fleet/.github/workflows/build-orbit.yaml

name: Build, Sign and Notarize Orbit

on:
  pull_request:
    paths:
      - 'orbit/**.go'

# This allows a subsequently queued workflow run to interrupt previous runs
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}}
  cancel-in-progress: true

defaults:
  run:
    # fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
    shell: bash

permissions:
  contents: read

jobs:
  build:
    runs-on: macos-latest
    steps:
      - name: Checkout
        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2

      - name: Import signing keys
        env:
          APPLE_APPLICATION_CERTIFICATE: ${{ secrets.APPLE_APPLICATION_CERTIFICATE }}
          APPLE_APPLICATION_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_APPLICATION_CERTIFICATE_PASSWORD }}
          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
        run: |
          echo "$APPLE_APPLICATION_CERTIFICATE" | base64 --decode > certificate.p12
          security create-keychain -p $KEYCHAIN_PASSWORD build.keychain
          security default-keychain -s build.keychain
          security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain
          security import certificate.p12 -k build.keychain -P $APPLE_APPLICATION_CERTIFICATE_PASSWORD -T /usr/bin/codesign
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain
          security find-identity -vv
          rm certificate.p12

      - name: Set up Go
        uses: actions/setup-go@v4.0.1
        with:
          go-version: 1.19.10

      - name: Build, codesign and notarize orbit
        run: go run ./orbit/tools/build/build.go 
        env:
          GITHUB_TOKEN: ${{ secrets.FLEET_RELEASE_GITHUB_PAT }}
          AC_USERNAME: ${{ secrets.APPLE_USERNAME }}
          AC_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
          AC_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
          CODESIGN_IDENTITY: 51049B247B25B3119FAE7E9C0CC4375A43E47237

      - name: Upload orbit
        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2
        with:
          name: orbit
          path: |
            orbit-darwin
Add CIS checks for 2.9.X and add `pmset` table to fleetd (#9470) #9253 - ~[ ] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information.~ - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [X] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~ --------- Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com> 2023-02-08 16:08:17 +00:00			`name: Build, Sign and Notarize Orbit`

			`on:`
			`pull_request:`
			`paths:`
			`- 'orbit/**.go'`

			`# This allows a subsequently queued workflow run to interrupt previous runs`
			`concurrency:`
			`group: ${{ github.workflow }}-${{ github.head_ref \|\| github.run_id}}`
			`cancel-in-progress: true`

			`defaults:`
			`run:`
			`# fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference`
			`shell: bash`

			`permissions:`
			`contents: read`

			`jobs:`
			`build:`
			`runs-on: macos-latest`
			`steps:`
			`- name: Checkout`
			`uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2`

			`- name: Import signing keys`
			`env:`
			`APPLE_APPLICATION_CERTIFICATE: ${{ secrets.APPLE_APPLICATION_CERTIFICATE }}`
			`APPLE_APPLICATION_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_APPLICATION_CERTIFICATE_PASSWORD }}`
			`KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}`
			`run: \|`
			`echo "$APPLE_APPLICATION_CERTIFICATE" \| base64 --decode > certificate.p12`
			`security create-keychain -p $KEYCHAIN_PASSWORD build.keychain`
			`security default-keychain -s build.keychain`
			`security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain`
			`security import certificate.p12 -k build.keychain -P $APPLE_APPLICATION_CERTIFICATE_PASSWORD -T /usr/bin/codesign`
			`security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain`
			`security find-identity -vv`
			`rm certificate.p12`

