mirror of
https://github.com/GAM-team/GAM.git
synced 2026-06-28 09:51:36 +00:00
6af38e24af
Some checks failed
Build and test GAM / build (Win64, build, 10, VC-WIN64A, windows-2022) (push) Has been cancelled
Build and test GAM / build (aarch64, build, 3, linux-aarch64, ubuntu-24.04-arm) (push) Has been cancelled
Build and test GAM / build (aarch64, build, 4, linux-aarch64, ubuntu-22.04-arm) (push) Has been cancelled
Build and test GAM / build (aarch64, build, 6, linux-aarch64, ubuntu-22.04-arm, yes) (push) Has been cancelled
Build and test GAM / build (aarch64, build, 8, darwin64-arm64, macos-14) (push) Has been cancelled
Build and test GAM / build (aarch64, build, 9, darwin64-arm64, macos-15) (push) Has been cancelled
Build and test GAM / build (x86_64, build, 1, linux-x86_64, ubuntu-22.04) (push) Has been cancelled
Build and test GAM / build (x86_64, build, 2, linux-x86_64, ubuntu-24.04) (push) Has been cancelled
Build and test GAM / build (x86_64, build, 5, linux-x86_64, ubuntu-22.04, yes) (push) Has been cancelled
Build and test GAM / build (x86_64, build, 7, darwin64-x86_64, macos-13) (push) Has been cancelled
Build and test GAM / build (x86_64, test, 11, ubuntu-24.04, 3.10) (push) Has been cancelled
Build and test GAM / build (x86_64, test, 12, ubuntu-24.04, 3.11) (push) Has been cancelled
Build and test GAM / build (x86_64, test, 13, ubuntu-24.04, 3.12) (push) Has been cancelled
CodeQL / Analyze (python) (push) Has been cancelled
Check for Google Root CA Updates / check-apis (push) Has been cancelled
Build and test GAM / merge (push) Has been cancelled
Build and test GAM / publish (push) Has been cancelled
We currently only have 13 JID accounts available for testing but after Linux arm64 changes needed 14 runners. I'm disabling Python 3.9 tests for now since it's the oldest and due for deprecation in October. If there's any concerns we can re-enable and disable something else or else Jay can rebuild the auth files to add a 14th JID Google account and credentials (not hard but cumbersome and time consuming).
1062 lines
51 KiB
YAML
1062 lines
51 KiB
YAML
name: Build and test GAM
|
|
|
|
on:
|
|
push:
|
|
pull_request:
|
|
schedule:
|
|
- cron: '37 22 * * *'
|
|
|
|
permissions:
|
|
contents: read
|
|
id-token: write
|
|
attestations: write
|
|
|
|
defaults:
|
|
run:
|
|
shell: bash
|
|
working-directory: src
|
|
|
|
env:
|
|
SCRATCH_COUNTER: 6
|
|
OPENSSL_CONFIG_OPTS: no-fips --api=3.0.0
|
|
OPENSSL_INSTALL_PATH: ${{ github.workspace }}/bin/ssl
|
|
OPENSSL_SOURCE_PATH: ${{ github.workspace }}/src/openssl
|
|
PYTHON_INSTALL_PATH: ${{ github.workspace }}/bin/python
|
|
PYTHON_SOURCE_PATH: ${{ github.workspace }}/src/cpython
|
|
|
|
jobs:
|
|
build:
|
|
runs-on: ${{ matrix.os }}
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
include:
|
|
- os: ubuntu-22.04
|
|
jid: 1
|
|
goal: build
|
|
arch: x86_64
|
|
openssl_archs: linux-x86_64
|
|
- os: ubuntu-24.04
|
|
jid: 2
|
|
goal: build
|
|
arch: x86_64
|
|
openssl_archs: linux-x86_64
|
|
- os: ubuntu-24.04-arm
|
|
jid: 3
|
|
goal: build
|
|
arch: aarch64
|
|
openssl_archs: linux-aarch64
|
|
- os: ubuntu-22.04-arm
|
|
jid: 4
|
|
goal: build
|
|
arch: aarch64
|
|
openssl_archs: linux-aarch64
|
|
- os: ubuntu-22.04
|
|
jid: 5
|
|
goal: build
|
|
arch: x86_64
|
|
openssl_archs: linux-x86_64
|
|
staticx: yes
|
|
- os: ubuntu-22.04-arm
|
|
jid: 6
|
|
goal: build
|
|
arch: aarch64
|
|
openssl_archs: linux-aarch64
|
|
staticx: yes
|
|
- os: macos-13
|
|
jid: 7
|
|
goal: build
|
|
arch: x86_64
|
|
openssl_archs: darwin64-x86_64
|
|
- os: macos-14
|
|
jid: 8
|
|
goal: build
|
|
arch: aarch64
|
|
openssl_archs: darwin64-arm64
|
|
- os: macos-15
|
|
jid: 9
|
|
goal: build
|
|
arch: aarch64
|
|
openssl_archs: darwin64-arm64
|
|
- os: windows-2022
|
|
jid: 10
|
|
goal: build
|
|
arch: Win64
|
|
openssl_archs: VC-WIN64A
|
|
# disable 3.9 test for now since it's oldest and due
|
|
# for removal in Oct 2025. We only have 13 jid accounts
|
|
# so we need this one off but can re-enable at some point
|
|
# if we feel the need.
|
|
#- os: ubuntu-24.04
|
|
# goal: test
|
|
# python: "3.9"
|
|
# jid: 11
|
|
# arch: x86_64
|
|
- os: ubuntu-24.04
|
|
goal: test
|
|
python: "3.10"
|
|
jid: 11
|
|
arch: x86_64
|
|
- os: ubuntu-24.04
|
|
goal: test
|
|
python: "3.11"
|
|
jid: 12
|
|
arch: x86_64
|
|
- os: ubuntu-24.04
|
|
goal: test
|
|
python: "3.12"
|
|
jid: 13
|
|
arch: x86_64
|
|
|
|
steps:
|
|
|
|
- uses: actions/checkout@v4
|
|
with:
|
|
persist-credentials: false
|
|
fetch-depth: 0
|
|
|
|
- id: auth
|
|
name: Authenticate to Google Cloud
|
|
uses: google-github-actions/auth@v2
|
|
with:
|
|
workload_identity_provider: projects/297925809119/locations/global/workloadIdentityPools/gha-pool/providers/gha-provider
|
|
service_account: github-actions-testing-for-gam@gam-project-wyo-lub-ivl.iam.gserviceaccount.com
|
|
|
|
- name: Cache multiple paths
|
|
if: matrix.goal == 'build'
|
|
uses: actions/cache@v4
|
|
id: cache-python-ssl
|
|
with:
|
|
path: |
|
|
cache.tar.xz
|
|
key: gam-${{ matrix.jid }}-20250116
|
|
|
|
- name: Untar Cache archive
|
|
if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit == 'true'
|
|
working-directory: ${{ github.workspace }}
|
|
run: |
|
|
tar xvvf cache.tar.xz
|
|
|
|
- name: Use pre-compiled Python for testing
|
|
if: matrix.python != ''
|
|
uses: actions/setup-python@v5
|
|
with:
|
|
python-version: ${{ matrix.python }}
|
|
allow-prereleases: true
|
|
|
|
- name: common variables for all runs
|
|
env:
|
|
arch: ${{ matrix.arch }}
|
|
JID: ${{ matrix.jid }}
|
|
ACTIONS_CACHE: ${{ steps.cache-python-ssl.outputs.cache-hit }}
|
|
ACTIONS_GOAL: ${{ matrix.goal }}
|
|
run: |
|
|
echo "arch=${arch}" >> $GITHUB_ENV
|
|
echo "JID=${JID}" >> $GITHUB_ENV
|
|
echo "ACTIONS_CACHE=${ACTIONS_CACHE}" >> $GITHUB_ENV
|
|
echo "ACTIONS_GOAL=${ACTIONS_GOAL}" >> $GITHUB_ENV
|
|
curl_version=$(curl --version | head -n 1 | awk '{ print $2 }')
|
|
echo "cURL is ${curl_version}"
|
|
if [ "$curl_version" == "7.68.0" ]; then
|
|
export curl_retry="--retry 5 --retry-connrefused"
|
|
else
|
|
export curl_retry="--retry 5 --retry-all-errors"
|
|
fi
|
|
echo "curl_retry=${curl_retry}" >> $GITHUB_ENV
|
|
# GAMCFGDIR should be recreated on every run
|
|
GAMCFGDIR="${RUNNER_TEMP}/.gam"
|
|
if [ "$arch" == "Win64" ]; then
|
|
GAMCFGDIR=$(cygpath -u "$GAMCFGDIR")
|
|
fi
|
|
echo "GAMCFGDIR=${GAMCFGDIR}" >> $GITHUB_ENV
|
|
echo "GAMCFGDIR is: ${GAMCFGDIR}"
|
|
if [[ "${RUNNER_OS}" == "macOS" ]]; then
|
|
GAMOS="macos"
|
|
elif [[ "${RUNNER_OS}" == "Linux" ]]; then
|
|
GAMOS="linux"
|
|
elif [[ "${RUNNER_OS}" == "Windows" ]]; then
|
|
GAMOS="windows"
|
|
else
|
|
GAMOS='unknown'
|
|
fi
|
|
echo "GAMOS=${GAMOS}" >> $GITHUB_ENV
|
|
echo "GAMOS is: ${GAMOS}"
|
|
|
|
- name: Set env variables for test
|
|
if: matrix.goal == 'test'
|
|
run: |
|
|
export PYTHON=$(which python3)
|
|
export PIP=$(which pip3)
|
|
export gam="${PYTHON} -m gam"
|
|
export gampath="$(readlink -e .)"
