diff --git a/.forgejo/workflows/apple-developer-id-kms-csr.yml b/.forgejo/workflows/apple-developer-id-kms-csr.yml index 50f4cbb..4c8901b 100644 --- a/.forgejo/workflows/apple-developer-id-kms-csr.yml +++ b/.forgejo/workflows/apple-developer-id-kms-csr.yml @@ -92,7 +92,7 @@ jobs: EOF - name: Upload CSR Artifact - uses: https://code.forgejo.org/actions/upload-artifact@v4 + uses: https://code.forgejo.org/actions/upload-artifact@v3 with: name: burrow-developer-id-kms-csr path: dist/apple-developer-id diff --git a/.forgejo/workflows/apple-distribute-testers.yml b/.forgejo/workflows/apple-distribute-testers.yml index 3cc3121..2c5ec64 100644 --- a/.forgejo/workflows/apple-distribute-testers.yml +++ b/.forgejo/workflows/apple-distribute-testers.yml @@ -212,7 +212,7 @@ jobs: //bazel/apple:release_ios_stamp - name: Upload Staged iOS Artifact - uses: https://code.forgejo.org/actions/upload-artifact@v4 + uses: https://code.forgejo.org/actions/upload-artifact@v3 with: name: burrow-apple-ios-${{ needs.prepare.outputs.build_number }} path: | @@ -313,7 +313,7 @@ jobs: //bazel/apple:release_macos_stamp - name: Upload Staged macOS Artifact - uses: https://code.forgejo.org/actions/upload-artifact@v4 + uses: https://code.forgejo.org/actions/upload-artifact@v3 with: name: burrow-apple-macos-${{ needs.prepare.outputs.build_number }} path: | @@ -357,7 +357,7 @@ jobs: run: nix develop .#ci -c Scripts/ci/google-wif-auth.sh - name: Download Staged Apple Artifacts - uses: https://code.forgejo.org/actions/download-artifact@v4 + uses: https://code.forgejo.org/actions/download-artifact@v3 with: path: dist/downloaded @@ -389,7 +389,7 @@ jobs: run: nix develop .#ci -c Scripts/ci/upload-release-storage.sh - name: Upload Signed Apple Artifacts - uses: https://code.forgejo.org/actions/upload-artifact@v4 + uses: https://code.forgejo.org/actions/upload-artifact@v3 with: name: burrow-apple-signed-${{ needs.prepare.outputs.build_number }} path: | @@ -428,7 +428,7 @@ jobs: uses: ./.forgejo/actions/decrypt-release-secrets - name: Download Signed Apple Artifacts - uses: https://code.forgejo.org/actions/download-artifact@v4 + uses: https://code.forgejo.org/actions/download-artifact@v3 with: name: burrow-apple-signed-${{ needs.prepare.outputs.build_number }} path: publish @@ -526,7 +526,7 @@ jobs: run: nix develop .#ci -c Scripts/ci/google-wif-auth.sh - name: Download Signed Apple Artifacts - uses: https://code.forgejo.org/actions/download-artifact@v4 + uses: https://code.forgejo.org/actions/download-artifact@v3 with: name: burrow-apple-signed-${{ needs.prepare.outputs.build_number }} path: publish diff --git a/.forgejo/workflows/apple-ios-distribution-kms-csr.yml b/.forgejo/workflows/apple-ios-distribution-kms-csr.yml index e3fd2ac..d9cb614 100644 --- a/.forgejo/workflows/apple-ios-distribution-kms-csr.yml +++ b/.forgejo/workflows/apple-ios-distribution-kms-csr.yml @@ -93,7 +93,7 @@ jobs: EOF - name: Upload CSR Artifact - uses: https://code.forgejo.org/actions/upload-artifact@v4 + uses: https://code.forgejo.org/actions/upload-artifact@v3 with: name: burrow-ios-distribution-kms-csr path: dist/apple-ios-distribution diff --git a/.forgejo/workflows/build-release.yml b/.forgejo/workflows/build-release.yml index fbfb016..08f5b26 100644 --- a/.forgejo/workflows/build-release.yml +++ b/.forgejo/workflows/build-release.yml @@ -143,7 +143,7 @@ jobs: nix develop .#ci -c Scripts/ci/package-release-artifacts.sh linux - name: Upload Linux Artifacts - uses: https://code.forgejo.org/actions/upload-artifact@v4 + uses: https://code.forgejo.org/actions/upload-artifact@v3 with: name: burrow-linux-${{ needs.prepare.outputs.build_number }} path: dist/builds/${{ needs.prepare.outputs.build_number }}/linux/* @@ -188,7 +188,7 @@ jobs: Get-FileHash "dist/builds/$env:BUILD_NUMBER/windows/burrow-$env:BUILD_NUMBER-x86_64-pc-windows-msvc.zip" -Algorithm SHA256 | ForEach-Object { "$($_.Hash.ToLower()) burrow-$env:BUILD_NUMBER-x86_64-pc-windows-msvc.zip" } | Set-Content "dist/builds/$env:BUILD_NUMBER/windows/burrow-$env:BUILD_NUMBER-x86_64-pc-windows-msvc.zip.sha256" - name: Upload Windows Artifacts - uses: https://code.forgejo.org/actions/upload-artifact@v4 + uses: https://code.forgejo.org/actions/upload-artifact@v3 with: name: burrow-windows-${{ needs.prepare.outputs.build_number }} path: dist/builds/${{ needs.prepare.outputs.build_number }}/windows/* @@ -368,7 +368,7 @@ jobs: "${{ matrix.bazel_target }}" - name: Upload Apple Artifacts - uses: https://code.forgejo.org/actions/upload-artifact@v4 + uses: https://code.forgejo.org/actions/upload-artifact@v3 with: name: burrow-apple-${{ matrix.platform }}-${{ needs.prepare.outputs.build_number }} path: | @@ -402,7 +402,7 @@ jobs: fetch-depth: 0 - name: Download Artifacts - uses: https://code.forgejo.org/actions/download-artifact@v4 + uses: https://code.forgejo.org/actions/download-artifact@v3 with: path: dist/downloaded diff --git a/.forgejo/workflows/publish-package-repositories.yml b/.forgejo/workflows/publish-package-repositories.yml index 5ab8026..315e43b 100644 --- a/.forgejo/workflows/publish-package-repositories.yml +++ b/.forgejo/workflows/publish-package-repositories.yml @@ -133,7 +133,7 @@ jobs: nix develop .#ci -c Scripts/package/build-repositories.sh all - name: Upload Repository Artifact - uses: https://code.forgejo.org/actions/upload-artifact@v4 + uses: https://code.forgejo.org/actions/upload-artifact@v3 with: name: burrow-package-repositories-${{ github.event.inputs.channel || 'stable' }}-${{ github.event.inputs.build_number || github.sha }} path: dist/builds/${{ github.event.inputs.build_number || github.sha }}/repositories/** diff --git a/.forgejo/workflows/release.yml b/.forgejo/workflows/release.yml index f2b24bf..cf05fd3 100644 --- a/.forgejo/workflows/release.yml +++ b/.forgejo/workflows/release.yml @@ -57,7 +57,7 @@ jobs: find dist -maxdepth 1 -type f -print | sort - name: Upload release artifacts - uses: https://code.forgejo.org/actions/upload-artifact@v4 + uses: https://code.forgejo.org/actions/upload-artifact@v3 with: name: burrow-release-${{ github.ref_name }} path: dist/* diff --git a/evolution/proposals/BEP-0009-release-infrastructure-and-store-upload-pipeline.md b/evolution/proposals/BEP-0009-release-infrastructure-and-store-upload-pipeline.md index b496045..a5d4831 100644 --- a/evolution/proposals/BEP-0009-release-infrastructure-and-store-upload-pipeline.md +++ b/evolution/proposals/BEP-0009-release-infrastructure-and-store-upload-pipeline.md @@ -71,6 +71,10 @@ The same change also makes the forge itself the release authority: release tags - Bazel Apple genrules must explicitly pass the Nix CI shell tool path and `PROTOC` into the action environment. Xcode build phases run with a reduced path, and the Rust Network Extension build depends on `protoc`. +- Forgejo release workflows must use the artifact action generation supported + by the deployed forge. The v4 artifact actions assume GitHub's newer artifact + service and fail on this Forgejo install before downstream signing/upload + jobs can consume the staged Apple artifacts. - Produce unsigned Apple validation artifacts when signing is absent, but require signing for an App Store requested iOS release and for a Sparkle tester release. Uploadable artifacts are produced only after provisioning profiles can be synced from App Store Connect credentials and the relevant Apple certificate is proven to match the selected Google KMS key. - Resolve release credentials through age/agenix before signed Apple lanes run. Forgejo secrets should carry only the runner age identity fallback and the Authentik WIF client secret until OpenBao can mint the runner token directly. App Store Connect keys and signing certificates live as sealed files under `secrets/`. - Persist the forge runner SSH key as `/var/lib/forgejo-runner-agent/age_keystore` and export `BURROW_RUNNER_AGE_IDENTITY_PATH` so jobs can resolve agenix identities without embedding long-lived material in every workflow.