mirror of
https://github.com/containers/podman.git
synced 2026-07-11 15:55:22 -04:00
Template expansions are not aware of shell script syntax, and therefore can potentially result in code injection vulnerabilities when used in code contexts: https://docs.zizmor.sh/audits/#template-injection To avoid this, instead use environment variables to safely store the values of the template expansions. Also (in the process of doing the above) added double-quotes around a some instances of variable expansions in shell scripts, which is necessary to avoid unintended shell splitting and globbing. (I didn't see any instances where this was actually likely to result in erroneous behavior, but it's good practice and makes shell scripts more robust.) Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
186 lines
7.3 KiB
YAML
186 lines
7.3 KiB
YAML
name: Sign and Upload Mac Installer [DEPRECATED]
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
version:
|
|
description: 'Release version to build and upload (e.g. "v9.8.7")'
|
|
required: true
|
|
dryrun:
|
|
description: 'Perform all the steps except uploading to the release page'
|
|
required: true
|
|
default: "true" # 'choice' type requires string value
|
|
type: choice
|
|
options:
|
|
- "true" # Must be quoted string, boolean value not supported.
|
|
- "false"
|
|
|
|
permissions: {}
|
|
|
|
jobs:
|
|
build:
|
|
runs-on: macos-latest
|
|
permissions:
|
|
contents: write
|
|
env:
|
|
APPLICATION_CERTIFICATE: ${{ secrets.MACOS_APPLICATION_CERT }}
|
|
CODESIGN_IDENTITY: ${{ secrets.MACOS_APPLICATION_IDENTITY }}
|
|
INSTALLER_CERTIFICATE: ${{ secrets.MACOS_INSTALLER_CERT }}
|
|
PRODUCTSIGN_IDENTITY: ${{ secrets.MACOS_INSTALLER_IDENTITY }}
|
|
CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
|
|
|
|
NOTARIZE_TEAM: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }}
|
|
NOTARIZE_USERNAME: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }}
|
|
NOTARIZE_PASSWORD: ${{ secrets.MACOS_NOTARIZATION_PWD }}
|
|
|
|
KEYCHAIN_PWD: ${{ secrets.MACOS_CI_KEYCHAIN_PWD }}
|
|
steps:
|
|
- name: Consolidate dryrun setting to always be true or false
|
|
id: actual_dryrun
|
|
env:
|
|
INPUT_DRYRUN: ${{ inputs.dryrun }}
|
|
run: |
|
|
# The 'release' trigger will not have a 'dryrun' input set. Handle
|
|
# this case in a readable/maintainable way.
|
|
if [[ -z "${INPUT_DRYRUN}" ]]
|
|
then
|
|
echo "dryrun=false" >> $GITHUB_OUTPUT
|
|
else
|
|
echo "dryrun=${INPUT_DRYRUN}" >> $GITHUB_OUTPUT
|
|
fi
|
|
- name: Dry Run Status
|
|
env:
|
|
DRYRUN: ${{ steps.actual_dryrun.outputs.dryrun }}
|
|
run: |
|
|
echo "::notice::This workflow execution will be a dry-run: ${DRYRUN}"
|
|
- name: Determine Version
|
|
id: getversion
|
|
env:
|
|
INPUT_VERSION: ${{ inputs.version }}
|
|
TAG_NAME: ${{ github.event.release.tag_name }}
|
|
run: |
|
|
if [[ -z "${INPUT_VERSION}" ]]
|
|
then
|
|
VERSION=${TAG_NAME}
|
|
else
|
|
VERSION=${INPUT_VERSION}
|
|
fi
|
|
echo
|
|
echo "version=$VERSION" >> $GITHUB_OUTPUT
|
|
- name: Check uploads
|
|
id: check
|
|
env:
|
|
VERSION: ${{ steps.getversion.outputs.version }}
|
|
run: |
|
|
URI="https://github.com/containers/podman/releases/download/${VERSION}"
|
|
ARM_FILE="podman-installer-macos-arm64.pkg"
|
|
AMD_FILE="podman-installer-macos-amd64.pkg"
|
|
UNIVERSAL_FILE="podman-installer-macos-universal.pkg"
|
|
|
|
status=$(curl -s -o /dev/null -w "%{http_code}" "${URI}/${ARM_FILE}")
|
|
if [[ "$status" == "404" ]] ; then
|
|
echo "buildarm=true" >> $GITHUB_OUTPUT
|
|
else
|
|
echo "::warning::ARM installer already exists, skipping"
|
|
echo "buildarm=false" >> $GITHUB_OUTPUT
|
|
fi
|
|
|
|
status=$(curl -s -o /dev/null -w "%{http_code}" "${URI}/${AMD_FILE}")
|
|
if [[ "$status" == "404" ]] ; then
|
|
echo "buildamd=true" >> $GITHUB_OUTPUT
|
|
else
|
|
echo "::warning::AMD installer already exists, skipping"
|
|
echo "buildamd=false" >> $GITHUB_OUTPUT
|
|
fi
|
|
|
|