			`- name: Set up Go`
Bump actions/setup-go from 2.1.3 to 4.0.1 (#12294) Bumps [actions/setup-go](https://github.com/actions/setup-go) from 2.1.3 to 4.0.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/setup-go/releases">actions/setup-go's releases</a>.</em></p> <blockquote> <h2>v4.0.1</h2> <h2>What's Changed</h2> <ul> <li>Update documentation for <code>v4</code> by <a href="https://github.com/dsame"><code>@dsame</code></a> in <a href="https://redirect.github.com/actions/setup-go/pull/354">actions/setup-go#354</a></li> <li>Fix glob bug in the package.json scripts section by <a href="https://github.com/IvanZosimov"><code>@IvanZosimov</code></a> in <a href="https://redirect.github.com/actions/setup-go/pull/359">actions/setup-go#359</a></li> <li>Bump <code>xml2js</code> dependency by <a href="https://github.com/dmitry-shibanov"><code>@dmitry-shibanov</code></a> in <a href="https://redirect.github.com/actions/setup-go/pull/370">actions/setup-go#370</a></li> <li>Bump <code>@actions/cache</code> dependency to v3.2.1 by <a href="https://github.com/nikolai-laevskii"><code>@nikolai-laevskii</code></a> in <a href="https://redirect.github.com/actions/setup-go/pull/374">actions/setup-go#374</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/nikolai-laevskii"><code>@nikolai-laevskii</code></a> made their first contribution in <a href="https://redirect.github.com/actions/setup-go/pull/374">actions/setup-go#374</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/setup-go/compare/v4...v4.0.1">https://github.com/actions/setup-go/compare/v4...v4.0.1</a></p> <h2>v4.0.0</h2> <p>In scope of release we enable cache by default. The action won’t throw an error if the cache can’t be restored or saved. The action will throw a warning message but it won’t stop a build process. The cache can be disabled by specifying <code>cache: false</code>.</p> <pre lang="yaml"><code>steps: - uses: actions/checkout@v3 - uses: actions/setup-go@v4 with: go-version: ‘1.19’ - run: go run hello.go </code></pre> <p>Besides, we introduce such changes as</p> <ul> <li><a href="https://redirect.github.com/actions/setup-go/pull/305">Allow to use only GOCACHE for cache</a></li> <li><a href="https://redirect.github.com/actions/setup-go/pull/315">Bump json5 from 2.2.1 to 2.2.3</a></li> <li><a href="https://redirect.github.com/actions/setup-go/pull/323">Use proper version for primary key in cache</a></li> <li><a href="https://redirect.github.com/actions/setup-go/pull/351">Always add Go bin to the PATH</a></li> <li><a href="https://redirect.github.com/actions/setup-go/pull/350">Add step warning if go-version input is empty</a></li> </ul> <h2>Add support for stable and oldstable aliases</h2> <p>In scope of this release we introduce aliases for the <code>go-version</code> input. The <code>stable</code> alias instals the latest stable version of Go. The <code>oldstable</code> alias installs previous latest minor release (the stable is 1.19.x -> the oldstable is 1.18.x).</p> <h3>Stable</h3> <pre lang="yaml"><code>steps: - uses: actions/checkout@v3 - uses: actions/setup-go@v3 with: go-version: 'stable' - run: go run hello.go </code></pre> <h3>OldStable</h3> <pre lang="yaml"><code>steps: - uses: actions/checkout@v3 - uses: actions/setup-go@v3 </tr></table> </code></pre> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/setup-go/commit/fac708d6674e30b6ba41289acaab6d4b75aa0753"><code>fac708d</code></a> Bump <code>@actions/cache</code> dependency to v3.2.1 (<a href="https://redirect.github.com/actions/setup-go/issues/374">#374</a>)</li> <li><a href="https://github.com/actions/setup-go/commit/dd84a9531a6f8e72c321f2aa3b9048ed359670e4"><code>dd84a95</code></a> Update xml2js (<a href="https://redirect.github.com/actions/setup-go/issues/370">#370</a>)</li> <li><a