feather/.github/workflows/guix.yml

name: ci/gh-actions/guix

on: [push, pull_request]

jobs:
  cache-sources:
    runs-on: ubuntu-24.04
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: depends sources cache
        id: cache
        uses: actions/cache@v4
        with:
          path: contrib/depends/sources
          key: sources-${{ hashFiles('contrib/depends/packages/*') }}
      - name: download depends sources
        if: steps.cache.outputs.cache-hit != 'true'
        run: make -C contrib/depends download

  build-guix:
    runs-on: ubuntu-24.04
    needs: [cache-sources]
    strategy:
      fail-fast: false
      matrix:
        toolchain:
          - target: "x86_64-linux-gnu"
          - target: "x86_64-linux-gnu.no-tor-bundle"
          - target: "x86_64-linux-gnu.pack"
          - target: "aarch64-linux-gnu"
          - target: "arm-linux-gnueabihf"
          - target: "riscv64-linux-gnu"
          - target: "x86_64-w64-mingw32"
          - target: "x86_64-w64-mingw32.installer"
          - target: "x86_64-apple-darwin"
          - target: "arm64-apple-darwin"
    outputs:
      WIN_INSTALLER_ARTIFACT_ID: ${{ steps.win-installer.outputs.WIN_INSTALLER_ARTIFACT_ID }}
      WIN_EXECUTABLE_ARTIFACT_ID: ${{ steps.win-executable.outputs.WIN_EXECUTABLE_ARTIFACT_ID }}
    name: ${{ matrix.toolchain.target }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: ${{ github.ref }}
          submodules: recursive
      # https://github.com/actions/checkout/issues/1467
      - name: git fetch tags
        run: git fetch --tags
      - name: remove bundled packages
        run: sudo rm -rf /usr/local
      - name: depends sources cache
        uses: actions/cache/restore@v4
        with:
          path: contrib/depends/sources
          key: sources-${{ hashFiles('contrib/depends/packages/*') }}
      - name: install dependencies
        run: sudo apt update; sudo apt -y install guix git ca-certificates apparmor-utils osslsigncode
      - name: fix apparmor
        run: sudo cp .github/workflows/guix /etc/apparmor.d/guix; sudo /etc/init.d/apparmor reload; sudo aa-enforce guix || echo "failed"
      - name: purge apparmor
        run: sudo apt purge apparmor
      - name: build
        run: SUBSTITUTE_URLS='http://bordeaux.guix.gnu.org' HOSTS="${{ matrix.toolchain.target }}" ./contrib/guix/guix-build
      - name: virustotal scan
        env:
          VT_API_KEY: ${{ secrets.VT_API_KEY }}
        if: ${{ matrix.toolchain.target == 'x86_64-w64-mingw32' && env.VT_API_KEY != '' }}
        uses: crazy-max/ghaction-virustotal@v4
        with:
          vt_api_key: ${{ secrets.VT_API_KEY }}
          files: |
            guix/guix-build-*/build/distsrc-*/build/bin/feather.exe
      - uses: actions/upload-artifact@v4
        id: upload-artifact
        with:
          name: ${{ matrix.toolchain.target }}
          path: |
            guix/guix-build-*/output/${{ matrix.toolchain.target }}/*
            guix/guix-build-*/logs/${{ matrix.toolchain.target }}/*
      - if: ${{ matrix.toolchain.target == 'x86_64-w64-mingw32.installer' }}
