Skip to content

Update main.yml

Update main.yml #423

Workflow file for this run

name: Build Chrome Bisect Script
on:
push:
pull_request:
schedule:
- cron: '30 20 * * 6'
defaults:
run:
shell: bash
env:
OPENSSL_CONFIG_OPTS: no-fips --api=3.0.0
OPENSSL_INSTALL_PATH: ${{ github.workspace }}/bin/ssl
OPENSSL_SOURCE_PATH: ${{ github.workspace }}/src/openssl
PYTHON_INSTALL_PATH: ${{ github.workspace }}/bin/python
PYTHON_SOURCE_PATH: ${{ github.workspace }}/src/cpython
distpath: ${{ github.workspace }}/chrome_bisect
jobs:
build:
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
include:
- os: ubuntu-20.04
jid: 1
- os: macos-13
jid: 2
- os: macos-14
jid: 3
- os: windows-2022
jid: 4
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
fetch-depth: 0
- name: Cache multiple paths
uses: actions/cache@v4
id: cache-python-ssl
with:
path: |
bin.tar.xz
src/cpython
key: cbisect-${{ matrix.jid }}-20241101
- name: Untar Cache archive
if: steps.cache-python-ssl.outputs.cache-hit == 'true'
run: |
tar xvvf bin.tar.xz
- name: MacOS remove Homebrew
if: runner.os == 'macOS-NOPE'
run: |
# remove everything
# brew uninstall $(brew list)
- name: Windows Configure VCode
uses: ilammy/msvc-dev-cmd@v1
if: runner.os == 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true'
with:
arch: x64
- name: Set Env Variables for build
run: |
echo "We are running on ${RUNNER_OS}"
if [[ "${RUNNER_OS}" == "macOS" ]]; then
MAKE=make
MAKEOPT="-j$(sysctl -n hw.logicalcpu)"
PERL=perl
echo "MacOS version info:"
sw_vers -productVersion
MACOSX_DEPLOYMENT_TARGET=$(sw_vers -productVersion)
echo "MACOSX_DEPLOYMENT_TARGET=${MACOSX_DEPLOYMENT_TARGET}" >> $GITHUB_ENV
echo "PYTHON=${PYTHON_INSTALL_PATH}/bin/python3" >> $GITHUB_ENV
elif [[ "${RUNNER_OS}" == "Linux" ]]; then
MAKE=make
MAKEOPT="-j$(nproc)"
PERL=perl
echo "PYTHON=${PYTHON_INSTALL_PATH}/bin/python3" >> $GITHUB_ENV
elif [[ "${RUNNER_OS}" == "Windows" ]]; then
MAKE=nmake
MAKEOPT=""
PERL="c:\strawberry\perl\bin\perl.exe"
echo "PYTHON=${PYTHON_SOURCE_PATH}/PCbuild/amd64/python.exe" >> $GITHUB_ENV
fi
echo "We'll run make with: ${MAKEOPT}"
echo "MAKE=${MAKE}" >> $GITHUB_ENV
echo "MAKEOPT=${MAKEOPT}" >> $GITHUB_ENV
echo "PERL=${PERL}" >> $GITHUB_ENV
echo "LD_LIBRARY_PATH=${OPENSSL_INSTALL_PATH}/lib:${PYTHON_INSTALL_PATH}/lib" >> $GITHUB_ENV
#echo "PATH=${PATH}:${PYTHON_INSTALL_PATH}/scripts" >> $GITHUB_ENV
- name: Get latest stable OpenSSL source
if: steps.cache-python-ssl.outputs.cache-hit != 'true'
run: |
mkdir -vp "${GITHUB_WORKSPACE}/src"
cd "${GITHUB_WORKSPACE}/src"
git clone https://github.com/openssl/openssl.git
cd "${OPENSSL_SOURCE_PATH}"
export LATEST_STABLE_TAG=$(git tag --list openssl-* | grep -v alpha | grep -v beta | sort -Vr | head -n1)
echo "Checking out version ${LATEST_STABLE_TAG}"
git checkout "${LATEST_STABLE_TAG}"
export COMPILED_OPENSSL_VERSION=${LATEST_STABLE_TAG:8} # Trim the openssl- prefix
echo "COMPILED_OPENSSL_VERSION=${COMPILED_OPENSSL_VERSION}" >> $GITHUB_ENV
- name: Windows NASM Install
uses: ilammy/setup-nasm@v1
if: runner.os == 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true'
- name: Config OpenSSL
if: steps.cache-python-ssl.outputs.cache-hit != 'true'
run: |
cd "$OPENSSL_SOURCE_PATH"
