Update main.yml #404
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build Chrome Bisect Script | |
| on: | |
| push: | |
| pull_request: | |
| schedule: | |
| - cron: '30 20 * * 6' | |
| defaults: | |
| run: | |
| shell: bash | |
| env: | |
| OPENSSL_CONFIG_OPTS: no-fips | |
| OPENSSL_INSTALL_PATH: ${{ github.workspace }}/bin/ssl | |
| OPENSSL_SOURCE_PATH: ${{ github.workspace }}/src/openssl | |
| PYTHON_INSTALL_PATH: ${{ github.workspace }}/bin/python | |
| PYTHON_SOURCE_PATH: ${{ github.workspace }}/src/cpython | |
| distpath: ${{ github.workspace }}/chrome_bisect | |
| jobs: | |
| build: | |
| runs-on: ${{ matrix.os }} | |
| strategy: | |
| matrix: | |
| include: | |
| - os: ubuntu-20.04 | |
| jid: 1 | |
| arch: x86_64 | |
| openssl_archs: linux-x86_64 | |
| - os: macos-12 | |
| jid: 2 | |
| arch: universal2 | |
| openssl_archs: darwin64-x86_64 darwin64-arm64 | |
| - os: windows-2022 | |
| jid: 3 | |
| arch: Win64 | |
| openssl_archs: VC-WIN64A | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| persist-credentials: false | |
| fetch-depth: 0 | |
| - name: Cache multiple paths | |
| uses: actions/cache@v4 | |
| id: cache-python-ssl | |
| with: | |
| path: | | |
| bin.tar.xz | |
| src/cpython | |
| key: cbisect-${{ matrix.jid }}-20240903 | |
| - name: Untar Cache archive | |
| if: steps.cache-python-ssl.outputs.cache-hit == 'true' | |
| run: | | |
| tar xvvf bin.tar.xz | |
| - name: MacOS remove Homebrew | |
| if: runner.os == 'macOS-NOPE' | |
| run: | | |
| # remove everything | |
| brew uninstall $(brew list) | |
| - name: Windows Configure VCode | |
| uses: ilammy/msvc-dev-cmd@v1 | |
| if: runner.os == 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true' | |
| with: | |
| arch: ${{ matrix.arch }} | |
| - name: Set Env Variables for build | |
| env: | |
| arch: ${{ matrix.arch }} | |
| openssl_archs: ${{ matrix.openssl_archs }} | |
| run: | | |
| echo "We are running on ${RUNNER_OS}" | |
| if [[ "${arch}" == "Win64" ]]; then | |
| PYEXTERNALS_PATH="amd64" | |
| PYBUILDRELEASE_ARCH="x64" | |
| CHOC_OPS="" | |
| elif [[ "${arch}" == "Win32" ]]; then | |
| PYEXTERNALS_PATH="win32" | |
| PYBUILDRELEASE_ARCH="Win32" | |
| CHOC_OPS="--forcex86" | |
| fi | |
| if [[ "${RUNNER_OS}" == "macOS" ]]; then | |
| MAKE=make | |
| MAKEOPT="-j$(sysctl -n hw.logicalcpu)" | |
| PERL=perl | |
| echo "MACOSX_DEPLOYMENT_TARGET=10.15" >> $GITHUB_ENV | |
| echo "PYTHON=${PYTHON_INSTALL_PATH}/bin/python3" >> $GITHUB_ENV | |
| echo "PIP_ARGS=--no-binary=:all:" >> $GITHUB_ENV | |
| elif [[ "${RUNNER_OS}" == "Linux" ]]; then | |
| MAKE=make | |
| MAKEOPT="-j$(nproc)" | |
| PERL=perl | |
| echo "PYTHON=${PYTHON_INSTALL_PATH}/bin/python3" >> $GITHUB_ENV | |
| elif [[ "${RUNNER_OS}" == "Windows" ]]; then | |
| MAKE=nmake | |
| MAKEOPT="" | |
| PERL="c:\strawberry\perl\bin\perl.exe" | |
| echo "PYTHON=${PYTHON_SOURCE_PATH}/PCbuild/${PYEXTERNALS_PATH}/python.exe" >> $GITHUB_ENV | |
| echo "GAM_ARCHIVE_ARCH=${GAM_ARCHIVE_ARCH}" >> $GITHUB_ENV | |
| echo "WIX_ARCH=${WIX_ARCH}" >> $GITHUB_ENV | |
| fi | |
| echo "We'll run make with: ${MAKEOPT}" | |
| echo "arch=${arch}" >> $GITHUB_ENV | |
