workflows: Enable codesign and notarize for macOS binaries (#997)

livepeer · Apr 12, 2022 · c91205c · c91205c
1 parent 0567547
commit c91205c
Show file tree

Hide file tree

Showing 11 changed files with 974 additions and 561 deletions.
diff --git a/.github/workflows/api.yaml b/.github/workflows/api.yaml
@@ -1,7 +1,10 @@
 name: Build API service docker image
 
 on:
+  pull_request:
   push:
+    paths:
+      - "packages/api/*"
     branches-ignore:
       - latest
 
@@ -11,7 +14,8 @@ defaults:
 
 jobs:
   build:
-    runs-on: ubuntu-latest
+    name: Publish API server docker image
+    runs-on: ubuntu-20.04
     services:
       postgres:
         image: postgres
@@ -23,6 +27,7 @@ jobs:
           --health-retries 5
         ports:
           - 5432:5432
+
       rabbitmq:
         image: rabbitmq:3.9-management
         env:
@@ -36,23 +41,22 @@ jobs:
         uses: actions/checkout@master
         with:
           fetch-depth: 0
+          # Check https://github.com/livepeer/go-livepeer/pull/1891
+          # for ref value discussion
+          ref: ${{ github.event.pull_request.head.sha }}
 
-      - uses: actions/setup-node@v2
+      - uses: actions/setup-node@v3
         with:
           node-version: "16"
           cache: "yarn"
 
       - name: Tags
         id: tags
-        uses: livepeer/action-gh-release-tags@v0
+        uses: livepeer/action-gh-release-tags@latest
 
       - name: yarn install
-        run: |
-          yarn install --frozen-lockfile
-
-      - name: yarn test
-        run: |
-          yarn test
+        if: ${{ steps.yarn-cache.outputs.cache-hit != 'true' }}
+        run: yarn install --frozen-lockfile
 
       - name: docker login
         env:

diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -0,0 +1,164 @@
+name: Build binaries
+
+on:
+  pull_request:
+  push:
+    branches:
+      - "master"
+    tags:
+      - "v*"
+
+jobs:
+  build:
+    name: Build binary packages
+    runs-on: ubuntu-20.04
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          # Check https://github.com/livepeer/go-livepeer/pull/1891
+          # for ref value discussion
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - uses: actions/setup-node@v3
+        with:
+          node-version: "16"
+          cache: "yarn"
+
+      - name: Tags
+        id: tags
+        uses: livepeer/action-gh-release-tags@latest
+
+      - name: restore lerna
+        id: cache-lerna
+        uses: actions/cache@v3
+        with:
+          path: "**/node_modules"
+          key: ${{ runner.os }}-${{ hashFiles('**/yarn.lock') }}
+
+      - name: restore pkg cache
+        id: cache-pkg
+        uses: actions/cache@v3
+        with:
+          path: "~/.pkg-cache"
+          key: ${{ runner.os }}-${{ hashFiles('**/yarn.lock') }}
+
+      - name: yarn install
+        run: yarn install --frozen-lockfile --silent
+
+      - name: build pkgs
+        # I want to do --parallel here, but the binary downloads conflict with each other
+        run: |
+          echo RELEASE_PATH="${GITHUB_WORKSPACE}/releases" >> "${GITHUB_ENV}"
+          echo BIN_PATH="${GITHUB_WORKSPACE}/bin" >> "${GITHUB_ENV}"
+          yarn run lerna-run pkg
+
+      - name: Rename and move built binaries
+        run: |
+          mkdir -p "${RELEASE_PATH}" "${BIN_PATH}"
+
+          for package in api www; do
+            for arch in linux-arm64 linux-x64 macos-arm64 macos-x64 win-x64; do
+              in_name="$package-$arch"
+              out_name="livepeer-$package"
+              archive_name="livepeer-$(echo $in_name | sed -e 's/x64/amd64/;s/win/windows/;s/macos/darwin/')"
+              cd ./packages/$package/bin
+              case "$arch" in
+                win-x64)
+                  in_name="$in_name.exe"
+                  out_name="$out_name.exe"
+                  mv "./$in_name" "./$out_name"
+                  zip -q9 "${RELEASE_PATH}/${archive_name}.zip" "./$out_name"
+                  ;;
+                linux-*)
+                  mv "./$in_name" "./$out_name"
+                  tar -czvf "${RELEASE_PATH}/${archive_name}.tar.gz" "./$out_name"
+                  ;;
+                macos-*)
+                  mkdir -p "${BIN_PATH}/$arch"
+                  mv "./$in_name" "${BIN_PATH}/$arch/$out_name"
+                  ;;
+              esac
+              cd -
+            done
+          done
+
+      - name: Upload macos binaries for codesigning (arm64)
+        uses: actions/upload-artifact@v3
+        with:
+          name: macos-arm64
+          path: bin/macos-arm64
+
+      - name: Upload macos binaries for codesigning (amd64)
+        uses: actions/upload-artifact@v3
+        with:
+          name: macos-amd64
+          path: bin/macos-x64
+
+      - name: Upload artifacts for cutting release
+        uses: actions/upload-artifact@master
+        with:
+          name: release-artifacts
+          path: releases/
+
+  macos:
+    strategy:
+      fail-fast: true
+      matrix:
+        arch:
+          - amd64
+          - arm64
+    name: Codesign and archive macOS binaries
+    runs-on: macos-11
+    needs: build
+    steps:
+      - name: Setup env
+        run: |
+          echo ARCH="${{ matrix.arch }}" >> "$GITHUB_ENV"
+
+      - name: Download binaries from build stage
+        uses: actions/download-artifact@v3
+        with:
+          name: macos-${{ matrix.arch }}
+          path: bin/
+
+      - name: Fix file permissions
+        run: |
+          cd bin/
+          chmod a+x livepeer-*
+
+      - uses: actions-ecosystem/action-regex-match@v2
+        id: match-tag
+        with:
+          text: ${{ github.ref_name }}
+          regex: '^(master|main|v[0-9]+\.\d+\.\d+)$'
+
+      - name: Codesign and notarize binaries
+        if: ${{ steps.match-tag.outputs.match != '' }}
+        uses: livepeer/action-gh-codesign-apple@latest
+        with:
+          developer-certificate-id: ${{ secrets.CI_MACOS_CERTIFICATE_ID }}
+          developer-certificate-base64:
+            ${{ secrets.CI_MACOS_CERTIFICATE_BASE64 }}
+          developer-certificate-password:
+            ${{ secrets.CI_MACOS_CERTIFICATE_PASSWORD }}
+          app-notarization-email: ${{ secrets.CI_MACOS_NOTARIZATION_USER }}
+          app-notarization-password:
+            ${{ secrets.CI_MACOS_NOTARIZATION_PASSWORD }}
+          binary-path: "bin/"
+          app-bundle-id: "org.livepeer.api"
+
+      - name: Archive built binaries
+        run: |
+          mkdir -p releases/
+          cd bin/
+          for file in $(find . -type f -perm -a+x); do
+            tar -czf "../releases/${file}-darwin-${ARCH}.tar.gz" "${file}"
+          done
+
+      - name: Upload artifacts for cutting release
+        uses: actions/upload-artifact@master
+        with:
+          name: release-artifacts
+          path: releases/
diff --git a/.github/workflows/cron.yml → .github/workflows/cron.yaml b/.github/workflows/cron.yml → .github/workflows/cron.yaml
@@ -1,7 +1,9 @@
 name: 1-hour-cron
+
 on:
   schedule:
     - cron: "0 * * * *" # run every hour
+
 jobs:
   cron:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml