Build Chrome Bisect Script #434
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build Chrome Bisect Script | |
| on: | |
| push: | |
| pull_request: | |
| schedule: | |
| - cron: '30 20 * * 6' | |
| defaults: | |
| run: | |
| shell: bash | |
| env: | |
| OPENSSL_CONFIG_OPTS: no-fips --api=3.0.0 | |
| OPENSSL_INSTALL_PATH: ${{ github.workspace }}/bin/ssl | |
| OPENSSL_SOURCE_PATH: ${{ github.workspace }}/src/openssl | |
| PYTHON_INSTALL_PATH: ${{ github.workspace }}/bin/python | |
| PYTHON_SOURCE_PATH: ${{ github.workspace }}/src/cpython | |
| distpath: ${{ github.workspace }}/chrome_bisect | |
| jobs: | |
| build: | |
| runs-on: ${{ matrix.os }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - os: ubuntu-20.04 | |
| jid: 1 | |
| - os: macos-13 | |
| jid: 2 | |
| - os: macos-14 | |
| jid: 3 | |
| - os: windows-2022 | |
| jid: 4 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| persist-credentials: false | |
| fetch-depth: 0 | |
| - name: Cache multiple paths | |
| uses: actions/cache@v4 | |
| id: cache-python-ssl | |
| with: | |
| path: | | |
| bin.tar.xz | |
| src/cpython | |
| key: cbisect-${{ matrix.jid }}-20241106 | |
| - name: Untar Cache archive | |
| if: steps.cache-python-ssl.outputs.cache-hit == 'true' | |
| run: | | |
| tar xvvf bin.tar.xz | |
| - name: MacOS remove Homebrew | |
| if: runner.os == 'macOS-NOPE' | |
| run: | | |
| # remove everything | |
| # brew uninstall $(brew list) | |
| - name: Windows Configure VCode | |
| uses: ilammy/msvc-dev-cmd@v1 | |
| if: runner.os == 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true' | |
| with: | |
| arch: x64 | |
| - name: Set Env Variables for build | |
| run: | | |
| echo "We are running on ${RUNNER_OS}" | |
| if [[ "${RUNNER_OS}" == "macOS" ]]; then | |
| MAKE=make | |
| MAKEOPT="-j$(sysctl -n hw.logicalcpu)" | |
| PERL=perl | |
| echo "MacOS version info:" | |
| sw_vers -productVersion | |
| MACOSX_DEPLOYMENT_TARGET=$(sw_vers -productVersion) | |
| echo "MACOSX_DEPLOYMENT_TARGET=${MACOSX_DEPLOYMENT_TARGET}" >> $GITHUB_ENV | |
| echo "PYTHON=${PYTHON_INSTALL_PATH}/bin/python3" >> $GITHUB_ENV | |
| elif [[ "${RUNNER_OS}" == "Linux" ]]; then | |
| MAKE=make | |
| MAKEOPT="-j$(nproc)" | |
| PERL=perl | |
| echo "PYTHON=${PYTHON_INSTALL_PATH}/bin/python3" >> $GITHUB_ENV | |
| elif [[ "${RUNNER_OS}" == "Windows" ]]; then | |
| MAKE=nmake | |
| MAKEOPT="" | |
| PERL="c:\strawberry\perl\bin\perl.exe" | |
| echo "PYTHON=${PYTHON_SOURCE_PATH}/PCbuild/amd64/python.exe" >> $GITHUB_ENV | |
| fi | |
| echo "We'll run make with: ${MAKEOPT}" | |
| echo "MAKE=${MAKE}" >> $GITHUB_ENV | |
| echo "MAKEOPT=${MAKEOPT}" >> $GITHUB_ENV | |
| echo "PERL=${PERL}" >> $GITHUB_ENV | |
| echo "LD_LIBRARY_PATH=${OPENSSL_INSTALL_PATH}/lib:${PYTHON_INSTALL_PATH}/lib" >> $GITHUB_ENV | |
| #echo "PATH=${PATH}:${PYTHON_INSTALL_PATH}/scripts" >> $GITHUB_ENV | |
| - name: Get latest stable OpenSSL source | |
| if: steps.cache-python-ssl.outputs.cache-hit != 'true' | |
| run: | | |
| mkdir -vp "${GITHUB_WORKSPACE}/src" | |
| cd "${GITHUB_WORKSPACE}/src" | |
| git clone https://github.com/openssl/openssl.git | |
| cd "${OPENSSL_SOURCE_PATH}" | |
| export LATEST_STABLE_TAG=$(git tag --list openssl-* | grep -v alpha | grep -v beta | sort -Vr | head -n1) | |
| echo "Checking out version ${LATEST_STABLE_TAG}" | |
| git checkout "${LATEST_STABLE_TAG}" | |
| export COMPILED_OPENSSL_VERSION=${LATEST_STABLE_TAG:8} # Trim the openssl- prefix | |
| echo "COMPILED_OPENSSL_VERSION=${COMPILED_OPENSSL_VERSION}" >> $GITHUB_ENV | |
| - name: Windows NASM Install | |
| uses: ilammy/setup-nasm@v1 | |
| if: runner.os == 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true' | |
| - name: Config OpenSSL | |
| if: steps.cache-python-ssl.outputs.cache-hit != 'true' | |
| run: | | |
| cd "$OPENSSL_SOURCE_PATH" | |
| # --libdir=lib is needed so Python can find OpenSSL libraries | |
| "${PERL}" ./Configure --libdir=lib --prefix="${OPENSSL_INSTALL_PATH}" $OPENSSL_CONFIG_OPTS | |
| - name: Rename GNU link on Windows | |
| if: runner.os == 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true' | |
| shell: bash | |
| run: mv /usr/bin/link /usr/bin/gnulink | |
| - name: Make OpenSSL | |
| if: steps.cache-python-ssl.outputs.cache-hit != 'true' | |
| run: | | |
| cd "$OPENSSL_SOURCE_PATH" | |
| $MAKE "$MAKEOPT" | |
| - name: Install OpenSSL | |
| if: steps.cache-python-ssl.outputs.cache-hit != 'true' | |
| run: | | |
| cd "$OPENSSL_SOURCE_PATH" | |
| # install_sw saves us ages processing man pages :-) | |
| $MAKE install_sw | |
| - name: Run OpenSSL | |
| run: | | |
| "${OPENSSL_INSTALL_PATH}/bin/openssl" version | |
| file "${OPENSSL_INSTALL_PATH}/bin/openssl" | |
| - name: Get latest stable Python source | |
| if: steps.cache-python-ssl.outputs.cache-hit != 'true' | |
| run: | | |
| cd "${GITHUB_WORKSPACE}/src" | |
| git clone https://github.com/python/cpython.git | |
| cd "${PYTHON_SOURCE_PATH}" | |
| export LATEST_STABLE_TAG=$(git tag --list | grep -v a | grep -v rc | grep -v b | sort -Vr | head -n1) | |
| git checkout "${LATEST_STABLE_TAG}" | |
| export COMPILED_PYTHON_VERSION=${LATEST_STABLE_TAG:1} # Trim the "v" prefix | |
| echo "COMPILED_PYTHON_VERSION=${COMPILED_PYTHON_VERSION}" >> $GITHUB_ENV | |
| - name: Mac/Linux Configure Python | |
| if: runner.os != 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true' | |
| run: | | |
| cd "${PYTHON_SOURCE_PATH}" | |
| ./configure --with-openssl="${OPENSSL_INSTALL_PATH}" \ | |
| --prefix="${PYTHON_INSTALL_PATH}" \ | |
| --enable-shared \ | |
| --with-ensurepip=upgrade \ | |
| --enable-optimizations \ | |
| --with-lto | |
| - name: Windows Get External Python deps | |
| if: runner.os == 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true' | |
| shell: powershell | |
| run: | | |
| cd "${env:PYTHON_SOURCE_PATH}" | |
| PCBuild\get_externals.bat | |
| - name: Windows overwrite external OpenSSL with local | |
| if: runner.os == 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true' | |
| shell: powershell | |
| run: | | |
| cd "${env:PYTHON_SOURCE_PATH}" | |
| $env:OPENSSL_EXT_PATH = "$(Get-Item externals\openssl-bin-* | Select -exp FullName)\" | |
| echo "External OpenSSL was downloaded to ${env:OPENSSL_EXT_PATH}" | |
| Remove-Item -recurse -force "${env:OPENSSL_EXT_PATH}*" | |
| # Emulate what this script does: | |
| # https://github.com/python/cpython/blob/main/PCbuild/openssl.vcxproj | |
| $env:OPENSSL_EXT_TARGET_PATH = "${env:OPENSSL_EXT_PATH}amd64" | |
| echo "Copying our OpenSSL to ${env:OPENSSL_EXT_TARGET_PATH}" | |
| mkdir "${env:OPENSSL_EXT_TARGET_PATH}\include\openssl\" | |
| Copy-Item -Path "${env:OPENSSL_SOURCE_PATH}\LICENSE.txt" -Destination "${env:OPENSSL_EXT_TARGET_PATH}\LICENSE" | |
| cp -v "$env:OPENSSL_INSTALL_PATH\lib\*" "${env:OPENSSL_EXT_TARGET_PATH}" | |
| cp -v "$env:OPENSSL_INSTALL_PATH\bin\*" "${env:OPENSSL_EXT_TARGET_PATH}" | |
| cp -v "$env:OPENSSL_INSTALL_PATH\include\openssl\*" "${env:OPENSSL_EXT_TARGET_PATH}\include\openssl\" | |
| cp -v "$env:OPENSSL_INSTALL_PATH\include\openssl\applink.c" "${env:OPENSSL_EXT_TARGET_PATH}\include\" | |
| - name: Windows Install sphinx-build | |
| if: runner.os == 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true' | |
| shell: powershell | |
| run: | | |
| pip install --upgrade pip | |
| pip install --upgrade sphinx | |
| sphinx-build --version | |
| - name: Windows Config/Build Python | |
| if: runner.os == 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true' | |
| shell: powershell | |
| run: | | |
| cd "${env:PYTHON_SOURCE_PATH}" | |
| # We need out custom openssl.props which uses OpenSSL 3 DLL names | |
