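# GitHub Actions workflow: build the Electron workbench on macOS and Windows,
# sign the installers (push events only, because signing needs secrets), run
# the puppeteer smoke test, and publish artifacts to GitHub and to GCS.
#
# NOTE(review): every `uses:` below references a mutable tag or branch. For a
# workflow that handles code-signing keys, pinning each action to a full commit
# SHA (with the tag kept in a trailing comment) is the usual supply-chain
# hardening; no SHAs are introduced here because none are known from this file.
name: Build, Test Binaries, & Release
on: [push, pull_request]

# Least privilege for the automatic GITHUB_TOKEN: nothing below writes to the
# repository (test logs and installers go to run artifacts, releases go to GCS).
permissions:
  contents: read

defaults:
  run:
    # NOTE: a custom shell line means GitHub does not add `-e`/`pipefail`, so
    # every multi-line script below sets its own error handling explicitly.
    shell: bash -l {0}

jobs:
  build-and-release:
    runs-on: ${{ matrix.os }}
    strategy:
      max-parallel: 4
      fail-fast: false
      matrix:
        os: [macos-latest, windows-latest]
        node-version: [14.x]
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2
        with:
          fetch-depth: 0  # fetch complete history

      - name: Fetch git tags
        run: git fetch origin +refs/tags/*:refs/tags/*

      - name: Install Node.js
        uses: actions/setup-node@v2
        with:
          node-version: ${{ matrix.node-version }}

      - name: Install Dependencies
        # NOTE(review): `yarn install --frozen-lockfile` would refuse to resolve
        # anything not already in yarn.lock (the usual CI guard against silently
        # pulling a newer dependency); left as-is pending confirmation that the
        # lockfile is committed and kept current.
        run: |
          yarn config set network-timeout 600000 -g
          yarn install

      - name: Fetch InVEST Binaries
        run: yarn run fetch-invest

      - name: Run the build script
        run: yarn run build

      # Steps that use github secrets do not run in pull requests.
      # These include codesigning & GCS deploy-related things.
      - name: Set up Python for gsutil
        # gsutil requires a python, which is not included on Windows
        if: github.event_name != 'pull_request' && matrix.os == 'windows-latest'
        uses: actions/setup-python@v2
        with:
          python-version: '3.7'  # quoted: version strings must not be parsed as floats

      - name: Set up GCP
        # Secrets not available in PR so don't use GCP.
        if: github.event_name != 'pull_request'
        # TODO: the action ref was lost in page extraction; restore it and pin
        # to a commit SHA. Action name inferred from the step and its inputs.
        uses: google-github-actions/setup-gcloud@REF_LOST_IN_EXTRACTION
        with:
          version: '281.0.0'
          # NOTE(review): this is a long-lived service-account key held in a
          # repository secret; newer setup-gcloud releases recommend
          # google-github-actions/auth with Workload Identity Federation, which
          # removes the static key entirely.
          service_account_key: ${{ secrets.GOOGLE_SERVICE_ACC_KEY }}

      - name: Run electron-builder
        env:
          # NOTE(review): this is the literal string "env.GITHUB_TOKEN", not an
          # expression, so electron-builder never receives a usable token. If
          # publishing from this step is intended, use
          # `${{ secrets.GITHUB_TOKEN }}` (and grant `contents: write` above);
          # otherwise the variable can be dropped.
          GH_TOKEN: env.GITHUB_TOKEN
          DEBUG: electron-builder
          # quoted so YAML keeps the value a string (env values are strings anyway)
          CSC_IDENTITY_AUTO_DISCOVERY: 'false'  # disable electron-builder code signing
        run: yarn run dist

      # do code signing ourselves because it's easier than with electron-builder
      - name: Code signing (MacOS)
        if: github.event_name != 'pull_request' && matrix.os == 'macos-latest'
        env:
          KEYCHAIN_NAME: codesign_keychain
          KEYCHAIN_PASS: ${{ secrets.MAC_KEYCHAIN_PASS }}
          CERT_PASS: ${{ secrets.MACOS_CODESIGN_CERT_PASS }}
          CERT_FILE: '2025-01-16-Expiry-AppStore-App.p12'
          BIN_TO_SIGN: dist/invest_*.dmg
        run: |
          # fail the step on the first failing command; without this a failed
          # download/import is masked by the final `security lock-keychain`
          # succeeding and an unsigned dmg is uploaded as if signed
          set -eu
          gsutil cp "gs://stanford_cert/$CERT_FILE" ~/"$CERT_FILE"
          # create a new keychain (so that we can know what the password is)
          security create-keychain -p "$KEYCHAIN_PASS" "$KEYCHAIN_NAME"
          # add the keychain to the search list so it can be found
          security list-keychains -s "$KEYCHAIN_NAME"
          # unlock the keychain so we can import to it (stays unlocked 5 minutes by default)
          security unlock-keychain -p "$KEYCHAIN_PASS" "$KEYCHAIN_NAME"
          # add the certificate to the keychain
          # -T option says that the codesign executable can access the keychain
          # for some reason this alone is not enough, also need the following step
          security import ~/"$CERT_FILE" -k "$KEYCHAIN_NAME" -P "$CERT_PASS" -T /usr/bin/codesign
          # the .p12 holds the private key and is no longer needed once imported
          rm -f ~/"$CERT_FILE"
          # this is essential to avoid the UI password prompt
          security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASS" "$KEYCHAIN_NAME"
          # sign the dmg using certificate that's looked up by unique identifier 'Stanford'
          # $BIN_TO_SIGN is deliberately unquoted: it is a glob the shell expands
          codesign --timestamp --verbose --sign Stanford $BIN_TO_SIGN
          # relock the keychain now that signing is done
          security lock-keychain "$KEYCHAIN_NAME"

      - name: Code signing (Windows)
        if: github.event_name != 'pull_request' && matrix.os == 'windows-latest'
        env:
          CLOUDSDK_PYTHON: ${{env.pythonLocation}}\python.exe
          CERT_FILE: Stanford-natcap-code-signing-cert-expires-2024-01-26.p12
          CERT_PASS: ${{ secrets.WINDOWS_CODESIGN_CERT_PASS }}
          BIN_TO_SIGN: dist\invest_*.exe
        run: |
          # fail the step on the first failing command (see the macOS step)
          set -eu
          gsutil cp "gs://stanford_cert/$CERT_FILE" ~/"$CERT_FILE"
          # figure out the path to signtool.exe
          SIGNTOOL=$(find 'C:\\Program Files (x86)\\Windows Kits\\10' -type f -name 'signtool.exe*' | head -n 1)
          # an empty SIGNTOOL would otherwise turn the next line into a confusing
          # "command not found" rather than a clear diagnostic
          if [ -z "$SIGNTOOL" ]; then
            echo "signtool.exe not found under the Windows 10 SDK" >&2
            exit 1
          fi
          # $BIN_TO_SIGN is deliberately unquoted: it is a wildcard pattern
          "$SIGNTOOL" sign -fd SHA256 -f ~/"$CERT_FILE" -p "$CERT_PASS" $BIN_TO_SIGN
          "$SIGNTOOL" timestamp -tr http://timestamp.sectigo.com -td SHA256 $BIN_TO_SIGN
          # the .p12 holds the private key and is no longer needed once signing is done
          rm -f ~/"$CERT_FILE"

      - name: Test electron app with puppeteer
        run: npx cross-env CI=true yarn run test-electron-app

      - name: Upload app logging from puppeteer to github - MacOS
        # TODO: the action ref was lost in page extraction; restore it and pin
        # to a commit SHA. Action name inferred from the step and its inputs.
        uses: actions/upload-artifact@REF_LOST_IN_EXTRACTION
        if: matrix.os == 'macos-latest' && always()
        with:
          name: 'macos_puppeteer_log.zip'
          path: '~/Library/Logs/invest-workbench/'

      - name: Upload app logging from puppeteer to github - Windows
        # TODO: the action ref was lost in page extraction; restore it and pin
        # to a commit SHA. Action name inferred from the step and its inputs.
        uses: actions/upload-artifact@REF_LOST_IN_EXTRACTION
        if: matrix.os == 'windows-latest' && always()
        with:
          name: 'windows_puppeteer_log.zip'
          path: '~/AppData/Roaming/invest-workbench/logs/'

      - name: Upload installer artifacts to github
        # TODO: the action ref was lost in page extraction; restore it and pin
        # to a commit SHA. Action name inferred from the step and its inputs.
        uses: actions/upload-artifact@REF_LOST_IN_EXTRACTION
        if: always()
        with:
          name: invest-workbench-${{ matrix.os }}
          path: dist/invest_*_workbench_*

      - name: Set variables for GCS deploy target
        if: github.event_name != 'pull_request'
        env:
          # passed through env rather than spliced into the script, so the
          # expression value is never interpreted as shell syntax
          REPO_OWNER: ${{ github.repository_owner }}
        run: |
          set -eu
          # VERSION= must be inside the quotes; `"VERSION"=$(...)` relied on
          # quote removal and word-split the file contents
          echo "VERSION=$(cat .workbench_version_string.env)" >> "$GITHUB_ENV"
          if [ "$REPO_OWNER" == 'natcap' ]; then
            BUCKET='gs://releases.naturalcapitalproject.org/invest-workbench'
          else
            BUCKET="gs://natcap-dev-build-artifacts/invest-workbench/$REPO_OWNER"
          fi
          echo "BUCKET=$BUCKET" >> "$GITHUB_ENV"

      # BUCKET and VERSION were exported via GITHUB_ENV, so they are ordinary
      # environment variables here; reading them as such avoids interpolating
      # repository-derived text into the shell command.
      - name: Deploy artifacts to GCS - Windows
        if: github.event_name != 'pull_request' && matrix.os == 'windows-latest'
        env:
          CLOUDSDK_PYTHON: ${{env.pythonLocation}}\python.exe
        run: |
          set -eu
          gsutil -m rsync dist/ "$BUCKET/$VERSION/"

      - name: Deploy artifacts to GCS - macOS
        if: github.event_name != 'pull_request' && matrix.os == 'macos-latest'
        run: |
          set -eu
          gsutil -m rsync dist/ "$BUCKET/$VERSION/"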