From 862c656aed28d14853dac4b8c9b05e56b410a986 Mon Sep 17 00:00:00 2001
From: Yuval Shavit
Date: Sat, 1 Mar 2025 19:05:02 -0500
Subject: [PATCH 1/6] for mac, upload both plain binary and installer
---
 .github/workflows/build-release.yml | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/build-release.yml b/.github/workflows/build-release.yml
index b9ae34c..b227b38 100644
--- a/.github/workflows/build-release.yml
+++ b/.github/workflows/build-release.yml
@@ -99,16 +99,22 @@ jobs:
 cp scripts/installer.sh "$tmp_file"
 base64 -b 72 -i target/release/mdq | sed 's/^/# /' >> "$tmp_file"
 mv "$tmp_file" target/release/mdq-installer.sh
- export BUILD_FILE_NAME=mdq-installer.sh
- echo BUILD_FILE_NAME=mdq-installer.sh >> "$GITHUB_ENV"
+ echo MAC_INSTALLER_FILE_NAME=mdq-installer.sh >> "$GITHUB_ENV"
 - name: Attest Build Provenance (mac installer)
 if: ${{ runner.os == 'macOS' }}
 uses: actions/attest-build-provenance@v1
 with:
 subject-path: "target/release/${{ env.BUILD_FILE_NAME }}"
- - name: upload
+ - name: upload binary
 uses: actions/upload-artifact@v4
 with:
 if-no-files-found: error
 name: mdq-${{ matrix.os }}
 path: target/release/${{ env.BUILD_FILE_NAME }}
+ - name: upload Mac installer
+ if: ${{ runner.os == 'macOS' }}
+ uses: actions/upload-artifact@v4
+ with:
+ if-no-files-found: error
+ name: mdq-${{ matrix.os }}-installer
+ path: target/release/${{ env.MAC_INSTALLER_FILE_NAME }}
From eb950db0007870a488864da5dcdf295575422aa3 Mon Sep 17 00:00:00 2001
From: Yuval Shavit
Date: Sat, 1 Mar 2025 19:07:27 -0500
Subject: [PATCH 2/6] allow option for not building docker
---
 .github/workflows/build-release.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build-release.yml b/.github/workflows/build-release.yml
index b227b38..c092816 100644
--- a/.github/workflows/build-release.yml
+++ b/.github/workflows/build-release.yml
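Review bot: In PATCH 1/6 the `Attest Build Provenance (mac installer)` step keeps `subject-path: "target/release/${{ env.BUILD_FILE_NAME }}"`, but the hunk removes the line that set `BUILD_FILE_NAME=mdq-installer.sh`, so the step no longer covers the installer. As written, `mdq-installer.sh` is uploaded as `mdq-${{ matrix.os }}-installer` with no provenance attestation, while the step named for it presumably attests the plain binary a second time (where `BUILD_FILE_NAME` is otherwise set is outside the hunk). The step should read `subject-path: "target/release/${{ env.MAC_INSTALLER_FILE_NAME }}"`. PATCH 4/6 later deletes both installer steps, so the gap affects only artifacts built from the commits in between.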
@@ -1,5 +1,4 @@
-
-name: build-release
+name: Release
 on:
 push:
 branches: [ "main" ]
@@ -13,6 +12,7 @@ on:
 options:
 - latest
 - stable
+ - none
 env:
 CARGO_TERM_COLOR: always
@@ -25,6 +25,7 @@ permissions:
 jobs:
 docker:
+ if: ${{ inputs.docker-tag-type != "none" }}
 environment: Docker Hub
 runs-on: ubuntu-latest
 steps:
From 9289c5b0d828417f8a4dea3038cf4a93e2bcf310 Mon Sep 17 00:00:00 2001
From: Yuval Shavit
Date: Sat, 1 Mar 2025 19:08:31 -0500
Subject: [PATCH 3/6] syntax fix?
---
 .github/workflows/build-release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build-release.yml b/.github/workflows/build-release.yml
index c092816..a0db099 100644
--- a/.github/workflows/build-release.yml
+++ b/.github/workflows/build-release.yml
@@ -25,7 +25,7 @@ permissions:
 jobs:
 docker:
- if: ${{ inputs.docker-tag-type != "none" }}
+ if: ${{ inputs.docker-tag-type != 'none' }}
 environment: Docker Hub
 runs-on: ubuntu-latest
 steps:
From aebf9cabe1e7651a1c126e7ba9a0297623d90bb5 Mon Sep 17 00:00:00 2001
From: Yuval Shavit
Date: Sat, 1 Mar 2025 19:26:45 -0500
Subject: [PATCH 4/6] remove mac installer
---
 .github/workflows/build-release.yml | 20 --------------------
 README.md | 6 ++++++
 scripts/installer.sh | 13 -------------
 3 files changed, 6 insertions(+), 33 deletions(-)
 delete mode 100755 scripts/installer.sh
diff --git a/.github/workflows/build-release.yml b/.github/workflows/build-release.yml
index a0db099..8535433 100644
--- a/.github/workflows/build-release.yml
+++ b/.github/workflows/build-release.yml
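Review bot: The `docker` job condition added in PATCH 2/6 and corrected in PATCH 3/6, `if: ${{ inputs.docker-tag-type != 'none' }}`, only has a value on manually dispatched runs. On the `push` trigger for `main` the `inputs` context is empty, the comparison is true, and the job bound to the `Docker Hub` environment still runs. If that is intended, record it with a comment above the condition, for example `# inputs is empty on push, so this job always runs there; 'none' only skips it on manual runs`. If pushes should not publish an image, the condition also needs a check on the triggering event. The `options` list is presumably part of a `workflow_dispatch` input declared outside the hunk.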
@@ -93,29 +93,9 @@ jobs:
 uses: actions/attest-build-provenance@v1
 with:
 subject-path: "target/release/${{ env.BUILD_FILE_NAME }}"
- - name: mac installer
- if: ${{ runner.os == 'macOS' }}
- run: |
- tmp_file="$(mktemp)"
- cp scripts/installer.sh "$tmp_file"
- base64 -b 72 -i target/release/mdq | sed 's/^/# /' >> "$tmp_file"
- mv "$tmp_file" target/release/mdq-installer.sh
- echo MAC_INSTALLER_FILE_NAME=mdq-installer.sh >> "$GITHUB_ENV"
- - name: Attest Build Provenance (mac installer)
- if: ${{ runner.os == 'macOS' }}
- uses: actions/attest-build-provenance@v1
- with:
- subject-path: "target/release/${{ env.BUILD_FILE_NAME }}"
 - name: upload binary
 uses: actions/upload-artifact@v4
 with:
 if-no-files-found: error
 name: mdq-${{ matrix.os }}
 path: target/release/${{ env.BUILD_FILE_NAME }}
- - name: upload Mac installer
- if: ${{ runner.os == 'macOS' }}
- uses: actions/upload-artifact@v4
- with:
- if-no-files-found: error
- name: mdq-${{ matrix.os }}-installer
- path: target/release/${{ env.MAC_INSTALLER_FILE_NAME }}
diff --git a/README.md b/README.md
index 9e7deff..8486994 100644
--- a/README.md
+++ b/README.md
@@ -52,6 +52,12 @@ Any of these will work:
 ```
 4. Download binaries from [the latest release] (or any other release, of course).
+ > [!note]
+ > Macs quarantine downloads from the internet by default. You can remove this flag by running the following on the binary after extracting it from the artifact zip:
+ > ```bash
+ > xattr -r -d com.apple.quarantine mdq
+ > ```
+
 You can also grab the binaries from the latest [build-release] workflow run. You must be logged into GitHub to do
 that (this is GitHub's limitation, not mine). You'll have to `chmod +x` them before you can run them.
diff --git a/scripts/installer.sh b/scripts/installer.sh
deleted file mode 100755
index 9de4fe4..0000000
--- a/scripts/installer.sh
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/bin/bash
-
-mdq_name=mdq
-suffix=1
-while [[ -e "$mdq_name" ]]; do
- mdq_name="mdq-$suffix"
- suffix=$(( $suffix + 1 ))
-done
-
-cat "$0" | awk 'f;/^## BASE64 START/{f=1}' | sed 's/^# *//' | base64 -d > "$mdq_name"
-chmod +x "$mdq_name"
-
-## BASE64 START
From 1fc9590826bed54ac5923742beb7f1926cd68137 Mon Sep 17 00:00:00 2001
From: Yuval Shavit
Date: Sat, 1 Mar 2025 19:30:54 -0500
Subject: [PATCH 5/6] update readme
---
 README.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 8486994..9dd4b32 100644
--- a/README.md
+++ b/README.md
@@ -52,10 +52,10 @@ Any of these will work:
 ```
 4. Download binaries from [the latest release] (or any other release, of course).
- > [!note]
- > Macs quarantine downloads from the internet by default. You can remove this flag by running the following on the binary after extracting it from the artifact zip:
+ > ![note]
+ > Macs quarantine downloads from the internet by default. If you get an error saying that Apple cannot check the the binary for malicious software, you can remove this flag by running the following on the binary after extracting it from the artifact zip:
 > ```bash
- > xattr -r -d com.apple.quarantine mdq
+ > xattr -d com.apple.quarantine mdq
 > ```
 You can also grab the binaries from the latest [build-release] workflow run. You must be logged into GitHub to do
From 9a8b75d6d8d710e3f6a295bb769ccb9f5f6bd11d Mon Sep 17 00:00:00 2001
From: Yuval Shavit
Date: Sat, 1 Mar 2025 19:36:20 -0500
Subject: [PATCH 6/6] Update README.md
---
 README.md | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/README.md b/README.md
index 9dd4b32..d32aa8b 100644
--- a/README.md
+++ b/README.md
@@ -52,14 +52,12 @@ Any of these will work:
 ```
 4. Download binaries from [the latest release] (or any other release, of course).
- > ![note]
- > Macs quarantine downloads from the internet by default. If you get an error saying that Apple cannot check the the binary for malicious software, you can remove this flag by running the following on the binary after extracting it from the artifact zip:
- > ```bash
- > xattr -d com.apple.quarantine mdq
- > ```
-
- You can also grab the binaries from the latest [build-release] workflow run. You must be logged into GitHub to do
- that (this is GitHub's limitation, not mine). You'll have to `chmod +x` them before you can run them.
+ - Macs quarantine downloads from the internet by default. If you get an error saying that Apple cannot check the the binary for malicious software, you can remove this flag by running the following on the binary after extracting it from the artifact zip:
+ ```bash
+ xattr -d com.apple.quarantine mdq
+ ```
+ - You can also grab the binaries from the latest [build-release] workflow run. You must be logged into GitHub to do
+ that (this is GitHub's limitation, not mine). You'll have to `chmod +x` them before you can run them.
Security concerns