup-python@v5.0.0
with:
python-version-file: ".python-version"
- name: Install Python dependencies
run: |
python3 -m venv --upgrade-deps venv
venv/bin/python3 -m pip install --upgrade pip wheel
venv/bin/python3 -m pip install --require-hashes -r requirements.txt -r dev-requirements.txt
- name: Run black
run: venv/bin/black --check --diff --verbose .
- name: Run ruff
run: venv/bin/ruff --output-format=github .
- name: Run mypy
run: venv/bin/mypy .
ruby:
name: Lint and format Ruby
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4.1.1
- name: Install Ruby toolchain
uses: ruby/setup-ruby@22fdc77bf4148f810455b226c90fb81b5cbc00a7 # v1.171.0
with:
ruby-version: ".ruby-version"
bundler-cache: true
- name: Lint and check formatting with Rubocop
run: bundle exec rubocop --format github
text:
name: Lint and format text
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4.1.1
- name: Setup Node.js runtime
uses: actions/setup-node@v4.0.1
with:
node-version: "lts/*"
- name: Install toolchain
run: npm ci
- name: Lint and check formatting with prettier
run: npx prettier --check '**/*'
- name: Lint YAML sources with yamllint
run: |
yamllint --version
echo "Linting YAML sources with yamllint ..."
yamllint --strict --format github .
echo "OK"