Deno/deno
1
0
Fork 0
mirror of https://github.com/denoland/deno.git synced 2024-11-21 20:38:55 +00:00
Code Issues Actions 4 Packages Projects Releases Wiki Activity

chore: start codesigning mac release builds (#21303)

Browse Source 
- Adds a codesigning step to all mac targets
- Adds a new ci-full label to the build to force aarch64 builds on any
PR
This commit is contained in:
Matt Mastracci 2023-11-23 15:30:26 -07:00 committed by GitHub
parent 6f22d2424a
commit 778e4c9710
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 78 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

38
.github/workflows/ci.generate.ts vendored
View File

@ -275,14 +275,18 @@ function handleMatrixItems(items: {
} }
if (typeof item.skip === "string") { if (typeof item.skip === "string") {
let text = "${{ ("; let text =
text += removeSurroundingExpression(item.skip.toString()) + ") && "; "${{ (!contains(github.event.pull_request.labels.*.name, 'ci-full') && (";
text += removeSurroundingExpression(item.skip.toString()) + ")) && ";
text += `'${Runners.ubuntu}' || ${ text += `'${Runners.ubuntu}' || ${
removeSurroundingExpression(item.os) removeSurroundingExpression(item.os)
} }}`; } }}`;
// deno-lint-ignore no-explicit-any // deno-lint-ignore no-explicit-any
(item as any).runner = text; (item as any).runner = text;
item.skip =
"${{ !contains(github.event.pull_request.labels.*.name, 'ci-full') && (" +
removeSurroundingExpression(item.skip.toString()) + ") }}";
} }
return { return {
@ -526,10 +530,18 @@ const ci = {
name: "Install aarch64 lld", name: "Install aarch64 lld",
run: [ run: [
"./tools/install_prebuilt.js ld64.lld", "./tools/install_prebuilt.js ld64.lld",
"echo $GITHUB_WORKSPACE/third_party/prebuilt/mac >> $GITHUB_PATH",
].join("\n"), ].join("\n"),
if: `matrix.os == '${macosArmRunner}'`, if: `matrix.os == '${macosArmRunner}'`,
}, },
{
name: "Install rust-codesign",
run: [
"./tools/install_prebuilt.js rcodesign",
"echo $GITHUB_WORKSPACE/third_party/prebuilt/mac >> $GITHUB_PATH",
].join("\n"),
if:
`(matrix.os == '${macosArmRunner}' || matrix.os == '${macosX86Runner}')`,
},
{ {
name: "Log versions", name: "Log versions",
run: [ run: [
@ -680,7 +692,17 @@ const ci = {
"matrix.profile == 'release' &&", "matrix.profile == 'release' &&",
"github.repository == 'denoland/deno'", "github.repository == 'denoland/deno'",
].join("\n"), ].join("\n"),
env: {
"APPLE_CODESIGN_KEY": "${{ secrets.APPLE_CODESIGN_KEY }}",
"APPLE_CODESIGN_PASSWORD": "${{ secrets.APPLE_CODESIGN_PASSWORD }}",
},
run: [ run: [
'echo "Key is $(echo $APPLE_CODESIGN_KEY | base64 -d | wc -c) bytes"',
"rcodesign sign target/release/deno " +
"--code-signature-flags=runtime " +
'--p12-password="$APPLE_CODESIGN_PASSWORD" ' +
"--p12-file=<(echo $APPLE_CODESIGN_KEY | base64 -d) " +
"--entitlements-xml-file=cli/entitlements.plist",
"cd target/release", "cd target/release",
"zip -r deno-x86_64-apple-darwin.zip deno", "zip -r deno-x86_64-apple-darwin.zip deno",
] ]
@ -694,7 +716,17 @@ const ci = {
"matrix.profile == 'release' &&", "matrix.profile == 'release' &&",
"github.repository == 'denoland/deno'", "github.repository == 'denoland/deno'",
].join("\n"), ].join("\n"),
env: {
"APPLE_CODESIGN_KEY": "${{ secrets.APPLE_CODESIGN_KEY }}",
"APPLE_CODESIGN_PASSWORD": "${{ secrets.APPLE_CODESIGN_PASSWORD }}",
},
run: [ run: [
'echo "Key is $(echo $APPLE_CODESIGN_KEY | base64 -d | wc -c) bytes"',
"rcodesign sign target/release/deno " +
"--code-signature-flags=runtime " +
'--p12-password="$APPLE_CODESIGN_PASSWORD" ' +
"--p12-file=<(echo $APPLE_CODESIGN_KEY | base64 -d) " +
"--entitlements-xml-file=cli/entitlements.plist",
"cd target/release", "cd target/release",
"zip -r deno-aarch64-apple-darwin.zip deno", "zip -r deno-aarch64-apple-darwin.zip deno",
] ]