        id: win-installer
        run: echo "WIN_INSTALLER_ARTIFACT_ID=${{ steps.upload-artifact.outputs.artifact-id }}" >> "$GITHUB_OUTPUT"
      - if: ${{ matrix.toolchain.target == 'x86_64-w64-mingw32' }}
        id: win-executable
        run: echo "WIN_EXECUTABLE_ARTIFACT_ID=${{ steps.upload-artifact.outputs.artifact-id }}" >> "$GITHUB_OUTPUT"

  bundle-logs:
    runs-on: ubuntu-24.04
    needs: [build-guix]
    steps:
      - uses: actions/download-artifact@v4
        with:
          merge-multiple: true
      - name: print hashes
        run: |
          echo '```' >> $GITHUB_STEP_SUMMARY
          uname --machine && find **/output/ -type f -print0 | env LC_ALL=C sort -z | xargs -r0 sha256sum >> $GITHUB_STEP_SUMMARY
          echo '```' >> $GITHUB_STEP_SUMMARY
      - uses: actions/upload-artifact@v4
        with:
          name: "logs"
          path: '**/logs/**'
      - uses: ncipollo/release-action@v1
        if: startsWith(github.ref, 'refs/tags/')
        with:
          artifacts: "**/*.AppImage,**/*-linux-arm.zip,**/*-linux-arm64.zip,**/*-linux-riscv64.zip,**/*-linux.zip,**/*-mac-arm64.zip,**/*-mac.zip,**/*-win.zip,**/FeatherWalletSetup-*.exe,**/feather-${{github.ref_name}}.tar.gz"
          draft: true
          name: v${{github.ref_name}}

  codesigning:
    runs-on: ubuntu-24.04
    needs: [build-guix, bundle-logs]
    if: startsWith(github.ref, 'refs/tags/')
    strategy:
      fail-fast: false
      matrix:
        toolchain:
          - target: "x86_64-w64-mingw32"
          - target: "x86_64-w64-mingw32.installer"
    steps:
      - name: install dependencies
        run: sudo apt update; sudo apt -y install osslsigncode
      - name: "set artifact id"
        run: |
          if [ "${{ matrix.toolchain.target }}" == "x86_64-w64-mingw32" ]; then
            echo "ARTIFACT_ID=${{ needs.build-guix.outputs.WIN_EXECUTABLE_ARTIFACT_ID }}" >> $GITHUB_ENV
            echo "ARTIFACT_SLUG=executable" >> $GITHUB_ENV
          elif [ "${{ matrix.toolchain.target }}" == "x86_64-w64-mingw32.installer" ]; then
            echo "ARTIFACT_ID=${{ needs.build-guix.outputs.WIN_INSTALLER_ARTIFACT_ID }}" >> $GITHUB_ENV
            echo "ARTIFACT_SLUG=installer" >> $GITHUB_ENV
          fi
      - uses: signpath/github-action-submit-signing-request@v1
        name: "request signature"
        with:
          api-token: '${{ secrets.SIGNPATH_API_KEY }}'
          organization-id: 'd3e94749-9c69-44e9-82de-c65cb3832869'
          project-slug: 'feather'
          signing-policy-slug: 'release-signing'
          artifact-configuration-slug: ${{ env.ARTIFACT_SLUG }}
          github-artifact-id: ${{ env.ARTIFACT_ID }}
          wait-for-completion: true
          output-artifact-directory: codesigning/
      - name: "extract signature"
        run: osslsigncode extract-signature -in codesigning/guix-build-*/output/${{ matrix.toolchain.target }}/*-unsigned.exe -out codesigning/${{ matrix.toolchain.target }}-${{github.ref_name}}.pem
      - uses: actions/upload-artifact@v4
        name: "upload signature"
        with:
          name: ${{ matrix.toolchain.target }}.pem