| echo "MAKE=${MAKE}" >> $GITHUB_ENV | |
| echo "MAKEOPT=${MAKEOPT}" >> $GITHUB_ENV | |
| echo "PERL=${PERL}" >> $GITHUB_ENV | |
| echo "PYEXTERNALS_PATH=${PYEXTERNALS_PATH}" >> $GITHUB_ENV | |
| echo "PYBUILDRELEASE_ARCH=${PYBUILDRELEASE_ARCH}" >> $GITHUB_ENV | |
| echo "openssl_archs=${openssl_archs}" >> $GITHUB_ENV | |
| echo "LD_LIBRARY_PATH=${OPENSSL_INSTALL_PATH}/lib:${PYTHON_INSTALL_PATH}/lib" >> $GITHUB_ENV | |
| #echo "PATH=${PATH}:${PYTHON_INSTALL_PATH}/scripts" >> $GITHUB_ENV | |
| - name: Get latest stable OpenSSL source | |
| if: steps.cache-python-ssl.outputs.cache-hit != 'true' | |
| run: | | |
| mkdir -vp "${GITHUB_WORKSPACE}/src" | |
| cd "${GITHUB_WORKSPACE}/src" | |
| git clone https://github.com/openssl/openssl.git | |
| cd "${OPENSSL_SOURCE_PATH}" | |
| export LATEST_STABLE_TAG=$(git tag --list openssl-* | grep -v alpha | grep -v beta | sort -Vr | head -n1) | |
| echo "Checking out version ${LATEST_STABLE_TAG}" | |
| git checkout "${LATEST_STABLE_TAG}" | |
| export COMPILED_OPENSSL_VERSION=${LATEST_STABLE_TAG:8} # Trim the openssl- prefix | |
| echo "COMPILED_OPENSSL_VERSION=${COMPILED_OPENSSL_VERSION}" >> $GITHUB_ENV | |
| if [[ "${RUNNER_OS}" == "macOS" ]]; then | |
| for openssl_arch in $openssl_archs; do | |
| ssldir="${OPENSSL_SOURCE_PATH}-${openssl_arch}" | |
| mkdir -v "${ssldir}" | |
| cp -vrf ${OPENSSL_SOURCE_PATH}/* "${ssldir}/" | |
| done | |
| rm -vrf "${OPENSSL_SOURCE_PATH}" | |
| else | |
| mv -v "${OPENSSL_SOURCE_PATH}" "${OPENSSL_SOURCE_PATH}-${openssl_archs}" | |
| fi | |
| - name: Windows NASM Install | |
| uses: ilammy/setup-nasm@v1 | |
| if: runner.os == 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true' | |
| - name: Config OpenSSL | |
| if: steps.cache-python-ssl.outputs.cache-hit != 'true' | |
| run: | | |
| for openssl_arch in $openssl_archs; do | |
| cd "${GITHUB_WORKSPACE}/src/openssl-${openssl_arch}" | |
| # --libdir=lib is needed so Python can find OpenSSL libraries | |
| "${PERL}" ./Configure "${openssl_arch}" --libdir=lib --prefix="${OPENSSL_INSTALL_PATH}" $OPENSSL_CONFIG_OPTS | |
| done | |
| - name: Rename GNU link on Windows | |
| if: runner.os == 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true' | |
| shell: bash | |
| run: mv /usr/bin/link /usr/bin/gnulink | |
| - name: Make OpenSSL | |
| if: steps.cache-python-ssl.outputs.cache-hit != 'true' | |
| run: | | |
| for openssl_arch in $openssl_archs; do | |
| cd "${GITHUB_WORKSPACE}/src/openssl-${openssl_arch}" | |
| $MAKE "${MAKEOPT}" | |
| done | |
| - name: Install OpenSSL | |
| if: steps.cache-python-ssl.outputs.cache-hit != 'true' | |
| run: | | |
| if [[ "${RUNNER_OS}" == "macOS" ]]; then | |
| for openssl_arch in $openssl_archs; do | |
| cd "${GITHUB_WORKSPACE}/src/openssl-${openssl_arch}" | |
| # install_sw saves us ages processing man pages :-) | |
| $MAKE install_sw | |
| mv "${OPENSSL_INSTALL_PATH}" "${GITHUB_WORKSPACE}/bin/ssl-${openssl_arch}" | |
| done | |
| mkdir -vp "${OPENSSL_INSTALL_PATH}/lib" | |
| mkdir -vp "${OPENSSL_INSTALL_PATH}/bin" | |
| for archlib in libcrypto.3.dylib libssl.3.dylib libcrypto.a libssl.a; do | |
