From 56a8f7164aa531fc283fc3d123d61d6f22bd5847 Mon Sep 17 00:00:00 2001
From: Johannes Schindelin
Date: Mon, 20 Jan 2025 14:33:46 +0100
Subject: [PATCH 1/5] fixup! release: create initial Windows installer build workflow

No need to initialize the `release` environment for the `prereq` job; Originally, the expectation was that this would prevent the repeated need for validating manually that the jobs are allowed to access that environment; However, GitHub Actions does ask for every single job, and for certain reasons it is unlikely that this is ever going to be fixed.

Signed-off-by: Johannes Schindelin
---
 .github/workflows/build-git-installers.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/.github/workflows/build-git-installers.yml b/.github/workflows/build-git-installers.yml
index de13e7df7239eb..e9203c4a357522 100644
--- a/.github/workflows/build-git-installers.yml
+++ b/.github/workflows/build-git-installers.yml
@@ -12,7 +12,6 @@ jobs:
 # Check prerequisites for the workflow
 prereqs:
 runs-on: ubuntu-latest
- environment: release
 outputs:
 tag_name: ${{ steps.tag.outputs.name }} # The full name of the tag, e.g. v2.32.0.vfs.0.0
 tag_version: ${{ steps.tag.outputs.version }} # The version number (without preceding "v"), e.g. 2.32.0.vfs.0.0
From a8adc02ba40eb3b566e0bfae350d11fbcda7591b Mon Sep 17 00:00:00 2001
From: Johannes Schindelin
Date: Fri, 17 Jan 2025 16:26:33 +0100
Subject: [PATCH 2/5] fixup! release: build unsigned Ubuntu .deb package

Currently, we target whatever GitHub Actions use as `ubuntu-latest`; This, however, led to the unintentional requirement in v2.47.2.vfs.0.0 to run Ubuntu 24.04 (up from 22.04 in v2.47.1.vfs.0.1). It is important to target a wider audience, though, especially in light of CVE-2024-52005 which is only addressed in Git for Windows and `microsoft/git`, but not Git. We could now go back to 22.04; This would only be a temporary band-aid, https://github.blog/changelog/2025-01-15-github-actions-ubuntu-20-runner-image-brownout-dates-and-other-breaking-changes/ already announced that 20.04 is phased out very soon, and 22.04 will be next. Let's just use a Docker container instead that targets the oldest Ubuntu LTS that is still maintained in _some_ shape or form. This requires a few modifications (`sudo` is not available, GitHub Actions' node.js needs to be overridden, and we need to install a couple of packages explicitly). In particular, we now need two jobs because it turned out to be too convoluted to get `debsign` to work in a headless workflow with Ubuntu 16.04; We still resort to `ubuntu-latest` for that instead. By still verifying the resulting binary in `validate-installers`, we ensure that it installs and works on the latest Ubuntu version by virtue of using `runs-on: ubuntu-latest` in _that_ matrix job.

Signed-off-by: Johannes Schindelin
---
 .github/workflows/build-git-installers.yml | 41 +++++++++++++++++++---
 1 file changed, 36 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/build-git-installers.yml b/.github/workflows/build-git-installers.yml
index e9203c4a357522..1d8e0e388db4ab 100644
--- a/.github/workflows/build-git-installers.yml
+++ b/.github/workflows/build-git-installers.yml
@@ -490,16 +490,30 @@ jobs:
 # End build and sign Mac OSX installers
 
 # Build and sign Debian package
- create-linux-artifacts:
+ create-linux-unsigned-artifacts:
 runs-on: ubuntu-latest
+ container:
+ image: ubuntu:16.04 # expanded security maintenance until 04/02/2026, according to https://endoflife.date/ubuntu
+ volumes:
+ # override /__e/node20 because GitHub Actions uses a version that requires too-recent glibc, see "Install dependencies" below
+ - /tmp:/__e/node20
 needs: prereqs
- environment: release
 steps:
- - name: Install git dependencies
+ - name: Install dependencies
 run: |
 set -ex
- sudo apt-get update -q
- sudo apt-get install -y -q --no-install-recommends gettext libcurl4-gnutls-dev libpcre3-dev asciidoc xmlto
+ apt-get update -q
+ apt-get install -y -q --no-install-recommends \
+ build-essential \
+ tcl tk gettext asciidoc xmlto \
+ libcurl4-gnutls-dev libpcre2-dev zlib1g-dev libexpat-dev \
+ curl ca-certificates
+
+ # Install a Node.js version that works in older Ubuntu containers (read: does not require very recent glibc)
+ NODE_VERSION=v20.18.1 &&
+ NODE_URL=https://unofficial-builds.nodejs.org/download/release/$NODE_VERSION/node-$NODE_VERSION-linux-x64-glibc-217.tar.gz &&
+ curl -Lo /tmp/node.tar.gz $NODE_URL &&
+ tar -C /__e/node20 -x --strip-components=1 -f /tmp/node.tar.gz
 
 - name: Clone git
 uses: actions/checkout@v4
@@ -562,6 +576,18 @@ jobs:
 # Move Debian package for later artifact upload
 mv "$PKGNAME.deb" "$GITHUB_WORKSPACE"
 
+ - name: Upload artifacts
+ uses: actions/upload-artifact@v4
+ with:
+ name: linux-unsigned-artifacts
+ path: |
+ *.deb
+
+ create-linux-artifacts:
+ runs-on: ubuntu-latest
+ needs: [prereqs, create-linux-unsigned-artifacts]
+ environment: release
+ steps:
 - name: Log into Azure
 uses: azure/login@v2
 with:
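Review bot: The replacement Node.js tarball is fetched over the network and extracted straight into `/__e/node20` with no integrity check, and the hunk's own comment says this directory is the Node the runner uses for the job's JavaScript actions (`actions/checkout@v4` and the later upload step), so a tampered or truncated download would execute inside the release build without any signal. Pin the expected SHA-256 next to `NODE_VERSION`, verify it before `tar` runs, and make `curl` fail on HTTP errors (`-f`) so an error page is never handed to `tar`. For the same reason `image: ubuntu:16.04` is a mutable tag; pinning it by digest (`ubuntu:16.04@sha256:<digest>`) makes the build reproducible and makes a changed base image visible. The `create-linux-unsigned-artifacts` job continues past the hunk (the `Clone git` step and everything after it).
```yaml
          # Install a Node.js version that works in older Ubuntu containers (read: does not require very recent glibc)
          NODE_VERSION=v20.18.1 &&
          NODE_SHA256=<expected-sha256-of-the-tarball-from-the-release-checksum-list> &&
          NODE_URL=https://unofficial-builds.nodejs.org/download/release/$NODE_VERSION/node-$NODE_VERSION-linux-x64-glibc-217.tar.gz &&
          curl -fsSLo /tmp/node.tar.gz "$NODE_URL" &&
          echo "$NODE_SHA256  /tmp/node.tar.gz" | sha256sum -c - &&
          tar -C /__e/node20 -x --strip-components=1 -f /tmp/node.tar.gz
```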
@@ -597,6 +623,11 @@ jobs:
 gpg-connect-agent RELOADAGENT /bye
 /usr/lib/gnupg2/gpg-preset-passphrase --preset "$keygrip" <<<"$passphrase"
 
+ - name: Download artifacts
+ uses: actions/download-artifact@v4
+ with:
+ name: linux-unsigned-artifacts
+
 - name: Sign Debian package
 run: |
 # Sign Debian package
From 32d4e9556bf68aae8d506ecb3dd3f5fe135f5210 Mon Sep 17 00:00:00 2001
From: Johannes Schindelin
Date: Mon, 20 Jan 2025 10:56:45 +0100
Subject: [PATCH 3/5] fixup! release: build unsigned Ubuntu .deb package

Do use `apt-get` and ensure that it does not ask for confirmation.

Signed-off-by: Johannes Schindelin
---
 .github/workflows/build-git-installers.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/build-git-installers.yml b/.github/workflows/build-git-installers.yml
index 1d8e0e388db4ab..4cfe352ad5ef2f 100644
--- a/.github/workflows/build-git-installers.yml
+++ b/.github/workflows/build-git-installers.yml
@@ -603,7 +603,7 @@ jobs:
 GPG_KEYGRIP_SECRET_NAME: ${{ secrets.GPG_KEYGRIP_SECRET_NAME }}
 run: |
 # Install debsigs
- sudo apt install debsigs
+ sudo apt-get install -y debsigs
 
 # Download GPG key, passphrase, and keygrip from Azure Key Vault
 key=$(az keyvault secret show --name $GPG_KEY_SECRET_NAME --vault-name $AZURE_VAULT --query "value")
From c4514dc2962c7808246df236725578e5de1f51cb Mon Sep 17 00:00:00 2001
From: Johannes Schindelin
Date: Mon, 20 Jan 2025 10:09:01 +0100
Subject: [PATCH 4/5] fixup! release: build unsigned Ubuntu .deb package

By using cURL for `imap-send`, we can drop the libssl dependency, which is not installed in Ubuntu 16.04 container by default.

Signed-off-by: Johannes Schindelin
---
 .github/workflows/build-git-installers.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/build-git-installers.yml b/.github/workflows/build-git-installers.yml
index 4cfe352ad5ef2f..ca552a728e7d1f 100644
--- a/.github/workflows/build-git-installers.yml
+++ b/.github/workflows/build-git-installers.yml
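Review bot: `sudo apt-get install -y debsigs` in the PATCH 3/5 hunk runs without a preceding `apt-get update`; on a hosted `ubuntu-latest` runner the package index baked into the image can lag the archive, in which case the install fails on a stale package URL instead of installing `debsigs`. Unless an earlier step of this job (not visible in the hunk) refreshes the index, change the line to `sudo apt-get update -q && sudo apt-get install -y debsigs`. The `run:` script continues outside the hunk.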
@@ -547,6 +547,7 @@ jobs:
 DESTDIR="$PKGDIR" make -C git -j5 V=1 DEVELOPER=1 \
 USE_LIBPCRE=1 \
+ USE_CURL_FOR_IMAP_SEND=1 NO_OPENSSL=1 \
 NO_CROSS_DIRECTORY_HARDLINKS=1 \
 ASCIIDOC8=1 ASCIIDOC_NO_ROFF=1 \
 ASCIIDOC='TZ=UTC asciidoc' \
From ed8287b26a6d6d0b364d1968b2b7f6f3117a8f5f Mon Sep 17 00:00:00 2001
From: Johannes Schindelin
Date: Mon, 20 Jan 2025 11:18:10 +0100
Subject: [PATCH 5/5] fixup! release: build unsigned Ubuntu .deb package

This avoids some Bash-only `sed` invocations to strip quotes where no stripping is required if `az` is asked to output the value in a more appropriate format.

Signed-off-by: Johannes Schindelin
---
 .github/workflows/build-git-installers.yml | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/build-git-installers.yml b/.github/workflows/build-git-installers.yml
index ca552a728e7d1f..ae442d9e3d51cf 100644
--- a/.github/workflows/build-git-installers.yml
+++ b/.github/workflows/build-git-installers.yml
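Review bot: `NO_OPENSSL=1` is a build-wide knob that removes OpenSSL from the whole git build rather than an `imap-send` option, yet it shares a line with `USE_CURL_FOR_IMAP_SEND=1` in a `make` invocation that otherwise keeps one option per continuation line. Give it its own line so the two decisions stay separately readable and blameable: `USE_CURL_FOR_IMAP_SEND=1 \` followed by `NO_OPENSSL=1 \`. The remaining continuation lines of this `make` command fall outside the hunk.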
@@ -607,14 +607,9 @@ jobs:
 sudo apt-get install -y debsigs
 
 # Download GPG key, passphrase, and keygrip from Azure Key Vault
- key=$(az keyvault secret show --name $GPG_KEY_SECRET_NAME --vault-name $AZURE_VAULT --query "value")
- passphrase=$(az keyvault secret show --name $GPG_PASSPHRASE_SECRET_NAME --vault-name $AZURE_VAULT --query "value")
- keygrip=$(az keyvault secret show --name $GPG_KEYGRIP_SECRET_NAME --vault-name $AZURE_VAULT --query "value")
-
- # Remove quotes from downloaded values
- key=$(sed -e 's/^"//' -e 's/"$//' <<<"$key")
- passphrase=$(sed -e 's/^"//' -e 's/"$//' <<<"$passphrase")
- keygrip=$(sed -e 's/^"//' -e 's/"$//' <<<"$keygrip")
+ key="$(az keyvault secret show --name "$GPG_KEY_SECRET_NAME" --vault-name "$AZURE_VAULT" --query "value" --output tsv)"
+ passphrase="$(az keyvault secret show --name "$GPG_PASSPHRASE_SECRET_NAME" --vault-name "$AZURE_VAULT" --query "value" --output tsv)"
+ keygrip="$(az keyvault secret show --name "$GPG_KEYGRIP_SECRET_NAME" --vault-name "$AZURE_VAULT" --query "value" --output tsv)"
 
 # Import GPG key
 echo "$key" | base64 -d | gpg --import --no-tty --batch --yes
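Review bot: The three values now read with `--output tsv` come from Key Vault rather than from the `secrets.*` context, so GitHub Actions does not mask them in the job log; any later command that prints them, or a `set -x` at the top of this `run:` script (its start is outside the hunk), would put the signing passphrase in clear text in the log. Mask each value as soon as it is assigned, e.g. `echo "::add-mask::$passphrase"` right after the `passphrase=` line; the key is base64 and may span several lines, in which case mask it line by line. If the script does not run under `set -e`, a failed `az` call also leaves `$key` empty and the problem only surfaces at `gpg --import` with a less useful error, so a non-empty check on each value before use is worth adding.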