Merge pull request #369 from CoSMoSoftware/CI/gh-actions

IOPS-1755 Use GH App Installation token for downloading libwebrtc assets
CoSMoSoftware · Aug 22, 2023 · 5d84781 · 5d84781
2 parents 5380d73 + dd2078a
commit 5d84781
Showing 1 changed file with 137 additions and 47 deletions.
diff --git a/azure-pipelines.yml b/azure-pipelines.yml
@@ -48,6 +48,8 @@ variables:
     value: RelWithDebInfo
   - name: LIBWEBRTC_VERSION
     value: 112.0
+  - name: LIBWEBRTC_RELEASE_TAG
+    value: 'm112-release'
   - name: OBS_VERSION
     value: 1.5.1-28.1.2-m112
 # for Mac code signing
@@ -84,22 +86,59 @@ parameters:
 
 
 jobs:
+- job: PreprocessingBuild
+  pool:
+    vmImage: 'ubuntu-22.04'
+  steps:
+  - checkout: none
+  - bash: |
+      python3 -m pip install jwt requests
+      echo ${GH_APP_RELEASECREATOR_TOKEN_PYTHON_SCRIPT} | base64 -d > $(Pipeline.Workspace)/generate_gh_app_installation_token.py
+      echo ${GH_APP_RELEASECREATOR_PRIV_KEY} | base64 -d > $(Pipeline.Workspace)/gh_app_priv_key.pem
+      export PEM_FILE=$(Pipeline.Workspace)/gh_app_priv_key.pem
+      export GH_ACCESS_TOKEN_1H_EXPIRATION=$( python3 '$(Pipeline.Workspace)'/generate_gh_app_installation_token.py )
+      rm $(Pipeline.Workspace)/gh_app_priv_key.pem $(Pipeline.Workspace)/generate_gh_app_installation_token.py
+      echo "##vso[task.setvariable variable=GH_ACCESS_TOKEN_1H_EXPIRATION;issecret=true;isoutput=true]${GH_ACCESS_TOKEN_1H_EXPIRATION}"
+      echo "GH_ACCESS_TOKEN_1H_EXPIRATION is ready."
+    env:
+      GH_APP_RELEASECREATOR_TOKEN_PYTHON_SCRIPT: $(gh_releasecreator_generate_at_script)
+      GH_APP_RELEASECREATOR_PRIV_KEY: $(gh_releasecreator_app_priv_key_2)
+      GH_APP_ID: $(gh_releasecreator_app_id)
+      GH_APP_INSTALLATION_ID: $(gh_releasecreator_app_installation_id)
+    name: accessToken
+    displayName: 'Generate GH App Access Token'
+
 - job: 'Build_macOS'
   timeoutInMinutes: 800
   cancelTimeoutInMinutes: 800
   pool:
     vmImage: 'macOS-12'
+  dependsOn: ['PreprocessingBuild']
+  variables:
+    GH_ACCESS_TOKEN_1H_EXPIRATION: $[ dependencies.PreprocessingBuild.outputs['accessToken.GH_ACCESS_TOKEN_1H_EXPIRATION'] ]
+    LIBWEBRTC_ASSETS_PATTERN: "^libWebRTC-${{ variables.LIBWEBRTC_VERSION }}-.*64-Release-H264-OpenSSL_1_1_1.*.dmg.*"
   steps:
   - script: git submodule update --init --recursive
     displayName: 'Checkout Submodules'
-  - task: DownloadGitHubRelease@0
-    inputs:
-      connection: 'github.com_ludocosmo'
-      userRepository: 'CoSMoSoftware/libwebrtc-cmake'
-      defaultVersionType: 'specificTag'
-      version: 'm112-release'
-      itemPattern: 'libWebRTC-${{ variables.LIBWEBRTC_VERSION }}-?(x|arm)64-Release-H264-OpenSSL_1_1_1?.dmg'
-      downloadPath: '$(System.DefaultWorkingDirectory)'
+  - bash: |
+      echo $(LIBWEBRTC_ASSETS_PATTERN)
+      export LIBWEBRTC_RELEASE_URL=$(curl -L -H "Accept: application/vnd.github+json" -H "Authorization: Bearer $(GH_ACCESS_TOKEN_1H_EXPIRATION)" -H "X-GitHub-Api-Version: 2022-11-28" https://api.github.com/repos/CoSMoSoftware/libwebrtc-cmake/releases/tags/${LIBWEBRTC_RELEASE_TAG} | jq .url | tr -d '"')
+      echo "LIBWEBRTC_RELEASE_URL: ${LIBWEBRTC_RELEASE_URL}"
+      curl -L -H "Accept: application/vnd.github+json" -H "Authorization: Bearer $(GH_ACCESS_TOKEN_1H_EXPIRATION)" -H "X-GitHub-Api-Version: 2022-11-28" ${LIBWEBRTC_RELEASE_URL}/assets > assets.json
+      for asset_pair in $(cat assets.json | jq '.[] | (.id|tostring) + "|" + .name' | tr -d '"')
+      do
+        asset_pair=( ${asset_pair//|/ } )
+        if [[ $(echo ${asset_pair[1]} | grep -e $(LIBWEBRTC_ASSETS_PATTERN)) ]]; then
+          echo "Downloading ${asset_pair[1]} from GitHub - GH_ASSET_ID: ${asset_pair[0]}..."
