2018-07-23 18:41:00 +00:00
|
|
|
# GIT_LFS_SHA is the '--short'-form SHA1 of the current revision of Git LFS.
|
2018-07-19 18:02:25 +00:00
|
|
|
GIT_LFS_SHA ?= $(shell git rev-parse --short HEAD)
|
2018-07-23 18:41:00 +00:00
|
|
|
# VERSION is the longer-form describe output of the current revision of Git LFS,
|
|
|
|
# used for identifying intermediate releases.
|
|
|
|
#
|
|
|
|
# If Git LFS is being built for a published release, VERSION and GIT_LFS_SHA
|
|
|
|
# should be identical.
|
2018-07-19 18:02:25 +00:00
|
|
|
VERSION ?= $(shell git describe HEAD)
|
|
|
|
|
2018-07-23 18:41:00 +00:00
|
|
|
# GO is the name of the 'go' binary used to compile Git LFS.
|
2018-07-16 20:25:44 +00:00
|
|
|
GO ?= go
|
|
|
|
|
2018-07-23 18:41:00 +00:00
|
|
|
# GO_TEST_EXTRA_ARGS are extra arguments given to invocations of 'go test'.
|
|
|
|
#
|
|
|
|
# Examples include:
|
|
|
|
#
|
|
|
|
# make test GO_TEST_EXTRA_ARGS=-v
|
|
|
|
# make test GO_TEST_EXTRA_ARGS='-run TestMyExample'
|
2018-07-16 21:25:54 +00:00
|
|
|
GO_TEST_EXTRA_ARGS =
|
|
|
|
|
2018-07-23 18:41:00 +00:00
|
|
|
# BUILTIN_LD_FLAGS are the internal flags used to pass to the linker. By default
|
|
|
|
# the config.GitCommit variable is always set via this variable, and
|
|
|
|
# DWARF-stripping is enabled unless DWARF=YesPlease.
|
2018-07-19 18:02:25 +00:00
|
|
|
BUILTIN_LD_FLAGS =
|
2019-05-08 18:40:24 +00:00
|
|
|
ifneq ("$(VENDOR)","")
|
|
|
|
BUILTIN_LD_FLAGS += -X github.com/git-lfs/git-lfs/config.Vendor=$(VENDOR)
|
|
|
|
endif
|
2018-07-19 18:02:25 +00:00
|
|
|
BUILTIN_LD_FLAGS += -X github.com/git-lfs/git-lfs/config.GitCommit=$(GIT_LFS_SHA)
|
|
|
|
ifneq ("$(DWARF)","YesPlease")
|
|
|
|
BUILTIN_LD_FLAGS += -s
|
|
|
|
BUILTIN_LD_FLAGS += -w
|
|
|
|
endif
|
2018-07-23 18:41:00 +00:00
|
|
|
# EXTRA_LD_FLAGS are given by the caller, and are passed to the Go linker after
|
2018-12-21 20:16:21 +00:00
|
|
|
# BUILTIN_LD_FLAGS are processed. By default the system LDFLAGS are passed.
|
2019-02-25 21:19:52 +00:00
|
|
|
ifdef LDFLAGS
|
2018-12-21 20:16:21 +00:00
|
|
|
EXTRA_LD_FLAGS ?= -extldflags ${LDFLAGS}
|
2019-02-25 21:19:52 +00:00
|
|
|
endif
|
2018-07-23 18:41:00 +00:00
|
|
|
# LD_FLAGS is the union of the above two BUILTIN_LD_FLAGS and EXTRA_LD_FLAGS.
|
2018-07-19 18:02:25 +00:00
|
|
|
LD_FLAGS = $(BUILTIN_LD_FLAGS) $(EXTRA_LD_FLAGS)
|
|
|
|
|
2018-07-23 18:41:00 +00:00
|
|
|
# BUILTIN_GC_FLAGS are the internal flags used to pass compiler.
|
Makefile: trim paths
When building binaries, Go embeds the source filenames into the
binaries, meaning that on most systems, the build directory is embedded
into the binary. This means that binaries are not reproducible when
built by other users and in addition that the layout of the building
user's system is embedded into the binary.
Go provides an option to trim paths out of the ones stored in the
binary, but unfortunately this only works for one path, and since
git-lfs is now built outside the GOPATH to take advantage of the Go
1.11's automatic support for modules, there are two paths that need to
be stripped.
For the benefit of build reproducibility and general build hygiene,
let's strip out the user's home directory when building the binary. This
is better than the status quo, and we can improve this later if
circumstances change. Use "?=" so users who would like to override this
for their particular situation can.
Note that we use "$$HOME" so that the shell expands paths instead of
make, since this means that on Windows, the shell won't ever see any
unescaped backslashes that make might substitute in.
2018-09-28 19:25:58 +00:00
|
|
|
BUILTIN_GC_FLAGS ?= all=-trimpath="$$HOME"
|
2018-07-23 18:41:00 +00:00
|
|
|
# EXTRA_GC_FLAGS are the caller-provided flags to pass to the compiler.
|
2018-07-19 18:02:25 +00:00
|
|
|
EXTRA_GC_FLAGS =
|
2018-07-23 18:41:00 +00:00
|
|
|
# GC_FLAGS are the union of the above two BUILTIN_GC_FLAGS and EXTRA_GC_FLAGS.
|
2018-07-19 18:02:25 +00:00
|
|
|
GC_FLAGS = $(BUILTIN_GC_FLAGS) $(EXTRA_GC_FLAGS)
|
|
|
|
|
Makefile: trim paths
When building binaries, Go embeds the source filenames into the
binaries, meaning that on most systems, the build directory is embedded
into the binary. This means that binaries are not reproducible when
built by other users and in addition that the layout of the building
user's system is embedded into the binary.
Go provides an option to trim paths out of the ones stored in the
binary, but unfortunately this only works for one path, and since
git-lfs is now built outside the GOPATH to take advantage of the Go
1.11's automatic support for modules, there are two paths that need to
be stripped.
For the benefit of build reproducibility and general build hygiene,
let's strip out the user's home directory when building the binary. This
is better than the status quo, and we can improve this later if
circumstances change. Use "?=" so users who would like to override this
for their particular situation can.
Note that we use "$$HOME" so that the shell expands paths instead of
make, since this means that on Windows, the shell won't ever see any
unescaped backslashes that make might substitute in.
2018-09-28 19:25:58 +00:00
|
|
|
ASM_FLAGS ?= all=-trimpath="$$HOME"
|
|
|
|
|
2019-09-05 21:29:52 +00:00
|
|
|
# TRIMPATH contains arguments to be passed to go to strip paths on Go 1.13 and
|
|
|
|
# newer.
|
|
|
|
TRIMPATH ?= $(shell [ "$$($(GO) version | awk '{print $$3}' | sed -e 's/^[^.]*\.//;s/\..*$$//;')" -ge 13 ] && echo -trimpath)
|
|
|
|
|
2018-07-23 18:41:00 +00:00
|
|
|
# RONN is the name of the 'ronn' program used to generate man pages.
|
2018-07-19 19:03:54 +00:00
|
|
|
RONN ?= ronn
|
2018-07-23 18:41:00 +00:00
|
|
|
# RONN_EXTRA_ARGS are extra arguments given to the $(RONN) program when invoked.
|
2018-07-19 19:03:54 +00:00
|
|
|
RONN_EXTRA_ARGS ?=
|
|
|
|
|
2018-07-23 18:41:00 +00:00
|
|
|
# GREP is the name of the program used for regular expression matching, or
|
|
|
|
# 'grep' if unset.
|
2018-07-16 20:25:44 +00:00
|
|
|
GREP ?= grep
|
2018-07-23 18:41:00 +00:00
|
|
|
# XARGS is the name of the program used to turn stdin into program arguments, or
|
|
|
|
# 'xargs' if unset.
|
2018-07-16 20:25:44 +00:00
|
|
|
XARGS ?= xargs
|
|
|
|
|
2018-07-23 18:41:00 +00:00
|
|
|
# GOIMPORTS is the name of the program formatter used before compiling.
|
2018-07-16 20:25:44 +00:00
|
|
|
GOIMPORTS ?= goimports
|
2018-07-23 18:41:00 +00:00
|
|
|
# GOIMPORTS_EXTRA_OPTS are the default options given to the $(GOIMPORTS)
|
|
|
|
# program.
|
2018-07-16 20:25:44 +00:00
|
|
|
GOIMPORTS_EXTRA_OPTS ?= -w -l
|
|
|
|
|
2018-08-24 15:05:57 +00:00
|
|
|
TAR_XFORM_ARG ?= $(shell tar --version | grep -q 'GNU tar' && echo '--xform' || echo '-s')
|
|
|
|
TAR_XFORM_CMD ?= $(shell tar --version | grep -q 'GNU tar' && echo 's')
|
|
|
|
|
2018-09-24 20:52:46 +00:00
|
|
|
# CERT_SHA1 is the SHA-1 hash of the Windows code-signing cert to use. The
|
|
|
|
# actual signature is made with SHA-256.
|
2019-04-23 17:52:15 +00:00
|
|
|
CERT_SHA1 ?= 824455beeb23fe270e756ca04ec8e902d19c62aa
|
2018-09-24 20:52:46 +00:00
|
|
|
|
2019-09-05 21:50:36 +00:00
|
|
|
# CERT_FILE is the PKCS#12 file holding the certificate.
|
|
|
|
CERT_FILE ?=
|
|
|
|
|
|
|
|
# CERT_PASS is the password for the certificate. It must not contain
|
|
|
|
# double-quotes.
|
|
|
|
CERT_PASS ?=
|
|
|
|
|
|
|
|
# CERT_ARGS are additional arguments to pass when signing Windows binaries.
|
|
|
|
ifneq ("$(CERT_FILE)$(CERT_PASS)","")
|
2019-09-24 17:27:22 +00:00
|
|
|
CERT_ARGS ?= -f "$(CERT_FILE)" -p "$(CERT_PASS)"
|
|
|
|
else
|
|
|
|
CERT_ARGS ?= -sha1 $(CERT_SHA1)
|
2019-09-05 21:50:36 +00:00
|
|
|
endif
|
|
|
|
|
workflows/release: sign and notarize macOS binaries
On macOS, Gatekeeper requires binaries that are signed with a trusted
code-signing certificate and notarized by Apple in order for them to
run. To ease the burden for Mac users, let's start providing signed
binaries.