          path: |
            codesigning/${{ matrix.toolchain.target }}-${{github.ref_name}}.pem
add github workflow for guix builds 2023-05-28 14:21:48 +00:00			`name: ci/gh-actions/guix`

workflows: run on pull request 2023-12-06 02:10:35 +00:00			`on: [push, pull_request]`
add github workflow for guix builds 2023-05-28 14:21:48 +00:00
			`jobs:`
actions: optimize sources caching 2023-05-30 15:58:48 +00:00			`cache-sources:`
ci: bump ubuntu to 24.04 2024-08-09 09:16:23 +00:00			`runs-on: ubuntu-24.04`
actions: optimize sources caching 2023-05-30 15:58:48 +00:00			`steps:`
guix: add logdir 2024-03-13 10:44:29 +00:00			`- uses: actions/checkout@v4`
actions: optimize sources caching 2023-05-30 15:58:48 +00:00			`with:`
			`fetch-depth: 0`
			`- name: depends sources cache`
actions: optimize guix cache 2023-05-31 00:33:24 +00:00			`id: cache`
guix: add logdir 2024-03-13 10:44:29 +00:00			`uses: actions/cache@v4`
actions: optimize sources caching 2023-05-30 15:58:48 +00:00			`with:`
			`path: contrib/depends/sources`
			`key: sources-${{ hashFiles('contrib/depends/packages/*') }}`
			`- name: download depends sources`
actions: optimize guix cache 2023-05-31 00:33:24 +00:00			`if: steps.cache.outputs.cache-hit != 'true'`
actions: optimize sources caching 2023-05-30 15:58:48 +00:00			`run: make -C contrib/depends download`

actions: optimize guix cache 2023-05-31 00:33:24 +00:00			`build-guix:`
ci: bump ubuntu to 24.04 2024-08-09 09:16:23 +00:00			`runs-on: ubuntu-24.04`
actions: fix workflow 2024-03-13 11:14:37 +00:00			`needs: [cache-sources]`
add github workflow for guix builds 2023-05-28 14:21:48 +00:00			`strategy:`
			`fail-fast: false`
			`matrix:`
			`toolchain:`
guix: add logdir 2024-03-13 10:44:29 +00:00			`- target: "x86_64-linux-gnu"`
			`- target: "x86_64-linux-gnu.no-tor-bundle"`
			`- target: "x86_64-linux-gnu.pack"`
			`- target: "aarch64-linux-gnu"`
			`- target: "arm-linux-gnueabihf"`
			`- target: "riscv64-linux-gnu"`
			`- target: "x86_64-w64-mingw32"`
			`- target: "x86_64-w64-mingw32.installer"`
			`- target: "x86_64-apple-darwin"`
			`- target: "arm64-apple-darwin"`
ci: integrate signpath 2024-11-03 19:12:45 +00:00			`outputs:`
			`WIN_INSTALLER_ARTIFACT_ID: ${{ steps.win-installer.outputs.WIN_INSTALLER_ARTIFACT_ID }}`
			`WIN_EXECUTABLE_ARTIFACT_ID: ${{ steps.win-executable.outputs.WIN_EXECUTABLE_ARTIFACT_ID }}`
guix: add logdir 2024-03-13 10:44:29 +00:00			`name: ${{ matrix.toolchain.target }}`
add github workflow for guix builds 2023-05-28 14:21:48 +00:00			`steps:`
guix: add logdir 2024-03-13 10:44:29 +00:00			`- uses: actions/checkout@v4`
add github workflow for guix builds 2023-05-28 14:21:48 +00:00			`with:`
			`fetch-depth: 0`
ci: get tag for tag build 2024-10-17 18:59:19 +00:00			`ref: ${{ github.ref }}`
add github workflow for guix builds 2023-05-28 14:21:48 +00:00			`submodules: recursive`
ci: get tag for tag build 2024-10-17 18:59:19 +00:00			`# https://github.com/actions/checkout/issues/1467`
			`- name: git fetch tags`
			`run: git fetch --tags`
guix: add logdir 2024-03-13 10:44:29 +00:00			`- name: remove bundled packages`
