Skip to content
Release binaries

Release/v0.14.1 (#749) #263

Sign in to view logs

Release/v0.14.1 (#749)

Release/v0.14.1 (#749) #263

Workflow file for this run

.github/workflows/release-binaries.yml at 87289f3
name: Release binaries
on:
push:
# Sequence of patterns matched against refs/tags
tags:
- "v*" # Push events to matching v*, i.e. v1.0, v20.15.10
env:
VITE_SENTRY_DSN: ${{ secrets.SENTRY_DSN }}
WAILS_VERSION: v2.8.0
NODE_VERSION: 18.12.0
GO_VERSION: 1.21.7
jobs:
release-macos:
name: Release ${{ matrix.network }} on MacOS ${{ matrix.arch }}
runs-on: macos-latest
strategy:
matrix:
arch:
- amd64
- arm64
network:
- mainnet
- fairground
include:
- network: mainnet
software-name: Vega Wallet
filename: vega-wallet
- network: fairground
software-name: Fairground Wallet
filename: fairground-wallet
- arch: amd64
user-friendly-arch: intel
- arch: arm64
user-friendly-arch: apple-silicon
steps:
- name: Set up Node ${{ env.NODE_VERSION }}
uses: actions/setup-node@v3
with:
node-version: ${{ env.NODE_VERSION }}
id: npm
- name: Set up Go ${{ env.GO_VERSION }}
uses: actions/setup-go@v4
with:
go-version: ${{ env.GO_VERSION }}
id: go
- name: Get Wails
run: go install github.com/wailsapp/wails/v2/cmd/wails@${{ env.WAILS_VERSION }}
- name: Check out repository
uses: actions/checkout@v3
- name: Prepare "${{ matrix.network }}" bundle
shell: bash
env:
WALLET_OPTIMIZED_FOR: ${{ matrix.network }}
run: ./prepare.sh
- name: Build binary
env:
VITE_FEATURE_MODE: ${{ matrix.network }}
run: wails build -clean -f -platform=darwin/${{ matrix.arch }} -tags ${{ matrix.network }}
- name: Run tests
if: ${{ matrix.arch == 'amd64' }}
run: go test -v ./...
- name: Import DeveloperID Certificate
uses: apple-actions/import-codesign-certs@v1
with:
keychain: vega
create-keychain: true
p12-file-base64: ${{ secrets.MACOS_CERTIFICATE }}
p12-password: ${{ secrets.MACOS_CERTIFICATE_PASS }}
- name: Sign binary
working-directory: build/bin
# --timestamp
# During signing, requests that a timestamp authority server be contacted to authenticate the time of
# signing.
# --deep
# When signing a bundle, specifies that nested code content such as helpers, frameworks, and plug-ins,
# should be recursively signed in turn.
# --options runtime
# On macOS versions >= 10.14.0, opts signed processes into a hardened runtime environment which includes
# runtime code signing enforcement, library validation, hard, kill, and debugging restrictions.
run: codesign --verbose --sign "${{ secrets.MACOS_CERTIFICATE_IDENTITY_ID }}" --timestamp --options runtime --deep --force "${{ matrix.software-name }}.app"
- name: Verify signature
working-directory: build/bin
run: codesign --verbose --verify --strict --deep "${{ matrix.software-name }}.app"
- name: Bundle binary for notarization
working-directory: build/bin
run: /usr/bin/ditto -c -k --keepParent "${{ matrix.software-name }}.app" "${{ matrix.filename }}-desktop-macos-${{ matrix.user-friendly-arch }}.zip"
- name: Store notarization credentials
run: |
xcrun notarytool store-credentials vega \
--apple-id "${{ secrets.MACOS_NOTARIZATION_APPLE_ID }}" \
--team-id "${{ secrets.MACOS_NOTARIZATION_TEAM_ID }}" \
--password "${{ secrets.MACOS_NOTARIZATION_PASS }}"
- name: Notarize app
working-directory: build/bin
run: |
xcrun notarytool submit "${{ matrix.filename }}-desktop-macos-${{ matrix.user-friendly-arch }}.zip" \
--keychain-profile vega \
--output-format json \
--timeout "90m" \
--wait
- name: Staple app
working-directory: build/bin
run: xcrun stapler staple "${{ matrix.software-name }}.app"
- name: Delete old archive
working-directory: build/bin
run: rm -rf ${{ matrix.filename }}-desktop-macos-${{ matrix.user-friendly-arch }}.zip
- name: Bundle binary in archive for distribution
working-directory: build/bin
run: /usr/bin/ditto -c -k --keepParent "${{ matrix.software-name }}.app" "${{ matrix.filename }}-desktop-macos-${{ matrix.user-friendly-arch }}.zip"
- name: Release
uses: softprops/action-gh-release@v1
with:
files: build/bin/*.zip
prerelease: true
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
release-windows:
name: Release ${{ matrix.network }} on Windows ${{ matrix.arch }}
runs-on: windows-2019
strategy:
matrix:
arch:
- amd64
network:
- mainnet
- fairground
include:
- network: mainnet
software-name: Vega Wallet
filename: vega-wallet
- network: fairground
software-name: Fairground Wallet
filename: fairground-wallet
steps:
- name: Set up Node ${{ env.NODE_VERSION }}
uses: actions/setup-node@v3
with:
node-version: ${{ env.NODE_VERSION }}
id: npm
- name: Set up Go ${{ env.GO_VERSION }}
uses: actions/setup-go@v4
with:
go-version: ${{ env.GO_VERSION }}
id: go
- name: Get Wails
