mirror of
https://github.com/larksuite/cli.git
synced 2026-07-07 17:45:15 +08:00
Replace the cgo Security.framework bindings with runtime FFI (ebitengine/purego) so the keychain_signer builds with CGO_ENABLED=0 and cross-compiles for darwin from any host. Same non-extractable-key security model (SecKeyCreateSignature on an OS-held key). Release goes back to a single ubuntu runner; a macos-latest job validates the FFI round-trip on real hardware as a release gate.
80 lines
2.5 KiB
YAML
80 lines
2.5 KiB
YAML
name: Release
|
|
|
|
on:
|
|
push:
|
|
tags:
|
|
- 'v*'
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
# All platforms (incl. darwin keychain_signer) are CGO-free and cross-compiled
|
|
# on a single ubuntu runner in one goreleaser run (one checksums.txt). The
|
|
# darwin signer's runtime FFI is validated separately by the signer-test job.
|
|
goreleaser:
|
|
needs: signer-test-macos
|
|
runs-on: ubuntu-22.04
|
|
permissions:
|
|
contents: write
|
|
steps:
|
|
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
|
|
with:
|
|
go-version: '1.23'
|
|
|
|
- uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
|
|
with:
|
|
python-version: '3.x'
|
|
|
|
- name: Run GoReleaser
|
|
uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6
|
|
with:
|
|
version: '~> v2'
|
|
args: release --clean
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
# Validate the macOS keychain signer on real hardware. The release binaries are
|
|
# cross-compiled on ubuntu (CGO-free purego FFI), so this is the only step that
|
|
# needs a Mac — and it gates the release rather than producing it.
|
|
signer-test-macos:
|
|
runs-on: macos-latest
|
|
permissions:
|
|
contents: read
|
|
steps:
|
|
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
|
|
- uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
|
|
with:
|
|
go-version: '1.23'
|
|
- name: Keychain signer round-trip (CGO-free purego FFI)
|
|
run: LARK_KEYCHAIN_IT=1 CGO_ENABLED=0 go test -tags keychain_signer -run Keychain -v ./extension/keysigner/
|
|
|
|
publish-npm:
|
|
needs: goreleaser
|
|
runs-on: ubuntu-22.04
|
|
steps:
|
|
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
|
|
|
|
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
|
|
with:
|
|
node-version: '20'
|
|
registry-url: 'https://registry.npmjs.org'
|
|
|
|
- name: Download checksums from release
|
|
env:
|
|
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
run: |
|
|
set -euo pipefail
|
|
TAG="${GITHUB_REF_NAME}"
|
|
gh release download "${TAG}" --pattern checksums.txt --dir .
|
|
test -s checksums.txt || { echo "checksums.txt missing or empty for ${TAG}"; exit 1; }
|
|
|
|
- name: Publish to npm
|
|
env:
|
|
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
|
|
run: npm publish --access public
|