|
|
echo -e "PYTHON: ${PYTHON}\nPIP: ${PIP}\gam: ${gam}\ngampath: ${gampath}"
|
|
echo "PYTHON=${PYTHON}" >> $GITHUB_ENV
|
|
echo "PIP=${PIP}" >> $GITHUB_ENV
|
|
echo "gam=${gam}" >> $GITHUB_ENV
|
|
echo "gampath=${gampath}" >> $GITHUB_ENV
|
|
|
|
- name: Install necessary Github-hosted Linux packages
|
|
if: runner.os == 'Linux'
|
|
run: |
|
|
echo "RUNNING: apt update..."
|
|
sudo apt-get -qq --yes update
|
|
sudo apt-get -qq --yes install swig libpcsclite-dev libxslt1-dev libsqlite3-dev
|
|
|
|
- name: MacOS install tools
|
|
if: runner.os == 'macOS'
|
|
run: |
|
|
# Install latest Rust
|
|
curl $curl_retry -fsS -o rust.sh https://sh.rustup.rs
|
|
bash ./rust.sh -y
|
|
source $HOME/.cargo/env
|
|
# Install needed packages
|
|
#brew update
|
|
#brew install gpg
|
|
#brew install swig
|
|
#brew install ncurses
|
|
|
|
- name: MacOS import developer certificates for signing
|
|
if: runner.os == 'macOS'
|
|
uses: apple-actions/import-codesign-certs@v3
|
|
with:
|
|
keychain: signing_temp
|
|
p12-file-base64: ${{ secrets.CERTIFICATES_P12 }}
|
|
p12-password: ${{ secrets.CERTIFICATES_P12_PASSWORD }}
|
|
|
|
- name: Windows Configure VCode
|
|
uses: ilammy/msvc-dev-cmd@v1
|
|
if: runner.os == 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true'
|
|
with:
|
|
arch: ${{ matrix.arch }}
|
|
|
|
- name: Set Env Variables for build
|
|
if: matrix.goal == 'build'
|
|
env:
|
|
openssl_archs: ${{ matrix.openssl_archs }}
|
|
staticx: ${{ matrix.staticx }}
|
|
run: |
|
|
echo "We are running on ${RUNNER_OS}"
|
|
LD_LIBRARY_PATH="${OPENSSL_INSTALL_PATH}/lib:${PYTHON_INSTALL_PATH}/lib:/usr/local/lib"
|
|
if [[ "${arch}" == "Win64" ]]; then
|
|
PYEXTERNALS_PATH="amd64"
|
|
PYBUILDRELEASE_ARCH="x64"
|
|
GAM_ARCHIVE_ARCH="x86_64"
|
|
WIX_ARCH="x64"
|
|
CHOC_OPS=""
|
|
fi
|
|
if [[ "${RUNNER_OS}" == "macOS" ]]; then
|
|
MAKE=make
|
|
MAKEOPT="-j$(sysctl -n hw.logicalcpu)"
|
|
PERL=perl
|
|
MACOSX_DEPLOYMENT_TARGET=$(sw_vers -productVersion | awk -F '.' '{print $1 "." $2}')
|
|
echo "MACOSX_DEPLOYMENT_TARGET=${MACOSX_DEPLOYMENT_TARGET}" >> $GITHUB_ENV
|
|
echo "We are running on and targetting MacOS ${MACOSX_DEPLOYMENT_TARGET}"
|
|
echo "PYTHON=${PYTHON_INSTALL_PATH}/bin/python3" >> $GITHUB_ENV
|
|
elif [[ "${RUNNER_OS}" == "Linux" ]]; then
|
|
MAKE=make
|
|
MAKEOPT="-j$(nproc)"
|
|
PERL=perl
|
|
echo "PYTHON=${PYTHON_INSTALL_PATH}/bin/python3" >> $GITHUB_ENV
|
|
elif [[ "${RUNNER_OS}" == "Windows" ]]; then
|
|
MAKE=nmake
|
|
MAKEOPT=""
|
|
PERL="c:\strawberry\perl\bin\perl.exe"
|
|
LD_LIBRARY_PATH="${LD_LIBRARY_PATH}:${PYTHON_SOURCE_PATH}/PCbuild/${PYEXTERNALS_PATH}"
|
|
echo "PYTHON=${PYTHON_SOURCE_PATH}/PCbuild/${PYEXTERNALS_PATH}/python.exe" >> $GITHUB_ENV
|
|
echo "GAM_ARCHIVE_ARCH=${GAM_ARCHIVE_ARCH}" >> $GITHUB_ENV
|
|
echo "WIX_ARCH=${WIX_ARCH}" >> $GITHUB_ENV
|
|
fi
|
|
echo "We'll run make with: ${MAKEOPT}"
|
|
echo "staticx=${staticx}" >> $GITHUB_ENV
|
|
echo "LD_LIBRARY_PATH=${LD_LIBRARY_PATH}" >> $GITHUB_ENV
|
|
echo "MAKE=${MAKE}" >> $GITHUB_ENV
|
|
echo "MAKEOPT=${MAKEOPT}" >> $GITHUB_ENV
|
|
echo "PERL=${PERL}" >> $GITHUB_ENV
|
|
echo "PYEXTERNALS_PATH=${PYEXTERNALS_PATH}" >> $GITHUB_ENV
|
|
echo "PYBUILDRELEASE_ARCH=${PYBUILDRELEASE_ARCH}" >> $GITHUB_ENV
|
|
echo "openssl_archs=${openssl_archs}" >> $GITHUB_ENV
|
|
|
|
- name: Get latest stable OpenSSL source
|
|
if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit != 'true'
|
|
run: |
|
|
mkdir -vp "${GITHUB_WORKSPACE}/src"
|
|
cd "${GITHUB_WORKSPACE}/src"
|
|
git clone https://github.com/openssl/openssl.git
|
|
cd "${OPENSSL_SOURCE_PATH}"
|
|
export LATEST_STABLE_TAG=$(git tag --list openssl-* | grep -v alpha | grep -v beta | sort -Vr | head -n1)
|
|
echo "Checking out version ${LATEST_STABLE_TAG}"
|
|
git checkout "${LATEST_STABLE_TAG}"
|
|
export COMPILED_OPENSSL_VERSION=${LATEST_STABLE_TAG:8} # Trim the openssl- prefix
|
|
echo "COMPILED_OPENSSL_VERSION=${COMPILED_OPENSSL_VERSION}" >> $GITHUB_ENV
|
|
if ([ "${RUNNER_OS}" == "macOS" ] && [ "$arch" == "universal2" ]); then
|
|
for openssl_arch in $openssl_archs; do
|
|
ssldir="${OPENSSL_SOURCE_PATH}-${openssl_arch}"
|
|
mkdir -v "${ssldir}"
|
|
cp -vrf ${OPENSSL_SOURCE_PATH}/* "${ssldir}/"
|
|
done
|
|
rm -vrf "${OPENSSL_SOURCE_PATH}"
|
|
else
|
|
mv -v "${OPENSSL_SOURCE_PATH}" "${OPENSSL_SOURCE_PATH}-${openssl_archs}"
|
|
fi
|
|
|
|
- name: Windows NASM Install
|
|
uses: ilammy/setup-nasm@v1
|
|
if: matrix.goal == 'build' && runner.os == 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true'
|
|
|
|
- name: Config OpenSSL
|
|
if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit != 'true'
|
|
run: |
|
|
for openssl_arch in $openssl_archs; do
|
|
cd "${GITHUB_WORKSPACE}/src/openssl-${openssl_arch}"
|
|
# --libdir=lib is needed so Python can find OpenSSL libraries
|
|
"${PERL}" ./Configure "${openssl_arch}" --libdir=lib --prefix="${OPENSSL_INSTALL_PATH}" $OPENSSL_CONFIG_OPTS
|
|
done
|
|
|
|
- name: Rename GNU link on Windows
|
|
if: matrix.goal == 'build' && runner.os == 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true'
|
|
shell: bash
|
|
run: |
|
|
mv -v /usr/bin/link /usr/bin/gnulink
|
|
|
|
- name: Make OpenSSL
|
|
if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit != 'true'
|
|
run: |
|
|
for openssl_arch in $openssl_archs; do
|
|
cd "${GITHUB_WORKSPACE}/src/openssl-${openssl_arch}"
|
|
$MAKE "${MAKEOPT}"
|
|
done
|
|
|
|
- name: Install OpenSSL
|
|
if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit != 'true'
|
|
run: |
|
|
if ([ "${RUNNER_OS}" == "macOS" ] && [ "$arch" == "universal2" ]); then