The macOS codesign tool can only read certificates from a keychain.
However, setting keychains up to work in a non-interactive way is
complex and error prone. We create a target to import the certificates
from a PKCS #12 file and pull them into a temporary keychain which has
been specially set up to work in CI. This requires multiple complex and
poorly documented incantations to work correctly, but it does currently
work. These incantations are not to be meant run on a user system
because they modify various keychain properties, such as the default
keychain, so add a comment to that effect.
We sign both the binary and the zip file, since we cannot notarize the
binary alone but would like to have a signed binary. Only zip files,
pkg files, and disk images can be notarized; this is why we have
switched to a zip file for macOS.
Note that the notarization process requires a particular developer to
submit the binary for notarization using their Apple account. That
developer's ID and their app password are specified from the environment
and can be read from the secret store. This is so that this can easily
be rotated to reflect a new user without needing to involve code
changes. Similarly, the cert ID, although not secret, is passed in in a
similar way.
When we perform the notarization, we do it in a loop, since Apple's
servers can sometimes "forget" the fact that we submitted a request and
therefore cause gon, the notarization tool we use, to spuriously fail
when it checks on the status of our request. We don't use seq to count
in our loop because it is not portable to non-Linux systems.
Finally, we use "darwin" in the Makefile because everything else in the
Makefile already uses that, but we use "MACOS" for secrets for
consistency with the GitHub Actions workflow, which uses that. We
translate in the workflow file.
2020-04-10 19:39:23 +00:00
|
|
|
# DARWIN_CERT_ID is a portion of the common name of the signing certificatee.
|
|
|
|
DARWIN_CERT_ID ?=
|
|
|
|
|
|
|
|
# DARWIN_KEYCHAIN_ID is the name of the keychain (with suffix) where the
|
|
|
|
# certificate is located.
|
|
|
|
DARWIN_KEYCHAIN_ID ?= CI.keychain
|
|
|
|
|
2018-07-23 18:41:00 +00:00
|
|
|
# SOURCES is a listing of all .go files in this and child directories, excluding
|
|
|
|
# that in vendor.
|
|
|
|
SOURCES = $(shell find . -type f -name '*.go' | grep -v vendor)
|
2021-11-09 21:23:20 +00:00
|
|
|
|
|
|
|
# MSGFMT is the GNU gettext msgfmt binary.
|
|
|
|
MSGFMT ?= msgfmt
|
|
|
|
|
|
|
|
# PO is a list of all the po (gettext source) files.
|
|
|
|
PO = $(wildcard po/*.po)
|
|
|
|
|
|
|
|
# MO is a list of all the mo (gettext compiled) files to be built.
|
|
|
|
MO = $(patsubst po/%.po,po/build/%.mo,$(PO))
|
|
|
|
|
2018-07-23 18:41:00 +00:00
|
|
|
# PKGS is a listing of packages that are considered to be a part of Git LFS, and
|
|
|
|
# are used in package-specific commands, such as the 'make test' targets. For
|
|
|
|
# example:
|
|
|
|
#
|
|
|
|
# make test # run 'go test' in all packages
|
|
|
|
# make PKGS='config git/githistory' test # run 'go test' in config and
|
|
|
|
# # git/githistory
|
|
|
|
#
|
|
|
|
# By default, it is a listing of all packages in Git LFS. When new packages (or
|
|
|
|
# sub-packages) are created, they should be added here.
|
2018-07-16 21:10:31 +00:00
|
|
|
ifndef PKGS
|
|
|
|
PKGS =
|
|
|
|
PKGS += commands
|
|
|
|
PKGS += config
|
2018-09-19 15:05:48 +00:00
|
|
|
PKGS += creds
|
2018-07-16 21:10:31 +00:00
|
|
|
PKGS += errors
|
|
|
|
PKGS += filepathfilter
|
|
|
|
PKGS += fs
|
|
|
|
PKGS += git
|
|
|
|
PKGS += git/gitattr
|
|
|
|
PKGS += git/githistory
|
|
|
|
PKGS += git
|
|
|
|
PKGS += lfs
|
|
|
|
PKGS += lfsapi
|
2018-09-06 21:42:41 +00:00
|
|
|
PKGS += lfshttp
|
2018-07-16 21:10:31 +00:00
|
|
|
PKGS += locking
|
2021-02-03 22:27:01 +00:00
|
|
|
PKGS += ssh
|
2018-07-16 21:10:31 +00:00
|
|
|
PKGS += subprocess
|
|
|
|
PKGS += tasklog
|
|
|
|
PKGS += tools
|
|
|
|
PKGS += tools/humanize
|
|
|
|
PKGS += tools/kv
|
2021-11-09 21:23:20 +00:00
|
|
|
PKGS += tr
|
2018-07-16 21:10:31 +00:00
|
|
|
PKGS += tq
|
|
|
|
endif
|
2018-07-16 20:05:08 +00:00
|
|
|
|
2018-07-23 18:41:00 +00:00
|
|
|
# X is the platform-specific extension for Git LFS binaries. It is automatically
|
|
|
|
# set to .exe on Windows, and the empty string on all other platforms. It may be
|
|
|
|
# overridden.
|
2018-07-24 15:41:45 +00:00
|
|
|
#
|
|
|
|
# BUILD_MAIN is the main ".go" file that contains func main() for Git LFS. On
|
|
|
|
# macOS and other non-Windows platforms, it is required that a specific
|
|
|
|
# entrypoint be given, hence the below conditional. On Windows, it is required
|
|
|
|
# that an entrypoint not be given so that goversioninfo can successfully embed
|
|
|
|
# the resource.syso file (for more, see below).
|
2018-07-19 18:02:25 +00:00
|
|
|
ifeq ($(OS),Windows_NT)
|
|
|
|
X ?= .exe
|
2018-07-24 15:41:45 +00:00
|
|
|
BUILD_MAIN ?=
|
2018-07-19 18:02:25 +00:00
|
|
|
else
|
|
|
|
X ?=
|
2018-07-24 15:41:45 +00:00
|
|
|
BUILD_MAIN ?= ./git-lfs.go
|
2018-07-19 18:02:25 +00:00
|
|
|
endif
|
|
|
|
|
2018-07-23 18:41:00 +00:00
|
|
|
# BUILD is a macro used to build a single binary of Git LFS using the above
|
|
|
|
# LD_FLAGS and GC_FLAGS.
|
|
|
|
#
|
|
|
|
# It takes three arguments:
|
|
|
|
#
|
|
|
|
# $(1) - a valid GOOS value, or empty-string
|
|
|
|
# $(2) - a valid GOARCH value, or empty-string
|
|
|
|
# $(3) - an optional program extension. If $(3) is given as '-foo', then the
|
|
|
|
# program will be written to bin/git-lfs-foo.
|
2018-07-24 15:41:45 +00:00
|
|
|
#
|
|
|
|
# It uses BUILD_MAIN as defined above to specify the entrypoint for building Git
|
|
|
|
# LFS.
|
2018-07-19 18:02:25 +00:00
|
|
|
BUILD = GOOS=$(1) GOARCH=$(2) \
|
|
|
|
$(GO) build \
|
|
|
|
-ldflags="$(LD_FLAGS)" \
|
|
|
|
-gcflags="$(GC_FLAGS)" \
|
Makefile: trim paths
When building binaries, Go embeds the source filenames into the
binaries, meaning that on most systems, the build directory is embedded
into the binary. This means that binaries are not reproducible when
built by other users and in addition that the layout of the building
user's system is embedded into the binary.
Go provides an option to trim paths out of the ones stored in the
binary, but unfortunately this only works for one path, and since
git-lfs is now built outside the GOPATH to take advantage of the Go
1.11's automatic support for modules, there are two paths that need to
be stripped.
For the benefit of build reproducibility and general build hygiene,
let's strip out the user's home directory when building the binary. This
is better than the status quo, and we can improve this later if
circumstances change. Use "?=" so users who would like to override this
for their particular situation can.
Note that we use "$$HOME" so that the shell expands paths instead of
make, since this means that on Windows, the shell won't ever see any
unescaped backslashes that make might substitute in.