# --libdir=lib is needed so Python can find OpenSSL libraries
"${PERL}" ./Configure --libdir=lib --prefix="${OPENSSL_INSTALL_PATH}" $OPENSSL_CONFIG_OPTS
- name: Rename GNU link on Windows
if: runner.os == 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true'
shell: bash
run: mv /usr/bin/link /usr/bin/gnulink
- name: Make OpenSSL
if: steps.cache-python-ssl.outputs.cache-hit != 'true'
run: |
cd "$OPENSSL_SOURCE_PATH"
$MAKE "$MAKEOPT"
- name: Install OpenSSL
if: steps.cache-python-ssl.outputs.cache-hit != 'true'
run: |
cd "$OPENSSL_SOURCE_PATH"
# install_sw saves us ages processing man pages :-)
$MAKE install_sw
- name: Run OpenSSL
run: |
"${OPENSSL_INSTALL_PATH}/bin/openssl" version
file "${OPENSSL_INSTALL_PATH}/bin/openssl"
- name: Get latest stable Python source
if: steps.cache-python-ssl.outputs.cache-hit != 'true'
run: |
cd "${GITHUB_WORKSPACE}/src"
git clone https://github.com/python/cpython.git
cd "${PYTHON_SOURCE_PATH}"
export LATEST_STABLE_TAG=$(git tag --list | grep -v a | grep -v rc | grep -v b | sort -Vr | head -n1)
git checkout "${LATEST_STABLE_TAG}"
export COMPILED_PYTHON_VERSION=${LATEST_STABLE_TAG:1} # Trim the "v" prefix
echo "COMPILED_PYTHON_VERSION=${COMPILED_PYTHON_VERSION}" >> $GITHUB_ENV
- name: Mac/Linux Configure Python
if: runner.os != 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true'
run: |
cd "${PYTHON_SOURCE_PATH}"
./configure --with-openssl="${OPENSSL_INSTALL_PATH}" \
--prefix="${PYTHON_INSTALL_PATH}" \
--enable-shared \
--with-ensurepip=upgrade \
--enable-optimizations \
--with-lto
- name: Windows Get External Python deps
if: runner.os == 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true'
shell: powershell
run: |
cd "${env:PYTHON_SOURCE_PATH}"
PCBuild\get_externals.bat
- name: Windows overwrite external OpenSSL with local
if: runner.os == 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true'
shell: powershell
run: |
cd "${env:PYTHON_SOURCE_PATH}"
$env:OPENSSL_EXT_PATH = "$(Get-Item externals\openssl-bin-* | Select -exp FullName)\"
echo "External OpenSSL was downloaded to ${env:OPENSSL_EXT_PATH}"
Remove-Item -recurse -force "${env:OPENSSL_EXT_PATH}*"
# Emulate what this script does:
# https://github.com/python/cpython/blob/main/PCbuild/openssl.vcxproj
$env:OPENSSL_EXT_TARGET_PATH = "${env:OPENSSL_EXT_PATH}amd64"
echo "Copying our OpenSSL to ${env:OPENSSL_EXT_TARGET_PATH}"
mkdir "${env:OPENSSL_EXT_TARGET_PATH}\include\openssl\"
Copy-Item -Path "${env:OPENSSL_SOURCE_PATH}\LICENSE.txt" -Destination "${env:OPENSSL_EXT_TARGET_PATH}\LICENSE"
cp -v "$env:OPENSSL_INSTALL_PATH\lib\*" "${env:OPENSSL_EXT_TARGET_PATH}"
cp -v "$env:OPENSSL_INSTALL_PATH\bin\*" "${env:OPENSSL_EXT_TARGET_PATH}"
cp -v "$env:OPENSSL_INSTALL_PATH\include\openssl\*" "${env:OPENSSL_EXT_TARGET_PATH}\include\openssl\"
cp -v "$env:OPENSSL_INSTALL_PATH\include\openssl\applink.c" "${env:OPENSSL_EXT_TARGET_PATH}\include\"
# Python expects files to not have -x64 in the name
Get-ChildItem "${env:OPENSSL_EXT_TARGET_PATH}" -Recurse | Where {$_.Name -Match '-x64'} | Rename-Item -NewName {$_.name -replace '-x64','' }
- name: Windows Install sphinx-build
if: runner.os == 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true'
shell: powershell
run: |
pip install --upgrade pip
pip install --upgrade sphinx
sphinx-build --version