+          curl -L -H "Accept: application/octet-stream" -H "Authorization: Bearer $(GH_ACCESS_TOKEN_1H_EXPIRATION)" -H "X-GitHub-Api-Version: 2022-11-28" https://api.github.com/repos/CoSMoSoftware/libwebrtc-cmake/releases/assets/${asset_pair[0]} > $(System.DefaultWorkingDirectory)/${asset_pair[1]}
+        fi
+      done
+      rm assets.json
+      ls -la $(System.DefaultWorkingDirectory)
+    env:
+      LIBWEBRTC_RELEASE_TAG: ${{ variables.LIBWEBRTC_RELEASE_TAG }}
+    name: libWebRTCassets
+    displayName: 'Download libwebrtc release assets'
   - ${{ each arch in parameters.architectures }}:
     - script: TERM="" ./CI/macos/01_install_dependencies.sh --architecture ${{ arch }}
       displayName: '${{ arch }} Install dependencies'
@@ -114,8 +153,8 @@ jobs:
       - task: InstallAppleCertificate@2
         displayName: '🔐 Install CoSMo Signing Certificate'
         inputs:
-          certSecureFile: Certificates.p12
-          certPwd: $(certificatesLudoPassword)
+          certSecureFile: CertificatesCosmo.p12
+          certPwd: $(certificatesCosmoPassword)
     - ${{ if eq( vendor, 'Wowza') }}:
       - task: InstallAppleCertificate@2
         displayName: '🔐 Install Wowza Signing Certificate'
@@ -141,42 +180,42 @@ jobs:
         env:
           CURRENT_ARCH: ${{ arch }}
           CODESIGN_TEAM_ID: $(apple_team_id)
-          CODESIGN_IDENT: $(ludo_apple_developer_identity)
+          CODESIGN_IDENT: $(apple_team_id)
           WOWZA_CODESIGN_IDENT: $(wowza_apple_developer_identity)
-          CODESIGN_IDENT_USER: $(ludo_apple_account_id)
-          NOTARIZE_APP_SPECIFIC_PASSWORD: $(ludo_apple_app_specific_password)
+          CODESIGN_IDENT_USER: $(sapi_apple_account_id)
+          NOTARIZE_APP_SPECIFIC_PASSWORD: $(sapi_apple_app_specific_password)
       - script: TERM="" ./CI/macos/03_package_obs.sh --codesign --notarize --build-dir build_${{ vendor }}_${{ arch }} --architecture ${{ arch }} --vendor ${{ vendor }}
         displayName: '${{ vendor }} ${{ arch }} Package, sign, notarize'
         env:
           CURRENT_ARCH: ${{ arch }}
           CODESIGN_TEAM_ID: $(apple_team_id)
-          CODESIGN_IDENT: $(ludo_apple_developer_identity)
+          CODESIGN_IDENT: $(apple_team_id)
           WOWZA_CODESIGN_IDENT: $(wowza_apple_developer_identity)
-          CODESIGN_IDENT_USER: $(ludo_apple_account_id)
-          NOTARIZE_APP_SPECIFIC_PASSWORD: $(ludo_apple_app_specific_password)
+          CODESIGN_IDENT_USER: $(sapi_apple_account_id)
+          NOTARIZE_APP_SPECIFIC_PASSWORD: $(sapi_apple_app_specific_password)
       # Generate OBS with obs-ndi plugin
       - script: TERM="" ./CI/macos/02_build_obs.sh --codesign --build-dir build_${{ vendor }}_${{ arch }} --architecture ${{ arch }} --vendor ${{ vendor }} --ndi
         displayName: '${{ vendor }} ${{ arch }} Build OBS + plugin obs-ndi'
         env:
           CURRENT_ARCH: ${{ arch }}
           CODESIGN_TEAM_ID: $(apple_team_id)
-          CODESIGN_IDENT: $(ludo_apple_developer_identity)
+          CODESIGN_IDENT: $(apple_team_id)