| Copy-Item -Path "${env:GITHUB_WORKSPACE}\openssl.props" -Destination PCBuild\ | |
| PCBuild\build.bat -m --pgo -c Release | |
| - name: Mac/Linux Build Python | |
| if: runner.os != 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true' | |
| run: | | |
| cd "${PYTHON_SOURCE_PATH}" | |
| echo "Running: ${MAKE} ${MAKEOPT}" | |
| $MAKE $MAKEOPT | |
| - name: Mac/Linux Install Python | |
| if: runner.os != 'Windows' && steps.cache-python-ssl.outputs.cache-hit != 'true' | |
| run: | | |
| cd "${PYTHON_SOURCE_PATH}" | |
| $MAKE altinstall | |
| $MAKE bininstall | |
| - name: Run Python | |
| run: | | |
| "${PYTHON}" -V | |
| "${PYTHON}" -c "import ssl; print(f'Using {ssl.OPENSSL_VERSION}')" | |
| - name: Upgrade pip, wheel, etc | |
| run: | | |
| curl -O https://bootstrap.pypa.io/get-pip.py | |
| "${PYTHON}" get-pip.py | |
| "${PYTHON}" -m pip install --upgrade pip | |
| "${PYTHON}" -m pip install --upgrade wheel | |
| "${PYTHON}" -m pip install --upgrade setuptools | |
| - name: Install PyInstaller | |
| run: | | |
| git clone https://github.com/pyinstaller/pyinstaller.git | |
| cd pyinstaller | |
| export latest_release=$(git tag --list | grep -v dev | grep -v rc | sort -Vr | head -n1) | |
| git checkout "${latest_release}" | |
| # remove pre-compiled bootloaders so we fail if bootloader compile fails | |
| rm -rvf PyInstaller/bootloader/*-*/* | |
| cd bootloader | |
| "${PYTHON}" ./waf all | |
| "${PYTHON}" -m pip install .. | |
| - name: Install requirements | |
| run: | | |
| "${PYTHON}" -m pip install --user -r requirements.txt | |
| - name: Download bisect script | |
| run: | | |
| curl -s --basic -n "https://chromium.googlesource.com/chromium/src/+/refs/heads/main/tools/bisect-builds.py?format=TEXT" | base64 -d > ./bisect_builds.py | |
| file ./bisect_builds.py | |
| "${PYTHON}" ./bisect_builds.py --help | |
| - name: Download Google CA bundle | |
| run: curl -o ./roots.pem https://pki.goog/roots.pem | |
| - name: Compile bisect script | |
| run: | | |
| "${PYTHON}" -m PyInstaller --onedir --clean --noconfirm --distpath $distpath chrome_bisect.py | |
| cp roots.pem $distpath/chrome_bisect/ | |
| $distpath/chrome_bisect/chrome_bisect --help | |
| - name: Package binaries | |
| run: | | |
| export arch=$(uname -m) | |
| export archivefile="chrome-bisect-${RUNNER_OS}-${arch}.zip" | |
| echo "archive file will be named ${archivefile}." | |
| cd "${distpath}" | |
| if [ "${RUNNER_OS}" == 'Windows' ]; then | |
| /c/Program\ Files/7-Zip/7z.exe a -tzip $archivefile . | |
| else | |
| zip -r $archivefile . | |
| fi | |
| mv -v $archivefile "${GITHUB_WORKSPACE}" | |
| - name: upload artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: chrome-bisect-${{ matrix.jid }} | |
| path: | | |
| chrome-bisect-*.zip | |
| - name: Tar Cache archive | |
| if: steps.cache-python-ssl.outputs.cache-hit != 'true' | |
| run: | | |
| tar cJvvf bin.tar.xz bin/ | |
| publish: | |
| runs-on: ubuntu-latest | |
| needs: build | |
| steps: | |
| - name: Download artifacts | |
| uses: actions/[email protected] | |
| - name: Set datetime version string | |
| id: dateversion | |
| run: | | |
| export dateversion="$(date +'%Y%m%d.%H%M%S')" | |
| echo "Date version: ${dateversion}" | |
| echo "dateversion=${dateversion}" >> $GITHUB_OUTPUT | |
| - name: VirusTotal Scan | |
| uses: crazy-max/ghaction-virustotal@v4 | |
| with: | |
| vt_api_key: ${{ secrets.VT_API_KEY }} | |
| files: | | |
| chrome-bisect-*/*.zip | |
| - uses: "marvinpinto/action-automatic-releases@latest" | |
| with: | |
| repo_token: "${{ secrets.GITHUB_TOKEN }}" | |
| automatic_release_tag: ${{ steps.dateversion.outputs.dateversion }} | |
| prerelease: false | |
| draft: false | |
| title: "Chrome Bisect ${{ steps.dateversion.outputs.dateversion }}" | |
| files: | | |
| chrome-bisect-*/*.zip |