From ab347773cab72fb955e8bfb5751b928779c3680e Mon Sep 17 00:00:00 2001 From: Dorin Geman Date: Thu, 9 Jul 2026 15:38:39 +0300 Subject: [PATCH] ci(dmr): sign/notarize via internal repo and publish a Homebrew cask MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit model-runner is public and can't use Docker's private signing action, so release-dmr.yml now only builds the (unsigned) archives, creates the release, and publishes WinGet — then auto-triggers release-dmr.yml in the internal docker/inference-engine-llama.cpp repo (which holds the signing credentials) to sign+notarize the macOS/Windows binaries, re-upload them to this release, and open the Homebrew cask PR. - Drop the unsigned Homebrew *formula* publish (replaced by a signed *cask* generated from the internal repo). - Add a trigger-signing job that dispatches the internal workflow with the tag (needs DMR_SIGN_TRIGGER_TOKEN: Actions:write on the internal repo). - Update packaging/README to document the two-repo, two-step flow. Signed-off-by: Dorin Geman --- .github/workflows/release-dmr.yml | 103 ++++++++++-------------------- packaging/README.md | 44 +++++++++---- 2 files changed, 65 insertions(+), 82 deletions(-) diff --git a/.github/workflows/release-dmr.yml b/.github/workflows/release-dmr.yml index 9aedb9691..dbe6cceae 100644 --- a/.github/workflows/release-dmr.yml +++ b/.github/workflows/release-dmr.yml @@ -1,10 +1,16 @@ name: Release dmr # Builds the standalone dmr binary for macOS (arm64), Linux (amd64/arm64), -# and Windows (amd64), publishes a GitHub Release with the archives, then -# opens the corresponding Homebrew formula and WinGet manifest updates so -# `brew install docker/tap/dmr` and `winget install Docker.dmr` pick up the -# new version. +# and Windows (amd64) and publishes a GitHub Release with the (initially +# unsigned) archives. +# +# macOS/Windows code signing + notarization and the Homebrew cask update live +# in docker/inference-engine-llama.cpp's release-dmr.yml — an internal repo +# that holds the Docker code-signing credentials (this repo is public and +# cannot use them). This workflow auto-triggers it after the release is +# created; it downloads the macOS/Windows archives from this release, signs +# and notarizes them, re-uploads the signed versions here, and opens the +# Homebrew cask PR against docker/homebrew-tap. WinGet is published below. # # Triggered by pushing a tag of the form dmr-vX.Y.Z (kept distinct from the # model-runner container image release tags used by release.yml). @@ -94,77 +100,38 @@ jobs: --generate-notes \ dist/* - publish-homebrew: - name: Publish Homebrew formula + trigger-signing: + name: Trigger signing + Homebrew cask needs: release runs-on: ubuntu-latest + permissions: + contents: read steps: - - name: Compute release checksums - id: sha - run: | - set -euo pipefail - for target in darwin-arm64 linux-amd64 linux-arm64; do - curl -sL -o "${target}.tar.gz" \ - "https://github.com/${{ github.repository }}/releases/download/${TAG}/dmr-${target}.tar.gz" - sum=$(sha256sum "${target}.tar.gz" | cut -d' ' -f1) - echo "${target//-/_}=${sum}" >> "$GITHUB_OUTPUT" - done + # Cross-repo automation uses a GitHub App, never a PAT (org security + # guidance). This dedicated App has only Actions: write on + # docker/inference-engine-llama.cpp — the minimum needed to start that + # repo's signing workflow. That internal repo owns the code-signing + # credentials this public repo cannot hold; it signs the macOS/Windows + # archives, re-uploads them to this release, and opens the Homebrew cask + # PR. + - name: Mint trigger token + id: trigger-token + uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547 # v1 + with: + app-id: ${{ vars.DMR_TRIGGER_APP_ID }} + private-key: ${{ secrets.DMR_TRIGGER_APP_PRIVATE_KEY }} + owner: docker + repositories: inference-engine-llama.cpp - - name: Generate formula - run: | - set -euo pipefail - mkdir -p formula - cat > formula/dmr.rb <