35
.github/workflows/ci.yml vendored
View File

@ -60,14 +60,14 @@ jobs:
- os: macos-12 - os: macos-12
job: test job: test
profile: release profile: release
skip: '${{ github.event_name == ''pull_request'' }}' skip: '${{ !contains(github.event.pull_request.labels.*.name, ''ci-full'') && (github.event_name == ''pull_request'') }}'
runner: '${{ (github.event_name == ''pull_request'') && ''ubuntu-22.04'' || ''macos-12'' }}' runner: '${{ (!contains(github.event.pull_request.labels.*.name, ''ci-full'') && (github.event_name == ''pull_request'')) && ''ubuntu-22.04'' || ''macos-12'' }}'
os_display_name: macos-x86_64 os_display_name: macos-x86_64
- os: macos-13-xlarge - os: macos-13-xlarge
job: test job: test
profile: release profile: release
skip: '${{ github.event_name == ''pull_request'' || github.ref == ''refs/heads/main'' }}' skip: '${{ !contains(github.event.pull_request.labels.*.name, ''ci-full'') && (github.event_name == ''pull_request'' || github.ref == ''refs/heads/main'') }}'
runner: '${{ (github.event_name == ''pull_request'' || github.ref == ''refs/heads/main'') && ''ubuntu-22.04'' || ''macos-13-xlarge'' }}' runner: '${{ (!contains(github.event.pull_request.labels.*.name, ''ci-full'') && (github.event_name == ''pull_request'' || github.ref == ''refs/heads/main'')) && ''ubuntu-22.04'' || ''macos-13-xlarge'' }}'
os_display_name: macos-aarch64 os_display_name: macos-aarch64
- os: windows-2022 - os: windows-2022
job: test job: test
@ -76,8 +76,8 @@ jobs:
- os: '${{ github.repository == ''denoland/deno'' && ''windows-2022-xl'' || ''windows-2022'' }}' - os: '${{ github.repository == ''denoland/deno'' && ''windows-2022-xl'' || ''windows-2022'' }}'
job: test job: test
profile: release profile: release
skip: '${{ github.event_name == ''pull_request'' }}' skip: '${{ !contains(github.event.pull_request.labels.*.name, ''ci-full'') && (github.event_name == ''pull_request'') }}'
runner: '${{ (github.event_name == ''pull_request'') && ''ubuntu-22.04'' || github.repository == ''denoland/deno'' && ''windows-2022-xl'' || ''windows-2022'' }}' runner: '${{ (!contains(github.event.pull_request.labels.*.name, ''ci-full'') && (github.event_name == ''pull_request'')) && ''ubuntu-22.04'' || github.repository == ''denoland/deno'' && ''windows-2022-xl'' || ''windows-2022'' }}'
os_display_name: windows-x86_64 os_display_name: windows-x86_64
- os: '${{ github.repository == ''denoland/deno'' && ''ubuntu-22.04-xl'' || ''ubuntu-22.04'' }}' - os: '${{ github.repository == ''denoland/deno'' && ''ubuntu-22.04-xl'' || ''ubuntu-22.04'' }}'
job: test job: test
@ -89,8 +89,8 @@ jobs:
job: bench job: bench
profile: release profile: release
use_sysroot: true use_sysroot: true
skip: '${{ github.event_name == ''pull_request'' && !contains(github.event.pull_request.labels.*.name, ''ci-bench'') }}' skip: '${{ !contains(github.event.pull_request.labels.*.name, ''ci-full'') && (github.event_name == ''pull_request'' && !contains(github.event.pull_request.labels.*.name, ''ci-bench'')) }}'
runner: '${{ (github.event_name == ''pull_request'' && !contains(github.event.pull_request.labels.*.name, ''ci-bench'')) && ''ubuntu-22.04'' || github.repository == ''denoland/deno'' && ''ubuntu-22.04-xl'' || ''ubuntu-22.04'' }}' runner: '${{ (!contains(github.event.pull_request.labels.*.name, ''ci-full'') && (github.event_name == ''pull_request'' && !contains(github.event.pull_request.labels.*.name, ''ci-bench''))) && ''ubuntu-22.04'' || github.repository == ''denoland/deno'' && ''ubuntu-22.04-xl'' || ''ubuntu-22.04'' }}'
os_display_name: ubuntu-x86_64 os_display_name: ubuntu-x86_64
- os: ubuntu-22.04 - os: ubuntu-22.04
job: test job: test
@ -301,10 +301,13 @@ jobs:
CFLAGS=-flto=thin --sysroot=/sysroot CFLAGS=-flto=thin --sysroot=/sysroot
__0 __0
- name: Install aarch64 lld - name: Install aarch64 lld
run: |- run: ./tools/install_prebuilt.js ld64.lld
./tools/install_prebuilt.js ld64.lld
echo $GITHUB_WORKSPACE/third_party/prebuilt/mac >> $GITHUB_PATH
if: '!(matrix.skip) && (matrix.os == ''macos-13-xlarge'')' if: '!(matrix.skip) && (matrix.os == ''macos-13-xlarge'')'
- name: Install rust-codesign
run: |-
./tools/install_prebuilt.js rcodesign
echo $GITHUB_WORKSPACE/third_party/prebuilt/mac >> $GITHUB_PATH
if: '!(matrix.skip) && ((matrix.os == ''macos-13-xlarge'' || matrix.os == ''macos-12''))'
- name: Log versions - name: Log versions
run: |- run: |-
python --version python --version
@ -403,7 +406,12 @@ jobs:
matrix.job == 'test' && matrix.job == 'test' &&
matrix.profile == 'release' && matrix.profile == 'release' &&
github.repository == 'denoland/deno') github.repository == 'denoland/deno')
env:
APPLE_CODESIGN_KEY: '${{ secrets.APPLE_CODESIGN_KEY }}'
APPLE_CODESIGN_PASSWORD: '${{ secrets.APPLE_CODESIGN_PASSWORD }}'
run: |- run: |-
echo "Key is $(echo $APPLE_CODESIGN_KEY | base64 -d | wc -c) bytes"
rcodesign sign target/release/deno --code-signature-flags=runtime --p12-password="$APPLE_CODESIGN_PASSWORD" --p12-file=<(echo $APPLE_CODESIGN_KEY | base64 -d) --entitlements-xml-file=cli/entitlements.plist
cd target/release cd target/release
zip -r deno-x86_64-apple-darwin.zip deno zip -r deno-x86_64-apple-darwin.zip deno
- name: Pre-release (mac aarch64) - name: Pre-release (mac aarch64)
@ -412,7 +420,12 @@ jobs:
matrix.job == 'test' && matrix.job == 'test' &&
matrix.profile == 'release' && matrix.profile == 'release' &&
github.repository == 'denoland/deno') github.repository == 'denoland/deno')
env:
APPLE_CODESIGN_KEY: '${{ secrets.APPLE_CODESIGN_KEY }}'
APPLE_CODESIGN_PASSWORD: '${{ secrets.APPLE_CODESIGN_PASSWORD }}'
run: |- run: |-
echo "Key is $(echo $APPLE_CODESIGN_KEY | base64 -d | wc -c) bytes"
rcodesign sign target/release/deno --code-signature-flags=runtime --p12-password="$APPLE_CODESIGN_PASSWORD" --p12-file=<(echo $APPLE_CODESIGN_KEY | base64 -d) --entitlements-xml-file=cli/entitlements.plist
cd target/release cd target/release
zip -r deno-aarch64-apple-darwin.zip deno zip -r deno-aarch64-apple-darwin.zip deno
- name: Pre-release (windows) - name: Pre-release (windows)

