From 239411755bc16ac09ca3b62c4f5b46a355fa08df Mon Sep 17 00:00:00 2001
From: Johannes Schindelin
Date: Tue, 8 Apr 2025 08:36:58 +0200
Subject: [PATCH 01/18] fixup! .github/actions/akv-secret: add action to get secrets

This fixes "Error: path is not defined" issues in the workflow run.

Signed-off-by: Johannes Schindelin
---
.github/actions/akv-secret/index.js | 1 +
1 file changed, 1 insertion(+)

diff --git a/.github/actions/akv-secret/index.js b/.github/actions/akv-secret/index.js
index 72f624f8fb5645..a42b2a239af351 100644
--- a/.github/actions/akv-secret/index.js
+++ b/.github/actions/akv-secret/index.js
@@ -1,6 +1,7 @@
const { spawnSync } = require('child_process');
const fs = require('fs');
const os = require('os');
+const path = require('path');

// Note that we are not using the `@actions/core` package as it is not available
// without either committing node_modules/ to the repository, or using something

From 99d0945d2d68f492bfc63e9d256b48133aa722cf Mon Sep 17 00:00:00 2001
From: Johannes Schindelin
Date: Tue, 8 Apr 2025 10:35:35 +0200
Subject: [PATCH 02/18] fixup! .github/actions/akv-secret: add action to get secrets

Use a buffer rather than a string when handling the output from the `az` command. Handling of binary data (that was base64 encoded) requires that we use a buffer and not a string, or else we will end up writing invalid data to files/output variables. Introduce several new helper functions for working with buffers, including trimming the EOL bytes (CR, LF), and fix up some of the output functions to correctly validate the value passed - it must be something printable (UTF-8-ish). Finally ensure that we correctly mask multi-line secret values by emitting a `::add-mask` command for each line.

Co-authored-by: Johannes Schindelin
Signed-off-by: Matthew John Cheetham
---
.github/actions/akv-secret/index.js | 128 ++++++++++++++++++++--------
1 file changed, 93 insertions(+), 35 deletions(-)
diff --git a/.github/actions/akv-secret/index.js b/.github/actions/akv-secret/index.js
index a42b2a239af351..6d0933b46aa632 100644
--- a/.github/actions/akv-secret/index.js
+++ b/.github/actions/akv-secret/index.js
@@ -2,6 +2,7 @@ const { spawnSync } = require('child_process');
const fs = require('fs');
const os = require('os');
const path = require('path');
+const { isUtf8 } = require("buffer")

// Note that we are not using the `@actions/core` package as it is not available
// without either committing node_modules/ to the repository, or using something
@@ -15,6 +16,35 @@ const escapeData = (s) => {
.replace(/\n/g, '%0A')
}

+const stringify = (value) => {
+ if (typeof value === 'string') return value;
+ if (Buffer.isBuffer(value) && isUtf8(value)) return value.toString('utf-8');
+ return undefined;
+}
+
+const trimEOL = (buf) => {
+ let l = buf.length
+ if (l > 0 && buf[l - 1] === 0x0a) {
+ l -= l > 1 && buf[l - 2] === 0x0d ? 2 : 1
+ }
+ return buf.slice(0, l)
+}
+
+const writeBufToFile = (buf, file) => {
+ out = fs.createWriteStream(file)
+ out.write(buf)
+ out.end()
+}
+
+const logInfo = (message) => {
+ process.stdout.write(`${message}${os.EOL}`);
+}
+
+const setFailed = (error) => {
+ process.stdout.write(`::error::${escapeData(error.message)}${os.EOL}`);
+ process.exitCode = 1;
+}
+
const writeCommand = (file, name, value) => {
// Unique delimiter to avoid conflicts with actual values
let delim;
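Review bot: `writeBufToFile` assigns `out` without `const`/`let`, which creates an implicit global (or a ReferenceError under strict mode), and it returns before the write stream has flushed, so the `Secret written to file` message the caller logs later in this patch can precede the actual write. Everything else in the secret loop is synchronous, so a synchronous write is simpler and also lets the file be created with a restrictive mode, which matters for secret material: `const writeBufToFile = (buf, file) => fs.writeFileSync(file, buf, { mode: 0o600 });`. In `trimEOL`, `buf.slice(0, l)` works but `buf.subarray(0, l)` is the non-deprecated form for buffers.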
@@ -29,24 +59,37 @@ const writeCommand = (file, name, value) => {
}

const setSecret = (value) => {
- process.stdout.write(`::add-mask::${escapeData(value)}${os.EOL}`);
+ value = stringify(value);
+
+ // Masking a secret that is not a valid UTF-8 string or buffer is not useful
+ if (value === undefined) return;
+
+ process.stdout.write(
+ value
+ .split(/\r?\n/g)
+ .map(
+ value => `::add-mask::${escapeData(value)}${os.EOL}`
+ )
+ .join('')
+ );
}

const setOutput = (name, value) => {
+ value = stringify(value);
+ if (value === undefined) {
+ throw new Error(`Output value '${name}' is not a valid UTF-8 string or buffer`);
+ }
+
writeCommand(process.env.GITHUB_OUTPUT, name, value);
}

const exportVariable = (name, value) => {
- writeCommand(process.env.GITHUB_ENV, name, value);
-}
-
-const logInfo = (message) => {
- process.stdout.write(`${message}${os.EOL}`);
-}
+ value = stringify(value);
+ if (value === undefined) {
+ throw new Error(`Environment variable '${name}' is not a valid UTF-8 string or buffer`);
+ }

-const setFailed = (error) => {
- process.stdout.write(`::error::${escapeData(error.message)}${os.EOL}`);
- process.exitCode = 1;
+ writeCommand(process.env.GITHUB_ENV, name, value);
}

(async () => {
@@ -68,9 +111,7 @@ const setFailed = (error) => {

// Fetch secrets from Azure Key Vault
for (const { input: secretName, encoding, output } of secretMappings) {
- let secretValue = '';
-
- const az = spawnSync('az',
+ let az = spawnSync('az',
[
'keyvault',
'secret',
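Review bot: `setSecret`, `setOutput` and `exportVariable` each overwrite their `value` parameter with `stringify(value)`, and the latter two repeat the same undefined check with only the message differing. A `const text = stringify(value)` plus one small helper, e.g. `const requireText = (value, what) => { const text = stringify(value); if (text === undefined) throw new Error(`${what} is not a valid UTF-8 string or buffer`); return text; }` called as `requireText(value, `Output value '${name}'`)`, keeps the parameters immutable and the error wording in one place. The shadowing of `value` by the `.map(value => …)` callback parameter inside `setSecret` is also easy to misread; `line =>` would say what it is.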
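Review bot: `let az = spawnSync('az',` replaces a `const` with a `let` although nothing visible in the hunk reassigns `az`; unless the rest of the loop body does, `const az = spawnSync('az',` should be kept so the binding stays immutable. The `spawnSync` argument list and the enclosing `for` loop continue outside the hunk.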
@@ -93,10 +134,12 @@ const setFailed = (error) => {
if (az.error) throw new Error(az.error, { cause: az.error });
if (az.status !== 0) throw new Error(`az failed with status ${az.status}`);

- secretValue = az.stdout.toString('utf-8').trim();
+ // az keyvault secret show --output tsv returns a buffer with trailing \n
+ // (or \r\n on Windows), so we need to trim it specifically.
+ let secretBuf = trimEOL(az.stdout);

// Mask the raw secret value in logs
- setSecret(secretValue);
+ setSecret(secretBuf);

// Handle encoded values if specified
// Sadly we cannot use the `--encoding` parameter of the `az keyvault
@@ -106,31 +149,46 @@ const setFailed = (error) => {
if (encoding) {
switch (encoding.toLowerCase()) {
case 'base64':
- secretValue = Buffer.from(secretValue, 'base64').toString();
+ secretBuf = Buffer.from(secretBuf.toString('utf-8'), 'base64');
+ break;
+ case 'ascii':
+ case 'utf8':
+ case 'utf-8':
+ // No need to decode the existing buffer from the az command
break;
default:
- // No decoding needed
- }
+ throw new Error(`Unsupported encoding: ${encoding}`);
+ }

- setSecret(secretValue); // Mask the decoded value as well
+ // Mask the decoded value
+ setSecret(secretBuf);
}

- if (output.startsWith('$env:')) {
- // Environment variable
- const envVarName = output.replace('$env:', '').trim();
- exportVariable(envVarName, secretValue);
- logInfo(`Secret set as environment variable: ${envVarName}`);
- } else if (output.startsWith('$output:')) {
- // GitHub Actions output variable
- const outputName = output.replace('$output:', '').trim();
- setOutput(outputName, secretValue);
- logInfo(`Secret set as output variable: ${outputName}`);
- } else {
- // File output
- const filePath = output.trim();
- fs.mkdirSync(path.dirname(filePath), { recursive: true });
- fs.writeFileSync(filePath, secretValue);
- logInfo(`Secret written to file: ${filePath}`);
+ const outputType = output.startsWith('$env:')
+ ? 'env'
+ : output.startsWith('$output:')
+ ? 'output'
+ : 'file';
+
+ switch (outputType) {
+ case 'env':
+ const varName = output.replace('$env:', '').trim();
+ exportVariable(varName, secretBuf);
+ logInfo(`Secret set as environment variable: ${varName}`);
+ break;
+
+ case 'output':
+ const outputName = output.replace('$output:', '').trim();
+ setOutput(outputName, secretBuf);
+ logInfo(`Secret set as output variable: ${outputName}`);
+ break;
+
+ case 'file':
+ const filePath = output.trim();
+ fs.mkdirSync(path.dirname(filePath), { recursive: true });
+ writeBufToFile(secretBuf, filePath);
+ logInfo(`Secret written to file: ${filePath}`);
+ break;
}
}
})().catch(setFailed);

From ad02e8fdf1b492ee273b7bcc36470b5848d45303 Mon Sep 17 00:00:00 2001
From: Matthew John Cheetham
Date: Tue, 8 Apr 2025 14:50:42 +0100
Subject: [PATCH 03/18] fixup! .github/actions/akv-secret: add action to get secrets

Don't mask empty lines since this isn't possible!

Signed-off-by: Matthew John Cheetham
---
.github/actions/akv-secret/index.js | 1 +
1 file changed, 1 insertion(+)

diff --git a/.github/actions/akv-secret/index.js b/.github/actions/akv-secret/index.js
index 6d0933b46aa632..d972c7a816fa33 100644
--- a/.github/actions/akv-secret/index.js
+++ b/.github/actions/akv-secret/index.js
@@ -67,6 +67,7 @@ const setSecret = (value) => {
process.stdout.write(
value
.split(/\r?\n/g)
+ .filter(line => line.length > 0) // Cannot mask empty lines
.map(
value => `::add-mask::${escapeData(value)}${os.EOL}`
)

From c579c8258c34e303215e528fdc08d09f3fde7f61 Mon Sep 17 00:00:00 2001
From: Johannes Schindelin
Date: Tue, 8 Apr 2025 09:07:41 +0200
Subject: [PATCH 04/18] fixup! fixup! release: create initial Windows installer build workflow

Since the Azure Portal supports only single-line secrets (but those lines can be _very_ long), the convention is to store GPG keys (which _are_ multi-line) as base64-encoded values.
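Review bot: The `case 'env'`, `case 'output'` and `case 'file'` clauses declare `const` bindings directly in the switch body; case clauses do not open their own scope, so this trips ESLint's no-case-declarations rule and only avoids a redeclaration error because the three names happen to differ. Wrapping each case body in braces (`case 'env': { … break; }`) fixes that, or the nested ternary plus switch could simply stay the if/else chain it replaces, which was shorter. Separately, `Buffer.from(secretBuf.toString('utf-8'), 'base64')` decodes leniently — Node skips characters outside the base64 alphabet instead of failing — so a mis-stored secret yields a silently garbled value; an alphabet check on the text before decoding would surface that with a clear error. The async IIFE enclosing this loop starts outside the hunk.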
Signed-off-by: Johannes Schindelin --- .github/workflows/build-git-installers.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build-git-installers.yml b/.github/workflows/build-git-installers.yml index ddad1453b119a5..630bf479f8f5f0 100644 --- a/.github/workflows/build-git-installers.yml +++ b/.github/workflows/build-git-installers.yml @@ -132,9 +132,9 @@ jobs: with: vault: ${{ secrets.AZURE_VAULT }} secrets: | - ${{ secrets.WIN_GPG_KEYGRIP_SECRET_NAME }} > $output:keygrip - ${{ secrets.WIN_GPG_PRIVATE_SECRET_NAME }} > $output:private-key - ${{ secrets.WIN_GPG_PASSPHRASE_SECRET_NAME }} > $output:passphrase + ${{ secrets.WIN_GPG_KEYGRIP_SECRET_NAME }} > $output:keygrip + ${{ secrets.WIN_GPG_PRIVATE_SECRET_NAME }} base64> $output:private-key + ${{ secrets.WIN_GPG_PASSPHRASE_SECRET_NAME }} > $output:passphrase - name: Prepare home directory for GPG signing if: ${{ steps.gpg-secrets.outputs.keygrip != '' && steps.gpg-secrets.outputs.private-key != '' }} shell: bash From 3d2c7196344f17ea7f5bb076ab3e86d562b052cb Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Tue, 8 Apr 2025 09:49:58 +0200 Subject: [PATCH 05/18] fixup! fixup! release: create initial Windows installer build workflow We need to log into Azure, and check out the custom Action, before we can download secrets from the KeyVault via `akv-secret`. Signed-off-by: Johannes Schindelin --- .github/workflows/build-git-installers.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.github/workflows/build-git-installers.yml b/.github/workflows/build-git-installers.yml index 630bf479f8f5f0..5d41c6d365292f 100644 --- a/.github/workflows/build-git-installers.yml +++ b/.github/workflows/build-git-installers.yml 
@@ -218,6 +218,16 @@ jobs: shell: bash run: | git clone --filter=blob:none --single-branch -b main https://github.com/git-for-windows/build-extra /usr/src/build-extra + - name: Log in to Azure + uses: azure/login@v2 + if: env.DO_WIN_CODESIGN == 'true' + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + - name: Check out repository (for akv-secret Action) + if: env.DO_WIN_CODESIGN == 'true' + uses: actions/checkout@v4 - name: Download code signing secrets id: codesign-secrets if: env.DO_WIN_CODESIGN == 'true' From 7c261dc7b5ba788c3b719c72e7e4ce0166049456 Mon Sep 17 00:00:00 2001 From: Matthew John Cheetham Date: Tue, 8 Apr 2025 14:46:36 +0100 Subject: [PATCH 06/18] fixup! fixup! release: create initial Windows installer build workflow Ensure that we don't clobber existing directory with the checkout, which in this instance contains downloaded artifacts! Signed-off-by: Matthew John Cheetham --- .github/workflows/build-git-installers.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build-git-installers.yml b/.github/workflows/build-git-installers.yml index 5d41c6d365292f..bea3edc2e91e0a 100644 --- a/.github/workflows/build-git-installers.yml +++ b/.github/workflows/build-git-installers.yml @@ -228,10 +228,12 @@ jobs: - name: Check out repository (for akv-secret Action) if: env.DO_WIN_CODESIGN == 'true' uses: actions/checkout@v4 + with: + path: git - name: Download code signing secrets id: codesign-secrets if: env.DO_WIN_CODESIGN == 'true' - uses: ./.github/actions/akv-secret + uses: ./git/.github/actions/akv-secret with: vault: ${{ secrets.AZURE_VAULT }} secrets: | From cbb2a2e08d21e51c6c2425a26d60818b40483cd3 Mon Sep 17 00:00:00 2001 
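Review bot: The new `azure/login@v2` and `actions/checkout@v4` steps are pinned only to a major-version tag, so the third-party code that receives the OIDC-federated Azure credentials can change without any change to this repository; pinning to a full-length commit SHA with the version in a trailing comment (`uses: azure/login@<full-commit-sha> # v2`) is the usual hardening for steps on a signing path. The same applies to the `azure/login@v2` step added in patch 10 and the `actions/checkout@v4` steps added in patches 14 and 16. `azure/login` with only client-id/tenant-id/subscription-id relies on the job having `permissions: id-token: write`, which is outside this hunk and worth confirming for this job.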
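Review bot: Checking out into `git/` stops the clobbering of the downloaded artifacts, but the checkout still fetches the full repository and, by default, persists the `GITHUB_TOKEN` into `git/.git/config`, where every later step of this signing job can read it. Since the checkout exists only to make `./git/.github/actions/akv-secret` available, adding `persist-credentials: false` (and optionally `sparse-checkout: .github/actions/akv-secret`) under the same `with:` keeps the token out of the workspace and shrinks the checkout. The equivalent checkouts in patches 15 and 17 would benefit from the same two inputs.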
From: Matthew John Cheetham Date: Tue, 8 Apr 2025 15:38:37 +0100 Subject: [PATCH 07/18] fixup! fixup! release: create initial Windows installer build workflow Use the global `DO_WIN_CODESIGN` environment variable rather than re-compute this for the verification of codesigning step. Signed-off-by: Matthew John Cheetham --- .github/workflows/build-git-installers.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/build-git-installers.yml b/.github/workflows/build-git-installers.yml index bea3edc2e91e0a..3d77aca9393135 100644 --- a/.github/workflows/build-git-installers.yml +++ b/.github/workflows/build-git-installers.yml @@ -356,9 +356,7 @@ jobs: fi && openssl dgst -sha256 artifacts/${{matrix.type.fileprefix}}-*.exe | sed "s/.* //" >artifacts/sha-256.txt - name: Verify that .exe files are code-signed - env: - DO_CODE_SIGN: ${{ secrets.WIN_CODESIGN_CERT_SECRET_NAME != '' }} - if: env.DO_CODE_SIGN == 'true' + if: env.DO_WIN_CODESIGN == 'true' shell: bash run: | PATH=$PATH:"/c/Program Files (x86)/Windows Kits/10/App Certification Kit/" \ From 2719153960104f7c11027993a932c4748c2ef331 Mon Sep 17 00:00:00 2001 From: Matthew John Cheetham Date: Tue, 8 Apr 2025 16:10:59 +0100 Subject: [PATCH 08/18] fixup! fixup! release: create initial Windows installer build workflow Replace Bash script (using `signtool`) for validating executables are code-signed correctly with a PowerShell script (which instead uses the `Get-AuthenticodeSignature` cmdlet). The `signtool` is only available in the Windows SDK, which isn't always installed on self-hosted runners (e.g., for ARM64), but PowerShell is always available on our images. Signed-off-by: Matthew John Cheetham --- .github/workflows/build-git-installers.yml | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build-git-installers.yml b/.github/workflows/build-git-installers.yml index 3d77aca9393135..64a99d23946eb9 100644 
--- a/.github/workflows/build-git-installers.yml +++ b/.github/workflows/build-git-installers.yml @@ -357,10 +357,21 @@ jobs: openssl dgst -sha256 artifacts/${{matrix.type.fileprefix}}-*.exe | sed "s/.* //" >artifacts/sha-256.txt - name: Verify that .exe files are code-signed if: env.DO_WIN_CODESIGN == 'true' - shell: bash + shell: pwsh run: | - PATH=$PATH:"/c/Program Files (x86)/Windows Kits/10/App Certification Kit/" \ - signtool verify //pa artifacts/${{matrix.type.fileprefix}}-*.exe + $ret = 0 + $files = Get-ChildItem -Path artifacts -Filter "${{matrix.type.fileprefix}}-*.exe" + foreach ($file in $files) { + $signature = Get-AuthenticodeSignature -FilePath $file.FullName + if ($signature.Status -eq 'Valid') { + Write-Host "[ VALID ] $($file.FullName)" + } else { + Write-Host "[INVALID] $($file.FullName)" + Write-Host " Message: $($signature.StatusMessage)" + $ret = 1 + } + } + exit $ret - name: Publish ${{matrix.type.name}}-${{matrix.arch.name}} uses: actions/upload-artifact@v4 with: From db0542b4fefa7451eaccd4d0770bffe28b8c6960 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Tue, 8 Apr 2025 09:36:12 +0200 Subject: [PATCH 09/18] fixup! fixup! release: add Mac OSX installer build The custom Action is checked out at a different location than `.github/`... Signed-off-by: Johannes Schindelin --- .github/workflows/build-git-installers.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-git-installers.yml b/.github/workflows/build-git-installers.yml index 64a99d23946eb9..b9a0fe2ec6bfb9 100644 --- a/.github/workflows/build-git-installers.yml +++ b/.github/workflows/build-git-installers.yml @@ -409,7 +409,7 @@ jobs: - name: Download signing secrets id: signing-secrets - uses: ./.github/actions/akv-secret + uses: ./git/.github/actions/akv-secret with: vault: ${{ secrets.AZURE_VAULT }} secrets: | From b76b66657c779b4de92478031565af49f76eb9b6 Mon Sep 17 00:00:00 2001 
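Review bot: The verification passes vacuously when `Get-ChildItem` finds no matching file, because the `foreach` body never runs and `$ret` stays 0, so a packaging change that renames or relocates the installers would silently skip the signature check; a guard before the loop, `if (-not $files) { Write-Host "No ${{matrix.type.fileprefix}}-*.exe found in artifacts"; exit 1 }`, closes that gap. `$signature.Status -eq 'Valid'` also only establishes that the file carries some valid Authenticode signature, not that it was produced with the project's certificate; comparing `$signature.SignerCertificate.Thumbprint` against an expected value supplied through an env/secret rather than hard-coded would pin the signer. Reporting the invalid branch with `Write-Error` instead of `Write-Host` would make failures stand out in the job log.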
From: Johannes Schindelin Date: Tue, 8 Apr 2025 09:50:49 +0200 Subject: [PATCH 10/18] fixup! fixup! release: add Mac OSX installer build We need to log into Azure before we can access the KeyVault. Signed-off-by: Johannes Schindelin --- .github/workflows/build-git-installers.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/build-git-installers.yml b/.github/workflows/build-git-installers.yml index b9a0fe2ec6bfb9..21d4efb0c7a927 100644 --- a/.github/workflows/build-git-installers.yml +++ b/.github/workflows/build-git-installers.yml @@ -407,6 +407,13 @@ jobs: # Make universal gettext library lipo -create -output libintl.a /usr/local/opt/gettext/lib/libintl.a /opt/homebrew/opt/gettext/lib/libintl.a + - name: Log in to Azure + uses: azure/login@v2 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + - name: Download signing secrets id: signing-secrets uses: ./git/.github/actions/akv-secret From 4fe709df6fe560e109342df325bf4378d089a6aa Mon Sep 17 00:00:00 2001 From: Matthew John Cheetham Date: Tue, 8 Apr 2025 13:09:24 +0100 Subject: [PATCH 11/18] fixup! fixup! release: add Mac OSX installer build --- .github/workflows/build-git-installers.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build-git-installers.yml b/.github/workflows/build-git-installers.yml index 21d4efb0c7a927..64ebf43dc76ca2 100644 --- a/.github/workflows/build-git-installers.yml +++ b/.github/workflows/build-git-installers.yml 
@@ -427,8 +427,8 @@ jobs: ${{ secrets.APPLE_DEVELOPER_PASSWORD_SECRET_NAME }} > $output:dev-pass ${{ secrets.APPLE_APPCERT_PASS_SECRET_NAME }} > $output:appcert-pass ${{ secrets.APPLE_INSTCERT_PASS_SECRET_NAME }} > $output:instcert-pass - ${{ secrets.APPLE_APPCERT_SECRET_NAME }} base64> appcert.p12 - ${{ secrets.APPLE_INSTCERT_SECRET_NAME }} base64> instcert.p12 + ${{ secrets.APPLE_APPCERT_SECRET_NAME }} base64> ${{ runner.temp }}/appcert.p12 + ${{ secrets.APPLE_INSTCERT_SECRET_NAME }} base64> ${{ runner.temp }}/instcert.p12 - name: Set up signing/notarization infrastructure run: | @@ -439,7 +439,7 @@ jobs: # Prevent re-locking security set-keychain-settings $RUNNER_TEMP/buildagent.keychain - security import appcert.p12 \ + security import $RUNNER_TEMP/appcert.p12 \ -k $RUNNER_TEMP/buildagent.keychain \ -P '${{ steps.signing-secrets.outputs.appcert-pass }}' \ -T /usr/bin/codesign @@ -448,7 +448,7 @@ jobs: -s -k pwd \ $RUNNER_TEMP/buildagent.keychain - security import instcert.p12 \ + security import $RUNNER_TEMP/instcert.p12 \ -k $RUNNER_TEMP/buildagent.keychain \ -P '${{ steps.signing-secrets.outputs.instcert-pass }}' \ -T /usr/bin/pkgbuild From 56dc3ef5596c93897f69544d48dce0bc80308f2e Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Tue, 8 Apr 2025 14:23:53 +0200 Subject: [PATCH 12/18] fixup! fixup! release: add Mac OSX installer build We also need to quote the Apple App identity (because it contains a parenthesis). Signed-off-by: Johannes Schindelin --- .github/workflows/build-git-installers.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-git-installers.yml b/.github/workflows/build-git-installers.yml index 64ebf43dc76ca2..a879f3b3b1162b 100644 --- a/.github/workflows/build-git-installers.yml +++ b/.github/workflows/build-git-installers.yml 
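Review bot: Writing the two `.p12` bundles to `${{ runner.temp }}` fixes their location, but after the `security import` calls they remain on disk for the rest of the job next to the passwords held in step outputs; deleting them right after the imports (`rm -f "$RUNNER_TEMP"/appcert.p12 "$RUNNER_TEMP"/instcert.p12`) limits how long the certificate material is readable by later steps. This matters more on self-hosted runners, which patch 08 says this workflow uses, since whether `runner.temp` is wiped between jobs there depends on the runner setup. Whether a later cleanup step already removes the files is not visible in this hunk.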
@@ -524,7 +524,7 @@ jobs: cp -R stage/git-universal-$VERSION/ \ git/.github/macos-installer/build-artifacts make -C git/.github/macos-installer V=1 codesign \ - APPLE_APP_IDENTITY=${{ steps.signing-secrets.outputs.appsign-id }} || die "Creating signed payload failed" + APPLE_APP_IDENTITY='${{ steps.signing-secrets.outputs.appsign-id }}' || die "Creating signed payload failed" # Build and sign pkg make -C git/.github/macos-installer V=1 pkg \ From 26ecfb3d3de320abeea3c1ca198e28df660b7a1b Mon Sep 17 00:00:00 2001 From: Matthew John Cheetham Date: Tue, 8 Apr 2025 14:47:08 +0100 Subject: [PATCH 13/18] fixup! fixup! release: add Mac OSX installer build We're not using quotes around simple string values like 'git' in other places.. let's be consistent. Signed-off-by: Matthew John Cheetham --- .github/workflows/build-git-installers.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-git-installers.yml b/.github/workflows/build-git-installers.yml index a879f3b3b1162b..d33b52d4201cd7 100644 --- a/.github/workflows/build-git-installers.yml +++ b/.github/workflows/build-git-installers.yml @@ -390,7 +390,7 @@ jobs: - name: Check out repository uses: actions/checkout@v4 with: - path: 'git' + path: git - name: Install Git dependencies run: | From 5aee61e13c52903de46464a629de68bc822570c1 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Tue, 8 Apr 2025 09:36:51 +0200 Subject: [PATCH 14/18] fixup! fixup! release: add signing step for .deb package The `akv-secret` Action must be checked out before it can be used. Signed-off-by: Johannes Schindelin --- .github/workflows/build-git-installers.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/build-git-installers.yml b/.github/workflows/build-git-installers.yml index d33b52d4201cd7..d7d429b0d90ee5 100644 --- a/.github/workflows/build-git-installers.yml +++ b/.github/workflows/build-git-installers.yml 
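Review bot: Single-quoting `'${{ steps.signing-secrets.outputs.appsign-id }}'` protects the parenthesis, but the value is still substituted into the script text before bash parses it, so an identity containing a single quote would still break or alter the command line. The robust form is to map the output into the step environment — `env:` with `APPLE_APP_IDENTITY: ${{ steps.signing-secrets.outputs.appsign-id }}` on the step — and reference it as `APPLE_APP_IDENTITY="$APPLE_APP_IDENTITY" || die "Creating signed payload failed"` in the script; the same applies to the `-P '${{ … }}'` password arguments of the `security import` commands in patch 11. The values come from the key vault rather than from user input, so this is about robustness rather than a direct injection path. The `run:` block this line belongs to starts outside the hunk.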
@@ -664,6 +664,9 @@ jobs: tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + - name: Check out repository (for akv-secret Action) + uses: actions/checkout@v4 + - name: Download GPG secrets id: gpg-secrets uses: ./.github/actions/akv-secret From f9bc6c2b86ca1ec01e6cc1d4367979ad6371fe89 Mon Sep 17 00:00:00 2001 From: Matthew John Cheetham Date: Tue, 8 Apr 2025 14:47:45 +0100 Subject: [PATCH 15/18] fixup! fixup! release: add signing step for .deb package Ensure that we don't clobber existing directory with the checkout, which in this instance contains downloaded artifacts! Signed-off-by: Matthew John Cheetham --- .github/workflows/build-git-installers.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build-git-installers.yml b/.github/workflows/build-git-installers.yml index d7d429b0d90ee5..55fd3507863998 100644 --- a/.github/workflows/build-git-installers.yml +++ b/.github/workflows/build-git-installers.yml @@ -666,10 +666,12 @@ jobs: - name: Check out repository (for akv-secret Action) uses: actions/checkout@v4 + with: + path: git - name: Download GPG secrets id: gpg-secrets - uses: ./.github/actions/akv-secret + uses: ./git/.github/actions/akv-secret with: vault: ${{ secrets.AZURE_VAULT }} secrets: | From ca38143690711486b2d2733e0beb75d221be1eb1 Mon Sep 17 00:00:00 2001 From: Johannes Schindelin Date: Tue, 8 Apr 2025 09:37:30 +0200 Subject: [PATCH 16/18] fixup! fixup! build-git-installers: publish gpg public key The `akv-secret` Action must be checked out before it can be used. Signed-off-by: Johannes Schindelin --- .github/workflows/build-git-installers.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/build-git-installers.yml b/.github/workflows/build-git-installers.yml index 55fd3507863998..f9d64915e75c0e 100644 --- a/.github/workflows/build-git-installers.yml +++ b/.github/workflows/build-git-installers.yml 
@@ -842,6 +842,9 @@ jobs: tenant-id: ${{ secrets.AZURE_TENANT_ID }} subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + - name: Check out repository (for akv-secret Action) + uses: actions/checkout@v4 + - name: Download Linux GPG public key signature file uses: ./.github/actions/akv-secret with: From e730d37255bba38d14fb909a750a37aa4bd30d91 Mon Sep 17 00:00:00 2001 From: Matthew John Cheetham Date: Tue, 8 Apr 2025 14:47:59 +0100 Subject: [PATCH 17/18] fixup! fixup! build-git-installers: publish gpg public key Ensure that we don't clobber existing directory with the checkout, which in this instance contains downloaded artifacts! Signed-off-by: Matthew John Cheetham --- .github/workflows/build-git-installers.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build-git-installers.yml b/.github/workflows/build-git-installers.yml index f9d64915e75c0e..d38b8f4a116a6c 100644 --- a/.github/workflows/build-git-installers.yml +++ b/.github/workflows/build-git-installers.yml @@ -844,9 +844,11 @@ jobs: - name: Check out repository (for akv-secret Action) uses: actions/checkout@v4 + with: + path: git - name: Download Linux GPG public key signature file - uses: ./.github/actions/akv-secret + uses: ./git/.github/actions/akv-secret with: vault: ${{ secrets.AZURE_VAULT }} secrets: | From 6a7e3829cac7c3981acb86a018b50ef9092fd47a Mon Sep 17 00:00:00 2001 From: Matthew John Cheetham Date: Wed, 9 Apr 2025 10:31:52 +0100 Subject: [PATCH 18/18] fixup! .github/actions/akv-secret: add action to get secrets Add semi-colon to the `require('buffer')` line to stay consistent with the rest of the index.js file. Signed-off-by: Matthew John Cheetham --- .github/actions/akv-secret/index.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/akv-secret/index.js b/.github/actions/akv-secret/index.js index d972c7a816fa33..19a930db983b0c 100644 --- a/.github/actions/akv-secret/index.js +++ b/.github/actions/akv-secret/index.js 
@@ -2,7 +2,7 @@ const { spawnSync } = require('child_process');
const fs = require('fs');
const os = require('os');
const path = require('path');
-const { isUtf8 } = require("buffer")
+const { isUtf8 } = require("buffer");

// Note that we are not using the `@actions/core` package as it is not available
// without either committing node_modules/ to the repository, or using something