element-desktop/.github/workflows/build_linux.yaml

232 lines
9.0 KiB
YAML
Raw Permalink Normal View History

# This workflow relies on actions/cache to store the hak dependency artifacts as they take a long time to build
# Due to this extra care must be taken to only ever run all build_* scripts against the same branch to ensure
# the correct cache scoping, and additional care must be taken to not run untrusted actions on the develop branch.
on:
2022-12-15 12:00:58 +01:00
workflow_call:
inputs:
2023-04-18 12:38:26 +02:00
arch:
type: string
required: true
description: "The architecture to build for, one of 'amd64' | 'arm64'"
config:
type: string
required: true
description: "The config directory to use"
version:
type: string
required: false
description: "Version string to override the one in package.json, used for non-release builds"
2022-12-15 12:00:58 +01:00
sqlcipher:
type: string
required: true
description: "How to link sqlcipher, one of 'system' | 'static'"
env:
SQLCIPHER_BUNDLED: ${{ inputs.sqlcipher == 'static' && '1' || '' }}
permissions: {} # No permissions required
jobs:
# We build the hak files on native infrastructure as matrix-seshat fails to cross-compile properly
# https://github.com/matrix-org/seshat/issues/135
hak:
runs-on: ${{ inputs.arch == 'arm64' && 'dind-l-arm64' || 'ubuntu-22.04' }}
env:
HAK_DOCKER_IMAGE: ghcr.io/element-hq/element-desktop-dockerbuild
outputs:
cache-key: ${{ steps.cache-key.outputs.key }}
arch: ${{ steps.config.outputs.arch }}
build-args: ${{ steps.config.outputs.build-args }}
2022-12-15 12:00:58 +01:00
steps:
# Workaround for self-hosted runners lacking tools
- name: Install missing tools
if: runner.environment == 'self-hosted'
run: |
# Sanity check that the arch is arm64 as we expect
[[ $(uname -p) == "aarch64" ]] || exit 1
sudo apt-get -qq update
# curl for yarn download, git for tj-actions/changed-files, zstd for actions/cache
sudo apt-get install -y curl git zstd
curl -fsSL --create-dirs -o $HOME/bin/yarn https://github.com/yarnpkg/yarn/releases/download/v1.22.19/yarn-1.22.19.js
chmod +x $HOME/bin/yarn
echo "$HOME/bin" >> $GITHUB_PATH
- name: Resolve docker image tag for push
if: github.event_name == 'push'
run: echo "HAK_DOCKER_IMAGE=$HAK_DOCKER_IMAGE:$GITHUB_REF_NAME" >> $GITHUB_ENV
- name: Resolve docker image tag for release
if: github.event_name == 'release'
run: echo "HAK_DOCKER_IMAGE=$HAK_DOCKER_IMAGE:staging" >> $GITHUB_ENV
- name: Resolve docker image tag for other triggers
if: github.event_name != 'push' && github.event_name != 'release'
run: echo "HAK_DOCKER_IMAGE=$HAK_DOCKER_IMAGE:develop" >> $GITHUB_ENV
- uses: nbucic/variable-mapper@0673f6891a0619ba7c002ecfed0f9f4f39017b6f
2023-04-18 12:38:26 +02:00
id: config
with:
key: "${{ inputs.arch }}"
export_to: output
map: |
{
"amd64": {
"target": "x86_64-unknown-linux-gnu",
"arch": "x86-64"
},
"arm64": {
"target": "aarch64-unknown-linux-gnu",
"arch": "aarch64",
"build-args": "--arm64"
}
}
- uses: actions/checkout@v4
- uses: actions/download-artifact@v4
2022-12-15 12:00:58 +01:00
with:
name: webapp
- name: Calculate cache key
id: cache-key
run: |
echo "key=$CACHE_KEY" >> $GITHUB_OUTPUT
env:
CACHE_KEY: ${{ runner.os }}-${{ github.ref_name }}-${{ inputs.sqlcipher }}-${{ inputs.arch }}-${{ hashFiles('hakHash', 'electronVersion', 'dockerbuild/*') }}
2022-12-15 12:00:58 +01:00
- name: Cache .hak
id: cache
uses: actions/cache@v4
2022-12-15 12:00:58 +01:00
with:
key: ${{ steps.cache-key.outputs.key }}
2022-12-15 12:00:58 +01:00
path: |
./.hak
- uses: actions/setup-node@v4
2022-12-15 12:00:58 +01:00
with:
node-version-file: package.json
2022-12-15 12:00:58 +01:00
cache: "yarn"
env:
# Workaround for https://github.com/actions/setup-node/issues/317
FORCE_COLOR: 0
2022-12-15 12:00:58 +01:00
# Does not need branch matching as only analyses this layer
- name: Install Deps
run: "yarn install --frozen-lockfile"
- name: "Get modified files"
id: changed_files
if: steps.cache.outputs.cache-hit != 'true' && github.event_name == 'pull_request'
uses: tj-actions/changed-files@d6e91a2266cdb9d62096cebf1e8546899c6aa18f # v45
with:
files: |
dockerbuild/**
2023-04-18 12:38:26 +02:00
# This allows contributors to test changes to the dockerbuild image within a pull request
- name: Build docker image
uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6
if: steps.changed_files.outputs.any_modified == 'true'
with:
context: dockerbuild
load: true
platforms: linux/${{ inputs.arch }}
tags: ${{ env.HAK_DOCKER_IMAGE }}
2023-04-18 12:38:26 +02:00
2022-12-15 12:00:58 +01:00
- name: Build Natives
if: steps.cache.outputs.cache-hit != 'true'
run: |
docker run \
-v ${{ github.workspace }}:/work -w /work \
