This repository has been archived by the owner on Mar 1, 2024. It is now read-only.
release #129
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This action enables building the executables for cli, can be triggered manually or by release creation. | |
| name: release | |
| on: | |
| workflow_dispatch: | |
| push: | |
| tags: | |
| - "*" | |
| # Incremental compilation here isn't helpful | |
| env: | |
| CARGO_INCREMENTAL: 0 | |
| # TODO: get rid of `production_target` variable when we have bigger RAM for aarch64 linux | |
| jobs: | |
| executables: | |
| strategy: | |
| matrix: | |
| build: | |
| - os: ${{ fromJson(github.repository_owner == 'subspace' && '["self-hosted", "ubuntu-20.04-x86-64"]' || '"ubuntu-20.04"') }} | |
| target: x86_64-unknown-linux-gnu | |
| suffix: ubuntu-x86_64-skylake-${{ github.ref_name }} | |
| rustflags: "-C target-cpu=skylake" | |
| - os: ${{ fromJson(github.repository_owner == 'subspace' && '["self-hosted", "ubuntu-20.04-x86-64"]' || '"ubuntu-20.04"') }} | |
| target: x86_64-unknown-linux-gnu | |
| suffix: ubuntu-x86_64-v2-${{ github.ref_name }} | |
| rustflags: "-C target-cpu=x86-64-v2 -C target-feature=+aes" | |
| - os: ${{ fromJson(github.repository_owner == 'subspace' && '["self-hosted", "ubuntu-20.04-x86-64"]' || '"ubuntu-20.04"') }} | |
| target: aarch64-unknown-linux-gnu | |
| suffix: ubuntu-aarch64-${{ github.ref_name }} | |
| # TODO: AES flag is such that we have decent performance on ARMv8, remove once `aes` crate bumps MSRV to | |
| # at least 1.61: https://github.com/RustCrypto/block-ciphers/issues/373 | |
| rustflags: "-C linker=aarch64-linux-gnu-gcc --cfg aes_armv8" | |
| - os: ${{ fromJson(github.repository_owner == 'subspace' && '["self-hosted", "macos-12-arm64"]' || '"macos-12"') }} | |
| target: aarch64-apple-darwin | |
| suffix: macos-aarch64-${{ github.ref_name }} | |
| # TODO: AES flag is such that we have decent performance on ARMv8, remove once `aes` crate bumps MSRV to | |
| # at least 1.61: https://github.com/RustCrypto/block-ciphers/issues/373 | |
| rustflags: "--cfg aes_armv8" | |
| - os: ${{ fromJson(github.repository_owner == 'subspace' && '["self-hosted", "macos-12-arm64"]' || '"macos-12"') }} | |
| target: x86_64-apple-darwin | |
| suffix: macos-x86_64-${{ github.ref_name }} | |
| rustflags: "" | |
| - os: ${{ fromJson(github.repository_owner == 'subspace' && '["self-hosted", "windows-server-2022-x86-64"]' || '"windows-2022"') }} | |
| target: x86_64-pc-windows-msvc | |
| suffix: windows-x86_64-skylake-${{ github.ref_name }} | |
| rustflags: "-C target-cpu=skylake" | |
| - os: ${{ fromJson(github.repository_owner == 'subspace' && '["self-hosted", "windows-server-2022-x86-64"]' || '"windows-2022"') }} | |
| target: x86_64-pc-windows-msvc | |
| suffix: windows-x86_64-v2-${{ github.ref_name }} | |
| rustflags: "-C target-cpu=x86-64-v2 -C target-feature=+aes" | |
| runs-on: ${{ matrix.build.os }} | |
| env: | |
| PRODUCTION_TARGET: target/${{ matrix.build.target }}/production | |
| RUSTFLAGS: ${{ matrix.build.rustflags }} | |
| # TODO: use the commented out one when this issue is resolved: https://github.com/tokio-rs/console/issues/299 | |
| # RUSTFLAGS: ${{ matrix.build.rustflags }} --cfg tokio_unstable | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # @v3.1.0 | |
| # On macOS, we need a proper Clang version, not Apple's custom version without wasm32 support | |
| - name: Install LLVM and Clang | |
| uses: KyleMayes/install-llvm-action@8852e4d5c58653ed05135c0a5d949d9c2febcb00 # v1.6.1 | |
| with: | |
| version: "15.0" | |
| if: runner.os == 'macOS' | |
| - name: Install Protoc | |
| uses: arduino/setup-protoc@9b1ee5b22b0a3f1feb8c2ff99b32c89b3c3191e9 # v2.0.0 | |
