Set GPG trust to full in CI and nightly workflows #729
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: CI | |
"on": | |
push: | |
branches: | |
- trunk | |
pull_request: | |
branches: | |
- trunk | |
schedule: | |
- cron: "0 0 * * TUE" | |
jobs: | |
gpg-sign: | |
name: GPG Signing | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout repository | |
uses: actions/[email protected] | |
- name: Setup Python | |
uses: actions/[email protected] | |
with: | |
python-version-file: ".python-version" | |
- name: Set Python executable path based on OS | |
shell: bash | |
run: | | |
if [[ "$RUNNER_OS" == "Windows" ]]; then | |
echo "VENV_PYTHON=venv\\Scripts\\python" >> $GITHUB_ENV | |
else | |
echo "VENV_PYTHON=venv/bin/python3" >> $GITHUB_ENV | |
fi | |
- name: Install Python dependencies | |
shell: bash | |
run: | | |
python3 -m venv --upgrade-deps venv | |
$VENV_PYTHON -m pip install --upgrade pip wheel | |
$VENV_PYTHON -m pip install --require-hashes -r requirements.txt | |
- name: Clone Artichoke | |
uses: actions/[email protected] | |
with: | |
repository: artichoke/artichoke | |
path: artichoke | |
# ``` | |
# $ gpg --fingerprint --with-subkey-fingerprints [email protected] | |
# pub ed25519 2021-01-03 [SC] | |
# C983 8F10 4021 F59E E6F6 BCBE B199 D034 7FDA 14A4 | |
# uid [ultimate] Code signing for Artichoke Ruby <[email protected]> | |
# sub cv25519 2021-01-03 [E] | |
# 7719 1B6D 83B2 F4E8 5197 125B A9A3 F70E 710A 15AA | |
# sub ed25519 2021-01-03 [S] | |
# 1C4A 856A CF86 EC1E E841 180F AF57 A37C AC06 1452 | |
# ``` | |
- name: Import GPG key | |
id: import_gpg | |
uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0 | |
with: | |
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} | |
passphrase: ${{ secrets.GPG_SIGNING_KEY_PASSPHRASE }} | |
fingerprint: 1C4A856ACF86EC1EE841180FAF57A37CAC061452 | |
# Set the GPG key to full trust (value 4) to ensure reliable signing | |
# and verification in CI. Full trust balances security and practicality | |
# in automated environments, avoiding prompts or failures that can | |
# occur with marginal trust, while not compromising security like | |
# ultimate trust. | |
trust_level: 4 | |
- name: List keys | |
run: gpg -K | |
- name: Build release artifacts | |
working-directory: artichoke | |
run: cargo build --verbose --release | |
- name: GPG sign binary | |
shell: bash | |
id: gpg_signing | |
run: | | |
$VENV_PYTHON -m artichoke_nightly.gpg_sign \ | |
"nightly-gpg-sign-test" \ | |
--artifact artichoke/target/release/artichoke | |
- name: Verify GPG signature | |
run: gpg --batch --verify "${{ steps.gpg_signing.outputs.signature }}" artichoke/target/release/artichoke | |
apple-codesign: | |
name: Apple Codesigning | |
runs-on: macos-latest | |
steps: | |
- name: Checkout repository | |
uses: actions/[email protected] | |
- name: Setup Python | |
uses: actions/[email protected] | |
with: | |
python-version-file: ".python-version" | |
- name: Set Python executable path based on OS | |
shell: bash | |
run: | | |
if [[ "$RUNNER_OS" == "Windows" ]]; then | |
echo "VENV_PYTHON=venv\\Scripts\\python" >> $GITHUB_ENV | |
else | |
echo "VENV_PYTHON=venv/bin/python3" >> $GITHUB_ENV | |
fi | |
- name: Install Python dependencies | |
shell: bash | |
run: | | |
python3 -m venv --upgrade-deps venv | |
$VENV_PYTHON -m pip install --upgrade pip wheel | |
$VENV_PYTHON -m pip install --require-hashes -r requirements.txt | |
