
Commit e6da4dd

Merge branch 'master' into custom-piviot-snapping
2 parents e315fd0 + 20e12ed commit e6da4dd

114 files changed

Lines changed: 3346 additions & 1279 deletions


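--- a/.github/workflows/build-dev-and-ci.yml
+++ b/.github/workflows/build-dev-and-ci.yml
@@ -5,6 +5,7 @@ on:
 branches:
 - master
 pull_request: {}
+merge_group: {}
 env:
 CARGO_TERM_COLOR: always
 INDEX_HTML_HEAD_REPLACEMENT: <script defer data-domain="dev.graphite.art" data-api="https://graphite.art/visit/event" src="https://graphite.art/visit/script.hash.js"></script>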

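--- a/.github/workflows/build-linux-bundle.yml
+++ b/.github/workflows/build-linux-bundle.yml
@@ -1,10 +1,16 @@
 name: Build Linux Bundle
 
 on:
-workflow_dispatch: {}
 push:
 branches:
 - master
+workflow_dispatch:
+inputs:
+push_to_cache:
+description: "Push to Nix Cache"
+required: false
+type: boolean
+default: false
 
 jobs:
 build:
@@ -14,11 +20,21 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 - uses: DeterminateSystems/nix-installer-action@main
-- uses: DeterminateSystems/magic-nix-cache-action@main
 
 - name: Free disk space
 run: sudo rm -rf /usr/share/dotnet /usr/local/lib/android /opt/ghc /opt/hostedtoolcache
 
+- name: Build Nix Package
+run: nix build .nix --no-link --print-out-paths
+
+- name: Push to Nix Cache
+if: github.ref == 'refs/heads/master' || inputs.push_to_cache == true
+env:
+NIX_CACHE_AUTH_TOKEN: ${{ secrets.NIX_CACHE_AUTH_TOKEN }}
+run: |
+nix run nixpkgs#cachix -- authtoken $NIX_CACHE_AUTH_TOKEN
+nix build .nix --no-link --print-out-paths | nix run nixpkgs#cachix -- push graphite
+
 - name: Build Linux Bundle
 run: nix build .nix#graphite-bundle.tar.xz && cp ./result ./graphite-linux-bundle.tar.xz
 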
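Review bot: In the new "Push to Nix Cache" step the cache write token is expanded unquoted onto the command line of `nix run nixpkgs#cachix -- authtoken $NIX_CACHE_AUTH_TOKEN`, which places it in the process arguments and has cachix persist it in its config on the runner. cachix reads `CACHIX_AUTH_TOKEN` from the environment, so the step can declare `CACHIX_AUTH_TOKEN: ${{ secrets.NIX_CACHE_AUTH_TOKEN }}` under `env:` and drop the `authtoken` line entirely. `nixpkgs#cachix` also appears to resolve through the flake registry rather than a locked input, so the binary that receives the token is not pinned. Finally, `inputs.push_to_cache == true` lets a manual dispatch from any branch write to the shared `graphite` cache; if consumers trust that cache, restricting the push to `refs/heads/master` is the safer default.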

Lines changed: 157 additions & 0 deletions
@@ -0,0 +1,157 @@
1+
name: Build Mac Bundle
2+
3+
on:
4+
workflow_dispatch: {}
5+
push:
6+
branches:
7+
- master
8+
9+
jobs:
10+
build:
11+
runs-on: macos-latest
12+
13+
env:
14+
WASM_BINDGEN_CLI_VERSION: "0.2.100"
15+
16+
steps:
17+
- name: Checkout
18+
uses: actions/checkout@v4
19+
20+
- name: Setup Rust
21+
uses: actions-rust-lang/setup-rust-toolchain@v1
22+
with:
23+
toolchain: stable
24+
override: true
25+
rustflags: ""
26+
target: wasm32-unknown-unknown
27+
28+
- name: Cache Cargo
29+
uses: actions/cache@v4
30+
with:
31+
path: |
32+
~/.cargo/registry
33+
~/.cargo/git
34+
target
35+
key: cargo-${{ runner.os }}-${{ hashFiles('**/Cargo.lock') }}
36+
37+
- name: Setup Node
38+
uses: actions/setup-node@v4
39+
with:
40+
node-version-file: .nvmrc
41+
cache: npm
42+
cache-dependency-path: |
43+
package-lock.json
44+
frontend/package-lock.json
45+
46+
- name: Install Native Dependencies
47+
env:
48+
GITHUB_TOKEN: ${{ github.token }}
49+
BINSTALL_DISABLE_TELEMETRY: "true"
50+
run: |
51+
brew update
52+
brew install \
53+
pkg-config \
54+
openssl@3 \
55+
binaryen \
56+
llvm \
57+
cargo-binstall
58+
59+
echo "OPENSSL_DIR=$(brew --prefix openssl@3)" >> $GITHUB_ENV
60+
echo "PKG_CONFIG_PATH=$(brew --prefix openssl@3)/lib/pkgconfig" >> $GITHUB_ENV
61+
echo "$(brew --prefix llvm)/bin" >> $GITHUB_PATH
62+
63+
cargo binstall --no-confirm --force wasm-pack
64+
cargo binstall --no-confirm --force cargo-about
65+
cargo binstall --no-confirm --force "wasm-bindgen-cli@${WASM_BINDGEN_CLI_VERSION}"
66+
67+
- name: Build Mac Bundle
68+
env:
69+
CARGO_TERM_COLOR: always
70+
run: npm run build-desktop
71+
72+
- name: Stage Artifacts
73+
shell: bash
74+
run: |
75+
rm -rf target/artifacts
76+
mkdir -p target/artifacts
77+
cp -R target/release/Graphite.app target/artifacts/Graphite.app
78+
79+
- name: Upload Mac Bundle
80+
uses: actions/upload-artifact@v4
81+
with:
82+
name: graphite-mac-bundle
83+
path: target/artifacts
84+
85+
- name: Sign and Notarize Mac Bundle Preparation
86+
if: github.ref == 'refs/heads/master'
87+
env:
88+
APPLE_CERT_BASE64: ${{ secrets.APPLE_CERT_BASE64 }}
89+
APPLE_CERT_PASSWORD: ${{ secrets.APPLE_CERT_PASSWORD }}
90+
run: |
91+
mkdir -p .sign
92+
echo "$APPLE_CERT_BASE64" | base64 --decode > .sign/certificate.p12
93+
94+
security create-keychain -p "" .sign/main.keychain
95+
security default-keychain -s .sign/main.keychain
96+
security unlock-keychain -p "" .sign/main.keychain
97+
security set-keychain-settings -t 3600 -u .sign/main.keychain
98+
99+
security import .sign/certificate.p12 -k .sign/main.keychain -P "$APPLE_CERT_PASSWORD" -T /usr/bin/codesign -T /usr/bin/productsign
100+
security set-key-partition-list -S apple-tool:,apple: -s -k "" .sign/main.keychain
101+
102+
cat > .sign/entitlements.plist <<'EOF'
103+
<?xml version="1.0" encoding="UTF-8"?>
104+
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
105+
<plist version="1.0">
106+
<dict>
107+
<key>com.apple.security.cs.allow-jit</key>
108+
<true/>
109+
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
110+
<true/>
111+
<key>com.apple.security.cs.disable-executable-page-protection</key>
112+
<true/>
113+
<key>com.apple.security.cs.disable-library-validation</key>
114+
<true/>
115+
</dict>
116+
</plist>
117+
EOF
118+
119+
- name: Sign and Notarize Mac Bundle
120+
if: github.ref == 'refs/heads/master'
121+
env:
122+
APPLE_EMAIL: ${{ secrets.APPLE_EMAIL }}
123+
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
124+
APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
125+
APPLE_CERT_NAME: ${{ secrets.APPLE_CERT_NAME }}
126+
run: |
127+
CERTIFICATE="$APPLE_CERT_NAME"
128+
ENTITLEMENTS=".sign/entitlements.plist"
129+
APP_PATH="target/artifacts/Graphite.app"
130+
ZIP_PATH=".sign/Graphite.zip"
131+
132+
codesign --force --options runtime --entitlements "$ENTITLEMENTS" --sign "$CERTIFICATE" "$APP_PATH/Contents/Frameworks/Graphite Helper.app"
133+
codesign --force --options runtime --entitlements "$ENTITLEMENTS" --sign "$CERTIFICATE" "$APP_PATH/Contents/Frameworks/Graphite Helper (GPU).app"
134+
codesign --force --options runtime --entitlements "$ENTITLEMENTS" --sign "$CERTIFICATE" "$APP_PATH/Contents/Frameworks/Graphite Helper (Renderer).app"
135+
codesign --force --options runtime --entitlements "$ENTITLEMENTS" --sign "$CERTIFICATE" "$APP_PATH/Contents/Frameworks/Chromium Embedded Framework.framework"
136+
codesign --force --options runtime --entitlements "$ENTITLEMENTS" --sign "$CERTIFICATE" "$APP_PATH/Contents/Frameworks/Chromium Embedded Framework.framework/Libraries/libcef_sandbox.dylib"
137+
codesign --force --options runtime --entitlements "$ENTITLEMENTS" --sign "$CERTIFICATE" "$APP_PATH/Contents/Frameworks/Chromium Embedded Framework.framework/Libraries/libEGL.dylib"
138+
codesign --force --options runtime --entitlements "$ENTITLEMENTS" --sign "$CERTIFICATE" "$APP_PATH/Contents/Frameworks/Chromium Embedded Framework.framework/Libraries/libGLESv2.dylib"
139+
codesign --force --options runtime --entitlements "$ENTITLEMENTS" --sign "$CERTIFICATE" "$APP_PATH/Contents/Frameworks/Chromium Embedded Framework.framework/Libraries/libvk_swiftshader.dylib"
140+
codesign --force --options runtime --entitlements "$ENTITLEMENTS" --sign "$CERTIFICATE" "$APP_PATH" --deep
141+
142+
codesign --verify --deep --strict --verbose=4 "$APP_PATH"
143+
144+
ditto -c -k --keepParent "$APP_PATH" "$ZIP_PATH"
145+
xcrun notarytool submit "$ZIP_PATH" --wait --apple-id "$APPLE_EMAIL" --team-id "$APPLE_TEAM_ID" --password "$APPLE_PASSWORD"
146+
rm "$ZIP_PATH"
147+
148+
xcrun stapler staple -v "$APP_PATH"
149+
150+
spctl -a -vv "$APP_PATH"
151+
152+
- name: Upload Mac Bundle Signed
153+
if: github.ref == 'refs/heads/master'
154+
uses: actions/upload-artifact@v4
155+
with:
156+
name: graphite-mac-bundle-signed
157+
path: target/artifacts
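Review bot: The entitlements heredoc in the "Sign and Notarize Mac Bundle Preparation" step grants all four hardened-runtime exceptions, and the next step signs every helper, the CEF framework and the main app with that one file, so the notarized bundle ships with most of the hardened runtime switched off for every component. `com.apple.security.cs.disable-executable-page-protection` is the broadest of the four and is normally unnecessary once `allow-jit` is present; I would drop it and keep the JIT and unsigned-memory exceptions only on the helper(s) that need them (presumably the renderer), with a minimal entitlements file for the main executable. Separately, this workflow has no top-level `permissions:` block although the install step hands `github.token` to `brew` and `cargo binstall`; adding `permissions:` with `contents: read` would cap that token. The decoded `.sign/certificate.p12` is also never deleted after `security import`, so an `rm .sign/certificate.p12` at the end of that step would avoid leaving key material in the workspace for later steps.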
Lines changed: 172 additions & 0 deletions
@@ -0,0 +1,172 @@
1+
name: Build Windows Bundle
2+
3+
on:
4+
workflow_dispatch: {}
5+
push:
6+
branches:
7+
- master
8+
9+
permissions:
10+
contents: read
11+
id-token: write
12+
13+
jobs:
14+
build:
15+
runs-on: windows-latest
16+
17+
env:
18+
WASM_BINDGEN_CLI_VERSION: "0.2.100"
19+
20+
steps:
21+
- name: Checkout
22+
uses: actions/checkout@v4
23+
24+
- name: Setup Rust
25+
uses: actions-rust-lang/setup-rust-toolchain@v1
26+
with:
27+
toolchain: stable
28+
override: true
29+
rustflags: ""
30+
target: wasm32-unknown-unknown
31+
32+
- name: Cache Cargo
33+
uses: actions/cache@v4
34+
with:
35+
path: |
36+
${{ env.USERPROFILE }}\.cargo\registry
37+
${{ env.USERPROFILE }}\.cargo\git
38+
target
39+
key: cargo-${{ runner.os }}-${{ hashFiles('**/Cargo.lock') }}
40+
41+
- name: Setup Node
42+
uses: actions/setup-node@v4
43+
with:
44+
node-version-file: .nvmrc
45+
cache: npm
46+
cache-dependency-path: |
47+
package-lock.json
48+
frontend/package-lock.json
49+
50+
- name: Setup Cargo Binstall
51+
uses: cargo-bins/cargo-binstall@main
52+
53+
- name: Install Native Dependencies
54+
shell: pwsh
55+
env:
56+
GITHUB_TOKEN: ${{ github.token }}
57+
BINSTALL_DISABLE_TELEMETRY: "true"
58+
run: |
59+
winget install --id LLVM.LLVM -e --accept-package-agreements --accept-source-agreements
60+
winget install --id Kitware.CMake -e --accept-package-agreements --accept-source-agreements
61+
winget install --id OpenSSL.OpenSSL -e --accept-package-agreements --accept-source-agreements
62+
winget install --id WebAssembly.Binaryen -e --accept-package-agreements --accept-source-agreements
63+
winget install --id GnuWin32.PkgConfig -e --accept-package-agreements --accept-source-agreements
64+
65+
"OPENSSL_DIR=C:\Program Files\OpenSSL-Win64" | Out-File -FilePath $env:GITHUB_ENV -Append
66+
"PKG_CONFIG_PATH=C:\Program Files\OpenSSL-Win64\lib\pkgconfig" | Out-File -FilePath $env:GITHUB_ENV -Append
67+
68+
cargo binstall --no-confirm --force wasm-pack
69+
cargo binstall --no-confirm --force cargo-about
70+
cargo binstall --no-confirm --force "wasm-bindgen-cli@$env:WASM_BINDGEN_CLI_VERSION"
71+
72+
- name: Build Windows Bundle
73+
env:
74+
CARGO_TERM_COLOR: always
75+
run: npm run build-desktop
76+
77+
- name: Stage Artifacts
78+
shell: bash
79+
run: |
80+
rm -rf target/artifacts
81+
mkdir -p target/artifacts
82+
cp -R target/release/Graphite target/artifacts/Graphite
83+
84+
- name: Upload Windows Bundle
85+
uses: actions/upload-artifact@v4
86+
with:
87+
name: graphite-windows-bundle
88+
path: target/artifacts
89+
90+
- name: Azure login
91+
if: github.ref == 'refs/heads/master'
92+
uses: azure/login@v1
93+
with:
94+
client-id: ${{ secrets.AZURE_CLIENT_ID }}
95+
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
96+
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
97+
enable-AzPSSession: true
98+
99+
- name: Sign
100+
if: github.ref == 'refs/heads/master'
101+
uses: azure/artifact-signing-action@v1
102+
with:
103+
endpoint: https://eus.codesigning.azure.net/
104+
signing-account-name: Graphite
105+
certificate-profile-name: Graphite
106+
files: |
107+
${{ github.workspace }}\target\artifacts\Graphite\Graphite.exe
108+
${{ github.workspace }}\target\artifacts\Graphite\libcef.dll
109+
${{ github.workspace }}\target\artifacts\Graphite\chrome_elf.dll
110+
${{ github.workspace }}\target\artifacts\Graphite\vulkan-1.dll
111+
${{ github.workspace }}\target\artifacts\Graphite\dxcompiler.dll
112+
${{ github.workspace }}\target\artifacts\Graphite\libEGL.dll
113+
${{ github.workspace }}\target\artifacts\Graphite\libGLESv2.dll
114+
${{ github.workspace }}\target\artifacts\Graphite\vk_swiftshader.dll
115+
file-digest: SHA256
116+
timestamp-rfc3161: http://timestamp.acs.microsoft.com
117+
timestamp-digest: SHA256
118+
correlation-id: ${{ github.sha }}
119+
120+
- name: Verify Signatures
121+
if: github.ref == 'refs/heads/master'
122+
shell: pwsh
123+
run: |
124+
$ErrorActionPreference = "Stop"
125+
126+
$TargetDir = "target\artifacts\Graphite"
127+
128+
if (-not (Test-Path $TargetDir)) {
129+
throw "TargetDir not found: $TargetDir"
130+
}
131+
132+
$UnsignedOrBad = @()
133+
134+
Get-ChildItem -Path $TargetDir -Recurse -File -Include *.exe,*.dll | ForEach-Object {
135+
$sig = Get-AuthenticodeSignature -FilePath $_.FullName
136+
137+
if ($sig.Status -ne 'Valid') {
138+
$UnsignedOrBad += "$($_.FullName) (Status=$($sig.Status))"
139+
}
140+
}
141+
142+
if ($UnsignedOrBad.Count -gt 0) {
143+
Write-Host "Unsigned or invalid binaries detected:"
144+
$UnsignedOrBad | ForEach-Object {
145+
Write-Host "::error::$_"
146+
}
147+
148+
if ($env:GITHUB_STEP_SUMMARY) {
149+
"### ❌ Unsigned or invalid binaries detected" |
150+
Out-File $env:GITHUB_STEP_SUMMARY -Append -Encoding utf8
151+
"" | Out-File $env:GITHUB_STEP_SUMMARY -Append -Encoding utf8
152+
$UnsignedOrBad | ForEach-Object {
153+
"* `$_" | Out-File $env:GITHUB_STEP_SUMMARY -Append -Encoding utf8
154+
}
155+
}
156+
157+
exit 1
158+
}
159+
160+
Write-Host "All binaries are signed and valid."
161+
162+
if ($env:GITHUB_STEP_SUMMARY) {
163+
"### ✅ All binaries are signed and valid" |
164+
Out-File $env:GITHUB_STEP_SUMMARY -Append -Encoding utf8
165+
}
166+
167+
- name: Upload Windows Bundle Signed
168+
if: github.ref == 'refs/heads/master'
169+
uses: actions/upload-artifact@v4
170+
with:
171+
name: graphite-windows-bundle-signed
172+
path: target/artifacts
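Review bot: `id-token: write` is granted at workflow level, so every step of the single `build` job can request the OIDC token that "Azure login" later exchanges for signing access — including `cargo-bins/cargo-binstall@main` (a mutable branch ref), the `winget` and `cargo binstall` installs, and `npm run build-desktop`. The `if: github.ref == 'refs/heads/master'` guards only skip the login and sign steps; they do not limit which step can mint the token, so the restriction presumably rests entirely on the federated-credential subject configured in Azure. I would move Azure login, Sign, Verify Signatures and the signed upload into a separate `sign` job that downloads `graphite-windows-bundle`, grant `id-token: write` only on that job, and pin `cargo-bins/cargo-binstall` to a commit SHA instead of `@main`.

```yaml
permissions:
  contents: read

jobs:
  build:
    runs-on: windows-latest
    # … unchanged: env, Checkout through "Upload Windows Bundle" …

  sign:
    needs: build
    if: github.ref == 'refs/heads/master'
    runs-on: windows-latest
    permissions:
      contents: read
      id-token: write
    steps:
      - name: Download Windows Bundle
        uses: actions/download-artifact@v4
        with:
          name: graphite-windows-bundle
          path: target/artifacts
      # … unchanged: Azure login, Sign, Verify Signatures, Upload Windows Bundle Signed …
```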
