From 4af0134a38de5c719b22ab7b70f79ef218dea2c6 Mon Sep 17 00:00:00 2001 From: Marek Sobolak Date: Wed, 16 Aug 2023 15:17:43 +0200 Subject: [PATCH 1/2] IOPS-1755 Use GH App Installation token for downloading libwebrtc assets --- azure-pipelines.yml | 155 +++++++++++++++++++++++++++++++++++--------- 1 file changed, 123 insertions(+), 32 deletions(-) diff --git a/azure-pipelines.yml b/azure-pipelines.yml index 2d982e650..3d8b07cd8 100644 --- a/azure-pipelines.yml +++ b/azure-pipelines.yml @@ -48,6 +48,8 @@ variables: value: RelWithDebInfo - name: LIBWEBRTC_VERSION value: 112.0 + - name: LIBWEBRTC_RELEASE_TAG + value: 'm112-release' - name: OBS_VERSION value: 1.5.1-28.1.2-m112 # for Mac code signing @@ -84,22 +86,60 @@ parameters: jobs: +- job: PreprocessingBuild + pool: + vmImage: 'ubuntu-22.04' + steps: + - checkout: none + - bash: | + python3 -m pip install jwt requests + echo ${GH_APP_RELEASECREATOR_TOKEN_PYTHON_SCRIPT} | base64 -d > $(Pipeline.Workspace)/generate_gh_app_installation_token.py + echo ${GH_APP_RELEASECREATOR_PRIV_KEY} | base64 -d > $(Pipeline.Workspace)/gh_app_priv_key.pem + export PEM_FILE=$(Pipeline.Workspace)/gh_app_priv_key.pem + export GH_ACCESS_TOKEN_1H_EXPIRATION=$( python3 '$(Pipeline.Workspace)'/generate_gh_app_installation_token.py ) + rm $(Pipeline.Workspace)/gh_app_priv_key.pem $(Pipeline.Workspace)/generate_gh_app_installation_token.py + echo "##vso[task.setvariable variable=GH_ACCESS_TOKEN_1H_EXPIRATION;issecret=true;isoutput=true]${GH_ACCESS_TOKEN_1H_EXPIRATION}" + echo "GH_ACCESS_TOKEN_1H_EXPIRATION is ready." + env: + GH_APP_RELEASECREATOR_TOKEN_PYTHON_SCRIPT: $(gh_releasecreator_generate_at_script) + GH_APP_RELEASECREATOR_PRIV_KEY: $(gh_releasecreator_app_priv_key_2) + GH_APP_ID: $(gh_releasecreator_app_id) + GH_APP_INSTALLATION_ID: $(gh_releasecreator_app_installation_id) + name: accessToken + displayName: 'Generate GH App Access Token' + - job: 'Build_macOS' timeoutInMinutes: 800 cancelTimeoutInMinutes: 800 pool: vmImage: 'macOS-12' + dependsOn: ['PreprocessingBuild'] + variables: + GH_ACCESS_TOKEN_1H_EXPIRATION: $[ dependencies.PreprocessingBuild.outputs['accessToken.GH_ACCESS_TOKEN_1H_EXPIRATION'] ] + LIBWEBRTC_ASSETS_PATTERN: "^libWebRTC-${{ variables.LIBWEBRTC_VERSION }}-.*64-Release-H264-OpenSSL_1_1_1.*.dmg.*" steps: - script: git submodule update --init --recursive displayName: 'Checkout Submodules' - - task: DownloadGitHubRelease@0 - inputs: - connection: 'github.com_ludocosmo' - userRepository: 'CoSMoSoftware/libwebrtc-cmake' - defaultVersionType: 'specificTag' - version: 'm112-release' - itemPattern: 'libWebRTC-${{ variables.LIBWEBRTC_VERSION }}-?(x|arm)64-Release-H264-OpenSSL_1_1_1?.dmg' - downloadPath: '$(System.DefaultWorkingDirectory)' + - bash: | + echo $(LIBWEBRTC_ASSETS_PATTERN) + export LIBWEBRTC_RELEASE_URL=$(curl -L -H "Accept: application/vnd.github+json" -H "Authorization: Bearer $(GH_ACCESS_TOKEN_1H_EXPIRATION)" -H "X-GitHub-Api-Version: 2022-11-28" https://api.github.com/repos/CoSMoSoftware/libwebrtc-cmake/releases/tags/${LIBWEBRTC_RELEASE_TAG} | jq .url | tr -d '"') + echo "LIBWEBRTC_RELEASE_URL: ${LIBWEBRTC_RELEASE_URL}" + curl -L -H "Accept: application/vnd.github+json" -H "Authorization: Bearer $(GH_ACCESS_TOKEN_1H_EXPIRATION)" -H "X-GitHub-Api-Version: 2022-11-28" ${LIBWEBRTC_RELEASE_URL}/assets > assets.json + for asset_pair in $(cat assets.json | jq '.