| lipo -create "${GITHUB_WORKSPACE}/bin/ssl-darwin64-x86_64/lib/${archlib}" \ | |
| "${GITHUB_WORKSPACE}/bin/ssl-darwin64-arm64/lib/${archlib}" \ | |
| -output "${GITHUB_WORKSPACE}/bin/ssl/lib/${archlib}" | |
| done | |
| mv ${GITHUB_WORKSPACE}/bin/ssl-darwin64-x86_64/include ${GITHUB_WORKSPACE}/bin/ssl/ | |
| lipo -create "${GITHUB_WORKSPACE}/bin/ssl-darwin64-x86_64/bin/openssl" \ | |
| "${GITHUB_WORKSPACE}/bin/ssl-darwin64-arm64/bin/openssl" \ | |
| -output "${GITHUB_WORKSPACE}/bin/ssl/bin/openssl" | |
| rm -rf ${GITHUB_WORKSPACE}/bin/ssl-darwin64-x86_64 | |
| rm -rf ${GITHUB_WORKSPACE}/bin/ssl-darwin64-arm64 | |
| echo "LDFLAGS=-L${OPENSSL_INSTALL_PATH}/lib" >> $GITHUB_ENV | |
| echo "CRYPTOGRAPHY_SUPPRESS_LINK_FLAGS=1" >> $GITHUB_ENV | |
| echo "CFLAGS=-I${OPENSSL_INSTALL_PATH}/include -arch arm64 -arch x86_64" >> $GITHUB_ENV | |
| echo "ARCHFLAGS=-arch x86_64 -arch arm64" >> $GITHUB_ENV | |
| else | |
| cd "${GITHUB_WORKSPACE}/src/openssl-${openssl_archs}" | |
| # install_sw saves us ages processing man pages :-) | |
| $MAKE install_sw | |
| fi | |
| - name: Run OpenSSL | |
| run: | | |
| "${OPENSSL_INSTALL_PATH}/bin/openssl" version | |
| file "${OPENSSL_INSTALL_PATH}/bin/openssl" | |
| - name: Get latest stable Python source | |
| if: steps.cache-python-ssl.outputs.cache-hit != 'true' | |
| run: | | |
| cd "${GITHUB_WORKSPACE}/src" | |
| git clone https://github.com/python/cpython.git | |
| cd "${PYTHON_SOURCE_PATH}" | |
| export LATEST_STABLE_TAG=$(git tag --list | grep -v a | grep -v rc | grep -v b | sort -Vr | head -n1) | |
| git checkout "${LATEST_STABLE_TAG}" | |
| export COMPILED_PYTHON_VERSION=${LATEST_STABLE_TAG:1} # Trim the "v" prefix | |
| echo "COMPILED_PYTHON_VERSION=${COMPILED_PYTHON_VERSION}" >> $GITHUB_ENV | |
| - name: Mac/Linux Configure Python | |
| if: runner.os != 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true' | |
| run: | | |
| cd "${PYTHON_SOURCE_PATH}" | |
| if [[ "${RUNNER_OS}" == "macOS" ]]; then | |
| extra_args=( "--enable-universalsdk" "--with-universal-archs=universal2" ) | |
| else | |
| extra_args=( ) | |
| fi | |
| ./configure --with-openssl="${OPENSSL_INSTALL_PATH}" \ | |
| --prefix="${PYTHON_INSTALL_PATH}" \ | |
| --enable-shared \ | |
| --with-ensurepip=upgrade \ | |
| --enable-optimizations \ | |
| --with-lto \ | |
| "${extra_args[@]}" | |
| - name: Windows Get External Python deps | |
| if: runner.os == 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true' | |
| shell: powershell | |
| run: | | |
| cd "${env:PYTHON_SOURCE_PATH}" | |
| PCBuild\get_externals.bat | |
| - name: Windows overwrite external OpenSSL with local | |
| if: runner.os == 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true' | |
| shell: powershell | |
| run: | | |
| cd "${env:PYTHON_SOURCE_PATH}" | |
| $env:OPENSSL_EXT_PATH = "$(Get-Item externals\openssl-bin-* | Select -exp FullName)\" | |
| echo "External OpenSSL was downloaded to ${env:OPENSSL_EXT_PATH}" | |
| Remove-Item -recurse -force "${env:OPENSSL_EXT_PATH}*" | |
| # Emulate what this script does: | |
| # https://github.com/python/cpython/blob/main/PCbuild/openssl.vcxproj | |
