Wire Forge-native release infrastructure
Some checks failed
Cache: Publish Nix / Publish Nix Cache (push) Waiting to run
Build Rust / Cargo Test (push) Successful in 4m14s
Build Site / Next.js Build (push) Failing after 6s
Infra: OpenTofu / OpenTofu (grafana) (push) Successful in 5s
Lint Governance / BEP Metadata (push) Successful in 0s
Build: Android / Android Rust Core Stub (push) Failing after 23s
Some checks failed
Cache: Publish Nix / Publish Nix Cache (push) Waiting to run
Build Rust / Cargo Test (push) Successful in 4m14s
Build Site / Next.js Build (push) Failing after 6s
Infra: OpenTofu / OpenTofu (grafana) (push) Successful in 5s
Lint Governance / BEP Metadata (push) Successful in 0s
Build: Android / Android Rust Core Stub (push) Failing after 23s
This commit is contained in:
parent
97c569fb35
commit
002bd382e9
199 changed files with 14268 additions and 185 deletions
98
.forgejo/workflows/apple-developer-id-kms-csr.yml
Normal file
98
.forgejo/workflows/apple-developer-id-kms-csr.yml
Normal file
|
|
@ -0,0 +1,98 @@
|
|||
name: "Apple: Developer ID KMS CSR"
|
||||
run-name: "Apple: Developer ID KMS CSR (${{ github.event.inputs.kms_key || 'apple-developer-id-application' }})"
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
inputs:
|
||||
kms_key:
|
||||
description: Google KMS key name in the Burrow identity key ring
|
||||
required: false
|
||||
default: apple-developer-id-application
|
||||
kms_version:
|
||||
description: Google KMS key version
|
||||
required: false
|
||||
default: "1"
|
||||
common_name:
|
||||
description: CSR common name
|
||||
required: false
|
||||
default: Burrow Developer ID Application
|
||||
email_address:
|
||||
description: CSR email address
|
||||
required: false
|
||||
default: release@burrow.net
|
||||
|
||||
permissions:
|
||||
contents: read
|
||||
|
||||
concurrency:
|
||||
group: apple-developer-id-kms-csr-${{ github.ref }}
|
||||
cancel-in-progress: false
|
||||
|
||||
env:
|
||||
BURROW_GOOGLE_PROJECT_ID: ${{ vars.GOOGLE_PROJECT_ID || 'project-88c23ce9-918a-470a-b33' }}
|
||||
GOOGLE_CLOUD_PROJECT: ${{ vars.GOOGLE_PROJECT_ID || 'project-88c23ce9-918a-470a-b33' }}
|
||||
BURROW_GOOGLE_PROJECT_NUMBER: ${{ vars.GOOGLE_PROJECT_NUMBER || '416198671487' }}
|
||||
BURROW_GOOGLE_WIF_POOL_ID: ${{ vars.BURROW_GOOGLE_WIF_POOL_ID || 'burrow-authentik' }}
|
||||
BURROW_GOOGLE_WIF_PROVIDER_ID: ${{ vars.BURROW_GOOGLE_WIF_PROVIDER_ID || 'forgejo-runners' }}
|
||||
BURROW_GOOGLE_WIF_SERVICE_ACCOUNT: ${{ vars.BURROW_GOOGLE_WIF_SERVICE_ACCOUNT || 'burrow-forgejo-runner@project-88c23ce9-918a-470a-b33.iam.gserviceaccount.com' }}
|
||||
BURROW_AUTHENTIK_WIF_ISSUER: ${{ vars.BURROW_AUTHENTIK_WIF_ISSUER || 'https://auth.burrow.net/application/o/google-cloud/' }}
|
||||
BURROW_AUTHENTIK_WIF_AUDIENCE: ${{ vars.BURROW_AUTHENTIK_WIF_AUDIENCE || 'google-wif.burrow.net' }}
|
||||
BURROW_AUTHENTIK_WIF_CLIENT_ID: ${{ vars.BURROW_AUTHENTIK_WIF_CLIENT_ID || 'google-wif.burrow.net' }}
|
||||
BURROW_AUTHENTIK_WIF_CLIENT_SECRET: ${{ secrets.BURROW_AUTHENTIK_WIF_CLIENT_SECRET }}
|
||||
BURROW_KMS_LOCATION: global
|
||||
BURROW_KMS_KEYRING: burrow-identity
|
||||
|
||||
jobs:
|
||||
csr:
|
||||
name: Generate CSR
|
||||
runs-on: [self-hosted, linux, x86_64, burrow-forge]
|
||||
timeout-minutes: 20
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: https://code.forgejo.org/actions/checkout@v4
|
||||
with:
|
||||
token: ${{ github.token }}
|
||||
fetch-depth: 0
|
||||
|
||||
- name: Ensure Nix
|
||||
shell: bash
|
||||
run: bash Scripts/ci/ensure-nix.sh
|
||||
|
||||
- name: Authenticate Google WIF
|
||||
shell: bash
|
||||
run: nix develop .#ci -c Scripts/ci/google-wif-auth.sh
|
||||
|
||||
- name: Generate KMS-backed CSR
|
||||
shell: bash
|
||||
env:
|
||||
BURROW_APPLE_DEVELOPER_ID_KMS_KEY: ${{ github.event.inputs.kms_key || 'apple-developer-id-application' }}
|
||||
BURROW_KMS_VERSION: ${{ github.event.inputs.kms_version || '1' }}
|
||||
BURROW_APPLE_DEVELOPER_ID_CSR_COMMON_NAME: ${{ github.event.inputs.common_name || 'Burrow Developer ID Application' }}
|
||||
BURROW_APPLE_DEVELOPER_ID_CSR_EMAIL: ${{ github.event.inputs.email_address || 'release@burrow.net' }}
|
||||
run: |
|
||||
set -euo pipefail
|
||||
mkdir -p dist/apple-developer-id
|
||||
nix develop .#ci -c Scripts/apple/google-kms-csr.py \
|
||||
--output dist/apple-developer-id/developer-id-application.certSigningRequest \
|
||||
--public-key-output dist/apple-developer-id/google-kms-public-key.pem
|
||||
if command -v openssl >/dev/null 2>&1; then
|
||||
openssl req -in dist/apple-developer-id/developer-id-application.certSigningRequest -noout -verify
|
||||
fi
|
||||
cat > dist/apple-developer-id/README.txt <<'EOF'
|
||||
This CSR is backed by a non-exportable Google Cloud KMS key in the Burrow
|
||||
identity key ring. Apple currently documents Developer ID certificate creation
|
||||
through the Developer website or Xcode, not App Store Connect API creation.
|
||||
|
||||
Upload developer-id-application.certSigningRequest in:
|
||||
Certificates, Identifiers & Profiles -> Certificates -> + -> Developer ID ->
|
||||
Developer ID Application.
|
||||
|
||||
Keep the returned .cer file with release artifacts. The private key remains in
|
||||
Google Cloud KMS and is never exported as a p12.
|
||||
EOF
|
||||
|
||||
- name: Upload CSR Artifact
|
||||
uses: https://code.forgejo.org/actions/upload-artifact@v4
|
||||
with:
|
||||
name: burrow-developer-id-kms-csr
|
||||
path: dist/apple-developer-id
|
||||
Loading…
Add table
Add a link
Reference in a new issue