2018-09-28 19:25:58 +00:00
|
|
|
-asmflags="$(ASM_FLAGS)" \
|
2019-09-05 21:29:52 +00:00
|
|
|
$(TRIMPATH) \
|
2018-07-24 15:41:45 +00:00
|
|
|
-o ./bin/git-lfs$(3) $(BUILD_MAIN)
|
2018-07-19 18:02:25 +00:00
|
|
|
|
2018-07-23 18:41:00 +00:00
|
|
|
# BUILD_TARGETS is the set of all platforms and architectures that Git LFS is
|
|
|
|
# built for.
|
2018-08-24 15:08:32 +00:00
|
|
|
BUILD_TARGETS = \
|
|
|
|
bin/git-lfs-darwin-amd64 \
|
2021-03-11 21:11:33 +00:00
|
|
|
bin/git-lfs-darwin-arm64 \
|
2020-05-08 12:35:42 +00:00
|
|
|
bin/git-lfs-linux-arm \
|
2018-08-24 15:12:15 +00:00
|
|
|
bin/git-lfs-linux-arm64 \
|
2018-08-24 15:08:32 +00:00
|
|
|
bin/git-lfs-linux-amd64 \
|
2020-01-14 21:35:27 +00:00
|
|
|
bin/git-lfs-linux-ppc64le \
|
|
|
|
bin/git-lfs-linux-s390x \
|
2018-08-24 15:08:32 +00:00
|
|
|
bin/git-lfs-linux-386 \
|
|
|
|
bin/git-lfs-freebsd-amd64 \
|
|
|
|
bin/git-lfs-freebsd-386 \
|
|
|
|
bin/git-lfs-windows-amd64.exe \
|
2021-08-17 08:04:01 +00:00
|
|
|
bin/git-lfs-windows-386.exe \
|
|
|
|
bin/git-lfs-windows-arm64.exe
|
2018-07-19 18:02:25 +00:00
|
|
|
|
2018-08-01 16:41:58 +00:00
|
|
|
# mangen is a shorthand for ensuring that commands/mancontent_gen.go is kept
|
|
|
|
# up-to-date with the contents of docs/man/*.ronn.
|
2018-07-31 06:09:27 +00:00
|
|
|
.PHONY : mangen
|
2018-08-01 16:36:29 +00:00
|
|
|
mangen : commands/mancontent_gen.go
|
2018-07-31 06:09:27 +00:00
|
|
|
|
2018-08-01 16:41:58 +00:00
|
|
|
# commands/mancontent_gen.go is generated by running 'go generate' on package
|
|
|
|
# 'commands' of Git LFS. It depends upon the contents of the 'docs' directory
|
|
|
|
# and converts those manpages into code.
|
2018-08-01 16:41:05 +00:00
|
|
|
commands/mancontent_gen.go : $(wildcard docs/man/*.ronn)
|
2021-09-01 19:41:10 +00:00
|
|
|
GOOS= GOARCH= $(GO) generate github.com/git-lfs/git-lfs/v3/commands
|
2018-07-31 06:09:27 +00:00
|
|
|
|
2021-11-09 21:23:20 +00:00
|
|
|
# trgen is a shorthand for ensuring that tr/tr_gen.go is kept up-to-date with
|
|
|
|
# the contents of po/build/*.mo.
|
|
|
|
.PHONY : trgen
|
|
|
|
trgen : tr/tr_gen.go
|
|
|
|
|
|
|
|
# tr/tr_gen.go is generated by running 'go generate' on package
|
|
|
|
# 'tr' of Git LFS. It depends upon the contents of the 'po' directory
|
|
|
|
# and converts the .mo files.
|
|
|
|
tr/tr_gen.go : $(MO)
|
|
|
|
GOOS= GOARCH= $(GO) generate github.com/git-lfs/git-lfs/v3/tr
|
|
|
|
|
|
|
|
po/build:
|
|
|
|
mkdir -p po/build
|
|
|
|
|
|
|
|
# These targets build the MO files.
|
|
|
|
po/build/%.mo: po/%.po po/build
|
|
|
|
if command -v $(MSGFMT) >/dev/null 2>&1; \
|
|
|
|
then \
|
|
|
|
$(MSGFMT) -o $@ $<; \
|
|
|
|
fi
|
|
|
|
|
2018-07-23 18:41:00 +00:00
|
|
|
# Targets 'all' and 'build' build binaries of Git LFS for the above release
|
|
|
|
# matrix.
|
2018-07-19 18:02:25 +00:00
|
|
|
.PHONY : all build
|
|
|
|
all build : $(BUILD_TARGETS)
|
|
|
|
|
2018-07-23 18:41:00 +00:00
|
|
|
# The following bin/git-lfs-% targets make a single binary compilation of Git
|
|
|
|
# LFS for a specific operating system and architecture pair.
|
|
|
|
#
|
|
|
|
# They function by translating target names into arguments for the above BUILD
|
|
|
|
# builtin, and appending the appropriate suffix to the build target.
|
|
|
|
#
|
2018-07-23 19:00:44 +00:00
|
|
|
# On Windows, they also depend on the resource.syso target, which installs and
|
|
|
|
# embeds the versioninfo into the binary.
|
2021-11-09 21:23:20 +00:00
|
|
|
bin/git-lfs-darwin-amd64 : $(SOURCES) mangen trgen
|
2018-07-19 18:02:25 +00:00
|
|
|
$(call BUILD,darwin,amd64,-darwin-amd64)
|
2021-11-09 21:23:20 +00:00
|
|
|
bin/git-lfs-darwin-arm64 : $(SOURCES) mangen trgen
|
2021-03-11 21:11:33 +00:00
|
|
|
$(call BUILD,darwin,arm64,-darwin-arm64)
|
2021-11-09 21:23:20 +00:00
|
|
|
bin/git-lfs-linux-arm : $(SOURCES) mangen trgen
|
2020-05-08 12:35:42 +00:00
|
|
|
GOARM=5 $(call BUILD,linux,arm,-linux-arm)
|
2021-11-09 21:23:20 +00:00
|
|
|
bin/git-lfs-linux-arm64 : $(SOURCES) mangen trgen
|
2018-08-24 16:41:37 +00:00
|
|
|
$(call BUILD,linux,arm64,-linux-arm64)
|
2021-11-09 21:23:20 +00:00
|
|
|
bin/git-lfs-linux-amd64 : $(SOURCES) mangen trgen
|
2018-07-19 18:02:25 +00:00
|
|
|
$(call BUILD,linux,amd64,-linux-amd64)
|
2021-11-09 21:23:20 +00:00
|
|
|
bin/git-lfs-linux-ppc64le : $(SOURCES) mangen trgen
|
2020-01-14 21:35:27 +00:00
|
|
|
$(call BUILD,linux,ppc64le,-linux-ppc64le)
|
2021-11-09 21:23:20 +00:00
|
|
|
bin/git-lfs-linux-s390x : $(SOURCES) mangen trgen
|
2020-01-14 21:35:27 +00:00
|
|
|
$(call BUILD,linux,s390x,-linux-s390x)
|
2021-11-09 21:23:20 +00:00
|
|
|
bin/git-lfs-linux-386 : $(SOURCES) mangen trgen
|
2018-07-19 18:02:25 +00:00
|
|
|
$(call BUILD,linux,386,-linux-386)
|
2021-11-09 21:23:20 +00:00
|
|
|
bin/git-lfs-freebsd-amd64 : $(SOURCES) mangen trgen
|
2018-07-19 18:02:25 +00:00
|
|
|
$(call BUILD,freebsd,amd64,-freebsd-amd64)
|
2021-11-09 21:23:20 +00:00
|
|
|
bin/git-lfs-freebsd-386 : $(SOURCES) mangen trgen
|
2018-07-19 18:02:25 +00:00
|
|
|
$(call BUILD,freebsd,386,-freebsd-386)
|
2021-11-09 21:23:20 +00:00
|
|
|
bin/git-lfs-windows-amd64.exe : resource.syso $(SOURCES) mangen trgen
|
2018-07-19 18:02:25 +00:00
|
|
|
$(call BUILD,windows,amd64,-windows-amd64.exe)
|
2021-11-09 21:23:20 +00:00
|
|
|
bin/git-lfs-windows-386.exe : resource.syso $(SOURCES) mangen trgen
|
2018-07-19 18:02:25 +00:00
|
|
|
$(call BUILD,windows,386,-windows-386.exe)
|
2021-11-09 21:23:20 +00:00
|
|
|
bin/git-lfs-windows-arm64.exe : resource.syso $(SOURCES) mangen trgen
|
2021-08-17 08:04:01 +00:00
|
|
|
$(call BUILD,windows,arm64,-windows-arm64.exe)
|
2018-07-19 18:02:25 +00:00
|
|
|
|
2018-07-23 18:41:00 +00:00
|
|
|
# .DEFAULT_GOAL sets the operating system-appropriate Git LFS binary as the
|
|
|
|
# default output of 'make'.
|
|
|
|
.DEFAULT_GOAL := bin/git-lfs$(X)
|
|
|
|
|
|
|
|
# bin/git-lfs targets the default output of Git LFS on non-Windows operating
|
|
|
|
# systems, and respects the build knobs as above.
|
2021-11-09 21:23:20 +00:00
|
|
|
bin/git-lfs : $(SOURCES) fmt mangen trgen
|
2018-07-19 18:02:25 +00:00
|
|
|
$(call BUILD,$(GOOS),$(GOARCH),)
