---
# CI for the artichoke-nightly signing tooling: exercises the GPG and Apple
# signing paths end to end against a fresh artichoke build, and lints the
# Python and text sources of this repository.
name: CI
"on":
  push:
    branches:
      - trunk
  pull_request:
    branches:
      - trunk
  # Weekly run (Tuesday 00:00 UTC) so the unpinned toolchains and the
  # artichoke default branch are exercised even without commits here.
  schedule:
    - cron: "0 0 * * TUE"
# No GITHUB_TOKEN scopes for any job; a job needing one must request it.
permissions: {}
jobs:
  gpg-sign:
    name: GPG Signing
    runs-on: ubuntu-latest
    steps:
      # Third-party actions are pinned to a full commit SHA (the tag is kept
      # in the trailing comment), so a moved tag cannot change what runs.
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
        with:
          # Do not leave the token in .git/config for later steps.
          persist-credentials: false
      - name: Install the latest version of uv
        uses: astral-sh/setup-uv@4db96194c378173c656ce18a155ffc14a9fc4355  # v5.2.2
        with:
          # NOTE(review): "latest" floats, unlike the SHA-pinned actions; confirm
          # an unpinned uv release is acceptable in a job holding a signing key.
          version: "latest"
      - name: Set up Python
        run: uv python install
      # No `ref` is given, so the default branch of artichoke/artichoke is
      # what gets built below.
      - name: Clone Artichoke
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
        with:
          persist-credentials: false
          repository: artichoke/artichoke
          path: artichoke
      # ```
      # $ gpg --fingerprint --with-subkey-fingerprints codesign@artichokeruby.org
      # pub   ed25519 2021-01-03 [SC]
      #       C983 8F10 4021 F59E E6F6  BCBE B199 D034 7FDA 14A4
      # uid           [ultimate] Code signing for Artichoke Ruby <codesign@artichokeruby.org>
      # sub   cv25519 2021-01-03 [E]
      #       7719 1B6D 83B2 F4E8 5197  125B A9A3 F70E 710A 15AA
      # sub   ed25519 2021-01-03 [S]
      #       1C4A 856A CF86 EC1E E841  180F AF57 A37C AC06 1452
      # ```
      # NOTE(review): repository secrets are not provided to pull_request runs
      # from forks, so this step would fail there; confirm that is acceptable.
      - name: Import GPG key
        id: import_gpg
        uses: crazy-max/ghaction-import-gpg@cb9bde2e2525e640591a934b1fd28eef1dcaf5e5  # v6.2.0
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.GPG_SIGNING_KEY_PASSPHRASE }}
          # The [S] signing subkey from the listing above, not the primary key.
          fingerprint: 1C4A856ACF86EC1EE841180FAF57A37CAC061452
          # Set the GPG key to full trust (value 4) to ensure reliable signing
          # and verification in CI. Full trust balances security and practicality
          # in automated environments, avoiding prompts or failures that can
          # occur with marginal trust, while not compromising security like
          # ultimate trust.
          trust_level: 4
      # Lists the imported secret keys (fingerprints and uids) as a sanity check.
      - name: List keys
        run: gpg -K
      # NOTE(review): the release build (including any cargo build scripts it
      # runs) executes after the private key has been imported above. The
      # Apple job builds before signing; doing the same here would shorten the
      # window in which the key is present alongside the build.
      - name: Build release artifacts
        working-directory: artichoke
        run: cargo build --verbose --release
      - name: GPG sign binary
        shell: bash
        id: gpg_signing
        run: |
          uv run python -m artichoke_nightly.gpg_sign "nightly-gpg-sign-test" --artifact artichoke/target/release/artichoke
