Build Redis CE MacOS Binary Distributions

Redis 8.0.0 - Binaries (#8) #8

Workflow file for this run

.github/workflows/build-binary-dists.yml at d830c7e

	name: Build Redis CE MacOS Binary Distributions

	on:
	push:
	branches: [ main ]
	paths:
	- '.github/workflows/build-binary-dists.yml'
	- 'configs/**'
	- 'scripts/**'

	pull_request:
	branches: [ main ]
	types: [ labeled ]
	paths:
	- '.github/workflows/build-binary-dists.yml'
	- 'configs/**'
	- 'scripts/**'

	permissions:
	id-token: write
	contents: read

	jobs:
	set_variables:
	name: Extract variables from JSON config
	if: ${{ (github.event.label.name == 'build-binary-dists') \|\| (github.event_name == 'push' && github.ref == 'refs/heads/main') }}
	runs-on: ubuntu-latest
	outputs:
	redis_version: ${{ steps.read-attribute.outputs.redis_version }}
	steps:
	- name: Checkout repository
	uses: actions/checkout@v4

	- id: version
	run: \|
	echo "json<<EOF" >> "$GITHUB_OUTPUT"
	cat ./configs/redis_version.json >> "$GITHUB_OUTPUT"
	echo >> "$GITHUB_OUTPUT"
	echo "EOF" >> "$GITHUB_OUTPUT"

	- name: Extract redis_version
	id: read-attribute
	run: echo "redis_version=${{fromJson(steps.version.outputs.json).ref}}" >> "$GITHUB_OUTPUT"

	build:
	if: ${{ (github.event.label.name == 'build-binary-dists') \|\| (github.event_name == 'push' && github.ref == 'refs/heads/main') }}
	needs: [set_variables]
	name: Build Redis CE MacOS Binary Distributions
	strategy:
	fail-fast: false
	matrix:
	os_version: # See: https://github.com/actions/runner-images/blob/main/README.md#available-images
	- macos-13 # macOS 13 x86_64
	- macos-13-xlarge # macOS 13 arm64

	runs-on: ${{ matrix.os_version }}

	steps:
	- uses: actions/checkout@v4

	- name: Install build dependencies
	run: \|
	scripts/install_deps.sh

	- name: Build Redis CE
	id: build
	run: \|
	scripts/build.sh ${{ needs.set_variables.outputs.redis_version }}
	echo "UNSIGNED_REDIS_BINARY=unsigned-redis-ce-${{ needs.set_variables.outputs.redis_version }}-$(uname -m).zip" >> $GITHUB_OUTPUT

	- name: Upload Redis CE Binary Distribution
	uses: actions/upload-artifact@v4
	with:
	path: ./${{ steps.build.outputs.UNSIGNED_REDIS_BINARY }}
	name: ${{ steps.build.outputs.UNSIGNED_REDIS_BINARY }}

	- name: Setup Keychain and Certificate
	if: github.event_name == 'push' && github.ref == 'refs/heads/main'
	run: \|
	# Decode and save certificate
	echo "${{ secrets.MACOS_CERTIFICATE }}" \| base64 --decode > certificate.p12

	# Create and configure keychain
	security create-keychain -p "${{ secrets.MACOS_KEYCHAIN_PASSWORD }}" build.keychain
	security unlock-keychain -p "${{ secrets.MACOS_KEYCHAIN_PASSWORD }}" build.keychain
	security set-keychain-settings -t 3600 -l build.keychain

	# Add to search list and set as default
	security list-keychains -d user -s build.keychain login.keychain
	security default-keychain -s build.keychain

	# Import and trust certificate
	security import certificate.p12 -k build.keychain -P "${{ secrets.MACOS_CERTIFICATE_PASSWORD }}" -T /usr/bin/codesign
	security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${{ secrets.MACOS_KEYCHAIN_PASSWORD }}" build.keychain

	# Debug certificate presence
	security find-identity -v -p codesigning build.keychain

	- name: Sign Binaries
	if: github.event_name == 'push' && github.ref == 'refs/heads/main'
	id: sign
	run: \|
	# Get identity from specific keychain
	CODESIGN_IDENTITY=$(security find-identity -v -p codesigning build.keychain \| grep -o '[0-9A-F]\{40\}' \| head -n 1)
	echo "Using identity: ${CODESIGN_IDENTITY}"

	# Check if entitlements file exists
	if [ ! -f configs/entitlements.xml ]; then
	echo "Entitlements file not found!"
	exit 1
	fi

	# Sign binaries with explicit keychain
	for i in $(ls build_dir/bin); do
	/usr/bin/codesign --keychain build.keychain --options=runtime --timestamp -v --sign "${CODESIGN_IDENTITY}" --entitlements configs/entitlements.xml -f build_dir/bin/$i
	done

	# Sign libraries with explicit keychain
	for i in $(ls build_dir/lib/redis/modules); do
	/usr/bin/codesign --keychain build.keychain --options=runtime --timestamp -v --sign "${CODESIGN_IDENTITY}" --entitlements configs/entitlements.xml -f build_dir/lib/redis/modules/$i
	done

	# Create distribution archive
	(cd build_dir && zip -r ../redis-ce-${{ needs.set_variables.outputs.redis_version }}-$(uname -m).zip .)
	echo "REDIS_BINARY=redis-ce-${{ needs.set_variables.outputs.redis_version }}-$(uname -m).zip" >> $GITHUB_OUTPUT

	- name: Notarize Redis CE Binary Distribution
	if: github.event_name == 'push' && github.ref == 'refs/heads/main'
	run: \|
	sh scripts/notarize.sh ${{ steps.sign.outputs.REDIS_BINARY }} com.redis.redis ${{ secrets.MAC_NOTARIZE_USERNAME }} ${{ secrets.MAC_NOTARIZE_PASSWORD }} ${{ secrets.MAC_NOTARIZE_TEAM_ID }}

	- uses: aws-actions/configure-aws-credentials@v4
	if: github.event_name == 'push' && github.ref == 'refs/heads/main'
	with:
	aws-region: ${{ secrets.S3_REGION }}
	role-to-assume: ${{ secrets.S3_IAM_ARN }}

	- name: Upload Redis CE Binary Distribution to S3
	if: github.event_name == 'push' && github.ref == 'refs/heads/main'
	run: \|
	aws s3 cp ${{ steps.sign.outputs.REDIS_BINARY }} s3://${{ secrets.S3_BUCKET }}/homebrew/ --acl public-read

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Redis 8.0.0 - Binaries (#8) #8

Workflow file

Redis 8.0.0 - Binaries (#8) #8

Uh oh!

Jobs

Run details

Workflow file for this run