UltraGrid/.github/workflows
Martin Pulec 960a36288d CI: compute checksums
compute SHA256 checksums for builds

this is useful at least for 2 reasons:
1. user can ensure that the build comes really from the CI (isn't
tampered)
2. can identify or match version with appropriate action run (the $VERSION
is usually always "continuous", except for releases)

The sha256 sum is currently only shown in the protocol, not uploaded
to GH releases - this doesn't seem to be needed because GH currently
already prints the checksum by itself on the download (releases) page.

Skip computing checksum in Win when upload-artifact is used - the zip
is actually created by the Action so we cannot compute the checksum
on it.

/sbin/sha256sum is not present in CI mac workers for some reason
2025-10-31 16:18:57 +01:00

UltraGrid GitHub workflows

Dependencies

This section describes the external dependencies needed to build the proprietary parts of UltraGrid. The dependencies are not required - UltraGrid also builds without them.

These additional dependencies must be provided at the URL specified by the secret SDK_URL.

The following subsections briefly describe the individual assets and how to obtain them. All assets are unmodified files downloaded from the vendor website. However, renaming may be required.

macOS

  • videomaster-macos-dev.tar.gz - VideoMaster SDK for Mac from DELTACAST

Windows

  • videomaster-win.x64-dev.zip - VideoMaster SDK from DELTACAST for Windows

Linux

Note: VideoMaster SDK is not used because DELTACAST doesn't provide redistributable libraries for Linux (as it does for macOS and Windows).

Secrets

  • NOTARYTOOL_CREDENTIALS - Apple developer credentials to be used with notarytool for macOS build (username:password:teamid) notarization in format "user:password" (app-specific password is strongly recommended)
  • APPLE_KEY_P12_B64 - base64-encoded signing Apple key in P12 (see below)
  • APPIMAGE_KEY - GPG exported (armored) private key to sign AppImage
  • COVERITY_TOKEN - Coverity token to be used for build upload
  • NDI_REMOTE_SSH_KEY - SSH key to upload NDI builds over SSH (see Workflows for additional details)
  • SDK_URL - URL where the Dependencies assets are located

Note: not all secrets are used by all workflows (see Workflows for details)

Generating Apple keys to sign the image

This section contains a procedure to get and process keys to be used as APPLE_KEY_P12_B64 above.

  • first generate signing request (replace subject if needed):

    openssl genrsa -out mykey.key 2048
    openssl req -new -key mykey.key -out CertificateSigningRequest.certSigningRequest -subj "/emailAddress=ultragrid-dev@cesnet.cz, CN=CESNET, C=CZ"

  • then login to Apple developer and generate a certificate from the above signing request for "Developer ID Application" and download developerID_application.cer

  • convert the certificate to PEM:

    openssl x509 -inform DER -outform PEM -text -in developerID_application.cer -out developerID_application.pem

  • export private key with password "dummy":

    openssl pkcs12 -export -out signing_key.p12 -in developerID_application.pem -inkey mykey.key -passout pass:dummy

  • add GitHub action secret APPLE_KEY_P12_B64 from output of:

    base64 signing_key.p12
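
A pre-flight check for the value produced by the last step, as an added example that is not part of the UltraGrid repository: it decodes the secret, opens the PKCS#12 bundle with the export password, and confirms that the certificate and private key belong together and that the certificate has not expired. The function name check_p12_secret and the file name secret.b64 are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not UltraGrid code): sanity-check the value destined for
# APPLE_KEY_P12_B64 before storing it as a GitHub secret.
# Usage: check_p12_secret <file-with-base64-text> <export-password>
# Returns 0 only if every check below passes.
check_p12_secret() {
    b64_file=$1
    work=$(mktemp -d) || return 1   # mktemp -d creates the directory with mode 0700
    rc=1
    # The password is handed to openssl through the environment (env:P12_PASS)
    # so that it does not show up in the process list.
    if { base64 -d <"$b64_file" || base64 -D <"$b64_file"; } \
           >"$work/k.p12" 2>/dev/null &&
       P12_PASS=$2 openssl pkcs12 -in "$work/k.p12" -passin env:P12_PASS \
           -clcerts -nokeys -out "$work/cert.pem" 2>/dev/null &&
       P12_PASS=$2 openssl pkcs12 -in "$work/k.p12" -passin env:P12_PASS \
           -nocerts -nodes -out "$work/key.pem" 2>/dev/null &&
       # The public key inside the certificate must equal the one derived
       # from the private key, otherwise the bundle cannot be used for signing.
       cert_pub=$(openssl x509 -in "$work/cert.pem" -noout -pubkey) &&
       key_pub=$(openssl pkey -in "$work/key.pem" -pubout) &&
       [ "$cert_pub" = "$key_pub" ] &&
       # -checkend 0 fails if the certificate has already expired.
       openssl x509 -in "$work/cert.pem" -noout -checkend 0 >/dev/null
    then
        # Show which identity is about to be uploaded and until when it is valid.
        openssl x509 -in "$work/cert.pem" -noout -subject -enddate
        rc=0
    fi
    rm -rf "$work"                  # the decrypted private key was written here
    return $rc
}

# Runs the check only when called with both arguments, e.g.:
#   base64 signing_key.p12 > secret.b64 && sh check_p12.sh secret.b64 dummy
if [ "$#" -eq 2 ]; then
    check_p12_secret "$1" "$2"
fi
```

A truncated paste, a wrong export password or an expired certificate all make the function return non-zero.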

Workflows

Currently all workflows are triggered by push to the respective branch. There are 3 workflows:

ARM builds

Creates ARM AppImages. Triggered by push to branch arm-build. In CESNET/UltraGrid repo creates a release asset, otherwise a build artifact. No secrets are used.

Coverity

Sends the build for analysis to the Coverity service. Triggered by push to coverity_scan - requires COVERITY_TOKEN; SDK_URL is also useful to increase code coverage.

C/C++ CI

This is the basic workflow; it has multiple modes depending on which branch is pushed to. Whether or not it is triggered from the official repository determines where the build is uploaded:

  • push to official repository (branches master or release/*) - triggers rebuild of release asset (continuous for master) and uploads to release assets.
  • push to other repositories (branches master or release/*) - creates build artifacts
  • push to branch ndi-build - builds with NDI support - requires NDI SDKs to be present in SDK_URL, otherwise the NDI support won't be enabled.
    • reads NDI_REMOTE_SSH_KEY; if found, uploads the builds to a predefined location (defined in upload-ndi-build.sh). For a non-official repository you would also need to set the environment variables NDI_REMOTE_SSH and NDI_REMOTE_SSH_HOST_KEY_URL to override the defaults in the script - add the following lines to ccpp.yml:

      env:
        NDI_REMOTE_SSH: <user>@<host>:<path>
        NDI_REMOTE_SSH_HOST_KEY_URL: https://<path_to_host_key>
      
    • If the secret NDI_REMOTE_SSH_KEY is not defined, builds are uploaded as a build artifact.

This workflow utilizes ALTOOL_CREDENTIALS, APPLE_KEY_P12_B64, APPIMAGE_KEY, SDK_URL and SSH_KEY (NDI only).