[] | (.id|tostring) + "|" + .name' | tr -d '"') + do + asset_pair=( ${asset_pair//|/ } ) + if [[ $(echo ${asset_pair[1]} | grep -e $(LIBWEBRTC_ASSETS_PATTERN)) ]]; then + echo "Downloading ${asset_pair[1]} from GitHub - GH_ASSET_ID: ${asset_pair[0]}..." + curl -L -H "Accept: application/octet-stream" -H "Authorization: Bearer $(GH_ACCESS_TOKEN_1H_EXPIRATION)" -H "X-GitHub-Api-Version: 2022-11-28" https://api.github.com/repos/CoSMoSoftware/libwebrtc-cmake/releases/assets/${asset_pair[0]} > $(System.DefaultWorkingDirectory)/${asset_pair[1]} + fi + done + rm assets.json + ls -la $(System.DefaultWorkingDirectory) + env: + LIBWEBRTC_RELEASE_TAG: ${{ variables.LIBWEBRTC_RELEASE_TAG }} + name: libWebRTCassets + displayName: 'Download libwebrtc release assets' + - ${{ each arch in parameters.architectures }}: - script: TERM="" ./CI/macos/01_install_dependencies.sh --architecture ${{ arch }} displayName: '${{ arch }} Install dependencies' @@ -231,6 +271,10 @@ jobs: cancelTimeoutInMinutes: 300 pool: vmImage: 'windows-2022' + dependsOn: ['PreprocessingBuild'] + variables: + GH_ACCESS_TOKEN_1H_EXPIRATION: $[ dependencies.PreprocessingBuild.outputs['accessToken.GH_ACCESS_TOKEN_1H_EXPIRATION'] ] + LIBWEBRTC_ASSETS_PATTERN: "^libWebRTC-${{ variables.LIBWEBRTC_VERSION }}-x64-Mt-Release-.*.exe.*" steps: - task: DotNetCoreCLI@2 inputs: @@ -238,14 +282,31 @@ jobs: custom: 'tool' arguments: 'install --global azuresigntool' displayName: Install AzureSignTool - - task: DownloadGitHubRelease@0 - inputs: - connection: 'github.com_ludocosmo' - userRepository: 'CoSMoSoftware/libwebrtc-cmake' - defaultVersionType: 'specificTag' - version: 'm112-release' - itemPattern: 'libWebRTC-${{ variables.LIBWEBRTC_VERSION }}-x64-Mt-Release-*.exe' - downloadPath: '$(System.DefaultWorkingDirectory)' + - powershell: | + cmd.exe where type + $tmp_path = Join-Path -Path $(System.DefaultWorkingDirectory) -ChildPath assets.json + $env:LIBWEBRTC_RELEASE_URL = cmd.exe /c curl -L -H "Accept: application/vnd.github+json" -H "Authorization: Bearer $(GH_ACCESS_TOKEN_1H_EXPIRATION)" -H "X-GitHub-Api-Version: 2022-11-28" "https://api.github.com/repos/CoSMoSoftware/libwebrtc-cmake/releases/tags/$env:LIBWEBRTC_RELEASE_TAG" | jq -r .url + Write-Host $env:LIBWEBRTC_RELEASE_URL + + cmd.exe /c curl -L -H "Accept: application/vnd.github+json" -H "Authorization: Bearer $(GH_ACCESS_TOKEN_1H_EXPIRATION)" -H "X-GitHub-Api-Version: 2022-11-28" $env:LIBWEBRTC_RELEASE_URL/assets > assets.json + cmd.exe /c type .\assets.json | jq -r '.[] | (.id|tostring) + \"|\" + .name' > assets.txt + + Get-Content -Path .