Switch to Flowzone

Change-type: patch
2024-12-18 21:27:51 +00:00 · 2022-11-07 17:40:21 -08:00 · 2022-11-07 17:40:21 -08:00 · 19144163ee
commit 19144163ee
parent 535ffccbad
8 changed files with 360 additions and 37 deletions
--- a/.github/actions/always/action.yml
+++ b/.github/actions/always/action.yml
@ -0,0 +1,38 @@
+---
+name: cleanup
+# https://github.com/product-os/flowzone/tree/master/.github/actions
+inputs:
+  json:
+    description: "JSON stringified object containing all the inputs from the calling workflow"
+    required: true
+  secrets:
+    description: "JSON stringified object containing all the secrets from the calling workflow"
+    required: true
+
+  # --- custom environment
+  VERBOSE:
+    type: string
+    default: "true"
+
+runs:
+  # https://docs.github.com/en/actions/creating-actions/creating-a-composite-action
+  using: "composite"
+  steps:
+    # delete draft releases if the pull request is closed without merging
+    - name: Delete draft release
+      if: |
+        runner.os == 'Linux' &&
+        github.event_name == 'pull_request' &&
+        github.event.pull_request.merged == false &&
+        github.event.action == 'closed'
+
+      shell: bash --noprofile --norc -eo pipefail -x {0}
+      run: |
+        set -ea
+
+        [[ '${{ inputs.VERBOSE }}' =~ on|On|Yes|yes|true|True ]] && set -x
+
+        gh release delete --yes '${{ github.event.pull_request.head.ref }}' || true
+
+      env:
+        GITHUB_TOKEN: ${{ fromJSON(inputs.secrets).FLOWZONE_TOKEN }}
--- a/.github/actions/finalize/action.yml
+++ b/.github/actions/finalize/action.yml
@ -0,0 +1,54 @@
+---
+name: publish GitHub release
+# https://github.com/product-os/flowzone/tree/master/.github/actions
+inputs:
+  json:
+    description: "JSON stringified object containing all the inputs from the calling workflow"
+    required: true
+  secrets:
+    description: "JSON stringified object containing all the secrets from the calling workflow"
+    required: true
+
+runs:
+  # https://docs.github.com/en/actions/creating-actions/creating-a-composite-action
+  using: "composite"
+  steps:
+    - name: Get release version
+      if: runner.os == 'Linux'
+      id: get_release
+      shell: bash --noprofile --norc -eo pipefail -x {0}
+      run: |
+        set -ea
+
+        [[ '${{ inputs.VERBOSE }}' =~ on|On|Yes|yes|true|True ]] && set -x
+
+        echo "version=$(jq -r '.version' package.json)" >> $GITHUB_OUTPUT
+
+    # https://docs.github.com/en/rest/releases
+    - name: Finalize GitHub release
+      if: runner.os == 'Linux'
+      shell: bash --noprofile --norc -eo pipefail -x {0}
+      run: |
+        set -ea
+
+        [[ '${{ inputs.VERBOSE }}' =~ on|On|Yes|yes|true|True ]] && set -x
+
+        previous_tag="$(git tag --sort=-version:refname | head -n 2 | tail -n 1)"
+        release_notes="$(git log ${previous_tag}..HEAD --pretty=reference)"
+
+        gh release edit '${{ github.event.pull_request.head.ref }}' \
+          --notes "${release_notes}" \
+          --title 'v${{ steps.get_release.outputs.version }}' \
+          --tag 'v${{ steps.get_release.outputs.version }}' \
+          --prerelease=false \
+          --draft=false
+
+        release_id="$(gh api "/repos/${{ github.repository }}/releases/tags/v${{ steps.get_release.outputs.version }}" \
+          -H 'Accept: application/vnd.github+json' | jq -r .id)"
+
+        gh api --method PATCH "/repos/${{ github.repository }}/releases/${release_id}" \
+          -H 'Accept: application/vnd.github+json' \
+          -F make_latest="true"
+
+      env:
+        GITHUB_TOKEN: ${{ fromJSON(inputs.secrets).FLOWZONE_TOKEN }}
--- a/.github/actions/publish/action.yml
+++ b/.github/actions/publish/action.yml
@ -0,0 +1,153 @@
+---
+name: package and draft GitHub release
+# https://github.com/product-os/flowzone/tree/master/.github/actions
+inputs:
+  json:
+    description: "JSON stringified object containing all the inputs from the calling workflow"
+    required: true
+  secrets:
+    description: "JSON stringified object containing all the secrets from the calling workflow"
+    required: true
+
+  # --- custom environment
+  XCODE_APP_LOADER_EMAIL:
+    type: string
+    default: "accounts+apple@balena.io"
+  NODE_VERSION:
+    type: string
+    # FIXME: (please) https://github.com/balena-io/balena-cli/issues/2165
+    default: "12.x"
+  VERBOSE:
+    type: string
+    default: "true"
+
+runs:
+  # https://docs.github.com/en/actions/creating-actions/creating-a-composite-action
+  using: "composite"
+  steps:
+    - name: Download custom source artifact
+      uses: actions/download-artifact@v3
+      with:
+        name: custom-${{ github.event.pull_request.head.sha || github.event.head_commit.id }}-${{ runner.os }}
+        path: ${{ runner.temp }}
+
+    - name: Extract custom source artifact
+      shell: pwsh
+      working-directory: .
