|
7 | 7 |
|
8 | 8 | name: rust-release |
9 | 9 | on: |
10 | | - workflow_dispatch: |
| 10 | + push: |
| 11 | + tags: |
| 12 | + - "rust-v*.*.*" |
11 | 13 |
|
12 | 14 | concurrency: |
13 | 15 | group: ${{ github.workflow }} |
|
45 | 47 |
|
46 | 48 | build: |
47 | 49 | needs: tag-check |
48 | | - name: ${{ matrix.runner }} - ${{ matrix.target }} |
| 50 | + name: Build - ${{ matrix.runner }} - ${{ matrix.target }} |
49 | 51 | runs-on: ${{ matrix.runner }} |
50 | 52 | timeout-minutes: 30 |
51 | 53 | defaults: |
|
56 | 58 | fail-fast: false |
57 | 59 | matrix: |
58 | 60 | include: |
59 | | - - runner: macos-14 |
| 61 | + - runner: macos-15-xlarge |
60 | 62 | target: aarch64-apple-darwin |
61 | | - - runner: macos-14 |
| 63 | + - runner: macos-15-xlarge |
62 | 64 | target: x86_64-apple-darwin |
63 | 65 | - runner: ubuntu-24.04 |
64 | 66 | target: x86_64-unknown-linux-musl |
@@ -92,11 +94,181 @@ jobs: |
92 | 94 | - if: ${{ matrix.target == 'x86_64-unknown-linux-musl' || matrix.target == 'aarch64-unknown-linux-musl'}} |
93 | 95 | name: Install musl build tools |
94 | 96 | run: | |
95 | | - sudo apt install -y musl-tools pkg-config |
| 97 | + sudo apt-get update |
| 98 | + sudo apt-get install -y musl-tools pkg-config |
96 | 99 |
|
97 | 100 | - name: Cargo build |
98 | 101 | run: cargo build --target ${{ matrix.target }} --release --bin codex --bin codex-responses-api-proxy |
99 | 102 |
|
| 103 | + - if: ${{ matrix.runner == 'macos-15-xlarge' }} |
| 104 | + name: Configure Apple code signing |
| 105 | + shell: bash |
| 106 | + env: |
| 107 | + KEYCHAIN_PASSWORD: actions |
| 108 | + APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE_P12 }} |
| 109 | + APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} |
| 110 | + run: | |
| 111 | + set -euo pipefail |
| 112 | +
|
| 113 | + if [[ -z "${APPLE_CERTIFICATE:-}" ]]; then |
| 114 | + echo "APPLE_CERTIFICATE is required for macOS signing" |
| 115 | + exit 1 |
| 116 | + fi |
| 117 | +
|
| 118 | + if [[ -z "${APPLE_CERTIFICATE_PASSWORD:-}" ]]; then |
| 119 | + echo "APPLE_CERTIFICATE_PASSWORD is required for macOS signing" |
| 120 | + exit 1 |
| 121 | + fi |
| 122 | +
|
| 123 | + cert_path="${RUNNER_TEMP}/apple_signing_certificate.p12" |
| 124 | + echo "$APPLE_CERTIFICATE" | base64 -d > "$cert_path" |
| 125 | +
|
| 126 | + keychain_path="${RUNNER_TEMP}/codex-signing.keychain-db" |
| 127 | + security create-keychain -p "$KEYCHAIN_PASSWORD" "$keychain_path" |
| 128 | + security set-keychain-settings -lut 21600 "$keychain_path" |
| 129 | + security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$keychain_path" |
| 130 | +
|
| 131 | + keychain_args=() |
| 132 | + cleanup_keychain() { |
| 133 | + if ((${#keychain_args[@]} > 0)); then |
| 134 | + security list-keychains -s "${keychain_args[@]}" || true |
| 135 | + security default-keychain -s "${keychain_args[0]}" || true |
| 136 | + else |
| 137 | + security list-keychains -s || true |
| 138 | + fi |
| 139 | + if [[ -f "$keychain_path" ]]; then |
| 140 | + security delete-keychain "$keychain_path" || true |
| 141 | + fi |
| 142 | + } |
| 143 | +
|
| 144 | + while IFS= read -r keychain; do |
| 145 | + [[ -n "$keychain" ]] && keychain_args+=("$keychain") |
| 146 | + done < <(security list-keychains | sed 's/^[[:space:]]*//;s/[[:space:]]*$//;s/"//g') |
| 147 | +
|
| 148 | + if ((${#keychain_args[@]} > 0)); then |
| 149 | + security list-keychains -s "$keychain_path" "${keychain_args[@]}" |
| 150 | + else |
| 151 | + security list-keychains -s "$keychain_path" |
| 152 | + fi |
| 153 | +
|
| 154 | + security default-keychain -s "$keychain_path" |
| 155 | + security import "$cert_path" -k "$keychain_path" -P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign -T /usr/bin/security |
| 156 | + security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" "$keychain_path" > /dev/null |
| 157 | +
|
| 158 | + codesign_hashes=() |
| 159 | + while IFS= read -r hash; do |
| 160 | + [[ -n "$hash" ]] && codesign_hashes+=("$hash") |
| 161 | + done < <(security find-identity -v -p codesigning "$keychain_path" \ |
| 162 | + | sed -n 's/.*\([0-9A-F]\{40\}\).*/\1/p' \ |
| 163 | + | sort -u) |
| 164 | +
|
| 165 | + if ((${#codesign_hashes[@]} == 0)); then |
| 166 | + echo "No signing identities found in $keychain_path" |
| 167 | + cleanup_keychain |
| 168 | + rm -f "$cert_path" |
| 169 | + exit 1 |
| 170 | + fi |
| 171 | +
|
| 172 | + if ((${#codesign_hashes[@]} > 1)); then |
| 173 | + echo "Multiple signing identities found in $keychain_path:" |
| 174 | + printf ' %s\n' "${codesign_hashes[@]}" |
| 175 | + cleanup_keychain |
| 176 | + rm -f "$cert_path" |
| 177 | + exit 1 |
| 178 | + fi |
| 179 | +
|
| 180 | + APPLE_CODESIGN_IDENTITY="${codesign_hashes[0]}" |
| 181 | +
|
| 182 | + rm -f "$cert_path" |
| 183 | +
|
| 184 | + echo "APPLE_CODESIGN_IDENTITY=$APPLE_CODESIGN_IDENTITY" >> "$GITHUB_ENV" |
| 185 | + echo "APPLE_CODESIGN_KEYCHAIN=$keychain_path" >> "$GITHUB_ENV" |
| 186 | + echo "::add-mask::$APPLE_CODESIGN_IDENTITY" |
| 187 | +
|
| 188 | + - if: ${{ matrix.runner == 'macos-15-xlarge' }} |
| 189 | + name: Sign macOS binaries |
| 190 | + shell: bash |
| 191 | + run: | |
| 192 | + set -euo pipefail |
| 193 | +
|
| 194 | + if [[ -z "${APPLE_CODESIGN_IDENTITY:-}" ]]; then |
| 195 | + echo "APPLE_CODESIGN_IDENTITY is required for macOS signing" |
| 196 | + exit 1 |
| 197 | + fi |
| 198 | +
|
| 199 | + keychain_args=() |
| 200 | + if [[ -n "${APPLE_CODESIGN_KEYCHAIN:-}" && -f "${APPLE_CODESIGN_KEYCHAIN}" ]]; then |
| 201 | + keychain_args+=(--keychain "${APPLE_CODESIGN_KEYCHAIN}") |
| 202 | + fi |
| 203 | +
|
| 204 | + for binary in codex codex-responses-api-proxy; do |
| 205 | + path="target/${{ matrix.target }}/release/${binary}" |
| 206 | + codesign --force --options runtime --timestamp --sign "$APPLE_CODESIGN_IDENTITY" "${keychain_args[@]}" "$path" |
| 207 | + done |
| 208 | +
|
| 209 | + - if: ${{ matrix.runner == 'macos-15-xlarge' }} |
| 210 | + name: Notarize macOS binaries |
| 211 | + shell: bash |
| 212 | + env: |
| 213 | + APPLE_NOTARIZATION_KEY_P8: ${{ secrets.APPLE_NOTARIZATION_KEY_P8 }} |
| 214 | + APPLE_NOTARIZATION_KEY_ID: ${{ secrets.APPLE_NOTARIZATION_KEY_ID }} |
| 215 | + APPLE_NOTARIZATION_ISSUER_ID: ${{ secrets.APPLE_NOTARIZATION_ISSUER_ID }} |
| 216 | + run: | |
| 217 | + set -euo pipefail |
| 218 | +
|
| 219 | + for var in APPLE_NOTARIZATION_KEY_P8 APPLE_NOTARIZATION_KEY_ID APPLE_NOTARIZATION_ISSUER_ID; do |
| 220 | + if [[ -z "${!var:-}" ]]; then |
