280382ad3e
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.13.2 to 2.13.3.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](95d9a5deda...df199fb7be)
---
updated-dependencies:
- dependency-name: step-security/harden-runner
dependency-version: 2.13.3
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
185 lines
7.2 KiB
YAML
185 lines
7.2 KiB
YAML
name: Build Release
|
|
on:
|
|
release:
|
|
types: [created]
|
|
schedule:
|
|
- cron: "0 0 * * 3"
|
|
workflow_dispatch:
|
|
|
|
permissions:
|
|
contents: write
|
|
|
|
jobs:
|
|
upload_src:
|
|
runs-on: ubuntu-latest
|
|
outputs:
|
|
build_tag: ${{ steps.get_tag.outputs.build_tag }}
|
|
steps:
|
|
- name: Harden the runner (Audit all outbound calls)
|
|
uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
|
|
with:
|
|
egress-policy: audit
|
|
|
|
- name: Checkout Source
|
|
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
|
|
with:
|
|
ref: ${{ github.sha }}
|
|
fetch-depth: 2
|
|
fetch-tags: true
|
|
submodules: 'recursive'
|
|
|
|
- name: get tag and create release if weekly
|
|
id: get_tag
|
|
shell: bash -l {0}
|
|
env:
|
|
GH_TOKEN: ${{ github.token }}
|
|
run: |
|
|
if [ "${{ github.event_name }}" = "release" ]; then
|
|
export BUILD_TAG="${{ github.event.release.tag_name }}"
|
|
else
|
|
export BUILD_TAG=weekly-$(date "+%Y.%m.%d")
|
|
gh release create ${BUILD_TAG} --title "Development Build ${BUILD_TAG}" -F .github/workflows/weekly-build-notes.md --prerelease || true
|
|
fi
|
|
echo "BUILD_TAG=${BUILD_TAG}" >> "$GITHUB_ENV"
|
|
echo "build_tag=${BUILD_TAG}" >> "$GITHUB_OUTPUT"
|
|
|
|
- name: Upload Source
|
|
id: upload_source
|
|
shell: bash -l {0}
|
|
env:
|
|
GH_TOKEN: ${{ github.token }}
|
|
run: |
|
|
python3 package/scripts/write_version_info.py ../freecad_version.txt
|
|
git config user.email '41898282+github-actions[bot]@users.noreply.github.com'
|
|
git config user.name 'github-actions[bot]'
|
|
git apply package/disable_git_info.patch
|
|
git commit -a -m "Disable git info write to Version.h"
|
|
git archive HEAD -o freecad_source_${BUILD_TAG}.tar
|
|
git submodule foreach --recursive \
|
|
"git archive HEAD --prefix=\$path/ -o \$sha1.tar && \
|
|
tar -A -f \$toplevel/freecad_source_${BUILD_TAG}.tar \$sha1.tar && \
|
|
rm \$sha1.tar"
|
|
gzip freecad_source_${BUILD_TAG}.tar
|
|
sha256sum freecad_source_${BUILD_TAG}.tar.gz > freecad_source_${BUILD_TAG}.tar.gz-SHA256.txt
|
|
gh release upload --clobber ${BUILD_TAG} "freecad_source_${BUILD_TAG}.tar.gz" "freecad_source_${BUILD_TAG}.tar.gz-SHA256.txt"
|
|
|
|
build:
|
|
needs: upload_src
|
|
strategy:
|
|
matrix:
|
|
include:
|
|
- { target: linux-64, os: ubuntu-22.04 }
|
|
- { target: linux-arm64, os: ubuntu-22.04-arm }
|
|
- { target: osx-64, os: macos-15-intel }
|
|
- { target: osx-arm64, os: macos-latest }
|
|
- { target: win-64, os: windows-latest }
|
|
fail-fast: false
|
|
|
|
runs-on: ${{ matrix.os }}
|
|
environment: weekly-build
|
|
steps:
|
|
- name: Harden the runner (Audit all outbound calls)
|
|
uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
|
|
with:
