Update to vega 0.74.3 (#744) #259
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Release binaries | |
on: | |
push: | |
# Sequence of patterns matched against refs/tags | |
tags: | |
- "v*" # Push events to matching v*, i.e. v1.0, v20.15.10 | |
env: | |
VITE_SENTRY_DSN: ${{ secrets.SENTRY_DSN }} | |
WAILS_VERSION: v2.8.0 | |
NODE_VERSION: 18.12.0 | |
GO_VERSION: 1.21.7 | |
jobs: | |
release-macos: | |
name: Release ${{ matrix.network }} on MacOS ${{ matrix.arch }} | |
runs-on: macos-latest | |
strategy: | |
matrix: | |
arch: | |
- amd64 | |
- arm64 | |
network: | |
- mainnet | |
- fairground | |
include: | |
- network: mainnet | |
software-name: Vega Wallet | |
filename: vega-wallet | |
- network: fairground | |
software-name: Fairground Wallet | |
filename: fairground-wallet | |
- arch: amd64 | |
user-friendly-arch: intel | |
- arch: arm64 | |
user-friendly-arch: apple-silicon | |
steps: | |
- name: Set up Node ${{ env.NODE_VERSION }} | |
uses: actions/setup-node@v3 | |
with: | |
node-version: ${{ env.NODE_VERSION }} | |
id: npm | |
- name: Set up Go ${{ env.GO_VERSION }} | |
uses: actions/setup-go@v4 | |
with: | |
go-version: ${{ env.GO_VERSION }} | |
id: go | |
- name: Get Wails | |
run: go install github.com/wailsapp/wails/v2/cmd/wails@${{ env.WAILS_VERSION }} | |
- name: Check out repository | |
uses: actions/checkout@v3 | |
- name: Prepare "${{ matrix.network }}" bundle | |
shell: bash | |
env: | |
WALLET_OPTIMIZED_FOR: ${{ matrix.network }} | |
run: ./prepare.sh | |
- name: Build binary | |
env: | |
VITE_FEATURE_MODE: ${{ matrix.network }} | |
run: wails build -clean -f -platform=darwin/${{ matrix.arch }} -tags ${{ matrix.network }} | |
- name: Run tests | |
if: ${{ matrix.arch == 'amd64' }} | |
run: go test -v ./... | |
- name: Import DeveloperID Certificate | |
uses: apple-actions/import-codesign-certs@v1 | |
with: | |
keychain: vega | |
create-keychain: true | |
p12-file-base64: ${{ secrets.MACOS_CERTIFICATE }} | |
p12-password: ${{ secrets.MACOS_CERTIFICATE_PASS }} | |
- name: Sign binary | |
working-directory: build/bin | |
# --timestamp | |
# During signing, requests that a timestamp authority server be contacted to authenticate the time of | |
# signing. | |
# --deep | |
# When signing a bundle, specifies that nested code content such as helpers, frameworks, and plug-ins, | |
# should be recursively signed in turn. | |
# --options runtime | |
# On macOS versions >= 10.14.0, opts signed processes into a hardened runtime environment which includes | |
# runtime code signing enforcement, library validation, hard, kill, and debugging restrictions. | |
run: codesign --verbose --sign "${{ secrets.MACOS_CERTIFICATE_IDENTITY_ID }}" --timestamp --options runtime --deep --force "${{ matrix.software-name }}.app" | |
- name: Verify signature | |
working-directory: build/bin | |
run: codesign --verbose --verify --strict --deep "${{ matrix.software-name }}.app" | |
- name: Bundle binary for notarization | |
working-directory: build/bin | |
run: /usr/bin/ditto -c -k --keepParent "${{ matrix.software-name }}.app" "${{ matrix.filename }}-desktop-macos-${{ matrix.user-friendly-arch }}.zip" | |
- name: Store notarization credentials | |
run: | | |
xcrun notarytool store-credentials vega \ | |
--apple-id "${{ secrets.MACOS_NOTARIZATION_APPLE_ID }}" \ | |
--team-id "${{ secrets.MACOS_NOTARIZATION_TEAM_ID }}" \ | |
--password "${{ secrets.MACOS_NOTARIZATION_PASS }}" | |
- name: Notarize app | |
