package.yml
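# Release packaging workflow: builds spacetimedb-cli, spacetimedb-standalone and
# spacetimedb-update for every target in the matrix, signs the Windows binaries
# on tag builds, and uploads the contents of `build/` to a DigitalOcean Spaces
# bucket.
name: Package SpacetimeDB CLI

on:
  push:
    tags:
      - '**'
  workflow_dispatch:

# The workflow token is limited to reading the repository. Publishing uses the
# separate bucket credentials passed to the upload step.
permissions:
  contents: read

jobs:
  build-cli:
    strategy:
      fail-fast: false
      matrix:
        include:
          # WARNING - do not upgrade this runner to 24.04 or the self hosted runners because it will break downloads for
          # anyone who uses a linux distro that doesn't have glibc >= GLIBC_2.38
          - { name: x86_64 Linux, target: x86_64-unknown-linux-gnu, runner: ubuntu-22.04 }
          - { name: aarch64 Linux, target: aarch64-unknown-linux-gnu, runner: arm-runner }
          # Disabled because musl builds weren't working and we didn't want to investigate. See https://github.com/clockworklabs/SpacetimeDB/pull/2964.
          # - { name: x86_64 Linux musl, target: x86_64-unknown-linux-musl, runner: bare-metal, container: alpine }
          # FIXME: arm musl build. "JavaScript Actions in Alpine containers are only supported on x64 Linux runners"
          # - { name: aarch64 Linux musl, target: aarch64-unknown-linux-musl, runner: arm-runner }
          - { name: aarch64 macOS, target: aarch64-apple-darwin, runner: macos-latest }
          - { name: x86_64 macOS, target: x86_64-apple-darwin, runner: macos-latest }
          - { name: x86_64 Windows, target: x86_64-pc-windows-msvc, runner: spacetimedb-windows-runner }

    name: Build CLI for ${{ matrix.name }}
    runs-on: ${{ matrix.runner }}

    steps:
      # NOTE(review): every `uses:` in this job references a mutable tag or
      # branch (`@v3`, `@v1`, `@master`). This job handles code-signing and
      # bucket credentials, so pin each action to a full commit SHA, e.g.
      # `uses: owner/action@<full-commit-sha>  # vX.Y.Z`, and update the pins
      # deliberately.
      - name: Checkout
        uses: actions/checkout@v3

      - name: Show arch
        run: uname -a

      - name: Install musl dependencies
        # TODO: Should we use `matrix.container == 'alpine'` instead of the `endsWith` check?
        if: endsWith(matrix.target, '-musl')
        run: apk add gcc g++ bash curl linux-headers perl git make

      - name: Install Rust
        uses: dsherret/rust-toolchain-file@v1

      - name: Set default rust toolchain
        run: rustup default $(rustup show active-toolchain | cut -d' ' -f1)

      - name: Install rust target
        run: rustup target add ${{ matrix.target }}

      # Finds an x64 signtool.exe under the Windows 10 SDK directory and puts
      # its directory on PATH for the later "Verify signatures" step.
      - name: Add signtool.exe to PATH
        if: ${{ runner.os == 'Windows' }}
        shell: pwsh
        run: |
          $root = "${env:ProgramFiles(x86)}\Windows Kits\10\bin"
          $signtool = Get-ChildItem $root -Recurse -Filter signtool.exe -ErrorAction SilentlyContinue |
            Where-Object { $_.FullName -match '\\x64\\signtool\.exe$' } |
            Sort-Object FullName -Descending |
            Select-Object -First 1
          if (-not $signtool) { throw "signtool.exe not found under $root" }
          "Found: $($signtool.FullName)"
          $dir = Split-Path $signtool.FullName
          Add-Content -Path $env:GITHUB_PATH -Value $dir

      # Signing material is only materialised on tag builds. The secret is
      # passed through `env` rather than interpolated into the script text.
      - name: Decode DigiCert client auth certificate
        if: ${{ runner.os == 'Windows' && startsWith(github.ref, 'refs/tags/') }}
        shell: bash
        env:
          SM_CLIENT_CERT_FILE_B64: ${{ secrets.SM_CLIENT_CERT_FILE_B64 }}
        run: |
          echo "$SM_CLIENT_CERT_FILE_B64" | base64 --decode > "$RUNNER_TEMP/Certificate_pkcs12.p12"

      - name: Setup DigiCert Software Trust Manager
        if: ${{ runner.os == 'Windows' && startsWith(github.ref, 'refs/tags/') }}
        uses: digicert/code-signing-software-trust-action@v1
        env:
          SM_HOST: ${{ vars.SM_HOST }}
          SM_API_KEY: ${{ secrets.SM_API_KEY }}
          SM_CLIENT_CERT_FILE: ${{ runner.temp }}\Certificate_pkcs12.p12
          SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }}

      - name: Compile
        run: |
          cargo build --release --target ${{ matrix.target }} -p spacetimedb-cli -p spacetimedb-standalone -p spacetimedb-update

      # Signs the three release executables in place with smctl. A non-zero
      # exit code from any invocation fails the step.
      - name: Sign binaries for Windows
        if: ${{ runner.os == 'Windows' && startsWith(github.ref, 'refs/tags/') }}
        shell: pwsh
        env:
          SM_HOST: ${{ vars.SM_HOST }}
          SM_API_KEY: ${{ secrets.SM_API_KEY }}
          SM_CLIENT_CERT_FILE: ${{ runner.temp }}\Certificate_pkcs12.p12
          SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
          DIGICERT_KEYPAIR_ALIAS: ${{ secrets.DIGICERT_KEYPAIR_ALIAS }}
        run: |
          $ErrorActionPreference = 'Stop'
          $targetDir = Join-Path $env:GITHUB_WORKSPACE 'target\x86_64-pc-windows-msvc\release'
          foreach ($exe in @('spacetimedb-update.exe','spacetimedb-cli.exe','spacetimedb-standalone.exe')) {
            $path = Join-Path $targetDir $exe
            Write-Host "Signing $exe..."
            & smctl sign --keypair-alias $env:DIGICERT_KEYPAIR_ALIAS --input $path
            if ($LASTEXITCODE -ne 0) { throw "Signing failed for $exe (exit code $LASTEXITCODE)" }
            Write-Host "$exe signed successfully"
          }

      # `signtool verify /pa` checks that each file carries a signature that
      # validates under the default Authenticode policy. It does not assert
      # which certificate signed the file.
      # NOTE(review): consider also comparing the signer subject or thumbprint
      # against the expected release certificate.
      - name: Verify signatures
        if: ${{ runner.os == 'Windows' && startsWith(github.ref, 'refs/tags/') }}
        shell: pwsh
        run: |
          $ErrorActionPreference = 'Stop'
          $targetDir = Join-Path $env:GITHUB_WORKSPACE 'target\x86_64-pc-windows-msvc\release'
          foreach ($exe in @('spacetimedb-update.exe','spacetimedb-cli.exe','spacetimedb-standalone.exe')) {
            $path = Join-Path $targetDir $exe
            & signtool.exe verify /v /pa $path
            if ($LASTEXITCODE -ne 0) { throw "Signature verification failed for $exe" }
          }

      # The decoded PKCS#12 file is only needed while smctl signs. Delete it
      # before packaging and before the third-party upload action runs, and do
      # so even when an earlier step failed, so the client certificate does not
      # stay on the runner's disk for the rest of the job.
      - name: Remove DigiCert client auth certificate
        if: ${{ always() && runner.os == 'Windows' && startsWith(github.ref, 'refs/tags/') }}
        shell: bash
        run: rm -f "$RUNNER_TEMP/Certificate_pkcs12.p12"

      - name: Package (unix)
        if: ${{ runner.os != 'Windows' }}
        shell: bash
        run: |
          mkdir build
          cd target/${{matrix.target}}/release
          cp spacetimedb-update ../../../build/spacetimedb-update-${{matrix.target}}
          tar -czf ../../../build/spacetime-${{matrix.target}}.tar.gz spacetimedb-{cli,standalone}

      - name: Package (windows)
        if: ${{ runner.os == 'Windows' }}
        shell: bash
        run: |
          mkdir build
          cd target/${{matrix.target}}/release
          cp spacetimedb-update.exe ../../../build/spacetimedb-update-${{matrix.target}}.exe
          7z a ../../../build/spacetime-${{matrix.target}}.zip spacetimedb-cli.exe spacetimedb-standalone.exe

      # Only a leading `refs/heads/` is stripped here, so on a tag push the
      # output keeps the full `refs/tags/<tag>` ref.
      # NOTE(review): confirm that is the intended destination prefix.
      - name: Extract branch name
        id: extract_branch
        shell: bash
        run: echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> "$GITHUB_OUTPUT"

      # NOTE(review): this third-party action tracks the `master` branch and
      # receives the bucket write credentials, so whatever that branch points to
      # at run time executes with the ability to publish release artifacts. Pin
      # it to a reviewed commit (`@<full-commit-sha>`) and scope the access key
      # to this bucket only.
      # Windows binaries are signed only on tag builds, so a `workflow_dispatch`
      # run uploads them unsigned.
      - name: Upload to DO Spaces
        uses: shallwefootball/s3-upload-action@master
        with:
          aws_key_id: ${{ secrets.AWS_KEY_ID }}
          aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws_bucket: ${{ vars.AWS_BUCKET }}
          source_dir: build
          endpoint: https://nyc3.digitaloceanspaces.com
          destination_dir: ${{ steps.extract_branch.outputs.branch }}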