|
| 1 | +name: Build, test and upload .msi to S3 |
| 2 | + |
| 3 | +# TODO: add scheduler and tests |
| 4 | +on: |
| 5 | + workflow_dispatch: |
| 6 | + workflow_call: |
| 7 | + inputs: |
| 8 | + ref_name: |
| 9 | + required: true |
| 10 | + type: string |
| 11 | +env: |
| 12 | + GO111MODULE: on |
| 13 | + |
| 14 | +permissions: |
| 15 | + # This is required for configure-aws-credentials to request an OIDC JWT ID token to access AWS resources later on. |
| 16 | + # More info: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings |
| 17 | + id-token: write |
| 18 | + contents: read # This is required for actions/checkout |
| 19 | + |
| 20 | +jobs: |
| 21 | + get-tag-name: |
| 22 | + name: Get tag name |
| 23 | + runs-on: ubuntu-latest |
| 24 | + outputs: |
| 25 | + tag: ${{ steps.check-tag.outputs.tag }} |
| 26 | + version: ${{ steps.check-tag.outputs.version }} |
| 27 | + steps: |
| 28 | + - name: Check tag from workflow input and github ref |
| 29 | + id: check-tag |
| 30 | + run: | |
| 31 | + if [ -n "${{ inputs.ref_name }}" ]; then |
| 32 | + tag=${{ inputs.ref_name }} |
| 33 | + else |
| 34 | + tag=${{ github.ref_name }} |
| 35 | + fi |
| 36 | + echo "tag=$tag" >> ${GITHUB_OUTPUT} |
| 37 | +
|
| 38 | + version=${tag#v} |
| 39 | + if [[ $version =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then |
| 40 | + echo "Version matches format: $version" |
| 41 | + else |
| 42 | + echo "Version $version doesn't match format. Using test version: 0.0.1" |
| 43 | + version="0.0.1" |
| 44 | + fi |
| 45 | + echo "version=$version" >> ${GITHUB_OUTPUT} |
| 46 | + |
| 47 | + windows-msi-build: |
| 48 | + needs: get-tag-name |
| 49 | + runs-on: [self-hosted, windows, amd64, release] |
| 50 | + timeout-minutes: 100 |
| 51 | + steps: |
| 52 | + - name: Configure git CRLF settings |
| 53 | + run: | |
| 54 | + git config --global core.autocrlf false |
| 55 | + git config --global core.eol lf |
| 56 | + - name: Set up Python |
| 57 | + uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 |
| 58 | + with: |
| 59 | + python-version: '3.x' |
| 60 | + - name: Install AWS CLI |
| 61 | + run: | |
| 62 | + python -m pip install --upgrade pip |
| 63 | + pip install awscli |
| 64 | + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 |
| 65 | + with: |
| 66 | + ref: ${{ needs.get-tag-name.outputs.tag }} |
| 67 | + fetch-depth: 0 |
| 68 | + persist-credentials: false |
| 69 | + submodules: recursive |
| 70 | + - name: configure aws credentials |
| 71 | + uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 |
| 72 | + with: |
| 73 | + role-to-assume: ${{ secrets.WINDOWS_ROLE }} |
| 74 | + role-session-name: windows-msi |
| 75 | + aws-region: ${{ secrets.WINDOWS_REGION }} |
| 76 | + - name: Remove Finch VM |
| 77 | + run: | |
| 78 | + wsl --list --verbose |
| 79 | + wsl --shutdown |
| 80 | + wsl --unregister lima-finch |
| 81 | + wsl --list --verbose |
| 82 | + - name: Clean up previous files |
| 83 | + run: | |
| 84 | + Remove-Item C:\Users\Administrator\.finch -Recurse -ErrorAction Ignore |
| 85 | + Remove-Item C:\Users\Administrator\AppData\Local\.finch -Recurse -ErrorAction Ignore |
| 86 | + make clean |
| 87 | + cd deps/finch-core && make clean |
| 88 | + - name: Build project |
| 89 | + run: | |
| 90 | + make FINCH_ROOTFS_LOCATION_ROOT=/__INSTALLFOLDER__ |
| 91 | + - name: generate and download signed msi |
| 92 | + run: | |
| 93 | + $version="${{ needs.get-tag-name.outputs.version }}" |
| 94 | + $tag="${{ needs.get-tag-name.outputs.tag }}" |
| 95 | + powershell .\msi-builder\BuildFinchMSI.ps1 -Version $version |
| 96 | + $timestamp=[math]::truncate((Get-Date (Get-Date).ToUniversalTime() -UFormat "%s")) |
| 97 | + $unsignedMSI="Finch-$tag-$timestamp.msi" |
| 98 | + Write-Host "Upload unsigned MSI: $unsignedMSI" |
| 99 | +
|
| 100 | + aws s3 cp "./msi-builder/build/Finch-$version.msi" "${{ secrets.WINDOWS_UNSIGNED_BUCKET }}$unsignedMSI" --acl bucket-owner-full-control --no-progress |
| 101 | + New-Item -Path "./msi-builder/build/signed/" -ItemType Directory -Force |
| 102 | +
|
| 103 | + Write-Host "Attemp to download signed MSI" |
| 104 | + $retryCount = 0 |
| 105 | + $maxRetries = 20 |
| 106 | + $delay = 5 |
| 107 | +
|
| 108 | + while ($retryCount -lt $maxRetries) { |
| 109 | + Start-Sleep -Seconds $delay |
| 110 | + $signedMSI = aws s3 ls ${{ secrets.WINDOWS_SIGNED_BUCKET }} 2>&1 | Where-Object { $_ -match "$unsignedMSI" } | Sort-Object -Descending | Select-Object -First 1 | ForEach-Object { ($_ -split '\s+')[-1] } |
| 111 | + if ($signedMSI -and ($signedMSI -notlike "*An error occurred (404) when calling the HeadObject operation*")) { |
| 112 | + try { |
| 113 | + aws s3 cp "${{ secrets.WINDOWS_SIGNED_BUCKET }}$signedMSI" "./msi-builder/build/signed/Finch-$tag.msi" |
| 114 | + break |
| 115 | + } catch { |
| 116 | + Write-Host "Error during copy: $_" |
| 117 | + } |
| 118 | + } else { |
| 119 | + $retryCount++ |
| 120 | + Write-Host "Unable to find the signed MSI or encountered an error. Retry $retryCount/$maxRetries..." |
| 121 | + } |
| 122 | + } |
| 123 | +
|
| 124 | + if ($retryCount -eq $maxRetries) { |
| 125 | + throw "Failed after $maxRetries attempts." |
| 126 | + } |
| 127 | + - name: configure aws credentials for upload signed MSI to installer bucket |
| 128 | + uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 |
| 129 | + with: |
| 130 | + role-to-assume: ${{ secrets.ROLE }} |
| 131 | + role-session-name: windows-msi |
| 132 | + aws-region: ${{ secrets.REGION }} |
| 133 | + - name: upload signed MSI to S3 |
| 134 | + run: | |
| 135 | + $tag="${{ needs.get-tag-name.outputs.tag }}" |
| 136 | + aws s3 cp "./msi-builder/build/signed/Finch-$tag.msi" "s3://${{ secrets.INSTALLER_PRIVATE_BUCKET_NAME }}/Finch-$tag.msi" --no-progress |
| 137 | + - name: Remove Finch VM and Clean Up Previous Environment |
| 138 | + if: ${{ always() }} |
| 139 | + run: | |
| 140 | + # We want these cleanup commands to always run, ignore errors so the step completes. |
| 141 | + $ErrorActionPreference = 'Ignore' |
| 142 | + wsl --list --verbose |
| 143 | + wsl --shutdown |
| 144 | + wsl --unregister lima-finch |
| 145 | + wsl --list --verbose |
| 146 | + Remove-Item C:\Users\Administrator\AppData\Local\.finch -Recurse |
| 147 | + make clean |
| 148 | + cd deps/finch-core && make clean |
| 149 | + exit 0 # Cleanup may set the exit code e.g. if a file doesn't exist; just ignore |
| 150 | + |
| 151 | + msi-e2e-tests: |
| 152 | + needs: |
| 153 | + - get-tag-name |
| 154 | + - windows-msi-build |
| 155 | + strategy: |
| 156 | + fail-fast: false |
| 157 | + runs-on: [self-hosted, windows, amd64, release] |
| 158 | + timeout-minutes: 180 |
| 159 | + steps: |
| 160 | + - name: Configure git CRLF settings |
| 161 | + run: | |
| 162 | + git config --global core.autocrlf false |
| 163 | + git config --global core.eol lf |
| 164 | + - name: Set up Python |
| 165 | + uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0 |
| 166 | + with: |
| 167 | + python-version: '3.x' |
| 168 | + - name: Install AWS CLI |
| 169 | + run: | |
| 170 | + python -m pip install --upgrade pip |
| 171 | + pip install awscli |
| 172 | + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 |
| 173 | + with: |
| 174 | + ref: ${{ needs.get-tag-name.outputs.tag }} |
| 175 | + fetch-depth: 0 |
| 176 | + persist-credentials: false |
| 177 | + submodules: recursive |
| 178 | + - name: Set output variables |
| 179 | + id: vars |
| 180 | + run: | |
| 181 | + $has_creds="${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name }}" |
| 182 | + echo "has_creds=$has_creds" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf8 -Append |
| 183 | + exit 0 # if $has_creds is false, powershell will exit with code 1 and this step will fail |
| 184 | + - name: configure aws credentials |
| 185 | + uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1 |
| 186 | + with: |
| 187 | + role-to-assume: ${{ secrets.ROLE }} |
| 188 | + role-session-name: msi-test |
| 189 | + aws-region: ${{ secrets.REGION }} |
| 190 | + - name: Remove Finch VM |
| 191 | + run: | |
| 192 | + wsl --list --verbose |
| 193 | + wsl --shutdown |
| 194 | + wsl --unregister lima-finch |
| 195 | + wsl --list --verbose |
| 196 | + - name: Clean up previous files |
| 197 | + run: | |
| 198 | + Remove-Item C:\Users\Administrator\.finch -Recurse -ErrorAction Ignore |
| 199 | + Remove-Item C:\Users\Administrator\AppData\Local\.finch -Recurse -ErrorAction Ignore |
| 200 | + make clean |
| 201 | + cd deps/finch-core && make clean |
| 202 | + - name: Uninstall Finch silently |
| 203 | + run: | |
| 204 | + $productCode = (Get-WmiObject -Class Win32_Product | Where-Object { $_.Name -like "*Finch*" } | Select-Object -ExpandProperty IdentifyingNumber) |
| 205 | + if ($productCode) { |
| 206 | + msiexec /x $productCode /qn |
| 207 | + } else { |
| 208 | + Write-Output "Finch not found or it wasn't installed using MSI." |
| 209 | + } |
| 210 | + - name: Download MSI from S3 |
| 211 | + run: | |
| 212 | + $tag="${{ needs.get-tag-name.outputs.tag }}" |
| 213 | + aws s3 cp "s3://${{ secrets.INSTALLER_PRIVATE_BUCKET_NAME }}/Finch-$tag.msi" ./Finch.msi |
| 214 | + - name: Install MSI silently |
| 215 | + run: | |
| 216 | + Start-Process 'Finch.msi' -ArgumentList '/quiet' -Wait |
| 217 | + echo "C:\Program Files\Finch\bin" >> $env:GITHUB_PATH |
| 218 | + - name: Run e2e tests |
| 219 | + run: | |
| 220 | + # set path to use newer ssh version |
| 221 | + $newPath = (";C:\Program Files\Git\bin\;" + "C:\Program Files\Git\usr\bin\;" + "$env:Path") |
| 222 | + $env:Path = $newPath |
| 223 | + # set networking config option to allow for VM/container -> host communication |
| 224 | + echo "[experimental]`nnetworkingMode=mirrored`nhostAddressLoopback=true" > C:\Users\Administrator\.wslconfig |
| 225 | + |
| 226 | + git status |
| 227 | + git clean -f -d |
| 228 | + $env:INSTALLED="true" |
| 229 | + make test-e2e |
| 230 | + - name: Uninstall Finch silently |
| 231 | + if: ${{ always() }} |
| 232 | + run: | |
| 233 | + $productCode = (Get-WmiObject -Class Win32_Product | Where-Object { $_.Name -like "*Finch*" } | Select-Object -ExpandProperty IdentifyingNumber) |
| 234 | + if ($productCode) { |
| 235 | + msiexec /x $productCode /qn |
| 236 | + } else { |
| 237 | + Write-Output "Finch not found or it wasn't installed using MSI." |
| 238 | + } |
| 239 | + - name: Remove Finch VM and Clean Up Previous Environment |
| 240 | + if: ${{ always() }} |
| 241 | + run: | |
| 242 | + # We want these cleanup commands to always run, ignore errors so the step completes. |
| 243 | + $ErrorActionPreference = 'Ignore' |
| 244 | + wsl --list --verbose |
| 245 | + wsl --shutdown |
| 246 | + wsl --unregister lima-finch |
| 247 | + wsl --list --verbose |
| 248 | + Remove-Item C:\Users\Administrator\AppData\Local\.finch -Recurse |
| 249 | + make clean |
| 250 | + cd deps/finch-core && make clean |
| 251 | + exit 0 # Cleanup may set the exit code e.g. if a file doesn't exist; just ignore |
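Review bot: The "Check tag from workflow input and github ref" step (new lines 31-34) expands `${{ inputs.ref_name }}` and `${{ github.ref_name }}` straight into the bash script, so a ref name containing shell metacharacters is run as code rather than handled as data, in a workflow that grants `id-token: write`. Pass the values through the environment instead: add `env: REF_INPUT: ${{ inputs.ref_name }}` to the step, replace the if/else with `tag="${REF_INPUT:-$GITHUB_REF_NAME}"`, and quote `"$GITHUB_OUTPUT"` in both `echo` lines. Only `version` is format-checked; `tag` is emitted unvalidated and later expanded into PowerShell on the self-hosted release runner (new lines 94, 135, 212), where it also ends up in the `-match "$unsignedMSI"` pattern and in S3 object keys. Rejecting any tag that does not match the expected pattern before writing the output would close that path as well.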