mirror of
https://github.com/containers/podman.git
synced 2026-07-12 08:15:23 -04:00
The nightly release validation builds both on main and the latest release branch, we should upload the artifacts with a suffix to differentiate the two Signed-off-by: Ashley Cui <acui@redhat.com>
251 lines
9.5 KiB
YAML
251 lines
9.5 KiB
YAML
name: Build Artifacts
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
version:
|
|
description: 'Git ref to build for test (branch or tag, e.g. "main" or "v9.8.7")'
|
|
required: false
|
|
default: 'main'
|
|
workflow_call:
|
|
inputs:
|
|
version:
|
|
description: 'Git ref to build (tag, branch, or commit hash, e.g. "v9.8.7" or "main")'
|
|
required: true
|
|
type: string
|
|
secrets:
|
|
MACOS_APPLICATION_CERT:
|
|
required: true
|
|
MACOS_APPLICATION_IDENTITY:
|
|
required: true
|
|
MACOS_INSTALLER_CERT:
|
|
required: true
|
|
MACOS_INSTALLER_IDENTITY:
|
|
required: true
|
|
MACOS_CERTIFICATE_PWD:
|
|
required: true
|
|
MACOS_NOTARIZATION_TEAM_ID:
|
|
required: true
|
|
MACOS_NOTARIZATION_APPLE_ID:
|
|
required: true
|
|
MACOS_NOTARIZATION_PWD:
|
|
required: true
|
|
MACOS_CI_KEYCHAIN_PWD:
|
|
required: true
|
|
AZ_CERT_NAME:
|
|
required: true
|
|
AZ_VAULT_ID:
|
|
required: true
|
|
AZ_APP_ID:
|
|
required: true
|
|
AZ_TENANT_ID:
|
|
required: true
|
|
AZ_CLIENT_SECRET:
|
|
required: true
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
get-version:
|
|
name: Determine Version
|
|
runs-on: ubuntu-latest
|
|
if: github.repository == 'podman-container-tools/podman'
|
|
outputs:
|
|
version_display: ${{ steps.set-version.outputs.version_display }}
|
|
steps:
|
|
- name: Checkout Version
|
|
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
|
with:
|
|
ref: ${{ inputs.version }}
|
|
persist-credentials: false
|
|
- name: Set display version
|
|
id: set-version
|
|
env:
|
|
VERSION: ${{ inputs.version }}
|
|
run: |
|
|
sha=$(git rev-parse --short HEAD)
|
|
if [[ "$VERSION" =~ ^v[0-9]+\.[0-9]+\.[0-9]+ ]]; then
|
|
echo "version_display=$VERSION" >> "$GITHUB_OUTPUT"
|
|
else
|
|
echo "version_display=$VERSION-$sha" >> "$GITHUB_OUTPUT"
|
|
fi
|
|
|
|
build-artifacts:
|
|
name: Build Artifacts
|
|
runs-on: ubuntu-latest
|
|
if: github.repository == 'podman-container-tools/podman'
|
|
needs: [get-version]
|
|
steps:
|
|
- name: Checkout Version
|
|
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
|
with:
|
|
ref: ${{ inputs.version }}
|
|
persist-credentials: false
|
|
- name: Set up Go
|
|
uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
|
|
with:
|
|
go-version: stable
|
|
cache: false
|
|
- name: Set up pandoc
|
|
run: |
|
|
sudo apt-get install -y pandoc
|
|
- name: Build Artifacts
|
|
run: |
|
|
make release-artifacts
|
|
- name: Upload to Actions as artifact
|
|
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
|
|
with:
|
|
name: release-artifacts-${{ needs.get-version.outputs.version_display }}
|
|
path: release/*
|
|
|
|
mac-pkg:
|
|
name: Build MacOS pkginstaller
|
|
runs-on: macos-latest
|
|
if: github.repository == 'podman-container-tools/podman'
|
|
needs: [get-version]
|
