Merge pull request #399 from vdye/feature/build-installers

Implement workflow to create GitHub release with attached `git` installers

Author: vdye

.github/macos-installer/Makefile

@@ -0,0 +1,158 @@
+SHELL := /bin/bash
+SUDO := sudo
+C_INCLUDE_PATH := /usr/include
+CPLUS_INCLUDE_PATH := /usr/include
+LD_LIBRARY_PATH := /usr/lib
+
+OSX_VERSION := $(shell sw_vers -productVersion)
+TARGET_FLAGS := -mmacosx-version-min=$(OSX_VERSION) -DMACOSX_DEPLOYMENT_TARGET=$(OSX_VERSION)
+
+uname_M := $(shell sh -c 'uname -m 2>/dev/null || echo not')
+
+ARCH_UNIV := universal
+ARCH_FLAGS := -arch x86_64 -arch arm64
+
+CFLAGS := $(TARGET_FLAGS) $(ARCH_FLAGS)
+LDFLAGS := $(TARGET_FLAGS) $(ARCH_FLAGS)
+
+PREFIX := /usr/local
+GIT_PREFIX := $(PREFIX)/git
+
+BUILD_DIR := $(GITHUB_WORKSPACE)/payload
+DESTDIR := $(PWD)/stage/git-$(ARCH_UNIV)-$(VERSION)
+ARTIFACTDIR := build-artifacts
+SUBMAKE := $(MAKE) C_INCLUDE_PATH="$(C_INCLUDE_PATH)" CPLUS_INCLUDE_PATH="$(CPLUS_INCLUDE_PATH)" LD_LIBRARY_PATH="$(LD_LIBRARY_PATH)" TARGET_FLAGS="$(TARGET_FLAGS)" CFLAGS="$(CFLAGS)" LDFLAGS="$(LDFLAGS)" NO_GETTEXT=1 NO_DARWIN_PORTS=1 prefix=$(GIT_PREFIX) DESTDIR=$(DESTDIR)
+CORES := $(shell bash -c "sysctl hw.ncpu | awk '{print \$$2}'")
+
+# Guard against environment variables
+APPLE_APP_IDENTITY =
+APPLE_INSTALLER_IDENTITY =
+APPLE_KEYCHAIN_PROFILE =
+
+.PHONY: image pkg payload codesign notarize
+
+.SECONDARY:
+
+$(DESTDIR)$(GIT_PREFIX)/VERSION-$(VERSION)-$(ARCH_UNIV):
+	rm -f $(BUILD_DIR)/git-$(VERSION)/osx-installed*
+	mkdir -p $(DESTDIR)$(GIT_PREFIX)
+	touch $@
+
+$(BUILD_DIR)/git-$(VERSION)/osx-built-keychain:
+	cd $(BUILD_DIR)/git-$(VERSION)/contrib/credential/osxkeychain; $(SUBMAKE) CFLAGS="$(CFLAGS) -g -O2 -Wall"
+	touch $@
+
+$(BUILD_DIR)/git-$(VERSION)/osx-built:
+	[ -d $(DESTDIR)$(GIT_PREFIX) ] && $(SUDO) rm -rf $(DESTDIR) || echo ok
+	cd $(BUILD_DIR)/git-$(VERSION); $(SUBMAKE) -j $(CORES) all strip
+	echo "================"
+	echo "Dumping Linkage"
+	cd $(BUILD_DIR)/git-$(VERSION); ./git version
+	echo "===="
+	cd $(BUILD_DIR)/git-$(VERSION); /usr/bin/otool -L ./git
+	echo "===="
+	cd $(BUILD_DIR)/git-$(VERSION); /usr/bin/otool -L ./git-http-fetch
+	echo "===="
+	cd $(BUILD_DIR)/git-$(VERSION); /usr/bin/otool -L ./git-http-push
+	echo "===="
+	cd $(BUILD_DIR)/git-$(VERSION); /usr/bin/otool -L ./git-remote-http
+	echo "===="
+	cd $(BUILD_DIR)/git-$(VERSION); /usr/bin/otool -L ./git-gvfs-helper
+	echo "================"
+	touch $@
+