|
|
for openssl_arch in $openssl_archs; do
|
|
cd "${GITHUB_WORKSPACE}/src/openssl-${openssl_arch}"
|
|
# install_sw saves us ages processing man pages :-)
|
|
$MAKE install_sw
|
|
mv -v "${OPENSSL_INSTALL_PATH}" "${GITHUB_WORKSPACE}/bin/ssl-${openssl_arch}"
|
|
done
|
|
mkdir -vp "${OPENSSL_INSTALL_PATH}/lib"
|
|
mkdir -vp "${OPENSSL_INSTALL_PATH}/bin"
|
|
for archlib in libcrypto.3.dylib libssl.3.dylib libcrypto.a libssl.a; do
|
|
lipo -create "${GITHUB_WORKSPACE}/bin/ssl-darwin64-x86_64/lib/${archlib}" \
|
|
"${GITHUB_WORKSPACE}/bin/ssl-darwin64-arm64/lib/${archlib}" \
|
|
-output "${GITHUB_WORKSPACE}/bin/ssl/lib/${archlib}"
|
|
done
|
|
mv ${GITHUB_WORKSPACE}/bin/ssl-darwin64-x86_64/include ${GITHUB_WORKSPACE}/bin/ssl/
|
|
lipo -create "${GITHUB_WORKSPACE}/bin/ssl-darwin64-x86_64/bin/openssl" \
|
|
"${GITHUB_WORKSPACE}/bin/ssl-darwin64-arm64/bin/openssl" \
|
|
-output "${GITHUB_WORKSPACE}/bin/ssl/bin/openssl"
|
|
rm -rf ${GITHUB_WORKSPACE}/bin/ssl-darwin64-x86_64
|
|
rm -rf ${GITHUB_WORKSPACE}/bin/ssl-darwin64-arm64
|
|
else
|
|
cd "${GITHUB_WORKSPACE}/src/openssl-${openssl_archs}"
|
|
# install_sw saves us ages processing man pages :-)
|
|
$MAKE install_sw
|
|
fi
|
|
if [[ "${RUNNER_OS}" != "Windows" ]]; then
|
|
echo "LDFLAGS=-L${OPENSSL_INSTALL_PATH}/lib" >> $GITHUB_ENV
|
|
fi
|
|
echo "CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS=1" >> $GITHUB_ENV
|
|
case $arch in
|
|
universal2)
|
|
echo "CFLAGS=-I${OPENSSL_INSTALL_PATH}/include -arch arm64 -arch x86_64 ${CFLAGS}" >> $GITHUB_ENV
|
|
echo "ARCHFLAGS=-arch x86_64 -arch arm64" >> $GITHUB_ENV
|
|
;;
|
|
x86_64)
|
|
echo "CFLAGS=-I${OPENSSL_INSTALL_PATH}/include ${CFLAGS}" >> $GITHUB_ENV
|
|
echo "ARCHFLAGS=-arch x86_64" >> $GITHUB_ENV
|
|
;;
|
|
aarch64)
|
|
echo "CFLAGS=-I${OPENSSL_INSTALL_PATH}/include ${CFLAGS}" >> $GITHUB_ENV
|
|
echo "ARCHFLAGS=-arch arm64" >> $GITHUB_ENV
|
|
;;
|
|
esac
|
|
|
|
- name: Run OpenSSL
|
|
if: matrix.goal == 'build'
|
|
run: |
|
|
"${OPENSSL_INSTALL_PATH}/bin/openssl" version -a
|
|
file "${OPENSSL_INSTALL_PATH}/bin/openssl"
|
|
|
|
- name: Get latest stable Python source
|
|
if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit != 'true'
|
|
run: |
|
|
cd "${GITHUB_WORKSPACE}/src"
|
|
git clone https://github.com/python/cpython.git
|
|
cd "${PYTHON_SOURCE_PATH}"
|
|
export LATEST_STABLE_TAG=$(git tag --list | grep -v a | grep -v rc | grep -v b | sort -Vr | head -n1)
|
|
git checkout "${LATEST_STABLE_TAG}"
|
|
export COMPILED_PYTHON_VERSION=${LATEST_STABLE_TAG:1} # Trim the "v" prefix
|
|
echo "COMPILED_PYTHON_VERSION=${COMPILED_PYTHON_VERSION}" >> $GITHUB_ENV
|
|
|
|
- name: Mac/Linux Configure Python
|
|
if: matrix.goal == 'build' && runner.os != 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true'
|
|
run: |
|
|
cd "${PYTHON_SOURCE_PATH}"
|
|
if ([ "${RUNNER_OS}" == "macOS" ] && [ "$arch" == "universal2" ]); then
|
|
extra_args=( "--enable-universalsdk" "--with-universal-archs=universal2" )
|
|
else
|
|
extra_args=( )
|
|
fi
|
|
./configure --with-openssl="${OPENSSL_INSTALL_PATH}" \
|
|
--prefix="${PYTHON_INSTALL_PATH}" \
|
|
--enable-shared \
|
|
--with-ensurepip=upgrade \
|
|
--enable-optimizations \
|
|
--with-lto \
|
|
"${extra_args[@]}" || : # exit 0
|
|
cat config.log
|
|
|
|
- name: Windows Get External Python deps
|
|
if: matrix.goal == 'build' && runner.os == 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true'
|
|
shell: powershell
|
|
run: |
|
|
cd "${env:PYTHON_SOURCE_PATH}"
|
|
PCBuild\get_externals.bat
|
|
|
|
- name: Windows overwrite external OpenSSL with local
|
|
if: matrix.goal == 'build' && runner.os == 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true'
|
|
shell: powershell
|
|
run: |
|
|
cd "${env:PYTHON_SOURCE_PATH}"
|
|
$env:OPENSSL_EXT_PATH = "$(Get-Item externals\openssl-bin-* | Select -exp FullName)\"
|
|
echo "External OpenSSL was downloaded to ${env:OPENSSL_EXT_PATH}"
|
|
Remove-Item -recurse -force "${env:OPENSSL_EXT_PATH}*"
|
|
# Emulate what this script does:
|
|
# https://github.com/python/cpython/blob/main/PCbuild/openssl.vcxproj
|
|
$env:OPENSSL_EXT_TARGET_PATH = "${env:OPENSSL_EXT_PATH}${env:PYEXTERNALS_PATH}"
|
|
echo "Copying our OpenSSL to ${env:OPENSSL_EXT_TARGET_PATH}"
|
|
mkdir "${env:OPENSSL_EXT_TARGET_PATH}\include\openssl\"
|
|
Copy-Item -Path "${env:GITHUB_WORKSPACE}/src/openssl-${env:openssl_archs}\LICENSE.txt" -Destination "${env:OPENSSL_EXT_TARGET_PATH}\LICENSE" -Verbose
|
|
cp -v "$env:OPENSSL_INSTALL_PATH\lib\*" "${env:OPENSSL_EXT_TARGET_PATH}"
|
|
cp -v "$env:OPENSSL_INSTALL_PATH\bin\*" "${env:OPENSSL_EXT_TARGET_PATH}"
|
|
cp -v "$env:OPENSSL_INSTALL_PATH\include\openssl\*" "${env:OPENSSL_EXT_TARGET_PATH}\include\openssl\"
|
|
cp -v "$env:OPENSSL_INSTALL_PATH\include\openssl\applink.c" "${env:OPENSSL_EXT_TARGET_PATH}\include\"
|
|
|
|
- name: Windows Install sphinx-build
|
|
if: matrix.goal == 'build' && runner.os == 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true'
|
|
shell: powershell
|
|
run: |
|
|
pip install --upgrade pip
|
|
pip install --upgrade sphinx
|
|
sphinx-build --version
|
|
|
|
- name: Windows Config/Build Python
|
|
if: matrix.goal == 'build' && runner.os == 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true'
|
|
shell: powershell
|
|
run: |
|
|
cd "${env:PYTHON_SOURCE_PATH}"
|
|
# We need out custom openssl.props which uses OpenSSL 3 DLL names
|
|
Copy-Item -Path "${env:GITHUB_WORKSPACE}\src\tools\openssl.props" -Destination PCBuild\ -Verbose
|
|
echo "Building for ${env:PYBUILDRELEASE_ARCH}..."
