diff options
author | Signal Linden <signal@lindenlab.com> | 2024-03-07 22:45:49 -0800 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-03-07 22:45:49 -0800 |
commit | afc943acbc2bb79e2e1aa5d5eaf448e01b6c2b00 (patch) | |
tree | 68ad01e7c63498ebd37fbc5e89eff68cd0916a7e | |
parent | e07bf1c0a27cfb37c67c5ffdc92bb92975eabbbf (diff) | |
parent | 041c66d59acc1706db37cf5e819f2d72743a7028 (diff) |
Merge pull request #935 from secondlife/gh-osbuild
Make signing and symbol posting jobs conditional on secrets.
-rw-r--r-- | .github/workflows/build.yaml | 50 | ||||
-rwxr-xr-x | build.sh | 22 |
2 files changed, 35 insertions, 37 deletions
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 1dd2c1d5df..13798fc607 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -37,8 +37,6 @@ jobs: DEVELOPER_DIR: ${{ matrix.developer_dir }} # Ensure that Linden viewer builds engage Bugsplat. BUGSPLAT_DB: ${{ matrix.configuration != 'ReleaseOS' && 'SecondLife_Viewer_2018' || '' }} - BUGSPLAT_PASS: ${{ secrets.BUGSPLAT_PASS }} - BUGSPLAT_USER: ${{ secrets.BUGSPLAT_USER }} build_coverity: false build_log_dir: ${{ github.workspace }}/.logs build_viewer: true @@ -250,23 +248,36 @@ jobs: ${{ steps.build.outputs.physicstpv }} sign-and-package-windows: + env: + AZURE_KEY_VAULT_URI: ${{ secrets.AZURE_KEY_VAULT_URI }} + AZURE_CERT_NAME: ${{ secrets.AZURE_CERT_NAME }} + AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} + AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} + AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} needs: build runs-on: windows steps: - name: Sign and package Windows viewer + if: env.AZURE_KEY_VAULT_URI && env.AZURE_CERT_NAME && env.AZURE_CLIENT_ID && env.AZURE_CLIENT_SECRET && env.AZURE_TENANT_ID uses: secondlife/viewer-build-util/sign-pkg-windows@v1 with: - vault_uri: "${{ secrets.AZURE_KEY_VAULT_URI }}" - cert_name: "${{ secrets.AZURE_CERT_NAME }}" - client_id: "${{ secrets.AZURE_CLIENT_ID }}" - client_secret: "${{ secrets.AZURE_CLIENT_SECRET }}" - tenant_id: "${{ secrets.AZURE_TENANT_ID }}" + vault_uri: "${{ env.AZURE_KEY_VAULT_URI }}" + cert_name: "${{ env.AZURE_CERT_NAME }}" + client_id: "${{ env.AZURE_CLIENT_ID }}" + client_secret: "${{ env.AZURE_CLIENT_SECRET }}" + tenant_id: "${{ env.AZURE_TENANT_ID }}" sign-and-package-mac: + env: + NOTARIZE_CREDS_MACOS: ${{ secrets.NOTARIZE_CREDS_MACOS }} + SIGNING_CERT_MACOS: ${{ secrets.SIGNING_CERT_MACOS }} + SIGNING_CERT_MACOS_IDENTITY: ${{ secrets.SIGNING_CERT_MACOS_IDENTITY }} + SIGNING_CERT_MACOS_PASSWORD: ${{ secrets.SIGNING_CERT_MACOS_PASSWORD }} needs: build runs-on: macos-latest steps: - name: Unpack Mac notarization credentials + if: env.NOTARIZE_CREDS_MACOS id: note-creds shell: bash run: | @@ -274,7 +285,7 @@ jobs: # USERNAME="..." # PASSWORD="..." # TEAM_ID="..." - eval "${{ secrets.NOTARIZE_CREDS_MACOS }}" + eval "${{ env.NOTARIZE_CREDS_MACOS }}" echo "::add-mask::$USERNAME" echo "::add-mask::$PASSWORD" echo "::add-mask::$TEAM_ID" @@ -286,39 +297,48 @@ jobs: [[ -n "$USERNAME" && -n "$PASSWORD" && -n "$TEAM_ID" ]] - name: Sign and