\assets.txt | ForEach-Object -Process { + $asset_pair = $_.Split("|") + if ( $asset_pair[1] -match "$(LIBWEBRTC_ASSETS_PATTERN)" ) { + $asset_path = Join-Path -Path $(System.DefaultWorkingDirectory) -ChildPath $asset_pair[1] + $asset_url = "https://api.github.com/repos/CoSMoSoftware/libwebrtc-cmake/releases/assets/" + $asset_pair[0] + Write-Host "Asset url:" $asset_url + Write-Host "Downloading " $asset_pair[1] " from GitHub - GH_ASSET_ID: " $asset_pair[0] "..." + cmd.exe /c curl -L -H "Accept: application/octet-stream" -H "Authorization: Bearer $(GH_ACCESS_TOKEN_1H_EXPIRATION)" -H "X-GitHub-Api-Version: 2022-11-28" $asset_url --output $asset_path + } + } + Get-ChildItem $(System.DefaultWorkingDirectory) + Remove-Item -Path .\assets.json + Remove-Item -Path .\assets.txt + env: + LIBWEBRTC_RELEASE_TAG: ${{ variables.LIBWEBRTC_RELEASE_TAG }} + displayName: Download libwebrtc - script: git submodule update --init --recursive displayName: 'Checkout Submodules' - powershell: ./CI/windows/01_install_dependencies.ps1 -BuildArch x64 @@ -342,15 +403,30 @@ jobs: - job: 'Build_Ubuntu_20_04' pool: vmImage: 'ubuntu-20.04' + dependsOn: PreprocessingBuild + variables: + GH_ACCESS_TOKEN_1H_EXPIRATION: $[ dependencies.PreprocessingBuild.outputs['accessToken.GH_ACCESS_TOKEN_1H_EXPIRATION'] ] + LIBWEBRTC_ASSETS_PATTERN: "^libWebRTC-${{ variables.LIBWEBRTC_VERSION }}-.*64-Release-.*.sh.*" steps: - - task: DownloadGitHubRelease@0 - inputs: - connection: 'github.com_ludocosmo' - userRepository: 'CoSMoSoftware/libwebrtc-cmake' - defaultVersionType: 'specificTag' - version: 'm112-release' - itemPattern: 'libWebRTC-${{ variables.LIBWEBRTC_VERSION }}-*64-Release-*.sh' - downloadPath: '$(System.DefaultWorkingDirectory)' + - bash: | + export LIBWEBRTC_RELEASE_URL=$(curl -L -H "Accept: application/vnd.github+json" -H "Authorization: Bearer $(GH_ACCESS_TOKEN_1H_EXPIRATION)" -H "X-GitHub-Api-Version: 2022-11-28" https://api.github.com/repos/CoSMoSoftware/libwebrtc-cmake/releases/tags/${LIBWEBRTC_RELEASE_TAG} | jq .url | tr -d '"') + echo "LIBWEBRTC_RELEASE_URL: ${LIBWEBRTC_RELEASE_URL}" + curl -L -H "Accept: application/vnd.github+json" -H "Authorization: Bearer $(GH_ACCESS_TOKEN_1H_EXPIRATION)" -H "X-GitHub-Api-Version: 2022-11-28" ${LIBWEBRTC_RELEASE_URL}/assets > assets.json + for asset_pair in $(cat assets.json | jq '.[] | (.id|tostring) + "|" + .name' | tr -d '"') + do + asset_pair=( ${asset_pair//|/ } ) + if [[ $(echo ${asset_pair[1]} | grep -e $(LIBWEBRTC_ASSETS_PATTERN)) ]]; then + echo "Downloading ${asset_pair[1]} from GitHub - GH_ASSET_ID: ${asset_pair[0]}..." + curl -L -H "Accept: application/octet-stream" -H "Authorization: Bearer $(GH_ACCESS_TOKEN_1H_EXPIRATION)" -H "X-GitHub-Api-Version: 2022-11-28" https://api.github.com/repos/CoSMoSoftware/libwebrtc-cmake/releases/assets/${asset_pair[0]} > $(System.DefaultWorkingDirectory)/${asset_pair[1]} + fi + done + rm assets.json + ls -la $(System.DefaultWorkingDirectory) + env: + LIBWEBRTC_RELEASE_TAG: ${{ variables.LIBWEBRTC_RELEASE_TAG }} + name: libWebRTCassets + displayName: 'Download libwebrtc release assets' + - bash: | git submodule update --init --recursive ./CI/linux/01_install_dependencies.sh --disable-pipewire @@ -404,15 +480,30 @@ jobs: - job: 'Build_Ubuntu_22_04' pool: vmImage: 'ubuntu-22.04' + dependsOn: PreprocessingBuild + variables: + GH_ACCESS_TOKEN_1H_EXPIRATION: $[ dependencies.PreprocessingBuild.outputs['accessToken.GH_ACCESS_TOKEN_1H_EXPIRATION'] ] + LIBWEBRTC_ASSETS_PATTERN: "^libWebRTC-${{ variables.LIBWEBRTC_VERSION }}-.