From 8613c1726ed85ecc409e88dfaab53c3baef69f72 Mon Sep 17 00:00:00 2001 From: aboyko Date: Wed, 19 Jul 2023 23:16:31 -0400 Subject: [PATCH] GHA: upload linux files to s3 outside of maven build. Cleanups --- .github/scripts/notarize-osx-distro-file.sh | 5 +- .github/scripts/sign-osx-distro-file.sh | 4 +- .../gh-hosted-eclipse-distro-build.yml | 59 ++++++++----------- .../pom.xml | 40 ++++++------- 4 files changed, 48 insertions(+), 60 deletions(-) diff --git a/.github/scripts/notarize-osx-distro-file.sh b/.github/scripts/notarize-osx-distro-file.sh index 551f4c7e3..b1d87c189 100755 --- a/.github/scripts/notarize-osx-distro-file.sh +++ b/.github/scripts/notarize-osx-distro-file.sh @@ -6,12 +6,9 @@ notarize_profile=$2 dmg_filename="$(basename -- $dmg_file)" dir="$(dirname "$dmg_file")" -echo "****************************************************************" -echo "*** Notarizing: ${dmg_filename}" -echo "****************************************************************" cd $dir xcrun notarytool submit ./${dmg_filename} --keychain-profile $notarize_profile --wait echo "Staple and generate checksums for ${dmg_filename}" xcrun stapler staple $dmg_filename shasum -a 256 $dmg_filename > ${dmg_filename}.sha256 -md5 $dmg_filename > ${dmg_filename}.md5) \ No newline at end of file +md5 $dmg_filename > ${dmg_filename}.md5 \ No newline at end of file diff --git a/.github/scripts/sign-osx-distro-file.sh b/.github/scripts/sign-osx-distro-file.sh index 93e64b76f..3ea246efb 100755 --- a/.github/scripts/sign-osx-distro-file.sh +++ b/.github/scripts/sign-osx-distro-file.sh @@ -15,8 +15,7 @@ echo "Extracting archive ${filename} to ${dir}/${destination_folder_name}" mkdir ${dir}/${destination_folder_name} tar -zxf $file --directory ${dir}/${destination_folder_name} echo "Successfully extracted ${filename}" -echo "About to sign OSX .app file: ${dir}/${destination_folder_name}/SpringToolSuite4.app" -echo "keychain ${KEYCHAIN}" + codesign --verbose --deep --force --timestamp --entitlements "${entitlements}" --options=runtime --keychain "${KEYCHAIN}" -s "${MACOS_CERTIFICATE_ID}" ${dir}/${destination_folder_name}/SpringToolSuite4.app cd ${dir}/${destination_folder_name} @@ -34,6 +33,7 @@ echo '}' >> dmg-config.json cat ./dmg-config.json dmg_filename=${filename%.*.*}.dmg appdmg ./dmg-config.json ../${dmg_filename} + cd .. rm -rf ./${destination_folder_name} rm -f $filename diff --git a/.github/workflows/gh-hosted-eclipse-distro-build.yml b/.github/workflows/gh-hosted-eclipse-distro-build.yml index eeb096e1e..c679ffd71 100644 --- a/.github/workflows/gh-hosted-eclipse-distro-build.yml +++ b/.github/workflows/gh-hosted-eclipse-distro-build.yml @@ -41,48 +41,35 @@ jobs: run: | echo "${{ secrets.GPG_PRIVATE_KEY }}" > gpg.asc echo "${{ secrets.GPG_PASSPHRASE }}" | gpg --batch --yes --passphrase-fd 0 --import gpg.asc - - name: Create Keychain. Add Mac App Dev Certificate to Keychain - env: - BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }} - P12_PASSWORD: ${{ secrets.P12_PASSWORD }} - KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} - run: | - CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12 - KEYCHAIN=$RUNNER_TEMP/app-signing.keychain-db - - echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH - - security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN - security set-keychain-settings -lut 21600 $KEYCHAIN - security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN - - security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN - security list-keychain -d user -s $KEYCHAIN - - name: Unlock Keychain for OSX signing - run: | - security unlock-keychain -p ${{ secrets.KEYCHAIN_PASSWORD }} $RUNNER_TEMP/app-signing.keychain-db - - name: Install appdmg - run: | - npm install -g appdmg - - name: Create Temp Directory Structure for Notarization Service - run: | - cd /tmp - mkdir -p macos-notarization-service/pending-files - name: Build Eclipse Distro env: tools_s3_access_key: ${{ secrets.TOOLS_S3_ACCESS_KEY }} tools_s3_secret_key: ${{ secrets.TOOLS_S3_SECRET_KEY }} gpg_passphrase: ${{ secrets.GPG_PASSPHRASE }} gpg_keyname: ${{ secrets.GPG_KEYID }} - MACOS_CERTIFICATE_ID: ${{ secrets.MACOS_CERTIFICATE_ID }} - MACOS_NOTARIZATION_SERVICE_URL: http://localhost:8080 - AC_USERNAME: ${{ secrets.AC_USERNAME }} - AC_PASSWORD: ${{ secrets.AC_PASSWORD }} - APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} run: | cd eclipse-distribution - KEYCHAIN=$RUNNER_TEMP/app-signing.keychain-db ./mvnw --batch-mode -U clean deploy -P${{ inputs.eclipse_profile }} -P${{ inputs.build_type }} -Pgitactions -Pgpg.sign -Dsigning.skip=true -Dmaven.repo.local=~/.m2/repository-signed -Dhttpclient.retry-max=20 -Dmaven.test.skip=true -Declipse.p2.mirrors=false -Dtycho.localArtifacts=ignore -Ds3service.https-only=true -Dp2.replaceQualifier=true -Dorg.eclipse.ecf.provider.filetransfer.httpclient.retrieve.readTimeout=1200000 -Dorg.eclipse.equinox.p2.transport.ecf.retry=5 -Dskip.eclipserun.proxies=false -Dskip.osx.signing=true -Dskip.win.signing=true -Dskip.osx.notarizing=true -Dtycho.equinox.resolver.uses=true + - name: Upload Linux Distro Build Artifacts + env: + AWS_ACCESS_KEY_ID: ${{ secrets.TOOLS_S3_ACCESS_KEY }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.TOOLS_S3_SECRET_KEY }} + AWS_DEFAULT_REGION: us-east-1 + run: | + files=`ls spring-tool-suite-4*linux*.tar.gz` + for file in $files + do + echo "Generate checksums for ${file}" + shasum -a 256 $file > ${file}.sha256 + md5 $file > ${file}.md5 + done + echo "Processing S3 update..." + ls spring-tool-suite-4*linux*.tar.gz* + dist_path=`cat ${{ github.workspace }}/eclipse-distribution/org.springframework.boot.ide.product.${{ inputs.eclipse_profile }}/target/s3-dist-path.txt` + echo "Removing old Linux .tar.gz files from s3..." + aws s3 rm s3://dist.springsource.com/${dist_path} --recursive --exclude "*" --include "spring-tool-suite-4*linux*.tar.gz*" --exclude "*/*" + echo "Uploading new Linux .ta.gz files to s3..." + aws s3 mv . s3://dist.springsource.com/${dist_path} --recursive --exclude "*" --include "spring-tool-suite-4*linux*.ta.gz*" --exclude "*/*" --acl public-read --no-progress - name: Upload Build Artifacts for Signing env: AWS_ACCESS_KEY_ID: ${{ secrets.TOOLS_S3_ACCESS_KEY }} @@ -178,7 +165,7 @@ jobs: rm -rf *macosx* ls aws s3 mv s3://dist.springsource.com/sts4-distro-ci-temp/${{ github.run_id }} . --recursive --exclude "*" --include "spring-tool-suite-4*macosx*.tar.gz" --exclude "*/*" --no-progress - - name: Sign .app, Create DMG, Sign and Notarize DMG + - name: Sign .app, Create and Sign DMG env: MACOS_CERTIFICATE_ID: ${{ secrets.MACOS_CERTIFICATE_ID }} NOTARIZE_PROFILE: notarize-app-dmg-profile @@ -190,6 +177,10 @@ jobs: do ${{ github.workspace }}/.github/scripts/sign-osx-distro-file.sh $file ${{ github.workspace }}/.github/assets/entitlements.plist ${{ github.workspace }}/.github/assets/sts4.icns done + - name: Notarize DMG files + env: + NOTARIZE_PROFILE: notarize-app-dmg-profile + run: | xcrun notarytool store-credentials $NOTARIZE_PROFILE --apple-id ${{ secrets.AC_USERNAME }} --team-id ${{ secrets.APPLE_TEAM_ID }} --password ${{ secrets.AC_PASSWORD }} dmg_files=`ls spring-tool-suite-4*macosx*.dmg` for dmg_file in $dmg_files diff --git a/eclipse-distribution/org.springframework.boot.ide.product.e428/pom.xml b/eclipse-distribution/org.springframework.boot.ide.product.e428/pom.xml index 4f013edf9..9e473d4e8 100644 --- a/eclipse-distribution/org.springframework.boot.ide.product.e428/pom.xml +++ b/eclipse-distribution/org.springframework.boot.ide.product.e428/pom.xml @@ -533,34 +533,34 @@ - - - - + + + + - + - - - + + + - - + + - - - - - - - - + + + + + + + + + - +