|
|
PCBuild\build.bat -m --pgo -c Release -p "${env:PYBUILDRELEASE_ARCH}"
|
|
|
|
- name: Mac/Linux Build Python
|
|
if: matrix.goal == 'build' && runner.os != 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true'
|
|
run: |
|
|
cd "${PYTHON_SOURCE_PATH}"
|
|
echo "Running: ${MAKE} ${MAKEOPT}"
|
|
$MAKE $MAKEOPT
|
|
|
|
- name: Mac/Linux Install Python
|
|
if: matrix.goal == 'build' && runner.os != 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true'
|
|
run: |
|
|
cd "${PYTHON_SOURCE_PATH}"
|
|
$MAKE altinstall
|
|
$MAKE bininstall
|
|
export PATH="${PATH}:${PYTHON_INSTALL_PATH}/bin"
|
|
echo "PATH=${PATH}" >> $GITHUB_ENV
|
|
echo "PATH: ${PATH}"
|
|
|
|
- name: Run Python
|
|
run: |
|
|
"${PYTHON}" -V
|
|
"${PYTHON}" -c "import ssl; print(f'Using {ssl.OPENSSL_VERSION}')"
|
|
|
|
- name: Upgrade pip, wheel, etc
|
|
run: |
|
|
curl $curl_retry -O https://bootstrap.pypa.io/get-pip.py
|
|
"${PYTHON}" get-pip.py
|
|
"${PYTHON}" -m pip install --upgrade pip
|
|
"${PYTHON}" -m pip install --upgrade wheel
|
|
"${PYTHON}" -m pip install --upgrade setuptools
|
|
|
|
- name: Install pip requirements
|
|
run: |
|
|
echo "before anything..."
|
|
"${PYTHON}" -m pip list
|
|
if ([ "${RUNNER_OS}" == "macOS" ] && [ "$arch" == "universal2" ]); then
|
|
# cffi is a dep of cryptography and doesn't ship
|
|
# a universal2 wheel so we must build one ourself :-/
|
|
export CFLAGS="-arch x86_64 -arch arm64"
|
|
export ARCHFLAGS="-arch x86_64 -arch arm64"
|
|
"${PYTHON}" -m pip install --upgrade --force-reinstall --no-binary :all: \
|
|
--no-cache-dir --no-deps --use-pep517 \
|
|
--use-feature=no-binary-enable-wheel-cache \
|
|
cffi
|
|
echo "before cryptography..."
|
|
"${PYTHON}" -m pip list
|
|
# cryptography has a universal2 wheel but getting it installed
|
|
# on x86-64 MacOS is a royal pain in the keester.
|
|
"${PYTHON}" -m pip download --only-binary :all: \
|
|
--dest . \
|
|
--no-cache \
|
|
--no-deps \
|
|
--platform macosx_10_15_universal2 \
|
|
cryptography
|
|
"${PYTHON}" -m pip install --force-reinstall --no-deps cryptography*.whl
|
|
echo "after cryptography..."
|
|
"${PYTHON}" -m pip list
|
|
"${PYTHON}" -m pip install --upgrade --no-binary :all: -r requirements.txt
|
|
else
|
|
"${PYTHON}" -m pip install --upgrade -r requirements.txt
|
|
echo "after requirements..."
|
|
"${PYTHON}" -m pip list
|
|
"${PYTHON}" -m pip install --force-reinstall --no-deps --upgrade cryptography
|
|
fi
|
|
echo "after everything..."
|
|
"${PYTHON}" -m pip list
|
|
|
|
- name: Install PyInstaller
|
|
if: matrix.goal == 'build'
|
|
run: |
|
|
git clone https://github.com/pyinstaller/pyinstaller.git
|
|
cd pyinstaller
|
|
export latest_release=$(git tag --list | grep -v dev | grep -v rc | sort -Vr | head -n1)
|
|
git checkout "${latest_release}"
|
|
# git checkout "v6.9.0"
|
|
# remove pre-compiled bootloaders so we fail if bootloader compile fails
|
|
rm -rvf PyInstaller/bootloader/*-*/*
|
|
cd bootloader
|
|
export PYINSTALLER_BUILD_ARGS=""
|
|
case "${arch}" in
|
|
"Win64")
|
|
export PYINSTALLER_BUILD_ARGS="--target-arch=64bit"
|
|
;;
|
|
esac
|
|
echo "PyInstaller build arguments: ${PYINSTALLER_BUILD_ARGS}"
|
|
"${PYTHON}" ./waf all $PYINSTALLER_BUILD_ARGS
|
|
cd ..
|
|
echo "---- Installing PyInstaller ----"
|
|
"${PYTHON}" -m pip install .
