Files
podman/.github/workflows/release-build-artifacts.yml
Ashley Cui f69796b6bc Upload artifacts with build suffix
The nightly release validation builds both on main and the latest release branch,
we should upload the artifacts with a suffix to differentiate the two

Signed-off-by: Ashley Cui <acui@redhat.com>
2026-06-26 16:00:02 -04:00

251 lines
9.5 KiB
YAML

name: Build Artifacts
on:
workflow_dispatch:
inputs:
version:
description: 'Git ref to build for test (branch or tag, e.g. "main" or "v9.8.7")'
required: false
default: 'main'
workflow_call:
inputs:
version:
description: 'Git ref to build (tag, branch, or commit hash, e.g. "v9.8.7" or "main")'
required: true
type: string
secrets:
MACOS_APPLICATION_CERT:
required: true
MACOS_APPLICATION_IDENTITY:
required: true
MACOS_INSTALLER_CERT:
required: true
MACOS_INSTALLER_IDENTITY:
required: true
MACOS_CERTIFICATE_PWD:
required: true
MACOS_NOTARIZATION_TEAM_ID:
required: true
MACOS_NOTARIZATION_APPLE_ID:
required: true
MACOS_NOTARIZATION_PWD:
required: true
MACOS_CI_KEYCHAIN_PWD:
required: true
AZ_CERT_NAME:
required: true
AZ_VAULT_ID:
required: true
AZ_APP_ID:
required: true
AZ_TENANT_ID:
required: true
AZ_CLIENT_SECRET:
required: true
permissions:
contents: read
jobs:
get-version:
name: Determine Version
runs-on: ubuntu-latest
if: github.repository == 'podman-container-tools/podman'
outputs:
version_display: ${{ steps.set-version.outputs.version_display }}
steps:
- name: Checkout Version
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
ref: ${{ inputs.version }}
persist-credentials: false
- name: Set display version
id: set-version
env:
VERSION: ${{ inputs.version }}
run: |
sha=$(git rev-parse --short HEAD)
if [[ "$VERSION" =~ ^v[0-9]+\.[0-9]+\.[0-9]+ ]]; then
echo "version_display=$VERSION" >> "$GITHUB_OUTPUT"
else
echo "version_display=$VERSION-$sha" >> "$GITHUB_OUTPUT"
fi
build-artifacts:
name: Build Artifacts
runs-on: ubuntu-latest
if: github.repository == 'podman-container-tools/podman'
needs: [get-version]
steps:
- name: Checkout Version
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
ref: ${{ inputs.version }}
persist-credentials: false
- name: Set up Go
uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
with:
go-version: stable
cache: false
- name: Set up pandoc
run: |
sudo apt-get install -y pandoc
- name: Build Artifacts
run: |
make release-artifacts
- name: Upload to Actions as artifact
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: release-artifacts-${{ needs.get-version.outputs.version_display }}
path: release/*
mac-pkg:
name: Build MacOS pkginstaller
runs-on: macos-latest
if: github.repository == 'podman-container-tools/podman'
needs: [get-version]
env:
APPLICATION_CERTIFICATE: ${{ secrets.MACOS_APPLICATION_CERT }}
CODESIGN_IDENTITY: ${{ secrets.MACOS_APPLICATION_IDENTITY }}
INSTALLER_CERTIFICATE: ${{ secrets.MACOS_INSTALLER_CERT }}
PRODUCTSIGN_IDENTITY: ${{ secrets.MACOS_INSTALLER_IDENTITY }}
CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
NOTARIZE_TEAM: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }}
NOTARIZE_USERNAME: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }}
NOTARIZE_PASSWORD: ${{ secrets.MACOS_NOTARIZATION_PWD }}
KEYCHAIN_PWD: ${{ secrets.MACOS_CI_KEYCHAIN_PWD }}
steps:
- name: Checkout Version
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
ref: ${{ inputs.version }}
persist-credentials: false
- name: Set up Go
uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
with:
go-version: stable
cache: false
- name: Create Keychain
run: |
echo $APPLICATION_CERTIFICATE | base64 --decode -o appcert.p12
echo $INSTALLER_CERTIFICATE | base64 --decode -o instcert.p12
security create-keychain -p "$KEYCHAIN_PWD" build.keychain
security default-keychain -s build.keychain
security unlock-keychain -p "$KEYCHAIN_PWD" build.keychain
security import appcert.p12 -k build.keychain -P "$CERTIFICATE_PWD" -T /usr/bin/codesign
security import instcert.p12 -k build.keychain -P "$CERTIFICATE_PWD" -T /usr/bin/productsign
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PWD" build.keychain &> /dev/null