|
|
|
|
|
2018-07-25 23:50:05 +00:00
|
|
|
# bin/git-lfs.exe targets the default output of Git LFS on Windows systems, and
|
2018-07-23 18:41:00 +00:00
|
|
|
# respects the build knobs as above.
|
2021-11-09 21:23:20 +00:00
|
|
|
bin/git-lfs.exe : $(SOURCES) resource.syso mangen trgen
|
2018-07-19 18:02:25 +00:00
|
|
|
$(call BUILD,$(GOOS),$(GOARCH),.exe)
|
|
|
|
|
2018-07-25 23:50:43 +00:00
|
|
|
# resource.syso installs the 'goversioninfo' command and uses it in order to
|
2018-07-23 18:41:00 +00:00
|
|
|
# generate a binary that has information included necessary to create the
|
|
|
|
# Windows installer.
|
2018-07-27 02:12:06 +00:00
|
|
|
#
|
|
|
|
# Generating a new resource.syso is a pure function of the contents in the
|
|
|
|
# prerequisites listed below.
|
|
|
|
resource.syso : \
|
|
|
|
versioninfo.json script/windows-installer/git-lfs-logo.bmp \
|
|
|
|
script/windows-installer/git-lfs-logo.ico \
|
|
|
|
script/windows-installer/git-lfs-wizard-image.bmp
|
2018-07-23 18:45:21 +00:00
|
|
|
$(GO) generate
|
2018-07-19 18:02:25 +00:00
|
|
|
|
2018-07-23 18:41:00 +00:00
|
|
|
# RELEASE_TARGETS is the set of all release artifacts that we generate over a
|
|
|
|
# particular release. They each have a corresponding entry in BUILD_TARGETS as
|
|
|
|
# above.
|
|
|
|
#
|
|
|
|
# Unlike BUILD_TARGETS above, each of the below create a compressed directory
|
|
|
|
# containing the matching binary, as well as the contents of RELEASE_INCLUDES
|
|
|
|
# below.
|
2018-07-25 23:57:55 +00:00
|
|
|
#
|
|
|
|
# To build a specific release, execute the following:
|
|
|
|
#
|
|
|
|
# make bin/releases/git-lfs-darwin-amd64-$(git describe HEAD).tar.gz
|
|
|
|
#
|
|
|
|
# To build a specific release with a custom VERSION suffix, run the following:
|
|
|
|
#
|
|
|
|
# make VERSION=my-version bin/releases/git-lfs-darwin-amd64-my-version.tar.gz
|
2018-08-24 15:08:32 +00:00
|
|
|
RELEASE_TARGETS = \
|
2020-04-10 14:34:54 +00:00
|
|
|
bin/releases/git-lfs-darwin-amd64-$(VERSION).zip \
|
2021-03-11 21:11:33 +00:00
|
|
|
bin/releases/git-lfs-darwin-arm64-$(VERSION).zip \
|
2020-05-08 12:35:42 +00:00
|
|
|
bin/releases/git-lfs-linux-arm-$(VERSION).tar.gz \
|
2018-08-24 15:12:15 +00:00
|
|
|
bin/releases/git-lfs-linux-arm64-$(VERSION).tar.gz \
|
2018-07-19 18:02:25 +00:00
|
|
|
bin/releases/git-lfs-linux-amd64-$(VERSION).tar.gz \
|
2020-01-14 21:35:27 +00:00
|
|
|
bin/releases/git-lfs-linux-ppc64le-$(VERSION).tar.gz \
|
|
|
|
bin/releases/git-lfs-linux-s390x-$(VERSION).tar.gz \
|
2018-07-19 18:02:25 +00:00
|
|
|
bin/releases/git-lfs-linux-386-$(VERSION).tar.gz \
|
|
|
|
bin/releases/git-lfs-freebsd-amd64-$(VERSION).tar.gz \
|
|
|
|
bin/releases/git-lfs-freebsd-386-$(VERSION).tar.gz \
|
|
|
|
bin/releases/git-lfs-windows-amd64-$(VERSION).zip \
|
2018-09-24 14:44:58 +00:00
|
|
|
bin/releases/git-lfs-windows-386-$(VERSION).zip \
|
2021-08-17 08:04:01 +00:00
|
|
|
bin/releases/git-lfs-windows-arm64-$(VERSION).zip \
|
2018-09-24 14:44:58 +00:00
|
|
|
bin/releases/git-lfs-$(VERSION).tar.gz
|
2018-07-19 18:02:25 +00:00
|
|
|
|
2018-07-23 18:41:00 +00:00
|
|
|
# RELEASE_INCLUDES are the names of additional files that are added to each
|
|
|
|
# release artifact.
|
2020-09-03 16:19:02 +00:00
|
|
|
RELEASE_INCLUDES = README.md CHANGELOG.md man
|
2018-07-19 18:02:25 +00:00
|
|
|
|
2018-07-23 18:41:00 +00:00
|
|
|
# release is a phony target that builds all of the release artifacts, and then
|
|
|
|
# shows the SHA 256 signature of each.
|
2018-07-25 23:57:55 +00:00
|
|
|
#
|
|
|
|
# To build all of the release binaries for a given Git LFS release:
|
|
|
|
#
|
|
|
|
# make release
|
2018-07-19 18:02:25 +00:00
|
|
|
.PHONY : release
|
|
|
|
release : $(RELEASE_TARGETS)
|
|
|
|
shasum -a 256 $(RELEASE_TARGETS)
|
|
|
|
|
2018-07-23 18:41:00 +00:00
|
|
|
# bin/releases/git-lfs-%-$(VERSION).tar.gz generates a gzip-compressed TAR of
|
2020-04-10 14:34:54 +00:00
|
|
|
# the non-Windows and non-macOS release artifacts.
|
2018-07-23 18:41:00 +00:00
|
|
|
#
|
|
|
|
# It includes all of RELEASE_INCLUDES, as well as script/install.sh.
|
|
|
|
bin/releases/git-lfs-%-$(VERSION).tar.gz : \
|
|
|
|
$(RELEASE_INCLUDES) bin/git-lfs-% script/install.sh
|
2018-07-19 18:02:25 +00:00
|
|
|
@mkdir -p bin/releases
|
2018-08-24 15:05:57 +00:00
|
|
|
tar $(TAR_XFORM_ARG) '$(TAR_XFORM_CMD)!bin/git-lfs-.*!git-lfs!' $(TAR_XFORM_ARG) '$(TAR_XFORM_CMD)!script/!!' -czf $@ $^
|
2018-07-19 18:02:25 +00:00
|
|
|
|
2020-04-10 14:34:54 +00:00
|
|
|
# bin/releases/git-lfs-darwin-$(VERSION).zip generates a ZIP compression of all
|
|
|
|
# of the macOS release artifacts.
|
|
|
|
#
|
|
|
|
# It includes all of the RELEASE_INCLUDES, as well as script/install.sh.
|
|
|
|
bin/releases/git-lfs-darwin-%-$(VERSION).zip : \
|
|
|
|
$(RELEASE_INCLUDES) bin/git-lfs-darwin-% script/install.sh
|
|
|
|
dir=bin/releases/darwin-$* && \
|
2020-12-10 21:57:53 +00:00
|
|
|
rm -f $@ && \
|
2020-04-10 14:34:54 +00:00
|
|
|
mkdir -p $$dir && \
|
2020-09-03 16:19:02 +00:00
|
|
|
cp -R $^ $$dir && mv $$dir/git-lfs-darwin-$* $$dir/git-lfs && \
|
2020-04-10 14:34:54 +00:00
|
|
|
zip -j $@ $$dir/* && \
|
2020-09-03 16:19:02 +00:00
|
|
|
zip -u $@ man/* && \
|
2020-04-10 14:34:54 +00:00
|
|
|
$(RM) -r $$dir
|
|
|
|
|
|
|
|
# bin/releases/git-lfs-windows-$(VERSION).zip generates a ZIP compression of all
|
|
|
|
# of the Windows release artifacts.
|
2018-07-23 18:41:00 +00:00
|
|
|
#
|
|
|
|
# It includes all of the RELEASE_INCLUDES, and converts LF-style line endings to
|
|
|
|
# CRLF in the non-binary components of the artifact.
|
2020-04-10 14:34:54 +00:00
|
|
|
bin/releases/git-lfs-windows-%-$(VERSION).zip : $(RELEASE_INCLUDES) bin/git-lfs-windows-%.exe
|
2018-07-19 18:02:25 +00:00
|
|
|
@mkdir -p bin/releases
|
2020-12-11 17:33:00 +00:00
|
|
|
rm -f $@
|
2018-07-19 18:02:25 +00:00
|
|
|
zip -j -l $@ $^
|
2020-09-03 16:19:02 +00:00
|
|
|
zip -u $@ man/*
|
2018-07-19 18:02:25 +00:00
|
|
|
|
2018-09-24 14:44:58 +00:00
|
|
|
# bin/releases/git-lfs-$(VERSION).tar.gz generates a tarball of the source code.
|
|
|
|
#
|
|
|
|
# This is useful for third parties who wish to have a bit-for-bit identical
|
|
|
|
# source archive to download and verify cryptographically.
|
|
|
|
bin/releases/git-lfs-$(VERSION).tar.gz :
|
|
|
|
git archive -o $@ --prefix=git-lfs-$(patsubst v%,%,$(VERSION))/ --format tar.gz $(VERSION)
|
|
|
|
|
2018-09-24 21:53:53 +00:00
|
|
|
# release-linux is a target that builds Linux packages. It must be run on a
|
|
|
|
# system with Docker that can run Linux containers.
|
|
|
|
.PHONY : release-linux
|
|
|
|
release-linux:
|
|
|
|
./docker/run_dockers.bsh
|
|
|
|
|
2018-09-24 20:52:46 +00:00
|
|
|
# release-windows is a target that builds and signs Windows binaries. It must
|
|
|
|
# be run on a Windows machine under Git Bash.
|
|
|
|
#
|
workflows/release: sign and notarize macOS binaries
On macOS, Gatekeeper requires binaries that are signed with a trusted
code-signing certificate and notarized by Apple in order for them to
run. To ease the burden for Mac users, let's start providing signed
binaries.