|
|
|
|
- name: Build GAM with PyInstaller
|
|
if: matrix.goal != 'test'
|
|
run: |
|
|
export distpath="./dist/gam"
|
|
mkdir -p -v "${distpath}"
|
|
if [[ "${RUNNER_OS}" == "macOS" ]]; then
|
|
# Tell our gam.spec to use our code sign certificate
|
|
export codesign_identity="Jay Lee"
|
|
# brew OpenSSL gets picked up by PyInstaller
|
|
# breaking our self-compiled version
|
|
brew uninstall --ignore-dependencies openssl
|
|
elif [[ "${RUNNER_OS}" == "Windows" ]]; then
|
|
# Work around issue where PyInstaller picks up python3.dll from other Python versions
|
|
# https://github.com/pyinstaller/pyinstaller/issues/7102
|
|
export PATH="$(dirname ${PYTHON}):/usr/bin"
|
|
fi
|
|
if [[ "$staticx" != "yes" ]]; then
|
|
export PYINSTALLER_BUILD_ONEDIR=yes
|
|
fi
|
|
"${PYTHON}" -m PyInstaller --clean --noconfirm --distpath="${distpath}" gam.spec
|
|
if [[ "$PYINSTALLER_BUILD_ONEDIR" == "yes" ]]; then
|
|
mv -v "${distpath}/gam" "${distpath}/gam7"
|
|
export gampath="${distpath}/gam7"
|
|
else
|
|
mv -v "$distpath" "${distpath}7"
|
|
export gampath="${distpath}7"
|
|
fi
|
|
export gampath=$(realpath "$gampath")
|
|
echo "gampath ${gampath} results:"
|
|
ls -alRF "$gampath"
|
|
echo "---- WARNINGS FROM build/gam/warn-gam.txt"
|
|
cat build/gam/warn-gam.txt
|
|
echo "---- Analysis FROM build/gam/Analysis-00.toc"
|
|
cat build/gam/Analysis-00.toc
|
|
echo "---- EXE data FROM build/gam/EXE-00.toc"
|
|
cat build/gam/EXE-00.toc
|
|
export gam="${gampath}/gam"
|
|
if [[ "${RUNNER_OS}" == "Windows" ]]; then
|
|
export gam=$(cygpath -w "$gam")
|
|
echo "GAM on Windows at ${gam}"
|
|
else
|
|
export gam=$(realpath "$gam")
|
|
fi
|
|
echo "gampath=${gampath}" >> $GITHUB_ENV
|
|
echo "gam=${gam}" >> $GITHUB_ENV
|
|
echo -e "GAM: ${gam}\nGAMPATH: ${gampath}"
|
|
|
|
- name: Copy extra package files
|
|
if: matrix.goal == 'build'
|
|
run: |
|
|
cp -v cacerts.pem "$gampath"
|
|
cp -v LICENSE "$gampath"
|
|
cp -v GamCommands.txt "$gampath"
|
|
cp -v GamUpdate.txt "$gampath"
|
|
if [[ "${RUNNER_OS}" == "Windows" ]]; then
|
|
cp -v gam-setup.bat "$gampath"
|
|
fi
|
|
|
|
- name: Install StaticX
|
|
if: matrix.staticx == 'yes'
|
|
run: |
|
|
sudo apt-get -qq --yes update
|
|
# arm64 needs to build a wheel and needs scons to build
|
|
sudo apt-get -qq --yes install scons
|
|
"${PYTHON}" -m pip install --upgrade patchelf-wrapper
|
|
"${PYTHON}" -m pip install --upgrade staticx
|
|
|
|
- name: Make StaticX
|
|
if: matrix.staticx == 'yes'
|
|
run: |
|
|
case $RUNNER_ARCH in
|
|
X64)
|
|
ldlib=/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
|
|
;;
|
|
ARM64)
|
|
ldlib=/lib/aarch64-linux-gnu/ld-linux-aarch64.so.1
|
|
;;
|
|
esac
|
|
echo "ldlib=${ldlib}"
|
|
$PYTHON -m staticx -l "${ldlib}" "$gam" "${gam}-staticx"
|
|
rm -v "$gam"
|
|
mv -v "${gam}-staticx" "$gam"
|
|
|
|
- name: MacOS send GAM binary for Apple notarization
|
|
if: runner.os == 'macOS'
|
|
env:
|
|
ASP_NOTARIZE: ${{ secrets.ASP_NOTARIZE }}
|
|
run: |
|
|
# Apple wants some kind of "package" submitted so just add gam to a .zip
|
|
# name it something we can track and link in Apple's notarize process
|
|
zipfilename="./gam-${RUNNER_ARCH}-${GITHUB_RUN_ID}-${GITHUB_RUN_NUMBER}.zip"
|
|
zip -r "$zipfilename" "$gampath"
|
|
xcrun notarytool submit --apple-id "jay0lee@gmail.com" --password "$ASP_NOTARIZE" --team-id GZ85H2DRLM "$zipfilename"
|
|
rm -v "$zipfilename"
|
|
|
|
- name: Basic Tests all jobs
|
|
id: basictests
|
|
run: |
|
|
$PYTHON -m unittest discover --start-directory ./ --pattern "*_test.py" --buffer || if [ $? != 5 ]; then exit $?; fi # exit 5 is no tests
|
|
$gam version extended nooffseterror
|
|
export GAMVERSION=$($gam version simple)
|
|
echo "GAM Version ${GAMVERSION}"
|
|
echo "GAMVERSION=${GAMVERSION}" >> $GITHUB_ENV
|
|
|
|
- name: Configure service account auth
|
|
id: configserviceaccount
|
|
env:
|
|
PASSCODE: ${{ secrets.PASSCODE }}
|
|
run: |
|
|
source ../.github/actions/decrypt.sh ../.github/actions/creds.tar.xz.gpg creds.tar.xz "${GAMCFGDIR}"
|
|
mv -v "${GAMCFGDIR}/oauth2.txt-gam-gha-${JID}" "${GAMCFGDIR}/oauth2.txt"
|
|
rm -v $GAMCFGDIR/oauth2.txt-gam*
|
|
$gam create signjwtserviceaccount
|
|
|
|
- name: Upload gam.exe Windows for signing
|
|
if: runner.os == 'Windows' && matrix.goal != 'test'
|
|
run: |
|
|
export folder_number=$(date +%s)
|
|
export folder_id=$($gam user gam-win-signer@pdl.jaylee.us add drivefile drivefilename "UPLOADING_FOR_SIGN ${folder_number}" parentid "1Xz3hYq4Mfa_r6D8EcBZHLDtHDFurYSvp" mimetype gfolder returnidonly)
|
|
$gam user gam-win-signer@pdl.jaylee.us add drivefile localfile "$gam" parentid "$folder_id"
|
|
$gam user gam-win-signer@pdl.jaylee.us update drivefile "$folder_id" newfilename "READYTOSIGN ${folder_number}"
|
|
export signed_folder="SIGNED ${folder_number}"
|
|
zero_results="gam-win-signer@pdl.jaylee.us,0"
|
|
while true; do
|
|
result_counts=$($gam user gam-win-signer@pdl.jaylee.us print filelist query "name = '${signed_folder}' and '1Xz3hYq4Mfa_r6D8EcBZHLDtHDFurYSvp' in parents and mimeType = 'application/vnd.google-apps.folder'" countsonly)
|
|
echo "$result_counts"
|
|
if [[ ! "$result_counts" =~ "$zero_results" ]]; then
|
|
echo "looks like we have results"
|
|
break
|
|
fi
|
|
echo "no results, sleeping 10..."
|
|
sleep 10
|
|
done
|
|
# download signed gam.exe
|
|
$gam user gam-win-signer@pdl.jaylee.us print filelist query "name = '${signed_folder}' and '1Xz3hYq4Mfa_r6D8EcBZHLDtHDFurYSvp' in parents and mimeType = 'application/vnd.google-apps.folder'" id | $gam csv - gam user gam-win-signer@pdl.jaylee.us print filelist query "'~~id~~' in parents and name = 'gam.exe'" id | $gam csv - gam user gam-win-signer@pdl.jaylee.us get drivefile ~id targetfolder "$gampath" targetname "signed-gam.exe" overwrite true acknowledgeabuse true
|
|
# delete signed folder on drive
|
|
$gam user gam-win-signer@pdl.jaylee.us print filelist query "name = '${signed_folder}' and '1Xz3hYq4Mfa_r6D8EcBZHLDtHDFurYSvp' in parents and mimeType = 'application/vnd.google-apps.folder'" id | $gam csv - gam user gam-win-signer@pdl.jaylee.us trash drivefile "~id"
|
|
# remove unsigned gam.exe and rename signed-gam.exe
|
|
rm -v -f "${gampath}/gam.exe"
|
|
mv -v -f "${gampath}/signed-gam.exe" "${gampath}/gam.exe"
|
|
#"/c/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x64/signtool.exe" verify /v /pa "$gam"
|
|
|
|
- name: Attest gam executable was generated from this Action
|
|
uses: actions/attest-build-provenance@v1
|
|
if: matrix.goal == 'build'
|
|
with:
|
|
subject-path: ${{ env.gam }}
|
|
|
|
- name: Linux/MacOS package
|
|
if: runner.os != 'Windows' && matrix.goal == 'build'
|
|
run: |
|
|
if [[ "${RUNNER_OS}" == "macOS" ]]; then
|
|
GAM_ARCHIVE="${GITHUB_WORKSPACE}/gam-${GAMVERSION}-macos${MACOSX_DEPLOYMENT_TARGET}-${arch}.tar.xz"
|
|
elif [[ "${RUNNER_OS}" == "Linux" ]]; then
|
|
if [[ "${staticx}" == "yes" ]]; then
|
|
libver="legacy"
|
|
else
|
|
libver="glibc$(ldd --version | awk '/ldd/{print $NF}')"
|
|
fi
|
|
GAM_ARCHIVE="${GITHUB_WORKSPACE}/gam-${GAMVERSION}-linux-$(arch)-${libver}.tar.xz"
|
|
fi
|
|
echo "GAM Archive ${GAM_ARCHIVE}"
|
|
tar -C "${gampath}/.." --create --verbose --exclude-from "${GITHUB_WORKSPACE}/.github/actions/package_exclusions.txt" --file $GAM_ARCHIVE --xz gam7
|
|
|
|
- name: Windows package
|
|
if: runner.os == 'Windows' && matrix.goal != 'test'
|
|
run: |
|
|
echo "started in $(pwd)"
|
|
cd "${gampath}/.."
|
|
echo "moved to $(pwd)"
|
|
GAM_ARCHIVE="${GITHUB_WORKSPACE}/gam-${GAMVERSION}-windows-${GAM_ARCHIVE_ARCH}.zip"
|
|
/c/Program\ Files/7-Zip/7z.exe a -tzip "$GAM_ARCHIVE" gam7 "-xr@${GITHUB_WORKSPACE}/.github/actions/package_exclusions.txt" -bb3
|
|
cd ../..
|
|
echo "moved to $(pwd)"
|
|
export MSI_FILENAME="${GITHUB_WORKSPACE}/gam-${GAMVERSION}-windows-${GAM_ARCHIVE_ARCH}.msi"
|
|
# auto-generate a lib.wxs based on the files PyInstaller created for the lib/ directory
|
|
/c/Program\ Files\ \(x86\)/WiX\ Toolset\ v3.14/bin/heat.exe dir "${gampath}/lib" -ke -srd -cg Lib -gg -dr lib -directoryid lib -out lib.wxs
|
|
$PYTHON tools/gen-wix-xml-filelist.py lib.wxs
|
|
echo "-- begin lib.wxs --"
|
|
cat lib.wxs
|
|
echo "-- end lib.wxs --"
|
|
/c/Program\ Files\ \(x86\)/WiX\ Toolset\ v3.14/bin/candle.exe -arch "${WIX_ARCH}" gam.wxs lib.wxs
|
|
/c/Program\ Files\ \(x86\)/WiX\ Toolset\ v3.14/bin/light.exe -ext /c/Program\ Files\ \(x86\)/WiX\ Toolset\ v3.14/bin/WixUIExtension.dll gam.wixobj lib.wixobj -b "${gampath}/lib" -o "$MSI_FILENAME" || true;
|
|
rm -v -f *.wixpdb
|
|
rm -v -f *.wixobj
|
|
echo "MSI_FILENAME=${MSI_FILENAME}" >> $GITHUB_ENV
|
|
|
|
- name: Upload gam MSI Windows for signing
|
|
if: runner.os == 'Windows' && matrix.goal != 'test'
|
|
run: |
|
|
export folder_number=$(date +%s)
|
|
export folder_id=$($gam user gam-win-signer@pdl.jaylee.us add drivefile drivefilename "UPLOADING_FOR_SIGN ${folder_number}" parentid "1Xz3hYq4Mfa_r6D8EcBZHLDtHDFurYSvp" mimetype gfolder returnidonly)
|
|
$gam user gam-win-signer@pdl.jaylee.us add drivefile localfile "$MSI_FILENAME" parentid "$folder_id"
|
|
rm -f -v "$MSI_FILENAME"
|
|
$gam user gam-win-signer@pdl.jaylee.us update drivefile "$folder_id" newfilename "READYTOSIGN ${folder_number}"
|
|
export signed_folder="SIGNED ${folder_number}"
|
|
zero_results="gam-win-signer@pdl.jaylee.us,0"
|
|
while true; do
|
|
result_counts=$($gam user gam-win-signer@pdl.jaylee.us print filelist query "name = '${signed_folder}' and '1Xz3hYq4Mfa_r6D8EcBZHLDtHDFurYSvp' in parents and mimeType = 'application/vnd.google-apps.folder'" countsonly)
|
|
echo "$result_counts"
|
|
if [[ ! "$result_counts" =~ "$zero_results" ]]; then
|
|
echo "looks like we have results"
|
|
break
|
|
fi
|
|
echo "no results, sleeping 10..."
|
|
sleep 10
|
|
done
|
|
# download signed package
|
|
$gam user gam-win-signer@pdl.jaylee.us print filelist query "name = '${signed_folder}' and '1Xz3hYq4Mfa_r6D8EcBZHLDtHDFurYSvp' in parents and mimeType = 'application/vnd.google-apps.folder'" id | $gam csv - gam user gam-win-signer@pdl.jaylee.us print filelist query "'~~id~~' in parents and name contains '.msi'" id | $gam csv - gam user gam-win-signer@pdl.jaylee.us get drivefile ~id targetfolder "$GITHUB_WORKSPACE" targetname "$MSI_FILENAME" overwrite true acknowledgeabuse true
|
|
# delete signed folder on drive
|
|
$gam user gam-win-signer@pdl.jaylee.us print filelist query "name = '${signed_folder}' and '1Xz3hYq4Mfa_r6D8EcBZHLDtHDFurYSvp' in parents and mimeType = 'application/vnd.google-apps.folder'" id | $gam csv - gam user gam-win-signer@pdl.jaylee.us trash drivefile "~id"
|
|
#"/c/Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x64/signtool.exe" verify /v /pa "$MSI_FILENAME"
|
|
|
|
- name: Attest that gam package files were generated from this Action
|
|
uses: actions/attest-build-provenance@v1
|
|
if: (github.event_name == 'push' || github.event_name == 'schedule') && matrix.goal == 'build'
|
|
with:
|
|
subject-path: |
|
|
gam*.tar.xz
|
|
gam*.zip
|
|
gam*.msi
|
|
|
|
- name: Archive production artifacts
|
|
uses: actions/upload-artifact@v4
|
|
if: (github.event_name == 'push' || github.event_name == 'schedule') && matrix.goal != 'test'
|
|
with:
|
|
name: gam-binaries-${{ env.GAMOS }}-${{ env.arch }}-${{ matrix.jid }}
|
|
path: |
|
|
gam*.tar.xz
|
|
gam*.zip
|
|
gam*.msi
|
|
|
|
- name: Basic Tests build jobs only
|
|
if: matrix.goal != 'test' && steps.cache-python-ssl.outputs.cache-hit != 'true'
|
|
run: |
|
|
export voutput=$($gam version extended nooffseterror)
|
|
export python_line=$(echo -e "${voutput}" | grep "Python ")
|
|
export python_arr=($python_line)
|
|
export this_python=${python_arr[1]}
|
|
if [[ "${this_python}" != "${COMPILED_PYTHON_VERSION}" ]]; then
|
|
echo "ERROR: Tried to compile Python ${COMPILED_PYTHON_VERSION} but ended up with ${this_python}"
|
|
exit 1
|
|
fi
|
|
export openssl_line=$(echo -e "${voutput}" | grep "OpenSSL ")
|
|
export openssl_arr=($openssl_line)
|
|
export this_openssl="${openssl_arr[1]}"
|
|
if [[ "${this_openssl}" != "${COMPILED_OPENSSL_VERSION}" ]]; then
|
|
echo "ERROR: Tried to compile OpenSSL ${COMPILED_OPENSSL_VERSION} but ended up with ${this_openssl}"
|
|
exit 1
|
|
fi
|
|
echo "We successfully compiled Python ${this_python} and OpenSSL ${this_openssl}"
|
|
|
|
- name: Live API tests push only
|
|
if: (github.event_name == 'push' || github.event_name == 'schedule')
|
|
run: |
|
|
export gam_user="gam-gha-${JID}@pdl.jaylee.us"
|
|
echo "gam_user=${gam_user}" >> $GITHUB_ENV
|
|
$gam config customer_id "C03uzfv2s" save
|
|
$gam config domain "pdl.jaylee.us" save
|
|
$gam config admin_email "${gam_user}" save
|
|
$gam config enable_dasa false save
|
|
$gam oauth info
|
|
$gam oauth refresh
|
|
$gam config enable_dasa true save
|
|
$gam checkconn
|
|
$gam user "$gam_user" check serviceaccount
|
|
$gam info domain
|
|
$gam info user
|
|
export tstamp=$($PYTHON -c "import time; print(time.time_ns())")
|
|
export newbase="gha_test_${JID}_${tstamp}"
|
|
export newuser="${newbase}@pdl.jaylee.us"
|
|
export newgroup="${newbase}-group@pdl.jaylee.us"
|
|
export newalias="${newbase}-alias@pdl.jaylee.us"
|
|
export newbuilding="${newbase}-building"
|
|
export newresource="${newbase}-resource"
|
|
export newou="aaaGithub Actions/${newbase}"
|
|
|
|
# cleanup old runs
|
|
$gam config enable_dasa false save
|
|
$gam config csv_output_row_filter "name:regex:gha_test_${JID}_" print vaultholds || if [ $? != 55 ]; then exit $?; fi | $gam csv - gam delete vaulthold "id:~~holdId~~" matter "id:~~matterId~~"
|
|
$gam config csv_output_row_filter "name:regex:gha_test_${HID}_" print vaultmatters matterstate OPEN | $gam csv - gam update vaultmatter "id:~~matterId~~" action close
|
|
$gam config csv_output_row_filter "name:regex:gha_test_${HID}_" print vaultmatters matterstate CLOSED | $gam csv - gam update vaultmatter "id:~~matterId~~" action delete