+      run: tar -xf ${{ runner.temp }}/custom.tgz
+
+    - name: Setup Node.js
+      uses: actions/setup-node@v3
+      with:
+        node-version: ${{ inputs.NODE_VERSION }}
+        cache: npm
+
+    - name: Install additional tools
+      if: runner.os == 'Windows'
+      shell: bash --noprofile --norc -eo pipefail -x {0}
+      run: |
+        choco install yq
+
+    - name: Install additional tools
+      if: runner.os == 'macOS'
+      shell: bash --noprofile --norc -eo pipefail -x {0}
+      run: |
+        brew install coreutils
+
+    # https://www.electron.build/code-signing.html
+    # https://github.com/Apple-Actions/import-codesign-certs
+    - name: Import Apple code signing certificate
+      if: runner.os == 'macOS'
+      uses: apple-actions/import-codesign-certs@v1
+      with:
+        p12-file-base64: ${{ fromJSON(inputs.secrets).APPLE_SIGNING }}
+        p12-password: ${{ fromJSON(inputs.secrets).APPLE_SIGNING_PASSWORD }}
+
+    - name: Import Windows code signing certificate
+      if: runner.os == 'Windows'
+      shell: powershell
+      run: |
+        Set-Content -Path ${{ runner.temp }}/certificate.base64 -Value $env:WINDOWS_CERTIFICATE
+        certutil -decode ${{ runner.temp }}/certificate.base64 ${{ runner.temp }}/certificate.pfx
+        Remove-Item -path ${{ runner.temp }} -include certificate.base64
+
+        Import-PfxCertificate `
+          -FilePath ${{ runner.temp }}/certificate.pfx `
+          -CertStoreLocation Cert:\CurrentUser\My `
+          -Password (ConvertTo-SecureString -String $env:WINDOWS_CERTIFICATE_PASSWORD -Force -AsPlainText)
+
+      env:
+        WINDOWS_CERTIFICATE: ${{ fromJSON(inputs.secrets).WINDOWS_SIGNING }}
+        WINDOWS_CERTIFICATE_PASSWORD: ${{ fromJSON(inputs.secrets).WINDOWS_SIGNING_PASSWORD }}
+
+    # https://github.com/product-os/scripts/tree/master/shared
+    # https://github.com/product-os/balena-concourse/blob/master/pipelines/github-events/template.yml
+    - name: Package release
+      id: package_release
+      shell: bash --noprofile --norc -eo pipefail -x {0}
+      run: |
+        set -ea
+
+        [[ '${{ inputs.VERBOSE }}' =~ on|On|Yes|yes|true|True ]] && set -x
+
+        runner_os="$(echo "${RUNNER_OS}" | tr '[:upper:]' '[:lower:]')"
+        runner_arch="$(echo "${RUNNER_ARCH}" | tr '[:upper:]' '[:lower:]')"
+
+        if [[ $runner_os =~ darwin|macos|osx ]]; then
+            CSC_KEY_PASSWORD=${{ fromJSON(inputs.secrets).APPLE_SIGNING_PASSWORD }}
+            CSC_KEYCHAIN=signing_temp
+            CSC_LINK=${{ fromJSON(inputs.secrets).APPLE_SIGNING }}
+
+        elif [[ $runner_os =~ windows|win ]]; then
+            CSC_KEY_PASSWORD=${{ fromJSON(inputs.secrets).WINDOWS_SIGNING_PASSWORD }}
+            CSC_LINK='${{ runner.temp }}\certificate.pfx'
+
+            # patches/all/oclif.patch
+            MSYSSHELLPATH="$(which bash)"
+            MSYSTEM=MSYS
+
+            # (signtool.exe) https://github.com/actions/runner-images/blob/main/images/win/Windows2019-Readme.md#installed-windows-sdks
+            PATH="/c/Program Files (x86)/Windows Kits/10/bin/${runner_arch}:${PATH}"
+        fi
+
+        npm run package
+
+        find dist -type f -maxdepth 1
+
+        echo "version=$(jq -r '.version' package.json)" >> $GITHUB_OUTPUT
+
+      env:
+        # https://github.blog/2020-08-03-github-actions-improvements-for-fork-and-pull-request-workflows/#improvements-for-public-repository-forks