working-directory: build/bin | |
run: | | |
xcrun notarytool submit "${{ matrix.filename }}-desktop-macos-${{ matrix.user-friendly-arch }}.zip" \ | |
--keychain-profile vega \ | |
--output-format json \ | |
--timeout "90m" \ | |
--wait | |
- name: Staple app | |
working-directory: build/bin | |
run: xcrun stapler staple "${{ matrix.software-name }}.app" | |
- name: Delete old archive | |
working-directory: build/bin | |
run: rm -rf ${{ matrix.filename }}-desktop-macos-${{ matrix.user-friendly-arch }}.zip | |
- name: Bundle binary in archive for distribution | |
working-directory: build/bin | |
run: /usr/bin/ditto -c -k --keepParent "${{ matrix.software-name }}.app" "${{ matrix.filename }}-desktop-macos-${{ matrix.user-friendly-arch }}.zip" | |
- name: Release | |
uses: softprops/action-gh-release@v1 | |
with: | |
files: build/bin/*.zip | |
prerelease: true | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
release-windows: | |
name: Release ${{ matrix.network }} on Windows ${{ matrix.arch }} | |
runs-on: windows-2019 | |
strategy: | |
matrix: | |
arch: | |
- amd64 | |
network: | |
- mainnet | |
- fairground | |
include: | |
- network: mainnet | |
software-name: Vega Wallet | |
filename: vega-wallet | |
- network: fairground | |
software-name: Fairground Wallet | |
filename: fairground-wallet | |
steps: | |
- name: Set up Node ${{ env.NODE_VERSION }} | |
uses: actions/setup-node@v3 | |
with: | |
node-version: ${{ env.NODE_VERSION }} | |
id: npm | |
- name: Set up Go ${{ env.GO_VERSION }} | |
uses: actions/setup-go@v4 | |
with: | |
go-version: ${{ env.GO_VERSION }} | |
id: go | |
- name: Get Wails | |
run: go install github.com/wailsapp/wails/v2/cmd/wails@${{ env.WAILS_VERSION }} | |
- name: Check out repository | |
uses: actions/checkout@v3 | |
- name: Prepare "${{ matrix.network }}" bundle | |
shell: bash | |
env: | |
WALLET_OPTIMIZED_FOR: ${{ matrix.network }} | |
run: ./prepare.sh | |
- name: Build binary | |
env: | |
VITE_FEATURE_MODE: ${{ matrix.network }} | |
run: wails build -f -platform=windows/${{ matrix.arch }} -tags ${{ matrix.network }} | |
- name: Run tests | |
if: ${{ matrix.arch == 'amd64' }} | |
run: go test -v ./... | |
- name: Import signing certificate | |
run: | | |
echo "${{ secrets.EV_SIGN_CERT_FULL_CHAIN_PEM }}" > certificate_chain.pem | |
- name: "Download Java v17" | |
uses: oracle-actions/setup-java@v1 | |
with: | |
website: oracle.com | |
release: 17 | |
- name: Setup python | |
uses: actions/setup-python@v4 | |
with: | |
python-version: "3.9" | |
- id: "auth" | |
uses: "google-github-actions/auth@v1" | |
with: | |
credentials_json: "${{ secrets.GCP_CREDENTIALS }}" | |
- name: "Set up Cloud SDK" | |
uses: "google-github-actions/setup-gcloud@v1" | |
env: | |
CLOUDSDK_PYTHON: "python3" | |
- name: "Use gcloud CLI" | |
run: "gcloud info" | |
- name: Download signing tool and verify sha265 checksum | |
shell: bash | |
run: | | |
curl -L -o jsign.jar "https://github.com/ebourg/jsign/releases/download/4.2/jsign-4.2.jar" | |
echo '290377fc4f593256200b3ea4061b7409e8276255f449d4c6de7833faf0850cc1 jsign.jar' | sha256sum -c | |
