mirror of
https://github.com/containers/podman.git
synced 2026-07-09 06:44:58 -04:00
Template expansions are not aware of shell script syntax, and therefore
can potentially result in code injection vulnerabilities when used in
code contexts: https://docs.zizmor.sh/audits/#template-injection
To avoid this, instead use environment variables to safely store the
values of the template expansions.
Also (in the process of doing the above) added double-quotes around a
some instances of variable expansions in shell scripts, which is
necessary to avoid unintended shell splitting and globbing. (I didn't
see any instances where this was actually likely to result in erroneous
behavior, but it's good practice and makes shell scripts more robust.)
Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
(cherry picked from commit 67c050bb8e)
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
183 lines
7.3 KiB
YAML
183 lines
7.3 KiB
YAML
name: Sign and Upload Mac Installer [DEPRECATED]
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
version:
|
|
description: 'Release version to build and upload (e.g. "v9.8.7")'
|
|
required: true
|
|
dryrun:
|
|
description: 'Perform all the steps except uploading to the release page'
|
|
required: true
|
|
default: "true" # 'choice' type requires string value
|
|
type: choice
|
|
options:
|
|
- "true" # Must be quoted string, boolean value not supported.
|
|
- "false"
|
|
|
|
permissions:
|
|
contents: write
|
|
|
|
jobs:
|
|
build:
|
|
runs-on: macos-latest
|
|
env:
|
|
APPLICATION_CERTIFICATE: ${{ secrets.MACOS_APPLICATION_CERT }}
|
|
CODESIGN_IDENTITY: ${{ secrets.MACOS_APPLICATION_IDENTITY }}
|
|
INSTALLER_CERTIFICATE: ${{ secrets.MACOS_INSTALLER_CERT }}
|
|
PRODUCTSIGN_IDENTITY: ${{ secrets.MACOS_INSTALLER_IDENTITY }}
|
|
CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
|
|
|
|
NOTARIZE_TEAM: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }}
|
|
NOTARIZE_USERNAME: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }}
|
|
NOTARIZE_PASSWORD: ${{ secrets.MACOS_NOTARIZATION_PWD }}
|
|
|
|
KEYCHAIN_PWD: ${{ secrets.MACOS_CI_KEYCHAIN_PWD }}
|
|
steps:
|
|
- name: Consolidate dryrun setting to always be true or false
|
|
id: actual_dryrun
|
|
env:
|
|
INPUT_DRYRUN: ${{ inputs.dryrun }}
|
|
run: |
|
|
# The 'release' trigger will not have a 'dryrun' input set. Handle
|
|
# this case in a readable/maintainable way.
|
|
if [[ -z "${INPUT_DRYRUN}" ]]
|
|
then
|
|
echo "dryrun=false" >> $GITHUB_OUTPUT
|
|
else
|
|
echo "dryrun=${INPUT_DRYRUN}" >> $GITHUB_OUTPUT
|
|
fi
|
|
- name: Dry Run Status
|
|
env:
|
|
DRYRUN: ${{ steps.actual_dryrun.outputs.dryrun }}
|
|
run: |
|
|
echo "::notice::This workflow execution will be a dry-run: ${DRYRUN}"
|
|
- name: Determine Version
|
|
id: getversion
|
|
env:
|
|
INPUT_VERSION: ${{ inputs.version }}
|
|
TAG_NAME: ${{ github.event.release.tag_name }}
|
|
run: |
|
|
if [[ -z "${INPUT_VERSION}" ]]
|
|
then
|
|
VERSION=${TAG_NAME}
|
|
else
|
|
VERSION=${INPUT_VERSION}
|
|
fi
|
|
echo
|
|
echo "version=$VERSION" >> $GITHUB_OUTPUT
|
|
- name: Check uploads
|
|
id: check
|
|
env:
|
|
VERSION: ${{ steps.getversion.outputs.version }}
|
|
run: |
|
|
URI="https://github.com/containers/podman/releases/download/${VERSION}"
|
|
ARM_FILE="podman-installer-macos-arm64.pkg"
|
|
AMD_FILE="podman-installer-macos-amd64.pkg"
|
|
UNIVERSAL_FILE="podman-installer-macos-universal.pkg"
|
|
|
|
status=$(curl -s -o /dev/null -w "%{http_code}" "${URI}/${ARM_FILE}")
|
|
if [[ "$status" == "404" ]] ; then
|
|
echo "buildarm=true" >> $GITHUB_OUTPUT
|
|
else
|
|
echo "::warning::ARM installer already exists, skipping"
|
|
echo "buildarm=false" >> $GITHUB_OUTPUT
|
|
fi
|
|
|
|
status=$(curl -s -o /dev/null -w "%{http_code}" "${URI}/${AMD_FILE}")
|
|
if [[ "$status" == "404" ]] ; then
|
|
echo "buildamd=true" >> $GITHUB_OUTPUT
|
|
else
|
|
echo "::warning::AMD installer already exists, skipping"
|
|
echo "buildamd=false" >> $GITHUB_OUTPUT