xcrun notarytool store-credentials "notarytool-profile" --apple-id "$NOTARIZE_USERNAME" --team-id "$NOTARIZE_TEAM" --password "$NOTARIZE_PASSWORD" &> /dev/null
- name: Build and Sign ARM
working-directory: contrib/pkginstaller
run: |
make ARCH=aarch64 notarize &> /dev/null
- name: Artifact
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: mac-installers-${{ needs.get-version.outputs.version_display }}
path: |
contrib/pkginstaller/out/podman-installer-macos-*.pkg
windows-installer:
name: Build Windows Installer
strategy:
matrix:
arch: [amd64, arm64]
runs-on: windows-latest
needs: [get-version, build-artifacts]
steps:
- name: Checkout Podman
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
ref: ${{ inputs.version }}
persist-credentials: false
- name: Normalize version for Windows
id: normalized-windows-version
env:
VERSION: ${{ needs.get-version.outputs.version_display }}
run: |
$version = "${env:VERSION}"
if ($version.Length -gt 0 -and $version[0] -eq "v") {
$version = $version.Substring(1)
}
# windows/wix requires a legit version number, so if the ref is a branch and not a version, use rawversion
if ($version -notmatch '^[0-9]+\.[0-9]+\.[0-9]+(-.*)?$') {
$raw = Get-Content -Path "version\rawversion\version.go" -Raw
if ($raw -notmatch 'RawVersion\s*=\s*"([^"]+)"') {
Write-Error "Could not parse RawVersion from version/rawversion/version.go"
exit 1
}
$version = $matches[1].TrimStart('v')
}
Write-Output "version=$version" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
- name: Download Windows zip artifact
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: release-artifacts-${{ needs.get-version.outputs.version_display }}
path: ${{ github.workspace }}\release-artifacts
- name: Set up Go
uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
with:
go-version: stable
cache: false
- name: Set up WiX
run: dotnet tool install --global wix --version 5.0.2
- name: Setup Signature Tooling
env:
AZ_CERT_NAME: ${{ secrets.AZ_CERT_NAME }}
AZ_VAULT_ID: ${{ secrets.AZ_VAULT_ID }}
AZ_APP_ID: ${{ secrets.AZ_APP_ID }}
AZ_TENANT_ID: ${{ secrets.AZ_TENANT_ID }}
AZ_CLIENT_SECRET: ${{ secrets.AZ_CLIENT_SECRET }}
run: |
dotnet tool install --global AzureSignTool --version 3.0.0
echo "CERT_NAME=${env:AZ_CERT_NAME}" | Out-File -FilePath $env:GITHUB_ENV -Append
echo "VAULT_ID=${env:AZ_VAULT_ID}" | Out-File -FilePath $env:GITHUB_ENV -Append
echo "APP_ID=${env:AZ_APP_ID}" | Out-File -FilePath $env:GITHUB_ENV -Append
echo "TENANT_ID=${env:AZ_TENANT_ID}" | Out-File -FilePath $env:GITHUB_ENV -Append
echo "CLIENT_SECRET=${env:AZ_CLIENT_SECRET}" | Out-File -FilePath $env:GITHUB_ENV -Append
- name: Pandoc Setup
uses: r-lib/actions/setup-pandoc@d3c5be51b12e724e68f33216ca3c148b66d5f0b6 # v2.12.1
with:
pandoc-version: '3.1.11'
# Note: Windows assigns a UUID to the installer at build time, it's assumed
# by windows that one release version == one UUID (always). Breaking this assumption
# has some rather nasty side-effects in windows, such as possibly breaking 'uninstall'
# functionality. We should avoid clobbering or re-building windows installers in most cases,
# For build-only, the .exe is saved in the workflow artifacts for a human
# to judge.
- name: Build the MSI
id: build
env:
PODMAN_ARCH: ${{ matrix.arch }}
VERSION: ${{ steps.normalized-windows-version.outputs.version }}
run: |
contrib\win-installer\build.ps1 `
-Version "${env:VERSION}" `
-LocalReleaseDirPath "${env:GITHUB_WORKSPACE}\release-artifacts" `
-Architecture "${env:PODMAN_ARCH}"
Exit $LASTEXITCODE
- name: Display structure of built files
run: |
Push-Location contrib\win-installer
Get-ChildItem
Pop-Location
- name: Rename the MSI
env:
PODMAN_ARCH: ${{ matrix.arch }}
VERSION: ${{ steps.normalized-windows-version.outputs.version }}
run: |
Push-Location contrib\win-installer
Copy-Item -Path "podman-${env:VERSION}.msi" -Destination "podman-installer-windows-${env:PODMAN_ARCH}.msi"
Pop-Location
- name: Upload the MSI
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: win-msi-${{ matrix.arch }}-${{ needs.get-version.outputs.version_display }}
path: |
.\contrib\win-installer\podman-installer-windows-${{ matrix.arch }}.msi