diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index e3a67326..a758e275 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -84,20 +84,27 @@ jobs:
 uses: actions/setup-dotnet@v5.2.0
 with:
 dotnet-version: 9.0.x
- - name: Compute version suffix for branch builds
+ - name: Compute version override for branch builds
 if: ${{ !startsWith(github.ref, 'refs/tags/') }}
 id: version
 run: |
+ # Latest release tag matching the convention -octopus. (see README "Releasing")
+ LATEST=$(git tag --list --sort=-v:refname | grep -E '^[0-9]+\.[0-9]+\.[0-9]+-octopus\.[0-9]+$' | head -n 1)
+ if [ -z "$LATEST" ]; then
+ echo "::error::No release tag matching -octopus. found"
+ exit 1
+ fi
 # Sanitize branch name: lowercase, replace non-alphanumeric with hyphen, trim to 20 chars
 BRANCH="${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}}"
 SAFE_BRANCH=$(echo "$BRANCH" | tr '[:upper:]' '[:lower:]' | sed 's/[^a-z0-9]/-/g' | sed 's/--*/-/g' | sed 's/^-//' | sed 's/-$//' | cut -c1-20)
- echo "override=${SAFE_BRANCH}.${{ github.run_number }}" >> "$GITHUB_OUTPUT"
+ # Join with '.' (not '-') so branch/run land as separate prerelease IDs, keeping ordering correct vs the next octopus.
+ echo "override=${LATEST}.${SAFE_BRANCH}.${{ github.run_number }}" >> "$GITHUB_OUTPUT"
 - name: Download artifacts
 uses: actions/download-artifact@v8.0.1
 with:
 path: nuget.package/runtimes/
 - name: Create package
- run: dotnet pack nuget.package ${{ steps.version.outputs.override && format('/p:MinVerDefaultPreReleaseIdentifiers="{0}"', steps.version.outputs.override) || '' }}
+ run: dotnet pack nuget.package ${{ steps.version.outputs.override && format('/p:MinVerVersionOverride={0}', steps.version.outputs.override) || '' }}
 - name: Upload NuGet package
 uses: actions/upload-artifact@v7.0.0
 with:
diff --git a/build.libgit2.sh b/build.libgit2.sh
index d8ed8744..d8edaaf9 100755
--- a/build.libgit2.sh
+++ b/build.libgit2.sh
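Review bot: The new `git tag --list --sort=-v:refname` lookup only sees tags that the checkout step fetched; with actions/checkout's default shallow clone (no `fetch-depth: 0` or `fetch-tags: true`) the list is empty and every branch build now stops at the new `::error::` line. The checkout step is outside this hunk so that cannot be confirmed here, but the step deserves a comment such as `# Requires tags in the checkout (fetch-depth: 0 or fetch-tags: true)`. Separately, `${LATEST}.${SAFE_BRANCH}.${{ github.run_number }}` produces e.g. `1.2.3-octopus.4.my-branch.57`, which SemVer precedence orders above the released `1.2.3-octopus.4` it was derived from (more prerelease identifiers after an equal prefix), so a consumer resolving the highest prerelease can pick a branch build over the real release; if that is intended, the comment above the echo line should say so.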
@@ -62,7 +62,51 @@ cp libgit2/build/libgit2-$SHORTSHA.$LIBEXT $PACKAGEPATH/$RID/native
 LIBGIT2_PATH="$PACKAGEPATH/$RID/native/libgit2-$SHORTSHA.$LIBEXT"
 if [[ $OS == "Darwin" ]]; then
- echo "macOS: libssh2 sourced from global installation"
+ # We don't run Octopus Server on Mac, so we can avoid the restriction of relying on the system crypto libraries
+ # (Required for FIPS compliance). Instead we just bundle the packages so devs don't need to install them.
+ NATIVE_DIR="$PACKAGEPATH/$RID/native"
+
+ is_homebrew_path() {
+ case "$1" in
+ /opt/homebrew/*|/usr/local/Cellar/*) return 0 ;;
+ *) return 1 ;;
+ esac
+ }
+
+ # Walk the load commands of $1 and, for each Homebrew-rooted dep, copy it next to libgit2,
+ # rewrite the load command to @rpath, and recurse so transitive deps (libssl -> libcrypto, etc.) are covered.
+ bundle_homebrew_deps() {
+ local DYLIB="$1"
+ local DEPS
+ DEPS=$(otool -L "$DYLIB" | tail -n +2 | awk '{print $1}')
+ local DEP
+ for DEP in $DEPS; do
+ if is_homebrew_path "$DEP"; then
+ local DEP_BASENAME
+ DEP_BASENAME=$(basename "$DEP")
+ local DEP_DEST="$NATIVE_DIR/$DEP_BASENAME"
+ if [[ ! -f "$DEP_DEST" ]]; then
+ echo "Bundling $DEP_BASENAME from $DEP"
+ cp "$DEP" "$DEP_DEST"
+ chmod u+w "$DEP_DEST"
+ install_name_tool -id "@rpath/$DEP_BASENAME" "$DEP_DEST"
+ bundle_homebrew_deps "$DEP_DEST"
+ fi
+ install_name_tool -change "$DEP" "@rpath/$DEP_BASENAME" "$DYLIB"
+ fi
+ done
+ }
+
+ bundle_homebrew_deps "$LIBGIT2_PATH"
+
+ for DYLIB in "$NATIVE_DIR"/*.dylib; do
+ install_name_tool -add_rpath @loader_path "$DYLIB"
+ done
+
+ # Ad-hoc re-sign — install_name_tool invalidates the existing signature, which is fatal on Apple Silicon.
+ for DYLIB in "$NATIVE_DIR"/*.dylib; do
+ codesign --force --sign - "$DYLIB"
+ done
 else
 # Linux: find libssh2 via ldd
 LIBSSH2_PATH=$(ldd "$LIBGIT2_PATH" | grep libssh2 | awk '{print $3}')
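Review bot: `is_homebrew_path` matches `/usr/local/Cellar/*`, but as far as I know Homebrew's install names on Intel macs use the `opt` symlink path (`/usr/local/opt/<formula>/lib/...`), so those deps would not be recognised and would remain absolute references to the build machine; consider `/opt/homebrew/*|/usr/local/Cellar/*|/usr/local/opt/*) return 0 ;;`. `install_name_tool -add_rpath @loader_path` errors when that rpath is already present, so a re-run over an existing `$NATIVE_DIR` (or a bundled dylib that already carries it) aborts the build if the script runs under `set -e` — whether it does is set outside the hunk. The `[[ ! -f "$DEP_DEST" ]]` guard also means a stale copy from an earlier run is never refreshed yet still gets `@rpath`-linked, so a clean `$NATIVE_DIR` is an unstated precondition worth a one-line comment on `bundle_homebrew_deps`. The enclosing `if [[ $OS == "Darwin" ]]` block ends outside the hunk.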