-
Notifications
You must be signed in to change notification settings - Fork 38
441 lines (384 loc) · 16.8 KB
/
package-client.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
name: Package client
on:
pull_request:
paths:
- .github/workflows/package-client.yml
- client/electron/package.js
- client/electron/snap/*
workflow_call:
inputs:
version:
description: The version to use
type: string
required: true
version_patch_run_id:
description: |
The run id where the version.patch artifact was uploaded.
If not provided, the workflow will generate the patch by itself.
type: string
required: true
commit_sha:
required: true
type: string
description: The commit SHA to use when checkout'ing the repository
default: ${{ github.sha }}
nightly_build:
type: boolean
description: The current build is a nightly build
default: false
secrets:
SENTRY_AUTH_TOKEN:
required: true
workflow_dispatch:
inputs:
version:
description: The version to use (if not provided, will generate one from code space version)
type: string
required: false
# Set `concurrency` to prevent this workflow from being run on code that is not up-to-date on a PR (e.g. when making many push quickly on a PR).
# This behavior is only intended for a PR and not for merge commits on the main branch. Having the workflow run on each merge commit can be useful to spot regressions missed by previous checks.
# To distinguish between these cases, we use `head_ref` that is only defined on `pull-request` and fallback to `run_id` (this is a counter, so it's value is unique between workflow call).
concurrency:
group: package-client-${{ github.workflow }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: true
env:
# We use the version 18.12 because the version >= 18.13 have some breaking changes on how they format the date.
# That would break our unit test if we don't update them.
node-version: 18.12.0
wasm-pack-version: 0.12.1
WINFSP_VERSION: 2.0.23075
permissions:
contents: read
jobs:
version:
if: ${{ inputs.version_patch_run_id == '' }}
uses: ./.github/workflows/_parse_version.yml
with:
version: ${{ inputs.version }}
commit_sha: ${{ inputs.commit_sha }}
webapp:
needs: version
# Always run the job if `version` job is skipped otherwise only if `version` job was successful.
if: ${{ inputs.version_patch_run_id != '' && always() || success() }}
runs-on: ubuntu-22.04
name: ⚡ Package web app
steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # pin v4.2.1
with:
ref: ${{ inputs.commit_sha }}
timeout-minutes: 5
- uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # pin v4.0.4
with:
node-version: ${{ env.node-version }}
timeout-minutes: 2
- name: Download version.patch artifact
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # pin v4.1.8
with:
name: version.patch
path: ${{ runner.temp }}/version.patch
run-id: ${{ inputs.version_patch_run_id || github.run_id }}
- name: Apply version.patch
run: git apply --allow-empty ${{ runner.temp }}/version.patch/version.patch
- name: Install dependencies
run: npm clean-install
working-directory: client
# Install syft
- uses: taiki-e/install-action@437c908c7e5ee18b63a261286cbe5147219f8a39 # pin v2.44.44
with:
tool: [email protected], wasm-pack@${{ env.wasm-pack-version }}
- name: Build web bindings
run: npm run build:release
working-directory: bindings/web
- name: Build web app
run: npm run web:release
env:
PARSEC_APP_SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
working-directory: client
- name: Generate SBOM
run: syft packages --config=.syft.yaml --output=spdx-json=client/dist/Parsec-SBOM-Web.spdx.json .
- uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # pin v4.4.3
with:
name: webapp
path: client/dist/
if-no-files-found: error
electron-snap:
needs: version
runs-on: ubuntu-22.04
# Always run the job if `version` job is skipped otherwise only if `version` job was successful.
if: ${{ inputs.version_patch_run_id != '' && always() || success() }}
steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # pin v4.2.1
with:
ref: ${{ inputs.commit_sha }}
timeout-minutes: 5
- name: Download version.patch artifact
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # pin v4.1.8
with:
name: version.patch
path: ${{ runner.temp }}/version.patch
run-id: ${{ inputs.version_patch_run_id || github.run_id }}
- name: Load version config
id: version
shell: bash
run: |
cat version.patch/version.ini > "$GITHUB_OUTPUT"
cat "$GITHUB_OUTPUT"
working-directory: ${{ runner.temp }}
- name: Apply version.patch
run: git apply --allow-empty ${{ runner.temp }}/version.patch/version.patch
- name: Install snapcraft
uses: samuelmeuli/action-snapcraft@d33c176a9b784876d966f80fb1b461808edc0641 # pin v2.1.1
timeout-minutes: 1
- name: Setup LXD
uses: canonical/setup-lxd@4e959f8e0d9c5feb27d44c5e4d9a330a782edee0 # pin v0.1.1
timeout-minutes: 2
- name: Patch cannot install cypress on lxd
run: npm remove cypress{,-file-upload,-real-events,-vite}
working-directory: client
timeout-minutes: 2
- name: Patch snapcraft for nightly build
if: inputs.nightly_build
run:
sed -i 's/node package.js --mode prod --platform linux dir/& --nightly/' snap/snapcraft.yaml
working-directory: client/electron
# We need to patch the vite.config.js because we cannot pass the secret to the snap build (either via build-args or env).
