CI: Build binaries for tag pushes (GitHub Actions) #782

Merged (1 commit) on Nov 7, 2023

@DeeDeeG DeeDeeG commented Oct 21, 2023

Issue or RFC Endorsed by Pulsar's Maintainers

We discussed it on Discord, starting here: https://discord.com/channels/992103415163396136/992103415163396139/1163359940660953119

Description of the Change

Run the "build Pulsar binaries" workflow for tag pushes too, not just branch pushes and PRs.

Allows us to get signed macOS intel binaries out of the usual version bump + release flow we do for Regular releases.

(Bonus: The "make signed bins on tag pushes" approach will now be more consistent across CI providers. Creating or pushing a tag triggers it across both Cirrus and GitHub Actions with this change. This should make the task of triggering signed binary builds during Regular release more predictable -- just make sure you tag the version during release. Easy enough, I think?)

Alternate Designs

  • We could sign for any workflow triggers that have adequate credentials associated with them, which I believe would be limited to events triggered by accounts with write access to this repo.
    • Last this was discussed on the Discord, the idea was not to sign any PR binaries, nor binaries from one-off manual runs, since they're not final or review-approved, so they shouldn't be considered officially blessed builds that are signed with the overall seal of approval. This way, the only signed binaries are ones from master branch (Rolling releases) and the ones associated with a tag (Regular Releases). Basically, only Release bins are signed.

Possible Drawbacks

None anticipated.

(Might make putting out Regular releases too easy???)

Verification Process

We could push a random tag with this change on it and see if it signs the macOS bins or not? I guess?

This change matches with the docs (https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onpushbranchestagsbranches-ignoretags-ignore, https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet), so as long as this doesn't error as invalid syntax, I think it should "just work"™️?

Release Notes

N/A CI-only change. But "Build signed macOS binaries on tag pushes, not just master branch pushes (GitHub Actions)"

GitHub Actions was set to only build for branch pushes (only master
branch due to the branch filter), PRs, and manual workflow dispatches.

Now, GitHub Actions will also build for tag pushes.

This helps to ensure Regular releases
get signed binaries built for them.

(GitHub Actions is set to only *sign* the binaries for push events.
Tag creations/pushes will generate push events, so tag pushes should
indeed make signed binaries, not unsigned ones.)
@DeeDeeG DeeDeeG force-pushed the CI-build-binaries-for-tag-pushes branch from 619527f to cbb4c11 Compare October 21, 2023 05:39

DeeDeeG commented Nov 7, 2023

To simplify the explanation why this is helpful/needed:

  • We only run the "build binaries" workflow at all for push events to master branch; for PRs; or for manual workflow triggers.
    - We only sign binaries (on macOS) on push events, as of CI: Sign macOS binaries for branch pushes, not PRs #745.
  • This PR expands the types of push events we run the "build binaries" workflow for, to now also include tag pushes.

This PR means a signed binary will be created on tag pushes, ensuring our Regular release (version bump) process always generates a signed build, whereas before it would not, due to our restrictions on signing per #745.

@DeeDeeG DeeDeeG changed the title CI: Build binaries for tag pushes CI: Build binaries for tag pushes (GitHub Actions) Nov 7, 2023
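
The trigger and signing policy described in this thread, sketched as a GitHub Actions workflow. This is an added example, not Pulsar's actual workflow file; the workflow and job names, script path, `--sign` flag and secret name are hypothetical.

```yaml
# Illustrative only: names, paths and secrets below are assumptions,
# not taken from the Pulsar repository.
name: Build binaries (example)

on:
  push:
    # With only a `branches` filter, tag pushes never start the workflow.
    # When both filters are present, a push matching either one triggers a run.
    branches: [master]   # Rolling releases
    tags: ['**']         # Regular releases: any tag push
  pull_request:          # built, but never signed
  workflow_dispatch:     # manual runs: built, but never signed

jobs:
  build-macos:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4

      # PRs and manual runs take this path: no signing secret is exposed
      # to the step, so the resulting binary is unsigned.
      - name: Build (unsigned)
        if: github.event_name != 'push'
        run: ./example/build.sh            # hypothetical script

      # Branch pushes and tag pushes both arrive as `push` events, so this
      # single condition covers master (Rolling) and tags (Regular).
      # Scoping the secret to this step keeps it out of every other step.
      - name: Build and sign
        if: github.event_name == 'push'
        env:
          EXAMPLE_SIGNING_CERT: ${{ secrets.EXAMPLE_SIGNING_CERT }}  # hypothetical secret name
        run: ./example/build.sh --sign     # hypothetical script and flag
```

Because the signing condition keys on the event type alone, the `on.push` filters are the only thing deciding which refs produce signed binaries; any ref added there later is signed automatically.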

DeeDeeG commented Nov 7, 2023

Thanks for the approves, I'm merging this one as well! Glad to have several things merged recently, and we can do some more before (Regular) release time comes around.

@DeeDeeG DeeDeeG merged commit 30dc9d2 into master Nov 7, 2023
99 checks passed
@DeeDeeG DeeDeeG deleted the CI-build-binaries-for-tag-pushes branch November 16, 2023 03:39