Bump azure/trusted-signing-action from 0.3.18 to 0.4.0 #97
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Pamplejuce | |
on: | |
workflow_dispatch: # lets you run a build from the UI | |
push: | |
pull_request: | |
# When pushing new commits, cancel any running builds on that branch | |
concurrency: | |
group: ${{ github.ref }} | |
cancel-in-progress: true | |
env: | |
BUILD_TYPE: Release | |
BUILD_DIR: Builds | |
DISPLAY: :0 # linux pluginval needs this | |
HOMEBREW_NO_INSTALL_CLEANUP: 1 | |
SCCACHE_GHA_ENABLED: true | |
IPP_DIR: C:\Program Files (x86)\Intel\oneAPI\ipp\latest\lib\cmake\ipp | |
defaults: | |
run: | |
shell: bash | |
# jobs are run in paralell on different machines | |
# all steps run in series | |
jobs: | |
build_and_test: | |
# don't double run on PRs | |
if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name | |
name: ${{ matrix.name }} | |
runs-on: ${{ matrix.os }} | |
strategy: | |
fail-fast: false # show all errors for each platform (vs. cancel jobs on error) | |
matrix: | |
include: | |
- name: Linux | |
os: ubuntu-22.04 | |
pluginval-binary: ./pluginval | |
- name: macOS | |
os: macos-14 | |
pluginval-binary: pluginval.app/Contents/MacOS/pluginval | |
extra-flags: -DCMAKE_OSX_ARCHITECTURES="arm64;x86_64" | |
- name: Windows | |
os: windows-latest | |
pluginval-binary: ./pluginval.exe | |
steps: | |
# Setup MSVC toolchain and developer command prompt (Windows) | |
- uses: ilammy/msvc-dev-cmd@v1 | |
# Use clang on Linux so we don't introduce a 3rd compiler (Windows and macOS use MSVC and Clang) | |
- name: Set up Clang | |
if: runner.os == 'Linux' | |
uses: egor-tensin/setup-clang@v1 | |
# This also starts up our "fake" display (Xvfb), needed for pluginval | |
- name: Install JUCE's Linux Deps | |
if: runner.os == 'Linux' | |
# Thanks to McMartin & co https://forum.juce.com/t/list-of-juce-dependencies-under-linux/15121/44 | |
run: | | |
sudo apt-get update && sudo apt install libasound2-dev libx11-dev libxinerama-dev libxext-dev libfreetype6-dev libwebkit2gtk-4.0-dev libglu1-mesa-dev xvfb ninja-build | |
sudo /usr/bin/Xvfb $DISPLAY & | |
- name: Cache IPP (Windows) | |
if: runner.os == 'Windows' | |
id: cache-ipp | |
uses: actions/cache@v4 | |
with: | |
key: ipp-v5 | |
path: C:\Program Files (x86)\Intel | |
- name: Install IPP (Windows) | |
if: (runner.os == 'Windows') && (steps.cache-ipp.outputs.cache-hit != 'true') | |
run: | | |
curl --output oneapi.exe https://registrationcenter-download.intel.com/akdlm/IRC_NAS/b4adec02-353b-4144-aa21-f2087040f316/w_ipp_oneapi_p_2021.11.0.533_offline.exe | |
./oneapi.exe -s -x -f oneapi | |
./oneapi/bootstrapper.exe -s -c --action install --components=intel.oneapi.win.ipp.devel --eula=accept -p=NEED_VS2022_INTEGRATION=1 --log-dir=. | |
- name: Save IPP cache (even on CI fail) | |
if: runner.os == 'Windows' && (steps.cache-ipp.outputs.cache-hit != 'true') | |
uses: actions/cache/save@v4 | |
with: | |
path: C:\Program Files (x86)\Intel | |
key: ipp-v5 | |
- name: Install Ninja (Windows) | |
if: runner.os == 'Windows' | |
run: choco install ninja | |
- name: Install macOS Deps | |
if: ${{ matrix.name == 'macOS' }} | |
run: brew install ninja osxutils | |
# This block can be removed once 15.1 is default (JUCE requires it when building on macOS 14) | |
- name: Use latest Xcode on system (macOS) | |
if: ${{ matrix.name == 'macOS' }} | |
uses: maxim-lobanov/setup-xcode@v1 | |
with: | |
xcode-version: latest-stable | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
