mirror of
https://github.com/fleetdm/fleet
synced 2026-04-21 13:37:30 +00:00
25e7d326e8
Updating actions/setup-go to v6.3.0 from a mix of different versions. This gets us faster CI runs, with improvements such as: - built in Go module cache AND Go build cache (separate cache no longer needed) - using go.mod resulting in fewer cache invalidations - faster Node 24 runtime - using go.dev download URL, which is more reliable
262 lines
9.2 KiB
YAML
262 lines
9.2 KiB
YAML
name: Generate Fleet Desktop targets for Orbit
|
|
|
|
on:
|
|
push:
|
|
tags:
|
|
- "orbit-*" # For testing, use a pre-release tag like 'orbit-1.24.0-1'
|
|
|
|
defaults:
|
|
run:
|
|
# fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
|
|
shell: bash
|
|
|
|
permissions:
|
|
id-token: write
|
|
attestations: write
|
|
contents: read
|
|
|
|
jobs:
|
|
set-version:
|
|
runs-on: ubuntu-latest
|
|
outputs:
|
|
FLEET_DESKTOP_VERSION: ${{ steps.set-version.outputs.FLEET_DESKTOP_VERSION }}
|
|
steps:
|
|
- name: Set FLEET_DESKTOP_VERSION
|
|
id: set-version
|
|
run: |
|
|
# Remove refs/tags prefix and v prefix in version.
|
|
VERSION=$(echo $GITHUB_REF | sed -e 's|refs/tags/.*v||')
|
|
echo "FLEET_DESKTOP_VERSION=$VERSION" >> "$GITHUB_OUTPUT"
|
|
|
|
desktop-macos:
|
|
# Set macOS version to '14' (previously was macos-12/13 until they were deprecated) for
|
|
# building the binary. This ensures compatibility with macOS version 14 and
|
|
# later, avoiding runtime errors on systems using macOS 14 or newer.
|
|
runs-on: macos-14
|
|
needs: set-version
|
|
steps:
|
|
- name: Harden Runner
|
|
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
|
|
with:
|
|
egress-policy: audit
|
|
|
|
- name: Checkout
|
|
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
|
|
|
|
- name: Install Go
|
|
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
|
|
with:
|
|
go-version-file: 'go.mod'
|
|
|
|
- name: Import signing keys
|
|
env:
|
|
APPLE_APPLICATION_CERTIFICATE: ${{ secrets.APPLE_APPLICATION_CERTIFICATE }}
|
|
APPLE_APPLICATION_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_APPLICATION_CERTIFICATE_PASSWORD }}
|
|
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
|
|
run: |
|
|
echo "$APPLE_APPLICATION_CERTIFICATE" | base64 --decode > certificate.p12
|
|
security create-keychain -p $KEYCHAIN_PASSWORD build.keychain
|
|
security default-keychain -s build.keychain
|
|
security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain
|
|
security import certificate.p12 -k build.keychain -P $APPLE_APPLICATION_CERTIFICATE_PASSWORD -T /usr/bin/codesign
|
|
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain
|
|
security find-identity -vv
|
|
rm certificate.p12
|
|
|
|
- name: Generate desktop.app.tar.gz
|
|
env:
|
|
AC_USERNAME: ${{ secrets.APPLE_USERNAME }}
|
|
AC_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
|
|
AC_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
|
|
CODESIGN_IDENTITY: 604D877399AAEB7630A78B84F288E2D28A2EDE42
|
|
run: |
|
|
AC_USERNAME=$AC_USERNAME \
|
|
AC_PASSWORD=$AC_PASSWORD \
|
|
AC_TEAM_ID=$AC_TEAM_ID \
|
|
FLEET_DESKTOP_APPLE_AUTHORITY=$CODESIGN_IDENTITY \
|
|
FLEET_DESKTOP_NOTARIZE=true \
|
|
FLEET_DESKTOP_VERSION=${{ needs.set-version.outputs.FLEET_DESKTOP_VERSION }} \
|
|
make desktop-app-tar-gz
|
|
|
|
- name: Extract archive for attestation
|
|
run: |
|
|
mkdir -p extracted
|
|
tar -xzf desktop.app.tar.gz -C extracted
|
|
|
|
- name: Attest binary
|
|
continue-on-error: true
|
|
uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
|
|
with:
|
|
subject-path: "extracted/Fleet\ Desktop.app/Contents/MacOS/*"
|
|
|
|
- name: Repackage archive
|
|
run: |
|
|
cd extracted
|
|
tar -czf ../desktop.app.tar.gz ./*
|
|
|
|
- name: Upload desktop.app.tar.gz
|
|
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # 4.3.3
|
|
with:
|
|
name: desktop.app.tar.gz
|
|
path: desktop.app.tar.gz
|
|
|
|
desktop-windows:
|
|
needs: set-version
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Harden Runner
|
|
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
|
|
with:
|
|
egress-policy: audit
|
|
|
|
- name: Checkout
|
|
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
|
|
|
|
- name: Install Go
|
|
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
|
|
with:
|
|
go-version-file: 'go.mod'
|
|
|
|
- name: Generate fleet-desktop.exe
|
|
run: |
|
|
FLEET_DESKTOP_VERSION=${{ needs.set-version.outputs.FLEET_DESKTOP_VERSION }} \