+$(BUILD_DIR)/git-$(VERSION)/osx-installed-bin: $(BUILD_DIR)/git-$(VERSION)/osx-built $(BUILD_DIR)/git-$(VERSION)/osx-built-keychain
+	cd $(BUILD_DIR)/git-$(VERSION); $(SUBMAKE) install
+	cp $(BUILD_DIR)/git-$(VERSION)/contrib/credential/osxkeychain/git-credential-osxkeychain $(DESTDIR)$(GIT_PREFIX)/bin/git-credential-osxkeychain
+	mkdir -p $(DESTDIR)$(GIT_PREFIX)/contrib/completion
+	cp $(BUILD_DIR)/git-$(VERSION)/contrib/completion/git-completion.bash $(DESTDIR)$(GIT_PREFIX)/contrib/completion/
+	cp $(BUILD_DIR)/git-$(VERSION)/contrib/completion/git-completion.zsh $(DESTDIR)$(GIT_PREFIX)/contrib/completion/
+	cp $(BUILD_DIR)/git-$(VERSION)/contrib/completion/git-prompt.sh $(DESTDIR)$(GIT_PREFIX)/contrib/completion/
+	# This is needed for Git-Gui, GitK
+	mkdir -p $(DESTDIR)$(GIT_PREFIX)/lib/perl5/site_perl
+	[ ! -f $(DESTDIR)$(GIT_PREFIX)/lib/perl5/site_perl/Error.pm ] && cp $(BUILD_DIR)/git-$(VERSION)/perl/private-Error.pm $(DESTDIR)$(GIT_PREFIX)/lib/perl5/site_perl/Error.pm || echo done
+	touch $@
+
+$(BUILD_DIR)/git-$(VERSION)/osx-installed-man: $(BUILD_DIR)/git-$(VERSION)/osx-installed-bin
+	mkdir -p $(DESTDIR)$(GIT_PREFIX)/share/man
+	cp -R $(GITHUB_WORKSPACE)/manpages/ $(DESTDIR)$(GIT_PREFIX)/share/man
+	touch $@
+
+$(BUILD_DIR)/git-$(VERSION)/osx-built-subtree:
+	$(SUBMAKE) -C $(BUILD_DIR)/git-$(VERSION)/Documentation asciidoc.conf
+	cd $(BUILD_DIR)/git-$(VERSION)/contrib/subtree; $(SUBMAKE) XML_CATALOG_FILES="$(XML_CATALOG_FILES)" all git-subtree.1
+	touch $@
+
+$(BUILD_DIR)/git-$(VERSION)/osx-installed-subtree: $(BUILD_DIR)/git-$(VERSION)/osx-built-subtree
+	mkdir -p $(DESTDIR)
+	cd $(BUILD_DIR)/git-$(VERSION)/contrib/subtree; $(SUBMAKE) XML_CATALOG_FILES="$(XML_CATALOG_FILES)" install install-man
+	touch $@
+
+$(BUILD_DIR)/git-$(VERSION)/osx-installed-assets: $(BUILD_DIR)/git-$(VERSION)/osx-installed-bin
+	mkdir -p $(DESTDIR)$(GIT_PREFIX)/etc
+	cat assets/etc/gitconfig.osxkeychain >> $(DESTDIR)$(GIT_PREFIX)/etc/gitconfig
+	cp assets/uninstall.sh $(DESTDIR)$(GIT_PREFIX)/uninstall.sh
+	sh -c "echo .DS_Store >> $(DESTDIR)$(GIT_PREFIX)/share/git-core/templates/info/exclude"
+
+symlinks:
+	mkdir -p $(ARTIFACTDIR)$(PREFIX)/bin
+	cd $(ARTIFACTDIR)$(PREFIX)/bin; find ../git/bin -type f -exec ln -sf {} \;
+	for man in man1 man3 man5 man7; do mkdir -p $(ARTIFACTDIR)$(PREFIX)/share/man/$$man; (cd $(ARTIFACTDIR)$(PREFIX)/share/man/$$man; ln -sf ../../../git/share/man/$$man/* ./); done
+	ruby ../scripts/symlink-git-hardlinks.rb $(ARTIFACTDIR)
