Skip to content

ci: Update glue to use JWT auth #1124

ci: Update glue to use JWT auth

ci: Update glue to use JWT auth #1124

Workflow file for this run

name: Build Binaries
on:
push:
tags:
- '**'
pull_request:
branches:
- '**'
concurrency:
group: ${{ github.ref }}-${{ github.workflow }}-${{ github.event_name }}
cancel-in-progress: true
permissions:
id-token: write
contents: write
jobs:
build:
name: Build Binaries
runs-on: ${{ matrix.runs-on }}
strategy:
matrix:
include:
- runs-on: ubuntu-latest
artifact-name: cadt-linux-x64
build-command: npm run create-linux-x64-dist
sqlite-path: ./node_modules/sqlite3/lib/binding/napi-v6-linux-glibc-x64/
- runs-on: macos-latest
artifact-name: cadt-macos-x64
build-command: npm run create-mac-x64-dist
sqlite-path: ./node_modules/sqlite3/lib/binding/napi-v6-darwin-unknown-x64/
- runs-on: windows-2019
artifact-name: cadt-windows-x64
build-command: npm run create-win-x64-dist
sqlite-path: .\node_modules\sqlite3\lib\binding\napi-v6-win32-unknown-x64\
steps:
- name: Clean workspace
uses: Chia-Network/actions/clean-workspace@main
- name: Checkout Code
uses: actions/checkout@v3
- name: Setup Node 18.x
uses: actions/setup-node@v3
with:
node-version: '18.16'
- name: Install Husky
run: npm install --save-dev husky
- name: Ignore Husky where not compatible
run: npm pkg delete scripts.prepare
if: matrix.runs-on != 'windows-2019'
- name: npm install
run: |
node --version
npm install
- name: npm cache clear --force
run: npm cache clear --force
- name: npm cache rm
run: npm cache rm --force
- name: npm cache verify
run: npm cache verify
- name: install global packages
run: npm i -g @babel/cli @babel/preset-env pkg
- name: create distributions
run: ${{ matrix.build-command }}
- name: Make binary executable
run: |
chmod +x dist/cadt
- name: Copy sqlite3
run: cp ${{ matrix.sqlite-path }}node_sqlite3.node ./dist/
# Windows Code Signing
- name: Sign windows artifacts
if: matrix.runs-on == 'windows-2019'
uses: chia-network/actions/digicert/windows-sign@main
with:
sm_api_key: ${{ secrets.SM_API_KEY }}
sm_client_cert_file_b64: ${{ secrets.SM_CLIENT_CERT_FILE_B64 }}
sm_client_cert_password: ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
sm_code_signing_cert_sha1_hash: ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }}
file: ${{ github.workspace }}/dist/cadt.exe
# Mac .pkg build + sign
- name: Import Apple installer signing certificate
if: matrix.runs-on == 'macos-latest'
uses: Apple-Actions/import-codesign-certs@v1
with:
keychain-password: ${{ secrets.KEYCHAIN_PASSWORD }}
p12-file-base64: ${{ secrets.APPLE_DEV_ID_INSTALLER }}
p12-password: ${{ secrets.APPLE_DEV_ID_INSTALLER_PASS }}
- name: Import Apple Application signing certificate
if: matrix.runs-on == 'macos-latest'
uses: Apple-Actions/import-codesign-certs@v1
with:
create-keychain: false # Created when importing the first cert
keychain-password: ${{ secrets.KEYCHAIN_PASSWORD }}
p12-file-base64: ${{ secrets.APPLE_DEV_ID_APP }}
p12-password: ${{ secrets.APPLE_DEV_ID_APP_PASS }}
- name: Build Mac .pkg
if: matrix.runs-on == 'macos-latest'