- name: Windows Config/Build Python
if: runner.os == 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true'
shell: powershell
run: |
cd "${env:PYTHON_SOURCE_PATH}"
PCBuild\build.bat -m --pgo -c Release
- name: Mac/Linux Build Python
if: runner.os != 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true'
run: |
cd "${PYTHON_SOURCE_PATH}"
echo "Running: ${MAKE} ${MAKEOPT}"
$MAKE $MAKEOPT
- name: Mac/Linux Install Python
if: runner.os != 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true'
run: |
cd "${PYTHON_SOURCE_PATH}"
$MAKE altinstall
$MAKE bininstall
- name: Run Python
run: |
"${PYTHON}" -V
- name: Upgrade pip, wheel, etc
run: |
curl -O https://bootstrap.pypa.io/get-pip.py
"${PYTHON}" get-pip.py
"${PYTHON}" -m pip install --upgrade pip
"${PYTHON}" -m pip install --upgrade wheel
"${PYTHON}" -m pip install --upgrade setuptools
- name: Install PyInstaller
run: |
git clone https://github.com/pyinstaller/pyinstaller.git
cd pyinstaller
export latest_release=$(git tag --list | grep -v dev | grep -v rc | sort -Vr | head -n1)
git checkout "${latest_release}"
# remove pre-compiled bootloaders so we fail if bootloader compile fails
rm -rvf PyInstaller/bootloader/*-*/*
cd bootloader
"${PYTHON}" ./waf all
"${PYTHON}" -m pip install ..
- name: Install requirements
run: |
"${PYTHON}" -m pip install --user -r requirements.txt
- name: Download bisect script
run: |
curl -s --basic -n "https://chromium.googlesource.com/chromium/src/+/refs/heads/main/tools/bisect-builds.py?format=TEXT" | base64 -d > ./bisect_builds.py
file ./bisect_builds.py
"${PYTHON}" ./bisect_builds.py --help
- name: Download Google CA bundle
run: curl -o ./roots.pem https://pki.goog/roots.pem
- name: Compile bisect script
run: |
"${PYTHON}" -m PyInstaller --onedir --clean --noconfirm --distpath $distpath chrome_bisect.py
cp roots.pem $distpath/chrome_bisect/
$distpath/chrome_bisect/chrome_bisect --help
- name: Package binaries
run: |
export arch=$(uname -m)
export archivefile="chrome-bisect-${RUNNER_OS}-${arch}.zip"
echo "archive file will be named ${archivefile}."
cd "${distpath}"
if [ "${RUNNER_OS}" == 'Windows' ]; then
/c/Program\ Files/7-Zip/7z.exe a -tzip $archivefile .
else
zip -r $archivefile .
fi
mv -v $archivefile "${GITHUB_WORKSPACE}"
- name: upload artifacts
uses: actions/upload-artifact@v4
with:
name: chrome-bisect-${{ matrix.jid }}
path: |
chrome-bisect-*.zip
- name: Tar Cache archive
if: steps.cache-python-ssl.outputs.cache-hit != 'true'
run: |
tar cJvvf bin.tar.xz bin/
publish:
runs-on: ubuntu-latest
needs: build
steps:
- name: Download artifacts
uses: actions/[email protected]
- name: Set datetime version string
id: dateversion
run: |
export dateversion="$(date +'%Y%m%d.%H%M%S')"
echo "Date version: ${dateversion}"
echo "dateversion=${dateversion}" >> $GITHUB_OUTPUT
- name: VirusTotal Scan
uses: crazy-max/ghaction-virustotal@v4
with:
vt_api_key: ${{ secrets.VT_API_KEY }}
files: |
chrome-bisect-*/*.zip
- uses: "marvinpinto/action-automatic-releases@latest"
with:
repo_token: "${{ secrets.GITHUB_TOKEN }}"
automatic_release_tag: ${{ steps.dateversion.outputs.dateversion }}
prerelease: false
draft: false
title: "Chrome Bisect ${{ steps.dateversion.outputs.dateversion }}"
files: |
chrome-bisect-*/*.zip