           WOWZA_CODESIGN_IDENT: $(wowza_apple_developer_identity)
-          CODESIGN_IDENT_USER: $(ludo_apple_account_id)
-          NOTARIZE_APP_SPECIFIC_PASSWORD: $(ludo_apple_app_specific_password)
+          CODESIGN_IDENT_USER: $(sapi_apple_account_id)
+          NOTARIZE_APP_SPECIFIC_PASSWORD: $(sapi_apple_app_specific_password)
       - script: TERM="" ./CI/macos/03_package_obs.sh --codesign --notarize --build-dir build_${{ vendor }}_${{ arch }} --architecture ${{ arch }} --vendor ${{ vendor }} --ndi
         displayName: '${{ vendor }} ${{ arch }} Package, sign, notarize'
         env:
           CURRENT_ARCH: ${{ arch }}
           CODESIGN_TEAM_ID: $(apple_team_id)
-          CODESIGN_IDENT: $(ludo_apple_developer_identity)
+          CODESIGN_IDENT: $(apple_team_id)
           WOWZA_CODESIGN_IDENT: $(wowza_apple_developer_identity)
-          CODESIGN_IDENT_USER: $(ludo_apple_account_id)
-          NOTARIZE_APP_SPECIFIC_PASSWORD: $(ludo_apple_app_specific_password)
+          CODESIGN_IDENT_USER: $(sapi_apple_account_id)
+          NOTARIZE_APP_SPECIFIC_PASSWORD: $(sapi_apple_app_specific_password)
       - ${{ if eq( vendor, 'Millicast') }}:
         - bash: |
             ls -l build_${{ vendor }}_${{ arch }}
-          displayName: ls
+          displayName: "List build_${{ vendor }}_${{ arch }} dir"
         - bash: |
             ARTIFACT_NAME=$(basename $(/usr/bin/find build_${{ vendor }}_${{ arch }} -type f -name "obs-webrtc-${OBS_VERSION}-macos-${{ arch }}.dmg" -depth 1 | head -1))
             mkdir -p ./nightly_${{ vendor }}_${{ arch }}
@@ -231,21 +270,42 @@ jobs:
   cancelTimeoutInMinutes: 300
   pool:
     vmImage: 'windows-2022'
+  dependsOn: ['PreprocessingBuild']
+  variables:
+    GH_ACCESS_TOKEN_1H_EXPIRATION: $[ dependencies.PreprocessingBuild.outputs['accessToken.GH_ACCESS_TOKEN_1H_EXPIRATION'] ]
+    LIBWEBRTC_ASSETS_PATTERN: "^libWebRTC-${{ variables.LIBWEBRTC_VERSION }}-x64-Mt-Release-.*.exe.*"
   steps:
   - task: DotNetCoreCLI@2
     inputs:
       command: 'custom'
       custom: 'tool'
       arguments: 'install --global azuresigntool'
     displayName: Install AzureSignTool
-  - task: DownloadGitHubRelease@0
-    inputs:
-      connection: 'github.com_ludocosmo'
-      userRepository: 'CoSMoSoftware/libwebrtc-cmake'
-      defaultVersionType: 'specificTag'
-      version: 'm112-release'
-      itemPattern: 'libWebRTC-${{ variables.LIBWEBRTC_VERSION }}-x64-Mt-Release-*.exe'
-      downloadPath: '$(System.DefaultWorkingDirectory)'
+  - powershell: |
+      cmd.exe where type
+      $tmp_path = Join-Path -Path $(System.DefaultWorkingDirectory) -ChildPath assets.json
+      $env:LIBWEBRTC_RELEASE_URL = cmd.exe /c curl -L -H "Accept: application/vnd.github+json" -H "Authorization: Bearer $(GH_ACCESS_TOKEN_1H_EXPIRATION)" -H "X-GitHub-Api-Version: 2022-11-28" "https://api.github.com/repos/CoSMoSoftware/libwebrtc-cmake/releases/tags/$env:LIBWEBRTC_RELEASE_TAG" | jq -r .url
+      Write-Host $env:LIBWEBRTC_RELEASE_URL
+