+        # https://docs.github.com/en/actions/managing-workflow-runs/approving-workflow-runs-from-public-forks#about-workflow-runs-from-public-forks
+        CSC_FOR_PULL_REQUEST: true
+        # https://sectigo.com/resource-library/time-stamping-server
+        TIMESTAMP_SERVER: http://timestamp.sectigo.com
+        # Apple notarization (automation/build-bin.ts)
+        XCODE_APP_LOADER_EMAIL: ${{ inputs.XCODE_APP_LOADER_EMAIL }}
+        XCODE_APP_LOADER_PASSWORD: ${{ fromJSON(inputs.secrets).XCODE_APP_LOADER_PASSWORD }}
+
+    # https://github.com/softprops/action-gh-release#-customizing
+    - name: Create draft GitHub (pre)release
+      uses: softprops/action-gh-release@v1
+      with:
+        # use PR branch name for draft releases
+        name: ${{ github.event.pull_request.head.ref }}
+        tag_name: ${{ github.event.pull_request.head.ref }}
+        draft: true
+        prerelease: true
+        token: ${{ fromJSON(inputs.secrets).FLOWZONE_TOKEN }}
+        files: |
+          dist/*.pkg
+          dist/*.exe
+          dist/*.zip
+
+    - name: Compress custom source
+      shell: pwsh
+      run: tar -acf ${{ runner.temp }}/custom.tgz .
+
+    - name: Upload custom artifact
+      uses: actions/upload-artifact@v3
+      with:
+        name: custom-${{ github.event.pull_request.head.sha || github.event.head_commit.id }}-${{ runner.os }}
+        path: ${{ runner.temp }}/custom.tgz
+        retention-days: 1
--- a/.github/actions/test/action.yml
+++ b/.github/actions/test/action.yml
@ -0,0 +1,70 @@
+---
+name: test release
+# https://github.com/product-os/flowzone/tree/master/.github/actions
+inputs:
+  json:
+    description: "JSON stringified object containing all the inputs from the calling workflow"
+    required: true
+  secrets:
+    description: "JSON stringified object containing all the secrets from the calling workflow"
+    required: true
+
+  # --- custom environment
+  NODE_VERSION:
+    type: string
+    # FIXME: (please) https://github.com/balena-io/balena-cli/issues/2165
+    default: "12.x"
+  VERBOSE:
+    type: string
+    default: "true"
+
+runs:
+  # https://docs.github.com/en/actions/creating-actions/creating-a-composite-action
+  using: "composite"
+  steps:
+    - name: Delete previous draft release
+      if: runner.os == 'Linux'
+      shell: bash --noprofile --norc -eo pipefail -x {0}
+      run: |
+        set -ea
+
+        [[ '${{ inputs.VERBOSE }}' =~ on|On|Yes|yes|true|True ]] && set -x
+
+        gh release delete --yes '${{ github.event.pull_request.head.ref }}' || true
+
+      env:
+        GITHUB_TOKEN: ${{ fromJSON(inputs.secrets).FLOWZONE_TOKEN }}
+
+    # https://github.com/actions/setup-node#caching-global-packages-data
+    - name: Setup Node.js
+      uses: actions/setup-node@v3
+      with:
+        node-version: ${{ inputs.NODE_VERSION }}
+        cache: npm
+
+    - name: Test release
+      shell: bash --noprofile --norc -eo pipefail -x {0}
+      run: |
+        set -ea
+
+        [[ '${{ inputs.VERBOSE }}' =~ on|On|Yes|yes|true|True ]] && set -x
+
+        if [[ -e package-lock.json ]]; then
+            npm ci
+        else
+            npm i
+        fi
+
+        npm run build
+        npm run test
+
+    - name: Compress custom source
+      shell: pwsh
+      run: tar -acf ${{ runner.temp }}/custom.tgz .