16
cli/entitlements.plist Normal file
View File

@ -0,0 +1,16 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.cs.allow-jit</key>
<true/>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
<key>com.apple.security.cs.disable-executable-page-protection</key>
<true/>
<key>com.apple.security.cs.allow-dyld-environment-variables</key>
<true/>
<key>com.apple.security.cs.disable-library-validation</key>
<true/>
</dict>
</plist>

5
tools/util.js
View File

@ -17,7 +17,7 @@ const versions = {
"dlint": "dlint 0.51.0", "dlint": "dlint 0.51.0",
}; };
const compressed = new Set(["ld64.lld"]); const compressed = new Set(["ld64.lld", "rcodesign"]);
export const ROOT_PATH = dirname(dirname(fromFileUrl(import.meta.url))); export const ROOT_PATH = dirname(dirname(fromFileUrl(import.meta.url)));
@ -175,8 +175,9 @@ export function getPrebuiltToolPath(toolName) {
return join(PREBUILT_TOOL_DIR, toolName + executableSuffix); return join(PREBUILT_TOOL_DIR, toolName + executableSuffix);
} }
const commitId = "c249f61eaed67db26c2934b195dc51e3ab91ae03";
const downloadUrl = const downloadUrl =
`https://raw.githubusercontent.com/denoland/deno_third_party/1fd66ef78ab40841db833d4a1efd5c5597faf066/prebuilt/${platformDirName}`; `https://raw.githubusercontent.com/denoland/deno_third_party/${commitId}/prebuilt/${platformDirName}`;
export async function downloadPrebuilt(toolName) { export async function downloadPrebuilt(toolName) {
// Ensure only one download per tool happens at a time // Ensure only one download per tool happens at a time