status=$(curl -s -o /dev/null -w "%{http_code}" "${URI}/${UNIVERSAL_FILE}")
|
|
if [[ "$status" == "404" ]] ; then
|
|
echo "builduniversal=true" >> $GITHUB_OUTPUT
|
|
else
|
|
echo "::warning::Universal installer already exists, skipping"
|
|
echo "builduniversal=false" >> $GITHUB_OUTPUT
|
|
fi
|
|
- name: Checkout Version
|
|
if: >-
|
|
steps.check.outputs.buildamd == 'true' ||
|
|
steps.check.outputs.buildarm == 'true' ||
|
|
steps.check.outputs.builduniversal == 'true' ||
|
|
steps.actual_dryrun.outputs.dryrun == 'true'
|
|
uses: actions/checkout@v6
|
|
with:
|
|
ref: ${{steps.getversion.outputs.version}}
|
|
persist-credentials: false
|
|
- name: Set up Go
|
|
# Conditional duplication sucks - GHA doesn't grok YAML anchors/aliases
|
|
if: >-
|
|
steps.check.outputs.buildamd == 'true' ||
|
|
steps.check.outputs.buildarm == 'true' ||
|
|
steps.check.outputs.builduniversal == 'true' ||
|
|
steps.actual_dryrun.outputs.dryrun == 'true'
|
|
uses: actions/setup-go@v6
|
|
with:
|
|
go-version: stable
|
|
cache: false
|
|
- name: Create Keychain
|
|
if: >-
|
|
steps.check.outputs.buildamd == 'true' ||
|
|
steps.check.outputs.buildarm == 'true' ||
|
|
steps.check.outputs.builduniversal == 'true' ||
|
|
steps.actual_dryrun.outputs.dryrun == 'true'
|
|
run: |
|
|
echo $APPLICATION_CERTIFICATE | base64 --decode -o appcert.p12
|
|
echo $INSTALLER_CERTIFICATE | base64 --decode -o instcert.p12
|
|
|
|
security create-keychain -p "$KEYCHAIN_PWD" build.keychain
|
|
security default-keychain -s build.keychain
|
|
security unlock-keychain -p "$KEYCHAIN_PWD" build.keychain
|
|
security import appcert.p12 -k build.keychain -P "$CERTIFICATE_PWD" -T /usr/bin/codesign
|
|
security import instcert.p12 -k build.keychain -P "$CERTIFICATE_PWD" -T /usr/bin/productsign
|
|
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PWD" build.keychain &> /dev/null
|
|
|
|
xcrun notarytool store-credentials "notarytool-profile" --apple-id "$NOTARIZE_USERNAME" --team-id "$NOTARIZE_TEAM" --password "$NOTARIZE_PASSWORD" &> /dev/null
|
|
- name: Build and Sign ARM
|
|
if: steps.check.outputs.buildarm == 'true' || steps.actual_dryrun.outputs.dryrun == 'true'
|
|
working-directory: contrib/pkginstaller
|
|
run: |
|
|
make ARCH=aarch64 notarize &> /dev/null
|
|
cd out && shasum -a 256 podman-installer-macos-arm64.pkg >> shasums
|
|
- name: Build and Sign AMD
|
|
if: steps.check.outputs.buildamd == 'true' || steps.actual_dryrun.outputs.dryrun == 'true'
|
|
working-directory: contrib/pkginstaller
|
|
run: |
|
|
make ARCH=amd64 notarize &> /dev/null
|
|
cd out && shasum -a 256 podman-installer-macos-amd64.pkg >> shasums
|
|
- name: Build and Sign Universal
|
|
if: steps.check.outputs.builduniversal == 'true' || steps.actual_dryrun.outputs.dryrun == 'true'
|
|
working-directory: contrib/pkginstaller
|
|
run: |
|
|
make ARCH=universal notarize &> /dev/null
|
|
cd out && shasum -a 256 podman-installer-macos-universal.pkg >> shasums
|
|
- name: Artifact
|
|
if: >-
|
|
steps.check.outputs.buildamd == 'true' ||
|
|
steps.check.outputs.buildarm == 'true' ||
|
|
steps.check.outputs.builduniversal == 'true' ||
|
|
steps.actual_dryrun.outputs.dryrun == 'true'
|
|
uses: actions/upload-artifact@v5
|
|
with:
|
|
name: installers
|
|
path: |
|
|
contrib/pkginstaller/out/podman-installer-macos-*.pkg
|
|
contrib/pkginstaller/out/shasums
|
|
- name: Upload to Release
|
|
if: >-
|
|
steps.actual_dryrun.outputs.dryrun == 'false' &&
|
|
(steps.check.outputs.buildamd == 'true' ||
|
|
steps.check.outputs.buildarm == 'true'||
|
|
steps.check.outputs.builduniversal == 'true' )
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
VERSION: ${{ steps.getversion.outputs.version }}
|
|
run: |
|
|
(gh release download "${VERSION}" -p "shasums" || exit 0)
|
|
cat contrib/pkginstaller/out/shasums >> shasums
|
|
gh release upload "${VERSION}" contrib/pkginstaller/out/podman-installer-macos-*.pkg
|
|
gh release upload "${VERSION}" --clobber shasums
|