			`run: sudo rm -rf /usr/local`
add github workflow for guix builds 2023-05-28 14:21:48 +00:00			`- name: depends sources cache`
guix: add logdir 2024-03-13 10:44:29 +00:00			`uses: actions/cache/restore@v4`
add github workflow for guix builds 2023-05-28 14:21:48 +00:00			`with:`
			`path: contrib/depends/sources`
actions: optimize sources caching 2023-05-30 15:58:48 +00:00			`key: sources-${{ hashFiles('contrib/depends/packages/*') }}`
add github workflow for guix builds 2023-05-28 14:21:48 +00:00			`- name: install dependencies`
ci: integrate signpath 2024-11-03 19:12:45 +00:00			`run: sudo apt update; sudo apt -y install guix git ca-certificates apparmor-utils osslsigncode`
ci: fix apparmor for 24.04 2024-08-09 11:10:26 +00:00			`- name: fix apparmor`
ci: purge apparmor 2024-08-09 11:24:47 +00:00			`run: sudo cp .github/workflows/guix /etc/apparmor.d/guix; sudo /etc/init.d/apparmor reload; sudo aa-enforce guix \|\| echo "failed"`
			`- name: purge apparmor`
			`run: sudo apt purge apparmor`
add github workflow for guix builds 2023-05-28 14:21:48 +00:00			`- name: build`
ci: remove ci.guix.gnu.org substitute Causes 403 forbidden errors on GitHub CI. 2024-08-09 13:43:43 +00:00			`run: SUBSTITUTE_URLS='http://bordeaux.guix.gnu.org' HOSTS="${{ matrix.toolchain.target }}" ./contrib/guix/guix-build`
ci: add virustotal scan for windows exe 2024-08-16 12:01:58 +00:00			`- name: virustotal scan`
ci: don't run virustotal scan if key is missing [2] 2024-10-17 12:01:00 +00:00			`env:`
			`VT_API_KEY: ${{ secrets.VT_API_KEY }}`
			`if: ${{ matrix.toolchain.target == 'x86_64-w64-mingw32' && env.VT_API_KEY != '' }}`
ci: add virustotal scan for windows exe 2024-08-16 12:01:58 +00:00			`uses: crazy-max/ghaction-virustotal@v4`
			`with:`
			`vt_api_key: ${{ secrets.VT_API_KEY }}`
			`files: \|`
			`guix/guix-build-/build/distsrc-/build/bin/feather.exe`
guix: add logdir 2024-03-13 10:44:29 +00:00			`- uses: actions/upload-artifact@v4`
ci: integrate signpath 2024-11-03 19:12:45 +00:00			`id: upload-artifact`
add github workflow for guix builds 2023-05-28 14:21:48 +00:00			`with:`
guix: add logdir 2024-03-13 10:44:29 +00:00			`name: ${{ matrix.toolchain.target }}`
add github workflow for guix builds 2023-05-28 14:21:48 +00:00			`path: \|`
guix: add logdir 2024-03-13 10:44:29 +00:00			`guix/guix-build-/output/${{ matrix.toolchain.target }}/`
			`guix/guix-build-/logs/${{ matrix.toolchain.target }}/`
ci: integrate signpath 2024-11-03 19:12:45 +00:00			`- if: ${{ matrix.toolchain.target == 'x86_64-w64-mingw32.installer' }}`
			`id: win-installer`
			`run: echo "WIN_INSTALLER_ARTIFACT_ID=${{ steps.upload-artifact.outputs.artifact-id }}" >> "$GITHUB_OUTPUT"`
			`- if: ${{ matrix.toolchain.target == 'x86_64-w64-mingw32' }}`
			`id: win-executable`
			`run: echo "WIN_EXECUTABLE_ARTIFACT_ID=${{ steps.upload-artifact.outputs.artifact-id }}" >> "$GITHUB_OUTPUT"`
guix: add logdir 2024-03-13 10:44:29 +00:00
			`bundle-logs:`
ci: bump ubuntu to 24.04 2024-08-09 09:16:23 +00:00			`runs-on: ubuntu-24.04`
