[CI] Perform the classic sign-notarize of each pkg in parallel. (#14932)
Co-authored-by: Rolf Bjarne Kvinge <rolf@xamarin.com> Co-authored-by: TJ Lambert <50846373+tj-devel709@users.noreply.github.com>
Родитель
bd4fee0cdc
Коммит
fb77743c21
|
@ -49,11 +49,10 @@ steps:
|
|||
|
||||
- template: publish-nugets.yml
|
||||
|
||||
# upload each of the pkgs into the pipeline artifacts
|
||||
# always upload no matter what, since if we are not signing we need the artifact in the pipeline
|
||||
- task: PublishPipelineArtifact@1
|
||||
displayName: 'Publish Notarized Dotnet Artifacts'
|
||||
inputs:
|
||||
targetPath: $(Build.SourcesDirectory)/package
|
||||
artifactName: dotnet-signed
|
||||
continueOnError: true
|
||||
condition: ${{ parameters.condition }}
|
||||
|
|
|
@ -1,4 +1,8 @@
|
|||
# funnel job that will download all the signed artifacts and puts them in the final location
|
||||
parameters:
|
||||
- name: packages
|
||||
type: object
|
||||
|
||||
steps:
|
||||
|
||||
# DO NOT USE THE checkout.yml template. The reason is that the template changes the hash which results in a problem with the artifacts scripts
|
||||
|
@ -17,19 +21,33 @@ steps:
|
|||
- checkout: release-scripts
|
||||
clean: true
|
||||
|
||||
- bash: |
|
||||
mkdir -p $(Build.SourcesDirectory)/package/notarized
|
||||
displayName: 'Create target directories.'
|
||||
|
||||
- task: DownloadPipelineArtifact@2
|
||||
displayName: Download not notarized build
|
||||
displayName: Download notarized build dotnet
|
||||
inputs:
|
||||
artifact: 'dotnet-signed'
|
||||
allowFailedBuilds: true
|
||||
path: $(Build.SourcesDirectory)/package
|
||||
|
||||
- task: DownloadPipelineArtifact@2
|
||||
displayName: Download not notarized build
|
||||
inputs:
|
||||
artifact: 'classic-signed'
|
||||
allowFailedBuilds: true
|
||||
path: $(Build.SourcesDirectory)/package
|
||||
- ${{ each pkg in parameters.packages }}:
|
||||
- task: DownloadPipelineArtifact@2
|
||||
displayName: Download notarized build ${{ pkg.name }}
|
||||
inputs:
|
||||
artifact: 'classic-${{ pkg.name }}-signed'
|
||||
allowFailedBuilds: true
|
||||
path: '$(Build.ArtifactStagingDirectory)/classic-${{ pkg.name }}-signed'
|
||||
|
||||
- bash: |
|
||||
set -x
|
||||
set -e
|
||||
|
||||
FULL_PATH="$(Build.ArtifactStagingDirectory)/classic-${{ pkg.name }}-signed"
|
||||
ls -lR $FULL_PATH
|
||||
cp -a "$FULL_PATH/." "$(Build.SourcesDirectory)/package"
|
||||
displayName: 'Move pkg ${{ pkg.name }} to its final destination'
|
||||
|
||||
- template: generate-workspace-info.yml@templates
|
||||
parameters:
|
||||
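Review bot: The per-package loop copies whatever `classic-${{ pkg.name }}-signed` contains into the final `package` directory without checking that each pkg is actually signed. The download sets `allowFailedBuilds: true`, and the publish step shown elsewhere on this page uploads that artifact with `continueOnError: true`, so the `-signed` name alone is not evidence of a signature. The funnel is the last step before the packages reach their final location, so a verification pass before the `cp -a` would make an unsigned pkg fail here rather than downstream. One option is `pkgutil --check-signature "$f"` over each `*.pkg`, assuming this job runs on a macOS agent, which the visible lines do not show. Separately, `ls -lR $FULL_PATH` should be quoted as `ls -lR "$FULL_PATH"`, matching the `cp -a` line below it.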
|
|
|
@ -11,6 +11,41 @@ parameters:
|
|||
type: boolean
|
||||
default: false # only to be used when testing the CI and we do not need a signed pkg
|
||||
|
||||
- name: packages
|
||||
type: object
|
||||
default: [
|
||||
{
|
||||
job: 'xamarin_ios_sign_notarize',
|
||||
name: 'Xamarin.iOS',
|
||||
pattern: 'xamarin.ios-*',
|
||||
},
|
||||
{
|
||||
job: 'xamarin_mac_sing_notarie',
|
||||
name: 'Xamarin.Mac',
|
||||
pattern: 'xamarin.mac-*',
|
||||
},
|
||||
{
|
||||
job: 'microsoft_ios_sign_notarize',
|
||||
name: 'Microsoft.iOS',
|
||||
pattern: 'Microsoft.iOS.Bundle*.pkg',
|
||||
},
|
||||
{
|
||||
job: 'microsoft_tvos_sign_notarize',
|
||||
name: 'Microsoft.tvOS',
|
||||
pattern: 'Microsoft.tvOS.Bundle*.pkg',
|
||||
},
|
||||
{
|
||||
job: 'microsoft_mac_sign_notarize',
|
||||
name: 'Microsoft.macOS',
|
||||
pattern: 'Microsoft.macOS.Bundle*.pkg',
|
||||
},
|
||||
{
|
||||
job: 'microsoft_maccatalyst_sign_notarize',
|
||||
name: 'Microsoft.MacCatalyst',
|
||||
pattern: 'Microsoft.MacCatalyst.Bundle*.pkg',
|
||||
},
|
||||
]
|
||||
|
||||
jobs:
|
||||
- job: configure
|
||||
displayName: 'Configure build'
|
||||
|
@ -24,21 +59,24 @@ jobs:
|
|||
steps:
|
||||
- template: ../common/configure.yml
|
||||
|
||||
- job: sign_notarize_classic
|
||||
dependsOn:
|
||||
- configure
|
||||
displayName: 'Sign & Notarize Classic'
|
||||
timeoutInMinutes: 1000
|
||||
pool:
|
||||
vmImage: internal-macos-11
|
||||
workspace:
|
||||
clean: all
|
||||
- ${{ each pkg in parameters.packages }}:
|
||||
- job: ${{ pkg.job }}
|
||||
dependsOn:
|
||||
- configure
|
||||
displayName: 'Sign & Notarize ${{ pkg.name }}'
|
||||
timeoutInMinutes: 1000
|
||||
pool:
|
||||
vmImage: internal-macos-11
|
||||
workspace:
|
||||
clean: all
|
||||
|
||||
steps:
|
||||
- template: sign-and-notarized.yml
|
||||
parameters:
|
||||
keyringPass: ${{ parameters.keyringPass }}
|
||||
skipESRP: ${{ parameters.skipESRP }}
|
||||
steps:
|
||||
- template: sign-and-notarized.yml
|
||||
parameters:
|
||||
keyringPass: ${{ parameters.keyringPass }}
|
||||
skipESRP: ${{ parameters.skipESRP }}
|
||||
packageName: ${{ pkg.name }}
|
||||
packagePattern: ${{ pkg.pattern }}
|
||||
|
||||
- ${{ if eq(parameters.enableDotnet, true) }}:
|
||||
- job: sign_notarize_dotnet
|
||||
|
@ -56,9 +94,10 @@ jobs:
|
|||
|
||||
- job: funnel_job
|
||||
dependsOn:
|
||||
- sign_notarize_classic
|
||||
- ${{ if eq(parameters.enableDotnet, true) }}:
|
||||
- sign_notarize_dotnet
|
||||
- sign_notarize_dotnet
|
||||
- ${{ each pkg in parameters.packages }}:
|
||||
- ${{ pkg.job }}
|
||||
displayName: 'Collect signed artifacts'
|
||||
timeoutInMinutes: 1000
|
||||
pool:
|
||||
|
@ -68,6 +107,8 @@ jobs:
|
|||
|
||||
steps:
|
||||
- template: funnel.yml
|
||||
parameters:
|
||||
packages: ${{ parameters.packages }}
|
||||
|
||||
|
||||
# This job uploads the pkgs generated by the build step in the azure blob storage. This has to be done in a different job
|
||||
|
@ -100,6 +141,7 @@ jobs:
|
|||
displayName: 'Publish GitHub Comment - Artifacts'
|
||||
timeoutInMinutes: 1000
|
||||
dependsOn:
|
||||
- configure
|
||||
- upload_azure_blob
|
||||
condition: succeededOrFailed()
|
||||
variables:
|
||||
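Review bot: The `packages` default list has no entry for `Microsoft.watchOS.Bundle*.pkg`, although the per-package lookup shown in the signing template section of this page searched for that pattern alongside the other six. If that bundle is still produced it would no longer be signed or collected, so either add the entry or put a comment above the list saying the omission is intentional. The second entry's job id is also misspelled, `job: 'xamarin_mac_sing_notarie'`. It still resolves because `dependsOn` reads the same `pkg.job`, but `job: 'xamarin_mac_sign_notarize'` would match the other entries and is the name people will search for in pipeline logs.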
|
|
|
@ -12,6 +12,12 @@ parameters:
|
|||
- name: keyringPass
|
||||
type: string
|
||||
|
||||
- name: packageName
|
||||
type: string
|
||||
|
||||
- name: packagePattern
|
||||
type: string
|
||||
|
||||
- name: condition
|
||||
default: and(succeeded(), eq(variables['IsPRBuild'], 'False'))
|
||||
|
||||
|
@ -23,7 +29,7 @@ steps:
|
|||
displayName: Download not notarized build
|
||||
inputs:
|
||||
artifact: 'not-signed-package'
|
||||
patterns: '*.pkg'
|
||||
patterns: ${{ parameters.packagePattern }}
|
||||
allowFailedBuilds: true
|
||||
path: $(Build.SourcesDirectory)/package
|
||||
|
||||
|
@ -31,68 +37,15 @@ steps:
|
|||
set -x
|
||||
set -e
|
||||
|
||||
# output vars for other steps to use and not need to recomputed the paths
|
||||
IOS_PKG=$(find $(Build.SourcesDirectory)/package -type f -name "xamarin.ios-*" | xargs basename)
|
||||
if [ -z "$IOS_PKG" ]; then
|
||||
echo "Xamarin.iOS package not found."
|
||||
PACKAGES=$(find $(Build.SourcesDirectory)/package -type f -name "${{ parameters.packagePattern }}" | xargs basename)
|
||||
if [ -z "$PACKAGES" ]; then
|
||||
echo "Packages ${{ parameters.packageName }} not found."
|
||||
else
|
||||
IOS_PKG="$(Build.SourcesDirectory)/package/$IOS_PKG"
|
||||
echo "##vso[task.setvariable variable=IOS_PKG;]$IOS_PKG"
|
||||
echo "Xamarin.iOS package found at $IOS_PKG"
|
||||
fi
|
||||
|
||||
MAC_PKG=$(find $(Build.SourcesDirectory)/package -type f -name "xamarin.mac-*" | xargs basename)
|
||||
if [ -z "$MAC_PKG" ]; then
|
||||
echo "Xamarin.Mac package not found."
|
||||
else
|
||||
MAC_PKG="$(Build.SourcesDirectory)/package/$MAC_PKG"
|
||||
echo "##vso[task.setvariable variable=MAC_PKG;]$MAC_PKG"
|
||||
echo "Xamarin.Mac package found at $MAC_PKG"
|
||||
fi
|
||||
|
||||
IOS_DOTNET_PKG=$(find $(Build.SourcesDirectory)/package -type f -name "Microsoft.iOS.Bundle*.pkg" | xargs basename)
|
||||
if [ -z "$IOS_DOTNET_PKG" ]; then
|
||||
echo "Microsoft.iOS bundle not found."
|
||||
else
|
||||
IOS_DOTNET_PKG="$(Build.SourcesDirectory)/package/$IOS_DOTNET_PKG"
|
||||
echo "##vso[task.setvariable variable=IOS_DOTNET_PKG;]$IOS_DOTNET_PKG"
|
||||
echo "Microsoft.iOS bundle found at $IOS_DOTNET_PKG"
|
||||
fi
|
||||
|
||||
TVOS_DOTNET_PKG=$(find $(Build.SourcesDirectory)/package -type f -name "Microsoft.tvOS.Bundle*.pkg" | xargs basename)
|
||||
if [ -z "$TVOS_DOTNET_PKG" ]; then
|
||||
echo "Microsoft.tvOS bundle not found."
|
||||
else
|
||||
TVOS_DOTNET_PKG="$(Build.SourcesDirectory)/package/$TVOS_DOTNET_PKG"
|
||||
echo "##vso[task.setvariable variable=TVOS_DOTNET_PKG;]$TVOS_DOTNET_PKG"
|
||||
echo "Microsoft.tvOS package found at $TVOS_DOTNET_PKG"
|
||||
fi
|
||||
|
||||
WATCHOS_DOTNET_PKG=$(find $(Build.SourcesDirectory)/package -type f -name "Microsoft.watchOS.Bundle*.pkg" | xargs basename)
|
||||
if [ -z "$WATCHOS_DOTNET_PKG" ]; then
|
||||
echo "Microsoft.watchOS bundle not found."
|
||||
else
|
||||
WATCHOS_DOTNET_PKG="$(Build.SourcesDirectory)/package/$WATCHOS_DOTNET_PKG"
|
||||
echo "##vso[task.setvariable variable=WATCHOS_DOTNET_PKG;]$WATCHOS_DOTNET_PKG"
|
||||
echo "Microsoft.watchOS package found at $WATCHOS_DOTNET_PKG"
|
||||
fi
|
||||
|
||||
MACOS_DOTNET_PKG=$(find $(Build.SourcesDirectory)/package -type f -name "Microsoft.macOS.Bundle*.pkg" | xargs basename)
|
||||
if [ -z "$MACOS_DOTNET_PKG" ]; then
|
||||
echo "Microsoft.macOS bundle not found."
|
||||
else
|
||||
MACOS_DOTNET_PKG="$(Build.SourcesDirectory)/package/$MACOS_DOTNET_PKG"
|
||||
echo "##vso[task.setvariable variable=MACOS_DOTNET_PKG;]$MACOS_DOTNET_PKG"
|
||||
echo "Microsoft.macOS package found at $MACOS_DOTNET_PKG"
|
||||
fi
|
||||
|
||||
MACCATALYST_DOTNET_PKG=$(find $(Build.SourcesDirectory)/package -type f -name "Microsoft.MacCatalyst.Bundle*.pkg" | xargs basename)
|
||||
if [ -z "$MACCATALYST_DOTNET_PKG" ]; then
|
||||
echo "Microsoft.MacCatalyst bundle not found."
|
||||
else
|
||||
MACCATALYST_DOTNET_PKG="$(Build.SourcesDirectory)/package/$MACCATALYST_DOTNET_PKG"
|
||||
echo "##vso[task.setvariable variable=MACCATALYST_DOTNET_PKG;]$MACCATALYST_DOTNET_PKG"
|
||||
echo "Microsoft.MacCatalyst package found at $MACCATALYST_DOTNET_PKG"
|
||||
PACKAGES_PATH="$(Build.SourcesDirectory)/package/$PACKAGES"
|
||||
set +x
|
||||
echo "##vso[task.setvariable variable=PACKAGES;]$PACKAGES_PATH"
|
||||
echo "${{ parameters.packageName }} package found at $PACKAGES_PATH"
|
||||
set -x
|
||||
fi
|
||||
displayName: 'Retrieve packages to sign'
|
||||
condition: ${{ parameters.condition }}
|
||||
|
@ -101,9 +54,6 @@ steps:
|
|||
- ${{ if or(eq(parameters.skipESRP, true), eq(variables['IsPR'], 'True')) }}:
|
||||
- bash: |
|
||||
security unlock-keychain -p $PRODUCTSIGN_KEYCHAIN_PASSWORD builder.keychain
|
||||
PACKAGES="$IOS_PKG $MAC_PKG $IOS_DOTNET_PKG $TVOS_DOTNET_PKG $WATCHOS_DOTNET_PKG $MACOS_DOTNET_PKG $MACCATALYST_DOTNET_PKG"
|
||||
echo "Packages found at $PACKAGES"
|
||||
|
||||
echo "$PACKAGES" | xargs python $(Build.SourcesDirectory)/release-scripts/sign_and_notarize.py --no_notarization -a "$APP_ID" -i "$INSTALL_ID" -u "$APPLE_ACCOUNT" -p "$APPLE_PASS" -t "$TEAM_ID" -d $(Build.SourcesDirectory)/package/notarized -e "$MAC_ENTITLEMENTS" -k "$KEYCHAIN"
|
||||
env:
|
||||
PRODUCTSIGN_KEYCHAIN_PASSWORD: ${{ parameters.keyringPass }}
|
||||
|
@ -122,8 +72,6 @@ steps:
|
|||
- ${{ else }}:
|
||||
- bash: |
|
||||
security unlock-keychain -p $PRODUCTSIGN_KEYCHAIN_PASSWORD builder.keychain
|
||||
PACKAGES="$IOS_PKG $MAC_PKG $IOS_DOTNET_PKG $TVOS_DOTNET_PKG $WATCHOS_DOTNET_PKG $MACOS_DOTNET_PKG $MACCATALYST_DOTNET_PKG"
|
||||
echo "Packages found at $PACKAGES"
|
||||
if [[ "$SYSTEM_DEBUG" == "true" ]]; then
|
||||
export ESRP_TEMP="$WORKING_DIR/esrp"
|
||||
echo "Temp dir is $ESRP_TEMP"
|
||||
|
@ -155,7 +103,7 @@ steps:
|
|||
displayName: 'Publish Artifact: ESRP temp'
|
||||
inputs:
|
||||
targetPath: '$(Build.ArtifactStagingDirectory)/esrp.zip'
|
||||
artifactName: ESRP-tmp
|
||||
artifactName: ESRP-tmp-${{ parameters.packageName }}
|
||||
continueOnError: true
|
||||
condition: and(${{ parameters.condition }}, eq(variables['System.debug'], 'true'))
|
||||
|
||||
|
@ -165,11 +113,10 @@ steps:
|
|||
displayName: 'Notarize & verify packages (ESRP)'
|
||||
condition: ${{ parameters.condition }}
|
||||
|
||||
# upload each of the pkgs into the pipeline artifacts
|
||||
# always upload no matter what, since if we are not signing we need the artifact in the pipeline
|
||||
- task: PublishPipelineArtifact@1
|
||||
displayName: 'Publish Notarized Classic Artifacts'
|
||||
inputs:
|
||||
targetPath: $(Build.SourcesDirectory)/package
|
||||
artifactName: classic-signed
|
||||
artifactName: classic-${{ parameters.packageName }}-signed
|
||||
continueOnError: true
|
||||
condition: ${{ parameters.condition }}
|
||||
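Review bot: In the 'Retrieve packages to sign' script, `PACKAGES=$(find … -name "${{ parameters.packagePattern }}" | xargs basename)` is prefixed with the package directory only once. A pattern that matches more than one file (a glob such as `xamarin.ios-*` can) therefore yields one valid path followed by bare file names, and a multi-line value is unlikely to survive `##vso[task.setvariable …]` intact. The not-found branch only echoes and the step still succeeds, while the publish step further down uploads the directory as `classic-${{ parameters.packageName }}-signed` with `continueOnError: true`. An artifact with the `-signed` name can thus exist without anything having been signed; if a missing package is never expected in this job, end that branch with `exit 1`, otherwise set an explicit flag that the signing and publish steps test. `packageName` and `packagePattern` are also expanded into the script text before bash runs, so passing them through `env:` and reading `"$PACKAGE_PATTERN"` would keep a value containing quotes or `$(` from becoming shell syntax. The `bash:` step itself begins outside this hunk.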
|
|