href="https://github.com/actions/setup-go/commit/41c2024c46acfe1d0b8c9b7f20e28406983e553b"><code>41c2024</code></a> Fix glob bug in package.json scripts section (<a href="https://redirect.github.com/actions/setup-go/issues/359">#359</a>)</li> <li><a href="https://github.com/actions/setup-go/commit/8dbf352f069be09d9a0b567cc1a9d16a5663fc3a"><code>8dbf352</code></a> update README fo v4 (<a href="https://redirect.github.com/actions/setup-go/issues/354">#354</a>)</li> <li><a href="https://github.com/actions/setup-go/commit/4d34df0c2316fe8122ab82dc22947d607c0c91f9"><code>4d34df0</code></a> Update configuration files (<a href="https://redirect.github.com/actions/setup-go/issues/348">#348</a>)</li> <li><a href="https://github.com/actions/setup-go/commit/fdc0d672a12b8fc05ef4c549c3fd5b0f03ebeb4c"><code>fdc0d67</code></a> Add Go bin if go-version input is empty (<a href="https://redirect.github.com/actions/setup-go/issues/351">#351</a>)</li> <li><a href="https://github.com/actions/setup-go/commit/ebfdf6ac95bce0e7e743a60aba7adf59b400885b"><code>ebfdf6a</code></a> add warning if go-version is empty (<a href="https://redirect.github.com/actions/setup-go/issues/350">#350</a>)</li> <li><a href="https://github.com/actions/setup-go/commit/b27d76912e7cb72b7262b5be2ec903b6cfaf358a"><code>b27d769</code></a> fix lockfileVersion (<a href="https://redirect.github.com/actions/setup-go/issues/349">#349</a>)</li> <li><a href="https://github.com/actions/setup-go/commit/c51a7207680f1bee06f4a751214aab70667f9e25"><code>c51a720</code></a> Enable caching by default with default input (<a href="https://redirect.github.com/actions/setup-go/issues/332">#332</a>)</li> <li><a href="https://github.com/actions/setup-go/commit/6b848af622919e18822928df24a57044dc6ea9ab"><code>6b848af</code></a> Merge pull request <a href="https://redirect.github.com/actions/setup-go/issues/343">#343</a> from akv-platform/reusable-workflow</li> <li>Additional commits viewable in <a href="https://github.com/actions/setup-go/compare/v2.1.3...v4.0.1">compare view</a></li> </ul> </details> <br /> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 2023-06-23 19:38:42 +00:00			`uses: actions/setup-go@v4.0.1`
Add CIS checks for 2.9.X and add `pmset` table to fleetd (#9470) #9253 - ~[ ] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information.~ - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [X] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~ --------- Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com> 2023-02-08 16:08:17 +00:00			`with:`
upgrade go version to 1.19.10 (#12187) for #12177 2023-06-07 20:59:30 +00:00			`go-version: 1.19.10`
Add CIS checks for 2.9.X and add `pmset` table to fleetd (#9470) #9253 - ~[ ] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information.~ - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [X] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~ --------- Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com> 2023-02-08 16:08:17 +00:00
			`- name: Build, codesign and notarize orbit`
			`run: go run ./orbit/tools/build/build.go`
			`env:`
Use personal access token for workflows (#12118) 2023-06-02 21:23:23 +00:00			`GITHUB_TOKEN: ${{ secrets.FLEET_RELEASE_GITHUB_PAT }}`
Add CIS checks for 2.9.X and add `pmset` table to fleetd (#9470) #9253 - ~[ ] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information.~ - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [X] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~ --------- Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com> 2023-02-08 16:08:17 +00:00			`AC_USERNAME: ${{ secrets.APPLE_USERNAME }}`
			`AC_PASSWORD: ${{ secrets.APPLE_PASSWORD }}`
			`AC_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}`
			`CODESIGN_IDENTITY: 51049B247B25B3119FAE7E9C0CC4375A43E47237`