The macOS codesign tool can only read certificates from a keychain.
However, setting keychains up to work in a non-interactive way is
complex and error prone. We create a target to import the certificates
from a PKCS #12 file and pull them into a temporary keychain which has
been specially set up to work in CI. This requires multiple complex and
poorly documented incantations to work correctly, but it does currently
work. These incantations are not to be meant run on a user system
because they modify various keychain properties, such as the default
keychain, so add a comment to that effect.
We sign both the binary and the zip file, since we cannot notarize the
binary alone but would like to have a signed binary. Only zip files,
pkg files, and disk images can be notarized; this is why we have
switched to a zip file for macOS.
Note that the notarization process requires a particular developer to
submit the binary for notarization using their Apple account. That
developer's ID and their app password are specified from the environment
and can be read from the secret store. This is so that this can easily
be rotated to reflect a new user without needing to involve code
changes. Similarly, the cert ID, although not secret, is passed in in a
similar way.
When we perform the notarization, we do it in a loop, since Apple's
servers can sometimes "forget" the fact that we submitted a request and
therefore cause gon, the notarization tool we use, to spuriously fail
when it checks on the status of our request. We don't use seq to count
in our loop because it is not portable to non-Linux systems.
Finally, we use "darwin" in the Makefile because everything else in the
Makefile already uses that, but we use "MACOS" for secrets for
consistency with the GitHub Actions workflow, which uses that. We
translate in the workflow file.
2020-04-10 19:39:23 +00:00
|
|
|
# You may sign with a different certificate by specifying CERT_ID.
|
2018-09-24 20:52:46 +00:00
|
|
|
.PHONY : release-windows
|
|
|
|
release-windows: bin/releases/git-lfs-windows-assets-$(VERSION).tar.gz
|
|
|
|
|
|
|
|
bin/releases/git-lfs-windows-assets-$(VERSION).tar.gz :
|
|
|
|
$(RM) git-lfs-windows-*.exe
|
|
|
|
@# Using these particular filenames is required for the Inno Setup script to
|
|
|
|
@# work properly.
|
|
|
|
$(MAKE) -B GOARCH=amd64 && cp ./bin/git-lfs.exe ./git-lfs-x64.exe
|
|
|
|
$(MAKE) -B GOARCH=386 && cp ./bin/git-lfs.exe ./git-lfs-x86.exe
|
2021-08-17 08:04:01 +00:00
|
|
|
$(MAKE) -B GOARCH=arm64 && cp ./bin/git-lfs.exe ./git-lfs-arm64.exe
|
2019-09-05 21:50:36 +00:00
|
|
|
@echo Signing git-lfs-x64.exe
|
2019-09-24 17:27:22 +00:00
|
|
|
@signtool.exe sign -debug -fd sha256 -tr http://timestamp.digicert.com -td sha256 $(CERT_ARGS) -v git-lfs-x64.exe
|
2019-09-05 21:50:36 +00:00
|
|
|
@echo Signing git-lfs-x86.exe
|
2019-09-24 17:27:22 +00:00
|
|
|
@signtool.exe sign -debug -fd sha256 -tr http://timestamp.digicert.com -td sha256 $(CERT_ARGS) -v git-lfs-x86.exe
|
2021-08-17 08:04:01 +00:00
|
|
|
@echo Signing git-lfs-arm64.exe
|
|
|
|
@signtool.exe sign -debug -fd sha256 -tr http://timestamp.digicert.com -td sha256 $(CERT_ARGS) -v git-lfs-arm64.exe
|
2018-09-24 20:52:46 +00:00
|
|
|
iscc.exe script/windows-installer/inno-setup-git-lfs-installer.iss
|
|
|
|
@# This file will be named according to the version number in the
|
|
|
|
@# versioninfo.json, not according to $(VERSION).
|
|
|
|
mv git-lfs-windows-*.exe git-lfs-windows.exe
|
2019-09-05 21:50:36 +00:00
|
|
|
@echo Signing git-lfs-windows.exe
|
2019-09-24 17:27:22 +00:00
|
|
|
@signtool.exe sign -debug -fd sha256 -tr http://timestamp.digicert.com -td sha256 $(CERT_ARGS) -v git-lfs-windows.exe
|
2018-09-24 20:52:46 +00:00
|
|
|
mv git-lfs-x64.exe git-lfs-windows-amd64.exe
|
|
|
|
mv git-lfs-x86.exe git-lfs-windows-386.exe
|
2021-08-17 08:04:01 +00:00
|
|
|
mv git-lfs-arm64.exe git-lfs-windows-arm64.exe
|
2018-09-24 20:52:46 +00:00
|
|
|
@# We use tar because Git Bash doesn't include zip.
|
2021-08-17 08:04:01 +00:00
|
|
|
tar -czf $@ git-lfs-windows-amd64.exe git-lfs-windows-386.exe git-lfs-windows-arm64.exe git-lfs-windows.exe
|
|
|
|
$(RM) git-lfs-windows-amd64.exe git-lfs-windows-386.exe git-lfs-windows-arm64.exe git-lfs-windows.exe
|
2018-09-24 20:52:46 +00:00
|
|
|
|
|
|
|
# release-windows-rebuild takes the archive produced by release-windows and
|
|
|
|
# incorporates the signed binaries into the existing zip archives.
|
|
|
|
.PHONY : release-windows-rebuild
|
|
|
|
release-windows-rebuild: bin/releases/git-lfs-windows-assets-$(VERSION).tar.gz
|
|
|
|
temp=$$(mktemp -d); \
|
|
|
|
file="$$PWD/$^"; \
|
|
|
|
( \
|
|
|
|
tar -C "$$temp" -xzf "$$file" && \
|
2021-08-17 08:04:01 +00:00
|
|
|
for i in 386 amd64 arm64; do \
|
2018-09-24 20:52:46 +00:00
|
|
|
cp "$$temp/git-lfs-windows-$$i.exe" "$$temp/git-lfs.exe" && \
|
|
|
|
zip -d bin/releases/git-lfs-windows-$$i-$(VERSION).zip "git-lfs-windows-$$i.exe" && \
|
|
|
|
zip -j -l bin/releases/git-lfs-windows-$$i-$(VERSION).zip "$$temp/git-lfs.exe"; \
|
|
|
|
done && \
|
|
|
|
cp "$$temp/git-lfs-windows.exe" bin/releases/git-lfs-windows-$(VERSION).exe \
|
|
|
|
); \
|
|
|
|
status="$$?"; [ -n "$$temp" ] && $(RM) -r "$$temp"; exit "$$status"
|
|
|
|
|
workflows/release: sign and notarize macOS binaries
On macOS, Gatekeeper requires binaries that are signed with a trusted
code-signing certificate and notarized by Apple in order for them to
run. To ease the burden for Mac users, let's start providing signed
binaries.
The macOS codesign tool can only read certificates from a keychain.
However, setting keychains up to work in a non-interactive way is
complex and error prone. We create a target to import the certificates
from a PKCS #12 file and pull them into a temporary keychain which has
been specially set up to work in CI. This requires multiple complex and
poorly documented incantations to work correctly, but it does currently
work. These incantations are not to be meant run on a user system
because they modify various keychain properties, such as the default
keychain, so add a comment to that effect.
We sign both the binary and the zip file, since we cannot notarize the
binary alone but would like to have a signed binary. Only zip files,
pkg files, and disk images can be notarized; this is why we have
switched to a zip file for macOS.
Note that the notarization process requires a particular developer to
submit the binary for notarization using their Apple account. That
developer's ID and their app password are specified from the environment
and can be read from the secret store. This is so that this can easily
be rotated to reflect a new user without needing to involve code
changes. Similarly, the cert ID, although not secret, is passed in in a
similar way.
When we perform the notarization, we do it in a loop, since Apple's
servers can sometimes "forget" the fact that we submitted a request and
therefore cause gon, the notarization tool we use, to spuriously fail
when it checks on the status of our request. We don't use seq to count
in our loop because it is not portable to non-Linux systems.
Finally, we use "darwin" in the Makefile because everything else in the
Makefile already uses that, but we use "MACOS" for secrets for
consistency with the GitHub Actions workflow, which uses that. We
translate in the workflow file.
2020-04-10 19:39:23 +00:00
|
|
|
# release-darwin is a target that builds and signs Darwin (macOS) binaries. It must
|
|
|
|
# be run on a macOS machine with a suitable version of XCode.
|
|
|
|
#
|
|
|
|
# You may sign with a different certificate by specifying DARWIN_CERT_ID.
|
|
|
|
.PHONY : release-darwin
|
2021-03-11 21:11:33 +00:00
|
|
|
release-darwin: bin/releases/git-lfs-darwin-amd64-$(VERSION).zip bin/releases/git-lfs-darwin-arm64-$(VERSION).zip
|
workflows/release: sign and notarize macOS binaries
On macOS, Gatekeeper requires binaries that are signed with a trusted
code-signing certificate and notarized by Apple in order for them to
run. To ease the burden for Mac users, let's start providing signed
binaries.