+	touch $@
+
+$(BUILD_DIR)/git-$(VERSION)/osx-installed: $(DESTDIR)$(GIT_PREFIX)/VERSION-$(VERSION)-$(ARCH_UNIV) $(BUILD_DIR)/git-$(VERSION)/osx-installed-man $(BUILD_DIR)/git-$(VERSION)/osx-installed-assets $(BUILD_DIR)/git-$(VERSION)/osx-installed-subtree
+	find $(DESTDIR)$(GIT_PREFIX) -type d -exec chmod ugo+rx {} \;
+	find $(DESTDIR)$(GIT_PREFIX) -type f -exec chmod ugo+r {} \;
+	touch $@
+
+$(BUILD_DIR)/git-$(VERSION)/osx-built-assert-$(ARCH_UNIV): $(BUILD_DIR)/git-$(VERSION)/osx-built
+	File $(BUILD_DIR)/git-$(VERSION)/git
+	File $(BUILD_DIR)/git-$(VERSION)/contrib/credential/osxkeychain/git-credential-osxkeychain
+	touch $@
+
+disk-image/VERSION-$(VERSION)-$(ARCH_UNIV):
+	rm -f disk-image/*.pkg disk-image/VERSION-* disk-image/.DS_Store
+	mkdir disk-image
+	touch "$@"
+
+pkg_cmd := pkgbuild --identifier com.git.pkg --version $(VERSION) \
+	--root $(ARTIFACTDIR)$(PREFIX) --scripts assets/scripts \
+	--install-location $(PREFIX) --component-plist ./assets/git-components.plist
+
+ifdef APPLE_INSTALLER_IDENTITY
+	pkg_cmd += --sign "$(APPLE_INSTALLER_IDENTITY)"
+endif
+
+pkg_cmd += disk-image/git-$(VERSION)-$(ARCH_UNIV).pkg
+disk-image/git-$(VERSION)-$(ARCH_UNIV).pkg: disk-image/VERSION-$(VERSION)-$(ARCH_UNIV) symlinks
+	$(pkg_cmd)
+
+git-%-$(ARCH_UNIV).dmg:
+	hdiutil create git-$(VERSION)-$(ARCH_UNIV).uncompressed.dmg -fs HFS+ -srcfolder disk-image -volname "Git $(VERSION) $(ARCH_UNIV)" -ov 2>&1 | tee err || { \
+		grep "Resource busy" err && \
+		sleep 5 && \
+		hdiutil create git-$(VERSION)-$(ARCH_UNIV).uncompressed.dmg -fs HFS+ -srcfolder disk-image -volname "Git $(VERSION) $(ARCH_UNIV)" -ov; }
+	hdiutil convert -format UDZO -o $@ git-$(VERSION)-$(ARCH_UNIV).uncompressed.dmg
+	rm -f git-$(VERSION)-$(ARCH_UNIV).uncompressed.dmg
+
+payload: $(BUILD_DIR)/git-$(VERSION)/osx-installed $(BUILD_DIR)/git-$(VERSION)/osx-built-assert-$(ARCH_UNIV)
+
+pkg: disk-image/git-$(VERSION)-$(ARCH_UNIV).pkg
+
+image: git-$(VERSION)-$(ARCH_UNIV).dmg
+
+ifdef APPLE_APP_IDENTITY
+codesign:
+	@$(CURDIR)/../scripts/codesign.sh --payload="build-artifacts/usr/local/git" \
+		--identity="$(APPLE_APP_IDENTITY)" \
+		--entitlements="$(CURDIR)/entitlements.xml"
+endif
+
+# Notarization can only happen if the package is fully signed
+ifdef APPLE_KEYCHAIN_PROFILE
+notarize:
+	@$(CURDIR)/../scripts/notarize.sh \
+		--package="disk-image/git-$(VERSION)-$(ARCH_UNIV).pkg" \
+		--keychain-profile="$(APPLE_KEYCHAIN_PROFILE)"
+endif