|
|
$gam config enable_dasa true save
|
|
$gam config csv_output_row_filter "name:regex:gha_test_${JID}_" print features | $gam csv - gam delete feature ~name
|
|
$gam config csv_output_row_filter "name:regex:^gha_test_${JID}_" user $gam_user print shareddrives asadmin | $gam csv - gam user $gam_user delete shareddrive ~id nukefromorbit
|
|
$gam print users query "gha.jid=$JID" | $gam csv - gam delete user ~primaryEmail
|
|
$gam config csv_output_row_filter "name:regex:^gha_test_${JID}_" print ous fromparent "aaaGithub Actions" | $gam csv - gam delete ou ~orgUnitId
|
|
$gam config csv_output_row_filter "email:regex:^gha_test_${JID}_" print cigroups | $gam csv - gam delete cigroup ~email
|
|
$gam config csv_output_row_filter "resourceId:regex:^gha_test_${JID}_" print resources | $gam csv - gam delete resource ~resourceId
|
|
$gam config csv_output_row_filter "buildingId:regex:^gha_test_${JID}_" print buildings | $gam csv - gam delete building ~buildingId
|
|
$gam config csv_output_row_filter "Emails.1.address:regex:^gha_test-${JID}_" print contacts | $gam csv - gam delete contact ~ContactID
|
|
|
|
echo "Creating OrgUnit ${newou}"
|
|
$gam create ou "${newou}"
|
|
export GAM_THREADS=5
|
|
echo email > sample.csv;
|
|
for i in {1..10}; do
|
|
echo "${newbase}-bulkuser-$i" >> sample.csv;
|
|
done
|
|
driveid=$($gam user $gam_user add shareddrive "${newbase}" returnidonly)
|
|
echo "Created shared drive ${driveid}"
|
|
$gam create user $newuser firstname GHA lastname $JID displayname "Github Actions ${JID}" password random recoveryphone 12125121110 recoveryemail jay0lee@gmail.com gha.jid $JID languages en+,en-GB- ou "${newou}"
|
|
$gam user $newuser add license workspaceenterpriseplus
|
|
$gam user $newuser update photo https://dummyimage.com/400x600/000/fff
|
|
$gam user $newuser get photo
|
|
$gam user $newuser delete photo
|
|
$gam create alias $newalias user $newuser
|
|
$gam create group $newgroup name "GHA $JID group" description "This is a description" isarchived true
|
|
$gam user $gam_user sendemail recipient dev-null@pdl.jaylee.us subject "test message $newbase" message "GHA test message"
|
|
$gam config enable_dasa false save
|
|
# don't expose policy output
|
|
$gam show policies > policies.csv
|
|
$gam create contact firstname GHA lastname "$JID" email work "${newbase}@example.com" primary
|
|
$gam print contacts
|
|
$gam print privileges
|
|
$gam config enable_dasa true save
|
|
$gam update cigroup $newgroup security memberrestriction 'member.type == 1 || member.customer_id == groupCustomerId()'
|
|
$gam info cigroup $newgroup
|
|
$gam update group $newgroup add owner $gam_user
|
|
$gam update group $newgroup add member $newuser
|
|
$gam config enable_dasa false save
|
|
# 9/17/24 temp disable due to Google API sluggishness to see new users for admin commands
|
|
# $gam create admin $newuser _GROUPS_EDITOR_ROLE CUSTOMER # condition nonsecuritygroup
|
|
$gam create admin $newgroup _HELP_DESK_ADMIN_ROLE org_unit "${newou}"
|
|
$gam config csv_output_row_filter "assignedToUser:regex:${newuser}" print admins | $gam csv - gam delete admin "~roleAssignmentId"
|
|
$gam config csv_output_row_filter "assignedToGroup:regex:${newgroup}" print admins | $gam csv - gam delete admin "~roleAssignmentId"
|
|
$gam config enable_dasa false save
|
|
$gam csv sample.csv gam create user ~~email~~ firstname "GHA Bulk" lastname ~~email~~ gha.jid $JID ou "${newou}"
|
|
$gam csv sample.csv gam update user ~~email~~ recoveryphone 12125121110 recoveryemail jay0lee@gmail.com password random displayname "GitHub Actions Bulk ${JID}"
|
|
$gam csv sample.csv gam update user ~~email~~ recoveryphone "" recoveryemail ""
|
|
$gam config enable_dasa false save
|
|
$gam csv sample.csv gam user ~email add license workspaceenterpriseplus
|
|
$gam config enable_dasa true save
|
|
$gam csv sample.csv gam user $gam_user sendemail recipient ~~email~~@pdl.jaylee.us subject "test message $newbase" message "GHA test message"
|
|
$gam csv sample.csv gam update group $newgroup add member ~email
|
|
$gam info group $newgroup
|
|
$gam info cigroup $newgroup membertree
|
|
# confirm mailbox is provisoned before continuing
|
|
$gam user $newuser waitformailbox retries 50
|
|
$gam user $newuser imap on
|
|
$gam user $newuser show imap
|
|
$gam user $newuser show delegates
|
|
#$gam user $newuser add contactdelegate "${newbase}-bulkuser-1"
|
|
#$gam user $newuser print contactdelegates
|
|
export biohazard=$(echo -e '\xe2\x98\xa3')
|
|
$gam user $newuser label "$biohazard unicode biohazard $biohazard"
|
|
$gam user $newuser show labels
|
|
$gam user $newuser show labels > labels.txt
|
|
$gam user $gam_user importemail subject "GHA import $newbase" message "This is a test import" labels IMPORTANT,UNREAD,INBOX,STARRED
|
|
$gam user $gam_user insertemail subject "GHA insert $newbase" file gam.py labels INBOX,UNREAD # yep body is gam code
|
|
$gam user $gam_user sendemail subject "GHA send $gam_user $newbase" file gam.py recipient admin@pdl.jaylee.us
|
|
$gam user $gam_user draftemail subject "GHA draft $newbase" message "Draft message test"
|
|
$gam csvfile sample.csv:email waitformailbox retries 20
|
|
$gam user $newuser delegate to "${newbase}-bulkuser-1" || if [ $? != 50 ]; then exit $?; fi # expect a 50 return code (delegation failed)
|
|
$gam users "$gam_user $newbase-bulkuser-1 $newbase-bulkuser-2 $newbase-bulkuser-3" delete messages query in:anywhere maxtodelete 99999 doit || if [ $? != 60 ]; then exit $?; fi # expect a 60 return code (no messages)
|
|
$gam users "$newbase-bulkuser-4 $newbase-bulkuser-5 $newbase-bulkuser-6" trash messages query in:anywhere maxtotrash 99999 doit || if [ $? != 60 ]; then exit $?; fi # expect a 60 return code (no messages)
|
|
$gam users "$newbase-bulkuser-7 $newbase-bulkuser-8 $newbase-bulkuser-9" modify messages query in:anywhere maxtomodify 99999 addlabel IMPORTANT addlabel STARRED doit || if [ $? != 60 ]; then exit $?; fi # expect a 60 return code (no messages)
|
|
$gam user $newuser delete label --ALL_LABELS--
|
|
$gam config csv_output_row_filter "name:regex:gha-test-${JID}" print features | $gam csv - gam delete feature ~name
|
|
$gam create feature name VC-$newbase
|
|
$gam create feature name Whiteboard-$newbase
|
|
$gam create building "My Building - $newbase" id $newbuilding floors 1,2,3,4,5,6,7,8,9,10,11,12,14,15 description "No 13th floor here..."