run: |
rm -rf ${{ github.workspace }}/build-scripts/macos/darwin/application || true
cp -r ${{ github.workspace }}/dist ${{ github.workspace }}/build-scripts/macos/application
echo "Signing the binaries"
codesign -f -s "Developer ID Application: Chia Network Inc." --timestamp --options=runtime --entitlements ${{ github.workspace }}/build-scripts/macos/entitlements.mac.plist ${{ github.workspace }}/build-scripts/macos/application/cadt
codesign -f -s "Developer ID Application: Chia Network Inc." --timestamp ${{ github.workspace }}/build-scripts/macos/application/node_sqlite3.node
# Makes the .pkg in ./build-scripts/macos/target/pkg
echo "Building the .pkg"
bash ${{ github.workspace }}/build-scripts/macos/build-macos.sh CADT
mkdir -p ${{ github.workspace }}/build-scripts/macos/target/pkg-signed
echo "Signing the .pkg"
productsign --sign "Developer ID Installer: Chia Network Inc." ${{ github.workspace }}/build-scripts/macos/target/pkg/CADT-macos-installer-x64.pkg ${{ github.workspace }}/build-scripts/macos/target/pkg-signed/CADT-macos-installer-x64.pkg
echo "Notarizing the .pkg"
npm install -g notarize-cli
notarize-cli \
--file=${{ github.workspace }}/build-scripts/macos/target/pkg-signed/CADT-macos-installer-x64.pkg \
--bundle-id net.chia.cadt \
--username "${{ secrets.APPLE_NOTARIZE_USERNAME }}" \
--password "${{ secrets.APPLE_NOTARIZE_PASSWORD }}"
- name: Upload Mac Installer
if: matrix.runs-on == 'macos-latest'
uses: actions/upload-artifact@v3
with:
name: cadt-mac-installer
path: ${{ github.workspace }}/build-scripts/macos/target/pkg-signed
- name: Upload artifacts
uses: actions/upload-artifact@v3
with:
name: ${{ matrix.artifact-name }}
path: ${{ github.workspace }}/dist
build-linux-arm64:
name: Build Linux ARM64 Binaries
runs-on: ubuntu-latest
steps:
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
with:
platforms: arm64
- uses: Chia-Network/actions/clean-workspace@main
- name: Checkout Code
uses: actions/checkout@v3
- name: Determine npm cache key
id: npm-cache
run: |
CACHE_KEY=node-linux-arm64-$(shasum package.json | awk '{ print $1 }')-$(shasum package-lock.json | awk '{ print $1 }')
echo "CACHE_KEY=$CACHE_KEY" >> $GITHUB_OUTPUT
- name: Setup NPM Cache
uses: actions/cache@v3
with:
path: node_modules
key: ${{ steps.npm-cache.outputs.CACHE_KEY }}
- name: Build arm 64 dist
run: |
mkdir pkgcache
docker run --rm --platform linux/arm64 -v $(pwd):/app -w /app -e PKG_CACHE_PATH=pkgcache node:18.16 /bin/bash -c "npm pkg delete scripts.prepare && npm install && npm i -g @babel/cli @babel/preset-env pkg && npm run create-linux-arm64-dist"
- name: Copy sqlite3
run: |
ls ./node_modules/sqlite3/lib/binding/
sudo cp ./node_modules/sqlite3/lib/binding/napi-v6-linux-glibc-arm64/node_sqlite3.node ./dist/
- name: Upload artifacts
uses: actions/upload-artifact@v3
with:
name: cadt-linux-arm64
path: ${{ github.workspace }}/dist
debs:
name: Build ${{ matrix.name }} deb
runs-on: ubuntu-latest
needs:
- build
- build-linux-arm64
strategy:
matrix:
include:
- name: cadt-linux-x64
platform: amd64
- name: cadt-linux-arm64