The macOS codesign tool can only read certificates from a keychain.
However, setting keychains up to work in a non-interactive way is
complex and error prone. We create a target to import the certificates
from a PKCS #12 file and pull them into a temporary keychain which has
been specially set up to work in CI. This requires multiple complex and
poorly documented incantations to work correctly, but it does currently
work. These incantations are not to be meant run on a user system
because they modify various keychain properties, such as the default
keychain, so add a comment to that effect.
We sign both the binary and the zip file, since we cannot notarize the
binary alone but would like to have a signed binary. Only zip files,
pkg files, and disk images can be notarized; this is why we have
switched to a zip file for macOS.
Note that the notarization process requires a particular developer to
submit the binary for notarization using their Apple account. That
developer's ID and their app password are specified from the environment
and can be read from the secret store. This is so that this can easily
be rotated to reflect a new user without needing to involve code
changes. Similarly, the cert ID, although not secret, is passed in in a
similar way.
When we perform the notarization, we do it in a loop, since Apple's
servers can sometimes "forget" the fact that we submitted a request and
therefore cause gon, the notarization tool we use, to spuriously fail
when it checks on the status of our request. We don't use seq to count
in our loop because it is not portable to non-Linux systems.
Finally, we use "darwin" in the Makefile because everything else in the
Makefile already uses that, but we use "MACOS" for secrets for
consistency with the GitHub Actions workflow, which uses that. We
translate in the workflow file.
2020-04-10 19:39:23 +00:00
|
|
|
for i in $^; do \
|
|
|
|
temp=$$(mktemp -d) && \
|
|
|
|
( \
|
2021-03-11 21:11:33 +00:00
|
|
|
unzip -d "$$temp" "$$i" && \
|
workflows/release: sign and notarize macOS binaries
On macOS, Gatekeeper requires binaries that are signed with a trusted
code-signing certificate and notarized by Apple in order for them to
run. To ease the burden for Mac users, let's start providing signed
binaries.
The macOS codesign tool can only read certificates from a keychain.
However, setting keychains up to work in a non-interactive way is
complex and error prone. We create a target to import the certificates
from a PKCS #12 file and pull them into a temporary keychain which has
been specially set up to work in CI. This requires multiple complex and
poorly documented incantations to work correctly, but it does currently
work. These incantations are not to be meant run on a user system
because they modify various keychain properties, such as the default
keychain, so add a comment to that effect.
We sign both the binary and the zip file, since we cannot notarize the
binary alone but would like to have a signed binary. Only zip files,
pkg files, and disk images can be notarized; this is why we have
switched to a zip file for macOS.
Note that the notarization process requires a particular developer to
submit the binary for notarization using their Apple account. That
developer's ID and their app password are specified from the environment
and can be read from the secret store. This is so that this can easily
be rotated to reflect a new user without needing to involve code
changes. Similarly, the cert ID, although not secret, is passed in in a
similar way.
When we perform the notarization, we do it in a loop, since Apple's
servers can sometimes "forget" the fact that we submitted a request and
therefore cause gon, the notarization tool we use, to spuriously fail
when it checks on the status of our request. We don't use seq to count
in our loop because it is not portable to non-Linux systems.
Finally, we use "darwin" in the Makefile because everything else in the
Makefile already uses that, but we use "MACOS" for secrets for
consistency with the GitHub Actions workflow, which uses that. We
translate in the workflow file.
2020-04-10 19:39:23 +00:00
|
|
|
codesign --keychain $(DARWIN_KEYCHAIN_ID) -s "$(DARWIN_CERT_ID)" --force --timestamp -vvvv --options runtime "$$temp/git-lfs" && \
|
|
|
|
codesign -dvvv "$$temp/git-lfs" && \
|
|
|
|
zip -j $$i "$$temp/git-lfs" && \
|
|
|
|
codesign --keychain $(DARWIN_KEYCHAIN_ID) -s "$(DARWIN_CERT_ID)" --force --timestamp -vvvv --options runtime "$$i" && \
|
|
|
|
codesign -dvvv "$$i" && \
|
|
|
|
jq -e ".notarize.path = \"$$i\" | .apple_id.username = \"$(DARWIN_DEV_USER)\"" script/macos/manifest.json > "$$temp/manifest.json"; \
|
|
|
|
for j in 1 2 3; \
|
|
|
|
do \
|
|
|
|
gon "$$temp/manifest.json" && break; \
|
|
|
|
done; \
|
|
|
|
); \
|
|
|
|
status="$$?"; [ -n "$$temp" ] && $(RM) -r "$$temp"; [ "$$status" -eq 0 ] || exit "$$status"; \
|
|
|
|
done
|
|
|
|
|
2019-09-05 21:50:36 +00:00
|
|
|
.PHONY : release-write-certificate
|
|
|
|
release-write-certificate:
|
|
|
|
@echo "Writing certificate to $(CERT_FILE)"
|
|
|
|
@echo "$$CERT_CONTENTS" | base64 --decode >"$$CERT_FILE"
|
|
|
|
@printf 'Wrote %d bytes (SHA256 %s) to certificate file\n' $$(wc -c <"$$CERT_FILE") $$(shasum -ba 256 "$$CERT_FILE" | cut -d' ' -f1)
|
|
|
|
|
workflows/release: sign and notarize macOS binaries
On macOS, Gatekeeper requires binaries that are signed with a trusted
code-signing certificate and notarized by Apple in order for them to
run. To ease the burden for Mac users, let's start providing signed
binaries.
The macOS codesign tool can only read certificates from a keychain.
However, setting keychains up to work in a non-interactive way is
complex and error prone. We create a target to import the certificates
from a PKCS #12 file and pull them into a temporary keychain which has
been specially set up to work in CI. This requires multiple complex and
poorly documented incantations to work correctly, but it does currently
work. These incantations are not to be meant run on a user system
because they modify various keychain properties, such as the default
keychain, so add a comment to that effect.
We sign both the binary and the zip file, since we cannot notarize the
binary alone but would like to have a signed binary. Only zip files,
pkg files, and disk images can be notarized; this is why we have
switched to a zip file for macOS.
Note that the notarization process requires a particular developer to
submit the binary for notarization using their Apple account. That
developer's ID and their app password are specified from the environment
and can be read from the secret store. This is so that this can easily
be rotated to reflect a new user without needing to involve code
changes. Similarly, the cert ID, although not secret, is passed in in a
similar way.
When we perform the notarization, we do it in a loop, since Apple's
servers can sometimes "forget" the fact that we submitted a request and
therefore cause gon, the notarization tool we use, to spuriously fail
when it checks on the status of our request. We don't use seq to count
in our loop because it is not portable to non-Linux systems.
Finally, we use "darwin" in the Makefile because everything else in the
Makefile already uses that, but we use "MACOS" for secrets for
consistency with the GitHub Actions workflow, which uses that. We
translate in the workflow file.
2020-04-10 19:39:23 +00:00
|
|
|
# release-import-certificate imports the given certificate into the macOS
|
|
|
|
# keychain "CI". It is not generally recommended to run this on a user system,
|
|
|
|
# since it creates a new keychain and modifies the keychain search path.
|
|
|
|
.PHONY : release-import-certificate
|
|
|
|
release-import-certificate:
|
|
|
|
@[ -n "$(CI)" ] || { echo "Don't run this target by hand." >&2; false; }
|
|
|
|
@echo "Creating CI keychain"
|
|
|
|
security create-keychain -p default CI.keychain
|
|
|
|
security set-keychain-settings CI.keychain
|
|
|
|
security unlock-keychain -p default CI.keychain
|
|
|
|
@echo "Importing certificate from $(CERT_FILE)"
|
|
|
|
@security import "$$CERT_FILE" -f pkcs12 -k CI.keychain -P "$$CERT_PASS" -A
|
|
|
|
@echo "Verifying import and setting permissions"
|
|
|
|
security list-keychains -s CI.keychain
|
|
|
|
security default-keychain -s CI.keychain
|
|
|
|
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k default CI.keychain
|
|
|
|
security find-identity -vp codesigning CI.keychain
|
|
|
|
|
2018-07-23 18:41:00 +00:00
|
|
|
# TEST_TARGETS is a list of all phony test targets. Each one of them corresponds
|
|
|
|
# to a specific kind or subset of tests to run.
|
2018-07-16 21:25:54 +00:00
|
|
|
TEST_TARGETS := test-bench test-verbose test-race
|
|
|
|
.PHONY : $(TEST_TARGETS) test
|
|
|
|
$(TEST_TARGETS) : test
|
|
|
|
|
2018-07-23 18:41:00 +00:00
|
|
|
# test-bench runs all Go benchmark tests, and nothing more.
|
2018-07-16 21:25:54 +00:00
|
|
|
test-bench : GO_TEST_EXTRA_ARGS=-run=__nothing__ -bench=.
