Skip to content
This repository has been archived by the owner on Mar 1, 2024. It is now read-only.

release

release #131

Workflow file for this run

# This action enables building the executables for cli, can be triggered manually or by release creation.
name: release
on:
workflow_dispatch:
push:
tags:
- "*"
# Incremental compilation here isn't helpful
env:
CARGO_INCREMENTAL: 0
# TODO: get rid of `production_target` variable when we have bigger RAM for aarch64 linux
jobs:
executables:
strategy:
matrix:
build:
- os: ${{ fromJson(github.repository_owner == 'subspace' && '["self-hosted", "ubuntu-20.04-x86-64"]' || '"ubuntu-20.04"') }}
target: x86_64-unknown-linux-gnu
production_target: target/x86_64-unknown-linux-gnu/production
suffix: ubuntu-x86_64-skylake-${{ github.ref_name }}
rustflags: "-C target-cpu=skylake"
- os: ${{ fromJson(github.repository_owner == 'subspace' && '["self-hosted", "ubuntu-20.04-x86-64"]' || '"ubuntu-20.04"') }}
target: x86_64-unknown-linux-gnu
production_target: target/x86_64-unknown-linux-gnu/production
suffix: ubuntu-x86_64-v2-${{ github.ref_name }}
rustflags: "-C target-cpu=x86-64-v2 -C target-feature=+aes"
- os: ${{ fromJson(github.repository_owner == 'subspace' && '["self-hosted", "ubuntu-20.04-x86-64"]' || '"ubuntu-20.04"') }}
target: aarch64-unknown-linux-gnu
production_target: target/aarch64-unknown-linux-gnu/aarch64linux
suffix: ubuntu-aarch64-${{ github.ref_name }}
# TODO: AES flag is such that we have decent performance on ARMv8, remove once `aes` crate bumps MSRV to
# at least 1.61: https://github.com/RustCrypto/block-ciphers/issues/373
rustflags: "-C linker=aarch64-linux-gnu-gcc --cfg aes_armv8"
- os: ${{ fromJson(github.repository_owner == 'subspace' && '["self-hosted", "macos-12-arm64"]' || '"macos-12"') }}
target: aarch64-apple-darwin
production_target: target/aarch64-apple-darwin/production
suffix: macos-aarch64-${{ github.ref_name }}
# TODO: AES flag is such that we have decent performance on ARMv8, remove once `aes` crate bumps MSRV to
# at least 1.61: https://github.com/RustCrypto/block-ciphers/issues/373
rustflags: "--cfg aes_armv8"
- os: ${{ fromJson(github.repository_owner == 'subspace' && '["self-hosted", "macos-12-arm64"]' || '"macos-12"') }}
target: x86_64-apple-darwin
production_target: target/x86_64-apple-darwin/production
suffix: macos-x86_64-${{ github.ref_name }}
rustflags: ""
- os: ${{ fromJson(github.repository_owner == 'subspace' && '["self-hosted", "windows-server-2022-x86-64"]' || '"windows-2022"') }}
target: x86_64-pc-windows-msvc
production_target: target/x86_64-pc-windows-msvc/production
suffix: windows-x86_64-skylake-${{ github.ref_name }}
rustflags: "-C target-cpu=skylake"
- os: ${{ fromJson(github.repository_owner == 'subspace' && '["self-hosted", "windows-server-2022-x86-64"]' || '"windows-2022"') }}
target: x86_64-pc-windows-msvc
production_target: target/x86_64-pc-windows-msvc/production
suffix: windows-x86_64-v2-${{ github.ref_name }}
rustflags: "-C target-cpu=x86-64-v2 -C target-feature=+aes"
runs-on: ${{ matrix.build.os }}
env:
RUSTFLAGS: ${{ matrix.build.rustflags }}
# TODO: use the commented out one when this issue is resolved: https://github.com/tokio-rs/console/issues/299
# RUSTFLAGS: ${{ matrix.build.rustflags }} --cfg tokio_unstable
steps:
- name: Checkout
uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # @v3.1.0
# On macOS, we need a proper Clang version, not Apple's custom version without wasm32 support
- name: Install LLVM and Clang
