
Reinstate CodeQL on Mac if not signing the build #2569

Closed
wants to merge 12 commits into from
13 changes: 12 additions & 1 deletion .github/autobuild/mac.sh
Expand Up @@ -23,7 +23,7 @@ setup() {
fi
}

prepare_signing() {
check_if_signing() {
[[ "${SIGN_IF_POSSIBLE:-0}" == "1" ]] || return 1

# Signing was requested, now check all prerequisites:
Expand All @@ -35,6 +35,14 @@ prepare_signing() {

echo "Signing was requested and all dependencies are satisfied"

# Tell Github Workflow to disable CodeQL as it interferes with signing
echo "::set-output name=disable_codeql::true"
return 0
}

prepare_signing() {
check_if_signing || return 1

# Put the cert to a file
echo "${MACOS_CERTIFICATE}" | base64 --decode > certificate.p12

Expand Down Expand Up @@ -73,6 +81,9 @@ pass_artifact_to_job() {
case "${1:-}" in
setup)
setup
# check whether signing will be used and prevent
# a return status of 1 from propagating to the script exit status.
ann0see marked this conversation as resolved.
Member


Suggested change
# a return status of 1 from propagating to the script exit status.
# a return status of 1 from propagating to the script exit status.

Member


Not sure why the spacing didn't work...

check_if_signing || true
;;
build)
build_app_as_dmg_installer
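Review bot: The `echo "::set-output name=disable_codeql::true"` line in check_if_signing sets the step output through a stdout workflow command, which GitHub has deprecated because any program that prints to the step log can forge such an output; here that output decides whether CodeQL runs. Writing to the output file avoids this: `echo "disable_codeql=true" >> "${GITHUB_OUTPUT}"`. Since prepare_signing now calls check_if_signing too, the same output is emitted again in the build step where nothing reads it, so emitting it only from the `setup)` arm would keep the signal in one place. `check_if_signing || true` also hides the difference between "signing not requested" and "a prerequisite is missing"; the prerequisite checks themselves sit outside the visible hunks, so a log line for the second case may already exist there.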
29 changes: 17 additions & 12 deletions .github/workflows/autobuild.yml
Expand Up @@ -69,7 +69,7 @@ jobs:
run: python3 ${{ github.workspace }}/.github/actions_scripts/analyse_git_reference.py
id: get-build-vars

- name: Remove release ${{steps.get-build-vars.outputs.RELEASE_TAG}}, if existing
- name: Remove release ${{ steps.get-build-vars.outputs.RELEASE_TAG }}, if existing
if: steps.get-build-vars.outputs.PUBLISH_TO_RELEASE == 'true'
continue-on-error: true
uses: dev-drprasad/delete-tag-and-release@v0.1.2
Expand All @@ -79,7 +79,7 @@ jobs:
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- name: Create Release ${{steps.get-build-vars.outputs.RELEASE_TAG}} ${{steps.get-build-vars.outputs.RELEASE_TITLE}}
- name: Create Release ${{ steps.get-build-vars.outputs.RELEASE_TAG }} ${{ steps.get-build-vars.outputs.RELEASE_TITLE }}
if: steps.get-build-vars.outputs.PUBLISH_TO_RELEASE == 'true'
id: create-release
uses: actions/create-release@v1
Expand Down Expand Up @@ -122,22 +122,21 @@ jobs:
base_command: TARGET_ARCH=armhf ./.github/autobuild/linux_deb.sh
run_codeql: false

- config_name: MacOS (artifacts)
- config_name: MacOS (artifacts+CodeQL)
target_os: macos
# Stay on 10.15 as long as we use dmgbuild which does not work with 11's hdiutil (?):
building_on_os: macos-10.15
base_command: QT_VERSION=5.15.2 SIGN_IF_POSSIBLE=1 ./.github/autobuild/mac.sh
# Disable CodeQL on mac as it interferes with signing the binaries (signing hangs, see #2563 and #2564)
run_codeql: false
# run_codeql will be ignored in the steps below if building a signed image
# for Mac, as it causes the signing process to hang. See #2563 and #2564.
run_codeql: true
hoffie marked this conversation as resolved.
xcode_version: 12.1.1

# Reminder: If Legacy is removed, be sure to add a dedicated job for CodeQL again.
- config_name: MacOS Legacy (artifacts+CodeQL)
- config_name: MacOS Legacy (artifacts)
target_os: macos
building_on_os: macos-10.15
base_command: QT_VERSION=5.9.9 SIGN_IF_POSSIBLE=0 ARTIFACT_SUFFIX=_legacy ./.github/autobuild/mac.sh
# Enable CodeQL on mac legacy as this version does not get signed
run_codeql: true
run_codeql: false
# For Qt5 on Mac, we need to ensure SDK 10.15 is used, and not SDK 11.x.
# Xcode 12.1 is the most-recent release which still ships SDK 10.15:
# https://developer.apple.com/support/xcode/
Expand Down Expand Up @@ -212,12 +211,18 @@ jobs:
key: ${{ matrix.config.target_os }}-${{ hashFiles('.github/workflows/autobuild.yml', '.github/autobuild/android.sh') }}-${{ matrix.config.base_command }}

- name: Set up build dependencies for ${{ matrix.config.config_name }}
id: setup
run: ${{ matrix.config.base_command }} setup
env:
JAMULUS_BUILD_VERSION: ${{ needs.create_release.outputs.build_version }}
MACOS_CERTIFICATE: ${{ secrets.MACOS_CERT }}
MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERT_PWD }}
MACOS_CERTIFICATE_ID: ${{ secrets.MACOS_CERT_ID }}
NOTARIZATION_PASSWORD: ${{ secrets.NOTARIZATION_PASSWORD }}
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}

- name: Initialize CodeQL
if: matrix.config.run_codeql
if: matrix.config.run_codeql && steps.setup.outputs.disable_codeql != 'true'
uses: github/codeql-action/init@v1
with:
languages: 'cpp'
Expand All @@ -227,7 +232,7 @@ jobs:
run: ${{ matrix.config.base_command }} build
env:
JAMULUS_BUILD_VERSION: ${{ needs.create_release.outputs.build_version }}
MACOS_CERTIFICATE: ${{ secrets.MACOS_CERT}}
MACOS_CERTIFICATE: ${{ secrets.MACOS_CERT }}
MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERT_PWD }}
MACOS_CERTIFICATE_ID: ${{ secrets.MACOS_CERT_ID }}
NOTARIZATION_PASSWORD: ${{ secrets.NOTARIZATION_PASSWORD }}
Expand Down Expand Up @@ -308,5 +313,5 @@ jobs:
asset_content_type: application/octet-stream

- name: Perform CodeQL Analysis
if: matrix.config.run_codeql
if: matrix.config.run_codeql && steps.setup.outputs.disable_codeql != 'true'
uses: github/codeql-action/analyze@v1
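Review bot: The `Set up build dependencies` step now receives the full signing material (`MACOS_CERTIFICATE`, `MACOS_CERTIFICATE_PWD`, `MACOS_CERTIFICATE_ID`, `NOTARIZATION_PASSWORD`, `KEYCHAIN_PASSWORD`) only so that `mac.sh setup` can decide whether signing will happen, and by its name this is the step that fetches and installs third-party build dependencies for every matrix entry. The decision needs only presence, so a flag would do, for example `SIGNING_SECRETS_AVAILABLE: ${{ secrets.MACOS_CERT != '' && secrets.MACOS_CERT_PWD != '' }}` (name constructed for illustration), with the secret values kept to the build step; the prerequisite checks in check_if_signing are outside the visible hunks and would have to accept such a flag. Separately, with `MacOS Legacy` switched to `run_codeql: false` and the signed config skipping both CodeQL steps whenever `disable_codeql` is `true`, runs that have the secrets appear to get no macOS CodeQL analysis among the configs shown. A dedicated unsigned analysis job, which the removed reminder comment pointed to, would keep that coverage.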