|
2018-07-23 18:41:00 +00:00
|
|
|
# test-verbose runs all Go tests in verbose mode.
|
2018-07-16 21:25:54 +00:00
|
|
|
test-verbose : GO_TEST_EXTRA_ARGS=-v
|
2018-07-23 18:41:00 +00:00
|
|
|
# test-race runs all Go tests in race-detection mode.
|
2018-07-16 21:25:54 +00:00
|
|
|
test-race : GO_TEST_EXTRA_ARGS=-race
|
|
|
|
|
2018-07-23 18:41:00 +00:00
|
|
|
# test runs the Go tests with GO_TEST_EXTRA_ARGS in all specified packages,
|
|
|
|
# given by the PKGS variable.
|
|
|
|
#
|
|
|
|
# For example, a caller can invoke the race-detection tests in just the config
|
|
|
|
# package by running:
|
|
|
|
#
|
|
|
|
# make PKGS=config test-race
|
|
|
|
#
|
|
|
|
# Or in a series of packages, like:
|
|
|
|
#
|
|
|
|
# make PKGS="config lfsapi tools/kv" test-race
|
|
|
|
#
|
|
|
|
# And so on.
|
2020-03-28 02:46:40 +00:00
|
|
|
test : fmt $(.DEFAULT_GOAL)
|
2020-05-13 20:51:59 +00:00
|
|
|
( \
|
|
|
|
unset GIT_DIR; unset GIT_WORK_TREE; unset XDG_CONFIG_HOME; \
|
|
|
|
tempdir="$$(mktemp -d)"; \
|
|
|
|
export HOME="$$tempdir"; \
|
|
|
|
export GIT_CONFIG_NOSYSTEM=1; \
|
|
|
|
$(GO) test -count=1 $(GO_TEST_EXTRA_ARGS) $(addprefix ./,$(PKGS)); \
|
|
|
|
RET=$$?; \
|
2020-06-12 16:36:50 +00:00
|
|
|
chmod -R u+w "$$tempdir"; \
|
2020-05-13 20:51:59 +00:00
|
|
|
rm -fr "$$tempdir"; \
|
|
|
|
exit $$RET; \
|
|
|
|
)
|
2018-07-16 21:25:54 +00:00
|
|
|
|
2018-07-23 18:41:00 +00:00
|
|
|
# integration is a shorthand for running 'make' in the 't' directory.
|
|
|
|
.PHONY : integration
|
|
|
|
integration : bin/git-lfs$(X)
|
|
|
|
make -C t test
|
|
|
|
|
all: use Go Modules instead of Glide
Since we are now building on Go 1.11 (as of 074a2d4f (all: use Go 1.11
in CI, 2018-08-28)) and Go 1.11 supports Go Modules [1], let's stop
using Glide, and begin using Go Modules.
This involves a few things:
* Teach the Makefile how to build go.sum files instead of glide.lock
files.
* Teach continuous integration services to build Git LFS in a
non-$GOPATH environment, since (without setting GO111MODULE=on
explicitly, which we choose not to do), this will break compiling
Git LFS, because Go 1.11 will ignore modules present in a Go
checkout beneath $GOPATH.
* In order to do the above, let's also make sure that we are
un-setting $GOCACHE in the environment, as this causes Go to work
without modules support [2].
* Because we're no longer building in a `$GOPATH`-based location,
let's instruct the CircleCI base image to archive the new location,
too.
* Similarly, teach the RPM spec to build in a non-$GOPATH location.
* By contrast, since we use dh_golang to build git-lfs binaries on
Debian, let's wait until the upstream dh_golang package is released
with support for Go 1.11 module support explicitly. Therefore, force
GO111MODULE to be on so that we can build a copy of Git LFS whose
checkout is within a $GOPATH.
Although the go.mod versions match the glide.yaml ones, the diff
attached is large because Go Modules do not vendor `_test.go` files,
whereas Glide does.
[1]: https://golang.org/doc/go1.11#modules
[2]: `GOCACHE=on` will be deprecated in Go 1.12, so this change makes
sense for that reason, too.
Co-authored-by: brian m. carlson <bk2204@github.com>
2018-08-28 20:53:57 +00:00
|
|
|
# go.sum is a lockfile based on the contents of go.mod.
|
|
|
|
go.sum : go.mod
|
|
|
|
$(GO) mod verify >/dev/null
|
2018-07-16 20:05:08 +00:00
|
|
|
|
all: use Go Modules instead of Glide
Since we are now building on Go 1.11 (as of 074a2d4f (all: use Go 1.11
in CI, 2018-08-28)) and Go 1.11 supports Go Modules [1], let's stop
using Glide, and begin using Go Modules.
This involves a few things:
* Teach the Makefile how to build go.sum files instead of glide.lock
files.
* Teach continuous integration services to build Git LFS in a
non-$GOPATH environment, since (without setting GO111MODULE=on
explicitly, which we choose not to do), this will break compiling
Git LFS, because Go 1.11 will ignore modules present in a Go
checkout beneath $GOPATH.
* In order to do the above, let's also make sure that we are
un-setting $GOCACHE in the environment, as this causes Go to work
without modules support [2].
* Because we're no longer building in a `$GOPATH`-based location,
let's instruct the CircleCI base image to archive the new location,
too.
* Similarly, teach the RPM spec to build in a non-$GOPATH location.
* By contrast, since we use dh_golang to build git-lfs binaries on
Debian, let's wait until the upstream dh_golang package is released
with support for Go 1.11 module support explicitly. Therefore, force
GO111MODULE to be on so that we can build a copy of Git LFS whose
checkout is within a $GOPATH.
Although the go.mod versions match the glide.yaml ones, the diff
attached is large because Go Modules do not vendor `_test.go` files,
whereas Glide does.
[1]: https://golang.org/doc/go1.11#modules
[2]: `GOCACHE=on` will be deprecated in Go 1.12, so this change makes
sense for that reason, too.
Co-authored-by: brian m. carlson <bk2204@github.com>
2018-08-28 20:53:57 +00:00
|
|
|
# vendor updates the go.sum-file, and installs vendored dependencies into
|
2018-07-23 18:41:00 +00:00
|
|
|
# the vendor/ sub-tree, removing sub-packages (listed below) that are unused by
|
all: use Go Modules instead of Glide
Since we are now building on Go 1.11 (as of 074a2d4f (all: use Go 1.11
in CI, 2018-08-28)) and Go 1.11 supports Go Modules [1], let's stop
using Glide, and begin using Go Modules.
This involves a few things:
* Teach the Makefile how to build go.sum files instead of glide.lock
files.
* Teach continuous integration services to build Git LFS in a
non-$GOPATH environment, since (without setting GO111MODULE=on
explicitly, which we choose not to do), this will break compiling
Git LFS, because Go 1.11 will ignore modules present in a Go
checkout beneath $GOPATH.
* In order to do the above, let's also make sure that we are
un-setting $GOCACHE in the environment, as this causes Go to work
without modules support [2].
* Because we're no longer building in a `$GOPATH`-based location,
let's instruct the CircleCI base image to archive the new location,
too.
* Similarly, teach the RPM spec to build in a non-$GOPATH location.
* By contrast, since we use dh_golang to build git-lfs binaries on
Debian, let's wait until the upstream dh_golang package is released
with support for Go 1.11 module support explicitly. Therefore, force
GO111MODULE to be on so that we can build a copy of Git LFS whose
checkout is within a $GOPATH.
Although the go.mod versions match the glide.yaml ones, the diff
attached is large because Go Modules do not vendor `_test.go` files,
whereas Glide does.
[1]: https://golang.org/doc/go1.11#modules
[2]: `GOCACHE=on` will be deprecated in Go 1.12, so this change makes
sense for that reason, too.
Co-authored-by: brian m. carlson <bk2204@github.com>
2018-08-28 20:53:57 +00:00
|
|
|
# Git LFS as well as test code.
|
2018-07-23 18:41:00 +00:00
|
|
|
.PHONY : vendor
|
all: use Go Modules instead of Glide
Since we are now building on Go 1.11 (as of 074a2d4f (all: use Go 1.11
in CI, 2018-08-28)) and Go 1.11 supports Go Modules [1], let's stop
using Glide, and begin using Go Modules.
This involves a few things:
* Teach the Makefile how to build go.sum files instead of glide.lock
files.
* Teach continuous integration services to build Git LFS in a
non-$GOPATH environment, since (without setting GO111MODULE=on
explicitly, which we choose not to do), this will break compiling
Git LFS, because Go 1.11 will ignore modules present in a Go
checkout beneath $GOPATH.
* In order to do the above, let's also make sure that we are
un-setting $GOCACHE in the environment, as this causes Go to work
without modules support [2].
* Because we're no longer building in a `$GOPATH`-based location,
let's instruct the CircleCI base image to archive the new location,
too.
* Similarly, teach the RPM spec to build in a non-$GOPATH location.
* By contrast, since we use dh_golang to build git-lfs binaries on
Debian, let's wait until the upstream dh_golang package is released
with support for Go 1.11 module support explicitly. Therefore, force
GO111MODULE to be on so that we can build a copy of Git LFS whose
checkout is within a $GOPATH.
Although the go.mod versions match the glide.yaml ones, the diff
attached is large because Go Modules do not vendor `_test.go` files,
whereas Glide does.
[1]: https://golang.org/doc/go1.11#modules
[2]: `GOCACHE=on` will be deprecated in Go 1.12, so this change makes
sense for that reason, too.