			`- name: Upload orbit`
Bump actions/upload-artifact from 3.1.0 to 3.1.2 (#10183) Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 3.1.0 to 3.1.2. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/upload-artifact/releases">actions/upload-artifact's releases</a>.</em></p> <blockquote> <h2>v3.1.2</h2> <ul> <li>Update all <code>@actions/</code> NPM packages to their latest versions- <a href="https://github-redirect.dependabot.com/actions/upload-artifact/issues/374">#374</a></li> <li>Update all dev dependencies to their most recent versions - <a href="https://github-redirect.dependabot.com/actions/upload-artifact/issues/375">#375</a></li> </ul> <h2>v3.1.1</h2> <ul> <li>Update actions/core package to latest version to remove <code>set-output</code> deprecation warning <a href="https://github-redirect.dependabot.com/actions/upload-artifact/issues/351">#351</a></li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/upload-artifact/commit/0b7f8abb1508181956e8e162db84b466c27e18ce"><code>0b7f8ab</code></a> ci(github): update action/download-artifact from v1 to v3 (<a href="https://github-redirect.dependabot.com/actions/upload-artifact/issues/312">#312</a>)</li> <li><a href="https://github.com/actions/upload-artifact/commit/013d2b89baa2f354c5ffec54c68bec4ab39a2534"><code>013d2b8</code></a> Create devcontainer for codespaces + update all dev dependencies (<a href="https://github-redirect.dependabot.com/actions/upload-artifact/issues/375">#375</a>)</li> <li><a href="https://github.com/actions/upload-artifact/commit/055b8b3f04a4a7ed853f2c6ab04256f83e4874dc"><code>055b8b3</code></a> Bump Actions NPM dependencies (<a href="https://github-redirect.dependabot.com/actions/upload-artifact/issues/374">#374</a>)</li> <li><a href="https://github.com/actions/upload-artifact/commit/7a5d4831f75130126bffffb8443b412485f7b836"><code>7a5d483</code></a> ci(github): update action/checkout from v2 to v3 (<a href="https://github-redirect.dependabot.com/actions/upload-artifact/issues/315">#315</a>)</li> <li><a href="https://github.com/actions/upload-artifact/commit/e0057a5b76f2fdad976135e8dd7b691e632b9056"><code>e0057a5</code></a> README: Bump actions/checkout to v3 (<a href="https://github-redirect.dependabot.com/actions/upload-artifact/issues/352">#352</a>)</li> <li><a href="https://github.com/actions/upload-artifact/commit/7fe6c13ac83e8572a115d6d5e45afc880cc4fe7e"><code>7fe6c13</code></a> Update to latest <code>actions/publish-action</code> (<a href="https://github-redirect.dependabot.com/actions/upload-artifact/issues/363">#363</a>)</li> <li><a href="https://github.com/actions/upload-artifact/commit/83fd05a356d7e2593de66fc9913b3002723633cb"><code>83fd05a</code></a> Bump actions-core to v1.10.0 (<a href="https://github-redirect.dependabot.com/actions/upload-artifact/issues/356">#356</a>)</li> <li>See full diff in <a href="https://github.com/actions/upload-artifact/compare/3cea5372237819ed00197afe530f5a7ea3e805c8...0b7f8abb1508181956e8e162db84b466c27e18ce">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/upload-artifact&package-manager=github_actions&previous-version=3.1.0&new-version=3.1.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) You can trigger a rebase of this PR by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details>> Note* > Automatic rebases have been disabled on this pull request as it has been open for over 30 days. Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 2023-04-24 18:27:56 +00:00			`uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v2`
Add CIS checks for 2.9.X and add `pmset` table to fleetd (#9470) #9253 - ~[ ] Changes file added for user-visible changes in `changes/` or `orbit/changes/`. See [Changes files](https://fleetdm.com/docs/contributing/committing-changes#changes-files) for more information.~ - ~[ ] Documented any API changes (docs/Using-Fleet/REST-API.md or docs/Contributing/API-for-contributors.md)~ - ~[ ] Documented any permissions changes~ - ~[ ] Input data is properly validated, `SELECT *` is avoided, SQL injection is prevented (using placeholders for values in statements)~ - ~[ ] Added support on fleet's osquery simulator `cmd/osquery-perf` for new osquery data ingestion features.~ - [X] Added/updated tests - [X] Manual QA for all new/changed functionality - For Orbit and Fleet Desktop changes: - [X] Manual QA must be performed in the three main OSs, macOS, Windows and Linux. - ~[ ] Auto-update manual QA, from released version of component to new version (see [tools/tuf/test](../tools/tuf/test/README.md)).~ --------- Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com> 2023-02-08 16:08:17 +00:00			`with:`
			`name: orbit`
			`path: \|`
			`orbit-darwin`