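---
# CI for the artichoke-nightly signing tooling. The two signing jobs build a
# fresh Artichoke release binary and push it through the real GPG and Apple
# codesign/notarize paths, then verify the result, so a broken signing
# pipeline fails here rather than on a nightly release.
name: CI
# Quoted because an unquoted `on` is a YAML 1.1 boolean; GitHub's loader
# tolerates both, but generic parsers and yamllint's `truthy` rule do not.
"on":
  push:
    branches:
      - trunk
  pull_request:
    branches:
      - trunk
  schedule:
    # Weekly run so upstream Artichoke or toolchain drift surfaces even when
    # this repository itself is quiet.
    - cron: "0 0 * * TUE"

# Least privilege for the default GITHUB_TOKEN: every job only checks out
# source and builds/signs locally; nothing pushes, comments, or publishes.
permissions:
  contents: read

# NOTE(review): the actions/* steps below are pinned to release tags while the
# third-party actions are pinned to commit SHAs with a version comment. Tags
# are mutable; pinning the first-party actions by SHA as well would make the
# supply-chain posture uniform. SHAs are deliberately not added here.
jobs:
  gpg-sign:
    name: GPG Signing
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4.1.7
      - name: Setup Python
        uses: actions/setup-python@v5.2.0
        with:
          python-version-file: ".python-version"
      # Only the non-Windows branch is ever taken in this workflow (all jobs
      # run on ubuntu/macos); the step is kept identical across jobs so the
      # venv layout is defined in one place.
      - name: Set Python executable path based on OS
        shell: bash
        run: |
          if [[ "$RUNNER_OS" == "Windows" ]]; then
            echo "VENV_PYTHON=venv\\Scripts\\python" >> "$GITHUB_ENV"
          else
            echo "VENV_PYTHON=venv/bin/python3" >> "$GITHUB_ENV"
          fi
      # requirements.txt is installed with --require-hashes; the preceding
      # pip/wheel upgrade is the one install in this job that is not hash-pinned.
      - name: Install Python dependencies
        shell: bash
        run: |
          python3 -m venv --upgrade-deps venv
          $VENV_PYTHON -m pip install --upgrade pip wheel
          $VENV_PYTHON -m pip install --require-hashes -r requirements.txt
      # Clones the upstream default branch (no ref pinned) so the signing
      # path is exercised against whatever Artichoke currently builds.
      - name: Clone Artichoke
        uses: actions/checkout@v4.1.7
        with:
          repository: artichoke/artichoke
          path: artichoke
      # ```
      # $ gpg --fingerprint --with-subkey-fingerprints codesign@artichokeruby.org
      # pub   ed25519 2021-01-03 [SC]
      #       C983 8F10 4021 F59E E6F6  BCBE B199 D034 7FDA 14A4
      # uid           [ultimate] Code signing for Artichoke Ruby <codesign@artichokeruby.org>
      # sub   cv25519 2021-01-03 [E]
      #       7719 1B6D 83B2 F4E8 5197  125B A9A3 F70E 710A 15AA
      # sub   ed25519 2021-01-03 [S]
      #       1C4A 856A CF86 EC1E E841  180F AF57 A37C AC06 1452
      # ```
      - name: Import GPG key
        id: import_gpg
        uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.GPG_SIGNING_KEY_PASSPHRASE }}
          # Selects the [S] signing subkey from the listing above, not the
          # primary key, so only that subkey is used for signatures.
          fingerprint: 1C4A856ACF86EC1EE841180FAF57A37CAC061452
          # Set the GPG key to full trust (value 4) to ensure reliable signing
          # and verification in CI. Full trust balances security and practicality
          # in automated environments, avoiding prompts or failures that can
          # occur with marginal trust, while not compromising security like
          # ultimate trust.
          trust_level: 4
      # Diagnostic only: lists secret-key metadata, never key material.
      - name: List keys
        run: gpg -K
      - name: Build release artifacts
        working-directory: artichoke
        run: cargo build --verbose --release
      - name: GPG sign binary
        shell: bash
        id: gpg_signing
        run: |
          $VENV_PYTHON -m artichoke_nightly.gpg_sign \
            "nightly-gpg-sign-test" \
            --artifact artichoke/target/release/artichoke
      # The signature path is passed through `env:` rather than interpolated
      # into the script, so an unexpected value in the step output is treated
      # as data by the shell instead of being evaluated as part of the command.
      - name: Verify GPG signature
        env:
          SIGNATURE_PATH: ${{ steps.gpg_signing.outputs.signature }}
        run: gpg --batch --verify "$SIGNATURE_PATH" artichoke/target/release/artichoke

  apple-codesign:
    name: Apple Codesigning
    runs-on: macos-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4.1.7
      - name: Setup Python
        uses: actions/setup-python@v5.2.0
        with:
          python-version-file: ".python-version"
      # Same venv-path step as in gpg-sign; only the non-Windows branch runs here.
      - name: Set Python executable path based on OS
        shell: bash
        run: |
          if [[ "$RUNNER_OS" == "Windows" ]]; then
            echo "VENV_PYTHON=venv\\Scripts\\python" >> "$GITHUB_ENV"
          else
            echo "VENV_PYTHON=venv/bin/python3" >> "$GITHUB_ENV"
          fi
      - name: Install Python dependencies
        shell: bash
        run: |
          python3 -m venv --upgrade-deps venv
          $VENV_PYTHON -m pip install --upgrade pip wheel
          $VENV_PYTHON -m pip install --require-hashes -r requirements.txt
      - name: Clone Artichoke
        uses: actions/checkout@v4.1.7
        with:
          repository: artichoke/artichoke
          path: artichoke
      - name: Build release artifacts
        working-directory: artichoke
        run: cargo build --verbose --release
      # This will codesign binaries in place which means that the tarballed
      # binaries will be codesigned as well.
      # Credentials reach the script only via `env:`; they are never written
      # into the command line, so they do not appear in the step log.
      - name: Run Apple Codesigning and Notarization
        shell: bash
        id: apple_codesigning
        # Redundant with runs-on: macos-latest; kept as a guard against the
        # job being moved to a non-macOS runner.
        if: runner.os == 'macOS'
        run: |
          $VENV_PYTHON -m artichoke_nightly.macos_sign_and_notarize "nightly-apple-codesign-test" \
            --binary "artichoke/target/release/artichoke" \
            --binary "artichoke/target/release/airb" \
            --resource artichoke/LICENSE \
            --resource artichoke/README.md \
            --dmg-icon-url "https://artichoke.github.io/logo/Artichoke-dmg.icns"
        env:
          MACOS_NOTARIZE_APP_PASSWORD: ${{ secrets.MACOS_NOTARIZE_APP_PASSWORD }}
          MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
          MACOS_CERTIFICATE_PASSPHRASE: ${{ secrets.MACOS_CERTIFICATE_PASSPHRASE }}
      # --strict=all and --check-notarization make codesign fail on any
      # signature or notarization-ticket problem rather than only warn.
      - name: Verify code signature
        run: |
          codesign --verify --check-notarization --deep --strict=all artichoke/target/release/artichoke
          codesign --verify --check-notarization --deep --strict=all artichoke/target/release/airb
      # As with the GPG job, the step output is handed to the shell through
      # `env:` instead of being interpolated into the command text.
      - name: Verify DMG code signature
        env:
          DMG_ASSET_PATH: ${{ steps.apple_codesigning.outputs.asset }}
        run: spctl -a -t open --context context:primary-signature "$DMG_ASSET_PATH" -v

  python:
    name: Lint and format Python
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4.1.7
      - name: Setup Python
        uses: actions/setup-python@v5.2.0
        with:
          python-version-file: ".python-version"
      - name: Set Python executable path based on OS
        shell: bash
        run: |
          if [[ "$RUNNER_OS" == "Windows" ]]; then
            echo "VENV_PYTHON=venv\\Scripts\\python" >> "$GITHUB_ENV"
          else
            echo "VENV_PYTHON=venv/bin/python3" >> "$GITHUB_ENV"
          fi
      # Lint tooling comes from dev-requirements.txt, hash-pinned like the
      # runtime requirements.
      - name: Install Python dependencies
        shell: bash
        run: |
          python3 -m venv --upgrade-deps venv
          $VENV_PYTHON -m pip install --upgrade pip wheel
          $VENV_PYTHON -m pip install --require-hashes -r dev-requirements.txt
      - name: Run black
        run: $VENV_PYTHON -m black --check --diff --verbose .
      - name: Run ruff
        run: $VENV_PYTHON -m ruff check --output-format=github .
      - name: Run mypy
        run: $VENV_PYTHON -m mypy .

  ruby:
    name: Lint and format Ruby
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4.1.7
      - name: Install Ruby toolchain
        uses: ruby/setup-ruby@a6e6f86333f0a2523ece813039b8b4be04560854 # v1.190.0
        with:
          ruby-version: ".ruby-version"
          bundler-cache: true
      - name: Lint and check formatting with Rubocop
        run: bundle exec rubocop --format github

  text:
    name: Lint and format text
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4.1.7
      - name: Setup Node.js runtime
        uses: actions/setup-node@v4.0.3
        with:
          node-version: "lts/*"
      # `npm ci` installs exactly what the lockfile records and fails on drift.
      - name: Install toolchain
        run: npm ci
      - name: Lint and check formatting with prettier
        run: npx prettier --check '**/*'
      # --strict promotes yamllint warnings to failures.
      - name: Lint YAML sources with yamllint
        run: |
          yamllint --version
          echo "Linting YAML sources with yamllint ..."
          yamllint --strict --format github .
          echo "OK"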