Use Forgejo-compatible artifact actions
Some checks failed
Build Rust / Cargo Test (push) Successful in 4m1s
Build Site / Next.js Build (push) Failing after 4s
Lint Governance / BEP Metadata (push) Successful in 1s

This commit is contained in:
Conrad Kramer 2026-06-07 10:57:05 -07:00
parent ddbfa47587
commit ec407be894
7 changed files with 18 additions and 14 deletions

View file

@ -92,7 +92,7 @@ jobs:
EOF EOF
- name: Upload CSR Artifact - name: Upload CSR Artifact
uses: https://code.forgejo.org/actions/upload-artifact@v4 uses: https://code.forgejo.org/actions/upload-artifact@v3
with: with:
name: burrow-developer-id-kms-csr name: burrow-developer-id-kms-csr
path: dist/apple-developer-id path: dist/apple-developer-id

View file

@ -212,7 +212,7 @@ jobs:
//bazel/apple:release_ios_stamp //bazel/apple:release_ios_stamp
- name: Upload Staged iOS Artifact - name: Upload Staged iOS Artifact
uses: https://code.forgejo.org/actions/upload-artifact@v4 uses: https://code.forgejo.org/actions/upload-artifact@v3
with: with:
name: burrow-apple-ios-${{ needs.prepare.outputs.build_number }} name: burrow-apple-ios-${{ needs.prepare.outputs.build_number }}
path: | path: |
@ -313,7 +313,7 @@ jobs:
//bazel/apple:release_macos_stamp //bazel/apple:release_macos_stamp
- name: Upload Staged macOS Artifact - name: Upload Staged macOS Artifact
uses: https://code.forgejo.org/actions/upload-artifact@v4 uses: https://code.forgejo.org/actions/upload-artifact@v3
with: with:
name: burrow-apple-macos-${{ needs.prepare.outputs.build_number }} name: burrow-apple-macos-${{ needs.prepare.outputs.build_number }}
path: | path: |
@ -357,7 +357,7 @@ jobs:
run: nix develop .#ci -c Scripts/ci/google-wif-auth.sh run: nix develop .#ci -c Scripts/ci/google-wif-auth.sh
- name: Download Staged Apple Artifacts - name: Download Staged Apple Artifacts
uses: https://code.forgejo.org/actions/download-artifact@v4 uses: https://code.forgejo.org/actions/download-artifact@v3
with: with:
path: dist/downloaded path: dist/downloaded
@ -389,7 +389,7 @@ jobs:
run: nix develop .#ci -c Scripts/ci/upload-release-storage.sh run: nix develop .#ci -c Scripts/ci/upload-release-storage.sh
- name: Upload Signed Apple Artifacts - name: Upload Signed Apple Artifacts
uses: https://code.forgejo.org/actions/upload-artifact@v4 uses: https://code.forgejo.org/actions/upload-artifact@v3
with: with:
name: burrow-apple-signed-${{ needs.prepare.outputs.build_number }} name: burrow-apple-signed-${{ needs.prepare.outputs.build_number }}
path: | path: |
@ -428,7 +428,7 @@ jobs:
uses: ./.forgejo/actions/decrypt-release-secrets uses: ./.forgejo/actions/decrypt-release-secrets
- name: Download Signed Apple Artifacts - name: Download Signed Apple Artifacts
uses: https://code.forgejo.org/actions/download-artifact@v4 uses: https://code.forgejo.org/actions/download-artifact@v3
with: with:
name: burrow-apple-signed-${{ needs.prepare.outputs.build_number }} name: burrow-apple-signed-${{ needs.prepare.outputs.build_number }}
path: publish path: publish
@ -526,7 +526,7 @@ jobs:
run: nix develop .#ci -c Scripts/ci/google-wif-auth.sh run: nix develop .#ci -c Scripts/ci/google-wif-auth.sh
- name: Download Signed Apple Artifacts - name: Download Signed Apple Artifacts
uses: https://code.forgejo.org/actions/download-artifact@v4 uses: https://code.forgejo.org/actions/download-artifact@v3
with: with:
name: burrow-apple-signed-${{ needs.prepare.outputs.build_number }} name: burrow-apple-signed-${{ needs.prepare.outputs.build_number }}
path: publish path: publish