package Mac viewer + if: env.SIGNING_CERT_MACOS && env.SIGNING_CERT_MACOS_IDENTITY && env.SIGNING_CERT_MACOS_PASSWORD && steps.note-creds.outputs.note_user && steps.note-creds.outputs.note_pass && steps.note-creds.outputs.note_team uses: secondlife/viewer-build-util/sign-pkg-mac@v1 with: channel: ${{ needs.build.outputs.viewer_channel }} imagename: ${{ needs.build.outputs.imagename }} - cert_base64: ${{ secrets.SIGNING_CERT_MACOS }} - cert_name: ${{ secrets.SIGNING_CERT_MACOS_IDENTITY }} - cert_pass: ${{ secrets.SIGNING_CERT_MACOS_PASSWORD }} + cert_base64: ${{ env.SIGNING_CERT_MACOS }} + cert_name: ${{ env.SIGNING_CERT_MACOS_IDENTITY }} + cert_pass: ${{ env.SIGNING_CERT_MACOS_PASSWORD }} note_user: ${{ steps.note-creds.outputs.note_user }} note_pass: ${{ steps.note-creds.outputs.note_pass }} note_team: ${{ steps.note-creds.outputs.note_team }} post-windows-symbols: + env: + BUGSPLAT_USER: ${{ secrets.BUGSPLAT_USER }} + BUGSPLAT_PASS: ${{ secrets.BUGSPLAT_PASS }} needs: build runs-on: ubuntu-latest steps: - name: Post Windows symbols + if: env.BUGSPLAT_USER && env.BUGSPLAT_PASS uses: secondlife/viewer-build-util/post-bugsplat-windows@v1 with: - username: ${{ secrets.BUGSPLAT_USER }} - password: ${{ secrets.BUGSPLAT_PASS }} + username: ${{ env.BUGSPLAT_USER }} + password: ${{ env.BUGSPLAT_PASS }} database: "SecondLife_Viewer_2018" channel: ${{ needs.build.outputs.viewer_channel }} version: ${{ needs.build.outputs.viewer_version }} post-mac-symbols: + env: + BUGSPLAT_USER: ${{ secrets.BUGSPLAT_USER }} + BUGSPLAT_PASS: ${{ secrets.BUGSPLAT_PASS }} needs: build runs-on: ubuntu-latest steps: - name: Post Mac symbols + if: env.BUGSPLAT_USER && env.BUGSPLAT_PASS uses: secondlife/viewer-build-util/post-bugsplat-mac@v1 with: - username: ${{ secrets.BUGSPLAT_USER }} - password: ${{ secrets.BUGSPLAT_PASS }} + username: ${{ env.BUGSPLAT_USER }} + password: ${{ env.BUGSPLAT_PASS }} database: "SecondLife_Viewer_2018" channel: ${{ needs.build.outputs.viewer_channel }} version: ${{ needs.build.outputs.viewer_version }} @@ -175,28 +175,6 @@ pre_build() VIEWER_SYMBOL_FILE="$(native_path "$abs_build_dir/newview/$variant/secondlife-symbols-$symplat-${AUTOBUILD_ADDRSIZE}.tar.bz2")" fi - # expect these variables to be set in the environment from GitHub secrets - if [[ -n "$BUGSPLAT_DB" ]] - then - # don't spew credentials into build log - set +x - if [[ -z "$BUGSPLAT_USER" || -z "$BUGSPLAT_PASS" ]] - then - # older mechanism involving build-secrets repo - - # if build_secrets_checkout isn't set, report its name - bugsplat_sh="${build_secrets_checkout:-\$build_secrets_checkout}/bugsplat/bugsplat.sh" - if [ -r "$bugsplat_sh" ] - then # show that we're doing this, just not the contents - echo source "$bugsplat_sh" - source "$bugsplat_sh" - else - fatal "BUGSPLAT_USER or BUGSPLAT_PASS missing, and no $bugsplat_sh" - fi - fi - set -x - export BUGSPLAT_USER BUGSPLAT_PASS - fi - # honor autobuild_configure_parameters same as sling-buildscripts eval_autobuild_configure_parameters=$(eval $(echo echo $autobuild_configure_parameters)) |