fleet/.github/workflows/build-orbit.yaml

name: Build, Sign and Notarize Orbit

on:
  pull_request:
    paths:
      - 'orbit/**.go'

# This allows a subsequently queued workflow run to interrupt previous runs
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}}
  cancel-in-progress: true

defaults:
  run:
    # fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
    shell: bash

permissions:
  contents: read

jobs:
  build:
    runs-on: macos-latest
    steps:
      - name: Checkout
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3

      - name: Import signing keys
        env:
          APPLE_APPLICATION_CERTIFICATE: ${{ secrets.APPLE_APPLICATION_CERTIFICATE }}
          APPLE_APPLICATION_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_APPLICATION_CERTIFICATE_PASSWORD }}
          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
        run: |
          echo "$APPLE_APPLICATION_CERTIFICATE" | base64 --decode > certificate.p12
          security create-keychain -p $KEYCHAIN_PASSWORD build.keychain
          security default-keychain -s build.keychain
          security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain
          security import certificate.p12 -k build.keychain -P $APPLE_APPLICATION_CERTIFICATE_PASSWORD -T /usr/bin/codesign
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain
          security find-identity -vv
          rm certificate.p12

      - name: Set up Go
        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
        with:
          go-version: 1.19.11

      - name: Build, codesign and notarize orbit
        run: go run ./orbit/tools/build/build.go 
        env:
          GITHUB_TOKEN: ${{ secrets.FLEET_RELEASE_GITHUB_PAT }}
          AC_USERNAME: ${{ secrets.APPLE_USERNAME }}
          AC_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
          AC_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
          CODESIGN_IDENTITY: 51049B247B25B3119FAE7E9C0CC4375A43E47237

      - name: Upload orbit
        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
        with:
          name: orbit
          path: |
            orbit-darwin
Add CIS checks for 2.9.X and add `pmset` table to fleetd (#9470) #9253 - ~[ ] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information.~ - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [X] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~ --------- Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com> 2023-02-08 16:08:17 +00:00			`name: Build, Sign and Notarize Orbit`

			`on:`
			`pull_request:`
			`paths:`
			`- 'orbit/**.go'`

			`# This allows a subsequently queued workflow run to interrupt previous runs`
			`concurrency:`
			`group: ${{ github.workflow }}-${{ github.head_ref \|\| github.run_id}}`
			`cancel-in-progress: true`

			`defaults:`
			`run:`
			`# fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference`
			`shell: bash`

			`permissions:`
			`contents: read`

			`jobs:`
			`build:`
			`runs-on: macos-latest`
			`steps:`
			`- name: Checkout`
Pin all workflow actions versions by commit (#13462) 2023-08-31 17:09:21 +00:00			`uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3`
Add CIS checks for 2.9.X and add `pmset` table to fleetd (#9470) #9253 - ~[ ] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information.~ - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [X] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~ --------- Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com> 2023-02-08 16:08:17 +00:00
			`- name: Import signing keys`
			`env:`
			`APPLE_APPLICATION_CERTIFICATE: ${{ secrets.APPLE_APPLICATION_CERTIFICATE }}`
			`APPLE_APPLICATION_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_APPLICATION_CERTIFICATE_PASSWORD }}`
			`KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}`
			`run: \|`
			`echo "$APPLE_APPLICATION_CERTIFICATE" \| base64 --decode > certificate.p12`
			`security create-keychain -p $KEYCHAIN_PASSWORD build.keychain`
			`security default-keychain -s build.keychain`
			`security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain`
			`security import certificate.p12 -k build.keychain -P $APPLE_APPLICATION_CERTIFICATE_PASSWORD -T /usr/bin/codesign`
			`security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain`
			`security find-identity -vv`
			`rm certificate.p12`

			`- name: Set up Go`
Pin all workflow actions versions by commit (#13462) 2023-08-31 17:09:21 +00:00			`uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0`
Add CIS checks for 2.9.X and add `pmset` table to fleetd (#9470) #9253 - ~[ ] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information.~ - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [X] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~ --------- Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com> 2023-02-08 16:08:17 +00:00			`with:`
upgrade Go version to 1.19.11 (#12902) 2023-07-26 18:09:22 +00:00			`go-version: 1.19.11`
Add CIS checks for 2.9.X and add `pmset` table to fleetd (#9470) #9253 - ~[ ] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information.~ - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [X] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~ --------- Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com> 2023-02-08 16:08:17 +00:00
			`- name: Build, codesign and notarize orbit`
			`run: go run ./orbit/tools/build/build.go`
			`env:`
Use personal access token for workflows (#12118) 2023-06-02 21:23:23 +00:00			`GITHUB_TOKEN: ${{ secrets.FLEET_RELEASE_GITHUB_PAT }}`
Add CIS checks for 2.9.X and add `pmset` table to fleetd (#9470) #9253 - ~[ ] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information.~ - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [X] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~ --------- Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com> 2023-02-08 16:08:17 +00:00			`AC_USERNAME: ${{ secrets.APPLE_USERNAME }}`
			`AC_PASSWORD: ${{ secrets.APPLE_PASSWORD }}`
			`AC_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}`
			`CODESIGN_IDENTITY: 51049B247B25B3119FAE7E9C0CC4375A43E47237`

			`- name: Upload orbit`
Bump actions/upload-artifact from 3.1.0 to 3.1.2 (#10183) Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3.1.0 to 3.1.2. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/upload-artifact/releases">actions/upload-artifact's releases</a>.</em></p> <blockquote> <h2>v3.1.2</h2> <ul> <li>Update all <code>@actions/</code> NPM packages to their latest versions- <a href="https://github-redirect.dependabot.com/actions/upload-artifact/issues/374">#374</a></li> <li>Update all dev dependencies to their most recent versions - <a href="https://github-redirect.dependabot.com/actions/upload-artifact/issues/375">#375</a></li> </ul> <h2>v3.1.1</h2> <ul> <li>Update actions/core package to latest version to remove <code>set-output</code> deprecation warning <a href="https://github-redirect.dependabot.com/actions/upload-artifact/issues/351">#351</a></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/upload-artifact/commit/0b7f8abb1508181956e8e162db84b466c27e18ce"><code>0b7f8ab</code></a> ci(github): update action/download-artifact from v1 to v3 (<a href="https://github-redirect.dependabot.com/actions/upload-artifact/issues/312">#312</a>)</li> <li><a href="https://github.com/actions/upload-artifact/commit/013d2b89baa2f354c5ffec54c68bec4ab39a2534"><code>013d2b8</code></a> Create devcontainer for codespaces + update all dev dependencies (<a href="https://github-redirect.dependabot.com/actions/upload-artifact/issues/375">#375</a>)</li> <li><a href="https://github.com/actions/upload-artifact/commit/055b8b3f04a4a7ed853f2c6ab04256f83e4874dc"><code>055b8b3</code></a> Bump Actions NPM dependencies (<a href="https://github-redirect.dependabot.com/actions/upload-artifact/issues/374">#374</a>)</li> <li><a href="https://github.com/actions/upload-artifact/commit/7a5d4831f75130126bffffb8443b412485f7b836"><code>7a5d483</code></a> ci(github): update action/checkout from v2 to v3 (<a href="https://github-redirect.dependabot.com/actions/upload-artifact/issues/315">#315</a>)</li> <li><a href="https://github.com/actions/upload-artifact/commit/e0057a5b76f2fdad976135e8dd7b691e632b9056"><code>e0057a5</code></a> README: Bump actions/checkout to v3 (<a href="https://github-redirect.dependabot.com/actions/upload-artifact/issues/352">#352</a>)</li> <li><a href="https://github.com/actions/upload-artifact/commit/7fe6c13ac83e8572a115d6d5e45afc880cc4fe7e"><code>7fe6c13</code></a> Update to latest <code>actions/publish-action</code> (<a href="https://github-redirect.dependabot.com/actions/upload-artifact/issues/363">#363</a>)</li> <li><a href="https://github.com/actions/upload-artifact/commit/83fd05a356d7e2593de66fc9913b3002723633cb"><code>83fd05a</code></a> Bump actions-core to v1.10.0 (<a href="https://github-redirect.dependabot.com/actions/upload-artifact/issues/356">#356</a>)</li> <li>See full diff in <a href="https://github.com/actions/upload-artifact/compare/3cea5372237819ed00197afe530f5a7ea3e805c8...0b7f8abb1508181956e8e162db84b466c27e18ce">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/upload-artifact&package-manager=github_actions&previous-version=3.1.0&new-version=3.1.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) You can trigger a rebase of this PR by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>> Note* > Automatic rebases have been disabled on this pull request as it has been open for over 30 days. Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 2023-04-24 18:27:56 +00:00			`uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2`
Add CIS checks for 2.9.X and add `pmset` table to fleetd (#9470) #9253 - ~[ ] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information.~ - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [X] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~ --------- Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com> 2023-02-08 16:08:17 +00:00			`with:`
			`name: orbit`
			`path: \|`
			`orbit-darwin`