|
|
egress-policy: audit
|
|
|
|
# prevent running out of disk space on Ubuntu runners.
|
|
- name: Maximize build space
|
|
if: runner.os == 'Linux'
|
|
uses: AdityaGarg8/remove-unwanted-software@90e01b21170618765a73370fcc3abbd1684a7793 # v5
|
|
with:
|
|
verbose: 'true'
|
|
remove-android: 'true' # (frees ~9 GB)
|
|
remove-cached-tools: 'true' # (frees ~8.3 GB)
|
|
|
|
- name: Set Platform Environment Variables
|
|
shell: bash -l {0}
|
|
env:
|
|
OPERATING_SYSTEM: ${{ runner.os }}
|
|
run: |
|
|
if [[ $OPERATING_SYSTEM == 'Windows' ]]; then
|
|
echo 'PIXI_CACHE_DIR=D:\rattler' >> "$GITHUB_ENV"
|
|
echo 'RATTLER_CACHE_DIR=D:\rattler' >> "$GITHUB_ENV"
|
|
fi
|
|
|
|
- name: Checkout Source
|
|
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
|
|
with:
|
|
ref: ${{ github.sha }}
|
|
fetch-depth: 2
|
|
fetch-tags: true
|
|
submodules: 'recursive'
|
|
|
|
- uses: prefix-dev/setup-pixi@82d477f15f3a381dbcc8adc1206ce643fe110fb7 # v0.9.3
|
|
with:
|
|
pixi-version: v0.59.0
|
|
cache: false
|
|
|
|
- name: Install the Apple certificate and provisioning profile
|
|
id: get_cert
|
|
if: runner.os == 'macOS'
|
|
env:
|
|
APP_SPECIFIC_PASSWORD: ${{ secrets.APP_SPECIFIC_PASSWORD }}
|
|
APPLE_ID: ${{ secrets.APPLE_ID }}
|
|
BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
|
|
BUILD_PROVISION_PROFILE_BASE64: ${{ secrets.BUILD_PROVISION_PROFILE_BASE64 }}
|
|
DEVELOPER_TEAM_ID: ${{ secrets.DEVELOPER_TEAM_ID }}
|
|
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
|
|
P12_PASSWORD: ${{ secrets.P12_PASSWORD }}
|
|
run: |
|
|
if [ -z "$BUILD_CERTIFICATE_BASE64" ]; then
|
|
echo "has_cert=false" >> $GITHUB_OUTPUT
|
|
echo "No certificate avalable... skipping" && exit 0
|
|
else
|
|
echo "has_cert=true" >> $GITHUB_OUTPUT
|
|
fi
|
|
# create variables
|
|
CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
|
|
PP_PATH=$RUNNER_TEMP/FreeCAD_bundle.provisionprofile
|
|
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
|
|
|
|
export KEYCHAIN_PASSWORD=$(openssl rand -base64 8)
|
|
|
|
# import certificate and provisioning profile from secrets
|
|
echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o $CERTIFICATE_PATH
|
|
echo -n "$BUILD_PROVISION_PROFILE_BASE64" | base64 --decode -o $PP_PATH
|
|
|
|
# create temporary keychain
|
|
security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
|
|
security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
|
|
security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
|
|
|
|
# import certificate to keychain
|
|
security import $CERTIFICATE_PATH -P "$P12_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
|
|
security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
|
|
security list-keychain -d user -s $KEYCHAIN_PATH
|
|
|
|
# apply provisioning profile
|
|
mkdir -p ~/Library/Provisioning\ Profiles
|
|
cp $PP_PATH ~/Library/Provisioning\ Profiles
|
|
|
|
xcrun notarytool store-credentials "FreeCAD" --keychain "$KEYCHAIN_PATH" --apple-id "${APPLE_ID}" --password "${APP_SPECIFIC_PASSWORD}" --team-id "${DEVELOPER_TEAM_ID}"
|
|
|
|
- name: Build and Release Packages
|
|
shell: bash
|
|
env:
|
|
GH_TOKEN: ${{ github.token }}
|
|
SIGNING_KEY_ID: ${{ secrets.SIGNING_KEY_ID }}
|
|
SIGN_RELEASE: ${{ steps.get_cert.outputs.has_cert }}
|
|
TARGET_PLATFORM: ${{ matrix.target }}
|
|
MAKE_INSTALLER: "true"
|
|
UPLOAD_RELEASE: "true"
|
|
BUILD_TAG: ${{ needs.upload_src.outputs.build_tag }}
|
|
run: |
|
|
python3 package/scripts/write_version_info.py ../freecad_version.txt
|
|
cd package/rattler-build
|
|
pixi install
|
|
pixi run -e package create_bundle
|
|
|
|
## Needed if running on a self-hosted runner:
|
|
# - name: Clean up keychain and provisioning profile
|
|
# if: ${{ always() }}
|
|
# run: |
|
|
# security delete-keychain $RUNNER_TEMP/app-signing.keychain-db
|
|
# rm ~/Library/MobileDevice/Provisioning\ Profiles/build_pp.mobileprovision
|