| 221 | + echo "$var is required for notarization" |
| 222 | + exit 1 |
| 223 | + fi |
| 224 | + done |
| 225 | +
|
| 226 | + notary_key_path="${RUNNER_TEMP}/notarytool.key.p8" |
| 227 | + echo "$APPLE_NOTARIZATION_KEY_P8" | base64 -d > "$notary_key_path" |
| 228 | + cleanup_notary() { |
| 229 | + rm -f "$notary_key_path" |
| 230 | + } |
| 231 | + trap cleanup_notary EXIT |
| 232 | +
|
| 233 | + notarize_binary() { |
| 234 | + local binary="$1" |
| 235 | + local source_path="target/${{ matrix.target }}/release/${binary}" |
| 236 | + local archive_path="${RUNNER_TEMP}/${binary}.zip" |
| 237 | +
|
| 238 | + if [[ ! -f "$source_path" ]]; then |
| 239 | + echo "Binary $source_path not found" |
| 240 | + exit 1 |
| 241 | + fi |
| 242 | +
|
| 243 | + rm -f "$archive_path" |
| 244 | + ditto -c -k --keepParent "$source_path" "$archive_path" |
| 245 | +
|
| 246 | + submission_json=$(xcrun notarytool submit "$archive_path" \ |
| 247 | + --key "$notary_key_path" \ |
| 248 | + --key-id "$APPLE_NOTARIZATION_KEY_ID" \ |
| 249 | + --issuer "$APPLE_NOTARIZATION_ISSUER_ID" \ |
| 250 | + --output-format json \ |
| 251 | + --wait) |
| 252 | +
|
| 253 | + status=$(printf '%s\n' "$submission_json" | jq -r '.status // "Unknown"') |
| 254 | + submission_id=$(printf '%s\n' "$submission_json" | jq -r '.id // ""') |
| 255 | +
|
| 256 | + if [[ -z "$submission_id" ]]; then |
| 257 | + echo "Failed to retrieve submission ID for $binary" |
| 258 | + exit 1 |
| 259 | + fi |
| 260 | +
|
| 261 | + echo "::notice title=Notarization::$binary submission ${submission_id} completed with status ${status}" |
| 262 | +
|
| 263 | + if [[ "$status" != "Accepted" ]]; then |
| 264 | + echo "Notarization failed for ${binary} (submission ${submission_id}, status ${status})" |
| 265 | + exit 1 |
| 266 | + fi |
| 267 | + } |
| 268 | +
|
| 269 | + notarize_binary "codex" |
| 270 | + notarize_binary "codex-responses-api-proxy" |
| 271 | +
|
100 | 272 | - name: Stage artifacts |
101 | 273 | shell: bash |
102 | 274 | run: | |
@@ -155,6 +327,29 @@ jobs: |
155 | 327 | zstd -T0 -19 --rm "$dest/$base" |
156 | 328 | done |
157 | 329 |
|
| 330 | + - name: Remove signing keychain |
| 331 | + if: ${{ always() && matrix.runner == 'macos-15-xlarge' }} |
| 332 | + shell: bash |
| 333 | + env: |
| 334 | + APPLE_CODESIGN_KEYCHAIN: ${{ env.APPLE_CODESIGN_KEYCHAIN }} |
| 335 | + run: | |
| 336 | + set -euo pipefail |
| 337 | + if [[ -n "${APPLE_CODESIGN_KEYCHAIN:-}" ]]; then |
| 338 | + keychain_args=() |
| 339 | + while IFS= read -r keychain; do |
| 340 | + [[ "$keychain" == "$APPLE_CODESIGN_KEYCHAIN" ]] && continue |
| 341 | + [[ -n "$keychain" ]] && keychain_args+=("$keychain") |
| 342 | + done < <(security list-keychains | sed 's/^[[:space:]]*//;s/[[:space:]]*$//;s/"//g') |
| 343 | + if ((${#keychain_args[@]} > 0)); then |
| 344 | + security list-keychains -s "${keychain_args[@]}" |
| 345 | + security default-keychain -s "${keychain_args[0]}" |
| 346 | + fi |
| 347 | +
|
| 348 | + if [[ -f "$APPLE_CODESIGN_KEYCHAIN" ]]; then |
| 349 | + security delete-keychain "$APPLE_CODESIGN_KEYCHAIN" |
| 350 | + fi |
| 351 | + fi |
| 352 | +
|
158 | 353 | - uses: actions/upload-artifact@v4 |
159 | 354 | with: |
160 | 355 | name: ${{ matrix.target }} |
|
0 commit comments