|
|
$gam create resource $newresource "Resource Calendar $tstamp" capacity 25 features Whiteboard-$newbase,VC-$newbase building $newbuilding floor 15 type Room
|
|
$gam info resource $newresource
|
|
$gam user $newuser add drivefile drivefilename "TPS Reports" mimetype gfolder
|
|
$gam user $newuser show filelist
|
|
$gam calendar $gam_user printacl | $gam csv - gam calendar $gam_user delete ~id # clear ACLs
|
|
$gam calendar $gam_user add read domain
|
|
$gam calendar $gam_user add freebusy default
|
|
$gam calendar $gam_user add editor $newuser
|
|
$gam calendar $gam_user showacl
|
|
$gam calendar $gam_user printacl | $gam csv - gam calendar $gam_user delete ~id
|
|
$gam calendar $gam_user addevent summary "GHA test event" start +1h end +2h attendee $newgroup hangoutsmeet guestscanmodify true sendupdates all
|
|
$gam calendar $gam_user printevents after -0d
|
|
$gam config enable_dasa false save
|
|
matterid=uid:$($gam create vaultmatter name "GHA matter $newbase" description "test matter" collaborators $newuser returnidonly)
|
|
$gam create vaulthold matter $matterid name "GHA hold $newbase" corpus mail accounts $newuser
|
|
$gam print vaultmatters matterstate open
|
|
$gam print vaultholds matter $matterid
|
|
$gam print vaultcount matter $matterid corpus mail everyone todrive tdnobrowser
|
|
$gam create vaultexport matter $matterid name "GHA export $newbase" corpus mail accounts $newuser
|
|
$gam print exports matter $matterid | $gam csv - gam info export $matterid id:~~id~~
|
|
$gam config enable_dasa true save
|
|
$gam csv sample.csv gam user ~email add calendar id:$newresource
|
|
$gam delete resource $newresource
|
|
$gam delete feature Whiteboard-$newbase
|
|
$gam delete feature VC-$newbase
|
|
$gam delete building $newbuilding
|
|
$gam delete group $newgroup
|
|
$gam config enable_dasa false save
|
|
echo start
|
|
$gam user $newuser delete license workspaceenterpriseplus
|
|
echo finish
|
|
$gam config enable_dasa true save
|
|
$gam whatis $newuser || if [ $? != 20 ]; then exit $?; fi # expect a 20 return code (is a user)
|
|
$gam user $gam_user show tokens
|
|
$gam config enable_dasa false save
|
|
download_dir="${RUNNER_TEMP}/TEMP_DELETE_ME"
|
|
mkdir -v "$download_dir"
|
|
$gam print exports matter $matterid | $gam csv - gam download export $matterid id:~~id~~ targetfolder "$download_dir"
|
|
rm -rvf "$download_dir"
|
|
$gam delete hold "GHA hold $newbase" matter $matterid
|
|
$gam update matter $matterid action close
|
|
$gam update matter $matterid action delete
|
|
# shakes off vault hold on user so we can delete
|
|
$gam print users query "email:${newuser}" orgunitpath | $gam csv - gam update user ~primaryEmail ou ~orgUnitPath
|
|
$gam user $newuser show holds || if [ $? != 55 ]; then exit $?; fi # expect a 55 return code
|
|
export sn="$JID$JID$JID$JID-$(openssl rand -base64 32 | sed 's/[^a-zA-Z0-9]//g')"
|
|
$gam create device serialnumber $sn devicetype android
|
|
$gam config enable_dasa true save
|
|
$gam print users query "gha.jid=$JID" | $gam csv - gam delete user ~primaryEmail || if [ $? != 50 ]; then exit $?; fi # expect a 50 return code (vault hold on user)
|
|
$gam delete contacts emailmatchpattern "^${newbase}@example.com$"
|
|
$gam print mobile
|
|
$gam print devices
|
|
$gam print browsers
|
|
$gam print cros allfields orderby serialnumber
|
|
$gam show crostelemetry storagepercentonly
|
|
$gam report usageparameters customer
|
|
$gam report usage customer parameters gmail:num_emails_sent,accounts:num_1day_logins
|
|
$gam report customer todrive tdnobrowser
|
|
#$gam report users fields accounts:is_less_secure_apps_access_allowed,gmail:last_imap_time,gmail:last_pop_time filters "accounts:last_login_time>2019-01-01T00:00:00.000Z" todrive tdnobrowser
|
|
$gam report users todrive tdnobrowser
|
|
$gam report admin start -3d todrive tdnobrowser
|
|
$gam print devices nopersonaldevices nodeviceusers filter "serial:$JID$JID$JID$JID-" | $gam csv - gam delete device id ~name
|
|
$gam config enable_dasa false save
|
|
$gam print userinvitations
|
|
$gam print userinvitations | $gam csv - gam send userinvitation ~name
|
|
$gam config enable_dasa false save
|
|
$gam create caalevel "zzz_${newbase}" basic condition ipsubnetworks 1.1.1.1/32,2.2.2.2/32 endcondition
|
|
$gam print caalevels
|
|
$gam delete caalevel "zzz_${newbase}"
|
|
$gam user $gam_user add drivefile localfile gam.py parentid "${driveid}"
|
|
$gam user $gam_user update shareddrive "${driveid}" ou "${newou}"
|
|
$gam user $gam_user show shareddrives asadmin
|
|
$gam user $gam_user update shareddrive "${driveid}" ou "aaaGithub Actions" # so we can delete our OU...
|
|
$gam user $gam_user delete shareddrive "${driveid}" nukefromorbit
|
|
ssoprofile=$($gam config debug_level 1 create inboundssoprofile name "El Goog ${newbase}" loginurl https://www.google.com logouturl https://www.google.com changepasswordurl https://www.google.com entityid ElGoog return_name_only)
|
|
if [ ${ssoprofile} != 'inProgress' ]; then
|
|
$gam create inboundssocredential profile "id:${ssoprofile}" generate_key
|
|
#$gam create inboundssoassignment profile "id:${ssoprofile}" orgunit "${newou}" mode SAML_SSO
|
|
#$gam delete inboundssoassignment "orgunit:${newou}"
|
|
$gam delete inboundssoprofile "id:${ssoprofile}"
|
|
fi
|
|
echo "printer model count:"
|
|
$gam print printermodels | wc -l
|
|
$gam print printers
|
|
printerid=$($gam create printer displayname "${newbase}" uri ipp://localhost:631 driverless description "made by ${gam_user}" ou "${newou}" nodetails | awk '{print substr($2, 1, length($2)-1)}')
|
|
$gam info printer "$printerid"
|
|
$gam delete printer "$printerid"
|
|
$gam delete ou "${newou}"
|
|
|
|
- name: Tar Cache archive
|
|
if: matrix.goal == 'build' && steps.cache-python-ssl.outputs.cache-hit != 'true'
|
|
working-directory: ${{ github.workspace }}
|
|
run: |
|
|
if [[ "${RUNNER_OS}" == "Windows" ]]; then
|
|
tar_folders="src/cpython/ bin/ssl"
|
|
else
|
|
tar_folders="bin/"
|
|
fi
|
|
tar cJvvf cache.tar.xz $tar_folders
|
|
|
|
merge:
|
|
if: (github.event_name == 'push' || github.event_name == 'schedule')
|
|
runs-on: ubuntu-latest
|
|
needs: build
|
|
permissions:
|
|
contents: write
|
|
packages: write
|
|
steps:
|
|
- name: Merge Artifacts
|
|
uses: actions/upload-artifact/merge@v4
|
|
with:
|
|
name: gam-binaries
|
|
pattern: gam-binaries-*
|
|
|
|
publish:
|
|
if: github.event_name == 'push'
|
|
runs-on: ubuntu-latest
|
|
needs: merge
|
|
permissions:
|
|
contents: write
|
|
packages: write
|
|
pull-requests: read
|
|
|
|
steps:
|
|
|
|
- uses: actions/checkout@v4
|
|
with:
|
|
persist-credentials: false
|
|
fetch-depth: 0
|
|
|
|
- name: Download artifacts
|
|
uses: actions/download-artifact@v4
|
|
|
|
- name: VirusTotal Scan
|
|
uses: crazy-max/ghaction-virustotal@v4
|
|
with:
|
|
vt_api_key: ${{ secrets.VT_API_KEY }}
|
|
files: |
|
|
gam-binaries/*
|
|
|
|
- name: Set datetime version string
|
|
id: dateversion
|
|
run: |
|
|
export dateversion="$(date +'%Y%m%d.%H%M%S')"
|
|
echo "Date version: ${dateversion}"
|
|
echo "dateversion=${dateversion}" >> $GITHUB_OUTPUT
|
|
|
|
- uses: "marvinpinto/action-automatic-releases@latest"
|
|
name: Publish draft release
|
|
with:
|
|
repo_token: "${{ secrets.GITHUB_TOKEN }}"
|
|
automatic_release_tag: "${{ steps.dateversion.outputs.dateversion }}"
|
|
prerelease: false
|
|
draft: true
|
|
files: |
|
|
gam-binaries/*
|