with: | |
submodules: true # Get JUCE populated | |
- name: Cache the build | |
uses: mozilla-actions/[email protected] | |
- name: Import Certificates (macOS) | |
uses: apple-actions/import-codesign-certs@v3 | |
if: ${{ matrix.name == 'macOS' }} | |
with: | |
p12-file-base64: ${{ secrets.DEV_ID_APP_CERT }} | |
p12-password: ${{ secrets.DEV_ID_APP_PASSWORD }} | |
- name: Configure | |
run: cmake -B ${{ env.BUILD_DIR }} -G Ninja -DCMAKE_BUILD_TYPE=${{ env.BUILD_TYPE}} -DCMAKE_C_COMPILER_LAUNCHER=sccache -DCMAKE_CXX_COMPILER_LAUNCHER=sccache ${{ matrix.extra-flags }} . | |
- name: Build | |
run: cmake --build ${{ env.BUILD_DIR }} --config ${{ env.BUILD_TYPE }} --parallel 4 | |
- name: Test | |
working-directory: ${{ env.BUILD_DIR }} | |
run: ./Tests | |
- name: Run Benchmarks | |
working-directory: ${{ env.BUILD_DIR }} | |
run: ./Benchmarks | |
- name: Read in .env from CMake # see GitHubENV.cmake | |
run: | | |
cat .env # show us the config | |
cat .env >> $GITHUB_ENV # pull in our PRODUCT_NAME, etc | |
- name: Set additional env vars for next steps | |
run: | | |
ARTIFACTS_PATH=${{ env.BUILD_DIR }}/${{ env.PROJECT_NAME }}_artefacts/${{ env.BUILD_TYPE }} | |
echo "ARTIFACTS_PATH=$ARTIFACTS_PATH" >> $GITHUB_ENV | |
echo "VST3_PATH=$ARTIFACTS_PATH/VST3/${{ env.PRODUCT_NAME }}.vst3" >> $GITHUB_ENV | |
echo "AU_PATH=$ARTIFACTS_PATH/AU/${{ env.PRODUCT_NAME }}.component" >> $GITHUB_ENV | |
echo "AUV3_PATH=$ARTIFACTS_PATH/AUv3/${{ env.PRODUCT_NAME }}.appex" >> $GITHUB_ENV | |
echo "STANDALONE_PATH=$ARTIFACTS_PATH/Standalone/${{ env.PRODUCT_NAME }}.app" >> $GITHUB_ENV | |
echo "ARTIFACT_NAME=${{ env.PRODUCT_NAME }}-${{ env.VERSION }}-${{ matrix.name }}" >> $GITHUB_ENV | |
- name: Pluginval | |
run: | | |
curl -LO "https://github.com/Tracktion/pluginval/releases/download/v1.0.3/pluginval_${{ matrix.name }}.zip" | |
7z x pluginval_${{ matrix.name }}.zip | |
${{ matrix.pluginval-binary }} --strictness-level 10 --verbose --validate "${{ env.VST3_PATH }}" | |
- name: Codesign (macOS) | |
if: ${{ matrix.name == 'macOS' }} | |
run: | | |
# Each plugin must be code signed | |
codesign --force -s "${{ secrets.DEVELOPER_ID_APPLICATION}}" -v "${{ env.VST3_PATH }}" --deep --strict --options=runtime --timestamp | |
codesign --force -s "${{ secrets.DEVELOPER_ID_APPLICATION}}" -v "${{ env.AU_PATH }}" --deep --strict --options=runtime --timestamp | |
codesign --force -s "${{ secrets.DEVELOPER_ID_APPLICATION}}" -v "${{ env.STANDALONE_PATH }}" --deep --strict --options=runtime --timestamp | |
- name: Add Custom Icons (macOS) | |
if: ${{ matrix.name == 'macOS' }} | |
run: | | |
# add the icns as its own icon resource (meta!) | |
sips -i packaging/pamplejuce.icns | |
# Grab the resource, put in tempfile | |
DeRez -only icns packaging/pamplejuce.icns > /tmp/icons | |
# Stuff the resource into the strange Icon? file's resource fork | |
Rez -a /tmp/icons -o "${{ env.VST3_PATH }}/Icon"$'\r' | |
Rez -a /tmp/icons -o "${{ env.AU_PATH }}/Icon"$'\r' | |
# Set custom icon attribute | |
SetFile -a C "${{ env.VST3_PATH }}" | |
SetFile -a C "${{ env.AU_PATH }}" | |
- name: Create DMG, Notarize and Staple (macOS) | |
if: ${{ matrix.name == 'macOS' }} | |
run: | | |
# workaround for https://github.com/LinusU/node-appdmg/issues/234 | |
python3 -m pip install setuptools --break-system-packages | |
npm install -g appdmg | |
mkdir -p packaging/dmg | |
