From f2fc2bc0ea4e3ec6a419df388b3af01bf53b7f7f Mon Sep 17 00:00:00 2001
From: Victor Lyuboslavsky
Date: Mon, 9 Dec 2024 13:24:38 -0600
Subject: [PATCH] Add retry to fleetd base pkg build. (#24489)

---
 .github/workflows/release-fleetd-base.yml | 17 ++++++++++++-----
 .github/workflows/verify-fleetd-base.yml | 6 +++---
 2 files changed, 15 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/release-fleetd-base.yml b/.github/workflows/release-fleetd-base.yml
index 9909901964..2178be6fad 100644
--- a/.github/workflows/release-fleetd-base.yml
+++ b/.github/workflows/release-fleetd-base.yml
@@ -88,9 +88,10 @@ jobs:
 if: needs.check-for-fleetd-component-updates.outputs.update_needed == 'true'
 runs-on: macos-latest
 outputs:
- fleetd_base_pkg_sha256: ${{ steps.build-sign-notarize.outputs.fleetd_base_pkg_sha256 }}
+ fleetd_base_pkg_sha256: ${{ steps.calculate-sha256.outputs.fleetd_base_pkg_sha256 }}
 env:
 FULL_DATE_DIR: archive/stable/${{ needs.check-for-fleetd-component-updates.outputs.date_dir }}
+ timeout-minutes: 120
 steps:
 - name: Harden Runner
 uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
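Review bot: The job-level `timeout-minutes: 120` added here is shorter than the retry budget the next hunk gives the build step (`timeout_minutes: 40` times `max_attempts: 10`, up to 400 minutes), so the job is cancelled during the third attempt and the remaining attempts can never run. Size the two to each other: either `max_attempts: 3` to fit the 120-minute job limit, or a larger job limit if more attempts are genuinely wanted (GitHub-hosted jobs are capped at 360 minutes). A short comment next to the job limit, such as `# bounds the notarization retry loop in the build step`, would keep the two values from drifting apart again. The job definition starts before this hunk.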
@@ -124,16 +125,22 @@ jobs:
 rm certificate.p12
 - name: Build PKG, sign, and notarize
- id: build-sign-notarize
 env:
 AC_USERNAME: ${{ secrets.APPLE_USERNAME }}
 AC_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
 AC_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
 PACKAGE_SIGNING_IDENTITY_SHA1: D52080FD1F0941DE31346F06DA0F08AED6FACBBF
+ # We use retry because we've seen Apple notarization fail or timeout
+ uses: nick-fields/retry@7152eba30c6575329ac0576536151aca5a72780e # v3.0.0
+ with:
+ timeout_minutes: 40
+ max_attempts: 10
+ command: fleetctl package --type pkg --fleet-desktop --use-system-configuration --sign-identity $PACKAGE_SIGNING_IDENTITY_SHA1 --notarize
+
+ - name: Calculate the SHA256 checksum of the package
+ id: calculate-sha256
 run: |
- fleetctl package --type pkg --fleet-desktop --use-system-configuration --sign-identity $PACKAGE_SIGNING_IDENTITY_SHA1 --notarize
 mv fleet-osquery*.pkg fleetd-base.pkg
- : # Calculate the SHA256 checksum of the package
 echo "fleetd_base_pkg_sha256=$(shasum -a 256 fleetd-base.pkg | cut -d ' ' -f 1)" >> $GITHUB_OUTPUT
 - name: Create plist
@@ -152,7 +159,7 @@ jobs:
 32
 sha256s
- ${{ steps.build-sign-notarize.outputs.fleetd_base_pkg_sha256 }}
+ ${{ steps.calculate-sha256.outputs.fleetd_base_pkg_sha256 }}
 url
 ${{ env.BASE_URL }}/${{ env.FULL_DATE_DIR }}/fleetd-base.pkg
diff --git a/.github/workflows/verify-fleetd-base.yml b/.github/workflows/verify-fleetd-base.yml
index 4b6d2e6c50..7a129b7cb0 100644
--- a/.github/workflows/verify-fleetd-base.yml
+++ b/.github/workflows/verify-fleetd-base.yml
@@ -32,7 +32,7 @@ jobs:
 verify-checksums:
 runs-on: ubuntu-latest
 env:
- BASE_URL: ${{ github.event.inputs.base-url || 'https://download.fleetdm.com' }}
+ BASE_URL: ${{ inputs.base-url || 'https://download.fleetdm.com' }}
 steps:
 - name: Harden Runner
 uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
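Review bot: The checksum that ends up in the plist is taken from whatever `mv fleet-osquery*.pkg fleetd-base.pkg` finds, and after up to ten attempts the workspace may still hold the output of an attempt that failed before notarization completed; if `fleetctl package` ever names its output differently between attempts the glob matches several files and `mv` fails, and if it reuses the name the stale file is silently overwritten, so the published hash is only trustworthy if each attempt starts clean. Making that explicit is one line: `command: rm -f fleet-osquery*.pkg && fleetctl package --type pkg --fleet-desktop --use-system-configuration --sign-identity $PACKAGE_SIGNING_IDENTITY_SHA1 --notarize`. I cannot tell from the hunk whether fleetctl's output filename is stable across runs, so the multi-match case is a hedge rather than an observed failure. Pinning `nick-fields/retry` to a commit SHA is the right call given that this step's `env` carries the Apple credentials. The `Create plist` step that consumes the checksum continues outside the hunk.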
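Review bot: The expression `BASE_URL: ${{ inputs.base-url || 'https://download.fleetdm.com' }}` is now written out identically in three jobs (this hunk and the `@@ -67` and `@@ -94` hunks of the same file); since the `inputs` context is also usable in a workflow-level `env:` block, a single top-level `BASE_URL` entry would keep the default download URL in one place and stop the three copies from drifting, provided nothing outside these hunks overrides it per job. The remaining steps of each job are outside the hunk.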
@@ -67,7 +67,7 @@ jobs:
 verify-fleetd-base-msi:
 runs-on: windows-latest
 env:
- BASE_URL: ${{ github.event.inputs.base-url || 'https://download.fleetdm.com' }}
+ BASE_URL: ${{ inputs.base-url || 'https://download.fleetdm.com' }}
 steps:
 - name: Harden Runner
 uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
@@ -94,7 +94,7 @@ jobs:
 verify-fleetd-base-pkg:
 runs-on: macos-latest
 env:
- BASE_URL: ${{ github.event.inputs.base-url || 'https://download.fleetdm.com' }}
+ BASE_URL: ${{ inputs.base-url || 'https://download.fleetdm.com' }}
 steps:
 - name: Harden Runner
 uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0