Co-authored-by: brian m. carlson <bk2204@github.com>
2018-08-28 20:53:57 +00:00
|
|
|
vendor : go.mod
|
|
|
|
$(GO) mod vendor -v
|
2018-07-16 20:25:44 +00:00
|
|
|
|
2018-07-23 18:41:00 +00:00
|
|
|
# fmt runs goimports over all files in Git LFS (as defined by $(SOURCES) above),
|
|
|
|
# and replaces their contents with a formatted one in-place.
|
2018-07-25 01:28:22 +00:00
|
|
|
#
|
|
|
|
# If $(GOIMPORTS) does not exist, or isn't otherwise executable, this recipe
|
|
|
|
# still performs the linting sequence, but gracefully skips over running a
|
|
|
|
# non-existent command.
|
2018-07-19 18:02:25 +00:00
|
|
|
.PHONY : fmt
|
2021-08-23 15:30:43 +00:00
|
|
|
ifeq ($(shell test -x "`command -v $(GOIMPORTS)`"; echo $$?),0)
|
2018-07-25 01:28:22 +00:00
|
|
|
fmt : $(SOURCES) | lint
|
2018-07-31 21:20:11 +00:00
|
|
|
@$(GOIMPORTS) $(GOIMPORTS_EXTRA_OPTS) $?;
|
2018-07-25 01:28:22 +00:00
|
|
|
else
|
2018-07-19 18:10:56 +00:00
|
|
|
fmt : $(SOURCES) | lint
|
2018-07-25 01:28:22 +00:00
|
|
|
@echo "git-lfs: skipping fmt, no goimports found at \`$(GOIMPORTS)\` ..."
|
|
|
|
endif
|
2018-07-16 20:25:44 +00:00
|
|
|
|
2018-07-23 18:41:00 +00:00
|
|
|
# lint ensures that there are all dependencies outside of the standard library
|
|
|
|
# are vendored in via vendor (see: above).
|
2018-07-19 18:02:25 +00:00
|
|
|
.PHONY : lint
|
2018-07-19 18:10:56 +00:00
|
|
|
lint : $(SOURCES)
|
2018-08-28 19:21:21 +00:00
|
|
|
@! $(GO) list -f '{{ join .Deps "\n" }}' . \
|
all: use Go Modules instead of Glide
Since we are now building on Go 1.11 (as of 074a2d4f (all: use Go 1.11
in CI, 2018-08-28)) and Go 1.11 supports Go Modules [1], let's stop
using Glide, and begin using Go Modules.
This involves a few things:
* Teach the Makefile how to build go.sum files instead of glide.lock
files.
* Teach continuous integration services to build Git LFS in a
non-$GOPATH environment, since (without setting GO111MODULE=on
explicitly, which we choose not to do), this will break compiling
Git LFS, because Go 1.11 will ignore modules present in a Go
checkout beneath $GOPATH.
* In order to do the above, let's also make sure that we are
un-setting $GOCACHE in the environment, as this causes Go to work
without modules support [2].
* Because we're no longer building in a `$GOPATH`-based location,
let's instruct the CircleCI base image to archive the new location,
too.
* Similarly, teach the RPM spec to build in a non-$GOPATH location.
* By contrast, since we use dh_golang to build git-lfs binaries on
Debian, let's wait until the upstream dh_golang package is released
with support for Go 1.11 module support explicitly. Therefore, force
GO111MODULE to be on so that we can build a copy of Git LFS whose
checkout is within a $GOPATH.
Although the go.mod versions match the glide.yaml ones, the diff
attached is large because Go Modules do not vendor `_test.go` files,
whereas Glide does.
[1]: https://golang.org/doc/go1.11#modules
[2]: `GOCACHE=on` will be deprecated in Go 1.12, so this change makes
sense for that reason, too.
Co-authored-by: brian m. carlson <bk2204@github.com>
2018-08-28 20:53:57 +00:00
|
|
|
| $(XARGS) $(GO) list -f \
|
|
|
|
'{{ if and (not .Standard) (not .Module) }} \
|
|
|
|
{{ .ImportPath }} \
|
|
|
|
{{ end }}' \
|
2018-08-28 19:21:21 +00:00
|
|
|
| $(GREP) -v "github.com/git-lfs/git-lfs" \
|
|
|
|
| $(GREP) "."
|
2018-07-19 19:03:54 +00:00
|
|
|
|
2018-07-23 18:41:00 +00:00
|
|
|
# MAN_ROFF_TARGETS is a list of all ROFF-style targets in the man pages.
|
2018-07-19 19:03:54 +00:00
|
|
|
MAN_ROFF_TARGETS = man/git-lfs-checkout.1 \
|
|
|
|
man/git-lfs-clean.1 \
|
|
|
|
man/git-lfs-clone.1 \
|
|
|
|
man/git-lfs-config.5 \
|
|
|
|
man/git-lfs-env.1 \
|
|
|
|
man/git-lfs-ext.1 \
|
|
|
|
man/git-lfs-fetch.1 \
|
|
|
|
man/git-lfs-filter-process.1 \
|
|
|
|
man/git-lfs-fsck.1 \
|
|
|
|
man/git-lfs-install.1 \
|
|
|
|
man/git-lfs-lock.1 \
|
|
|
|
man/git-lfs-locks.1 \
|
|
|
|
man/git-lfs-logs.1 \
|
|
|
|
man/git-lfs-ls-files.1 \
|
|
|
|
man/git-lfs-migrate.1 \
|
|
|
|
man/git-lfs-pointer.1 \
|
|
|
|
man/git-lfs-post-checkout.1 \
|
2020-03-03 00:46:18 +00:00
|
|
|
man/git-lfs-post-commit.1 \
|
2018-07-19 19:03:54 +00:00
|
|
|
man/git-lfs-post-merge.1 \
|
|
|
|
man/git-lfs-pre-push.1 \
|
|
|
|
man/git-lfs-prune.1 \
|
|
|
|
man/git-lfs-pull.1 \
|
|
|
|
man/git-lfs-push.1 \
|
|
|
|
man/git-lfs-smudge.1 \
|
|
|
|
man/git-lfs-status.1 \
|
|
|
|
man/git-lfs-track.1 \
|
|
|
|
man/git-lfs-uninstall.1 \
|
|
|
|
man/git-lfs-unlock.1 \
|
|
|
|
man/git-lfs-untrack.1 \
|
|
|
|
man/git-lfs-update.1 \
|
|
|
|
man/git-lfs.1
|
|
|
|
|
2018-07-23 18:41:00 +00:00
|
|
|
# MAN_HTML_TARGETS is a list of all HTML-style targets in the man pages.
|
2018-07-19 19:03:54 +00:00
|
|
|
MAN_HTML_TARGETS = man/git-lfs-checkout.1.html \
|
|
|
|
man/git-lfs-clean.1.html \
|
|
|
|
man/git-lfs-clone.1.html \
|
|
|
|
man/git-lfs-config.5.html \
|
|
|
|
man/git-lfs-env.1.html \
|
|
|
|
man/git-lfs-ext.1.html \
|
|
|
|
man/git-lfs-fetch.1.html \
|
|
|
|
man/git-lfs-filter-process.1.html \
|
|
|
|
man/git-lfs-fsck.1.html \
|
|
|
|
man/git-lfs-install.1.html \
|
|
|
|
man/git-lfs-lock.1.html \
|
|
|
|
man/git-lfs-locks.1.html \
|
|
|
|
man/git-lfs-logs.1.html \
|
|
|
|
man/git-lfs-ls-files.1.html \
|
|
|
|
man/git-lfs-migrate.1.html \
|
|
|
|
man/git-lfs-pointer.1.html \
|
|
|
|
man/git-lfs-post-checkout.1.html \
|
2020-03-03 00:46:18 +00:00
|
|
|
man/git-lfs-post-commit.1.html \
|
2018-07-19 19:03:54 +00:00
|
|
|
man/git-lfs-post-merge.1.html \
|
|
|
|
man/git-lfs-pre-push.1.html \
|
|
|
|
man/git-lfs-prune.1.html \
|
|
|
|
man/git-lfs-pull.1.html \
|
|
|
|
man/git-lfs-push.1.html \
|
|
|
|
man/git-lfs-smudge.1.html \
|
|
|
|
man/git-lfs-status.1.html \
|
|
|
|
man/git-lfs-track.1.html \
|
|
|
|
man/git-lfs-uninstall.1.html \
|
|
|
|
man/git-lfs-unlock.1.html \
|
|
|
|
man/git-lfs-untrack.1.html \
|
|
|
|
man/git-lfs-update.1.html \
|
|
|
|
man/git-lfs.1.html
|
|
|
|
|
2018-07-23 18:41:00 +00:00
|
|
|
# man generates all ROFF- and HTML-style manpage targets.
|
2018-07-19 19:03:54 +00:00
|
|
|
.PHONY : man
|
|
|
|
man : $(MAN_ROFF_TARGETS) $(MAN_HTML_TARGETS)
|
|
|
|
|
2018-07-23 18:41:00 +00:00
|
|
|
# man/% generates ROFF-style man pages from the corresponding .ronn file.
|
2018-07-19 19:03:54 +00:00
|
|
|
man/% : docs/man/%.ronn
|
|
|
|
@mkdir -p man
|
|
|
|
$(RONN) $(RONN_EXTRA_ARGS) -r --pipe < $^ > $@
|
|
|
|
|
2018-07-23 18:41:00 +00:00
|
|
|
# man/%.html generates HTML-style man pages from the corresponding .ronn file.
|
2018-07-19 19:03:54 +00:00
|
|
|
man/%.html : docs/man/%.ronn
|
|
|
|
@mkdir -p man
|
|
|
|
$(RONN) $(RONN_EXTRA_ARGS) -5 --pipe < $^ > $@
|