-
Notifications
You must be signed in to change notification settings - Fork 133
229 lines (196 loc) · 10.7 KB
/
nightly.yml
File metadata and controls
229 lines (196 loc) · 10.7 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
# This workflow will build a Java project with Maven and publish nightly builds
# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-maven
name: Nightly builds
on:
schedule:
- cron: "0 0 * * *"
jobs:
build:
runs-on: macos-latest
steps:
- uses: actions/checkout@v2
- name: Set up JDK 21
uses: actions/setup-java@v2
with:
java-version: '21'
distribution: 'temurin'
- name: Build with Maven
run: |
# We skip local signing because we will use Azure Cloud Signing next
mvn -e -X clean install -Djarsigner.skip=true -DskipTests=true
- name: Download Jsign
run: |
wget -q https://github.com/ebourg/jsign/releases/download/7.4/jsign-7.4.jar || \
curl -L -o jsign-7.4.jar https://github.com/ebourg/jsign/releases/download/7.4/jsign-7.4.jar
echo "Downloaded Jsign 7.4"
- name: Authenticate to Azure
run: |
az login --service-principal \
--username ${{ secrets.AZURE_CLIENT_ID }} \
--password ${{ secrets.AZURE_CLIENT_SECRET }} \
--tenant ${{ secrets.AZURE_TENANT_ID }} \
--allow-no-subscriptions
- name: Get Azure Key Vault Access Token
id: get-token
run: |
TOKEN=$(az account get-access-token --resource https://vault.azure.net --query accessToken -o tsv)
echo "::add-mask::$TOKEN"
echo "token=$TOKEN" >> $GITHUB_OUTPUT
- name: Sign JAR files with Azure Key Vault
env:
AZURE_TOKEN: ${{ steps.get-token.outputs.token }}
CERT_CHAIN: ${{ secrets.AZURE_KEYVAULT_CERTCHAIN }}
run: |
# Setup Certificate Chain
CERTCHAIN_ARG=""
if [ -n "$CERT_CHAIN" ]; then
echo "$CERT_CHAIN" > certchain.p7b
CERTCHAIN_ARG="-certchain certchain.p7b"
fi
REPO_DIR="releng/com.espressif.idf.update/target/repository"
SIGFILE="ECLIPSE"
echo "Signing IDF plugin JARs in $REPO_DIR..."
# Find and sign specific Espressif JARs
find "$REPO_DIR" -type f -name "*.jar" | while read -r file; do
if [[ "$file" =~ (plugins|features)/com\.espressif\. ]]; then
echo "Signing: $file"
jarsigner \
-J-cp -Jjsign-7.4.jar \
-J--add-modules -Jjava.sql \
-providerClass net.jsign.jca.JsignJcaProvider \
-providerArg "${{ secrets.AZURE_KEYVAULT_URI }}" \
-keystore NONE \
-storetype AZUREKEYVAULT \
-storepass "$AZURE_TOKEN" \
-sigfile "$SIGFILE" \
-digestalg SHA-256 \
-tsa http://timestamp.digicert.com \
$CERTCHAIN_ARG \
-certs \
-verbose \
"$file" \
"${{ secrets.AZURE_KEYVAULT_CERT_NAME }}"
if [ $? -ne 0 ]; then
echo "Failed to sign: $file"
exit 1
fi
fi
done
- name: Regenerate P2 Metadata
run: |
# Signing changes file checksums, so we must fix the P2 metadata
mvn -f releng/com.espressif.idf.update/pom.xml \
org.eclipse.tycho:tycho-p2-repository-plugin:fix-artifacts-metadata \
-DrepositoryPath="releng/com.espressif.idf.update/target/repository" \
-DskipTests=true
- name: Cleanup
if: always()
run: |
az logout || true
rm -f jsign-7.4.jar || true
rm -f certchain.p7b || true
- name: Codesign Espressif-IDE
env:
MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
run: |
echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
/usr/bin/security create-keychain -p espressif build.keychain
/usr/bin/security default-keychain -s build.keychain
/usr/bin/security unlock-keychain -p espressif build.keychain
/usr/bin/security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign
/usr/bin/security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k espressif build.keychain
echo "codesigning espressif-ide-macosx.cocoa.x86_64"
/usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/x86_64/Espressif-IDE.app -v
/usr/bin/codesign -v -vvv --deep $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/x86_64/Espressif-IDE.app
echo "codesigning espressif-ide-macosx.cocoa.aarch64"
/usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/aarch64/Espressif-IDE.app -v
/usr/bin/codesign -v -vvv --deep $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/aarch64/Espressif-IDE.app
echo "Creating dmg for espressif-ide-macosx.cocoa.x86_64"
$PWD/releng/ide-dmg-builder/ide-dmg-builder.sh
/usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg -v
/usr/bin/codesign -v -vvv --deep $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg
echo "Creating dmg for espressif-ide-macosx.cocoa.aarch64"
$PWD/releng/ide-dmg-builder/ide-dmg-builder-aarch64.sh
/usr/bin/codesign --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg -v
/usr/bin/codesign -v -vvv --deep $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg
- name: Notarization of Espressif-IDE dmg files
env:
NOTARIZATION_USERNAME: ${{ secrets.NOTARIZATION_USERNAME }}
NOTARIZATION_PASSWORD: ${{ secrets.NOTARIZATION_PASSWORD }}
NOTARIZATION_TEAM_ID: ${{ secrets.NOTARIZATION_TEAM_ID }}
run: |
echo "Create notary keychain"
/usr/bin/security create-keychain -p espressif notary.keychain
/usr/bin/security default-keychain -s notary.keychain
/usr/bin/security unlock-keychain -p espressif notary.keychain
echo "Create keychain profile"
xcrun notarytool store-credentials "ide-notarytool-profile" --apple-id $NOTARIZATION_USERNAME --team-id $NOTARIZATION_TEAM_ID --password $NOTARIZATION_PASSWORD
xcrun notarytool submit $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg --keychain-profile "ide-notarytool-profile" --wait
echo "Attach staple for x86_64.dmg"
xcrun stapler staple $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg
echo "Unlock the notary keychain"
/usr/bin/security unlock-keychain -p espressif notary.keychain
xcrun notarytool submit $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg --keychain-profile "ide-notarytool-profile" --wait
echo "Attach staple for aarch64.dmg"
xcrun stapler staple $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg
- name: Upload Espressif-IDE-macosx-cocoa-x86_64.dmg
if: ${{ !cancelled() }}
uses: actions/upload-artifact@v4
with:
name: espressif-ide-macosx-cocoa-x86_64
path: releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg
- name: Upload Espressif-IDE-macosx-cocoa-aarch64.dmg
if: ${{ !cancelled() }}
uses: actions/upload-artifact@v4
with:
name: espressif-ide-macosx.cocoa.aarch64
path: releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg
- name: Upload build artifacts
if: ${{ !cancelled() }}
uses: actions/upload-artifact@v4
with:
name: com.espressif.idf.update
path: releng/com.espressif.idf.update/target/repository
- name: Upload windows rcp
if: ${{ !cancelled() }}
uses: actions/upload-artifact@v4
with:
name: espressif-ide-win32
path: releng/com.espressif.idf.product/target/products/Espressif-IDE-*-win32.win32.x86_64.zip
- name: Upload linux rcp
if: ${{ !cancelled() }}
uses: actions/upload-artifact@v4
with:
name: espressif-ide-linux
path: releng/com.espressif.idf.product/target/products/Espressif-IDE-*-linux.gtk.x86_64.tar.gz
- name: Upload build assets to dl.espressif.com
id: upload-release-asset-espressif
env:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
run: |
ARCHIVE_DIR="/releng/com.espressif.idf.update/target/"
ARCHIVE_NAME="com.espressif.idf.update*.zip"
echo "${ARCHIVE_DIR}"
echo ${PWD}${ARCHIVE_DIR}
ARCHIVE_FILE_NAME="$(find ${PWD}${ARCHIVE_DIR}${ARCHIVE_NAME})"
echo "${ARCHIVE_FILE_NAME}"
ARCHIVE_PREFIX="com.espressif.idf.update-"
ARCHIVE_SUFFIX="-SNAPSHOT.zip";
tmp=${ARCHIVE_FILE_NAME#*${ARCHIVE_PREFIX}} # remove prefix
ARCHIVE_VERSION=${tmp%${ARCHIVE_SUFFIX}*} # remove suffix
echo "${ARCHIVE_VERSION}"
FOLDER_NAME="v${ARCHIVE_VERSION}"
mkdir "${FOLDER_NAME}" && cd "${FOLDER_NAME}" && unzip -q ${ARCHIVE_FILE_NAME} && cd ..
echo ${PWD}
ARCHIVE_VERSION_NEW="${ARCHIVE_PREFIX}${ARCHIVE_VERSION}.zip"
echo ${ARCHIVE_VERSION_NEW}
mv ${ARCHIVE_FILE_NAME} ${ARCHIVE_VERSION_NEW}
mv releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg "releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64-${FOLDER_NAME}.dmg"
mv releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg "releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64-${FOLDER_NAME}.dmg"
aws s3 rm s3://${{ secrets.DL_BUCKET }}/dl/idf-eclipse-plugin/updates/nightly --recursive
aws s3 cp --acl=public-read --recursive "./${FOLDER_NAME}/" s3://${{ secrets.DL_BUCKET }}/dl/idf-eclipse-plugin/updates/nightly
aws s3 cp --acl=public-read "./releng/index.html" s3://${{ secrets.DL_BUCKET }}/dl/idf-eclipse-plugin/updates/nightly/
aws cloudfront create-invalidation --distribution-id ${{ secrets.DL_DISTRIBUTION_ID }} --paths "/dl/idf-eclipse-plugin/updates/nightly/*"