|
env:
|
|
APPLICATION_CERTIFICATE: ${{ secrets.MACOS_APPLICATION_CERT }}
|
|
CODESIGN_IDENTITY: ${{ secrets.MACOS_APPLICATION_IDENTITY }}
|
|
INSTALLER_CERTIFICATE: ${{ secrets.MACOS_INSTALLER_CERT }}
|
|
PRODUCTSIGN_IDENTITY: ${{ secrets.MACOS_INSTALLER_IDENTITY }}
|
|
CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
|
|
|
|
NOTARIZE_TEAM: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }}
|
|
NOTARIZE_USERNAME: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }}
|
|
NOTARIZE_PASSWORD: ${{ secrets.MACOS_NOTARIZATION_PWD }}
|
|
|
|
KEYCHAIN_PWD: ${{ secrets.MACOS_CI_KEYCHAIN_PWD }}
|
|
steps:
|
|
- name: Checkout Version
|
|
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
|
with:
|
|
ref: ${{ inputs.version }}
|
|
persist-credentials: false
|
|
- name: Set up Go
|
|
uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
|
|
with:
|
|
go-version: stable
|
|
cache: false
|
|
- name: Create Keychain
|
|
run: |
|
|
echo $APPLICATION_CERTIFICATE | base64 --decode -o appcert.p12
|
|
echo $INSTALLER_CERTIFICATE | base64 --decode -o instcert.p12
|
|
|
|
security create-keychain -p "$KEYCHAIN_PWD" build.keychain
|
|
security default-keychain -s build.keychain
|
|
security unlock-keychain -p "$KEYCHAIN_PWD" build.keychain
|
|
security import appcert.p12 -k build.keychain -P "$CERTIFICATE_PWD" -T /usr/bin/codesign
|
|
security import instcert.p12 -k build.keychain -P "$CERTIFICATE_PWD" -T /usr/bin/productsign
|
|
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PWD" build.keychain &> /dev/null
|
|
|
|
xcrun notarytool store-credentials "notarytool-profile" --apple-id "$NOTARIZE_USERNAME" --team-id "$NOTARIZE_TEAM" --password "$NOTARIZE_PASSWORD" &> /dev/null
|
|
- name: Build and Sign ARM
|
|
working-directory: contrib/pkginstaller
|
|
run: |
|
|
make ARCH=aarch64 notarize &> /dev/null
|
|
- name: Artifact
|
|
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
|
|
with:
|
|
name: mac-installers-${{ needs.get-version.outputs.version_display }}
|
|
path: |
|
|
contrib/pkginstaller/out/podman-installer-macos-*.pkg
|
|
|
|
windows-installer:
|
|
name: Build Windows Installer
|
|
strategy:
|
|
matrix:
|
|
arch: [amd64, arm64]
|
|
runs-on: windows-latest
|
|
needs: [get-version, build-artifacts]
|
|
steps:
|
|
- name: Checkout Podman
|
|
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
|
with:
|
|
ref: ${{ inputs.version }}
|
|
persist-credentials: false
|
|
- name: Normalize version for Windows
|
|
id: normalized-windows-version
|
|
env:
|
|
VERSION: ${{ needs.get-version.outputs.version_display }}
|
|
run: |
|
|
$version = "${env:VERSION}"
|
|
if ($version.Length -gt 0 -and $version[0] -eq "v") {
|
|
$version = $version.Substring(1)
|
|
}
|
|
# windows/wix requires a legit version number, so if the ref is a branch and not a version, use rawversion
|
|
if ($version -notmatch '^[0-9]+\.[0-9]+\.[0-9]+(-.*)?$') {
|
|
$raw = Get-Content -Path "version\rawversion\version.go" -Raw
|
|
if ($raw -notmatch 'RawVersion\s*=\s*"([^"]+)"') {
|
|
Write-Error "Could not parse RawVersion from version/rawversion/version.go"
|
|
