From 778e4c971077e38bf8f7d03b8b299d3dd111ba22 Mon Sep 17 00:00:00 2001 From: Matt Mastracci Date: Thu, 23 Nov 2023 15:30:26 -0700 Subject: [PATCH] chore: start codesigning mac release builds (#21303) - Adds a codesigning step to all mac targets - Adds a new ci-full label to the build to force aarch64 builds on any PR --- .github/workflows/ci.generate.ts | 38 +++++++++++++++++++++++++++++--- .github/workflows/ci.yml | 35 ++++++++++++++++++++--------- cli/entitlements.plist | 16 ++++++++++++++ tools/util.js | 5 +++-- 4 files changed, 78 insertions(+), 16 deletions(-) create mode 100644 cli/entitlements.plist diff --git a/.github/workflows/ci.generate.ts b/.github/workflows/ci.generate.ts index be71828e32..10bf59521d 100755 --- a/.github/workflows/ci.generate.ts +++ b/.github/workflows/ci.generate.ts @@ -275,14 +275,18 @@ function handleMatrixItems(items: { } if (typeof item.skip === "string") { - let text = "${{ ("; - text += removeSurroundingExpression(item.skip.toString()) + ") && "; + let text = + "${{ (!contains(github.event.pull_request.labels.*.name, 'ci-full') && ("; + text += removeSurroundingExpression(item.skip.toString()) + ")) && "; text += `'${Runners.ubuntu}' || ${ removeSurroundingExpression(item.os) } }}`; // deno-lint-ignore no-explicit-any (item as any).runner = text; + item.skip = + "${{ !contains(github.event.pull_request.labels.*.name, 'ci-full') && (" + + removeSurroundingExpression(item.skip.toString()) + ") }}"; } return { @@ -526,10 +530,18 @@ const ci = { name: "Install aarch64 lld", run: [ "./tools/install_prebuilt.js ld64.lld", - "echo $GITHUB_WORKSPACE/third_party/prebuilt/mac >> $GITHUB_PATH", ].join("\n"), if: `matrix.os == '${macosArmRunner}'`, }, + { + name: "Install rust-codesign", + run: [ + "./tools/install_prebuilt.js rcodesign", + "echo $GITHUB_WORKSPACE/third_party/prebuilt/mac >> $GITHUB_PATH", + ].join("\n"), + if: + `(matrix.os == '${macosArmRunner}' || matrix.os == '${macosX86Runner}')`, + }, { name: "Log versions", run: [ 
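Review bot: The `!contains(github.event.pull_request.labels.*.name, 'ci-full')` guard is spelled out twice in the `@@ -275` hunk of ci.generate.ts, once inside `text` for the runner override and once in the new `item.skip` assignment, so the two strings can drift apart on the next edit; hoist it into one module-level constant such as `const ciFullLabelGuard = "!contains(github.event.pull_request.labels.*.name, 'ci-full')";` and interpolate it in both places. The existing `ci-bench` label check in the matrix only evaluates `contains(...)` behind `github.event_name == 'pull_request' &&`, whereas this guard now runs unguarded on push and schedule events where `github.event.pull_request` is absent; it presumably evaluates to false there rather than failing the expression, but a short comment recording that expectation would help whoever touches it next. handleMatrixItems begins before this hunk.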
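Review bot: The `echo $GITHUB_WORKSPACE/third_party/prebuilt/mac >> $GITHUB_PATH` line is moved out of the "Install aarch64 lld" step in the `@@ -526` hunk, so `ld64.lld` is now only on PATH because the "Install rust-codesign" step, which runs afterwards and on both mac runners, exports the same directory; that ordering dependency is invisible from the lld step and deserves a comment on it, e.g. `// PATH for third_party/prebuilt/mac is exported by the "Install rust-codesign" step below.` The `if` string for the new step wraps its condition in its own parentheses, which the generator wraps again, producing `((...))` in ci.yml; `` if: `matrix.os == '${macosArmRunner}' || matrix.os == '${macosX86Runner}'` `` is enough. The `ci` object literal continues past the end of this hunk.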
@@ -680,7 +692,17 @@ const ci = { "matrix.profile == 'release' &&", "github.repository == 'denoland/deno'", ].join("\n"), + env: { + "APPLE_CODESIGN_KEY": "${{ secrets.APPLE_CODESIGN_KEY }}", + "APPLE_CODESIGN_PASSWORD": "${{ secrets.APPLE_CODESIGN_PASSWORD }}", + }, run: [ + 'echo "Key is $(echo $APPLE_CODESIGN_KEY | base64 -d | wc -c) bytes"', + "rcodesign sign target/release/deno " + + "--code-signature-flags=runtime " + + '--p12-password="$APPLE_CODESIGN_PASSWORD" ' + + "--p12-file=<(echo $APPLE_CODESIGN_KEY | base64 -d) " + + "--entitlements-xml-file=cli/entitlements.plist", "cd target/release", "zip -r deno-x86_64-apple-darwin.zip deno", ] @@ -694,7 +716,17 @@ const ci = { "matrix.profile == 'release' &&", "github.repository == 'denoland/deno'", ].join("\n"), + env: { + "APPLE_CODESIGN_KEY": "${{ secrets.APPLE_CODESIGN_KEY }}", + "APPLE_CODESIGN_PASSWORD": "${{ secrets.APPLE_CODESIGN_PASSWORD }}", + }, run: [ + 'echo "Key is $(echo $APPLE_CODESIGN_KEY | base64 -d | wc -c) bytes"', + "rcodesign sign target/release/deno " + + "--code-signature-flags=runtime " + + '--p12-password="$APPLE_CODESIGN_PASSWORD" ' + + "--p12-file=<(echo $APPLE_CODESIGN_KEY | base64 -d) " + + "--entitlements-xml-file=cli/entitlements.plist", "cd target/release", "zip -r deno-aarch64-apple-darwin.zip deno", ] diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2a88523cb2..dfc0371163 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
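Review bot: The `env` block and the two signing lines added to the mac x86_64 pre-release step are repeated byte for byte in the aarch64 step of the next hunk (`@@ -694`), so a future change to flags or entitlements has to be made twice; the generator is TypeScript, so pull them into shared `macCodesignEnv` and `macCodesignRun` values and spread the latter into each `run` array. While doing that, quote the secret expansions (`"$APPLE_CODESIGN_KEY"`), since an unquoted `$APPLE_CODESIGN_KEY` is word-split before `base64 -d` sees it, and note that `--p12-password="$APPLE_CODESIGN_PASSWORD"` puts the password in the process argument list of the runner; if the prebuilt rcodesign supports a file-based password option, a process substitution like the one already used for `--p12-file` would keep it out of `ps`. The step's `if` condition starts before the hunk and its visible tail does not exclude `pull_request`; with the new `ci-full` label forcing mac release builds on PRs, a fork PR would reach this step with empty secrets and an empty decoded p12, so either the condition or the script should handle that case explicitly.
```typescript
const macCodesignEnv = {
  "APPLE_CODESIGN_KEY": "${{ secrets.APPLE_CODESIGN_KEY }}",
  "APPLE_CODESIGN_PASSWORD": "${{ secrets.APPLE_CODESIGN_PASSWORD }}",
};
const macCodesignRun = [
  'echo "Key is $(echo "$APPLE_CODESIGN_KEY" | base64 -d | wc -c) bytes"',
  "rcodesign sign target/release/deno " +
    "--code-signature-flags=runtime " +
    '--p12-password="$APPLE_CODESIGN_PASSWORD" ' +
    '--p12-file=<(echo "$APPLE_CODESIGN_KEY" | base64 -d) ' +
    "--entitlements-xml-file=cli/entitlements.plist",
];
// … unchanged: step name and `if` condition …
env: macCodesignEnv,
run: [
  ...macCodesignRun,
  "cd target/release",
  "zip -r deno-x86_64-apple-darwin.zip deno",
]
```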
@@ -60,14 +60,14 @@ jobs: - os: macos-12 job: test profile: release - skip: '${{ github.event_name == ''pull_request'' }}' - runner: '${{ (github.event_name == ''pull_request'') && ''ubuntu-22.04'' || ''macos-12'' }}' + skip: '${{ !contains(github.event.pull_request.labels.*.name, ''ci-full'') && (github.event_name == ''pull_request'') }}' + runner: '${{ (!contains(github.event.pull_request.labels.*.name, ''ci-full'') && (github.event_name == ''pull_request'')) && ''ubuntu-22.04'' || ''macos-12'' }}' os_display_name: macos-x86_64 - os: macos-13-xlarge job: test profile: release - skip: '${{ github.event_name == ''pull_request'' || github.ref == ''refs/heads/main'' }}' - runner: '${{ (github.event_name == ''pull_request'' || github.ref == ''refs/heads/main'') && ''ubuntu-22.04'' || ''macos-13-xlarge'' }}' + skip: '${{ !contains(github.event.pull_request.labels.*.name, ''ci-full'') && (github.event_name == ''pull_request'' || github.ref == ''refs/heads/main'') }}' + runner: '${{ (!contains(github.event.pull_request.labels.*.name, ''ci-full'') && (github.event_name == ''pull_request'' || github.ref == ''refs/heads/main'')) && ''ubuntu-22.04'' || ''macos-13-xlarge'' }}' os_display_name: macos-aarch64 - os: windows-2022 job: test 
@@ -76,8 +76,8 @@ jobs: - os: '${{ github.repository == ''denoland/deno'' && ''windows-2022-xl'' || ''windows-2022'' }}' job: test profile: release - skip: '${{ github.event_name == ''pull_request'' }}' - runner: '${{ (github.event_name == ''pull_request'') && ''ubuntu-22.04'' || github.repository == ''denoland/deno'' && ''windows-2022-xl'' || ''windows-2022'' }}' + skip: '${{ !contains(github.event.pull_request.labels.*.name, ''ci-full'') && (github.event_name == ''pull_request'') }}' + runner: '${{ (!contains(github.event.pull_request.labels.*.name, ''ci-full'') && (github.event_name == ''pull_request'')) && ''ubuntu-22.04'' || github.repository == ''denoland/deno'' && ''windows-2022-xl'' || ''windows-2022'' }}' os_display_name: windows-x86_64 - os: '${{ github.repository == ''denoland/deno'' && ''ubuntu-22.04-xl'' || ''ubuntu-22.04'' }}' job: test @@ -89,8 +89,8 @@ jobs: job: bench profile: release use_sysroot: true - skip: '${{ github.event_name == ''pull_request'' && !contains(github.event.pull_request.labels.*.name, ''ci-bench'') }}' - runner: '${{ (github.event_name == ''pull_request'' && !contains(github.event.pull_request.labels.*.name, ''ci-bench'')) && ''ubuntu-22.04'' || github.repository == ''denoland/deno'' && ''ubuntu-22.04-xl'' || ''ubuntu-22.04'' }}' + skip: '${{ !contains(github.event.pull_request.labels.*.name, ''ci-full'') && (github.event_name == ''pull_request'' && !contains(github.event.pull_request.labels.*.name, ''ci-bench'')) }}' + runner: '${{ (!contains(github.event.pull_request.labels.*.name, ''ci-full'') && (github.event_name == ''pull_request'' && !contains(github.event.pull_request.labels.*.name, ''ci-bench''))) && ''ubuntu-22.04'' || github.repository == ''denoland/deno'' && ''ubuntu-22.04-xl'' || ''ubuntu-22.04'' }}' os_display_name: ubuntu-x86_64 - os: ubuntu-22.04 job: test 
@@ -301,10 +301,13 @@ jobs: CFLAGS=-flto=thin --sysroot=/sysroot __0 - name: Install aarch64 lld - run: |- - ./tools/install_prebuilt.js ld64.lld - echo $GITHUB_WORKSPACE/third_party/prebuilt/mac >> $GITHUB_PATH + run: ./tools/install_prebuilt.js ld64.lld if: '!(matrix.skip) && (matrix.os == ''macos-13-xlarge'')' + - name: Install rust-codesign + run: |- + ./tools/install_prebuilt.js rcodesign + echo $GITHUB_WORKSPACE/third_party/prebuilt/mac >> $GITHUB_PATH + if: '!(matrix.skip) && ((matrix.os == ''macos-13-xlarge'' || matrix.os == ''macos-12''))' - name: Log versions run: |- python --version @@ -403,7 +406,12 @@ jobs: matrix.job == 'test' && matrix.profile == 'release' && github.repository == 'denoland/deno') + env: + APPLE_CODESIGN_KEY: '${{ secrets.APPLE_CODESIGN_KEY }}' + APPLE_CODESIGN_PASSWORD: '${{ secrets.APPLE_CODESIGN_PASSWORD }}' run: |- + echo "Key is $(echo $APPLE_CODESIGN_KEY | base64 -d | wc -c) bytes" + rcodesign sign target/release/deno --code-signature-flags=runtime --p12-password="$APPLE_CODESIGN_PASSWORD" --p12-file=<(echo $APPLE_CODESIGN_KEY | base64 -d) --entitlements-xml-file=cli/entitlements.plist cd target/release zip -r deno-x86_64-apple-darwin.zip deno - name: Pre-release (mac aarch64) @@ -412,7 +420,12 @@ jobs: matrix.job == 'test' && matrix.profile == 'release' && github.repository == 'denoland/deno') + env: + APPLE_CODESIGN_KEY: '${{ secrets.APPLE_CODESIGN_KEY }}' + APPLE_CODESIGN_PASSWORD: '${{ secrets.APPLE_CODESIGN_PASSWORD }}' run: |- + echo "Key is $(echo $APPLE_CODESIGN_KEY | base64 -d | wc -c) bytes" + rcodesign sign target/release/deno --code-signature-flags=runtime --p12-password="$APPLE_CODESIGN_PASSWORD" --p12-file=<(echo $APPLE_CODESIGN_KEY | base64 -d) --entitlements-xml-file=cli/entitlements.plist cd target/release zip -r deno-aarch64-apple-darwin.zip deno - name: Pre-release (windows) diff --git a/cli/entitlements.plist b/cli/entitlements.plist new file mode 100644 index 0000000000..73375ea910 --- /dev/null 
+++ b/cli/entitlements.plist @@ -0,0 +1,16 @@ + + + + + com.apple.security.cs.allow-jit + + com.apple.security.cs.allow-unsigned-executable-memory + + com.apple.security.cs.disable-executable-page-protection + + com.apple.security.cs.allow-dyld-environment-variables + + com.apple.security.cs.disable-library-validation + + + diff --git a/tools/util.js b/tools/util.js index 20a2f210b7..8fab4dfa35 100644 --- a/tools/util.js +++ b/tools/util.js @@ -17,7 +17,7 @@ const versions = { "dlint": "dlint 0.51.0", }; -const compressed = new Set(["ld64.lld"]); +const compressed = new Set(["ld64.lld", "rcodesign"]); export const ROOT_PATH = dirname(dirname(fromFileUrl(import.meta.url))); @@ -175,8 +175,9 @@ export function getPrebuiltToolPath(toolName) { return join(PREBUILT_TOOL_DIR, toolName + executableSuffix); } +const commitId = "c249f61eaed67db26c2934b195dc51e3ab91ae03"; const downloadUrl = - `https://raw.githubusercontent.com/denoland/deno_third_party/1fd66ef78ab40841db833d4a1efd5c5597faf066/prebuilt/${platformDirName}`; + `https://raw.githubusercontent.com/denoland/deno_third_party/${commitId}/prebuilt/${platformDirName}`; export async function downloadPrebuilt(toolName) { // Ensure only one download per tool happens at a time
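Review bot: The new cli/entitlements.plist grants five hardened-runtime exemptions with nothing recording why each one is needed, and since the sign step passes `--code-signature-flags=runtime` these keys are exactly what weakens the protection that flag turns on; plist files are XML, so a one-line `<!-- ... -->` above each key is enough, e.g. `<!-- Needed for the JavaScript engine's JIT code pages; re-check when the engine is updated. -->` for allow-jit. In particular `com.apple.security.cs.disable-executable-page-protection` disables the code-signing memory protections wholesale and `com.apple.security.cs.allow-unsigned-executable-memory` is the older, broader alternative to `allow-jit`, so if the binary runs with `allow-jit` alone those two (and `disable-library-validation`, which lets any dylib load) are worth removing rather than carrying forward by default. The values paired with these keys are not visible in this rendering, so I cannot confirm each is `<true/>`.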
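Review bot: The `@@ -17` hunk of tools/util.js adds `rcodesign` to `compressed` but not to the `versions` map whose tail (`"dlint": "dlint 0.51.0"`) is visible just above it, so the tool that will sign every mac release binary apparently has no expected version string the way dlint does; unless `versions` is consumed differently for this tool (its reader is outside the hunk), add an entry such as `"rcodesign": "<expected version banner>"`. In the `@@ -175` hunk the new `commitId` pins the deno_third_party revision the binary is fetched from, which is the right direction, but whether `downloadPrebuilt` (whose body continues past the hunk) verifies a digest of what it downloads cannot be seen here; at minimum a comment on the constant should state that the prebuilt tools are trusted on this pin alone, e.g. `// Prebuilt tools (including the release signer rcodesign) are trusted solely on this pinned commit; review provenance when bumping.`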