View file

@ -93,7 +93,7 @@ jobs:
EOF EOF
- name: Upload CSR Artifact - name: Upload CSR Artifact
uses: https://code.forgejo.org/actions/upload-artifact@v4 uses: https://code.forgejo.org/actions/upload-artifact@v3
with: with:
name: burrow-ios-distribution-kms-csr name: burrow-ios-distribution-kms-csr
path: dist/apple-ios-distribution path: dist/apple-ios-distribution

View file

@ -143,7 +143,7 @@ jobs:
nix develop .#ci -c Scripts/ci/package-release-artifacts.sh linux nix develop .#ci -c Scripts/ci/package-release-artifacts.sh linux
- name: Upload Linux Artifacts - name: Upload Linux Artifacts
uses: https://code.forgejo.org/actions/upload-artifact@v4 uses: https://code.forgejo.org/actions/upload-artifact@v3
with: with:
name: burrow-linux-${{ needs.prepare.outputs.build_number }} name: burrow-linux-${{ needs.prepare.outputs.build_number }}
path: dist/builds/${{ needs.prepare.outputs.build_number }}/linux/* path: dist/builds/${{ needs.prepare.outputs.build_number }}/linux/*
@ -188,7 +188,7 @@ jobs:
Get-FileHash "dist/builds/$env:BUILD_NUMBER/windows/burrow-$env:BUILD_NUMBER-x86_64-pc-windows-msvc.zip" -Algorithm SHA256 | ForEach-Object { "$($_.Hash.ToLower()) burrow-$env:BUILD_NUMBER-x86_64-pc-windows-msvc.zip" } | Set-Content "dist/builds/$env:BUILD_NUMBER/windows/burrow-$env:BUILD_NUMBER-x86_64-pc-windows-msvc.zip.sha256" Get-FileHash "dist/builds/$env:BUILD_NUMBER/windows/burrow-$env:BUILD_NUMBER-x86_64-pc-windows-msvc.zip" -Algorithm SHA256 | ForEach-Object { "$($_.Hash.ToLower()) burrow-$env:BUILD_NUMBER-x86_64-pc-windows-msvc.zip" } | Set-Content "dist/builds/$env:BUILD_NUMBER/windows/burrow-$env:BUILD_NUMBER-x86_64-pc-windows-msvc.zip.sha256"
- name: Upload Windows Artifacts - name: Upload Windows Artifacts
uses: https://code.forgejo.org/actions/upload-artifact@v4 uses: https://code.forgejo.org/actions/upload-artifact@v3
with: with:
name: burrow-windows-${{ needs.prepare.outputs.build_number }} name: burrow-windows-${{ needs.prepare.outputs.build_number }}
path: dist/builds/${{ needs.prepare.outputs.build_number }}/windows/* path: dist/builds/${{ needs.prepare.outputs.build_number }}/windows/*
@ -368,7 +368,7 @@ jobs:
"${{ matrix.bazel_target }}" "${{ matrix.bazel_target }}"
- name: Upload Apple Artifacts - name: Upload Apple Artifacts
uses: https://code.forgejo.org/actions/upload-artifact@v4 uses: https://code.forgejo.org/actions/upload-artifact@v3
with: with:
name: burrow-apple-${{ matrix.platform }}-${{ needs.prepare.outputs.build_number }} name: burrow-apple-${{ matrix.platform }}-${{ needs.prepare.outputs.build_number }}
path: | path: |
@ -402,7 +402,7 @@ jobs:
fetch-depth: 0 fetch-depth: 0
- name: Download Artifacts - name: Download Artifacts
uses: https://code.forgejo.org/actions/download-artifact@v4 uses: https://code.forgejo.org/actions/download-artifact@v3
with: with:
path: dist/downloaded path: dist/downloaded