platform: arm64
steps:
- name: Checkout Code
uses: actions/checkout@v3
- name: Download Linux artifacts
uses: actions/download-artifact@v3
with:
name: ${{ matrix.name }}
path: ${{ matrix.name }}
- name: Get tag name
id: tag-name
run: |
echo "TAGNAME=$(echo $GITHUB_REF | cut -d / -f 3)" >> $GITHUB_OUTPUT
- name: Build .deb
env:
CADT_VERSION: ${{ steps.tag-name.outputs.TAGNAME }}
PLATFORM: ${{ matrix.platform }}
run: |
pip install j2cli
CLI_DEB_BASE="cadt_${{ steps.tag-name.outputs.TAGNAME }}-1_${PLATFORM}"
mkdir -p "deb/$CLI_DEB_BASE/opt/cadt"
mkdir -p "deb/$CLI_DEB_BASE/usr/bin"
mkdir -p "deb/$CLI_DEB_BASE/etc/systemd/system"
mkdir -p "deb/$CLI_DEB_BASE/DEBIAN"
j2 -o "deb/$CLI_DEB_BASE/DEBIAN/control" build-scripts/deb/control.j2
cp -r ${{ matrix.name }}/* "deb/$CLI_DEB_BASE/opt/cadt/"
cp build-scripts/deb/cadt@.service deb/$CLI_DEB_BASE/etc/systemd/system/cadt@.service
chmod +x deb/$CLI_DEB_BASE/opt/cadt/cadt
ln -s ../../opt/cadt/cadt "deb/$CLI_DEB_BASE/usr/bin/cadt"
dpkg-deb --build --root-owner-group "deb/$CLI_DEB_BASE"
- name: Upload deb
uses: actions/upload-artifact@v3
with:
name: ${{ matrix.name }}-deb
path: ${{ github.workspace }}/deb/*.deb
release:
runs-on: ubuntu-latest
if: startsWith(github.ref, 'refs/tags/')
needs:
- debs
steps:
- name: Download Windows artifacts
uses: actions/download-artifact@v3
with:
name: cadt-windows-x64
path: cadt-windows-x64
- name: Download MacOS artifacts
uses: actions/download-artifact@v3
with:
name: cadt-mac-installer
path: cadt-mac-installer
- name: Download Linux artifacts
uses: actions/download-artifact@v3
with:
name: cadt-linux-x64
path: cadt-linux-x64
- name: Download Linux x64 deb
uses: actions/download-artifact@v3
with:
name: cadt-linux-x64-deb
path: cadt-linux-x64-deb
- name: Download Linux arm64 deb
uses: actions/download-artifact@v3
with:
name: cadt-linux-arm64-deb
path: cadt-linux-arm64-deb
- name: Get tag name
id: tag-name
run: |
echo "TAGNAME=$(echo $GITHUB_REF | cut -d / -f 3)" >>$GITHUB_OUTPUT
- name: Create zips
run: |
zip -r cadt-windows-x64-${{ steps.tag-name.outputs.TAGNAME }}.zip cadt-windows-x64
zip -r cadt-macos-x64-${{ steps.tag-name.outputs.TAGNAME }}.zip cadt-mac-installer
zip -r cadt-linux-x64-${{ steps.tag-name.outputs.TAGNAME }}.zip cadt-linux-x64
- name: Release
uses: softprops/action-gh-release@v0.1.15
with:
files: |
cadt-windows-x64-${{ steps.tag-name.outputs.TAGNAME }}.zip
cadt-macos-x64-${{ steps.tag-name.outputs.TAGNAME }}.zip
cadt-linux-x64-${{ steps.tag-name.outputs.TAGNAME }}.zip
cadt-linux-x64-deb/*.deb
cadt-linux-arm64-deb/*.deb
- uses: Chia-Network/actions/github/jwt@main
- name: Trigger apt repo update
run: |
curl -s -XPOST -H "Authorization: Bearer ${{ env.JWT_TOKEN }}" --data '{"cadt_repo":"cadt","release_version":"${{ steps.tag-name.outputs.TAGNAME }}"}' ${{ secrets.GLUE_API_URL }}/api/v1/cadt/${{ github.sha }}/start
curl -s -XPOST -H "Authorization: Bearer ${{ env.JWT_TOKEN }}" --data '{"cadt_repo":"cadt","release_version":"${{ steps.tag-name.outputs.TAGNAME }}"}' ${{ secrets.GLUE_API_URL }}/api/v1/cadt/${{ github.sha }}/success/deploy