- name: Clone Artichoke | |
uses: actions/[email protected] | |
with: | |
repository: artichoke/artichoke | |
path: artichoke | |
- name: Build release artifacts | |
working-directory: artichoke | |
run: cargo build --verbose --release | |
# This will codesign binaries in place which means that the tarballed | |
# binaries will be codesigned as well. | |
- name: Run Apple Codesigning and Notarization | |
shell: bash | |
id: apple_codesigning | |
if: runner.os == 'macOS' | |
run: | | |
$VENV_PYTHON -m artichoke_nightly.macos_sign_and_notarize "nightly-apple-codesign-test" \ | |
--binary "artichoke/target/release/artichoke" \ | |
--binary "artichoke/target/release/airb" \ | |
--resource artichoke/LICENSE \ | |
--resource artichoke/README.md \ | |
--dmg-icon-url "https://artichoke.github.io/logo/Artichoke-dmg.icns" | |
env: | |
MACOS_NOTARIZE_APP_PASSWORD: ${{ secrets.MACOS_NOTARIZE_APP_PASSWORD }} | |
MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }} | |
MACOS_CERTIFICATE_PASSPHRASE: ${{ secrets.MACOS_CERTIFICATE_PASSPHRASE }} | |
- name: Verify code signature | |
run: | | |
codesign --verify --check-notarization --deep --strict=all artichoke/target/release/artichoke | |
codesign --verify --check-notarization --deep --strict=all artichoke/target/release/airb | |
- name: Verify DMG code signature | |
run: spctl -a -t open --context context:primary-signature "${{ steps.apple_codesigning.outputs.asset }}" -v | |
python: | |
name: Lint and format Python | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout repository | |
uses: actions/[email protected] | |
- name: Setup Python | |
uses: actions/[email protected] | |
with: | |
python-version-file: ".python-version" | |
- name: Set Python executable path based on OS | |
shell: bash | |
run: | | |
if [[ "$RUNNER_OS" == "Windows" ]]; then | |
echo "VENV_PYTHON=venv\\Scripts\\python" >> $GITHUB_ENV | |
else | |
echo "VENV_PYTHON=venv/bin/python3" >> $GITHUB_ENV | |
fi | |
- name: Install Python dependencies | |
shell: bash | |
run: | | |
python3 -m venv --upgrade-deps venv | |
$VENV_PYTHON -m pip install --upgrade pip wheel | |
$VENV_PYTHON -m pip install --require-hashes -r dev-requirements.txt | |
- name: Run black | |
run: $VENV_PYTHON -m black --check --diff --verbose . | |
- name: Run ruff | |
run: $VENV_PYTHON -m ruff check --output-format=github . | |
- name: Run mypy | |
run: $VENV_PYTHON -m mypy . | |
ruby: | |
name: Lint and format Ruby | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout repository | |
uses: actions/[email protected] | |
- name: Install Ruby toolchain | |
uses: ruby/setup-ruby@a6e6f86333f0a2523ece813039b8b4be04560854 # v1.190.0 | |
with: | |
ruby-version: ".ruby-version" | |
bundler-cache: true | |
- name: Lint and check formatting with Rubocop | |
run: bundle exec rubocop --format github | |
text: | |
name: Lint and format text | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout repository | |
uses: actions/[email protected] | |
- name: Setup Node.js runtime | |
uses: actions/[email protected] | |
with: | |
node-version: "lts/*" | |
- name: Install toolchain | |
run: npm ci | |
- name: Lint and check formatting with prettier | |
run: npx prettier --check '**/*' | |
- name: Lint YAML sources with yamllint | |
run: | | |
yamllint --version | |
echo "Linting YAML sources with yamllint ..." | |
yamllint --strict --format github . | |
echo "OK" |