View file

@ -133,7 +133,7 @@ jobs:
nix develop .#ci -c Scripts/package/build-repositories.sh all nix develop .#ci -c Scripts/package/build-repositories.sh all
- name: Upload Repository Artifact - name: Upload Repository Artifact
uses: https://code.forgejo.org/actions/upload-artifact@v4 uses: https://code.forgejo.org/actions/upload-artifact@v3
with: with:
name: burrow-package-repositories-${{ github.event.inputs.channel || 'stable' }}-${{ github.event.inputs.build_number || github.sha }} name: burrow-package-repositories-${{ github.event.inputs.channel || 'stable' }}-${{ github.event.inputs.build_number || github.sha }}
path: dist/builds/${{ github.event.inputs.build_number || github.sha }}/repositories/** path: dist/builds/${{ github.event.inputs.build_number || github.sha }}/repositories/**

View file

@ -57,7 +57,7 @@ jobs:
find dist -maxdepth 1 -type f -print | sort find dist -maxdepth 1 -type f -print | sort
- name: Upload release artifacts - name: Upload release artifacts
uses: https://code.forgejo.org/actions/upload-artifact@v4 uses: https://code.forgejo.org/actions/upload-artifact@v3
with: with:
name: burrow-release-${{ github.ref_name }} name: burrow-release-${{ github.ref_name }}
path: dist/* path: dist/*

View file

@ -71,6 +71,10 @@ The same change also makes the forge itself the release authority: release tags
- Bazel Apple genrules must explicitly pass the Nix CI shell tool path and - Bazel Apple genrules must explicitly pass the Nix CI shell tool path and
`PROTOC` into the action environment. Xcode build phases run with a reduced `PROTOC` into the action environment. Xcode build phases run with a reduced
path, and the Rust Network Extension build depends on `protoc`. path, and the Rust Network Extension build depends on `protoc`.
- Forgejo release workflows must use the artifact action generation supported
by the deployed forge. The v4 artifact actions assume GitHub's newer artifact
service and fail on this Forgejo install before downstream signing/upload
jobs can consume the staged Apple artifacts.
- Produce unsigned Apple validation artifacts when signing is absent, but require signing for an App Store requested iOS release and for a Sparkle tester release. Uploadable artifacts are produced only after provisioning profiles can be synced from App Store Connect credentials and the relevant Apple certificate is proven to match the selected Google KMS key. - Produce unsigned Apple validation artifacts when signing is absent, but require signing for an App Store requested iOS release and for a Sparkle tester release. Uploadable artifacts are produced only after provisioning profiles can be synced from App Store Connect credentials and the relevant Apple certificate is proven to match the selected Google KMS key.
- Resolve release credentials through age/agenix before signed Apple lanes run. Forgejo secrets should carry only the runner age identity fallback and the Authentik WIF client secret until OpenBao can mint the runner token directly. App Store Connect keys and signing certificates live as sealed files under `secrets/`. - Resolve release credentials through age/agenix before signed Apple lanes run. Forgejo secrets should carry only the runner age identity fallback and the Authentik WIF client secret until OpenBao can mint the runner token directly. App Store Connect keys and signing certificates live as sealed files under `secrets/`.
- Persist the forge runner SSH key as `/var/lib/forgejo-runner-agent/age_keystore` and export `BURROW_RUNNER_AGE_IDENTITY_PATH` so jobs can resolve agenix identities without embedding long-lived material in every workflow. - Persist the forge runner SSH key as `/var/lib/forgejo-runner-agent/age_keystore` and export `BURROW_RUNNER_AGE_IDENTITY_PATH` so jobs can resolve agenix identities without embedding long-lived material in every workflow.