CE 8.0 Milestone 03. #1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build Redis CE MacOS Binary Distributions | |
| on: | |
| push: | |
| branches: [ main ] | |
| paths: | |
| - '.github/workflows/build-binary-dists.yml' | |
| - 'configs/**' | |
| - 'scripts/**' | |
| pull_request_target: | |
| branches: [ main ] | |
| types: [ labeled ] | |
| paths: | |
| - '.github/workflows/build-binary-dists.yml' | |
| - 'configs/**' | |
| - 'scripts/**' | |
| env: | |
| REDIS_VERSION: "8.0-m03" | |
| permissions: | |
| id-token: write | |
| contents: read | |
| jobs: | |
| build: | |
| if: ${{ (github.event.label.name == 'build-binary-dists') || (github.event_name == 'push' && github.ref == 'refs/heads/main') }} | |
| name: Build Redis CE MacOS Binary Distributions | |
| strategy: | |
| matrix: | |
| os_version: # See: https://github.com/actions/runner-images/blob/main/README.md#available-images | |
| - macos-13 # macOS 13 x86_64 | |
| - macos-13-xlarge # macOS 13 arm64 | |
| runs-on: ${{ matrix.os_version }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Install build dependencies | |
| run: | | |
| export HOMEBREW_NO_AUTO_UPDATE=1 | |
| brew update | |
| brew install coreutils | |
| brew install make | |
| brew install openssl | |
| brew install llvm@18 | |
| brew install cmake | |
| brew install gnu-sed | |
| brew install make | |
| brew install automake | |
| brew install libtool | |
| RUST_INSTALLER=rust-1.80.1-$(if [ "$(uname -m)" = "arm64" ]; then echo "aarch64"; else echo "x86_64"; fi)-apple-darwin | |
| echo "Downloading and installing Rust standalone installer: ${RUST_INSTALLER}" | |
| wget --quiet -O ${RUST_INSTALLER}.tar.xz https://static.rust-lang.org/dist/${RUST_INSTALLER}.tar.xz | |
| tar -xf ${RUST_INSTALLER}.tar.xz | |
| (cd ${RUST_INSTALLER} && sudo ./install.sh) | |
| rm -rf ${RUST_INSTALLER} | |
| - name: Build Redis CE | |
| id: build | |
| run: | | |
| export HOMEBREW_PREFIX="$(brew --prefix)" | |
| export BUILD_WITH_MODULES=yes | |
| export BUILD_TLS=yes | |
| export DISABLE_WERRORS=yes | |
| PATH="$HOMEBREW_PREFIX/opt/libtool/libexec/gnubin:$HOMEBREW_PREFIX/opt/llvm@18/bin:$HOMEBREW_PREFIX/opt/make/libexec/gnubin:$HOMEBREW_PREFIX/opt/gnu-sed/libexec/gnubin:$HOMEBREW_PREFIX/opt/coreutils/libexec/gnubin:$PATH" # Override macOS defaults. | |
| export LDFLAGS="-L$HOMEBREW_PREFIX/opt/llvm@18/lib" | |
| export CPPFLAGS="-I$HOMEBREW_PREFIX/opt/llvm@18/include" | |
| curl -L "https://github.com/redis/redis/archive/refs/tags/${{ vars.BINARY_VERSION_TO_BUILD }}.tar.gz" -o redis.tar.gz | |
| tar xzf redis.tar.gz | |
| mkdir -p build_dir/etc | |
| make -C redis-${{ vars.BINARY_VERSION_TO_BUILD }} -j "$(nproc)" all OS=macos | |
| make -C redis-${{ vars.BINARY_VERSION_TO_BUILD }} install PREFIX=$(pwd)/build_dir OS=macos | |
| cp ./configs/redis.conf build_dir/etc/redis.conf | |
| (cd build_dir && zip -r ../redis-ce-${{ vars.BINARY_VERSION_TO_BUILD }}-$(uname -m).zip .) | |
| echo "UNSIGNED_REDIS_BINARY=unsigned-redis-ce-${{ vars.BINARY_VERSION_TO_BUILD }}-$(uname -m).zip" >> $GITHUB_OUTPUT | |
| - name: Upload Redis CE Binary Distribution | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| path: ./${{ steps.build.outputs.UNSIGNED_REDIS_BINARY }} | |
| name: ${{ steps.build.outputs.UNSIGNED_REDIS_BINARY }} | |
| - name: Setup Keychain and Certificate | |
| if: github.event_name == 'push' && github.ref == 'refs/heads/main' | |
| run: | | |
| # Decode and save certificate | |
| echo "${{ secrets.MACOS_CERTIFICATE }}" | base64 --decode > certificate.p12 | |
| # Create and configure keychain | |
| security create-keychain -p "${{ secrets.MACOS_KEYCHAIN_PASSWORD }}" build.keychain | |
| security unlock-keychain -p "${{ secrets.MACOS_KEYCHAIN_PASSWORD }}" build.keychain | |
| security set-keychain-settings -t 3600 -l build.keychain | |
| # Add to search list and set as default | |
| security list-keychains -d user -s build.keychain login.keychain | |
| security default-keychain -s build.keychain | |
| # Import and trust certificate | |
| security import certificate.p12 -k build.keychain -P "${{ secrets.MACOS_CERTIFICATE_PASSWORD }}" -T /usr/bin/codesign | |
| security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${{ secrets.MACOS_KEYCHAIN_PASSWORD }}" build.keychain | |
| # Debug certificate presence | |
| security find-identity -v -p codesigning build.keychain | |
| - name: Sign Binaries | |
| if: github.event_name == 'push' && github.ref == 'refs/heads/main' | |
| id: sign | |
| run: | | |
| # Get identity from specific keychain | |
| CODESIGN_IDENTITY=$(security find-identity -v -p codesigning build.keychain | grep -o '[0-9A-F]\{40\}' | head -n 1) | |
| echo "Using identity: ${CODESIGN_IDENTITY}" | |
| # Check if entitlements file exists | |
| if [ ! -f configs/entitlements.xml ]; then | |
| echo "Entitlements file not found!" | |
| exit 1 | |
| fi | |
| # Sign binaries with explicit keychain | |
| for i in $(ls build_dir/bin); do | |
| /usr/bin/codesign --keychain build.keychain --options=runtime --timestamp -v --sign "${CODESIGN_IDENTITY}" --entitlements configs/entitlements.xml -f build_dir/bin/$i | |
| done | |
| # Sign libraries with explicit keychain | |
| for i in $(ls build_dir/lib/redis/modules); do | |
| /usr/bin/codesign --keychain build.keychain --options=runtime --timestamp -v --sign "${CODESIGN_IDENTITY}" --entitlements configs/entitlements.xml -f build_dir/lib/redis/modules/$i | |
| done | |
| # Create distribution archive | |
| (cd build_dir && zip -r ../redis-ce-${{ vars.BINARY_VERSION_TO_BUILD }}-$(uname -m).zip .) | |
| echo "REDIS_BINARY=redis-ce-${{ vars.BINARY_VERSION_TO_BUILD }}-$(uname -m).zip" >> $GITHUB_OUTPUT | |
| - name: Notarize Redis CE Binary Distribution | |
| if: github.event_name == 'push' && github.ref == 'refs/heads/main' | |
| run: | | |
| sh scripts/notarize.sh ${{ steps.sign.outputs.REDIS_BINARY }} com.redis.redis ${{ secrets.MAC_NOTARIZE_USERNAME }} ${{ secrets.MAC_NOTARIZE_PASSWORD }} ${{ secrets.MAC_NOTARIZE_TEAM_ID }} | |
| - uses: aws-actions/configure-aws-credentials@v4 | |
| if: github.event_name == 'push' && github.ref == 'refs/heads/main' | |
| with: | |
| aws-region: ${{ secrets.S3_REGION }} | |
| role-to-assume: ${{ secrets.S3_IAM_ARN }} | |
| - name: Upload Redis CE Binary Distribution to S3 | |
| if: github.event_name == 'push' && github.ref == 'refs/heads/main' | |
| run: | | |
| aws s3 cp ${{ steps.sign.outputs.REDIS_BINARY }} s3://${{ secrets.S3_BUCKET }}/homebrew/ --acl public-read |