Build, test and upload .pkg to S3 #184
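name: Build, test and upload .msi to S3
# TODO: add scheduler and tests
on:
  # Manual runs; no inputs are declared for this trigger.
  workflow_dispatch:
  # Reusable-workflow entry point; the caller supplies the ref to build.
  workflow_call:
    inputs:
      ref_name:
        required: true
        type: string
env:
  # Quoted so a YAML 1.1 parser cannot read the value as the boolean true.
  GO111MODULE: 'on'
# Workflow-level permissions apply to every job that does not declare its own
# permissions block.
permissions:
  # This is required for configure-aws-credentials to request an OIDC JWT ID token to access AWS resources later on.
  # More info: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
  id-token: write
  contents: read # This is required for actions/checkout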
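jobs:
  # Resolves the tag to build and derives a MAJOR.MINOR.PATCH version from it.
  get-tag-name:
    name: Get tag name
    runs-on: ubuntu-latest
    # This job only runs a shell step: it needs neither repository contents
    # nor an OIDC token, so it drops every token permission.
    permissions: {}
    outputs:
      tag: ${{ steps.check-tag.outputs.tag }}
      version: ${{ steps.check-tag.outputs.version }}
    steps:
      - name: Check tag from workflow input and github ref
        id: check-tag
        # Ref names are passed through the environment rather than expanded
        # into the script text, so their content is never parsed as shell
        # source.
        env:
          INPUT_REF_NAME: ${{ inputs.ref_name }}
          REF_NAME: ${{ github.ref_name }}
        run: |
          if [ -n "$INPUT_REF_NAME" ]; then
            tag="$INPUT_REF_NAME"
          else
            tag="$REF_NAME"
          fi
          echo "tag=$tag" >> "${GITHUB_OUTPUT}"
          version=${tag#v}
          if [[ $version =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "Version matches format: $version"
          else
            echo "Version $version doesn't match format. Using default: 0.0.0"
            version="0.0.0"
          fi
          echo "version=$version" >> "${GITHUB_OUTPUT}"
  # Builds the MSI, hands it to the signing buckets, fetches the signed
  # result and uploads it to the installer bucket.
  windows-msi-build:
    needs: get-tag-name
    runs-on: [self-hosted, windows, amd64, release]
    timeout-minutes: 100
    steps:
      - name: Configure git CRLF settings
        run: |
          git config --global core.autocrlf false
          git config --global core.eol lf
      - name: Set up Python
        uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
        with:
          python-version: '3.x'
      # NOTE(review): pip and awscli are installed unpinned on the release
      # runner; pinning a version (ideally with hashes) would make the tool
      # that handles the release artifacts reproducible.
      - name: Install AWS CLI
        run: |
          python -m pip install --upgrade pip
          pip install awscli
      - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
        with:
          ref: ${{ needs.get-tag-name.outputs.tag }}
          fetch-depth: 0
          persist-credentials: false
          submodules: recursive
      # NOTE(review): no step in this job reads has_creds; with the
      # workflow_dispatch / workflow_call triggers the expression presumably
      # evaluates to false - confirm whether the step is still needed.
      - name: Set output variables
        id: vars
        run: |
          $has_creds="${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name }}"
          echo "has_creds=$has_creds" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf8 -Append
          exit 0 # if $has_creds is false, powershell will exit with code 1 and this step will fail
      # NOTE(review): the cleanup and build steps below run with these
      # credentials configured; if they do not need AWS access, assuming the
      # role after the build would narrow the exposure - confirm.
      - name: configure aws credentials
        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
        with:
          role-to-assume: ${{ secrets.WINDOWS_ROLE }}
          role-session-name: windows-msi
          aws-region: ${{ secrets.WINDOWS_REGION }}
      - name: Remove Finch VM
        run: |
          wsl --list --verbose
          wsl --shutdown
          wsl --unregister lima-finch
          wsl --list --verbose
      - name: Clean up previous files
        run: |
          Remove-Item C:\Users\Administrator\.finch -Recurse -ErrorAction Ignore
          Remove-Item C:\Users\Administrator\AppData\Local\.finch -Recurse -ErrorAction Ignore
          make clean
          cd deps/finch-core && make clean
      - name: Build project
        run: |
          make FINCH_ROOTFS_LOCATION_ROOT=/__INSTALLFOLDER__
      - name: generate msi
        # Expression values reach the script as environment variables instead
        # of being pasted into the PowerShell source.
        env:
          VERSION: ${{ needs.get-tag-name.outputs.version }}
          UNSIGNED_BUCKET: ${{ secrets.WINDOWS_UNSIGNED_BUCKET }}
          SIGNED_BUCKET: ${{ secrets.WINDOWS_SIGNED_BUCKET }}
        run: |
          $version = $env:VERSION
          powershell .\msi-builder\BuildFinchMSI.ps1 -Version $version
          aws s3 cp "./msi-builder/build/Finch-$version.msi" "${env:UNSIGNED_BUCKET}Finch-$version.msi" --acl bucket-owner-full-control --no-progress
          # A failing native command does not raise a PowerShell exception,
          # so its exit code is checked explicitly.
          if ($LASTEXITCODE -ne 0) {
            throw "Upload of the unsigned MSI failed with exit code $LASTEXITCODE."
          }
          New-Item -Path "./msi-builder/build/signed/" -ItemType Directory -Force
          # The dots of the version are escaped so they match literally.
          $pattern = "Finch-$([regex]::Escape($version))\.msi"
          $retryCount = 0
          $maxRetries = 20
          $delay = 5
          # NOTE(review): the newest matching object is taken; an object left
          # by an earlier run of the same version (e.g. the 0.0.0 default)
          # would also match - confirm how the signed bucket is cleaned.
          while ($retryCount -lt $maxRetries) {
            try {
              Start-Sleep -Seconds $delay
              $signedMSI = aws s3 ls $env:SIGNED_BUCKET | Where-Object { $_ -match $pattern } | Sort-Object -Descending | Select-Object -First 1 | ForEach-Object { ($_ -split '\s+')[-1] }
              # Without these checks a missing object or a failed copy would
              # fall through to "break" and the loop would never retry.
              if (-not $signedMSI) {
                throw "Signed MSI for version $version is not available yet."
              }
              aws s3 cp "${env:SIGNED_BUCKET}$signedMSI" "./msi-builder/build/signed/Finch-$version.msi"
              if ($LASTEXITCODE -ne 0) {
                throw "Download of the signed MSI failed with exit code $LASTEXITCODE."
              }
              break
            } catch {
              $retryCount++
              Write-Host "Exception: $_"
              Write-Host "Retry $retryCount/$maxRetries..."
            }
          }
          if ($retryCount -eq $maxRetries) {
            throw "Failed after $maxRetries attempts."
          }
          # Refuse to publish a file that carries no signature or whose
          # content no longer matches its signature.
          # NOTE(review): assumes the signing service applies an Authenticode
          # signature to the MSI - confirm.
          $signature = Get-AuthenticodeSignature -FilePath "./msi-builder/build/signed/Finch-$version.msi"
          Write-Host "Authenticode status: $($signature.Status)"
          if ([string]$signature.Status -in @('NotSigned', 'HashMismatch')) {
            throw "Downloaded MSI failed the signature check: $($signature.Status)"
          }
      # Switches to the role used for the installer bucket.
      - name: configure aws credentials
        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
        with:
          role-to-assume: ${{ secrets.ROLE }}
          role-session-name: windows-msi
          aws-region: ${{ secrets.REGION }}
      - name: upload signed MSI to S3
        env:
          VERSION: ${{ needs.get-tag-name.outputs.version }}
          INSTALLER_PRIVATE_BUCKET_NAME: ${{ secrets.INSTALLER_PRIVATE_BUCKET_NAME }}
        run: |
          $version = $env:VERSION
          aws s3 cp "./msi-builder/build/signed/Finch-$version.msi" "s3://${env:INSTALLER_PRIVATE_BUCKET_NAME}/Finch-$version.msi" --no-progress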