| $env:OPENSSL_EXT_TARGET_PATH = "${env:OPENSSL_EXT_PATH}${env:PYEXTERNALS_PATH}" | |
| echo "Copying our OpenSSL to ${env:OPENSSL_EXT_TARGET_PATH}" | |
| mkdir "${env:OPENSSL_EXT_TARGET_PATH}\include\openssl\" | |
| Copy-Item -Path "${env:GITHUB_WORKSPACE}/src/openssl-${env:openssl_archs}\LICENSE.txt" -Destination "${env:OPENSSL_EXT_TARGET_PATH}\LICENSE" | |
| cp -v "$env:OPENSSL_INSTALL_PATH\lib\*" "${env:OPENSSL_EXT_TARGET_PATH}" | |
| cp -v "$env:OPENSSL_INSTALL_PATH\bin\*" "${env:OPENSSL_EXT_TARGET_PATH}" | |
| cp -v "$env:OPENSSL_INSTALL_PATH\include\openssl\*" "${env:OPENSSL_EXT_TARGET_PATH}\include\openssl\" | |
| cp -v "$env:OPENSSL_INSTALL_PATH\include\openssl\applink.c" "${env:OPENSSL_EXT_TARGET_PATH}\include\" | |
| - name: Windows Install sphinx-build | |
| if: runner.os == 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true' | |
| shell: powershell | |
| run: | | |
| pip install --upgrade pip | |
| pip install --upgrade sphinx | |
| sphinx-build --version | |
| - name: Windows Config/Build Python | |
| if: runner.os == 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true' | |
| shell: powershell | |
| run: | | |
| cd "${env:PYTHON_SOURCE_PATH}" | |
| # We need out custom openssl.props which uses OpenSSL 3 DLL names | |
| Copy-Item -Path "${env:GITHUB_WORKSPACE}\openssl.props" -Destination PCBuild\ | |
| echo "Building for ${env:PYBUILDRELEASE_ARCH}..." | |
| PCBuild\build.bat -m --pgo -c Release -p "${env:PYBUILDRELEASE_ARCH}" | |
| - name: Mac/Linux Build Python | |
| if: runner.os != 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true' | |
| run: | | |
| cd "${PYTHON_SOURCE_PATH}" | |
| echo "Running: ${MAKE} ${MAKEOPT}" | |
| $MAKE $MAKEOPT | |
| - name: Mac/Linux Install Python | |
| if: runner.os != 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true' | |
| run: | | |
| cd "${PYTHON_SOURCE_PATH}" | |
| $MAKE altinstall | |
| $MAKE bininstall | |
| - name: Run Python | |
| run: | | |
| "${PYTHON}" -V | |
| - name: Upgrade pip, wheel, etc | |
| run: | | |
| curl -O https://bootstrap.pypa.io/get-pip.py | |
| "${PYTHON}" get-pip.py | |
| "${PYTHON}" -m pip install --upgrade pip | |
| "${PYTHON}" -m pip install --upgrade wheel | |
| "${PYTHON}" -m pip install --upgrade setuptools | |
| - name: Install PyInstaller | |
| run: | | |
| git clone https://github.com/pyinstaller/pyinstaller.git | |
| cd pyinstaller | |
| export latest_release=$(git tag --list | grep -v dev | grep -v rc | sort -Vr | head -n1) | |
| git checkout "${latest_release}" | |
| # remove pre-compiled bootloaders so we fail if bootloader compile fails | |
| rm -rvf PyInstaller/bootloader/*-*/* | |
| cd bootloader | |
| case "${arch}" in | |
| "Win32") | |
| export PYINSTALLER_BUILD_ARGS="--target-arch=32bit" | |
| ;; | |
| "Win64") | |
| export PYINSTALLER_BUILD_ARGS="--target-arch=64bit" | |
| ;; | |
| esac | |
| echo "PyInstaller build arguments: ${PYINSTALLER_BUILD_ARGS}" | |
| "${PYTHON}" ./waf all $PYINSTALLER_BUILD_ARGS | |
| "${PYTHON}" -m pip install .. | |
| - name: Install requirements | |
| run: | | |
| "${PYTHON}" -m pip install --user -r requirements.txt --no-binary=:all: | |