uses: KyleMayes/install-llvm-action@8852e4d5c58653ed05135c0a5d949d9c2febcb00 # v1.6.1
with:
version: "15.0"
if: runner.os == 'macOS'
- name: Install Protoc
uses: arduino/setup-protoc@9b1ee5b22b0a3f1feb8c2ff99b32c89b3c3191e9 # v2.0.0
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
# Needed for hwloc
- name: Install automake (macOS)
run: brew install automake
if: runner.os == 'macOS'
# Workaround to resolve link error with C:\msys64\mingw64\bin\libclang.dll
- name: Remove msys64
run: Remove-Item -LiteralPath "C:\msys64\" -Force -Recurse
if: runner.os == 'Windows'
continue-on-error: true
- name: Linux AArch64 cross-compile packages
run: |
FLAVOR="$(lsb_release -sc)"
sudo tee /etc/apt/sources.list.d/arm64.list <<LIST
deb [arch=arm64] http://ports.ubuntu.com/ ${FLAVOR} main restricted
deb [arch=arm64] http://ports.ubuntu.com/ ${FLAVOR}-updates main restricted
deb [arch=arm64] http://ports.ubuntu.com/ ${FLAVOR} universe
deb [arch=arm64] http://ports.ubuntu.com/ ${FLAVOR}-updates universe
deb [arch=arm64] http://ports.ubuntu.com/ ${FLAVOR} multiverse
deb [arch=arm64] http://ports.ubuntu.com/ ${FLAVOR}-updates multiverse
deb [arch=arm64] http://ports.ubuntu.com/ ${FLAVOR}-backports main restricted universe multiverse
LIST
sudo sed -i 's/deb http/deb [arch=amd64] http/' /etc/apt/sources.list
# GitHub runners use mirror file
sudo sed -i 's/deb mirror/deb [arch=amd64] mirror/' /etc/apt/sources.list
sudo dpkg --add-architecture arm64
sudo apt-get update
# zlib1g-dev:arm64 is only necessary because amd64 version is present on the host and cross-compilation of
# hwlocality-sys fails otherwise
sudo apt-get install -y --no-install-recommends \
g++-aarch64-linux-gnu \
gcc-aarch64-linux-gnu \
libc6-dev-arm64-cross \
zlib1g-dev:arm64
echo "PKG_CONFIG_ALLOW_CROSS=true" >> $GITHUB_ENV
if: matrix.build.target == 'aarch64-unknown-linux-gnu'
- name: Build the executable (other than aarch64 linux)
uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b # @v1.0.1
if: matrix.build.target != 'aarch64-unknown-linux-gnu' && runner.os != 'macOS'
with:
command: build
args: --locked -Z build-std --target ${{ matrix.build.target }} --profile production --bin pulsar
# TODO: get rid of this when we have bigger RAM for aarch64 linux
- name: Build the executable for aarch64 linux separately
uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b # @v1.0.1
if: matrix.build.target == 'aarch64-unknown-linux-gnu' && runner.os == 'Linux'
with:
command: build
args: --locked -Z build-std --target ${{ matrix.build.target }} --profile aarch64linux --bin pulsar
# We build macOS without `numa` feature, primarily because of https://github.com/HadrienG2/hwlocality/issues/31
- name: Build the executable (macOS)
uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b # @v1.0.1
with:
command: build
args: --locked -Z build-std --target ${{ matrix.build.target }} --profile production --no-default-features --bin pulsar
if: runner.os == 'macOS'
- name: Sign and Notarize Application (macOS)
run: |
echo "Importing certificate"
echo "${{ secrets.MACOS_CERTIFICATE }}" | base64 --decode > certificate.p12
security create-keychain -p "${{ secrets.MACOS_CERTIFICATE_PASSWORD }}" build.keychain
security default-keychain -s build.keychain
security unlock-keychain -p "${{ secrets.MACOS_CERTIFICATE_PASSWORD }}" build.keychain
security import certificate.p12 -k build.keychain -P "${{ secrets.MACOS_CERTIFICATE_PASSWORD }}" -T /usr/bin/codesign