# Create directories for the dmg symlinks | |
sudo mkdir -m 755 -p /Library/Audio/Plug-Ins/Components && sudo mkdir -m 755 -p /Library/Audio/Plug-Ins/VST3 | |
ln -s /Library/Audio/Plug-Ins/Components "packaging/dmg/Your Mac's Component folder" | |
ln -s /Library/Audio/Plug-Ins/VST3 "packaging/dmg/Your Mac's VST3 folder" | |
mv "${{ env.VST3_PATH }}" packaging/dmg | |
mv "${{ env.AU_PATH }}" packaging/dmg | |
mv "${{ env.STANDALONE_PATH }}" packaging/dmg | |
# Run appdmg to create the .dmg | |
cd packaging && appdmg dmg.json "${{ env.ARTIFACT_NAME}}.dmg" | |
codesign -s "${{ secrets.DEVELOPER_ID_APPLICATION}}" --timestamp -i ${{ env.BUNDLE_ID }} --force "${{ env.ARTIFACT_NAME }}.dmg" | |
xcrun notarytool submit "${{ env.ARTIFACT_NAME }}.dmg" --apple-id ${{ secrets.NOTARIZATION_USERNAME }} --password ${{ secrets.NOTARIZATION_PASSWORD }} --team-id ${{ secrets.TEAM_ID }} --wait | |
xcrun stapler staple "${{ env.ARTIFACT_NAME }}.dmg" | |
- name: Zip | |
if: ${{ matrix.name == 'Linux' }} | |
working-directory: ${{ env.ARTIFACTS_PATH }} | |
run: 7z a -tzip "${{ env.ARTIFACT_NAME }}.zip" "-xr!lib${{ env.PRODUCT_NAME }}_SharedCode.a" . | |
- name: Generate Installer | |
if: ${{ matrix.name == 'Windows' }} | |
run: | | |
iscc "packaging\installer.iss" | |
mv "packaging/Output/${{ env.ARTIFACT_NAME }}.exe" "${{ env.ARTIFACTS_PATH }}/" | |
- name: Codesign with Azure Trusted Signing | |
if: ${{ matrix.name == 'Windows' }} | |
uses: azure/[email protected] | |
with: | |
# The Azure Active Directory tenant (directory) ID. | |
azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }} | |
# The client (application) ID of an App Registration in the tenant. | |
azure-client-id: ${{ secrets.AZURE_CLIENT_ID }} | |
# A client secret that was generated for the App Registration. | |
azure-client-secret: ${{ secrets.AZURE_CLIENT_SECRET }} | |
# The Code Signing Account endpoint. The URI value must have a URI that aligns to the region your Code Signing Account and Certificate Profile you are specifying were created in during the setup of these resources. | |
endpoint: ${{ secrets.AZURE_ENDPOINT }} | |
# The Code Signing Account name. | |
trusted-signing-account-name: ${{ secrets.AZURE_CODE_SIGNING_NAME }} | |
# The Certificate Profile name. | |
certificate-profile-name: ${{ secrets.AZURE_CERT_PROFILE_NAME }} | |
# This signs all exes inside the folder | |
files-folder: ${{ env.ARTIFACTS_PATH }} | |
files-folder-filter: exe | |
- name: Upload Exe (Windows) | |
if: ${{ matrix.name == 'Windows' }} | |
uses: actions/upload-artifact@v4 | |
with: | |
name: ${{ env.ARTIFACT_NAME }}.exe | |
path: "${{ env.ARTIFACTS_PATH }}/${{ env.ARTIFACT_NAME }}.exe" | |
- name: Upload Zip (Linux) | |
if: ${{ matrix.name == 'Linux' }} | |
uses: actions/upload-artifact@v4 | |
with: | |
name: ${{ env.ARTIFACT_NAME }}.zip | |
path: "${{ env.ARTIFACTS_PATH }}/${{ env.ARTIFACT_NAME }}.zip" | |
- name: Upload DMG (macOS) | |
if: ${{ matrix.name == 'macOS' }} | |
uses: actions/upload-artifact@v4 | |
with: | |
name: ${{ env.ARTIFACT_NAME }}.dmg | |
path: packaging/${{ env.ARTIFACT_NAME }}.dmg | |
release: | |
if: contains(github.ref, 'tags/v') | |
runs-on: ubuntu-latest | |
needs: build_and_test | |
steps: | |
- name: Get Artifacts | |
uses: actions/download-artifact@v4 | |
- name: Create Release | |
uses: softprops/action-gh-release@v2 | |
with: | |
prerelease: true | |
# download-artifact puts these files in their own dirs... | |
# Using globs sidesteps having to pass the version around | |
files: | | |
*/*.exe | |
*/*.zip | |
*/*.dmg |