| with: | |
| repo-token: ${{ secrets.GITHUB_TOKEN }} | |
| # Needed for hwloc | |
| - name: Install automake (macOS) | |
| run: brew install automake | |
| if: runner.os == 'macOS' | |
| # Workaround to resolve link error with C:\msys64\mingw64\bin\libclang.dll | |
| - name: Remove msys64 | |
| run: Remove-Item -LiteralPath "C:\msys64\" -Force -Recurse | |
| if: runner.os == 'Windows' | |
| continue-on-error: true | |
| - name: Linux AArch64 cross-compile packages | |
| run: | | |
| FLAVOR="$(lsb_release -sc)" | |
| sudo tee /etc/apt/sources.list.d/arm64.list <<LIST | |
| deb [arch=arm64] http://ports.ubuntu.com/ ${FLAVOR} main restricted | |
| deb [arch=arm64] http://ports.ubuntu.com/ ${FLAVOR}-updates main restricted | |
| deb [arch=arm64] http://ports.ubuntu.com/ ${FLAVOR} universe | |
| deb [arch=arm64] http://ports.ubuntu.com/ ${FLAVOR}-updates universe | |
| deb [arch=arm64] http://ports.ubuntu.com/ ${FLAVOR} multiverse | |
| deb [arch=arm64] http://ports.ubuntu.com/ ${FLAVOR}-updates multiverse | |
| deb [arch=arm64] http://ports.ubuntu.com/ ${FLAVOR}-backports main restricted universe multiverse | |
| LIST | |
| sudo sed -i 's/deb http/deb [arch=amd64] http/' /etc/apt/sources.list | |
| # GitHub runners use mirror file | |
| sudo sed -i 's/deb mirror/deb [arch=amd64] mirror/' /etc/apt/sources.list | |
| sudo dpkg --add-architecture arm64 | |
| sudo apt-get update | |
| # zlib1g-dev:arm64 is only necessary because amd64 version is present on the host and cross-compilation of | |
| # hwlocality-sys fails otherwise | |
| sudo apt-get install -y --no-install-recommends \ | |
| g++-aarch64-linux-gnu \ | |
| gcc-aarch64-linux-gnu \ | |
| libc6-dev-arm64-cross \ | |
| zlib1g-dev:arm64 | |
| echo "PKG_CONFIG_ALLOW_CROSS=true" >> $GITHUB_ENV | |
| if: matrix.build.target == 'aarch64-unknown-linux-gnu' | |
| - name: Build the executable (other than aarch64 linux) | |
| uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b # @v1.0.1 | |
| if: matrix.build.target != 'aarch64-unknown-linux-gnu' && runner.os != 'macOS' | |
| with: | |
| command: build | |
| args: --locked -Z build-std --target ${{ matrix.build.target }} --profile production --bin pulsar | |
| # TODO: get rid of this when we have bigger RAM for aarch64 linux | |
| - name: Build the executable for aarch64 linux separately | |
| uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b # @v1.0.1 | |
| if: matrix.build.target == 'aarch64-unknown-linux-gnu' && runner.os == 'Linux' | |
| with: | |
| command: build | |
| args: --locked -Z build-std --target ${{ matrix.build.target }} --profile aarch64linux --bin pulsar | |
| # We build macOS without `numa` feature, primarily because of https://github.com/HadrienG2/hwlocality/issues/31 | |
| - name: Build the executable (macOS) | |
| uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b # @v1.0.1 | |
| with: | |
| command: build | |
| args: --locked -Z build-std --target ${{ matrix.build.target }} --profile production --no-default-features --bin pulsar | |
| if: runner.os == 'macOS' | |
| - name: Sign and Notarize Application (macOS) | |
| run: | | |
| echo "Importing certificate" | |
| echo "${{ secrets.MACOS_CERTIFICATE }}" | base64 --decode > certificate.p12 | |
| security create-keychain -p "${{ secrets.MACOS_CERTIFICATE_PASSWORD }}" build.keychain | |
| security default-keychain -s build.keychain | |
| security unlock-keychain -p "${{ secrets.MACOS_CERTIFICATE_PASSWORD }}" build.keychain | |
| security import certificate.p12 -k build.keychain -P "${{ secrets.MACOS_CERTIFICATE_PASSWORD }}" -T /usr/bin/codesign | |
| security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${{ secrets.MACOS_CERTIFICATE_PASSWORD }}" build.keychain | |
