release-test-version.yml
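# Manually triggered workflow that builds, signs and publishes a test release
# on macOS (arm64 and Intel), Windows and Linux runners.
name: "Manual Release Test Version"
on:
  workflow_dispatch:
    inputs:
      version:
        description: "Specify a version suffix for the test release (limit to 20 characters or windows build will fail)"
        required: true
        type: string
        default: "test-version"
# Start from zero token permissions; the job below grants only what it uses.
permissions: {}
jobs:
  publish-studio:
    # required for Azure OIDC
    environment:
      name: azure-trusted-signing
    permissions:
      # GITHUB_TOKEN is handed to `npm run publish` in the publish steps;
      # presumably it uploads release assets - confirm against the forge config.
      contents: write
      # Lets the job request an OIDC token (the Azure login step passes no
      # client secret, only client/subscription/tenant ids).
      id-token: write
    strategy:
      # One platform failing must not cancel the other platform builds.
      fail-fast: false
      matrix:
        platform: [macos-latest, macos-15-intel, windows-latest, ubuntu-latest]
    runs-on: ${{ matrix.platform }}
    steps:
      # NOTE(review): this step does not set `export_env: false`, and later
      # steps read $APPLE_API_KEY, $APPLE_CERTIFICATE_P12 and
      # $CERTIFICATE_PASSWORD without an `env:` mapping, so these secrets appear
      # to be exported to every following step on every matrix platform. That
      # includes `npm ci`, which runs third-party install scripts, and the
      # Windows/Linux legs, which have no use for the Apple signing material.
      # Consider `export_env: false` plus per-step `env:` entries read from
      # `steps.get-secrets.outputs.secrets`, as the Azure steps below do.
      - id: get-secrets
        uses: grafana/shared-workflows/actions/get-vault-secrets@5d7e361bc7e0a183cde8afe9899fb7b596d2659b # v1.2.0
        with:
          repo_secrets: |
            APPLE_CERTIFICATE_P12=apple-certificates:APPLE_CERTIFICATE_P12
            CERTIFICATE_PASSWORD=apple-certificates:APPLE_CERTIFICATE_P12_PASSWORD
            APPLE_API_KEY_ID=apple-certificates:APPLE_API_KEY_ID
            APPLE_API_ISSUER=apple-certificates:APPLE_API_ISSUER
            APPLE_API_KEY=apple-certificates:APPLE_API_KEY
            SENTRY_DSN=sentry:SENTRY_DSN
            SENTRY_AUTH_TOKEN=sentry:SENTRY_AUTH_TOKEN
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
        with:
          # Do not leave the checkout token in .git/config for later steps.
          persist-credentials: false
      # The user-supplied version reaches the script through an environment
      # variable rather than being interpolated into the `run:` line, so the
      # input is never parsed as shell. The 20-character limit from the input
      # description is not enforced in this file; update_version.py is not
      # visible here and may or may not validate it.
      - name: Set version for test release
        env:
          PACKAGE_VERSION: ${{ inputs.version }}
        run: python update_version.py
      - name: setup node
        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
        with:
          # Quoted so YAML keeps it a string (an unquoted x.10 would become x.1).
          node-version: "24.11"
      # appdmg (used for DMG builds) depends on native modules compiled via node-gyp,
      # which requires Python setuptools. macOS runners ship with Python 3.12+ where
      # setuptools was removed. See https://github.com/electron/forge/issues/3371
      - name: Install setuptools for appdmg
        if: runner.os == 'macOS'
        run: brew install python-setuptools
      - name: install dependencies
        run: npm ci
      # Writes the notarization API key and the signing certificate into the
      # working directory, then imports the certificate into a dedicated
      # keychain that codesign may use. Both files are deleted by the final
      # cleanup step.
      - name: setup macos keychain
        if: startsWith(matrix.platform, 'macos-')
        run: |
          echo "$APPLE_API_KEY" > ./apple_api_key.p8
          echo "$APPLE_CERTIFICATE_P12" | base64 --decode > certificate.p12
          security create-keychain -p "$CERTIFICATE_PASSWORD" build.keychain
          security default-keychain -s build.keychain
          security unlock-keychain -p "$CERTIFICATE_PASSWORD" build.keychain
          security import certificate.p12 -k build.keychain -P "$CERTIFICATE_PASSWORD" -T /usr/bin/codesign
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$CERTIFICATE_PASSWORD" build.keychain
      - name: publish macOS arm64
        if: startsWith(matrix.platform, 'macos-latest')
        env:
          NODE_OPTIONS: "--max_old_space_size=8192"
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # apple notarization
          # Overrides the variable with the path of the key file written above.
          APPLE_API_KEY: ./apple_api_key.p8
          # sentry integration
          # sentry vite plugin integration during build
          SENTRY_ORG: ${{ vars.SENTRY_ORG }}
          SENTRY_PROJECT: ${{ vars.SENTRY_PROJECT }}
        run: |
          npm run publish
      - name: publish macOS x86_64
        if: startsWith(matrix.platform, 'macos-15-intel')
        env:
          NODE_OPTIONS: "--max_old_space_size=8192"
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # apple notarization
          # Overrides the variable with the path of the key file written above.
          APPLE_API_KEY: ./apple_api_key.p8
          # sentry integration
          # sentry vite plugin integration during build
          SENTRY_ORG: ${{ vars.SENTRY_ORG }}
          SENTRY_PROJECT: ${{ vars.SENTRY_PROJECT }}
        run: |
          npm run publish -- --arch=x64
      # Azure identifiers are fetched with `export_env: false`, so they are only
      # available as step outputs and are passed explicitly to the login step.
      - name: Get azure secrets
        id: get-azure-secrets
        uses: grafana/shared-workflows/actions/get-vault-secrets@5d7e361bc7e0a183cde8afe9899fb7b596d2659b # v1.2.0
        if: startsWith(matrix.platform, 'windows-')
        with:
          export_env: false
          repo_secrets: |
            client-id=azure-trusted-signing:client-id
            subscription-id=azure-trusted-signing:subscription-id
            tenant-id=azure-trusted-signing:tenant-id
      - name: Azure log in
        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
        if: startsWith(matrix.platform, 'windows-')
        with:
          client-id: ${{ fromJSON(steps.get-azure-secrets.outputs.secrets).client-id }}
          subscription-id: ${{ fromJSON(steps.get-azure-secrets.outputs.secrets).subscription-id }}
          tenant-id: ${{ fromJSON(steps.get-azure-secrets.outputs.secrets).tenant-id }}
      - name: Setup .NET SDK
        uses: actions/setup-dotnet@2016bd2012dba4e32de620c46fe006a3ac9f0602 # v5.0.1
        if: startsWith(matrix.platform, 'windows-')
        with:
          # renovate: datasource=dotnet-version depName=dotnet-sdk
          dotnet-version: "8.0.414"
      # Installs the pinned `sign` tool into a fresh, randomly named directory
      # under RUNNER_TEMP and exposes that directory as the `sign-tool` output.
      - name: Install Sign CLI tool
        id: install-sign-tool
        if: startsWith(matrix.platform, 'windows-')
        shell: pwsh
        env:
          # renovate: datasource=nuget depName=sign
          DOTNET_SIGN_VERSION: "0.9.1-beta.25379.1"
        run: |
          $toolPath = Join-Path -Path ${env:RUNNER_TEMP} -ChildPath (New-Guid).ToString()
          New-Item -ItemType Directory -Path $toolPath | Out-Null
          dotnet tool install --tool-path $toolPath sign --version ${env:DOTNET_SIGN_VERSION}
          if ($LASTEXITCODE -ne 0) {
            Write-Output "::error::Failed to install Sign CLI tool"
            exit 1
          }
          "sign-tool=$toolPath" >> ${env:GITHUB_OUTPUT}
      - name: publish Windows
        if: startsWith(matrix.platform, 'windows-')
        env:
          NODE_OPTIONS: "--max_old_space_size=8192"
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # windows cert
          TRUSTED_SIGNING_ACCOUNT: grafana-premium-eastus
          TRUSTED_SIGNING_ENDPOINT: https://eus.codesigning.azure.net/
          TRUSTED_SIGNING_PROFILE: grafana-production
          SIGNTOOL_PATH: ${{ steps.install-sign-tool.outputs.sign-tool }}\sign
          # sentry integration
          # sentry vite plugin integration during build
          SENTRY_ORG: ${{ vars.SENTRY_ORG }}
          SENTRY_PROJECT: ${{ vars.SENTRY_PROJECT }}
        run: npm run publish
      - name: publish Linux
        if: startsWith(matrix.platform, 'ubuntu-')
        env:
          NODE_OPTIONS: "--max_old_space_size=8192"
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # sentry integration
          # sentry vite plugin integration during build
          SENTRY_ORG: ${{ vars.SENTRY_ORG }}
          SENTRY_PROJECT: ${{ vars.SENTRY_PROJECT }}
        run: |
          sudo apt install -y rpm
          # There is a bug on Ubuntu 22.04 (ubuntu-latest) regarding stripping a binary for a different architecture.
          # https://github.com/electron/forge/issues/3102
          # https://github.com/electron/forge/issues/3701
          echo "%__strip /bin/true" >> ~/.rpmmacros
          npm run publish
          npm run publish -- --arch=arm64
      # `always()` makes the cleanup run even when an earlier step failed, so
      # the decoded certificate and API key are not left on disk after a broken
      # build. `rm -f` keeps the step green when a file was never created.
      - name: cleanup macos certificates
        if: always() && startsWith(matrix.platform, 'macos-')
        run: |
          rm -f apple_api_key.p8
          rm -f certificate.p12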