.github/macos-installer/assets/etc/gitconfig.osxkeychain

@@ -0,0 +1,2 @@
+[credential]
+	helper = osxkeychain

.github/macos-installer/assets/git-components.plist

@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<array>
+	<dict>
+		<key>BundleHasStrictIdentifier</key>
+		<true/>
+		<key>BundleIsRelocatable</key>
+		<false/>
+		<key>BundleIsVersionChecked</key>
+		<true/>
+		<key>BundleOverwriteAction</key>
+		<string>upgrade</string>
+		<key>RootRelativeBundlePath</key>
+		<string>git/share/git-gui/lib/Git Gui.app</string>
+	</dict>
+</array>
+</plist>

.github/macos-installer/assets/scripts/postinstall

@@ -0,0 +1,62 @@
+#!/bin/bash
+INSTALL_DST="$2"
+SCALAR_C_CMD="$INSTALL_DST/git/bin/scalar"
+SCALAR_DOTNET_CMD="/usr/local/scalar/scalar"
+SCALAR_UNINSTALL_SCRIPT="/usr/local/scalar/uninstall_scalar.sh"
+
+function cleanupScalar()
+{
+    echo "checking whether Scalar was installed"
+    if [ ! -f "$SCALAR_C_CMD" ]; then
+        echo "Scalar not installed; exiting..."
+        return 0
+    fi
+    echo "Scalar is installed!"
+
+    echo "looking for Scalar.NET"
+    if [ ! -f "$SCALAR_DOTNET_CMD" ]; then
+        echo "Scalar.NET not found; exiting..."
+        return 0
+    fi
+    echo "Scalar.NET found!"
+
+    currentUser=$(echo "show State:/Users/ConsoleUser" | scutil | awk '/Name :/ { print $3 }')
+
+    # Re-register Scalar.NET repositories with the newly-installed Scalar
+    for repo in $($SCALAR_DOTNET_CMD list); do
+        (
+            PATH="$INSTALL_DST/git/bin:$PATH"
+            sudo -u "$currentUser" scalar register $repo || \
+                echo "warning: skipping re-registration of $repo"
+        )
+    done
+
+    # Uninstall Scalar.NET
+    echo "removing Scalar.NET"
+
+    # Add /usr/local/bin to path - default install location of Homebrew
+    PATH="/usr/local/bin:$PATH"
+    if (sudo -u "$currentUser" brew list --cask scalar); then
+        # Remove from Homebrew
+        sudo -u "$currentUser" brew remove --cask scalar || echo "warning: Scalar.NET uninstall via Homebrew completed with code $?"
+        echo "Scalar.NET uninstalled via Homebrew!"
+    elif (sudo -u "$currentUser" brew list --cask scalar-azrepos); then
+        sudo -u "$currentUser" brew remove --cask scalar-azrepos || echo "warning: Scalar.NET with GVFS uninstall via Homebrew completed with code $?"
+        echo "Scalar.NET with GVFS uninstalled via Homebrew!"
+    elif [ -f $SCALAR_UNINSTALL_SCRIPT ]; then
+        # If not installed with Homebrew, manually remove package
+        sudo -S sh $SCALAR_UNINSTALL_SCRIPT || echo "warning: Scalar.NET uninstall completed with code $?"
+        echo "Scalar.NET uninstalled!"
+    else
+        echo "warning: Scalar.NET uninstall script not found"
+    fi
+
+    # Re-create the Scalar symlink, in case it was removed by the Scalar.NET uninstall operation
+    mkdir -p $INSTALL_DST/bin
+    /bin/ln -Fs "$SCALAR_C_CMD" "$INSTALL_DST/bin/scalar"
+}
+
+# Run Scalar cleanup (will exit if not applicable)
+cleanupScalar
+
+exit 0