+      cmd.exe /c curl -L -H "Accept: application/vnd.github+json" -H "Authorization: Bearer $(GH_ACCESS_TOKEN_1H_EXPIRATION)" -H "X-GitHub-Api-Version: 2022-11-28" $env:LIBWEBRTC_RELEASE_URL/assets > assets.json
+      cmd.exe /c type .\assets.json | jq -r '.[] | (.id|tostring) + \"|\" + .name' > assets.txt
+
+      Get-Content -Path .\assets.txt | ForEach-Object -Process {
+        $asset_pair = $_.Split("|")
+        if ( $asset_pair[1] -match "$(LIBWEBRTC_ASSETS_PATTERN)" ) {
+          $asset_path = Join-Path -Path $(System.DefaultWorkingDirectory) -ChildPath $asset_pair[1]
+          $asset_url = "https://api.github.com/repos/CoSMoSoftware/libwebrtc-cmake/releases/assets/" + $asset_pair[0]
+          Write-Host "Asset url:" $asset_url
+          Write-Host "Downloading " $asset_pair[1] " from GitHub - GH_ASSET_ID: " $asset_pair[0] "..."
+          cmd.exe /c curl -L -H "Accept: application/octet-stream" -H "Authorization: Bearer $(GH_ACCESS_TOKEN_1H_EXPIRATION)" -H "X-GitHub-Api-Version: 2022-11-28" $asset_url --output $asset_path
+        }
+      }
+      Get-ChildItem $(System.DefaultWorkingDirectory)
+      Remove-Item -Path .\assets.json
+      Remove-Item -Path .\assets.txt
+    env:
+      LIBWEBRTC_RELEASE_TAG: ${{ variables.LIBWEBRTC_RELEASE_TAG }}
+    displayName: Download libwebrtc
   - script: git submodule update --init --recursive
     displayName: 'Checkout Submodules'
   - powershell: ./CI/windows/01_install_dependencies.ps1 -BuildArch x64
@@ -342,15 +402,30 @@ jobs:
 - job: 'Build_Ubuntu_20_04'
   pool:
     vmImage: 'ubuntu-20.04'
+  dependsOn: PreprocessingBuild
+  variables:
+    GH_ACCESS_TOKEN_1H_EXPIRATION: $[ dependencies.PreprocessingBuild.outputs['accessToken.GH_ACCESS_TOKEN_1H_EXPIRATION'] ]
+    LIBWEBRTC_ASSETS_PATTERN: "^libWebRTC-${{ variables.LIBWEBRTC_VERSION }}-.*64-Release-.*.sh.*"
   steps:
-  - task: DownloadGitHubRelease@0
-    inputs:
-      connection: 'github.com_ludocosmo'
-      userRepository: 'CoSMoSoftware/libwebrtc-cmake'
-      defaultVersionType: 'specificTag'
-      version: 'm112-release'
-      itemPattern: 'libWebRTC-${{ variables.LIBWEBRTC_VERSION }}-*64-Release-*.sh'
-      downloadPath: '$(System.DefaultWorkingDirectory)'
+  - bash: |
+      export LIBWEBRTC_RELEASE_URL=$(curl -L -H "Accept: application/vnd.github+json" -H "Authorization: Bearer $(GH_ACCESS_TOKEN_1H_EXPIRATION)" -H "X-GitHub-Api-Version: 2022-11-28" https://api.github.com/repos/CoSMoSoftware/libwebrtc-cmake/releases/tags/${LIBWEBRTC_RELEASE_TAG} | jq .url | tr -d '"')
+      echo "LIBWEBRTC_RELEASE_URL: ${LIBWEBRTC_RELEASE_URL}"
+      curl -L -H "Accept: application/vnd.github+json" -H "Authorization: Bearer $(GH_ACCESS_TOKEN_1H_EXPIRATION)" -H "X-GitHub-Api-Version: 2022-11-28" ${LIBWEBRTC_RELEASE_URL}/assets > assets.json
+      for asset_pair in $(cat assets.json | jq '.[] | (.id|tostring) + "|" + .name' | tr -d '"')
+      do
+        asset_pair=( ${asset_pair//|/ } )
+        if [[ $(echo ${asset_pair[1]} | grep -e $(LIBWEBRTC_ASSETS_PATTERN)) ]]; then
+          echo "Downloading ${asset_pair[1]} from GitHub - GH_ASSET_ID: ${asset_pair[0]}..."
