SpacetimeDB/.github/workflows/package.yml at 1be82aff6fd119b4be6fcfb34cce17a806c37f44 · clockworklabs/SpacetimeDB · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
name: Package SpacetimeDB CLI

on:
  push:
    tags:
      - '**'
  workflow_dispatch:

permissions:
  contents: read

jobs:
  build-cli:
    if: ${{ !(startsWith(github.ref, 'refs/tags/') && matrix.target == 'x86_64-pc-windows-msvc') }}
    strategy:
      fail-fast: false
      matrix:
        include:
          # WARNING - do not upgrade this runner to 24.04 or the self hosted runners because it will break downloads for
          #   anyone who uses a linux distro that doesn't have glibc >= GLIBC_2.38
          - { name: x86_64 Linux, target: x86_64-unknown-linux-gnu, runner: ubuntu-22.04 }
          - { name: aarch64 Linux, target: aarch64-unknown-linux-gnu, runner: arm-runner }
          # Disabled because musl builds weren't working and we didn't want to investigate. See https://github.com/clockworklabs/SpacetimeDB/pull/2964.
          # - { name: x86_64 Linux musl, target: x86_64-unknown-linux-musl, runner: bare-metal, container: alpine }
          # FIXME: arm musl build. "JavaScript Actions in Alpine containers are only supported on x64 Linux runners"
          # - { name: aarch64 Linux musl, target: aarch64-unknown-linux-musl, runner: arm-runner }
          - { name: aarch64 macOS, target: aarch64-apple-darwin, runner: macos-latest }
          - { name: x86_64 macOS, target: x86_64-apple-darwin, runner: macos-latest }
          - { name: x86_64 Windows, target: x86_64-pc-windows-msvc, runner: windows-latest }

    name: Build CLI for ${{ matrix.name }}
    runs-on: ${{ matrix.runner }}

    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - name: Show arch
        run: uname -a

      - name: Install musl dependencies
        # TODO: Should we use `matrix.container == 'alpine'` instead of the `endsWith` check?
        if: endsWith(matrix.target, '-musl')
        run: apk add gcc g++ bash curl linux-headers perl git make

      - name: Install Rust
        uses: dsherret/rust-toolchain-file@v1
      - name: Set default rust toolchain
        run: rustup default $(rustup show active-toolchain | cut -d' ' -f1)

      - name: Install rust target
        run: rustup target add ${{ matrix.target }}

      - name: Compile
        run: |
          cargo build --release --target ${{ matrix.target }} -p spacetimedb-cli -p spacetimedb-standalone -p spacetimedb-update

      - name: Package (unix)
        if: ${{ runner.os != 'Windows' }}
        shell: bash
        run: |
          mkdir build
          cd target/${{matrix.target}}/release
          cp spacetimedb-update ../../../build/spacetimedb-update-${{matrix.target}}
          tar -czf ../../../build/spacetime-${{matrix.target}}.tar.gz spacetimedb-{cli,standalone}

      - name: Package (windows)
        if: ${{ runner.os == 'Windows' }}
        shell: bash
        run: |
          mkdir build
          cd target/${{matrix.target}}/release
          cp spacetimedb-update.exe ../../../build/spacetimedb-update-${{matrix.target}}.exe
          7z a ../../../build/spacetime-${{matrix.target}}.zip spacetimedb-cli.exe spacetimedb-standalone.exe

      - name: Extract branch name
        shell: bash
        run: echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_OUTPUT
        id: extract_branch

      - name: Upload to DO Spaces
        uses: shallwefootball/s3-upload-action@master
        with:
          aws_key_id: ${{ secrets.AWS_KEY_ID }}
          aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY}}
          aws_bucket: ${{ vars.AWS_BUCKET }}
          source_dir: build
          endpoint: https://nyc3.digitaloceanspaces.com
          destination_dir: ${{ steps.extract_branch.outputs.branch }}

  build-cli-windows-signed:
    if: ${{ startsWith(github.ref, 'refs/tags/') }}
    name: Build and sign CLI for x86_64 Windows
    runs-on: [self-hosted, windows, signing]
    environment: codesign
    concurrency:
      group: codesign-${{ github.ref }}
      cancel-in-progress: false

    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - name: Install Rust
        uses: dsherret/rust-toolchain-file@v1

      - name: Install rust target
        run: rustup target add x86_64-pc-windows-msvc

      - name: Compile
        run: |
          cargo build --release --target x86_64-pc-windows-msvc -p spacetimedb-cli -p spacetimedb-standalone -p spacetimedb-update

      - name: Write certificate file
        shell: powershell
        env:
          DIGICERT_CERT_B64: ${{ secrets.DIGICERT_CERT_B64 }}
        run: |
          [IO.File]::WriteAllBytes("digicert.crt", [Convert]::FromBase64String($env:DIGICERT_CERT_B64))

      - name: Sign binaries
        shell: powershell
        env:
          DIGICERT_KEYPAIR_ALIAS: ${{ secrets.DIGICERT_KEYPAIR_ALIAS }}
        run: |
          $ErrorActionPreference = 'Stop'
          $targetDir = Join-Path $env:GITHUB_WORKSPACE 'target\x86_64-pc-windows-msvc\release'
          $certFile = Join-Path $env:GITHUB_WORKSPACE 'digicert.crt'

          $signtool = Get-Command signtool.exe -ErrorAction Stop

          $files = @(
            (Join-Path $targetDir 'spacetimedb-update.exe'),
            (Join-Path $targetDir 'spacetimedb-cli.exe'),
            (Join-Path $targetDir 'spacetimedb-standalone.exe')
          )

          foreach ($file in $files) {
            & $signtool.Path sign /csp "DigiCert Signing Manager KSP" /kc $env:DIGICERT_KEYPAIR_ALIAS /f $certFile /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 $file
            & $signtool.Path verify /v /pa $file
          }

      - name: Package (windows)
        shell: powershell
        run: |
          $ErrorActionPreference = 'Stop'
          New-Item -ItemType Directory -Force -Path build | Out-Null
          $releaseDir = Join-Path $env:GITHUB_WORKSPACE 'target\x86_64-pc-windows-msvc\release'

          Copy-Item (Join-Path $releaseDir 'spacetimedb-update.exe') (Join-Path $env:GITHUB_WORKSPACE 'build\spacetimedb-update-x86_64-pc-windows-msvc.exe')
          Compress-Archive -Force -Path @(
            (Join-Path $releaseDir 'spacetimedb-cli.exe'),
            (Join-Path $releaseDir 'spacetimedb-standalone.exe')
          ) -DestinationPath (Join-Path $env:GITHUB_WORKSPACE 'build\spacetime-x86_64-pc-windows-msvc.zip')

      - name: Extract branch name
        shell: powershell
        run: |
          $ErrorActionPreference = 'Stop'
          $branch = $env:GITHUB_HEAD_REF
          if ([string]::IsNullOrEmpty($branch)) {
            $branch = $env:GITHUB_REF -replace '^refs/heads/', ''
          }
          "branch=$branch" | Out-File -FilePath $env:GITHUB_OUTPUT -Encoding utf8 -Append
        id: extract_branch

      - name: Upload to DO Spaces
        uses: shallwefootball/s3-upload-action@master
        with:
          aws_key_id: ${{ secrets.AWS_KEY_ID }}
          aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY}}
          aws_bucket: ${{ vars.AWS_BUCKET }}
          source_dir: build
          endpoint: https://nyc3.digitaloceanspaces.com
          destination_dir: ${{ steps.extract_branch.outputs.branch }}