|
|
make desktop-windows
|
|
|
|
- name: Upload fleet-desktop.exe
|
|
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # 4.3.3
|
|
with:
|
|
name: unsigned-windows
|
|
path: fleet-desktop.exe
|
|
|
|
code-sign-windows:
|
|
needs: desktop-windows
|
|
uses: ./.github/workflows/code-sign-windows.yml
|
|
permissions:
|
|
contents: read
|
|
id-token: write # required for code-sign-windows
|
|
attestations: write # required for code-sign-windows
|
|
with:
|
|
attest: true
|
|
filename: fleet-desktop.exe
|
|
upload_name: fleet-desktop.exe
|
|
secrets:
|
|
DIGICERT_KEYLOCKER_CERTIFICATE: ${{ secrets.DIGICERT_KEYLOCKER_CERTIFICATE }}
|
|
DIGICERT_KEYLOCKER_PASSWORD: ${{ secrets.DIGICERT_KEYLOCKER_PASSWORD }}
|
|
DIGICERT_KEYLOCKER_HOST_URL: ${{ secrets.DIGICERT_KEYLOCKER_HOST_URL }}
|
|
DIGICERT_API_KEY: ${{ secrets.DIGICERT_API_KEY }}
|
|
DIGICERT_KEYLOCKER_CERTIFICATE_FINGERPRINT: ${{ secrets.DIGICERT_KEYLOCKER_CERTIFICATE_FINGERPRINT }}
|
|
|
|
desktop-windows-arm64:
|
|
needs: set-version
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Harden Runner
|
|
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
|
|
with:
|
|
egress-policy: audit
|
|
|
|
- name: Checkout
|
|
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
|
|
|
|
- name: Install Go
|
|
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
|
|
with:
|
|
go-version-file: 'go.mod'
|
|
|
|
- name: Generate fleet-desktop.exe
|
|
run: |
|
|
FLEET_DESKTOP_VERSION=${{ needs.set-version.outputs.FLEET_DESKTOP_VERSION }} \
|
|
make desktop-windows-arm64
|
|
|
|
- name: Upload fleet-desktop.exe
|
|
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # 4.3.3
|
|
with:
|
|
name: unsigned-windows-arm64
|
|
path: fleet-desktop.exe
|
|
|
|
code-sign-windows-arm64:
|
|
needs: desktop-windows-arm64
|
|
uses: ./.github/workflows/code-sign-windows.yml
|
|
permissions:
|
|
contents: read
|
|
id-token: write # required for code-sign-windows
|
|
attestations: write # required for code-sign-windows
|
|
with:
|
|
attest: true
|
|
filename: fleet-desktop.exe
|
|
upload_name: fleet-desktop-arm64.exe
|
|
download_name: unsigned-windows-arm64
|
|
secrets:
|
|
DIGICERT_KEYLOCKER_CERTIFICATE: ${{ secrets.DIGICERT_KEYLOCKER_CERTIFICATE }}
|
|
DIGICERT_KEYLOCKER_PASSWORD: ${{ secrets.DIGICERT_KEYLOCKER_PASSWORD }}
|
|
DIGICERT_KEYLOCKER_HOST_URL: ${{ secrets.DIGICERT_KEYLOCKER_HOST_URL }}
|
|
DIGICERT_API_KEY: ${{ secrets.DIGICERT_API_KEY }}
|
|
DIGICERT_KEYLOCKER_CERTIFICATE_FINGERPRINT: ${{ secrets.DIGICERT_KEYLOCKER_CERTIFICATE_FINGERPRINT }}
|
|
|
|
desktop-linux:
|
|
needs: set-version
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Harden Runner
|
|
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
|
|
with:
|
|
egress-policy: audit
|
|
|
|
- name: Checkout
|
|
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
|
|
|
|
- name: Install Go
|
|
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
|
|
with:
|
|
go-version-file: 'go.mod'
|
|
|
|
- name: Generate desktop.tar.gz
|
|
run: |
|
|
FLEET_DESKTOP_VERSION=${{ needs.set-version.outputs.FLEET_DESKTOP_VERSION }} \
|
|
make desktop-linux
|
|
|
|
- name: Attest binary
|
|
continue-on-error: true
|
|
uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
|
|
with:
|
|
subject-path: "desktop.tar.gz"
|
|
|
|
- name: Upload desktop.tar.gz
|
|
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # 4.3.3
|
|
with:
|
|
name: desktop.tar.gz
|
|
path: desktop.tar.gz
|
|
|
|
desktop-linux-arm64:
|
|
needs: set-version
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Harden Runner
|
|
uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
|
|
with:
|
|
egress-policy: audit
|
|
|
|
- name: Checkout
|
|
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
|
|
|
|
- name: Install Go
|
|
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
|
|
with:
|
|
go-version-file: 'go.mod'
|
|
|
|
- name: Generate desktop.tar.gz
|
|
run: |
|
|
FLEET_DESKTOP_VERSION=${{ needs.set-version.outputs.FLEET_DESKTOP_VERSION }} \
|
|
make desktop-linux-arm64
|
|
|
|
- name: Attest binary
|
|
continue-on-error: true
|
|
uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0
|
|
with:
|
|
subject-path: 'desktop.tar.gz'
|
|
|
|
- name: Upload desktop.tar.gz
|
|
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # 4.3.3
|
|
with:
|
|
name: desktop-arm64.tar.gz
|
|
path: desktop.tar.gz
|