      # The signature path enters through `env` rather than being interpolated
      # into the script, so its content cannot alter the command line.
      - name: Verify GPG signature
        run: gpg --batch --verify "$SIGNATURE" artichoke/target/release/artichoke
        env:
          SIGNATURE: ${{ steps.gpg_signing.outputs.signature }}
  apple-codesign:
    name: Apple Codesigning
    runs-on: macos-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
        with:
          persist-credentials: false
      - name: Install the latest version of uv
        uses: astral-sh/setup-uv@4db96194c378173c656ce18a155ffc14a9fc4355  # v5.2.2
        with:
          # NOTE(review): floating uv version, same caveat as in gpg-sign.
          version: "latest"
      - name: Set up Python
        run: uv python install
      # Default branch of artichoke/artichoke (no `ref`), as in gpg-sign.
      - name: Clone Artichoke
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
        with:
          persist-credentials: false
          repository: artichoke/artichoke
          path: artichoke
      # Build completes before any signing secret is exposed to a step.
      - name: Build release artifacts
        working-directory: artichoke
        run: cargo build --verbose --release
      # This will codesign binaries in place which means that the tarballed
      # binaries will be codesigned as well.
      - name: Run Apple Codesigning and Notarization
        shell: bash
        id: apple_codesigning
        # Redundant with `runs-on: macos-latest`; kept as a harmless guard.
        if: runner.os == 'macOS'
        run: |
          uv run python -m artichoke_nightly.macos_sign_and_notarize "nightly-apple-codesign-test" \
            --binary "artichoke/target/release/artichoke" \
            --binary "artichoke/target/release/airb" \
            --resource artichoke/LICENSE \
            --resource artichoke/README.md \
            --dmg-icon-url "https://artichoke.github.io/logo/Artichoke-dmg.icns"
        # Signing material reaches the script only as environment variables.
        env:
          MACOS_NOTARIZE_APP_PASSWORD: ${{ secrets.MACOS_NOTARIZE_APP_PASSWORD }}
          MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
          MACOS_CERTIFICATE_PASSPHRASE: ${{ secrets.MACOS_CERTIFICATE_PASSPHRASE }}
      # `--check-notarization` also requires a notarization ticket, not just a
      # valid signature; `--strict=all` fails on any policy violation.
      - name: Verify code signature
        run: |
          codesign --verify --check-notarization --deep --strict=all artichoke/target/release/artichoke
          codesign --verify --check-notarization --deep --strict=all artichoke/target/release/airb
      # Gatekeeper assessment of the produced asset (presumably the DMG);
      # the path is passed through `env`, not interpolated into the command.
      - name: Verify DMG code signature
        run: spctl -a -t open --context context:primary-signature "$CODESIGNED_ASSET" -v
        env:
          CODESIGNED_ASSET: ${{ steps.apple_codesigning.outputs.asset }}
  python:
    name: Lint and format Python
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
        with:
          persist-credentials: false
      - name: Install the latest version of uv
        uses: astral-sh/setup-uv@4db96194c378173c656ce18a155ffc14a9fc4355  # v5.2.2
        with:
          version: "latest"
      - name: Set up Python
        run: uv python install
      # `--diff` only reports; nothing is rewritten in CI.
      - name: Format with ruff
        run: uv run ruff format --diff .
      # GitHub output format surfaces findings as PR annotations.
      - name: Lint with ruff
        run: uv run ruff check --output-format=github .
      - name: Run pyright
        run: uv run pyright --warnings --stats .
  text:
    name: Lint and format text
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
        with:
          persist-credentials: false
      - name: Install the latest version of uv
        uses: astral-sh/setup-uv@4db96194c378173c656ce18a155ffc14a9fc4355  # v5.2.2
        with:
          version: "latest"
      - name: Set up Python
        run: uv python install
      - name: Setup Node.js runtime
        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a  # v4.2.0
        with:
          node-version: "lts/*"
      # `npm ci` installs exactly what the lockfile records.
      - name: Install toolchain
        run: npm ci
      # Both checks below cover this workflow file too, so its formatting must
      # satisfy prettier and yamllint in strict mode.
      - name: Lint and check formatting with prettier
        run: npx prettier --check '**/*'
      - name: Lint YAML sources with yamllint
        run: uv run yamllint --strict --format github .