- name: Patch vite config for snap build
run: >-
sed -i
-e s'/if (process.env.PARSEC_APP_SENTRY_AUTH_TOKEN)/if (true)/'
-e s';authToken: process.env.PARSEC_APP_SENTRY_AUTH_TOKEN;authToken: "${{ secrets.SENTRY_AUTH_TOKEN }}";'
vite.config.ts
working-directory: client
- name: Patch snapcraft file for sentry auth token and vite mode
run: >-
sed -i
-e s';SENTRY_AUTH_TOKEN: __TOKEN__;SENTRY_AUTH_TOKEN: "${{ secrets.SENTRY_AUTH_TOKEN }}";'
-e s'/VITE_MODE: development/VITE_MODE: ${{ steps.version.outputs.type }}/'
snap/snapcraft.yaml
working-directory: client/electron
- name: Build snap
run: |
ln -sv client/electron/snap
snapcraft pack --use-lxd -v
timeout-minutes: 30
- name: Rename artifacts
shell: bash
run: |
ARCH=$(uname -m)
mv -v parsec_*_*.snap Parsec_${{ steps.version.outputs.full }}_linux_$ARCH.snap
# Install syft
- uses: taiki-e/install-action@437c908c7e5ee18b63a261286cbe5147219f8a39 # pin v2.44.44
with:
tool: [email protected]
- name: Generate SBOM
run: syft packages --config=.syft.yaml --output=spdx-json=Parsec-SBOM-Electron-linux-snap.spdx.json .
- uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # pin v4.4.3
with:
name: linux-snap-${{ runner.arch }}-electron
path: |
Parsec_${{ steps.version.outputs.full }}_linux_*.snap
Parsec-SBOM-*.spdx.json
if-no-files-found: error
timeout-minutes: 10
electron-non-snap:
needs: version
# Always run the job if `version` job is skipped otherwise only if `version` job was successful.
if: ${{ inputs.version_patch_run_id != '' && always() || success() }}
strategy:
fail-fast: false
matrix:
include:
- name: 🏁 Windows
platform: windows
os: windows-2022
raw_latest_file: latest.yml
extension: exe
os_alias: win
artifact_tag: windows-exe
- name: 🍎 macOS
platform: macos
os: macos-13
raw_latest_file: latest-mac.yml
extension: "*" # Use wildcard to match dmg and zip extension
os_alias: mac
artifact_tag: macos-dmg
- name: 🐧 AppImage 4 Linux
platform: linux
os: ubuntu-22.04
raw_latest_file: latest-linux.yml
os_alias: linux
extension: AppImage
artifact_tag: linux-appimage
name: "${{matrix.name }}: ⚡ Package electron"
runs-on: ${{ matrix.os }}
timeout-minutes: 60
steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # pin v4.2.1
with:
ref: ${{ inputs.commit_sha }}
timeout-minutes: 5
- uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # pin v4.0.4
with:
node-version: ${{ env.node-version }}
timeout-minutes: 2
- name: Download version.patch artifact
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # pin v4.1.8
with:
name: version.patch
path: ${{ runner.temp }}/version.patch
run-id: ${{ inputs.version_patch_run_id || github.run_id }}
- name: Load version config
id: version
shell: bash
run: |
cat version.patch/version.ini > "$GITHUB_OUTPUT"
cat "$GITHUB_OUTPUT"
working-directory: ${{ runner.temp }}
- name: Apply version.patch
run: git apply --allow-empty ${{ runner.temp }}/version.patch/version.patch
- name: Windows > Install WinFSP
if: matrix.platform == 'windows'
shell: bash -eux {0}
run: |
choco install winfsp -y --version=${{ env.WINFSP_VERSION }}
curl -L https://github.com/winfsp/winfsp/releases/download/v2.0/winfsp-tests-${{ env.WINFSP_VERSION }}.zip -o D:/a/_temp/winfsp-tests.zip
unzip D:/a/_temp/winfsp-tests.zip -d D:/a/_temp/
mv 'D:/a/_temp/winfsp-tests-x64.exe' 'C:/Program Files (x86)/WinFsp/bin/'
timeout-minutes: 2
- name: MacOS > Install macFUSE
if: matrix.platform == 'macos'
run: brew install --cask macfuse
timeout-minutes: 5
- name: Linux > Install system dependencies
if: matrix.platform == 'linux'
