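# CI workflow (ci.yml).
#
# - test: builds and tests the extension on pushes and pull requests.
# - build-git-crypt: on version tags or manual dispatch, downloads the git-crypt
#   source named in git-crypt-version.txt, checks its SHA-256 and builds one
#   binary per target.
# - publish: packages the binaries into platform-specific VSIX files, verifies
#   their contents and publishes them unless this is a dry run.
#
# Supply-chain note: every `uses:` below references a mutable major-version tag.
# The publish job holds `contents: write` and the marketplace token, so pinning
# each action to a full commit SHA is recommended.
name: CI

on:
  push:
    branches: [main, dev]
    tags: ['v*']
  pull_request:
    branches: [main]
  workflow_dispatch:
    inputs:
      dry_run:
        description: 'Dry run (skip GitHub release and marketplace publish)'
        type: boolean
        default: true

# Least privilege by default; only the publish job widens this.
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
        with:
          # No step in this job appears to need authenticated git access after
          # checkout, so keep the token out of .git/config while npm scripts run.
          persist-credentials: false
      - uses: actions/setup-node@v6
        with:
          node-version: 24
      - run: |
          # Refresh the package index first so the install does not fail on a
          # stale runner image.
          sudo apt-get update
          sudo apt-get install -y git-crypt
      - run: npm ci
      - run: npm run build
      - run: npm test

  build-git-crypt:
    if: startsWith(github.ref, 'refs/tags/v') || github.event_name == 'workflow_dispatch'
    strategy:
      matrix:
        include:
          - target: darwin
            os: macos-15
          - target: linux-x64
            os: ubuntu-latest
            platform: linux/amd64
          - target: linux-arm64
            os: ubuntu-latest
            platform: linux/arm64
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false
      - name: Read git-crypt version
        id: version
        run: |
          # Line 1 of git-crypt-version.txt is the upstream ref to download,
          # line 2 the expected SHA-256 of that archive.
          version="$(sed -n '1p' git-crypt-version.txt)"
          checksum="$(sed -n '2p' git-crypt-version.txt)"
          # Both values end up in a URL, a directory name and a checksum line,
          # so reject anything that is not a plain ref / 64-digit hex string.
          if ! printf '%s' "$version" | grep -Eq '^[0-9A-Za-z._-]+$'; then
            echo "Error: unexpected git-crypt version in git-crypt-version.txt"
            exit 1
          fi
          if ! printf '%s' "$checksum" | grep -Eq '^[0-9A-Fa-f]{64}$'; then
            echo "Error: unexpected git-crypt checksum in git-crypt-version.txt"
            exit 1
          fi
          echo "version=$version" >> "$GITHUB_OUTPUT"
          echo "checksum=$checksum" >> "$GITHUB_OUTPUT"
      - name: Download and verify git-crypt source
        # Step outputs are passed through env rather than expanded into the
        # script text, so the shell only ever sees them as data.
        env:
          GIT_CRYPT_VERSION: ${{ steps.version.outputs.version }}
          GIT_CRYPT_SHA256: ${{ steps.version.outputs.checksum }}
        run: |
          curl -fsSL "https://github.com/AGWA/git-crypt/archive/${GIT_CRYPT_VERSION}.tar.gz" -o git-crypt-src.tar.gz
          # Verify before extracting; a mismatch fails the step.
          echo "${GIT_CRYPT_SHA256}  git-crypt-src.tar.gz" | shasum -a 256 -c
          tar xzf git-crypt-src.tar.gz
      - name: Build (macOS)
        if: runner.os == 'macOS'
        env:
          GIT_CRYPT_VERSION: ${{ steps.version.outputs.version }}
        run: |
          brew install openssl@3
          OPENSSL_DIR="$(brew --prefix openssl@3)"
          cd "git-crypt-${GIT_CRYPT_VERSION}"
          # Makefile uses LDFLAGS += -lcrypto (not overridable via command line).
          # Patch to link the static archive directly instead.
          sed -i '' "s|-lcrypto|${OPENSSL_DIR}/lib/libcrypto.a|" Makefile
          make CXXFLAGS="-O2 -Wall -I${OPENSSL_DIR}/include"
          strip git-crypt
          mkdir -p ../bin
          cp git-crypt ../bin/
      - name: Set up QEMU
        if: matrix.platform == 'linux/arm64'
        uses: docker/setup-qemu-action@v4
      - name: Build (Linux static)
        if: runner.os == 'Linux'
        env:
          GIT_CRYPT_VERSION: ${{ steps.version.outputs.version }}
          DOCKER_PLATFORM: ${{ matrix.platform }}
        run: |
          # NOTE(security): `alpine` is pulled by floating tag, so the toolchain
          # and the libcrypto.a linked into the shipped binary can change
          # between runs. Pin the image to a tag plus sha256 digest.
          # The version is handed to the container with -e and the script is
          # single-quoted, so nothing is spliced into the inner shell text.
          docker run --rm --platform "$DOCKER_PLATFORM" \
            -e GIT_CRYPT_VERSION \
            -v "$PWD:/build" -w /build alpine sh -c '
              apk add g++ make musl-dev openssl-dev openssl-libs-static file &&
              cd "git-crypt-${GIT_CRYPT_VERSION}" &&
              sed -i "s|-lcrypto|/usr/lib/libcrypto.a|" Makefile &&
              LDFLAGS="-static" make &&
              strip git-crypt &&
              ./git-crypt --version &&
              file git-crypt &&
              mkdir -p ../bin &&
              cp git-crypt ../bin/
            '
      - name: Smoke test
        if: runner.os == 'macOS'
        run: |
          ./bin/git-crypt --version
          file ./bin/git-crypt
      - uses: actions/upload-artifact@v7
        with:
          name: git-crypt-${{ matrix.target }}
          path: bin/git-crypt
          # Fail here, not later in publish, if the build produced no binary.
          if-no-files-found: error

  publish:
    needs: [test, build-git-crypt]
    if: startsWith(github.ref, 'refs/tags/v') || github.event_name == 'workflow_dispatch'
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v6
        with:
          # Full history is needed for the ancestry check below.
          fetch-depth: 0
          # The release step authenticates through GH_TOKEN, so the write-scoped
          # token need not sit in .git/config while npm ci and packaging run.
          persist-credentials: false
      - name: Verify tag is on main
        if: startsWith(github.ref, 'refs/tags/v')
        run: |
          # Exact ancestry test against origin/main. A substring match on the
          # branch list would also accept branches such as origin/main-foo.
          if ! git merge-base --is-ancestor "$GITHUB_SHA" refs/remotes/origin/main; then
            echo "Error: tag $GITHUB_REF_NAME is not on the main branch"
            exit 1
          fi
      - uses: actions/setup-node@v6
        with:
          node-version: 24
      - run: npm ci
      - name: Verify tag matches package.json version
        if: startsWith(github.ref, 'refs/tags/v')
        run: |
          PKG_VERSION="v$(node -p 'require("./package.json").version')"
          if [ "$PKG_VERSION" != "$GITHUB_REF_NAME" ]; then
            echo "Error: tag $GITHUB_REF_NAME does not match package.json version $PKG_VERSION"
            exit 1
          fi
      - uses: actions/download-artifact@v8
        with:
          pattern: git-crypt-*
          path: artifacts/
      - name: Package platform-specific VSIX files
        run: |
          for target in darwin-arm64 darwin-x64 linux-x64 linux-arm64; do
            mkdir -p bin
            # Both darwin targets use the same arm64 binary (Rosetta handles x64)
            case "$target" in
              darwin-*) ARTIFACT="darwin" ;;
              *) ARTIFACT="$target" ;;
            esac
            cp "artifacts/git-crypt-${ARTIFACT}/git-crypt" bin/git-crypt
            chmod +x bin/git-crypt
            npm run package -- --target "$target"
            rm -rf bin
          done
      - name: Package universal VSIX (no bundled binary)
        run: npm run package
      - name: Verify VSIX contents
        run: |
          # Platform packages must carry bin/git-crypt and must not carry the
          # raw artifacts/ download directory.
          for f in git-crypt-vscode-*-*.vsix; do
            echo "=== $f ==="
            unzip -l "$f" | grep -q 'bin/git-crypt' || { echo "FAIL: bin/git-crypt missing from $f"; exit 1; }
            if unzip -l "$f" | grep -q 'artifacts/'; then
              echo "FAIL: artifacts/ should not be in $f"
              exit 1
            fi
          done
          # The universal package must carry neither.
          echo "=== universal ==="
          UNIVERSAL=$(ls git-crypt-vscode-*.vsix | grep -v -- '-darwin\|-linux')
          if unzip -l "$UNIVERSAL" | grep -q 'bin/git-crypt'; then
            echo "FAIL: bin/git-crypt should not be in universal $UNIVERSAL"
            exit 1
          fi
          if unzip -l "$UNIVERSAL" | grep -q 'artifacts/'; then
            echo "FAIL: artifacts/ should not be in universal $UNIVERSAL"
            exit 1
          fi
          echo "All VSIX contents verified"
      - name: Publish to marketplace
        # On push events inputs.dry_run is unset, so !inputs.dry_run is true.
        # NOTE(review): a manual dispatch on main with dry_run=false publishes
        # without the two tag checks above, which only run for tag refs.
        if: ${{ !inputs.dry_run && (startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main') }}
        run: npm run publish -- --packagePath git-crypt-vscode-*.vsix
        env:
          # Scoped to this step only, so earlier npm scripts never see it.
          VSCE_PAT: ${{ secrets.VSCE_PAT }}
      - name: Create or update GitHub release
        if: startsWith(github.ref, 'refs/tags/v') && !inputs.dry_run
        run: |
          # Create the release, or replace its assets if it already exists.
          gh release create "$GITHUB_REF_NAME" git-crypt-vscode-*.vsix --title "$GITHUB_REF_NAME" --generate-notes ||
            gh release upload "$GITHUB_REF_NAME" git-crypt-vscode-*.vsix --clobber
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}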