+          curl -L -H "Accept: application/octet-stream" -H "Authorization: Bearer $(GH_ACCESS_TOKEN_1H_EXPIRATION)" -H "X-GitHub-Api-Version: 2022-11-28" https://api.github.com/repos/CoSMoSoftware/libwebrtc-cmake/releases/assets/${asset_pair[0]} > $(System.DefaultWorkingDirectory)/${asset_pair[1]}
+        fi
+      done
+      rm assets.json
+      ls -la $(System.DefaultWorkingDirectory)
+    env:
+      LIBWEBRTC_RELEASE_TAG: ${{ variables.LIBWEBRTC_RELEASE_TAG }}
+    name: libWebRTCassets
+    displayName: 'Download libwebrtc release assets'
+
   - bash: |
       git submodule update --init --recursive
       ./CI/linux/01_install_dependencies.sh --disable-pipewire
@@ -404,15 +479,30 @@ jobs:
 - job: 'Build_Ubuntu_22_04'
   pool:
     vmImage: 'ubuntu-22.04'
+  dependsOn: PreprocessingBuild
+  variables:
+    GH_ACCESS_TOKEN_1H_EXPIRATION: $[ dependencies.PreprocessingBuild.outputs['accessToken.GH_ACCESS_TOKEN_1H_EXPIRATION'] ]
+    LIBWEBRTC_ASSETS_PATTERN: "^libWebRTC-${{ variables.LIBWEBRTC_VERSION }}-.*64-Release-.*.sh.*"
   steps:
-  - task: DownloadGitHubRelease@0
-    inputs:
-      connection: 'github.com_ludocosmo'
-      userRepository: 'CoSMoSoftware/libwebrtc-cmake'
-      defaultVersionType: 'specificTag'
-      version: 'm112-release'
-      itemPattern: 'libWebRTC-${{ variables.LIBWEBRTC_VERSION }}-*64-Release-*.sh'
-      downloadPath: '$(System.DefaultWorkingDirectory)'
+  - bash: |
+      export LIBWEBRTC_RELEASE_URL=$(curl -L -H "Accept: application/vnd.github+json" -H "Authorization: Bearer $(GH_ACCESS_TOKEN_1H_EXPIRATION)" -H "X-GitHub-Api-Version: 2022-11-28" https://api.github.com/repos/CoSMoSoftware/libwebrtc-cmake/releases/tags/${LIBWEBRTC_RELEASE_TAG} | jq .url | tr -d '"')
+      echo "LIBWEBRTC_RELEASE_URL: ${LIBWEBRTC_RELEASE_URL}"
+      curl -L -H "Accept: application/vnd.github+json" -H "Authorization: Bearer $(GH_ACCESS_TOKEN_1H_EXPIRATION)" -H "X-GitHub-Api-Version: 2022-11-28" ${LIBWEBRTC_RELEASE_URL}/assets > assets.json
+      for asset_pair in $(cat assets.json | jq '.[] | (.id|tostring) + "|" + .name' | tr -d '"')
+      do
+        asset_pair=( ${asset_pair//|/ } )
+        if [[ $(echo ${asset_pair[1]} | grep -e $(LIBWEBRTC_ASSETS_PATTERN)) ]]; then
+          echo "Downloading ${asset_pair[1]} from GitHub - GH_ASSET_ID: ${asset_pair[0]}..."
+          curl -L -H "Accept: application/octet-stream" -H "Authorization: Bearer $(GH_ACCESS_TOKEN_1H_EXPIRATION)" -H "X-GitHub-Api-Version: 2022-11-28" https://api.github.com/repos/CoSMoSoftware/libwebrtc-cmake/releases/assets/${asset_pair[0]} > $(System.DefaultWorkingDirectory)/${asset_pair[1]}
+        fi
+      done
+      rm assets.json
+      ls -la $(System.DefaultWorkingDirectory)
+    env:
+      LIBWEBRTC_RELEASE_TAG: ${{ variables.LIBWEBRTC_RELEASE_TAG }}
+    name: libWebRTCassets
+    displayName: 'Download libwebrtc release assets'
+
   - bash: |
       git submodule update --init --recursive
       ./CI/linux/01_install_dependencies.sh --disable-pipewire