|
|
fi
|
|
|
|
status=$(curl -s -o /dev/null -w "%{http_code}" "${URI}/${UNIVERSAL_FILE}")
|
|
if [[ "$status" == "404" ]] ; then
|
|
echo "builduniversal=true" >> $GITHUB_OUTPUT
|
|
else
|
|
echo "::warning::Universal installer already exists, skipping"
|
|
echo "builduniversal=false" >> $GITHUB_OUTPUT
|
|
fi
|
|
- name: Checkout Version
|
|
if: >-
|
|
steps.check.outputs.buildamd == 'true' ||
|
|
steps.check.outputs.buildarm == 'true' ||
|
|
steps.check.outputs.builduniversal == 'true' ||
|
|
steps.actual_dryrun.outputs.dryrun == 'true'
|
|
uses: actions/checkout@v5
|
|
with:
|
|
ref: ${{steps.getversion.outputs.version}}
|
|
- name: Set up Go
|
|
# Conditional duplication sucks - GHA doesn't grok YAML anchors/aliases
|
|
if: >-
|
|
steps.check.outputs.buildamd == 'true' ||
|
|
steps.check.outputs.buildarm == 'true' ||
|
|
steps.check.outputs.builduniversal == 'true' ||
|
|
steps.actual_dryrun.outputs.dryrun == 'true'
|
|
uses: actions/setup-go@v6
|
|
with:
|
|
go-version: stable
|
|
- name: Create Keychain
|
|
if: >-
|
|
steps.check.outputs.buildamd == 'true' ||
|
|
steps.check.outputs.buildarm == 'true' ||
|
|
steps.check.outputs.builduniversal == 'true' ||
|
|
steps.actual_dryrun.outputs.dryrun == 'true'
|
|
run: |
|
|
echo $APPLICATION_CERTIFICATE | base64 --decode -o appcert.p12
|
|
echo $INSTALLER_CERTIFICATE | base64 --decode -o instcert.p12
|
|
|
|
security create-keychain -p "$KEYCHAIN_PWD" build.keychain
|
|
security default-keychain -s build.keychain
|
|
security unlock-keychain -p "$KEYCHAIN_PWD" build.keychain
|
|
security import appcert.p12 -k build.keychain -P "$CERTIFICATE_PWD" -T /usr/bin/codesign
|
|
security import instcert.p12 -k build.keychain -P "$CERTIFICATE_PWD" -T /usr/bin/productsign
|
|
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PWD" build.keychain &> /dev/null
|
|
|
|
xcrun notarytool store-credentials "notarytool-profile" --apple-id "$NOTARIZE_USERNAME" --team-id "$NOTARIZE_TEAM" --password "$NOTARIZE_PASSWORD" &> /dev/null
|
|
- name: Build and Sign ARM
|
|
if: steps.check.outputs.buildarm == 'true' || steps.actual_dryrun.outputs.dryrun == 'true'
|
|
working-directory: contrib/pkginstaller
|
|
run: |
|
|
make ARCH=aarch64 notarize &> /dev/null
|
|
cd out && shasum -a 256 podman-installer-macos-arm64.pkg >> shasums
|
|
- name: Build and Sign AMD
|
|
if: steps.check.outputs.buildamd == 'true' || steps.actual_dryrun.outputs.dryrun == 'true'
|
|
working-directory: contrib/pkginstaller
|
|
run: |
|
|
make ARCH=amd64 notarize &> /dev/null
|
|
cd out && shasum -a 256 podman-installer-macos-amd64.pkg >> shasums
|
|
- name: Build and Sign Universal
|
|
if: steps.check.outputs.builduniversal == 'true' || steps.actual_dryrun.outputs.dryrun == 'true'
|
|
working-directory: contrib/pkginstaller
|
|
run: |
|
|
make ARCH=universal notarize &> /dev/null
|
|
cd out && shasum -a 256 podman-installer-macos-universal.pkg >> shasums
|
|
- name: Artifact
|
|
if: >-
|
|
steps.check.outputs.buildamd == 'true' ||
|
|
steps.check.outputs.buildarm == 'true' ||
|
|
steps.check.outputs.builduniversal == 'true' ||
|
|
steps.actual_dryrun.outputs.dryrun == 'true'
|
|
uses: actions/upload-artifact@v4
|
|
with:
|
|
name: installers
|
|
path: |
|
|
contrib/pkginstaller/out/podman-installer-macos-*.pkg
|
|
contrib/pkginstaller/out/shasums
|
|
- name: Upload to Release
|
|
if: >-
|
|
steps.actual_dryrun.outputs.dryrun == 'false' &&
|
|
(steps.check.outputs.buildamd == 'true' ||
|
|
steps.check.outputs.buildarm == 'true'||
|
|
steps.check.outputs.builduniversal == 'true' )
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
VERSION: ${{ steps.getversion.outputs.version }}
|
|
run: |
|
|
(gh release download "${VERSION}" -p "shasums" || exit 0)
|
|
cat contrib/pkginstaller/out/shasums >> shasums
|
|
gh release upload "${VERSION}" contrib/pkginstaller/out/podman-installer-macos-*.pkg
|
|
gh release upload "${VERSION}" --clobber shasums
|