run: go install github.com/wailsapp/wails/v2/cmd/wails@${{ env.WAILS_VERSION }}
- name: Check out repository
uses: actions/checkout@v3
- name: Prepare "${{ matrix.network }}" bundle
shell: bash
env:
WALLET_OPTIMIZED_FOR: ${{ matrix.network }}
run: ./prepare.sh
- name: Build binary
env:
VITE_FEATURE_MODE: ${{ matrix.network }}
run: wails build -f -platform=windows/${{ matrix.arch }} -tags ${{ matrix.network }}
- name: Run tests
if: ${{ matrix.arch == 'amd64' }}
run: go test -v ./...
- name: Import signing certificate
run: |
echo "${{ secrets.EV_SIGN_CERT_FULL_CHAIN_PEM }}" > certificate_chain.pem
- name: "Download Java v17"
uses: oracle-actions/setup-java@v1
with:
website: oracle.com
release: 17
- name: Setup python
uses: actions/setup-python@v4
with:
python-version: "3.9"
- id: "auth"
uses: "google-github-actions/auth@v1"
with:
credentials_json: "${{ secrets.GCP_CREDENTIALS }}"
- name: "Set up Cloud SDK"
uses: "google-github-actions/setup-gcloud@v1"
env:
CLOUDSDK_PYTHON: "python3"
- name: "Use gcloud CLI"
run: "gcloud info"
- name: Download signing tool and verify sha265 checksum
shell: bash
run: |
curl -L -o jsign.jar "https://github.com/ebourg/jsign/releases/download/4.2/jsign-4.2.jar"
echo '290377fc4f593256200b3ea4061b7409e8276255f449d4c6de7833faf0850cc1 jsign.jar' | sha256sum -c
# We sign binaries with the EV Certificate. You MUST NOT have a key in a file to sign binary.
# The only options to store keys are:
# - HSM architecture(e.g., AWS or Google)
# - Physical USB stick with hardware stored key
# We are using the first option to be able to sign the binaries within the CI servers without
# physical access to them. However, this signing method requires the signing tool supporting the HSM key.
#
# The high-level signing procedure looks like below:
# 1. Calculate the SHA256 Hash for the app
# 2. Send a request to sign the hash to the Google Cloud
# 3. Google signs our signature with a physically stored key on Google's HSM server and returns the signature over the network
# 4. Add our certificate and the signature received from the Google HSM to the EXE file
# 5. Our signature hash is again signed with the timestamp authority's private key, and the final hash is added to our binary.
# 6. Final executable with all necessary signing information included is produced
- name: Sign binary
shell: bash
run: |
cd build/bin && \
java -jar ../../jsign.jar \
--storetype GOOGLECLOUD \
--storepass "$(gcloud auth print-access-token)" \
--keystore "projects/vegaprotocol/locations/europe-west2/keyRings/windows-sign-apps" \
--alias "digicert-ev-signing-key-ecc-256" \
--certfile "../../certificate_chain.pem" \
--tsmode RFC3161 \
--tsaurl http://timestamp.globalsign.com/tsa/r6advanced1 \
"${{ matrix.software-name }}.exe"
- name: Prepare binaries for release
shell: bash
run: |
mkdir -p build/release-bin;
cd build/bin;
cp "${{ matrix.software-name }}.exe" "../release-bin/${{ matrix.filename }}-desktop-windows-${{ matrix.arch }}.exe"
ls -als ../release-bin/*.exe
- name: Release
uses: softprops/action-gh-release@v1
with:
files: build/release-bin/*.exe
prerelease: true
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
release-linux:
name: Release ${{ matrix.network }} on Linux ${{ matrix.arch }}
runs-on: ubuntu-latest
strategy:
matrix:
arch:
- amd64
network:
- mainnet
- fairground
include:
- network: mainnet
software-name: Vega Wallet
filename: vega-wallet
- network: fairground
software-name: Fairground Wallet
filename: fairground-wallet
steps:
- name: Set up Node ${{ env.NODE_VERSION }}
uses: actions/setup-node@v3
with:
node-version: ${{ env.NODE_VERSION }}
id: npm
- name: Set up Go ${{ env.GO_VERSION }}
uses: actions/setup-go@v4
with:
go-version: ${{ env.GO_VERSION }}
id: go
- name: Check out repository
uses: actions/checkout@v3
- name: Install Wails dependencies
run: |
sudo apt-get update
sudo apt-get install build-essential libgtk-3-dev libwebkit2gtk-4.0-dev
- name: Get Wails
run: go install github.com/wailsapp/wails/v2/cmd/wails@${{ env.WAILS_VERSION }}
- name: Prepare "${{ matrix.network }}" bundle
shell: bash
env:
WALLET_OPTIMIZED_FOR: ${{ matrix.network }}
run: ./prepare.sh
- name: Build binary
env:
VITE_FEATURE_MODE: ${{ matrix.network }}
run: wails build -clean -f -platform=linux/${{ matrix.arch }} -tags ${{ matrix.network }}
- name: Run tests
if: ${{ matrix.arch == 'amd64' }}
run: go test -v ./...
- name: Bundle binary in archive
uses: thedoctor0/zip-release@master
with:
type: zip
directory: build/bin
filename: ${{ matrix.filename }}-desktop-linux-${{ matrix.arch }}.zip
- name: Release
uses: softprops/action-gh-release@v1
with:
files: build/bin/*.zip
prerelease: true
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}