GHA: Support testing build/sign workflows

Neither `release` nor `workflow_dispatch` triggers may be tested inside
a PR context.  The workflow steps always run from what's already
committed to `main`.  Rather than waiting for a release to discover
some unforeseen workflow problem, allow manual runs to skip the release
upload step (which is the default for manual runs).

Also, update the windows workflow to store an artifact of the signed
build, and migrate away from the deprecated "set-output" command.

Signed-off-by: Chris Evich <cevich@redhat.com>
This commit is contained in:
Chris Evich
2023-07-28 14:47:00 -04:00
parent b6a52f1f8b
commit 4d69f01468
2 changed files with 106 additions and 22 deletions


@ -8,8 +8,18 @@ on:
version: version:
description: 'Release version to build and upload (e.g. "v4.2.1")' description: 'Release version to build and upload (e.g. "v4.2.1")'
required: true required: true
dryrun:
description: 'Perform all the steps except uploading to the release page'
required: true
default: "true" # 'choice' type requires string value
type: choice
options:
- "true" # Must be quoted string, boolean value not supported.
- "false"
permissions: permissions:
contents: write contents: write
jobs: jobs:
build: build:
runs-on: macos-latest runs-on: macos-latest
@ -26,10 +36,24 @@ jobs:
KEYCHAIN_PWD: ${{ secrets.MACOS_CI_KEYCHAIN_PWD }} KEYCHAIN_PWD: ${{ secrets.MACOS_CI_KEYCHAIN_PWD }}
steps: steps:
- name: Consolidate dryrun setting to always be true or false
id: actual_dryrun
run: |
# The 'release' trigger will not have a 'dryrun' input set. Handle
# this case in a readable/maintainable way.
if [[ -z "${{ inputs.dryrun }}" ]]
then
echo "dryrun=false" >> $GITHUB_OUTPUT
else
echo "dryrun=${{ inputs.dryrun }}" >> $GITHUB_OUTPUT
fi
- name: Dry Run Status
run: |
echo "::notice::This workflow execution will be a dry-run: ${{ steps.actual_dryrun.outputs.dryrun }}"
- name: Determine Version - name: Determine Version
id: getversion id: getversion
run: | run: |
if [ -z "${{ inputs.version }}" ] if [[ -z "${{ inputs.version }}" ]]
then then
VERSION=${{ github.event.release.tag_name }} VERSION=${{ github.event.release.tag_name }}
else else
@ -48,7 +72,7 @@ jobs:
if [[ "$status" == "404" ]] ; then if [[ "$status" == "404" ]] ; then
echo "buildarm=true" >> $GITHUB_OUTPUT echo "buildarm=true" >> $GITHUB_OUTPUT
else else
echo "ARM installer already exists, skipping" echo "::warning::ARM installer already exists, skipping"
echo "buildarm=false" >> $GITHUB_OUTPUT echo "buildarm=false" >> $GITHUB_OUTPUT
fi fi
@ -56,23 +80,31 @@ jobs:
if [[ "$status" == "404" ]] ; then if [[ "$status" == "404" ]] ; then
echo "buildamd=true" >> $GITHUB_OUTPUT echo "buildamd=true" >> $GITHUB_OUTPUT
else else
echo "AMD installer already exists, skipping" echo "::warning::AMD installer already exists, skipping"
echo "buildamd=false" >> $GITHUB_OUTPUT echo "buildamd=false" >> $GITHUB_OUTPUT
fi fi
- name: Checkout Version - name: Checkout Version
# If no binaries need to be built, then there's no reason to Checkout if: >-
if: steps.check.outputs.buildamd == 'true' || steps.check.outputs.buildarm == 'true' steps.check.outputs.buildamd == 'true' ||
steps.check.outputs.buildarm == 'true' ||
steps.actual_dryrun.outputs.dryrun == 'true'
uses: actions/checkout@v3 uses: actions/checkout@v3
with: with:
ref: ${{steps.getversion.outputs.version}} ref: ${{steps.getversion.outputs.version}}
- name: Set up Go - name: Set up Go
# If no binaries need to be built, then there's no reason to set up Go # Conditional duplication sucks - GHA doesn't grok YAML anchors/aliases
if: steps.check.outputs.buildamd == 'true' || steps.check.outputs.buildarm == 'true' if: >-
steps.check.outputs.buildamd == 'true' ||
steps.check.outputs.buildarm == 'true' ||
steps.actual_dryrun.outputs.dryrun == 'true'
uses: actions/setup-go@v4 uses: actions/setup-go@v4
with: with:
go-version: '1.18' go-version: '1.18'
- name: Create Keychain - name: Create Keychain
if: steps.check.outputs.buildamd == 'true' || steps.check.outputs.buildarm == 'true' if: >-
steps.check.outputs.buildamd == 'true' ||
steps.check.outputs.buildarm == 'true' ||
steps.actual_dryrun.outputs.dryrun == 'true'
run: | run: |
echo $APPLICATION_CERTIFICATE | base64 --decode -o appcert.p12 echo $APPLICATION_CERTIFICATE | base64 --decode -o appcert.p12
echo $INSTALLER_CERTIFICATE | base64 --decode -o instcert.p12 echo $INSTALLER_CERTIFICATE | base64 --decode -o instcert.p12
@ -86,26 +118,32 @@ jobs:
xcrun notarytool store-credentials "notarytool-profile" --apple-id "$NOTARIZE_USERNAME" --team-id "$NOTARIZE_TEAM" --password "$NOTARIZE_PASSWORD" &> /dev/null xcrun notarytool store-credentials "notarytool-profile" --apple-id "$NOTARIZE_USERNAME" --team-id "$NOTARIZE_TEAM" --password "$NOTARIZE_PASSWORD" &> /dev/null
- name: Build and Sign ARM - name: Build and Sign ARM
if: steps.check.outputs.buildarm == 'true' if: steps.check.outputs.buildarm == 'true' || steps.actual_dryrun.outputs.dryrun == 'true'
working-directory: contrib/pkginstaller working-directory: contrib/pkginstaller
run: | run: |
make ARCH=aarch64 notarize &> /dev/null make ARCH=aarch64 notarize &> /dev/null
cd out && shasum -a 256 podman-installer-macos-arm64.pkg >> shasums cd out && shasum -a 256 podman-installer-macos-arm64.pkg >> shasums
- name: Build and Sign AMD - name: Build and Sign AMD
if: steps.check.outputs.buildamd == 'true' if: steps.check.outputs.buildamd == 'true' || steps.actual_dryrun.outputs.dryrun == 'true'
working-directory: contrib/pkginstaller working-directory: contrib/pkginstaller
run: | run: |
make ARCH=amd64 notarize &> /dev/null make ARCH=amd64 notarize &> /dev/null
cd out && shasum -a 256 podman-installer-macos-amd64.pkg >> shasums cd out && shasum -a 256 podman-installer-macos-amd64.pkg >> shasums
- name: Artifact - name: Artifact
if: steps.check.outputs.buildamd == 'true' || steps.check.outputs.buildarm == 'true' if: >-
steps.check.outputs.buildamd == 'true' ||
steps.check.outputs.buildarm == 'true' ||
steps.actual_dryrun.outputs.dryrun == 'true'
uses: actions/upload-artifact@v3 uses: actions/upload-artifact@v3
with: with:
name: installers name: installers
path: | path: |
contrib/pkginstaller/out/podman-installer-macos-*.pkg contrib/pkginstaller/out/podman-installer-macos-*.pkg
- name: Upload to Release - name: Upload to Release
if: steps.check.outputs.buildamd == 'true' || steps.check.outputs.buildarm == 'true' if: >-
steps.actual_dryrun.outputs.dryrun == 'false' &&
(steps.check.outputs.buildamd == 'true' ||
steps.check.outputs.buildarm == 'true')
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: | run: |
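Review bot: The new "Consolidate dryrun setting" step splices `${{ inputs.dryrun }}` straight into the shell script (both the `if [[ -z "${{ inputs.dryrun }}" ]]` test and the `echo "dryrun=${{ inputs.dryrun }}"` line), and the "Dry Run Status" step does the same with the step output. Since `dryrun` is a `choice` input restricted to "true"/"false" this is not exploitable, but routing the value through `env:` keeps template expansion out of the script body and is the pattern this file should also apply to the free-text `version` input, whose `[[ -z "${{ inputs.version }}" ]]` test is changed in the same hunk. Concretely, add `env:` / `DRYRUN_INPUT: "${{ inputs.dryrun }}"` to the step and change the two lines to `if [[ -z "$DRYRUN_INPUT" ]]` and `echo "dryrun=$DRYRUN_INPUT" >> "$GITHUB_OUTPUT"`. The notice text "will be a dry-run: false" also reads oddly for a real release; `::notice::dry-run=${{ ... }}` or an explicit true/false phrasing would be clearer.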


@ -8,12 +8,38 @@ on:
version: version:
description: 'Release version to build and upload (e.g. "4.2.1")' description: 'Release version to build and upload (e.g. "4.2.1")'
required: true required: true
dryrun:
description: 'Perform all the steps except uploading to the release page'
required: true
default: "true" # 'choice' type requires string value
type: choice
options:
- "true" # Must be quoted string, boolean value not supported.
- "false"
permissions:
contents: write
jobs: jobs:
build: build:
runs-on: windows-latest runs-on: windows-latest
env: env:
FETCH_BASE_URL: ${{ github.server_url }}/${{ github.repository }} FETCH_BASE_URL: ${{ github.server_url }}/${{ github.repository }}
steps: steps:
- name: Consolidate dryrun setting to always be true or false
id: actual_dryrun
run: |
# The 'release' trigger will not have a 'dryrun' input set. Handle
# this case in a readable/maintainable way.
$inputs_dryrun = "${{ inputs.dryrun }}"
if ($inputs_dryrun.Length -lt 1) {
Write-Output "dryrun=false" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
} else {
Write-Output "dryrun=${{ inputs.dryrun }}" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
}
- name: Dry Run Status
run: |
Write-Output "::notice::This workflow execution will be a dry-run: ${{ steps.actual_dryrun.outputs.dryrun }}"
- name: Determine version - name: Determine version
id: getversion id: getversion
run: | run: |
@ -21,12 +47,14 @@ jobs:
if ($version.Length -lt 1) { if ($version.Length -lt 1) {
$version = "${{ github.event.release.tag_name }}" $version = "${{ github.event.release.tag_name }}"
if ($version.Length -lt 1) { if ($version.Length -lt 1) {
Write-Host "Could not determine version!" Write-Host "::error::Could not determine version!"
Exit 1 Exit 1
} }
} }
Write-Output "::set-output name=version::$version" Write-Output "version=$version" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
- uses: actions/checkout@v3 - uses: actions/checkout@v3
with:
ref: ${{steps.getversion.outputs.version}}
- name: Check - name: Check
id: check id: check
run: | run: |
@ -34,20 +62,29 @@ jobs:
.\check.ps1 ${{steps.getversion.outputs.version}} .\check.ps1 ${{steps.getversion.outputs.version}}
$code = $LASTEXITCODE $code = $LASTEXITCODE
if ($code -eq 2) { if ($code -eq 2) {
Write-Output "::set-output name=already-exists::true" Write-Output "already-exists=true" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
Pop-Location Pop-Location
Exit 0 Exit 0
} }
Write-Output "UPLOAD_ASSET_NAME=$env:UPLOAD_ASSET_NAME" | Out-File -FilePath $env:GITHUB_ENV -Append Write-Output "upload_asset_name=$env:UPLOAD_ASSET_NAME" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
Pop-Location Pop-Location
Exit $code Exit $code
# The podman release process requires a cross-compile of the windows binaries be uploaded to
# the release page as a hard-coded filename. If non-existent, this workflow will fail in
# non-obvious ways with a non-obvious error message. Address that here.
- name: Confirm upload_asset_name is non-empty
if: ${{ steps.check.outputs.upload_asset_name == '' }}
run: |
Write-Output "::error::check.ps1 script failed to find manually uploaded podman-remote-release-windows_md64.zip github release asset for version ${{steps.getversion.outputs.version}}."
Exit 1
- name: Set up Go - name: Set up Go
uses: actions/setup-go@v4 uses: actions/setup-go@v4
if: steps.check.outputs.already-exists != 'true' # N/B: already-exists may be an empty-string or "false", handle both cases.
if: steps.check.outputs.already-exists != 'true' || steps.actual_dryrun.outputs.dryrun == 'true'
with: with:
go-version: 1.18 go-version: 1.18
- name: Setup Signature Tooling - name: Setup Signature Tooling
if: steps.Check.outputs.already-exists != 'true' if: steps.Check.outputs.already-exists != 'true' || steps.actual_dryrun.outputs.dryrun == 'true'
run: | run: |
dotnet tool install --global AzureSignTool --version 3.0.0 dotnet tool install --global AzureSignTool --version 3.0.0
echo "CERT_NAME=${{secrets.AZ_CERT_NAME}}" | Out-File -FilePath $env:GITHUB_ENV -Append echo "CERT_NAME=${{secrets.AZ_CERT_NAME}}" | Out-File -FilePath $env:GITHUB_ENV -Append
@ -57,20 +94,29 @@ jobs:
echo "CLIENT_SECRET=${{secrets.AZ_CLIENT_SECRET}}" | Out-File -FilePath $env:GITHUB_ENV -Append echo "CLIENT_SECRET=${{secrets.AZ_CLIENT_SECRET}}" | Out-File -FilePath $env:GITHUB_ENV -Append
- name: Build - name: Build
id: build id: build
if: steps.check.outputs.already-exists != 'true' if: steps.check.outputs.already-exists != 'true' || steps.actual_dryrun.outputs.dryrun == 'true'
run: | run: |
Push-Location contrib\win-installer Push-Location contrib\win-installer
.\build.ps1 ${{steps.getversion.outputs.version}} prod .\build.ps1 ${{steps.getversion.outputs.version}} prod
$code = $LASTEXITCODE $code = $LASTEXITCODE
if ($code -eq 2) { if ($code -eq 2) {
Write-Output "::set-output name=artifact-missing::true" Write-Output "artifact-missing=true" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
Pop-Location Pop-Location
Exit 0 Exit 0
} }
Pop-Location Pop-Location
Exit $code Exit $code
- name: Artifact
if: steps.check.outputs.already-exists != 'true' || steps.actual_dryrun.outputs.dryrun == 'true'
uses: actions/upload-artifact@v3
with:
name: installer
path: ${{ steps.check.outputs.upload_asset_name }}
- name: Upload - name: Upload
if: steps.check.outputs.already-exists != 'true' && steps.build.outputs.artifact-missing != 'true' if: >-
steps.actual_dryrun.outputs.dryrun == 'false' &&
steps.check.outputs.already-exists != 'true' &&
steps.build.outputs.artifact-missing != 'true'
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: | run: |
@ -79,7 +125,7 @@ jobs:
if ($version[0] -ne "v") { if ($version[0] -ne "v") {
$version = "v$version" $version = "v$version"
} }
gh release upload $version $ENV:UPLOAD_ASSET_NAME gh release upload $version ${{ steps.check.outputs.upload_asset_name }}
if ($LASTEXITCODE -ne 0) { if ($LASTEXITCODE -ne 0) {
.\check.ps1 $version .\check.ps1 $version
if ($LASTEXITCODE -eq 2) { if ($LASTEXITCODE -eq 2) {
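Review bot: The new "Confirm upload_asset_name is non-empty" step fails the job whenever `steps.check.outputs.upload_asset_name` is empty, but the `Check` step above it exits 0 without ever writing `upload_asset_name` on the already-exists path (`if ($code -eq 2)`), so re-running a release whose installer was already uploaded now errors out with a misleading message about a missing podman-remote zip instead of skipping cleanly as it did before. Gate the step on both conditions: `if: steps.check.outputs.already-exists != 'true' && steps.check.outputs.upload_asset_name == ''`. The same empty value reaches the new `Artifact` step's `path:` when `already-exists` is true and `dryrun` is true, because that step runs on `dryrun == 'true'` alone; presumably upload-artifact then warns or fails on "no files found", so requiring `upload_asset_name != ''` there too (or failing the job earlier) would make the outcome explicit. The asset name in the error text, `podman-remote-release-windows_md64.zip`, also looks like it is missing the `a` of `amd64`; worth confirming against the name check.ps1 actually searches for.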