.github/macos-installer/assets/uninstall.sh

@@ -0,0 +1,34 @@
+#!/bin/bash -e
+if [ ! -r "/usr/local/git" ]; then
+  echo "Git doesn't appear to be installed via this installer.  Aborting"
+  exit 1
+fi
+
+if [ "$1" != "--yes" ]; then
+  echo "This will uninstall git by removing /usr/local/git/, and symlinks"
+  printf "Type 'yes' if you are sure you wish to continue: "
+  read response
+else
+  response="yes"
+fi
+
+if [ "$response" == "yes" ]; then
+  # remove all of the symlinks we've created
+  pkgutil --files com.git.pkg | grep bin | while read f; do
+    if [ -L /usr/local/$f ]; then
+      sudo rm /usr/local/$f
+    fi
+  done
+
+  # forget receipts.
+  pkgutil --packages | grep com.git.pkg | xargs -I {} sudo pkgutil --forget {}
+  echo "Uninstalled"
+
+  # The guts all go here.
+  sudo rm -rf /usr/local/git/
+else
+  echo "Aborted"
+  exit 1
+fi
+
+exit 0

.github/macos-installer/entitlements.xml

@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+</dict>
+</plist>

.github/scripts/codesign.sh

@@ -0,0 +1,65 @@
+#!/bin/bash
+
+sign_directory () {
+	(
+	cd "$1"
+	for f in *
+	do
+		macho=$(file --mime $f | grep mach)
+		# Runtime sign dylibs and Mach-O binaries
+		if [[ $f == *.dylib ]] || [ ! -z "$macho" ];
+		then
+			echo "Runtime Signing $f"
+			codesign -s "$IDENTITY" $f --timestamp --force --options=runtime --entitlements $ENTITLEMENTS_FILE
+		elif [ -d "$f" ];
+		then
+			echo "Signing files in subdirectory $f"
+			sign_directory "$f"
+
+		else
+			echo "Signing $f"
+			codesign -s "$IDENTITY" $f  --timestamp --force
+		fi
+	done
+	)
+}
+
+for i in "$@"
+do
+case "$i" in
+	--payload=*)
+	SIGN_DIR="${i#*=}"
+	shift # past argument=value
+	;;
+	--identity=*)
+	IDENTITY="${i#*=}"
+	shift # past argument=value
+	;;
+	--entitlements=*)
+	ENTITLEMENTS_FILE="${i#*=}"
+	shift # past argument=value
+	;;
+	*)
+	die "unknown option '$i'"
+	;;
+esac
+done
+
+if [ -z "$SIGN_DIR" ]; then
+    echo "error: missing directory argument"
+    exit 1
+elif [ -z "$IDENTITY" ]; then
+    echo "error: missing signing identity argument"
+    exit 1
+elif [ -z "$ENTITLEMENTS_FILE" ]; then
+    echo "error: missing entitlements file argument"
+    exit 1
+fi
+
+echo "======== INPUTS ========"
+echo "Directory: $SIGN_DIR"
+echo "Signing identity: $IDENTITY"
+echo "Entitlements: $ENTITLEMENTS_FILE"
+echo "======== END INPUTS ========"
+
+sign_directory "$SIGN_DIR"

.github/scripts/notarize.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+
+for i in "$@"
+do
+case "$i" in
+	--package=*)
+	PACKAGE="${i#*=}"
+	shift # past argument=value
+	;;
+	--keychain-profile=*)
+	KEYCHAIN_PROFILE="${i#*=}"
+	shift # past argument=value
+	;;
+	*)
+	die "unknown option '$i'"
+	;;
+esac
+done
+
+if [ -z "$PACKAGE" ]; then
+    echo "error: missing package argument"
+    exit 1
+elif [ -z "$KEYCHAIN_PROFILE" ]; then
+    echo "error: missing keychain profile argument"
+    exit 1
+fi
+
+# Exit as soon as any line fails
+set -e
+
+# Send the notarization request
+xcrun notarytool submit -v "$PACKAGE" -p "$KEYCHAIN_PROFILE" --wait
+
+# Staple the notarization ticket (to allow offline installation)
+xcrun stapler staple -v "$PACKAGE"