+
+    - name: Upload custom artifact
+      uses: actions/upload-artifact@v3
+      with:
+        name: custom-${{ github.event.pull_request.head.sha || github.event.head_commit.id }}-${{ runner.os }}
+        path: ${{ runner.temp }}/custom.tgz
+        retention-days: 1
--- a/.github/workflows/flowzone.yml
+++ b/.github/workflows/flowzone.yml
@ -0,0 +1,16 @@
+name: Flowzone
+
+on:
+  pull_request:
+    types: [opened, synchronize, closed]
+    branches:
+      - "main"
+      - "master"
+
+jobs:
+  flowzone:
+    name: Flowzone
+    uses: product-os/flowzone/.github/workflows/flowzone.yml@master
+    secrets: inherit
+    with:
+      tests_run_on: '["ubuntu-latest","macos-latest","windows-2019"]'
--- a/.resinci.yml
+++ b/.resinci.yml
@ -1,20 +0,0 @@
---
-npm:
-  platforms:
-    - name: linux
-      os: ubuntu
-      architecture: x86_64
-      node_versions:
-        - "12"
-        - "14"
-    ##
-    ## Temporarily skip Alpine tests until the following issues are resolved:
-    ##   * https://github.com/concourse/concourse/issues/7905
-    ##   * https://github.com/product-os/balena-concourse/issues/631
-    ##
-    # - name: linux
-    #   os: alpine
-    #   architecture: x86_64
-    #   node_versions:
-    #     - "12"
-    #     - "14"
--- a/automation/build-bin.ts
+++ b/automation/build-bin.ts
@ -45,8 +45,6 @@ const execFileAsync = promisify(execFile);
 export const packageJSON = loadPackageJson();
 export const version = 'v' + packageJSON.version;
 const arch = process.arch;
-const MSYS2_BASH =
-	process.env.MSYSSHELLPATH || 'C:\\msys64\\usr\\bin\\bash.exe';

 function dPath(...paths: string[]) {
 	return path.join(ROOT, 'dist', ...paths);
@ -425,20 +423,28 @@ async function renameInstallerFiles() {

 /**
 * If the CSC_LINK and CSC_KEY_PASSWORD env vars are set, digitally sign the
- * executable installer by running the balena-io/scripts/shared/sign-exe.sh
- * script (which must be in the PATH) using a MSYS2 bash shell.
+ * executable installer using Microsoft SignTool.exe (Sign Tool)
+ * https://learn.microsoft.com/en-us/dotnet/framework/tools/signtool-exe
 */
 async function signWindowsInstaller() {
 	if (process.env.CSC_LINK && process.env.CSC_KEY_PASSWORD) {
 		const exeName = renamedOclifInstallers[process.platform];
 		console.log(`Signing installer "${exeName}"`);
-		await execFileAsync(MSYS2_BASH, [
-			'sign-exe.sh',
+		// trust ...
+		await execFileAsync('signtool.exe', [
+			'sign',
+			'-t',
+			process.env.TIMESTAMP_SERVER || 'http://timestamp.comodoca.com',
 			'-f',
-			exeName,
+			process.env.CSC_LINK,
+			'-p',
+			process.env.CSC_KEY_PASSWORD,
 			'-d',
 			`balena-cli ${version}`,
+			exeName,
 		]);
+		// ... but verify
+		await execFileAsync('signtool.exe', ['verify', '-pa', '-v', exeName]);
 	} else {
 		console.log(
 			'Skipping installer signing step because CSC_* env vars are not set',
@ -450,14 +456,21 @@ async function signWindowsInstaller() {
 * Wait for Apple Installer Notarization to continue
 */
 async function notarizeMacInstaller(): Promise<void> {
-	const appleId = 'accounts+apple@balena.io';
-	const { notarize } = await import('electron-notarize');
-	await notarize({
-		appBundleId: 'io.balena.etcher',
-		appPath: renamedOclifInstallers.darwin,
-		appleId,
-		appleIdPassword: '@keychain:CLI_PASSWORD',
-	});
+	const appleId =
+		process.env.XCODE_APP_LOADER_EMAIL || 'accounts+apple@balena.io';
+	const appBundleId = packageJSON.oclif.macos.identifier || 'io.balena.cli';
+	const appleIdPassword = process.env.XCODE_APP_LOADER_PASSWORD;
+
+	if (appleIdPassword) {
+		const { notarize } = await import('electron-notarize');
+		// https://github.com/electron/notarize/blob/main/README.md
+		await notarize({
+			appBundleId,
+			appPath: renamedOclifInstallers.darwin,
+			appleId,
+			appleIdPassword,
+		});
+	}
 }

 /**
--- a/package.json
+++ b/package.json
@ -90,8 +90,7 @@
  "author": "Balena Inc. (https://balena.io/)",
  "license": "Apache-2.0",
  "engines": {
-    "node": ">=12.8.0 <13.0.0",
-    "npm": "<7.0.0"
+    "node": ">=12 <16"
  },
  "husky": {
    "hooks": {