| - name: Download bisect script | |
| run: | | |
| curl -s --basic -n "https://chromium.googlesource.com/chromium/src/+/refs/heads/main/tools/bisect-builds.py?format=TEXT" | base64 -d > ./bisect_builds.py | |
| file ./bisect_builds.py | |
| "${PYTHON}" ./bisect_builds.py --help | |
| - name: Download Google CA bundle | |
| run: curl -o ./roots.pem https://pki.goog/roots.pem | |
| - name: Compile bisect script | |
| run: | | |
| if [[ "${RUNNER_OS}" == "macOS" ]]; then | |
| pyi_args="--target-arch=universal2" | |
| fi | |
| "${PYTHON}" -m PyInstaller --onedir --distpath $distpath $pyi_args chrome_bisect.py | |
| cp roots.pem $distpath/chrome_bisect/ | |
| $distpath/chrome_bisect/chrome_bisect --help | |
| #- name: Linux install patchelf/staticx | |
| # if: runner.os == 'Linux' | |
| # run: | | |
| # "${PYTHON}" -m pip install --upgrade patchelf-wrapper | |
| # "${PYTHON}" -m pip install --upgrade staticx | |
| #- name: Linux make StaticX | |
| # if: runner.os == 'Linux' | |
| # run: | | |
| # case $RUNNER_ARCH in | |
| # X64) | |
| # ldlib=/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 | |
| # ;; | |
| # ARM64) | |
| # ldlib=/lib/aarch64-linux-gnu/ld-linux-aarch64.so.1 | |
| # ;; | |
| # esac | |
| # echo "ldlib=${ldlib}" | |
| # $PYTHON -m staticx -l "${ldlib}" "${distpath}/chrome_bisect" "${distpath}/chrome_bisect-staticx" | |
| # ${distpath}/chrome_bisect-staticx --help | |
| # rm -v ${distpath}/chrome_bisect | |
| # mv -v ${distpath}/chrome_bisect-staticx ${distpath}/chrome_bisect | |
| - name: Package binaries | |
| run: | | |
| export archivefile="chrome-bisect-${RUNNER_OS}-${arch}.zip" | |
| echo "archive file will be ${archivefile} when zipped." | |
| cd "${distpath}" | |
| if [ "${RUNNER_OS}" == 'Windows' ]; then | |
| /c/Program\ Files/7-Zip/7z.exe a -tzip $archivefile . | |
| else | |
| zip -r $archivefile . | |
| fi | |
| mv -v $archivefile "${GITHUB_WORKSPACE}" | |
| - name: upload artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: chrome-bisect-${{ matrix.os }}-${{ matrix.arch }} | |
| path: | | |
| chrome-bisect-*.zip | |
| - name: Tar Cache archive | |
| if: steps.cache-python-ssl.outputs.cache-hit != 'true' | |
| run: | | |
| tar cJvvf bin.tar.xz bin/ | |
| publish: | |
| runs-on: ubuntu-latest | |
| needs: build | |
| steps: | |
| - name: Download artifacts | |
| uses: actions/[email protected] | |
| - name: Set datetime version string | |
| id: dateversion | |
| run: | | |
| export dateversion="$(date +'%Y%m%d.%H%M%S')" | |
| echo "Date version: ${dateversion}" | |
| echo "dateversion=${dateversion}" >> $GITHUB_OUTPUT | |
| - name: VirusTotal Scan | |
| uses: crazy-max/ghaction-virustotal@v4 | |
| with: | |
| vt_api_key: ${{ secrets.VT_API_KEY }} | |
| files: | | |
| chrome-bisect-*/*.zip | |
| - uses: "marvinpinto/action-automatic-releases@latest" | |
| with: | |
| repo_token: "${{ secrets.GITHUB_TOKEN }}" | |
| automatic_release_tag: ${{ steps.dateversion.outputs.dateversion }} | |
| prerelease: false | |
| draft: false | |
| title: "Chrome Bisect ${{ steps.dateversion.outputs.dateversion }}" | |
| files: | | |
| chrome-bisect-*/*.zip |