run: |
sudo apt-get install -y fuse3 libfuse3-dev
timeout-minutes: 2
- name: Install client dependencies
# Use `--ignore-scripts` to prevent the postinstall script trying to be smarter than us and
# install electron dependencies (as it would use `npm install` instead of `npm clean-install`).
run: npm clean-install --ignore-scripts
working-directory: client
timeout-minutes: 10
- name: Install electron dependencies
run: npm clean-install
working-directory: client/electron
timeout-minutes: 2
- name: Install electron bindings dependencies
run: npm clean-install
working-directory: bindings/electron
timeout-minutes: 1
- name: Build Electron bindings
run: npm run build:release
working-directory: bindings/electron
# MacOS is really slow when build rust
timeout-minutes: 30
- name: Build client for electron
run: npm run native:build -- --mode ${{ steps.version.outputs.type }}
working-directory: client
timeout-minutes: 5
- name: Copy client build result to electron
run: npm exec cap copy @capacitor-community/electron
working-directory: client
timeout-minutes: 1
- name: Prepare codesign
shell: bash
if: matrix.platform == 'macos'
run: |
printenv MACOS_CERT | base64 --decode > certificate.p12
security create-keychain -p "${{ secrets.MACOS_CI_KEYCHAIN_PASSWD }}" build.keychain
security default-keychain -s build.keychain
security unlock-keychain -p "${{ secrets.MACOS_CI_KEYCHAIN_PASSWD }}" build.keychain
security import certificate.p12 -k build.keychain -P "${{ secrets.MACOS_CERT_PASSWD }}" -T /usr/bin/codesign
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${{ secrets.MACOS_CI_KEYCHAIN_PASSWD }}" build.keychain
env:
MACOS_CERT: ${{ secrets.MACOS_CERT }}
timeout-minutes: 2
- name: Build Electron apps
# What's about the extra `--` in `-- --nightly`?
# The reason is for npm to pass the flag `--nightly` to the underlying npm script.
# But since the base npm script `npm run electron:release` call another npm script,
# we need to escape the flag another time by adding another `--`.
run: >-
npm run electron:release
${{ (matrix.platform == 'linux' || inputs.nightly_build || matrix.platform == 'macos') && '--' || '' }}
${{ matrix.platform == 'linux' && 'appimage' || '' }}
${{ inputs.nightly_build && '--nightly' || '' }}
${{ matrix.platform != 'windows' && '--sign' || ''}}
env:
PARSEC_APP_SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
# FIXME: Remove me before merging, I'm just here to test the code signing for macos
CSC_FOR_PULL_REQUEST: true
CSC_LINK: ${{ matrix.platform == 'macos' && secrets.MACOS_CERT}}
CSC_KEY_PASSWORD: ${{ matrix.platform == 'macos' && secrets.MACOS_CERT_PASSWD }}
CSC_NAME: ${{ matrix.platform == 'macos' && secrets.MACOS_CERT_COMMON_NAME }}
CSC_IDENTITY_AUTO_DISCOVERY: ${{ matrix.platform == 'macos' }}
CSC_KEYCHAIN: ${{ matrix.platform == 'macos' && 'build.keychain' }}
APPLE_TEAM_ID: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }}
APPLE_ID: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID}}
APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.MACOS_NOTARIZATION_PASSWD }}
working-directory: client/electron
timeout-minutes: 10
- name: Upload client electron sourcemaps
run: npm run sentry:sourcemaps
env:
SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
working-directory: client/electron
timeout-minutes: 1
# Install syft
- uses: taiki-e/install-action@437c908c7e5ee18b63a261286cbe5147219f8a39 # pin v2.44.44
with:
tool: [email protected]
- name: Generate SBOM
run: syft packages --config=.syft.yaml --output=spdx-json=client/electron/dist/Parsec-SBOM-Electron-${{ matrix.artifact_tag }}.spdx.json .
- name: Debug dist folder
if: runner.debug || false
run: ls client/electron/dist
- name: Build info
id: build-info
shell: bash
run: |
arch=$(uname -m)
app_file="Parsec_${{ steps.version.outputs.full }}_${{ matrix.os_alias }}_${arch}${{ matrix.platform == 'windows' && '.unsigned' || '' }}.${{ matrix.extension }}"
latest_file="latest-${{ matrix.os_alias }}-${arch}.yml"
cat << EOF | tee -a $GITHUB_OUTPUT
arch=$arch
app_file=$app_file
latest_file=$latest_file
EOF
- name: Rename "latest" file
shell: bash
run: mv -v "${{ matrix.raw_latest_file }}" "${{ steps.build-info.outputs.latest_file }}"
working-directory: client/electron/dist
- name: Sanity check that "latest" file contain the correct application file
shell: bash
run: |
cat "${{ steps.build-info.outputs.latest_file }}"
grep -q -e "${{ steps.build-info.outputs.app_file }}" "${{ steps.build-info.outputs.latest_file }}"
working-directory: client/electron/dist
- uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # pin v4.4.3
with:
name: ${{ matrix.artifact_tag }}-${{ runner.arch }}-electron
path: |
client/electron/dist/${{ steps.build-info.outputs.app_file }}
client/electron/dist/${{ steps.build-info.outputs.app_file }}.blockmap
client/electron/dist/${{ steps.build-info.outputs.latest_file }}
client/electron/dist/Parsec-SBOM-*.spdx.json
if-no-files-found: error
timeout-minutes: 10
- uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # pin v4.4.3
if: matrix.platform == 'windows'
with:
name: ${{ matrix.artifact_tag }}-${{ runner.arch }}-electron-pre-built
path: |
client/electron/app
client/electron/build
client/electron/assets
client/electron/scripts
client/electron/package.js
client/electron/package.json
client/electron/package-lock.json
client/electron/sign-windows-package.cmd
client/electron/README.md
if-no-files-found: error
timeout-minutes: 10