diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
new file mode 100644
index 0000000..fdce68b
--- /dev/null
+++ b/.github/workflows/main.yml
@@ -0,0 +1,126 @@
+name: Build Tools
+
+on:
+ push:
+ branches:
+ - main
+ - oz/ci
+ tags: ['*']
+ workflow_dispatch:
+
+jobs:
+ build-mac-arm:
+ runs-on: macos-latest
+ env:
+ TAG: ${{ github.ref_name }}
+ steps:
+ - uses: actions/checkout@v4
+ - name: Install dependencies
+ run: |
+ brew install just ninja
+ rustup install 1.75
+ rustup toolchain install 1.75
+ rustup default 1.75-aarch64-apple-darwin
+ - name: Clone
+ run: just clone
+ - name: Prepare
+ run: just prepare
+ - name: Build rust, cargo and newlib
+ run: just build-all
+ - name: Package
+ env:
+ APPLE_CODESIGN_IDENTITY: ${{ secrets.APPLE_CODESIGN_IDENTITY }}
+ APPLE_CRED: ${{ secrets.APPLE_CRED }}
+ APPLE_P12_BASE64: ${{ secrets.APPLE_P12_BASE64 }}
+ APPLE_P12_PASSWORD: ${{ secrets.APPLE_P12_PASSWORD }}
+ APPLE_TEAMID: ${{ secrets.APPLE_TEAMID }}
+ APPLE_TEMPKEYCHAIN_PASSWORD: ${{ secrets.APPLE_TEMPKEYCHAIN_PASSWORD }}
+ run: just package
+ - uses: actions/upload-artifact@v4
+ with:
+ name: platform-tools-osx-aarch64.tar.bz2
+ path: out/platform-tools-osx-aarch64.tar.bz2
+
+ build-mac-intel:
+ runs-on: macos-13
+ env:
+ TAG: ${{ github.ref_name }}
+ steps:
+ - uses: actions/checkout@v4
+ - name: Install dependencies
+ run: |
+ brew install just ninja
+ rustup install 1.75
+ rustup toolchain install 1.75
+ rustup default 1.75-x86_64-apple-darwin
+ - name: Clone
+ run: just clone
+ - name: Prepare
+ run: just prepare
+ - name: Build rust, cargo and newlib
+ run: just build-all
+ - name: Package
+ env:
+ APPLE_CODESIGN_IDENTITY: ${{ secrets.APPLE_CODESIGN_IDENTITY }}
+ APPLE_CRED: ${{ secrets.APPLE_CRED }}
+ APPLE_P12_BASE64: ${{ secrets.APPLE_P12_BASE64 }}
+ APPLE_P12_PASSWORD: ${{ secrets.APPLE_P12_PASSWORD }}
+ APPLE_TEAMID: ${{ secrets.APPLE_TEAMID }}
+ APPLE_TEMPKEYCHAIN_PASSWORD: ${{ secrets.APPLE_TEMPKEYCHAIN_PASSWORD }}
+ run: just package
+ - uses: actions/upload-artifact@v4
+ with:
+ name: platform-tools-osx-x86_64.tar.bz2
+ path: out/platform-tools-osx-x86_64.tar.bz2
+
+ build-linux:
+ runs-on: ubuntu-latest
+ env:
+ TAG: ${{ github.ref_name }}
+ steps:
+ - uses: actions/checkout@v4
+ - name: Install just
+ uses: taiki-e/install-action@just
+ - name: Install dependencies
+ run: |
+ sudo apt update; sudo apt install ninja-build
+ rustup install 1.75
+ rustup toolchain install 1.75
+ rustup default 1.75-x86_64-unknown-linux-gnu
+ - name: Clone
+ run: just clone
+ - name: Prepare
+ run: just prepare
+ - name: Build rust, cargo and newlib
+ run: just build-all
+ - name: Package
+ run: just package
+ - uses: actions/upload-artifact@v4
+ with:
+ name: platform-tools-linux-x86_64.tar.bz2
+ path: out/platform-tools-linux-x86_64.tar.bz2
+
+ release:
+ runs-on: ubuntu-latest
+ needs: [build-linux, build-mac-arm, build-mac-intel]
+ if: startsWith(github.event.ref, 'refs/tags/') # only on new tag creation
+ env:
+ TAG: ${{ github.ref_name }}
+ steps:
+ - uses: actions/checkout@v4
+ - name: Download artifact
+ uses: actions/download-artifact@v4
+ - name: Create a release
+ env:
+ GH_TOKEN: ${{ github.token }}
+ run: |
+ release_exist=$(gh release view $TAG 2>&1 || exit 0)
+ if [ "$release_exist" = "release not found" ]; then
+ gh release create $TAG platform-tools-osx-aarch64.tar.bz2/platform-tools-osx-aarch64.tar.bz2 --title "Release $TAG" --generate-notes --latest
+ gh release upload $TAG platform-tools-osx-x86_64.tar.bz2/platform-tools-osx-x86_64.tar.bz2
+ gh release upload $TAG platform-tools-linux-x86_64.tar.bz2/platform-tools-linux-x86_64.tar.bz2
+ else
+ gh release upload $TAG platform-tools-osx-aarch64.tar.bz2/platform-tools-osx-aarch64.tar.bz2
+ gh release upload $TAG platform-tools-osx-x86_64.tar.bz2/platform-tools-osx-x86_64.tar.bz2
+ gh release upload $TAG platform-tools-linux-x86_64.tar.bz2/platform-tools-linux-x86_64.tar.bz2
+ fi
diff --git a/justfile b/justfile
index 9fd600c..2093e84 100644
--- a/justfile
+++ b/justfile
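Review bot: The `release` job creates and uploads releases with `github.token`, yet the workflow declares no `permissions:` block, so every job — including the three build jobs that only need to read the repository — runs with the default token scope; add `permissions: contents: write` on `release` and `permissions: contents: read` at the workflow level. The same scoping applies to the `APPLE_*` secrets on the two macOS Package steps: they are handed to `just package` although the signing block in scripts/package.sh in this same commit is commented out, so they can be dropped until signing is enabled, and `taiki-e/install-action@just` is a mutable ref that should be pinned to a commit SHA. In the release shell, `release_exist=$(gh release view $TAG 2>&1 || exit 0)` compares gh's stderr text to the literal "release not found", so any other failure (network, auth) silently takes the upload branch; `if gh release view "$TAG" >/dev/null 2>&1; then … upload … else … create … fi` tests the exit status instead and quotes `$TAG`. Because `tags: ['*']` fires on every tag and `gh release create … --latest` marks each new release as latest, pre-release or test tags will also become the latest release. Finally, `rustup install 1.75` and `rustup toolchain install 1.75` are the same command, repeated in all three jobs next to the `+1.75` pin added in the justfile hunk below — a `rust-toolchain.toml` would hold that pin once.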
@@ -30,11 +30,11 @@ build-cargo: # AG: this fails for me with macport and libiconv # AG: I have to disable libiconv, run this manually # AG: and then re-enable it - cd {{ out_dir }}/cargo && env OPENSSL_STATIC=1 cargo build --release + cd {{ out_dir }}/cargo && env OPENSSL_STATIC=1 cargo +1.75 build --release [linux] build-cargo: - cd {{ out_dir }}/cargo && env OPENSSL_STATIC=1 OPENSSL_LIB_DIR=/usr/lib/x86_64-linux-gnu OPENSSL_INCLUDE_DIR=/usr/include/openssl cargo build --release + cd {{ out_dir }}/cargo && env OPENSSL_STATIC=1 OPENSSL_LIB_DIR=/usr/lib/x86_64-linux-gnu OPENSSL_INCLUDE_DIR=/usr/include/openssl cargo +1.75 build --release [linux,macos] diff --git a/scripts/package.sh b/scripts/package.sh index 65551d3..abf71e3 100755 --- a/scripts/package.sh +++ b/scripts/package.sh @@ -82,6 +82,26 @@ if [[ "${HOST_TRIPLE}" != "x86_64-pc-windows-msvc" ]] ; then #cp -R rust/build/${HOST_TRIPLE}/llvm/lib/python* deploy/llvm/lib/ fi +# Sign macOS binaries - Disabled +# if [[ $HOST_TRIPLE == *apple-darwin* ]] && [[ ! -z "$APPLE_CODESIGN_IDENTITY" ]]; then +# LLVM_BIN="./deploy/llvm/bin" +# RUST_BIN="./deploy/rust/bin" +# RUST_LIB="./deploy/rust/lib" +# RUST_LIB_BIN="$RUST_LIB/rustlib/aarch64-apple-darwin/bin" + +# ../scripts/sign.sh \ +# "$LLVM_BIN/llvm-objdump" \ +# "$LLVM_BIN/llvm-ar" \ +# "$LLVM_BIN/llvm-readobj" \ +# "$LLVM_BIN/llvm-objcopy" \ +# "$RUST_BIN/rustdoc" \ +# "$RUST_BIN/cargo" \ +# "$RUST_LIB/librustc_driver-b4e91886a4c059a0.dylib" \ +# "$RUST_LIB/libstd-6eff127b55c063c2.dylib" \ +# "$RUST_LIB_BIN/rust-lld" +# # "$RUST_BIN/rustc" # Not signing 'rustc' duo to failing cargo build +# fi + # Check the Rust binaries while IFS= read -r f do diff --git a/scripts/sign.sh b/scripts/sign.sh new file mode 100755 index 0000000..9f96c1d --- /dev/null +++ b/scripts/sign.sh 
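Review bot: The disabled signing block hard-codes hash-suffixed library names, `"$RUST_LIB/librustc_driver-b4e91886a4c059a0.dylib"` and `"$RUST_LIB/libstd-6eff127b55c063c2.dylib"`, which change with every rustc build, so the block will not work as written when it is re-enabled; resolving them with a glob such as `"$RUST_LIB"/librustc_driver-*.dylib` avoids that. `RUST_LIB_BIN` likewise hard-codes `aarch64-apple-darwin` although the guard accepts any `*apple-darwin*` host, so on the x86_64 build the `rust-lld` path would not exist; `"$RUST_LIB/rustlib/$HOST_TRIPLE/bin"` follows the variable the guard already uses. `../scripts/sign.sh` is resolved against the caller's working directory rather than the script's own location. Since this is dead code, a comment stating why signing is off and what must change to re-enable it (the cargo build failure noted for rustc, the hashed names) would help more than the bare "Disabled", and "duo to" in the rustc comment should read "due to". The surrounding script continues outside the hunk.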
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+set -ex
+
+FILES_TO_SIGN=$@
+
+for FILE_PATH in $FILES_TO_SIGN; do
+ FILE_NAME=$(basename $FILE_PATH)
+ APPLE_TEMPKEYCHAIN_NAME=$(echo $FILE_NAME | tr -cd 'a-zA-Z')$(($RANDOM)) # use a random name
+
+ echo "File path: $FILE_PATH"
+ echo "File name: $FILE_NAME"
+ echo "Apple temp keychain name: $APPLE_TEMPKEYCHAIN_NAME"
+
+ # create keychain
+ printf "$APPLE_P12_BASE64" | base64 -d > dev.p12
+ security create-keychain -p "$APPLE_TEMPKEYCHAIN_PASSWORD" "$APPLE_TEMPKEYCHAIN_NAME"
+ security list-keychains -d user -s "$APPLE_TEMPKEYCHAIN_NAME" $(security list-keychains -d user | tr -d '"')
+ security set-keychain-settings "$APPLE_TEMPKEYCHAIN_NAME"
+ security import dev.p12 -k "$APPLE_TEMPKEYCHAIN_NAME" -P "$APPLE_P12_PASSWORD" -T "/usr/bin/codesign"
+ security set-key-partition-list -S apple-tool:,apple: -s -k "$APPLE_TEMPKEYCHAIN_PASSWORD" -D "$APPLE_CODESIGN_IDENTITY" -t private "$APPLE_TEMPKEYCHAIN_NAME"
+ security default-keychain -d user -s "$APPLE_TEMPKEYCHAIN_NAME"
+ security unlock-keychain -p "$APPLE_TEMPKEYCHAIN_PASSWORD" "$APPLE_TEMPKEYCHAIN_NAME"
+
+ # sign the binary
+ codesign -o runtime --force --timestamp -s "$APPLE_CODESIGN_IDENTITY" -v $FILE_PATH
+
+ # notarize binary
+ ditto -c -k $FILE_PATH $FILE_NAME.zip # notarization require zip files
+ xcrun notarytool store-credentials --apple-id shelly@certora.com --password "$APPLE_CRED" --team-id "$APPLE_TEAMID" altool
+ xcrun notarytool submit $FILE_NAME.zip --keychain-profile altool --wait
+done
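Review bot: `set -ex` on the second line traces every command, so the `security create-keychain -p`, `security import -P`, `set-key-partition-list -k` and `notarytool --password` lines print the keychain and P12 passwords and `$APPLE_CRED` into the job log; GitHub's masking only hides exact matches of registered secret values, so drop `-x` (or wrap the secret-handling lines in `set +x`/`set -x`) and keep `-e`. The keychain and `dev.p12` are created inside the `for` loop, once per binary, and neither is ever removed — and because the `security list-keychains -s` line re-adds the current search list, each iteration leaves one more temp keychain in it — so set the keychain up once before the loop and delete `dev.p12` and the keychain from an `EXIT` trap. `FILES_TO_SIGN=$@` and the unquoted `$FILE_PATH`/`$FILE_NAME` on the `codesign`, `ditto` and `submit` lines word-split on paths containing spaces; iterating over `"$@"` and quoting the expansions fixes that, and `printf '%s' "$APPLE_P12_BASE64"` avoids treating the secret as a format string. The Apple ID on the `store-credentials` line is hard-coded and the call is repeated per file; it belongs in a variable or secret and outside the loop.
```shell
set -eu  # no -x: tracing would print the keychain/P12 passwords and APPLE_CRED into the log

APPLE_TEMPKEYCHAIN_NAME="signing$RANDOM"
cleanup() {
  rm -f dev.p12
  security delete-keychain "$APPLE_TEMPKEYCHAIN_NAME" 2>/dev/null || true
}
trap cleanup EXIT

# create the keychain once for all files
printf '%s' "$APPLE_P12_BASE64" | base64 -d > dev.p12
security create-keychain -p "$APPLE_TEMPKEYCHAIN_PASSWORD" "$APPLE_TEMPKEYCHAIN_NAME"
# … unchanged: list-keychains, set-keychain-settings, import, set-key-partition-list, default-keychain, unlock-keychain …
rm -f dev.p12

for FILE_PATH in "$@"; do
  FILE_NAME=$(basename "$FILE_PATH")
  codesign -o runtime --force --timestamp -s "$APPLE_CODESIGN_IDENTITY" -v "$FILE_PATH"
  ditto -c -k "$FILE_PATH" "$FILE_NAME.zip"
  # … unchanged: notarytool store-credentials / submit …
done
```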