mirror of
https://github.com/denoland/deno.git
synced 2025-01-07 06:46:59 -05:00
chore: start codesigning mac release builds (#21303)
- Adds a codesigning step to all mac targets
- Adds a new ci-full label to the build to force aarch64 builds on any PR
parent
e3989c0f64
commit
9d30227d16
4 changed files with 78 additions and 16 deletions
38
.github/workflows/ci.generate.ts
vendored
38
.github/workflows/ci.generate.ts
vendored
|
@ -275,14 +275,18 @@ function handleMatrixItems(items: {
|
|||
}
|
||||
|
||||
if (typeof item.skip === "string") {
|
||||
let text = "${{ (";
|
||||
text += removeSurroundingExpression(item.skip.toString()) + ") && ";
|
||||
let text =
|
||||
"${{ (!contains(github.event.pull_request.labels.*.name, 'ci-full') && (";
|
||||
text += removeSurroundingExpression(item.skip.toString()) + ")) && ";
|
||||
text += `'${Runners.ubuntu}' || ${
|
||||
removeSurroundingExpression(item.os)
|
||||
} }}`;
|
||||
|
||||
// deno-lint-ignore no-explicit-any
|
||||
(item as any).runner = text;
|
||||
item.skip =
|
||||
"${{ !contains(github.event.pull_request.labels.*.name, 'ci-full') && (" +
|
||||
removeSurroundingExpression(item.skip.toString()) + ") }}";
|
||||
}
|
||||
|
||||
return {
|
||||
|
@ -526,10 +530,18 @@ const ci = {
|
|||
name: "Install aarch64 lld",
|
||||
run: [
|
||||
"./tools/install_prebuilt.js ld64.lld",
|
||||
"echo $GITHUB_WORKSPACE/third_party/prebuilt/mac >> $GITHUB_PATH",
|
||||
].join("\n"),
|
||||
if: `matrix.os == '${macosArmRunner}'`,
|
||||
},
|
||||
{
|
||||
name: "Install rust-codesign",
|
||||
run: [
|
||||
"./tools/install_prebuilt.js rcodesign",
|
||||
"echo $GITHUB_WORKSPACE/third_party/prebuilt/mac >> $GITHUB_PATH",
|
||||
].join("\n"),
|
||||
if:
|
||||
`(matrix.os == '${macosArmRunner}' || matrix.os == '${macosX86Runner}')`,
|
||||
},
|
||||
{
|
||||
name: "Log versions",
|
||||
run: [
|
||||
|
@ -680,7 +692,17 @@ const ci = {
|
|||
"matrix.profile == 'release' &&",
|
||||
"github.repository == 'denoland/deno'",
|
||||
].join("\n"),
|
||||
env: {
|
||||
"APPLE_CODESIGN_KEY": "${{ secrets.APPLE_CODESIGN_KEY }}",
|
||||
"APPLE_CODESIGN_PASSWORD": "${{ secrets.APPLE_CODESIGN_PASSWORD }}",
|
||||
},
|
||||
run: [
|
||||
'echo "Key is $(echo $APPLE_CODESIGN_KEY | base64 -d | wc -c) bytes"',
|
||||
"rcodesign sign target/release/deno " +
|
||||
"--code-signature-flags=runtime " +
|
||||
'--p12-password="$APPLE_CODESIGN_PASSWORD" ' +
|
||||
"--p12-file=<(echo $APPLE_CODESIGN_KEY | base64 -d) " +
|
||||
"--entitlements-xml-file=cli/entitlements.plist",
|
||||
"cd target/release",
|
||||
"zip -r deno-x86_64-apple-darwin.zip deno",
|
||||
]
|
||||
|
@ -694,7 +716,17 @@ const ci = {
|
|||
"matrix.profile == 'release' &&",
|
||||
"github.repository == 'denoland/deno'",
|
||||
].join("\n"),
|
||||
env: {
|
||||
"APPLE_CODESIGN_KEY": "${{ secrets.APPLE_CODESIGN_KEY }}",
|
||||
"APPLE_CODESIGN_PASSWORD": "${{ secrets.APPLE_CODESIGN_PASSWORD }}",
|
||||
},
|
||||
run: [
|
||||
'echo "Key is $(echo $APPLE_CODESIGN_KEY | base64 -d | wc -c) bytes"',
|
||||
"rcodesign sign target/release/deno " +
|
||||
"--code-signature-flags=runtime " +
|
||||
'--p12-password="$APPLE_CODESIGN_PASSWORD" ' +
|
||||
"--p12-file=<(echo $APPLE_CODESIGN_KEY | base64 -d) " +
|
||||
"--entitlements-xml-file=cli/entitlements.plist",
|
||||
"cd target/release",
|
||||
"zip -r deno-aarch64-apple-darwin.zip deno",
|
||||
]
|
||||
|
|
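Review bot: Both signing steps (the x86_64 and the aarch64 zip) now run `rcodesign sign` whenever the step runs, but the part of the `if` visible in these hunks only checks `matrix.profile` and `github.repository`, while the `ci-full` label added in `handleMatrixItems` makes mac release builds run on pull requests. GitHub does not pass repository secrets to workflows triggered from forks, so on a labelled fork PR `APPLE_CODESIGN_KEY` would be empty and the build would presumably fail at signing; the start of the condition is outside the hunk, so this is inferred. Consider moving signing into its own step guarded by `github.event_name != 'pull_request'`, or failing early with a clear message via `test -n "$APPLE_CODESIGN_KEY"`. The `echo "Key is … bytes"` line looks like leftover debugging, and both `echo $APPLE_CODESIGN_KEY` expansions should be quoted.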
35
.github/workflows/ci.yml
vendored
35
.github/workflows/ci.yml
vendored
|
@ -60,14 +60,14 @@ jobs:
|
|||
- os: macos-12
|
||||
job: test
|
||||
profile: release
|
||||
skip: '${{ github.event_name == ''pull_request'' }}'
|
||||
runner: '${{ (github.event_name == ''pull_request'') && ''ubuntu-22.04'' || ''macos-12'' }}'
|
||||
skip: '${{ !contains(github.event.pull_request.labels.*.name, ''ci-full'') && (github.event_name == ''pull_request'') }}'
|
||||
runner: '${{ (!contains(github.event.pull_request.labels.*.name, ''ci-full'') && (github.event_name == ''pull_request'')) && ''ubuntu-22.04'' || ''macos-12'' }}'
|
||||
os_display_name: macos-x86_64
|
||||
- os: macos-13-xlarge
|
||||
job: test
|
||||
profile: release
|
||||
skip: '${{ github.event_name == ''pull_request'' || github.ref == ''refs/heads/main'' }}'
|
||||
runner: '${{ (github.event_name == ''pull_request'' || github.ref == ''refs/heads/main'') && ''ubuntu-22.04'' || ''macos-13-xlarge'' }}'
|
||||
skip: '${{ !contains(github.event.pull_request.labels.*.name, ''ci-full'') && (github.event_name == ''pull_request'' || github.ref == ''refs/heads/main'') }}'
|
||||
runner: '${{ (!contains(github.event.pull_request.labels.*.name, ''ci-full'') && (github.event_name == ''pull_request'' || github.ref == ''refs/heads/main'')) && ''ubuntu-22.04'' || ''macos-13-xlarge'' }}'
|
||||
os_display_name: macos-aarch64
|
||||
- os: windows-2022
|
||||
job: test
|
||||
|
@ -76,8 +76,8 @@ jobs:
|
|||
- os: '${{ github.repository == ''denoland/deno'' && ''windows-2022-xl'' || ''windows-2022'' }}'
|
||||
job: test
|
||||
profile: release
|
||||
skip: '${{ github.event_name == ''pull_request'' }}'
|
||||
runner: '${{ (github.event_name == ''pull_request'') && ''ubuntu-22.04'' || github.repository == ''denoland/deno'' && ''windows-2022-xl'' || ''windows-2022'' }}'
|
||||
skip: '${{ !contains(github.event.pull_request.labels.*.name, ''ci-full'') && (github.event_name == ''pull_request'') }}'
|
||||
runner: '${{ (!contains(github.event.pull_request.labels.*.name, ''ci-full'') && (github.event_name == ''pull_request'')) && ''ubuntu-22.04'' || github.repository == ''denoland/deno'' && ''windows-2022-xl'' || ''windows-2022'' }}'
|
||||
os_display_name: windows-x86_64
|
||||
- os: '${{ github.repository == ''denoland/deno'' && ''ubuntu-22.04-xl'' || ''ubuntu-22.04'' }}'
|
||||
job: test
|
||||
|
@ -89,8 +89,8 @@ jobs:
|
|||
job: bench
|
||||
profile: release
|
||||
use_sysroot: true
|
||||
skip: '${{ github.event_name == ''pull_request'' && !contains(github.event.pull_request.labels.*.name, ''ci-bench'') }}'
|
||||
runner: '${{ (github.event_name == ''pull_request'' && !contains(github.event.pull_request.labels.*.name, ''ci-bench'')) && ''ubuntu-22.04'' || github.repository == ''denoland/deno'' && ''ubuntu-22.04-xl'' || ''ubuntu-22.04'' }}'
|
||||
skip: '${{ !contains(github.event.pull_request.labels.*.name, ''ci-full'') && (github.event_name == ''pull_request'' && !contains(github.event.pull_request.labels.*.name, ''ci-bench'')) }}'
|
||||
runner: '${{ (!contains(github.event.pull_request.labels.*.name, ''ci-full'') && (github.event_name == ''pull_request'' && !contains(github.event.pull_request.labels.*.name, ''ci-bench''))) && ''ubuntu-22.04'' || github.repository == ''denoland/deno'' && ''ubuntu-22.04-xl'' || ''ubuntu-22.04'' }}'
|
||||
os_display_name: ubuntu-x86_64
|
||||
- os: ubuntu-22.04
|
||||
job: test
|
||||
|
@ -301,10 +301,13 @@ jobs:
|
|||
CFLAGS=-flto=thin --sysroot=/sysroot
|
||||
__0
|
||||
- name: Install aarch64 lld
|
||||
run: |-
|
||||
./tools/install_prebuilt.js ld64.lld
|
||||
echo $GITHUB_WORKSPACE/third_party/prebuilt/mac >> $GITHUB_PATH
|
||||
run: ./tools/install_prebuilt.js ld64.lld
|
||||
if: '!(matrix.skip) && (matrix.os == ''macos-13-xlarge'')'
|
||||
- name: Install rust-codesign
|
||||
run: |-
|
||||
./tools/install_prebuilt.js rcodesign
|
||||
echo $GITHUB_WORKSPACE/third_party/prebuilt/mac >> $GITHUB_PATH
|
||||
if: '!(matrix.skip) && ((matrix.os == ''macos-13-xlarge'' || matrix.os == ''macos-12''))'
|
||||
- name: Log versions
|
||||
run: |-
|
||||
python --version
|
||||
|
@ -403,7 +406,12 @@ jobs:
|
|||
matrix.job == 'test' &&
|
||||
matrix.profile == 'release' &&
|
||||
github.repository == 'denoland/deno')
|
||||
env:
|
||||
APPLE_CODESIGN_KEY: '${{ secrets.APPLE_CODESIGN_KEY }}'
|
||||
APPLE_CODESIGN_PASSWORD: '${{ secrets.APPLE_CODESIGN_PASSWORD }}'
|
||||
run: |-
|
||||
echo "Key is $(echo $APPLE_CODESIGN_KEY | base64 -d | wc -c) bytes"
|
||||
rcodesign sign target/release/deno --code-signature-flags=runtime --p12-password="$APPLE_CODESIGN_PASSWORD" --p12-file=<(echo $APPLE_CODESIGN_KEY | base64 -d) --entitlements-xml-file=cli/entitlements.plist
|
||||
cd target/release
|
||||
zip -r deno-x86_64-apple-darwin.zip deno
|
||||
- name: Pre-release (mac aarch64)
|
||||
|
@ -412,7 +420,12 @@ jobs:
|
|||
matrix.job == 'test' &&
|
||||
matrix.profile == 'release' &&
|
||||
github.repository == 'denoland/deno')
|
||||
env:
|
||||
APPLE_CODESIGN_KEY: '${{ secrets.APPLE_CODESIGN_KEY }}'
|
||||
APPLE_CODESIGN_PASSWORD: '${{ secrets.APPLE_CODESIGN_PASSWORD }}'
|
||||
run: |-
|
||||
echo "Key is $(echo $APPLE_CODESIGN_KEY | base64 -d | wc -c) bytes"
|
||||
rcodesign sign target/release/deno --code-signature-flags=runtime --p12-password="$APPLE_CODESIGN_PASSWORD" --p12-file=<(echo $APPLE_CODESIGN_KEY | base64 -d) --entitlements-xml-file=cli/entitlements.plist
|
||||
cd target/release
|
||||
zip -r deno-aarch64-apple-darwin.zip deno
|
||||
- name: Pre-release (windows)
|
||||
|
|
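--- a/cli/entitlements.plist
+++ b/cli/entitlements.plist
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+<key>com.apple.security.cs.allow-jit</key>
+<true/>
+<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+<true/>
+<key>com.apple.security.cs.disable-executable-page-protection</key>
+<true/>
+<key>com.apple.security.cs.allow-dyld-environment-variables</key>
+<true/>
+<key>com.apple.security.cs.disable-library-validation</key>
+<true/>
+</dict>
+</plist>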
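Review bot: All five hardened-runtime exceptions are enabled with no comment saying which of them the binary actually needs, so the signature opts out of most of what `--code-signature-flags=runtime` turns on. `com.apple.security.cs.allow-jit` is the expected entitlement for a JIT-compiling runtime, whereas `allow-unsigned-executable-memory` and `disable-executable-page-protection` are progressively broader. `allow-dyld-environment-variables` together with `disable-library-validation` lets libraries not signed by the same team be loaded into the signed process, which may be intentional for native plugins but is inferred here. I would add an XML comment above each key stating the feature that requires it, for example `<!-- needed for JIT-compiled code -->`, and drop any key that a signed test run shows is unnecessary.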
@ -17,7 +17,7 @@ const versions = {
|
|||
"dlint": "dlint 0.51.0",
|
||||
};
|
||||
|
||||
const compressed = new Set(["ld64.lld"]);
|
||||
const compressed = new Set(["ld64.lld", "rcodesign"]);
|
||||
|
||||
export const ROOT_PATH = dirname(dirname(fromFileUrl(import.meta.url)));
|
||||
|
||||
|
@ -175,8 +175,9 @@ export function getPrebuiltToolPath(toolName) {
|
|||
return join(PREBUILT_TOOL_DIR, toolName + executableSuffix);
|
||||
}
|
||||
|
||||
const commitId = "c249f61eaed67db26c2934b195dc51e3ab91ae03";
|
||||
const downloadUrl =
|
||||
`https://raw.githubusercontent.com/denoland/deno_third_party/1fd66ef78ab40841db833d4a1efd5c5597faf066/prebuilt/${platformDirName}`;
|
||||
`https://raw.githubusercontent.com/denoland/deno_third_party/${commitId}/prebuilt/${platformDirName}`;
|
||||
|
||||
export async function downloadPrebuilt(toolName) {
|
||||
// Ensure only one download per tool happens at a time
|
||||
|
|
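Review bot: `rcodesign` is the tool that is handed the signing key in CI, so the integrity of this download matters more than for the other prebuilt tools. Pinning `downloadUrl` to a full commit hash through `commitId` is a sound choice, and I would document it with a comment such as `// deno_third_party commit that holds the prebuilt tools; bump when a tool is added or updated`. In the visible tail of `versions` the last entry is `dlint`, so `rcodesign` does not appear to get an entry there; if that map is what validates a downloaded tool, an entry or a recorded digest for `rcodesign` would be worth adding. Both `versions` and `downloadPrebuilt` extend outside these hunks, so that last point is inferred.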