From a2e6fc9f2a841c3376623629d553caa26d2f4028 Mon Sep 17 00:00:00 2001
From: David Lane <42013603+ReenigneArcher@users.noreply.github.com>
Date: Wed, 12 Nov 2025 10:48:21 -0500
Subject: [PATCH] ci: harden workflows (#4412)
---
 .github/workflows/ci-flatpak.yml | 39 +++++++++++++++++--------------
 .github/workflows/ci-freebsd.yml | 8 +++----
 .github/workflows/ci-homebrew.yml | 30 ++++++++++++++----------
 .github/workflows/ci-linux.yml | 13 ++++-------
 .github/workflows/ci-windows.yml | 6 ++---
 .github/workflows/ci.yml | 8 +++----
 .github/workflows/localize.yml | 21 +++++++++--------
 7 files changed, 65 insertions(+), 60 deletions(-)
diff --git a/.github/workflows/ci-flatpak.yml b/.github/workflows/ci-flatpak.yml
index d2a84f64..d3184d7e 100644
--- a/.github/workflows/ci-flatpak.yml
+++ b/.github/workflows/ci-flatpak.yml
@@ -18,6 +18,7 @@ jobs:
 name: ${{ matrix.arch }}
 env:
 APP_ID: dev.lizardbyte.app.Sunshine
+ MATRIX_ARCH: ${{ matrix.arch }}
 NODE_VERSION: "20"
 PLATFORM_VERSION: "24.08"
 runs-on: ${{ matrix.runner }}
@@ -75,9 +76,9 @@ jobs:
 sudo su "$(whoami)" -c "flatpak --user install -y flathub \
 org.flatpak.Builder \
- org.freedesktop.Platform/${{ matrix.arch }}/${PLATFORM_VERSION} \
- org.freedesktop.Sdk/${{ matrix.arch }}/${PLATFORM_VERSION} \
- org.freedesktop.Sdk.Extension.node${NODE_VERSION}/${{ matrix.arch }}/${PLATFORM_VERSION} \
+ org.freedesktop.Platform/${MATRIX_ARCH}/${PLATFORM_VERSION} \
+ org.freedesktop.Sdk/${MATRIX_ARCH}/${PLATFORM_VERSION} \
+ org.freedesktop.Sdk.Extension.node${NODE_VERSION}/${MATRIX_ARCH}/${PLATFORM_VERSION} \
 "
 flatpak run org.flatpak.Builder --version
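Review bot: `${MATRIX_ARCH}` inside the `-c "..."` string of the `sudo su` line is expanded by the step shell and the resulting text is then parsed again as a script by the shell that `su -c` starts, so the value is still interpreted twice; the same shape recurs in the `--arch=${MATRIX_ARCH}` lines of the two later hunks of this file. Because `matrix.arch` is declared in the workflow itself the value is repository-controlled and this is acceptable as written, but it is not the same guarantee the quoting elsewhere in the commit provides. A comment above the `sudo su` line such as `# the inner shell re-parses this string; only substitute values declared in this workflow's matrix` would make the constraint explicit, or the `-c` script can be single-quoted so the inner shell expands `"${MATRIX_ARCH}"` itself, provided `su` preserves the exported environment. The `run:` block of this step starts above the hunk.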
@@ -99,17 +100,19 @@ jobs:
 - name: Configure Flatpak Manifest
 env:
- BRANCH: ${{ github.ref }}
+ INPUT_RELEASE_VERSION: ${{ inputs.release_version }}
+ INPUT_RELEASE_COMMIT: ${{ inputs.release_commit }}
+ REPOSITORY_CLONE_URL: ${{ github.event.repository.clone_url }}
 run: |
 # variables for manifest
- branch="${BRANCH}"
- build_version="${{ inputs.release_version }}"
- commit="${{ inputs.release_commit }}"
- clone_url="${{ github.event.repository.clone_url }}"
+ branch="${GITHUB_REF}"
+ build_version="${INPUT_RELEASE_VERSION}"
+ commit="${INPUT_RELEASE_COMMIT}"
+ clone_url="${REPOSITORY_CLONE_URL}"
- if [ "${{ github.event_name }}" == "push" ]; then
+ if [ "${GITHUB_EVENT_NAME}" == "push" ]; then
 echo "This is a PUSH event"
- branch="${{ github.ref_name }}"
+ branch="${GITHUB_REF_NAME}"
 fi
 echo "Branch: ${branch}"
@@ -124,7 +127,7 @@ jobs:
 mkdir -p build
 mkdir -p artifacts
- cmake -DGITHUB_CLONE_URL=${clone_url} \
+ cmake -DGITHUB_CLONE_URL="${clone_url}" \
 -B build \
 -S . \
 -DSUNSHINE_CONFIGURE_FLATPAK_MAN=ON \
@@ -139,14 +142,14 @@ jobs:
 run: |
 echo "::add-matcher::.github/matchers/gcc-strip3.json"
 sudo su "$(whoami)" -c "flatpak run org.flatpak.Builder \
- --arch=${{ matrix.arch }} \
+ --arch=${MATRIX_ARCH} \
 --force-clean \
 --repo=repo \
 --sandbox \
 --stop-at=cuda build-sunshine ${APP_ID}.yml"
 cp -r .flatpak-builder copy-of-flatpak-builder
 sudo su "$(whoami)" -c "flatpak run org.flatpak.Builder \
- --arch=${{ matrix.arch }} \
+ --arch=${MATRIX_ARCH} \
 --force-clean \
 --repo=repo \
 --sandbox \
@@ -154,20 +157,20 @@ jobs:
 rm -rf .flatpak-builder
 mv copy-of-flatpak-builder .flatpak-builder
 sudo su "$(whoami)" -c "flatpak build-bundle \
- --arch=${{ matrix.arch }} \
+ --arch=${MATRIX_ARCH} \
 ./repo \
- ../artifacts/sunshine_${{ matrix.arch }}.flatpak ${APP_ID}"
+ ../artifacts/sunshine_${MATRIX_ARCH}.flatpak ${APP_ID}"
 sudo su "$(whoami)" -c "flatpak build-bundle \
 --runtime \
- --arch=${{ matrix.arch }} \
+ --arch=${MATRIX_ARCH} \
 ./repo \
- ../artifacts/sunshine_debug_${{ matrix.arch }}.flatpak ${APP_ID}.Debug"
+ ../artifacts/sunshine_debug_${MATRIX_ARCH}.flatpak ${APP_ID}.Debug"
 echo "::remove-matcher owner=gcc-strip3::"
 - name: Lint Flatpak
 working-directory: build
 run: |
- exceptions_file="${{ github.workspace }}/packaging/linux/flatpak/exceptions.json"
+ exceptions_file="${GITHUB_WORKSPACE}/packaging/linux/flatpak/exceptions.json"
 echo "Linting flatpak manifest"
 flatpak run --command=flatpak-builder-lint org.flatpak.Builder \
diff --git a/.github/workflows/ci-freebsd.yml b/.github/workflows/ci-freebsd.yml
index ab3f5601..ae39ee55 100644
--- a/.github/workflows/ci-freebsd.yml
+++ b/.github/workflows/ci-freebsd.yml
@@ -169,9 +169,9 @@ jobs:
 -DSUNSHINE_ENABLE_DRM=OFF \
 -DSUNSHINE_ENABLE_WAYLAND=ON \
 -DSUNSHINE_ENABLE_X11=ON \
- -DSUNSHINE_PUBLISHER_NAME='${{ github.repository_owner }}' \
- -DSUNSHINE_PUBLISHER_WEBSITE='https://app.lizardbyte.dev' \
- -DSUNSHINE_PUBLISHER_ISSUE_URL='https://app.lizardbyte.dev/support'
+ -DSUNSHINE_PUBLISHER_NAME="${GITHUB_REPOSITORY_OWNER}" \
+ -DSUNSHINE_PUBLISHER_WEBSITE="https://app.lizardbyte.dev" \
+ -DSUNSHINE_PUBLISHER_ISSUE_URL="https://app.lizardbyte.dev/support"
 - name: Build
 shell: freebsd {0}
@@ -265,7 +265,7 @@ jobs:
 if-no-files-found: error
 - name: Upload Artifacts
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@v5
 with:
 name: build-FreeBSD-${{ matrix.bsd_release }}-${{ matrix.cmake_processor }}
 path: artifacts/
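Review bot: `"${GITHUB_REPOSITORY_OWNER}"` in the ci-freebsd.yml hunk is now expanded by the shell that executes the script rather than by the workflow engine, and the neighbouring Build step shows `shell: freebsd {0}`; if this Configure step runs under the same shell inside a VM that does not receive the runner's `GITHUB_*` environment, the publisher name silently becomes an empty string, whereas the previous `'${{ github.repository_owner }}'` was substituted before the script was shipped into the VM. Whether the variable is forwarded cannot be confirmed from the hunk, so please check the step's shell configuration and, if the VM action needs forwarded variables listed explicitly, that `GITHUB_REPOSITORY_OWNER` is among them. If it is not forwarded, the value can still be kept out of the script body with a step-level `env:` entry such as `REPOSITORY_OWNER: ${{ github.repository_owner }}` plus whatever import mechanism that shell provides. The cmake invocation starts above the hunk.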
diff --git a/.github/workflows/ci-homebrew.yml b/.github/workflows/ci-homebrew.yml
index 86fd729e..2f1f8383 100644
--- a/.github/workflows/ci-homebrew.yml
+++ b/.github/workflows/ci-homebrew.yml
@@ -74,27 +74,33 @@ jobs:
 - name: Configure formula
 env:
- HEAD_REF: ${{ github.head_ref }}
+ INPUT_RELEASE_VERSION: ${{ inputs.release_version }}
+ INPUT_RELEASE_COMMIT: ${{ inputs.release_commit }}
+ INPUT_RELEASE_TAG: ${{ inputs.release_tag }}
+ MATRIX_RELEASE: ${{ matrix.release }}
+ PR_CLONE_URL: ${{ github.event.pull_request.head.repo.clone_url }}
 PR_HEAD_REF: ${{ github.event.pull_request.head.ref }}
 PR_DEFAULT_BRANCH: ${{ github.event.pull_request.head.repo.default_branch }}
+ REPOSITORY_CLONE_URL: ${{ github.event.repository.clone_url }}
+ REPOSITORY_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
 run: |
 # variables for formula
- branch="${HEAD_REF}"
- build_version="${{ inputs.release_version }}"
- clone_url="${{ github.event.repository.clone_url }}"
- commit="${{ inputs.release_commit }}"
- default_branch="${{ github.event.repository.default_branch }}"
- tag="${{ github.ref_name }}"
+ branch="${GITHUB_HEAD_REF}"
+ build_version="${INPUT_RELEASE_VERSION}"
+ clone_url="${REPOSITORY_CLONE_URL}"
+ commit="${INPUT_RELEASE_COMMIT}"
+ default_branch="${REPOSITORY_DEFAULT_BRANCH}"
+ tag="${GITHUB_REF_NAME}"
- if [ "${{ github.event_name }}" == "push" ]; then
+ if [ "${GITHUB_EVENT_NAME}" == "push" ]; then
 echo "This is a PUSH event"
- if [ "${{ matrix.release }}" == "true" ]; then
+ if [ "${MATRIX_RELEASE}" == "true" ]; then
 # we will publish the formula with the release tag
- tag="${{ inputs.release_tag }}"
+ tag="${INPUT_RELEASE_TAG}"
 fi
- elif [ "${{ github.event_name }}" == "pull_request" ]; then
+ elif [ "${GITHUB_EVENT_NAME}" == "pull_request" ]; then
 echo "This is a PR event"
- clone_url=${{ github.event.pull_request.head.repo.clone_url }}
+ clone_url=${PR_CLONE_URL}
 branch="${PR_HEAD_REF}"
 default_branch="${PR_DEFAULT_BRANCH}"
 tag="${PR_HEAD_REF}"
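Review bot: `clone_url=${PR_CLONE_URL}` on the pull_request branch is the one assignment in the hunk left unquoted, while every sibling (`branch="${PR_HEAD_REF}"`, `default_branch="${PR_DEFAULT_BRANCH}"`, `tag="${PR_HEAD_REF}"`) is quoted; write `clone_url="${PR_CLONE_URL}"` so an empty or space-containing value cannot change the shape of the command. Moving `github.event.pull_request.head.repo.clone_url` into `env:` is the right direction, since that field is populated from the fork's repository record and should not be substituted into the script body. The `if`/`elif` chain and the enclosing `run:` block continue past the end of the hunk.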
diff --git a/.github/workflows/ci-linux.yml b/.github/workflows/ci-linux.yml
index d7c4d16a..54c36520 100644
--- a/.github/workflows/ci-linux.yml
+++ b/.github/workflows/ci-linux.yml
@@ -18,6 +18,7 @@ jobs:
 name: ${{ matrix.name }}
 env:
 APP_ID: dev.lizardbyte.app.Sunshine
+ VERSION: ${{ inputs.release_version }}
 runs-on: ubuntu-${{ matrix.dist }}
 strategy:
 fail-fast: false
@@ -89,20 +90,14 @@ jobs:
 chmod +x ./scripts/linux_build.sh
 echo "::add-matcher::.github/matchers/gcc.json"
 ./scripts/linux_build.sh \
- --publisher-name='${{ github.repository_owner }}' \
- --publisher-website='https://app.lizardbyte.dev' \
- --publisher-issue-url='https://app.lizardbyte.dev/support' \
+ --publisher-name="${GITHUB_REPOSITORY_OWNER}" \
+ --publisher-website="https://app.lizardbyte.dev" \
+ --publisher-issue-url="https://app.lizardbyte.dev/support" \
 --skip-cleanup \
 --skip-package \
 --ubuntu-test-repo ${{ matrix.EXTRA_ARGS }}
 echo "::remove-matcher owner=gcc::"
- - name: Set AppImage Version
- if: matrix.name == 'AppImage'
- run: |
- version=${{ inputs.release_version }}
- echo "VERSION=${version}" >> "${GITHUB_ENV}"
 - name: Package Linux - AppImage
 if: matrix.name == 'AppImage'
 working-directory: build
diff --git a/.github/workflows/ci-windows.yml b/.github/workflows/ci-windows.yml
index 2ad2f982..4ea1ce4f 100644
--- a/.github/workflows/ci-windows.yml
+++ b/.github/workflows/ci-windows.yml
@@ -266,9 +266,9 @@ jobs:
 -DBUILD_WERROR=ON \
 -DCMAKE_BUILD_TYPE=RelWithDebInfo \
 -DSUNSHINE_ASSETS_DIR=assets \
- -DSUNSHINE_PUBLISHER_NAME='${{ github.repository_owner }}' \
- -DSUNSHINE_PUBLISHER_WEBSITE='https://app.lizardbyte.dev' \
- -DSUNSHINE_PUBLISHER_ISSUE_URL='https://app.lizardbyte.dev/support'
+ -DSUNSHINE_PUBLISHER_NAME="${GITHUB_REPOSITORY_OWNER}" \
+ -DSUNSHINE_PUBLISHER_WEBSITE="https://app.lizardbyte.dev" \
+ -DSUNSHINE_PUBLISHER_ISSUE_URL="https://app.lizardbyte.dev/support"
 echo "::add-matcher::.github/matchers/gcc.json"
 ninja -C build
 echo "::remove-matcher owner=gcc::"
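Review bot: `--ubuntu-test-repo ${{ matrix.EXTRA_ARGS }}` in the ci-linux.yml build hunk is left as a workflow-expression substitution inside the `run:` script while the three publisher arguments directly above it were moved to shell variables, so the hunk is inconsistent with the commit's own intent. `matrix.EXTRA_ARGS` is declared in this workflow and the unquoted expansion is presumably deliberate so several arguments can be passed, but it can be made uniform by adding `MATRIX_EXTRA_ARGS: ${{ matrix.EXTRA_ARGS }}` to the job-level `env:` (the map that gains `VERSION` in the first hunk) and writing `--ubuntu-test-repo ${MATRIX_EXTRA_ARGS}` under a `# shellcheck disable=SC2086 -- intentional word splitting` comment. Separately, dropping the `Set AppImage Version` step means `VERSION` is now exported for every matrix entry rather than only `AppImage`; please confirm that `linux_build.sh` and the other packaging steps do not read that variable. The `run:` block of the build step starts above the hunk.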
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f7c8b99e..b50976d8 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -179,11 +179,11 @@ jobs:
 - name: Should run
 id: should_run
 run: |
- if [ ${{ github.event_name }} != 'pull_request' ] || [ ${{ matrix.pr }} == 'true' ]; then
- echo "SHOULD_RUN=true" >> "${GITHUB_OUTPUT}"
- else
- echo "SHOULD_RUN=false" >> "${GITHUB_OUTPUT}"
+ should_run="false"
+ if [ "${GITHUB_EVENT_NAME}" != "pull_request" ] || [ ${{ matrix.pr }} == "true" ]; then
+ should_run="true"
 fi
+ echo "SHOULD_RUN=${should_run}" >> "${GITHUB_OUTPUT}"
 - name: Checkout
 if: steps.should_run.outputs.SHOULD_RUN == 'true'
diff --git a/.github/workflows/localize.yml b/.github/workflows/localize.yml
index 6f4b0919..49c30dea 100644
--- a/.github/workflows/localize.yml
+++ b/.github/workflows/localize.yml
@@ -14,7 +14,7 @@ on:
 workflow_dispatch:
 env:
- file: ./locale/sunshine.po
+ FILE: ./locale/sunshine.po
 jobs:
 localize:
@@ -44,20 +44,21 @@ jobs:
 - name: Update Strings
 run: |
+ new_file=true
+
 # first, try to remove existing file as xgettext does not remove unused translations
- if [ -f "${{ env.file }}" ];
+ if [ -f "${FILE}" ];
 then
- rm ${{ env.file }}
- echo "new_file=false" >> "${GITHUB_ENV}"
- else
- echo "new_file=true" >> "${GITHUB_ENV}"
+ rm "${FILE}"
+ new_file=false
 fi
+ echo "NEW_FILE=${new_file}" >> "${GITHUB_ENV}"
 # extract the new strings
 python ./scripts/_locale.py --extract
 - name: git diff
- if: env.new_file == 'false'
+ if: env.NEW_FILE == 'false'
 run: |
 # disable the pager
 git config --global pager.diff false
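Review bot: `[ ${{ matrix.pr }} == "true" ]` in the ci.yml hunk keeps a workflow-expression substitution inside the `run:` script and leaves it unquoted, the two things the rest of the hunk removes; when `matrix.pr` is absent for an entry the test collapses to `[ == "true" ]`, which `[` rejects with a unary-operator error and the `||` then resolves to false without failing the step. Add `env:` with `MATRIX_PR: ${{ matrix.pr }}` to the step and write `if [ "${GITHUB_EVENT_NAME}" != "pull_request" ] || [ "${MATRIX_PR}" == "true" ]; then`. `matrix.pr` is declared in this workflow, so this is a robustness and consistency point rather than an injection one.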
@@ -67,13 +68,13 @@ jobs:
 # set the variable with minimal output, replacing `\t` with ` `
 OUTPUT=$(git diff --numstat locale/sunshine.po | sed -e "s#\t# #g")
- echo "git_diff=${OUTPUT}" >> "${GITHUB_ENV}"
+ echo "GIT_DIFF=${OUTPUT}" >> "${GITHUB_ENV}"
 - name: git reset
 # only run if a single line changed (date/time) and file already existed
 if: >-
- env.git_diff == '1 1 locale/sunshine.po' &&
- env.new_file == 'false'
+ env.GIT_DIFF == '1 1 locale/sunshine.po' &&
+ env.NEW_FILE == 'false'
 run: |
 git reset --hard