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${{ secrets.MACOS_CERTIFICATE_PASSWORD }}" build.keychain
echo "Signing farmer"
codesign --force --options=runtime --entitlements .github/workflows/Entitlements.plist -s "${{ secrets.MACOS_IDENTITY }}" --timestamp ${{ matrix.build.production_target }}/pulsar
echo "Creating an archive"
mkdir ${{ matrix.build.production_target }}/macos-binaries
cp ${{ matrix.build.production_target }}/pulsar ${{ matrix.build.production_target }}/macos-binaries
ditto -c -k --rsrc ${{ matrix.build.production_target }}/macos-binaries subspace-binaries.zip
echo "Notarizing"
brew update
brew install mitchellh/gon/gon
cat << EOF > gon.hcl
source = ["subspace-binaries.zip"]
bundle_id = "${{ secrets.MACOS_BUNDLE_ID }}"
sign {
application_identity = "${{ secrets.MACOS_IDENTITY }}"
}
apple_id {
username = "${{ secrets.MACOS_APPLE_ID }}"
password = "${{ secrets.MACOS_APP_PASSWORD }}"
}
EOF
gon -log-level=info -log-json gon.hcl
# Notarize the ZIP using notarytool
xcrun notarytool submit subspace-binaries.zip --apple-id "${{ secrets.MACOS_APPLE_ID }}" --password "${{ secrets.MACOS_APP_PASSWORD }}" --team-id "${{ secrets.MACOS_TEAM_ID }}" --wait
# // todo stapling for macOS artifacts
# Staple the zip package
# xcrun stapler staple subspace-binaries.zip
echo "Done!"
# Allow code signing to fail on non-release builds and in non-subspace repos (forks)
continue-on-error: ${{ github.repository_owner != 'subspace' || github.event_name != 'push' || github.ref_type != 'tag' }}
if: runner.os == 'macOS'
- name: Sign Application (Windows)
run: |
AzureSignTool sign --azure-key-vault-url "${{ secrets.AZURE_KEY_VAULT_URI }}" --azure-key-vault-client-id "${{ secrets.AZURE_CLIENT_ID }}" --azure-key-vault-client-secret "${{ secrets.AZURE_CLIENT_SECRET }}" --azure-key-vault-tenant-id "${{ secrets.AZURE_TENANT_ID }}" --azure-key-vault-certificate "${{ secrets.AZURE_CERT_NAME }}" --file-digest sha512 --timestamp-rfc3161 http://timestamp.digicert.com -v "${{ matrix.build.production_target }}/pulsar.exe"
continue-on-error: ${{ github.repository_owner != 'subspace' || github.event_name != 'push' || github.ref_type != 'tag' }}
if: runner.os == 'Windows'
- name: Prepare executables for uploading (Ubuntu)
run: |
mkdir executables
mv ${{ matrix.build.production_target }}/pulsar executables/pulsar-${{ matrix.build.suffix }}
if: runner.os == 'Linux'
- name: Prepare executables for uploading (macOS)
run: |
mkdir executables
mv ${{ matrix.build.production_target }}/pulsar executables/pulsar-${{ matrix.build.suffix }}
# Zip it so that signature is not lost
ditto -c -k --rsrc executables/pulsar-${{ matrix.build.suffix }} executables/pulsar-${{ matrix.build.suffix }}.zip
rm executables/pulsar-${{ matrix.build.suffix }}
if: runner.os == 'macOS'
- name: Prepare executables for uploading (Windows)
run: |
mkdir executables
mv ${{ matrix.build.production_target }}/pulsar.exe executables/pulsar-${{ matrix.build.suffix }}.exe
if: runner.os == 'Windows'
- name: Upload executable to artifacts
uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # @v3.1.1
with:
name: executables-${{ matrix.build.suffix }}
path: |
executables/*
if-no-files-found: error
- name: Upload executable to assets
uses: alexellis/upload-assets@259de5111cb56966d046ced998941e93f91d2c93 # @0.4.0
env:
GITHUB_TOKEN: ${{ github.token }}
with:
asset_paths: '["executables/*"]'
if: github.event_name == 'push' && github.ref_type == 'tag'