*64-Release-.*.sh.*" steps: - - task: DownloadGitHubRelease@0 - inputs: - connection: 'github.com_ludocosmo' - userRepository: 'CoSMoSoftware/libwebrtc-cmake' - defaultVersionType: 'specificTag' - version: 'm112-release' - itemPattern: 'libWebRTC-${{ variables.LIBWEBRTC_VERSION }}-*64-Release-*.sh' - downloadPath: '$(System.DefaultWorkingDirectory)' + - bash: | + export LIBWEBRTC_RELEASE_URL=$(curl -L -H "Accept: application/vnd.github+json" -H "Authorization: Bearer $(GH_ACCESS_TOKEN_1H_EXPIRATION)" -H "X-GitHub-Api-Version: 2022-11-28" https://api.github.com/repos/CoSMoSoftware/libwebrtc-cmake/releases/tags/${LIBWEBRTC_RELEASE_TAG} | jq .url | tr -d '"') + echo "LIBWEBRTC_RELEASE_URL: ${LIBWEBRTC_RELEASE_URL}" + curl -L -H "Accept: application/vnd.github+json" -H "Authorization: Bearer $(GH_ACCESS_TOKEN_1H_EXPIRATION)" -H "X-GitHub-Api-Version: 2022-11-28" ${LIBWEBRTC_RELEASE_URL}/assets > assets.json + for asset_pair in $(cat assets.json | jq '.[] | (.id|tostring) + "|" + .name' | tr -d '"') + do + asset_pair=( ${asset_pair//|/ } ) + if [[ $(echo ${asset_pair[1]} | grep -e $(LIBWEBRTC_ASSETS_PATTERN)) ]]; then + echo "Downloading ${asset_pair[1]} from GitHub - GH_ASSET_ID: ${asset_pair[0]}..." + curl -L -H "Accept: application/octet-stream" -H "Authorization: Bearer $(GH_ACCESS_TOKEN_1H_EXPIRATION)" -H "X-GitHub-Api-Version: 2022-11-28" https://api.github.com/repos/CoSMoSoftware/libwebrtc-cmake/releases/assets/${asset_pair[0]} > $(System.DefaultWorkingDirectory)/${asset_pair[1]} + fi + done + rm assets.json + ls -la $(System.DefaultWorkingDirectory) + env: + LIBWEBRTC_RELEASE_TAG: ${{ variables.LIBWEBRTC_RELEASE_TAG }} + name: libWebRTCassets + displayName: 'Download libwebrtc release assets' + - bash: | git submodule update --init --recursive ./CI/linux/01_install_dependencies.sh --disable-pipewire From 9025510021d2dc7a6816367f43d0c86fddabb981 Mon Sep 17 00:00:00 2001 From: Marek Sobolak Date: Tue, 22 Aug 2023 12:22:32 +0200 Subject: [PATCH 2/2] IOPS-1760 implement sapi@dolby.com apple id --- azure-pipelines.yml | 31 +++++++++++++++---------------- 1 file changed, 15 insertions(+), 16 deletions(-) diff --git a/azure-pipelines.yml b/azure-pipelines.yml index 3d8b07cd8..4705dfd8b 100644 --- a/azure-pipelines.yml +++ b/azure-pipelines.yml @@ -139,7 +139,6 @@ jobs: LIBWEBRTC_RELEASE_TAG: ${{ variables.LIBWEBRTC_RELEASE_TAG }} name: libWebRTCassets displayName: 'Download libwebrtc release assets' - - ${{ each arch in parameters.architectures }}: - script: TERM="" ./CI/macos/01_install_dependencies.sh --architecture ${{ arch }} displayName: '${{ arch }} Install dependencies' @@ -154,8 +153,8 @@ jobs: - task: InstallAppleCertificate@2 displayName: '🔐 Install CoSMo Signing Certificate' inputs: - certSecureFile: Certificates.p12 - certPwd: $(certificatesLudoPassword) + certSecureFile: CertificatesCosmo.p12 + certPwd: $(certificatesCosmoPassword) - ${{ if eq( vendor, 'Wowza') }}: - task: InstallAppleCertificate@2 displayName: '🔐 Install Wowza Signing Certificate' @@ -181,42 +180,42 @@ jobs: env: CURRENT_ARCH: ${{ arch }} CODESIGN_TEAM_ID: $(apple_team_id) - CODESIGN_IDENT: $(ludo_apple_developer_identity) + CODESIGN_IDENT: $(apple_team_id) WOWZA_CODESIGN_IDENT: $(wowza_apple_developer_identity) - CODESIGN_IDENT_USER: $(ludo_apple_account_id) - NOTARIZE_APP_SPECIFIC_PASSWORD: $(ludo_apple_app_specific_password) + CODESIGN_IDENT_USER: $(sapi_apple_account_id) + NOTARIZE_APP_SPECIFIC_PASSWORD: $(sapi_apple_app_specific_password) - script: TERM="" ./CI/macos/03_package_obs.sh --codesign --notarize --build-dir build_${{ vendor }}_${{ arch }} --architecture ${{ arch }} --vendor ${{ vendor }} displayName: '${{ vendor }} ${{ arch }} Package, sign, notarize' env: CURRENT_ARCH: ${{ arch }} CODESIGN_TEAM_ID: $(apple_team_id) - CODESIGN_IDENT: $(ludo_apple_developer_identity) + CODESIGN_IDENT: $(apple_team_id) WOWZA_CODESIGN_IDENT: $(wowza_apple_developer_identity) - CODESIGN_IDENT_USER: $(ludo_apple_account_id) - NOTARIZE_APP_SPECIFIC_PASSWORD: $(ludo_apple_app_specific_password) + CODESIGN_IDENT_USER: $(sapi_apple_account_id) + NOTARIZE_APP_SPECIFIC_PASSWORD: $(sapi_apple_app_specific_password) # Generate OBS with obs-ndi plugin - script: TERM="" ./CI/macos/02_build_obs.sh --codesign --build-dir build_${{ vendor }}_${{ arch }} --architecture ${{ arch }} --vendor ${{ vendor }} --ndi displayName: '${{ vendor }} ${{ arch }} Build OBS + plugin obs-ndi' env: CURRENT_ARCH: ${{ arch }} CODESIGN_TEAM_ID: $(apple_team_id) - CODESIGN_IDENT: $(ludo_apple_developer_identity) + CODESIGN_IDENT: $(apple_team_id) WOWZA_CODESIGN_IDENT: $(wowza_apple_developer_identity) - CODESIGN_IDENT_USER: $(ludo_apple_account_id) - NOTARIZE_APP_SPECIFIC_PASSWORD: $(ludo_apple_app_specific_password) + CODESIGN_IDENT_USER: $(sapi_apple_account_id) + NOTARIZE_APP_SPECIFIC_PASSWORD: $(sapi_apple_app_specific_password) - script: TERM="" ./CI/macos/03_package_obs.sh --codesign --notarize --build-dir build_${{ vendor }}_${{ arch }} --architecture ${{ arch }} --vendor ${{ vendor }} --ndi displayName: '${{ vendor }} ${{ arch }} Package, sign, notarize' env: CURRENT_ARCH: ${{ arch }} CODESIGN_TEAM_ID: $(apple_team_id) - CODESIGN_IDENT: $(ludo_apple_developer_identity) + CODESIGN_IDENT: $(apple_team_id) WOWZA_CODESIGN_IDENT: $(wowza_apple_developer_identity) - CODESIGN_IDENT_USER: $(ludo_apple_account_id) - NOTARIZE_APP_SPECIFIC_PASSWORD: $(ludo_apple_app_specific_password) + CODESIGN_IDENT_USER: $(sapi_apple_account_id) + NOTARIZE_APP_SPECIFIC_PASSWORD: $(sapi_apple_app_specific_password) - ${{ if eq( vendor, 'Millicast') }}: - bash: | ls -l build_${{ vendor }}_${{ arch }} - displayName: ls + displayName: "List build_${{ vendor }}_${{ arch }} dir" - bash: | ARTIFACT_NAME=$(basename $(/usr/bin/find build_${{ vendor }}_${{ arch }} -type f -name "obs-webrtc-${OBS_VERSION}-macos-${{ arch }}.dmg" -depth 1 | head -1)) mkdir -p ./nightly_${{ vendor }}_${{ arch }}