guix: add logdir 2024-03-13 10:44:29 +00:00			`needs: [build-guix]`
			`steps:`
			`- uses: actions/download-artifact@v4`
			`with:`
			`merge-multiple: true`
ci: print hashes, draft release 2024-09-17 14:10:19 +00:00			`- name: print hashes`
			`run: \|`
ci: properly format hashes 2024-09-29 10:53:32 +00:00			echo '```' >> $GITHUB_STEP_SUMMARY
ci: print hashes, draft release 2024-09-17 14:10:19 +00:00			`uname --machine && find **/output/ -type f -print0 \| env LC_ALL=C sort -z \| xargs -r0 sha256sum >> $GITHUB_STEP_SUMMARY`
ci: properly format hashes 2024-09-29 10:53:32 +00:00			echo '```' >> $GITHUB_STEP_SUMMARY
guix: add logdir 2024-03-13 10:44:29 +00:00			`- uses: actions/upload-artifact@v4`
			`with:`
			`name: "logs"`
			`path: '/logs/'`
ci: print hashes, draft release 2024-09-17 14:10:19 +00:00			`- uses: ncipollo/release-action@v1`
			`if: startsWith(github.ref, 'refs/tags/')`
			`with:`
ci: fix ref_name 2024-10-17 19:32:34 +00:00			`artifacts: "*/.AppImage,*/-linux-arm.zip,*/-linux-arm64.zip,*/-linux-riscv64.zip,*/-linux.zip,*/-mac-arm64.zip,*/-mac.zip,*/-win.zip,*/FeatherWalletSetup-.exe,**/feather-${{github.ref_name}}.tar.gz"`
ci: print hashes, draft release 2024-09-17 14:10:19 +00:00			`draft: true`
			`name: v${{github.ref_name}}`
ci: integrate signpath 2024-11-03 19:12:45 +00:00
			`codesigning:`
			`runs-on: ubuntu-24.04`
			`needs: [build-guix, bundle-logs]`
			`if: startsWith(github.ref, 'refs/tags/')`
			`strategy:`
			`fail-fast: false`
			`matrix:`
			`toolchain:`
			`- target: "x86_64-w64-mingw32"`
			`- target: "x86_64-w64-mingw32.installer"`
			`steps:`
			`- name: install dependencies`
			`run: sudo apt update; sudo apt -y install osslsigncode`
			`- name: "set artifact id"`
			`run: \|`
			`if [ "${{ matrix.toolchain.target }}" == "x86_64-w64-mingw32" ]; then`
			`echo "ARTIFACT_ID=${{ needs.build-guix.outputs.WIN_EXECUTABLE_ARTIFACT_ID }}" >> $GITHUB_ENV`
			`echo "ARTIFACT_SLUG=executable" >> $GITHUB_ENV`
			`elif [ "${{ matrix.toolchain.target }}" == "x86_64-w64-mingw32.installer" ]; then`
			`echo "ARTIFACT_ID=${{ needs.build-guix.outputs.WIN_INSTALLER_ARTIFACT_ID }}" >> $GITHUB_ENV`
			`echo "ARTIFACT_SLUG=installer" >> $GITHUB_ENV`
			`fi`
			`- uses: signpath/github-action-submit-signing-request@v1`
			`name: "request signature"`
			`with:`
			`api-token: '${{ secrets.SIGNPATH_API_KEY }}'`
			`organization-id: 'd3e94749-9c69-44e9-82de-c65cb3832869'`
			`project-slug: 'feather'`
			`signing-policy-slug: 'release-signing'`
			`artifact-configuration-slug: ${{ env.ARTIFACT_SLUG }}`
			`github-artifact-id: ${{ env.ARTIFACT_ID }}`
			`wait-for-completion: true`
			`output-artifact-directory: codesigning/`
			`- name: "extract signature"`
			`run: osslsigncode extract-signature -in codesigning/guix-build-/output/${{ matrix.toolchain.target }}/-unsigned.exe -out codesigning/${{ matrix.toolchain.target }}-${{github.ref_name}}.pem`
			`- uses: actions/upload-artifact@v4`
			`name: "upload signature"`
			`with:`
			`name: ${{ matrix.toolchain.target }}.pem`
			`path: \|`
			`codesigning/${{ matrix.toolchain.target }}-${{github.ref_name}}.pem`