From d493f52ecce05b058a56718a479ebcb540848962 Mon Sep 17 00:00:00 2001 From: Lionello Lunesu Date: Thu, 27 Jun 2024 13:50:00 -0700 Subject: [PATCH 01/16] use GoReleaserPro --- .github/workflows/check-sample.yml | 6 +++--- .github/workflows/go.yml | 9 +++++---- src/bin/notarize.sh | 27 +++++++++++++++++++++++++++ 3 files changed, 35 insertions(+), 7 deletions(-) create mode 100755 src/bin/notarize.sh diff --git a/.github/workflows/check-sample.yml b/.github/workflows/check-sample.yml index c49895f9b..516363816 100644 --- a/.github/workflows/check-sample.yml +++ b/.github/workflows/check-sample.yml @@ -10,7 +10,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v4 - name: Check for required files run: | @@ -37,14 +37,14 @@ jobs: - [ ] I have documented how to provision any third-party services in the readme - [ ] I have documented how to run the sample in the readme (locally and with Defang) `; - + // Get the current PR const { data: pullRequest } = await github.rest.pulls.get({ owner: context.repo.owner, repo: context.repo.repo, pull_number: pr_number }); - + // Check if the checklist already exists in the PR description if (!pullRequest.body.includes(checklist)) { // Update the PR description with the checklist diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index bc6e0b49f..6f7badbe1 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml 
@@ -141,11 +141,12 @@ jobs: - name: Run GoReleaser uses: goreleaser/goreleaser-action@v5 with: - # distribution: goreleaser-pro # either 'goreleaser' (default) or 'goreleaser-pro' + distribution: goreleaser-pro # either 'goreleaser' (default) or 'goreleaser-pro' # version: latest args: release --clean workdir: src env: + GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }} GH_PAT_WINGET: ${{ secrets.GH_PAT_WINGET }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # GITHUB_TOKEN is limited to the current repository MACOS_CERTIFICATE_NAME: ${{ secrets.MACOS_CERTIFICATE_NAME }} @@ -158,7 +159,7 @@ jobs: - name: Notarize macOS app shell: bash run: | - xcrun notarytool submit src/dist/defang_*_macOS.zip --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_APP_PW" + bin/notarize.sh src/dist/defang_*_macOS.zip env: MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }} MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }} @@ -187,7 +188,7 @@ jobs: client-payload: '{"version": "${{ github.ref_name }}"}' - name: Trigger Homebrew Formula Update - uses: peter-evans/repository-dispatch@v1 + uses: peter-evans/repository-dispatch@v3 with: token: ${{ secrets.HOMEBREW_ACTION_TRIGGER_TOKEN }} repository: DefangLabs/homebrew-defang @@ -215,7 +216,7 @@ jobs: # install dependencies npm ci --ignore-scripts - #b uild + # build npm run build # make the cli.js executable diff --git a/src/bin/notarize.sh b/src/bin/notarize.sh new file mode 100755 index 000000000..8c90d4cee --- /dev/null +++ b/src/bin/notarize.sh 
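Review bot: The `Run GoReleaser` step now hands `GORELEASER_KEY` to an action referenced by a mutable tag (`goreleaser/goreleaser-action@v5`), alongside the winget PAT and the macOS signing material already in its `env`. A retagged or compromised action release would see all of them, so pin the reference to a full commit SHA, e.g. `uses: goreleaser/goreleaser-action@<full-commit-sha> # v5` (placeholder; take the SHA from the action's release page). With `# version: latest` left commented out, the GoReleaser release that actually runs is also not fixed in the visible lines; setting `version:` to an exact release would make the signed builds reproducible. The same pinning applies to `peter-evans/repository-dispatch@v3` in a later hunk of this commit, which receives `HOMEBREW_ACTION_TRIGGER_TOKEN`.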
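Review bot: `bin/notarize.sh` is resolved against the step's working directory, but this commit creates the script at `src/bin/notarize.sh` and no `working-directory` is visible on the `Notarize macOS app` step, so the call would fail unless one is set outside the hunk. Either call `src/bin/notarize.sh src/dist/defang_*_macOS.zip`, or add `working-directory: src` and pass `dist/defang_*_macOS.zip`. The script also exits with its usage error unless it receives exactly one argument, so the glob has to match exactly one archive; if several zips can exist in `dist`, loop over them in the step.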
@@ -0,0 +1,27 @@ +#!/bin/sh +set -e + +# Bail if we didn't get one (and only one) argument +if [ $# -ne 1 ]; then + echo "Usage: $0 " + exit 1 +fi + +if [ -z "$MACOS_NOTARIZATION_APPLE_ID" ]; then + echo "Error: missing env var MACOS_NOTARIZATION_APPLE_ID" + exit 2 +fi + +if [ -z "$MACOS_NOTARIZATION_TEAM_ID" ]; then + echo "Error: missing env var MACOS_NOTARIZATION_TEAM_ID" + exit 3 +fi + +if [ -z "$MACOS_NOTARIZATION_APP_PW" ]; then + echo "Error: missing env var MACOS_NOTARIZATION_APP_PW" + exit 4 +fi + +[ "$ACTIONS_STEP_DEBUG" = 'true' ] || [ "$DEBUG" = 'true' ] && set -x + +xcrun notarytool submit "$1" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_APP_PW" From ab959f6731405c31adca5d10d64218dd082dbde1 Mon Sep 17 00:00:00 2001 From: Lionello Lunesu Date: Fri, 28 Jun 2024 14:52:51 -0700 Subject: [PATCH 02/16] split build --- .github/workflows/go.yml | 68 ++++++++++++++++++----- flake.nix | 1 + src/.goreleaser-prebuilt.yml | 102 +++++++++++++++++++++++++++++++++++ 3 files changed, 158 insertions(+), 13 deletions(-) create mode 100644 src/.goreleaser-prebuilt.yml diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index 6f7badbe1..aa1bd4295 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -114,16 +114,12 @@ jobs: run: go run ./cmd/cli compose stop -f tests/sanity/compose.yaml --debug working-directory: src - go-release: - if: startsWith(github.ref, 'refs/tags/v') # only run this step on tagged commits + go-build: + # if: startsWith(github.ref, 'refs/tags/v') # only run this step on tagged commits needs: go-test - runs-on: macos-latest - permissions: - contents: write # to upload archives as GitHub Releases + runs-on: macos-latest # for codesign and notarytool steps: - uses: actions/checkout@v4 - with: - fetch-depth: 0 # for release notes - name: Set up Go uses: actions/setup-go@v5 
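Review bot: When `ACTIONS_STEP_DEBUG` or `DEBUG` is `true`, `set -x` is switched on immediately before the `xcrun notarytool submit` line, so the shell trace prints the expanded `--password "$MACOS_NOTARIZATION_APP_PW"` value. In Actions only log masking stands between that trace and the log, and a local run with `DEBUG=true` has no masking at all. Turn tracing off again around that one command, e.g. `{ set +x; } 2>/dev/null` on the line before it, or store the credentials once with `notarytool store-credentials` and pass `--keychain-profile` so the password never appears in argv. The `Usage:` and `Error:` messages would also be better sent to stderr with `>&2`.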
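Review bot: Renaming `go-release` to `go-build` drops the job's `permissions:` block, so the build job now runs with whatever default `GITHUB_TOKEN` permissions the workflow or repository sets (not visible here). A job that only compiles, signs and uploads an artifact needs no write scope on the repository; add `permissions:` with `contents: read` to `go-build`. The job body continues past the end of this hunk.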
@@ -141,18 +137,64 @@ jobs: - name: Run GoReleaser uses: goreleaser/goreleaser-action@v5 with: - distribution: goreleaser-pro # either 'goreleaser' (default) or 'goreleaser-pro' + # distribution: goreleaser-pro # either 'goreleaser' (default) or 'goreleaser-pro' # version: latest - args: release --clean + args: build --clean workdir: src env: - GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }} - GH_PAT_WINGET: ${{ secrets.GH_PAT_WINGET }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # GITHUB_TOKEN is limited to the current repository + # GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }} + # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # GITHUB_TOKEN is limited to the current repository MACOS_CERTIFICATE_NAME: ${{ secrets.MACOS_CERTIFICATE_NAME }} MACOS_P12_BASE64: ${{ secrets.MACOS_P12_BASE64 }} MACOS_P12_PASSWORD: ${{ secrets.MACOS_P12_PASSWORD }} KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} + + - name: Notarize macOS app + shell: bash + run: | + bin/notarize.sh src/dist/defang_*_macOS.zip + env: + MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }} + MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }} + MACOS_NOTARIZATION_APP_PW: ${{ secrets.MACOS_NOTARIZATION_APP_PW }} + + - name: Upload dist folder + uses: actions/upload-artifact@v4 + with: + name: dist + path: src/dist + + go-release: + needs: go-build + runs-on: windows-latest # for signtool + permissions: + contents: write # to upload archives as GitHub Releases + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 # for release notes + + - name: Download dist folder + uses: actions/download-artifact@v4 + with: + name: dist + + - name: Run GoReleaser + if: startsWith(github.ref, 'refs/tags/v') # only run this step on tagged commits + uses: goreleaser/goreleaser-action@v5 + with: + distribution: goreleaser-pro # either 'goreleaser' (default) or 'goreleaser-pro' + # version: latest + args: release --config .goreleaser-prebuilt.yml + workdir: src + env: + 
GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }} + GH_PAT_WINGET: ${{ secrets.GH_PAT_WINGET }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # GITHUB_TOKEN is limited to the current repository + # MACOS_CERTIFICATE_NAME: ${{ secrets.MACOS_CERTIFICATE_NAME }} + # MACOS_P12_BASE64: ${{ secrets.MACOS_P12_BASE64 }} + # MACOS_P12_PASSWORD: ${{ secrets.MACOS_P12_PASSWORD }} + # KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} DISCORD_WEBHOOK_ID: ${{ secrets.DISCORD_WEBHOOK_ID }} DISCORD_WEBHOOK_TOKEN: ${{ secrets.DISCORD_WEBHOOK_TOKEN }} @@ -165,7 +207,7 @@ jobs: MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }} MACOS_NOTARIZATION_APP_PW: ${{ secrets.MACOS_NOTARIZATION_APP_PW }} - post-build: + post-release: runs-on: ubuntu-latest needs: go-release diff --git a/flake.nix b/flake.nix index d9997d9c5..a085e5525 100644 --- a/flake.nix +++ b/flake.nix @@ -16,6 +16,7 @@ gnumake gnused # force Linux `sed` everywhere go_1_21 + goreleaser nixfmt nodejs_20 # for Pulumi, must match values in package.json pulumi-bin diff --git a/src/.goreleaser-prebuilt.yml b/src/.goreleaser-prebuilt.yml new file mode 100644 index 000000000..29314ae48 --- /dev/null +++ b/src/.goreleaser-prebuilt.yml 
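Review bot: With the job-level tag condition commented out, the `Run GoReleaser` and `Notarize macOS app` steps in `go-build` receive `MACOS_P12_BASE64`, `MACOS_P12_PASSWORD`, `KEYCHAIN_PASSWORD` and the notarization credentials on every ref that reaches this job, not only on `v*` tags; only the release step in `go-release` keeps the `if`. Presumably that makes every branch build a signed and notarized binary, retrievable through the uploaded `dist` artifact. Consider putting `if: startsWith(github.ref, 'refs/tags/v')` on the signing and notarization steps, or moving those secrets into a protected environment, so that untagged builds produce unsigned snapshots. `go-release` is also set to `windows-latest # for signtool`, but no Windows signing step is visible in the hunk.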
@@ -0,0 +1,102 @@ +# yaml-language-server: $schema=https://goreleaser.com/static/schema-pro.json +project_name: defang +builds: + - builder: prebuilt + goos: + - linux + - windows + - darwin + goarch: + - amd64 + - arm64 + # - 386 + goamd64: + - v1 + prebuilt: + path: dist-{{ .Os }}/defang_{{ .Os }}_{{ .Arch }}{{ with .Amd64 }}_{{ . }}{{ end }}/defang{{ .Ext }} + binary: defang + +source: + enabled: false + +archives: + - format_overrides: + - goos: darwin + format: zip + - goos: windows + format: zip + # replace "darwin" with "macOS" in the filename; replace "all" with ""; NOTE: if you change this, also change go.yml GitHub Actions workflow + name_template: '{{ .ProjectName }}_{{ .Version }}_{{ if eq .Os "darwin" }}macOS{{ else }}{{ .Os }}{{ end }}{{ if ne .Arch "all" }}_{{ .Arch }}{{ end }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}_{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}' + hooks: + after: + - '{{ if eq .Os "darwin" }}./bin/notarize.sh "{{ .Path }}"{{ else }}true{{ end }}' + +release: + github: + owner: DefangLabs + name: defang + header: | + # Defang CLI + This is the Command Line Interface (CLI) for [Defang](https://defang.io). This is a beta version and is provided as-is, intended primarily for testing purposes. + For alternative installation methods, please check the [README](https://github.com/DefangLabs/defang/blob/main/README.md). + ## Manual installation Instructions + 1. Download the archive file for your Operating System. + 2. Extract the archive. This should reveal the binary file for Defang. + 3. Manually place the binary file in a directory that's included in your system's `PATH` environment variable. + ### Additional Step for MacOS Users + If you're having trouble running the binary on MacOS, please check our [FAQs](https://docs.defang.io/docs/faq#im-having-trouble-running-the-binary-on-my-mac-what-should-i-do). 
+ + Please remember this software is in beta, so please report any issues or feedback through our GitHub page. Your help in improving Defang is greatly appreciated! + # mode: keep-existing + # draft: true + # replace_existing_draft: true + # prerelease: "true" + +nix: + # commit_author: defang-io + - homepage: https://defang.io/ + description: Defang is the easiest way for developers to create and deploy their containerized applications + license: "mit" + repository: + owner: DefangLabs + name: defang + post_install: | + installShellCompletion --cmd defang \ + --bash <($out/bin/defang completion bash) \ + --zsh <($out/bin/defang completion zsh) \ + --fish <($out/bin/defang completion fish) + +changelog: + filters: + exclude: + # Ignore messages like "defang: v0.5.3 -> v0.5.4" (which are actually for the previous version) + - "^defang: v[0-9]+\\.[0-9]+\\.[0-9]+ -> v[0-9]+\\.[0-9]+\\.[0-9]+$" + - "^Merge branch " + - "^Merge remote-tracking branch " + - "^New version: DefangLabs." + +winget: + - publisher: DefangLabs + name: Defang + short_description: The Defang command-line interface (CLI) + description: Defang is the easiest way for developers to create and deploy their containerized applications to the cloud. + license: MIT + publisher_url: https://defang.io/ + homepage: https://github.com/DefangLabs/defang/ + publisher_support_url: https://github.com/DefangLabs/defang/issues/ + repository: + token: "{{ .Env.GH_PAT_WINGET }}" + owner: DefangLabs + name: winget-pkgs + branch: "Defang-{{.Version}}" + pull_request: + enabled: true + draft: true + base: + owner: microsoft + name: winget-pkgs + branch: master + +announce: + discord: + enabled: true From 0dda7c34328ae4440ac02f72b5c18267c92b224e Mon Sep 17 00:00:00 2001 From: Lionello Lunesu Date: Fri, 28 Jun 2024 14:58:48 -0700 Subject: [PATCH 03/16] test with --snapshot --- .github/workflows/go.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
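Review bot: The archive `after` hook runs `./bin/notarize.sh` for darwin archives, and that script exits early unless `MACOS_NOTARIZATION_APPLE_ID`, `MACOS_NOTARIZATION_TEAM_ID` and `MACOS_NOTARIZATION_APP_PW` are set, yet the release step added to go.yml in this same commit does not pass them in its visible `env`. That step also runs on `windows-latest`, where `xcrun` is not available. Either pass the three variables to the release step and run it on a macOS runner, or drop the hook and keep notarization as the separate workflow step. The `prebuilt.path` of `dist-{{ .Os }}/…` also does not match where the workflow places the downloaded `dist` artifact, which has no `path:` set.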
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index aa1bd4295..65b2b56b0 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -139,7 +139,7 @@ jobs: with: # distribution: goreleaser-pro # either 'goreleaser' (default) or 'goreleaser-pro' # version: latest - args: build --clean + args: build --clean ${{ !startsWith(github.ref, 'refs/tags/v') && '--snapshot' }} workdir: src env: # GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }} From 469e4943ea3d6681f3f2dd1bc99ec24ad5961a84 Mon Sep 17 00:00:00 2001 From: Lionello Lunesu Date: Fri, 28 Jun 2024 15:40:25 -0700 Subject: [PATCH 04/16] parallelize windows and darwin --- .github/workflows/go.yml | 84 ++++++++++++++++++++++++++-------------- 1 file changed, 55 insertions(+), 29 deletions(-) diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index 65b2b56b0..9a1e71282 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml 
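Review bot: On a tag build the expression `${{ !startsWith(github.ref, 'refs/tags/v') && '--snapshot' }}` evaluates to the boolean `false`, which is interpolated as the text `false`, so `args` becomes `build --clean false` on exactly the runs that produce release binaries. Add an empty-string fallback: `args: build --clean ${{ !startsWith(github.ref, 'refs/tags/v') && '--snapshot' || '' }}`. The same expression is reused in the `go-build-win` and `go-build-mac` steps added later in this series.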
@@ -114,8 +114,41 @@ jobs: run: go run ./cmd/cli compose stop -f tests/sanity/compose.yaml --debug working-directory: src - go-build: - # if: startsWith(github.ref, 'refs/tags/v') # only run this step on tagged commits + go-build-win: + needs: go-test + runs-on: windows-latest # for signtool + steps: + - uses: actions/checkout@v4 + + - name: Set up Go + uses: actions/setup-go@v5 + with: + go-version-file: src/go.mod + cache-dependency-path: src/go.sum + + # - name: Download Go dependencies + # run: go mod download + # working-directory: src + + - name: Run GoReleaser + uses: goreleaser/goreleaser-action@v5 + with: + # distribution: goreleaser-pro # either 'goreleaser' (default) or 'goreleaser-pro' + # version: latest + args: build --id defang-cli ${{ !startsWith(github.ref, 'refs/tags/v') && '--snapshot' }} + workdir: src + + - name: Sign Windows app + shell: bash + run: echo TODO + + - name: Upload dist-win folder + uses: actions/upload-artifact@v4 + with: + name: dist-win + path: src/dist + + go-build-mac: needs: go-test runs-on: macos-latest # for codesign and notarytool steps: 
@@ -131,42 +164,40 @@ jobs: run: go mod download working-directory: src - - name: Install Nix (for nix-prefetch-url) - uses: cachix/install-nix-action@v26 - - name: Run GoReleaser uses: goreleaser/goreleaser-action@v5 with: # distribution: goreleaser-pro # either 'goreleaser' (default) or 'goreleaser-pro' # version: latest - args: build --clean ${{ !startsWith(github.ref, 'refs/tags/v') && '--snapshot' }} + args: build --id defang-mac ${{ !startsWith(github.ref, 'refs/tags/v') && '--snapshot' }} workdir: src env: - # GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }} - # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # GITHUB_TOKEN is limited to the current repository MACOS_CERTIFICATE_NAME: ${{ secrets.MACOS_CERTIFICATE_NAME }} MACOS_P12_BASE64: ${{ secrets.MACOS_P12_BASE64 }} MACOS_P12_PASSWORD: ${{ secrets.MACOS_P12_PASSWORD }} KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} - - name: Notarize macOS app + - name: Notarize macOS app # TODO: move to goreleaser.yml shell: bash run: | - bin/notarize.sh src/dist/defang_*_macOS.zip + bin/notarize.sh dist/defang_*_macOS.zip + working-directory: src env: MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }} MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }} MACOS_NOTARIZATION_APP_PW: ${{ secrets.MACOS_NOTARIZATION_APP_PW }} - - name: Upload dist folder + - name: Upload dist-mac folder uses: actions/upload-artifact@v4 with: - name: dist + name: dist-mac path: src/dist go-release: - needs: go-build - runs-on: windows-latest # for signtool + needs: + - go-build-mac + - go-build-win + runs-on: ubuntu-latest permissions: contents: write # to upload archives as GitHub Releases steps: 
@@ -174,10 +205,18 @@ jobs: with: fetch-depth: 0 # for release notes - - name: Download dist folder + - name: Install Nix (for nix-prefetch-url) + uses: cachix/install-nix-action@v26 + + - name: Download dist-mac folder + uses: actions/download-artifact@v4 + with: + name: dist-mac + + - name: Download dist-win folder uses: actions/download-artifact@v4 with: - name: dist + name: dist-win - name: Run GoReleaser if: startsWith(github.ref, 'refs/tags/v') # only run this step on tagged commits @@ -191,22 +230,9 @@ jobs: GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }} GH_PAT_WINGET: ${{ secrets.GH_PAT_WINGET }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # GITHUB_TOKEN is limited to the current repository - # MACOS_CERTIFICATE_NAME: ${{ secrets.MACOS_CERTIFICATE_NAME }} - # MACOS_P12_BASE64: ${{ secrets.MACOS_P12_BASE64 }} - # MACOS_P12_PASSWORD: ${{ secrets.MACOS_P12_PASSWORD }} - # KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} DISCORD_WEBHOOK_ID: ${{ secrets.DISCORD_WEBHOOK_ID }} DISCORD_WEBHOOK_TOKEN: ${{ secrets.DISCORD_WEBHOOK_TOKEN }} - - name: Notarize macOS app - shell: bash - run: | - bin/notarize.sh src/dist/defang_*_macOS.zip - env: - MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }} - MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }} - MACOS_NOTARIZATION_APP_PW: ${{ secrets.MACOS_NOTARIZATION_APP_PW }} - post-release: runs-on: ubuntu-latest needs: go-release From 114d9ddcc630694037adf91a3eb73b79fe48c9ed Mon Sep 17 00:00:00 2001 From: Lionello Lunesu Date: Fri, 28 Jun 2024 20:12:12 -0700 Subject: [PATCH 05/16] split --- .github/workflows/go.yml | 69 ++++++++++++++++++++++++++++------------ src/.goreleaser.yml | 15 +++++---- 2 files changed, 57 insertions(+), 27 deletions(-) diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index 9a1e71282..d6c214619 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml 
@@ -43,6 +43,7 @@ jobs: nix-shell-test: runs-on: ubuntu-latest + needs: go-test steps: - uses: actions/checkout@v4 @@ -54,7 +55,7 @@ jobs: - name: Check nix-shell default.nix run: | set -o pipefail - nix-shell --pure -E 'with import {}; mkShell { buildInputs = [ (import ./default.nix {}) ]; }' --run defang 2>&1 | sed -u 's|\s\+got:|::error file=pkgs/defang/cli.nix,line=6::Replace the vendorHash with the correct value:|' + nix-shell --pure -E 'with import {}; mkShell { buildInputs = [ (import ./default.nix {}) ]; }' --run defang 2>&1 | sed -u 's|\s\+got:|::error file=pkgs/defang/cli.nix,line=9::Replace the vendorHash with the correct value:|' # go-byoc-test: # runs-on: ubuntu-latest @@ -114,9 +115,14 @@ jobs: run: go run ./cmd/cli compose stop -f tests/sanity/compose.yaml --debug working-directory: src - go-build-win: + build-and-sign: + name: Build app and sign files with Trusted Signing + environment: release needs: go-test runs-on: windows-latest # for signtool + # permissions: + # contents: read + # id-token: write # for GitHub id-token auth steps: - uses: actions/checkout@v4 @@ -130,7 +136,7 @@ jobs: # run: go mod download # working-directory: src - - name: Run GoReleaser + - name: Run GoReleaser (Windows and Linux) uses: goreleaser/goreleaser-action@v5 with: # distribution: goreleaser-pro # either 'goreleaser' (default) or 'goreleaser-pro' 
@@ -138,9 +144,31 @@ jobs: args: build --id defang-cli ${{ !startsWith(github.ref, 'refs/tags/v') && '--snapshot' }} workdir: src - - name: Sign Windows app - shell: bash - run: echo TODO + - name: Trusted Signing + uses: Azure/trusted-signing-action@v0.3.20 + with: + azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }} + azure-client-id: ${{ secrets.AZURE_CLIENT_ID }} + azure-client-secret: ${{ secrets.AZURE_CLIENT_SECRET }} # FIXME: replace with OIDC + # azure-subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} TODO + endpoint: https://wus2.codesigning.azure.net/ # from Azure portal + trusted-signing-account-name: DefangLabs # from Azure portal + certificate-profile-name: signed-binary-test # from Azure portal + files-folder: ${{ github.workspace }}\src\dist + files-folder-filter: exe # no dll + file-digest: SHA256 + timestamp-rfc3161: http://timestamp.acs.microsoft.com + timestamp-digest: SHA256 + # exclude-environment-credential: false + # exclude-workload-identity-credential: true + # exclude-managed-identity-credential: true + # exclude-shared-token-cache-credential: true + # exclude-visual-studio-credential: true + # exclude-visual-studio-code-credential: true + # exclude-azure-cli-credential: true + # exclude-azure-powershell-credential: true + # exclude-azure-developer-cli-credential: true + # exclude-interactive-browser-credential: true - name: Upload dist-win folder uses: actions/upload-artifact@v4 @@ -148,7 +176,7 @@ jobs: name: dist-win path: src/dist - go-build-mac: + build-and-sign-mac: needs: go-test runs-on: macos-latest # for codesign and notarytool steps: @@ -164,7 +192,7 @@ jobs: run: go mod download working-directory: src - - name: Run GoReleaser + - name: Run GoReleaser (macOS) uses: goreleaser/goreleaser-action@v5 with: # distribution: goreleaser-pro # either 'goreleaser' (default) or 'goreleaser-pro' 
@@ -177,16 +205,6 @@ jobs: MACOS_P12_PASSWORD: ${{ secrets.MACOS_P12_PASSWORD }} KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} - - name: Notarize macOS app # TODO: move to goreleaser.yml - shell: bash - run: | - bin/notarize.sh dist/defang_*_macOS.zip - working-directory: src - env: - MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }} - MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }} - MACOS_NOTARIZATION_APP_PW: ${{ secrets.MACOS_NOTARIZATION_APP_PW }} - - name: Upload dist-mac folder uses: actions/upload-artifact@v4 with: @@ -194,9 +212,10 @@ jobs: path: src/dist go-release: + # environment: release needs: - - go-build-mac - - go-build-win + - build-and-sign-mac + - build-and-sign runs-on: ubuntu-latest permissions: contents: write # to upload archives as GitHub Releases @@ -233,6 +252,16 @@ jobs: DISCORD_WEBHOOK_ID: ${{ secrets.DISCORD_WEBHOOK_ID }} DISCORD_WEBHOOK_TOKEN: ${{ secrets.DISCORD_WEBHOOK_TOKEN }} + # - name: Notarize macOS app # TODO: move to goreleaser.yml + # shell: bash + # run: | + # bin/notarize.sh dist/defang_*_macOS.zip + # working-directory: src + # env: + # MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }} + # MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }} + # MACOS_NOTARIZATION_APP_PW: ${{ secrets.MACOS_NOTARIZATION_APP_PW }} + post-release: runs-on: ubuntu-latest needs: go-release diff --git a/src/.goreleaser.yml b/src/.goreleaser.yml index 542f21779..decac064c 100644 --- a/src/.goreleaser.yml +++ b/src/.goreleaser.yml @@ -9,9 +9,9 @@ builds: goarch: - amd64 - arm64 - hooks: - post: - - ./bin/codesign.sh "{{ .Path }}" + # hooks: + # post: + # - ./bin/codesign.sh "{{ .Path }}" - id: defang-cli main: ./cmd/cli 
@@ -31,12 +31,13 @@ universal_binaries: ids: - defang-mac replace: true - hooks: - post: - - ./bin/codesign.sh "{{ .Path }}" + # hooks: + # post: + # - ./bin/codesign.sh "{{ .Path }}" archives: - - format_overrides: + - id: defang-archive + format_overrides: - goos: darwin format: zip - goos: windows From b514df8127f543d70b7605e2e75c1b5ea1642c08 Mon Sep 17 00:00:00 2001 From: Lionello Lunesu Date: Fri, 28 Jun 2024 20:20:17 -0700 Subject: [PATCH 06/16] recurse --- .github/workflows/go.yml | 1 + src/.goreleaser.yml | 12 ++++++------ 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index d6c214619..8be405c63 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -156,6 +156,7 @@ jobs: certificate-profile-name: signed-binary-test # from Azure portal files-folder: ${{ github.workspace }}\src\dist files-folder-filter: exe # no dll + files-folder-recurse: true file-digest: SHA256 timestamp-rfc3161: http://timestamp.acs.microsoft.com timestamp-digest: SHA256 diff --git a/src/.goreleaser.yml b/src/.goreleaser.yml index decac064c..b111f8df0 100644 --- a/src/.goreleaser.yml +++ b/src/.goreleaser.yml @@ -9,9 +9,9 @@ builds: goarch: - amd64 - arm64 - # hooks: - # post: - # - ./bin/codesign.sh "{{ .Path }}" + hooks: + post: + - ./bin/codesign.sh "{{ .Path }}" - id: defang-cli main: ./cmd/cli @@ -31,9 +31,9 @@ universal_binaries: ids: - defang-mac replace: true - # hooks: - # post: - # - ./bin/codesign.sh "{{ .Path }}" + hooks: + post: + - ./bin/codesign.sh "{{ .Path }}" archives: - id: defang-archive From 129e28214c2c8eb31cf759df4176075bc8f0c72b Mon Sep 17 00:00:00 2001 From: Lionello Lunesu Date: Sun, 30 Jun 2024 06:57:39 -0700 Subject: [PATCH 07/16] use OIDC federated cred for Azure --- .github/workflows/go.yml | 37 +++++++++++++++++++++++-------------- 1 file changed, 23 insertions(+), 14 deletions(-) 
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index 8be405c63..683249366 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -144,13 +144,17 @@ jobs: args: build --id defang-cli ${{ !startsWith(github.ref, 'refs/tags/v') && '--snapshot' }} workdir: src + # From https://github.com/Azure/trusted-signing-action/pull/37 + - name: Azure login + uses: azure/login@v1 + with: + client-id: ${{ secrets.AZURE_CLIENT_ID }} + tenant-id: ${{ secrets.AZURE_TENANT_ID }} + subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} + - name: Trusted Signing uses: Azure/trusted-signing-action@v0.3.20 with: - azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }} - azure-client-id: ${{ secrets.AZURE_CLIENT_ID }} - azure-client-secret: ${{ secrets.AZURE_CLIENT_SECRET }} # FIXME: replace with OIDC - # azure-subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} TODO endpoint: https://wus2.codesigning.azure.net/ # from Azure portal trusted-signing-account-name: DefangLabs # from Azure portal certificate-profile-name: signed-binary-test # from Azure portal 
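Review bot: `azure/login@v1` with only `client-id`, `tenant-id` and `subscription-id` relies on GitHub's OIDC token, which the job can request only when it has `id-token: write`; the `permissions:` block on `build-and-sign` is still commented out earlier in the job, and no workflow-level grant is visible. Add `permissions:` with `id-token: write` and `contents: read` to the job, whose header is outside this hunk. It is also worth scoping the federated credential's subject on the Azure side as narrowly as the workflow allows, for example to the `release` environment this job declares, and pinning `azure/login` and `Azure/trusted-signing-action` to commit SHAs since they handle the signing identity.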
@@ -160,16 +164,16 @@ jobs: file-digest: SHA256 timestamp-rfc3161: http://timestamp.acs.microsoft.com timestamp-digest: SHA256 - # exclude-environment-credential: false - # exclude-workload-identity-credential: true - # exclude-managed-identity-credential: true - # exclude-shared-token-cache-credential: true - # exclude-visual-studio-credential: true - # exclude-visual-studio-code-credential: true - # exclude-azure-cli-credential: true - # exclude-azure-powershell-credential: true - # exclude-azure-developer-cli-credential: true - # exclude-interactive-browser-credential: true + exclude-environment-credential: true + exclude-workload-identity-credential: true + exclude-managed-identity-credential: true + exclude-shared-token-cache-credential: true + exclude-visual-studio-credential: true + exclude-visual-studio-code-credential: true + exclude-azure-cli-credential: false + exclude-azure-powershell-credential: true + exclude-azure-developer-cli-credential: true + exclude-interactive-browser-credential: true - name: Upload dist-win folder uses: actions/upload-artifact@v4 @@ -232,11 +236,16 @@ jobs: uses: actions/download-artifact@v4 with: name: dist-mac + path: src/dist - name: Download dist-win folder uses: actions/download-artifact@v4 with: name: dist-win + path: src/dist + + - name: List files + run: ls -l src/dist - name: Run GoReleaser if: startsWith(github.ref, 'refs/tags/v') # only run this step on tagged commits From 07e05a21655028c9213255b0857a1c80a3cd4e09 Mon Sep 17 00:00:00 2001 From: Lionello Lunesu Date: Sun, 30 Jun 2024 07:39:54 -0700 Subject: [PATCH 08/16] enable notarization --- .github/workflows/go.yml | 51 ++++++++++++++++++++-------------------- 1 file changed, 26 insertions(+), 25 deletions(-) diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index 683249366..3d59638c5 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml 
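Review bot: Both `dist-mac` and `dist-win` are now unpacked into the same `src/dist` directory, so any file the two builds emit under the same name is silently replaced by the second download, and `ls -l src/dist` is the only check before publishing. `src/.goreleaser-prebuilt.yml` from earlier in this series looks for binaries under `dist-{{ .Os }}/…`, which matches neither artifact name nor this path. Download each artifact into its own directory that the prebuilt `path` template resolves to, and consider a step that verifies the signatures of the downloaded binaries before `Run GoReleaser`.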
@@ -27,13 +27,13 @@ jobs: run: go test -test.short -v ./... working-directory: src - - name: Build MacOS binary - run: GOOS=darwin go build ./cmd/cli - working-directory: src + # - name: Build MacOS binary + # run: GOOS=darwin go build ./cmd/cli + # working-directory: src - - name: Build Windows binary - run: GOOS=windows go build ./cmd/cli - working-directory: src + # - name: Build Windows binary + # run: GOOS=windows go build ./cmd/cli + # working-directory: src - name: Verify Go modules working-directory: src @@ -132,10 +132,6 @@ jobs: go-version-file: src/go.mod cache-dependency-path: src/go.sum - # - name: Download Go dependencies - # run: go mod download - # working-directory: src - - name: Run GoReleaser (Windows and Linux) uses: goreleaser/goreleaser-action@v5 with: @@ -147,6 +143,7 @@ jobs: # From https://github.com/Azure/trusted-signing-action/pull/37 - name: Azure login uses: azure/login@v1 + if: startsWith(github.ref, 'refs/tags/v') # only run this step on tagged commits with: client-id: ${{ secrets.AZURE_CLIENT_ID }} tenant-id: ${{ secrets.AZURE_TENANT_ID }} @@ -154,6 +151,7 @@ jobs: - name: Trusted Signing uses: Azure/trusted-signing-action@v0.3.20 + if: startsWith(github.ref, 'refs/tags/v') # only run this step on tagged commits with: endpoint: https://wus2.codesigning.azure.net/ # from Azure portal trusted-signing-account-name: DefangLabs # from Azure portal @@ -180,8 +178,10 @@ jobs: with: name: dist-win path: src/dist + if-no-files-found: error build-and-sign-mac: + name: Build app and sign MacOS needs: go-test runs-on: macos-latest # for codesign and notarytool steps: @@ -193,9 +193,9 @@ jobs: go-version-file: src/go.mod cache-dependency-path: src/go.sum - - name: Download Go dependencies - run: go mod download - working-directory: src + # - name: Download Go dependencies + # run: go mod download + # working-directory: src - name: Run GoReleaser (macOS) uses: goreleaser/goreleaser-action@v5 
@@ -215,13 +215,15 @@ jobs: with: name: dist-mac path: src/dist + if-no-files-found: error go-release: # environment: release + if: startsWith(github.ref, 'refs/tags/v') # only run this step on tagged commits needs: - build-and-sign-mac - build-and-sign - runs-on: ubuntu-latest + runs-on: macos-latest # for notarization permissions: contents: write # to upload archives as GitHub Releases steps: @@ -245,10 +247,9 @@ jobs: path: src/dist - name: List files - run: ls -l src/dist + run: ls -lR src/dist - name: Run GoReleaser - if: startsWith(github.ref, 'refs/tags/v') # only run this step on tagged commits uses: goreleaser/goreleaser-action@v5 with: distribution: goreleaser-pro # either 'goreleaser' (default) or 'goreleaser-pro' @@ -262,15 +263,15 @@ jobs: DISCORD_WEBHOOK_ID: ${{ secrets.DISCORD_WEBHOOK_ID }} DISCORD_WEBHOOK_TOKEN: ${{ secrets.DISCORD_WEBHOOK_TOKEN }} - # - name: Notarize macOS app # TODO: move to goreleaser.yml - # shell: bash - # run: | - # bin/notarize.sh dist/defang_*_macOS.zip - # working-directory: src - # env: - # MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }} - # MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }} - # MACOS_NOTARIZATION_APP_PW: ${{ secrets.MACOS_NOTARIZATION_APP_PW }} + - name: Notarize macOS app # TODO: move to goreleaser.yml + shell: bash + run: | + bin/notarize.sh dist/defang_*_macOS.zip + working-directory: src + env: + MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }} + MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }} + MACOS_NOTARIZATION_APP_PW: ${{ secrets.MACOS_NOTARIZATION_APP_PW }} post-release: runs-on: ubuntu-latest From 9c261533aaaf160ae7612d75a93d9d1d906c18d6 Mon Sep 17 00:00:00 2001 From: Lionello Lunesu Date: Sun, 30 Jun 2024 11:09:00 -0700 Subject: [PATCH 09/16] speed up setup-go on Windows --- .github/workflows/go.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) 
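Review bot: The re-enabled `Notarize macOS app` step runs after `Run GoReleaser`, so the macOS zip has already been published as a GitHub Release before it is submitted, and `notarize.sh` calls `notarytool submit` without `--wait`, so the step succeeds as soon as the upload is accepted, whatever the notarization verdict turns out to be. Notarize before the release step (or from the archive hook in the GoReleaser config) and add `--wait` to the `xcrun notarytool submit` line in `src/bin/notarize.sh` so that a rejected submission fails the job. The step also passes a glob to a script that accepts exactly one argument.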
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index 3d59638c5..3aa09d86a 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -120,9 +120,10 @@ jobs: environment: release needs: go-test runs-on: windows-latest # for signtool - # permissions: - # contents: read - # id-token: write # for GitHub id-token auth + env: # from https://github.com/spiffe/spire/pull/5158 + GOPATH: 'D:\golang\go' + GOCACHE: 'D:\golang\cache' + GOMODCACHE: 'D:\golang\modcache' steps: - uses: actions/checkout@v4 From 4c790269310220f0ed26006ea7bd8bd9bc191e69 Mon Sep 17 00:00:00 2001 From: Lionello Lunesu Date: Sun, 30 Jun 2024 11:23:07 -0700 Subject: [PATCH 10/16] pre-download go deps --- .github/workflows/go.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index 3aa09d86a..b4a7a0eea 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -133,6 +133,10 @@ jobs: go-version-file: src/go.mod cache-dependency-path: src/go.sum + - name: Download Go dependencies + run: go mod download + working-directory: src + - name: Run GoReleaser (Windows and Linux) uses: goreleaser/goreleaser-action@v5 with: From 5690b4a606611c771eb91c8ee9a054fed22cc174 Mon Sep 17 00:00:00 2001 From: Lionello Lunesu Date: Sun, 30 Jun 2024 12:19:22 -0700 Subject: [PATCH 11/16] update flake.lock --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 4fb912424..ac31a7b65 100644 --- a/flake.lock +++ b/flake.lock @@ -5,11 +5,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1701680307, - "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", "owner": "numtide", "repo": "flake-utils", - "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", "type": "github" }, "original": { 
@@ -19,11 +19,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1704842529, - "narHash": "sha256-OTeQA+F8d/Evad33JMfuXC89VMetQbsU4qcaePchGr4=", + "lastModified": 1717112898, + "narHash": "sha256-7R2ZvOnvd9h8fDd65p0JnB7wXfUvreox3xFdYWd1BnY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "eabe8d3eface69f5bb16c18f8662a702f50c20d5", + "rev": "6132b0f6e344ce2fe34fc051b72fb46e34f668e0", "type": "github" }, "original": { From d369127e8ec8891ddf812a58b1f8e6dad3e696b5 Mon Sep 17 00:00:00 2001 From: Lionello Lunesu Date: Tue, 2 Jul 2024 10:07:08 -0700 Subject: [PATCH 12/16] add version target to Makefile --- src/Makefile | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/src/Makefile b/src/Makefile index f1e774c23..7e2cf3d8b 100644 --- a/src/Makefile +++ b/src/Makefile @@ -48,3 +48,16 @@ defang_darwin.zip: defang-arm64 defang-amd64 .PHONY: zips zips: defang_linux_amd64.zip defang_darwin.zip + +.PHONY: no-diff +no-diff: + git diff-index --quiet HEAD -- # check that there are no uncommitted changes + +.PHONY: pull +pull: + git pull + +.PHONY: version +version: no-diff pull test + git tag $$(git tag -l 'v*' --sort=-v:refname | head -n1 | awk -F. '{$$NF = $$NF + 1;} 1' OFS=.) + git push --follow-tags From 4b61b57bc5b6fafcbb110b2457dd391faac8f746 Mon Sep 17 00:00:00 2001 From: Lionello Lunesu Date: Tue, 2 Jul 2024 10:09:14 -0700 Subject: [PATCH 13/16] ensure no diff after go mod tidy --- src/Makefile | 6 +++--- src/README.md | 8 ++++++++ 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/src/Makefile b/src/Makefile index 7e2cf3d8b..9d5c46824 100644 --- a/src/Makefile +++ b/src/Makefile @@ -57,7 +57,7 @@ no-diff: pull: git pull -.PHONY: version -version: no-diff pull test +.PHONY: release +release: pull test no-diff git tag $$(git tag -l 'v*' --sort=-v:refname | head -n1 | awk -F. '{$$NF = $$NF + 1;} 1' OFS=.) - git push --follow-tags + git push --follow-tags --tags diff --git a/src/README.md b/src/README.md index 44a46f54e..2847871c2 100644 
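Review bot: In the `release` target, `git push --follow-tags --tags` pushes every tag in the local clone, not only the one created on the line above. A stray or stale local `v*` tag would therefore reach the remote and start the tag-gated release workflow. `--follow-tags` alone skips the new tag because `git tag NAME` creates a lightweight tag, which is presumably why `--tags` was added. Creating an annotated tag and pushing it by name in one recipe line avoids both problems: `tag=$$(git tag -l 'v*' --sort=-v:refname | head -n1 | awk -F. '{$$NF = $$NF + 1;} 1' OFS=.) && git tag -a "$$tag" -m "$$tag" && git push origin HEAD "$$tag"`.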
--- a/src/README.md +++ b/src/README.md @@ -19,3 +19,11 @@ To regenerate the `go.mod` file: ``` go mod tidy ``` + +## Release +To release a new version, run: +``` +make release +``` +This will create a new tag (incrementing the patch number) and push it to the +repository, triggering a new build on the CI/CD pipeline. From 12d6f7651784d8767d87a493ef0da79ce37137a2 Mon Sep 17 00:00:00 2001 From: Lionello Lunesu Date: Tue, 2 Jul 2024 10:25:05 -0700 Subject: [PATCH 14/16] remove build-and-sign from env --- .github/workflows/go.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index bf5fd87aa..9cb5c76cc 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -117,7 +117,6 @@ jobs: build-and-sign: name: Build app and sign files with Trusted Signing - environment: release needs: go-test runs-on: windows-latest # for signtool env: # from https://github.com/spiffe/spire/pull/5158 @@ -223,8 +222,8 @@ jobs: if-no-files-found: error go-release: - # environment: release if: startsWith(github.ref, 'refs/tags/v') # only run this step on tagged commits + environment: release needs: - build-and-sign-mac - build-and-sign From 4c4f5aa37651cb5c6c6958b7ff90eebcc83e1ffb Mon Sep 17 00:00:00 2001 From: Lionello Lunesu Date: Tue, 2 Jul 2024 10:55:26 -0700 Subject: [PATCH 15/16] fixes for CI --- .github/workflows/go.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index 9cb5c76cc..9e57aecf9 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -90,6 +90,8 @@ jobs: go-playground-test: runs-on: ubuntu-latest needs: go-test + env: + COMPOSE_PROJECT_NAME: ${{ github.run_id }} steps: - uses: actions/checkout@v4 
@@ -141,7 +143,7 @@ jobs: with: # distribution: goreleaser-pro # either 'goreleaser' (default) or 'goreleaser-pro' # version: latest - args: build --id defang-cli ${{ !startsWith(github.ref, 'refs/tags/v') && '--snapshot' }} + args: build --id defang-cli ${{ !startsWith(github.ref, 'refs/tags/v') && '--snapshot' || '' }} workdir: src # From https://github.com/Azure/trusted-signing-action/pull/37 @@ -206,7 +208,7 @@ jobs: with: # distribution: goreleaser-pro # either 'goreleaser' (default) or 'goreleaser-pro' # version: latest - args: build --id defang-mac ${{ !startsWith(github.ref, 'refs/tags/v') && '--snapshot' }} + args: build --id defang-mac ${{ !startsWith(github.ref, 'refs/tags/v') && '--snapshot' || '' }} workdir: src env: MACOS_CERTIFICATE_NAME: ${{ secrets.MACOS_CERTIFICATE_NAME }} From 198eec516b7b753f38eb81e4d2e6153420329d42 Mon Sep 17 00:00:00 2001 From: Lionello Lunesu Date: Tue, 2 Jul 2024 12:31:48 -0700 Subject: [PATCH 16/16] fix for Go CI --- .github/workflows/go.yml | 5 +++-- src/.goreleaser-prebuilt.yml | 22 +++++++++++----------- 2 files changed, 14 insertions(+), 13 deletions(-) diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index 9e57aecf9..e0be68d06 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -119,6 +119,7 @@ jobs: build-and-sign: name: Build app and sign files with Trusted Signing + environment: release needs: go-test runs-on: windows-latest # for signtool env: # from https://github.com/spiffe/spire/pull/5158 @@ -244,13 +245,13 @@ jobs: uses: actions/download-artifact@v4 with: name: dist-mac - path: src/dist + path: src/distx - name: Download dist-win folder uses: actions/download-artifact@v4 with: name: dist-win - path: src/dist + path: src/distx - name: List files run: ls -lR src/dist diff --git a/src/.goreleaser-prebuilt.yml b/src/.goreleaser-prebuilt.yml index 29314ae48..8bb61fd56 100644 --- a/src/.goreleaser-prebuilt.yml +++ b/src/.goreleaser-prebuilt.yml 
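Review bot: The `List files` step kept as context in the `@@ -244,13 +245,13 @@` hunk still runs `ls -lR src/dist`, although both download steps now write to `src/distx`. On a fresh runner `src/dist` presumably does not exist before GoReleaser runs, so `ls` would exit non-zero and fail `go-release`. Even if the directory exists, the listing no longer shows the prebuilt binaries that are about to be packaged. Point it at the new directory: `run: ls -lR src/distx`.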
@@ -13,7 +13,7 @@ builds: goamd64: - v1 prebuilt: - path: dist-{{ .Os }}/defang_{{ .Os }}_{{ .Arch }}{{ with .Amd64 }}_{{ . }}{{ end }}/defang{{ .Ext }} + path: distx/defang-{{ if eq .Os "darwin" }}mac{{ else }}cli{{ end }}_{{ .Os }}_{{ .Arch }}{{ with .Amd64 }}_{{ . }}{{ end }}/defang{{ .Ext }} binary: defang source: @@ -27,9 +27,9 @@ archives: format: zip # replace "darwin" with "macOS" in the filename; replace "all" with ""; NOTE: if you change this, also change go.yml GitHub Actions workflow name_template: '{{ .ProjectName }}_{{ .Version }}_{{ if eq .Os "darwin" }}macOS{{ else }}{{ .Os }}{{ end }}{{ if ne .Arch "all" }}_{{ .Arch }}{{ end }}{{ with .Arm }}v{{ . }}{{ end }}{{ with .Mips }}_{{ . }}{{ end }}{{ if not (eq .Amd64 "v1") }}{{ .Amd64 }}{{ end }}' - hooks: - after: - - '{{ if eq .Os "darwin" }}./bin/notarize.sh "{{ .Path }}"{{ else }}true{{ end }}' + # hooks: + # after: + # - '{{ if eq .Os "darwin" }}./bin/notarize.sh "{{ .Path }}"{{ else }}true{{ end }}' release: github: @@ -89,13 +89,13 @@ winget: owner: DefangLabs name: winget-pkgs branch: "Defang-{{.Version}}" - pull_request: - enabled: true - draft: true - base: - owner: microsoft - name: winget-pkgs - branch: master + # pull_request: + # enabled: true + # draft: true + # base: + # owner: microsoft + # name: winget-pkgs + # branch: master announce: discord: