Before, we were unintentionally not signing for pushes, and only
signing for PRs.
We definitely *do* want to sign for pushes
(such as to the `master` branch), so that Rolling releases get signed,
but we probably don't need (and probably don't want?) to sign for PRs.
(Regardless of whether from a fork or not.)
So, this commit essentially reverses the situation from before:
- DO sign for branch pushes. (Note: the workflow currently only
  triggers for `master` branch pushes.)
- DON'T sign for any other events, such as for Pull Requests.
(This change is for GitHub Actions only, as the Cirrus config was
already set up in a very particular way during the migration of most
binary builds to GitHub Actions, which was quite recent,
and doesn't need any changes at this time.)
Background and context for this commit...
Not sure why exactly, but our GitHub Actions workflow is producing
*signed* macOS binaries that pass spctl "acceptance" on the CLI, and
various other signing/notarization checks on the CLI, such as stapler,
but nevertheless warn they can't be verified when opening the signed
Pulsar.app in Finder or using `open` on the CLI, and so on.
Through investigating what changes we can make to better match the
Cirrus environment, which has been producing signed binaries that open
just fine without the warning for months now, we have tried many things.
Eventually, disabling actions/setup-node and actions/setup-python was
tried, which incidentally got us Python 3.11 instead of our manually
pinned older Python 3.10. That worked, the signed binaries open as
they should, sans verification warning.
Further narrowing it down resulted in: any way we get Python other
than 3.10 from actions/setup-python seems to be working.
Given that, this commit starts using Python 3.11 in GitHub Actions,
to fix the "macOS is signed but is still not making Gatekeeper happy"
situation we have been having with GitHub Actions.
Includes a lot of decaf work from multiple contributors,
a dependency bump, a small code refactor, a Windows postinstall fix,
and switching to our fork of npm 6 that includes node-gyp 9.x.
CoffeeScript function calls are prefixed with an @, which is the same syntax that jsdoc uses for parsing - which meant that it thought the example was empty.
Cirrus: Don't update last good commit if CI skipped
Makes it so Cirrus Rolling doesn't skip, so we actually have
Rolling binaries/releases for ARM Linux + Apple Silicon again!
For builds that are effectively skipped, since their tasks are all
skipped or not scheduled in the first place, we shouldn't update
CIRRUS_LAST_GREEN_CHANGE.
Unfortunately, Cirrus *does* update that for builds with no or
all-skipped tasks, for now. They may fix it in the future; we have a
feature request open for it. But for now, this is the workaround.
Previously, we threw an error when a scope adjustment violated its bounds constraints, but that's a bit disruptive for everyday use. Instead, we throw an error in dev mode (so that the grammar's author doesn't fail to notice the problem), but downgrade it to a warning outside of dev mode so that it's recoverable.
There's a chance that the warning will be _too_ subtle, but we'll give it a shot.
We also include more diagnostic information so that it's clearer exactly _where_ the violation is happening.