| echo "Signing farmer" | |
| codesign --force --options=runtime --entitlements .github/workflows/Entitlements.plist -s "${{ secrets.MACOS_IDENTITY }}" --timestamp ${{ env.PRODUCTION_TARGET }}/pulsar | |
| echo "Creating an archive" | |
| mkdir ${{ env.PRODUCTION_TARGET }}/macos-binaries | |
| cp ${{ env.PRODUCTION_TARGET }}/pulsar ${{ env.PRODUCTION_TARGET }}/macos-binaries | |
| ditto -c -k --rsrc ${{ env.PRODUCTION_TARGET }}/macos-binaries subspace-binaries.zip | |
| echo "Notarizing" | |
| brew update | |
| brew install mitchellh/gon/gon | |
| cat << EOF > gon.hcl | |
| source = ["subspace-binaries.zip"] | |
| bundle_id = "${{ secrets.MACOS_BUNDLE_ID }}" | |
| sign { | |
| application_identity = "${{ secrets.MACOS_IDENTITY }}" | |
| } | |
| apple_id { | |
| username = "${{ secrets.MACOS_APPLE_ID }}" | |
| password = "${{ secrets.MACOS_APP_PASSWORD }}" | |
| } | |
| EOF | |
| gon -log-level=info -log-json gon.hcl | |
| # Notarize the ZIP using notarytool | |
| xcrun notarytool submit subspace-binaries.zip --apple-id "${{ secrets.MACOS_APPLE_ID }}" --password "${{ secrets.MACOS_APP_PASSWORD }}" --team-id "${{ secrets.MACOS_TEAM_ID }}" --wait | |
| # // todo stapling for macOS artifacts | |
| # Staple the zip package | |
| # xcrun stapler staple subspace-binaries.zip | |
| echo "Done!" | |
| # Allow code signing to fail on non-release builds and in non-subspace repos (forks) | |
| continue-on-error: ${{ github.repository_owner != 'subspace' || github.event_name != 'push' || github.ref_type != 'tag' }} | |
| if: runner.os == 'macOS' | |
| - name: Sign Application (Windows) | |
| run: | | |
| AzureSignTool sign --azure-key-vault-url "${{ secrets.AZURE_KEY_VAULT_URI }}" --azure-key-vault-client-id "${{ secrets.AZURE_CLIENT_ID }}" --azure-key-vault-client-secret "${{ secrets.AZURE_CLIENT_SECRET }}" --azure-key-vault-tenant-id "${{ secrets.AZURE_TENANT_ID }}" --azure-key-vault-certificate "${{ secrets.AZURE_CERT_NAME }}" --file-digest sha512 --timestamp-rfc3161 http://timestamp.digicert.com -v "${{ env.PRODUCTION_TARGET }}/pulsar.exe" | |
| continue-on-error: ${{ github.repository_owner != 'subspace' || github.event_name != 'push' || github.ref_type != 'tag' }} | |
| if: runner.os == 'Windows' | |
| - name: Prepare executables for uploading (Ubuntu) | |
| run: | | |
| mkdir executables | |
| mv ${{ env.PRODUCTION_TARGET }}/pulsar executables/pulsar-${{ matrix.build.suffix }} | |
| if: runner.os == 'Linux' | |
| - name: Prepare executables for uploading (macOS) | |
| run: | | |
| mkdir executables | |
| mv ${{ env.PRODUCTION_TARGET }}/pulsar executables/pulsar-${{ matrix.build.suffix }} | |
| # Zip it so that signature is not lost | |
| ditto -c -k --rsrc executables/pulsar-${{ matrix.build.suffix }} executables/pulsar-${{ matrix.build.suffix }}.zip | |
| rm executables/pulsar-${{ matrix.build.suffix }} | |
| if: runner.os == 'macOS' | |
| - name: Prepare executables for uploading (Windows) | |
| run: | | |
| mkdir executables | |
| mv ${{ env.PRODUCTION_TARGET }}/pulsar.exe executables/pulsar-${{ matrix.build.suffix }}.exe | |
| if: runner.os == 'Windows' | |
| - name: Upload executable to artifacts | |
| uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # @v3.1.1 | |
| with: | |
| name: executables-${{ matrix.build.suffix }} | |
| path: | | |
| executables/* | |
| if-no-files-found: error | |
| - name: Upload executable to assets | |
| uses: alexellis/upload-assets@259de5111cb56966d046ced998941e93f91d2c93 # @0.4.0 | |
| env: | |
| GITHUB_TOKEN: ${{ github.token }} | |
| with: | |
| asset_paths: '["executables/*"]' | |
| if: github.event_name == 'push' && github.ref_type == 'tag' |