-e SQLCIPHER_BUNDLED \
$HAK_DOCKER_IMAGE \
yarn build:native
- name: Check native libraries
run: |
shopt -s globstar
for filename in ./.hak/hakModules/**/*.node; do
./scripts/glibc-check.sh $filename
done
env:
MAX_VER: 2.31 # bullseye-era glibc
build:
needs: hak
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v4
- uses: actions/download-artifact@v4
with:
name: webapp
- name: Load .hak
id: cache
uses: actions/cache/restore@v4
with:
key: ${{ needs.hak.outputs.cache-key }}
fail-on-cache-miss: true
path: |
./.hak
- uses: actions/setup-node@v4
with:
node-version-file: package.json
cache: "yarn"
env:
# Workaround for https://github.com/actions/setup-node/issues/317
FORCE_COLOR: 0
# Does not need branch matching as only analyses this layer
- name: Install Deps
run: "yarn install --frozen-lockfile"
Build & EV Sign Windows builds (#517 * Add way to provide apple ID and app password to notarise script * Add utility to generate electron-builder.json for release & nightly builds * Run Build & Test on staging too * First attempt at build & deploy for macOS with signing and notarisation * Fix quote mismatch * use correct quotes * add runs-on * Fix inputs.mode usage * remove quotes * chmod +x * Fix artifact paths * Fix deploy condition * Fix deploy condition * Fix artifact path * Iterate * Fix workflow * Fix env * Iterate * Fix missing env * Fix version calculation * Iterate * Fix config not taking effect * Update build_and_deploy.yaml * Fix alignments * delint * Fix alignment * Update build_macos.yaml * Add ability to EV sign using eSigner CKA * Initial work to build & sign Windows nightlies in CI * Format * Format * Fix gha * fix winSign * Fix install command * Add signtool to path * Update build_and_deploy.yaml * Fix quotes * Test * Fix comments * Fix cmd * Try again * arg slashes * Fix exe path * Fix matrix strategy * Use ampersand-call * fwd slash ftw? * ls * * 🌲 * tree dist * prepend path * Specify /fd and /td to modern signtool * /tr not /t for CKA * Test signing * missing comma * 🤦‍♂️ * Fix wrong mv * Lets sign * Fix config gen * Debug * Fix typo * Multiple drives why * Try NVL sandbox creds * Update * Attempt to disable logger * Try again * Iterate * Update build_macos.yaml * Update build_and_deploy.yaml * Update build_macos.yaml * Update build_and_deploy.yaml * Update build_and_deploy.yaml * Try custom build of eSigner CKA * Fix typos * Update build_windows.yaml * Update build_and_deploy.yaml * Update build_windows.yaml * Update build_and_deploy.yaml * Fix symlinking * Fix working-directory incantation * exe * remove debug * Prettier * Vendor check in SSL.com executable * Download CKA from packages.element.io instead * Use demo creds * StrictMode * Switch back to 0207 (unsigned) * Fix call syntax * Revert env inc * Partial rollback * Trace * Trace less * Fix CN being passed wrong * DEBUG * Debug 2 * Fix ConvertFrom-StringData * 0214 * Test * Test * Untested * Revert to 0207 * stash * Try with 20230221 * Restore scripts/electron_winSign.js * Prepare for merge * Update build_windows.yaml * Update build_and_deploy.yaml * Restore .github/workflows/build_and_deploy.yaml * Restore .github/workflows/build_and_deploy.yaml * Fix bad restore
2023-02-22 14:51:19 +01:00
- name: "[Nightly] Resolve version"
if: inputs.version != ''
run: |
echo "ED_NIGHTLY=${{ inputs.version }}" >> $GITHUB_ENV
- name: Generate debian files and arguments
run: |
if [ -f changelog.Debian ]; then
echo "ED_DEBIAN_CHANGELOG=changelog.Debian" >> $GITHUB_ENV
fi
2022-12-15 12:00:58 +01:00
- name: Build App
run: yarn build --publish never -l ${{ needs.hak.outputs.build-args }}
2023-04-18 12:38:26 +02:00
- name: Check native libraries
run: |
2023-04-18 12:38:26 +02:00
set -x
shopt -s globstar
FILES=$(file dist/**/*.node)
echo "$FILES"
if [ grep -v "$ARCH" ]; then
exit 1
fi
LIBS=$(readelf -d dist/**/*.node | grep NEEDED)
echo "$LIBS"
set +x
assert_contains_string() { [[ "$1" == *"$2"* ]]; }
! assert_contains_string "$LIBS" "libcrypto.so.1.1"
if [ "$SQLCIPHER_BUNDLED" == "1" ]; then
! assert_contains_string "$LIBS" "libsqlcipher.so.0"
else
assert_contains_string "$LIBS" "libsqlcipher.so.0"
fi
2024-05-14 09:31:28 +02:00
./scripts/glibc-check.sh dist/linux-*unpacked/element-desktop*
env:
ARCH: ${{ needs.hak.outputs.arch }}
# We exclude *-unpacked as it loses permissions and the tarball contains it with correct permissions
2022-12-15 12:00:58 +01:00
- name: Upload Artifacts
uses: actions/upload-artifact@v4
2022-12-15 12:00:58 +01:00
with:
name: linux-${{ inputs.arch }}-sqlcipher-${{ inputs.sqlcipher }}
path: |
dist
!dist/*-unpacked/**
2022-12-15 12:00:58 +01:00
retention-days: 1