name: ci/gh-actions/guix on: [push, pull_request] jobs: cache-sources: runs-on: ubuntu-24.04 steps: - uses: actions/checkout@v4 with: fetch-depth: 0 - name: depends sources cache id: cache uses: actions/cache@v4 with: path: contrib/depends/sources key: sources-${{ hashFiles('contrib/depends/packages/*') }} - name: download depends sources if: steps.cache.outputs.cache-hit != 'true' run: make -C contrib/depends download build-guix: runs-on: ubuntu-24.04 needs: [cache-sources] strategy: fail-fast: false matrix: toolchain: - target: "x86_64-linux-gnu" - target: "x86_64-linux-gnu.no-tor-bundle" - target: "x86_64-linux-gnu.pack" - target: "aarch64-linux-gnu" - target: "arm-linux-gnueabihf" - target: "riscv64-linux-gnu" - target: "x86_64-w64-mingw32" - target: "x86_64-w64-mingw32.installer" - target: "x86_64-apple-darwin" - target: "arm64-apple-darwin" outputs: WIN_INSTALLER_ARTIFACT_ID: ${{ steps.win-installer.outputs.WIN_INSTALLER_ARTIFACT_ID }} WIN_EXECUTABLE_ARTIFACT_ID: ${{ steps.win-executable.outputs.WIN_EXECUTABLE_ARTIFACT_ID }} name: ${{ matrix.toolchain.target }} steps: - uses: actions/checkout@v4 with: fetch-depth: 0 ref: ${{ github.ref }} submodules: recursive # https://github.com/actions/checkout/issues/1467 - name: git fetch tags run: git fetch --tags - name: remove bundled packages run: sudo rm -rf /usr/local - name: depends sources cache uses: actions/cache/restore@v4 with: path: contrib/depends/sources key: sources-${{ hashFiles('contrib/depends/packages/*') }} - name: install dependencies run: sudo apt update; sudo apt -y install guix git ca-certificates apparmor-utils osslsigncode - name: fix apparmor run: sudo cp .github/workflows/guix /etc/apparmor.d/guix; sudo /etc/init.d/apparmor reload; sudo aa-enforce guix || echo "failed" - name: purge apparmor run: sudo apt purge apparmor - name: build run: SUBSTITUTE_URLS='http://bordeaux.guix.gnu.org' HOSTS="${{ matrix.toolchain.target }}" ./contrib/guix/guix-build - name: virustotal scan env: VT_API_KEY: ${{ secrets.VT_API_KEY }} if: ${{ matrix.toolchain.target == 'x86_64-w64-mingw32' && env.VT_API_KEY != '' }} uses: crazy-max/ghaction-virustotal@v4 with: vt_api_key: ${{ secrets.VT_API_KEY }} files: | guix/guix-build-*/build/distsrc-*/build/bin/feather.exe - uses: actions/upload-artifact@v4 id: upload-artifact with: name: ${{ matrix.toolchain.target }} path: | guix/guix-build-*/output/${{ matrix.toolchain.target }}/* guix/guix-build-*/logs/${{ matrix.toolchain.target }}/* - if: ${{ matrix.toolchain.target == 'x86_64-w64-mingw32.installer' }} id: win-installer run: echo "WIN_INSTALLER_ARTIFACT_ID=${{ steps.upload-artifact.outputs.artifact-id }}" >> "$GITHUB_OUTPUT" - if: ${{ matrix.toolchain.target == 'x86_64-w64-mingw32' }} id: win-executable run: echo "WIN_EXECUTABLE_ARTIFACT_ID=${{ steps.upload-artifact.outputs.artifact-id }}" >> "$GITHUB_OUTPUT" bundle-logs: runs-on: ubuntu-24.04 needs: [build-guix] steps: - uses: actions/download-artifact@v4 with: merge-multiple: true - name: print hashes run: | echo '```' >> $GITHUB_STEP_SUMMARY uname --machine && find **/output/ -type f -print0 | env LC_ALL=C sort -z | xargs -r0 sha256sum >> $GITHUB_STEP_SUMMARY echo '```' >> $GITHUB_STEP_SUMMARY - uses: actions/upload-artifact@v4 with: name: "logs" path: '**/logs/**' - uses: ncipollo/release-action@v1 if: startsWith(github.ref, 'refs/tags/') with: artifacts: "**/*.AppImage,**/*-linux-arm.zip,**/*-linux-arm64.zip,**/*-linux-riscv64.zip,**/*-linux.zip,**/*-mac-arm64.zip,**/*-mac.zip,**/*-win.zip,**/FeatherWalletSetup-*.exe,**/feather-${{github.ref_name}}.tar.gz" draft: true name: v${{github.ref_name}} codesigning: runs-on: ubuntu-24.04 needs: [build-guix, bundle-logs] if: startsWith(github.ref, 'refs/tags/') strategy: fail-fast: false matrix: toolchain: - target: "x86_64-w64-mingw32" - target: "x86_64-w64-mingw32.installer" steps: - name: install dependencies run: sudo apt update; sudo apt -y install osslsigncode - name: "set artifact id" run: | if [ "${{ matrix.toolchain.target }}" == "x86_64-w64-mingw32" ]; then echo "ARTIFACT_ID=${{ needs.build-guix.outputs.WIN_EXECUTABLE_ARTIFACT_ID }}" >> $GITHUB_ENV echo "ARTIFACT_SLUG=executable" >> $GITHUB_ENV elif [ "${{ matrix.toolchain.target }}" == "x86_64-w64-mingw32.installer" ]; then echo "ARTIFACT_ID=${{ needs.build-guix.outputs.WIN_INSTALLER_ARTIFACT_ID }}" >> $GITHUB_ENV echo "ARTIFACT_SLUG=installer" >> $GITHUB_ENV fi - uses: signpath/github-action-submit-signing-request@v1 name: "request signature" with: api-token: '${{ secrets.SIGNPATH_API_KEY }}' organization-id: 'd3e94749-9c69-44e9-82de-c65cb3832869' project-slug: 'feather' signing-policy-slug: 'release-signing' artifact-configuration-slug: ${{ env.ARTIFACT_SLUG }} github-artifact-id: ${{ env.ARTIFACT_ID }} wait-for-completion: true output-artifact-directory: codesigning/ - name: "extract signature" run: osslsigncode extract-signature -in codesigning/guix-build-*/output/${{ matrix.toolchain.target }}/*-unsigned.exe -out codesigning/${{ matrix.toolchain.target }}-${{github.ref_name}}.pem - uses: actions/upload-artifact@v4 name: "upload signature" with: name: ${{ matrix.toolchain.target }}.pem path: | codesigning/${{ matrix.toolchain.target }}-${{github.ref_name}}.pem