exit 1
|
|
}
|
|
$version = $matches[1].TrimStart('v')
|
|
}
|
|
Write-Output "version=$version" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
|
|
- name: Download Windows zip artifact
|
|
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
|
|
with:
|
|
name: release-artifacts-${{ needs.get-version.outputs.version_display }}
|
|
path: ${{ github.workspace }}\release-artifacts
|
|
- name: Set up Go
|
|
uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
|
|
with:
|
|
go-version: stable
|
|
cache: false
|
|
- name: Set up WiX
|
|
run: dotnet tool install --global wix --version 5.0.2
|
|
- name: Setup Signature Tooling
|
|
env:
|
|
AZ_CERT_NAME: ${{ secrets.AZ_CERT_NAME }}
|
|
AZ_VAULT_ID: ${{ secrets.AZ_VAULT_ID }}
|
|
AZ_APP_ID: ${{ secrets.AZ_APP_ID }}
|
|
AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
|
|
AZ_CLIENT_SECRET: ${{ secrets.AZ_CLIENT_SECRET }}
|
|
run: |
|
|
dotnet tool install --global AzureSignTool --version 3.0.0
|
|
echo "CERT_NAME=${env:AZ_CERT_NAME}" | Out-File -FilePath $env:GITHUB_ENV -Append
|
|
echo "VAULT_ID=${env:AZ_VAULT_ID}" | Out-File -FilePath $env:GITHUB_ENV -Append
|
|
echo "APP_ID=${env:AZ_APP_ID}" | Out-File -FilePath $env:GITHUB_ENV -Append
|
|
echo "TENANT_ID=${env:AZ_TENANT_ID}" | Out-File -FilePath $env:GITHUB_ENV -Append
|
|
echo "CLIENT_SECRET=${env:AZ_CLIENT_SECRET}" | Out-File -FilePath $env:GITHUB_ENV -Append
|
|
- name: Pandoc Setup
|
|
uses: r-lib/actions/setup-pandoc@d3c5be51b12e724e68f33216ca3c148b66d5f0b6 # v2.12.1
|
|
with:
|
|
pandoc-version: '3.1.11'
|
|
# Note: Windows assigns a UUID to the installer at build time, it's assumed
|
|
# by windows that one release version == one UUID (always). Breaking this assumption
|
|
# has some rather nasty side-effects in windows, such as possibly breaking 'uninstall'
|
|
# functionality. We should avoid clobbering or re-building windows installers in most cases,
|
|
# For build-only, the .exe is saved in the workflow artifacts for a human
|
|
# to judge.
|
|
- name: Build the MSI
|
|
id: build
|
|
env:
|
|
PODMAN_ARCH: ${{ matrix.arch }}
|
|
VERSION: ${{ steps.normalized-windows-version.outputs.version }}
|
|
run: |
|
|
contrib\win-installer\build.ps1 `
|
|
-Version "${env:VERSION}" `
|
|
-LocalReleaseDirPath "${env:GITHUB_WORKSPACE}\release-artifacts" `
|
|
-Architecture "${env:PODMAN_ARCH}"
|
|
Exit $LASTEXITCODE
|
|
- name: Display structure of built files
|
|
run: |
|
|
Push-Location contrib\win-installer
|
|
Get-ChildItem
|
|
Pop-Location
|
|
- name: Rename the MSI
|
|
env:
|
|
PODMAN_ARCH: ${{ matrix.arch }}
|
|
VERSION: ${{ steps.normalized-windows-version.outputs.version }}
|
|
run: |
|
|
Push-Location contrib\win-installer
|
|
Copy-Item -Path "podman-${env:VERSION}.msi" -Destination "podman-installer-windows-${env:PODMAN_ARCH}.msi"
|
|
Pop-Location
|
|
- name: Upload the MSI
|
|
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
|
|
with:
|
|
name: win-msi-${{ matrix.arch }}-${{ needs.get-version.outputs.version_display }}
|
|
path: |
|
|
.\contrib\win-installer\podman-installer-windows-${{ matrix.arch }}.msi
|