# We sign binaries with the EV Certificate. You MUST NOT have a key in a file to sign binary. | |
# The only options to store keys are: | |
# - HSM architecture(e.g., AWS or Google) | |
# - Physical USB stick with hardware stored key | |
# We are using the first option to be able to sign the binaries within the CI servers without | |
# physical access to them. However, this signing method requires the signing tool supporting the HSM key. | |
# | |
# The high-level signing procedure looks like below: | |
# 1. Calculate the SHA256 Hash for the app | |
# 2. Send a request to sign the hash to the Google Cloud | |
# 3. Google signs our signature with a physically stored key on Google's HSM server and returns the signature over the network | |
# 4. Add our certificate and the signature received from the Google HSM to the EXE file | |
# 5. Our signature hash is again signed with the timestamp authority's private key, and the final hash is added to our binary. | |
# 6. Final executable with all necessary signing information included is produced | |
- name: Sign binary | |
shell: bash | |
run: | | |
cd build/bin && \ | |
java -jar ../../jsign.jar \ | |
--storetype GOOGLECLOUD \ | |
--storepass "$(gcloud auth print-access-token)" \ | |
--keystore "projects/vegaprotocol/locations/europe-west2/keyRings/windows-sign-apps" \ | |
--alias "digicert-ev-signing-key-ecc-256" \ | |
--certfile "../../certificate_chain.pem" \ | |
--tsmode RFC3161 \ | |
--tsaurl http://timestamp.globalsign.com/tsa/r6advanced1 \ | |
"${{ matrix.software-name }}.exe" | |
- name: Prepare binaries for release | |
shell: bash | |
run: | | |
mkdir -p build/release-bin; | |
cd build/bin; | |
cp "${{ matrix.software-name }}.exe" "../release-bin/${{ matrix.filename }}-desktop-windows-${{ matrix.arch }}.exe" | |
ls -als ../release-bin/*.exe | |
- name: Release | |
uses: softprops/action-gh-release@v1 | |
with: | |
files: build/release-bin/*.exe | |
prerelease: true | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
release-linux: | |
name: Release ${{ matrix.network }} on Linux ${{ matrix.arch }} | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
arch: | |
- amd64 | |
network: | |
- mainnet | |
- fairground | |
include: | |
- network: mainnet | |
software-name: Vega Wallet | |
filename: vega-wallet | |
- network: fairground | |
software-name: Fairground Wallet | |
filename: fairground-wallet | |
steps: | |
- name: Set up Node ${{ env.NODE_VERSION }} | |
uses: actions/setup-node@v3 | |
with: | |
node-version: ${{ env.NODE_VERSION }} | |
id: npm | |
- name: Set up Go ${{ env.GO_VERSION }} | |
uses: actions/setup-go@v4 | |
with: | |
go-version: ${{ env.GO_VERSION }} | |
id: go | |
- name: Check out repository | |
uses: actions/checkout@v3 | |
- name: Install Wails dependencies | |
run: | | |
sudo apt-get update | |
sudo apt-get install build-essential libgtk-3-dev libwebkit2gtk-4.0-dev | |
- name: Get Wails | |
run: go install github.com/wailsapp/wails/v2/cmd/wails@${{ env.WAILS_VERSION }} | |
- name: Prepare "${{ matrix.network }}" bundle | |
shell: bash | |
env: | |
WALLET_OPTIMIZED_FOR: ${{ matrix.network }} | |
run: ./prepare.sh | |
- name: Build binary | |
env: | |
VITE_FEATURE_MODE: ${{ matrix.network }} | |
run: wails build -clean -f -platform=linux/${{ matrix.arch }} -tags ${{ matrix.network }} | |
- name: Run tests | |
if: ${{ matrix.arch == 'amd64' }} | |
run: go test -v ./... | |
- name: Bundle binary in archive | |
uses: thedoctor0/zip-release@master | |
with: | |
type: zip | |
directory: build/bin | |
filename: ${{ matrix.filename }}-desktop-linux-${{ matrix.arch }}.zip | |
- name: Release | |
uses: softprops/action-gh-release@v1 | |
with: | |
files: build/bin/*.zip | |
prerelease: true | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |