Signing AAX plugins on CI/CD service (GitHub Actions/Azure Pipelines etc.)

Is it even possible?

Or should we resign ourselves to the fact that we will need a dedicated build server with an iLok connected?

AFAIK the only option for CI/CD is to use a self-hosted runner. I’ve done this with GitLab in the past and it wasn’t too painful, but still quite a bit more overhead than using the cloud-hosted alternatives.

I’d also love to know if anyone has found any other options.

PACE allows cloud-signing for their paying customers only (Similar to how you can open Pro Tools with a cloud license and without iLok). I had it working on Azure Devops hosted VS2019 machines with a trial version from their side. But they don’t support that for the AAX signing plan, unfortunately. Hopefully they will revise that decision at some point because the full version from PACE is quite expensive.

Any news on this before I shell out cash for a stupid iLok? I was really hoping for a modern build pipeline in the cloud…

I doubt anyone from Avid is here paying attention, but one idea would be to just forget about AAX support. If they see more and more developers abandoning the platform because it’s a painful experience they might just do something about it.

In my day job we’ve decided to ditch AAX support for an upcoming product, because we want the nice modern build pipeline, and analytics suggest that AAX usage is almost nil amongst our target audience, therefore makes a lot more sense to have a painless developer experience at the expense of ProTools users.

I wish we could forget unfortunately the target of our new product is in the semi-pro to pro range and we’re getting roped into doing it, hence my little outburst of frustration above.

I could really rant endlessly all day on the subject but of course that won’t really accomplish anything… so I’ll keep THINKING those rants instead…

Is there any news?
We are a team dispersed in different countries, so a hosted build service is our best bet.

We would like to add AAX to our offerings, so is there a way to run the eden signing on github actions? I have enough iLoks here from past ADCs, so this is not a problem and I am already enrolled in the AVID 3rd party program (and therefore with pace as well).

Any news is highly appreciated.

Contact sales@paceap.com and ask about their Cloud Signing for AAX service.

You can also subscribe to the JUCE YouTube channel to be notified when we publish the video of the following talk from ADC 2020:

Awesome, thank you @t0m!

I really wish PACE wouldn’t be so blinking opaque. Their website gives the same advice as Tom (email sales@…), and links to this article from the same company that did the ADC talk also mentioned. So looks like it’s totally possible, let’s just hope they don’t charge an arm and a leg for the privilege!

It’s very not fun to setup – but my general experience was basically:

Really painful:

• Bundle all the installers into your repo
• Install them via bash scripts (easy on Mac, a pain on windows with their installer software which has a bunch of hoops to get this working)

Quite nice once setup:

• Open cloud session
• Sign

They will charge you for the cloud signing access, and you still will need an iLok for your local machine to get setup (at least I did when I set this up initially)

WHAT THEY COULD DO:

CREATE A FREAKING BASH SCRIPT WHICH WE CAN CURL & CALL FROM COMMAND LINE

J

Having to download and install software is killer on GitHub Actions where you need to pay for time by the minute (10x on macOS, 2x on Windows) and pay for Github LFS data by the byte.

I have my own build machines running with iLoks and the software installed. I assume it would be a TOS violation to offer AAX signing as a service? Provide an API where you can upload your key and binary and it gets returned signed?

I have plans to build this for myself, so builds can run on GitHub Actions and then only one step in the process needs a local machine, which should be pretty quick.

Yeah this is true – for certain projects it’s really easy and cheap to do self hosted runners on google cloud, it only takes about 30 minutes to setup and costs like $10/mo – downside for plugins though is we actually need all these Mac + Win environments, overall though – it’s definitely cost saving to not have to set that stuff up, it took me weeks to figure out, but maybe I’m a knucklehead

btw I’d pay for that @g-mon

Failing the use of the cloud signing, you can register runners with GitHub actions and only do the signing on the runners. It wouldn’t be that crazy. Additionally if you have a powerful enough machine you can run up multiple VM’s each instance attached to it’s own unique iLok (I suggest a decent powered hub for this) and register all of them as runners. This has the advantage that you can do signing in parallel if you need to and you can easily reset the image back to some known state if something goes wrong.

That seems to be the route of choice.
I will install a self hosted runner with the dongle attached. I had the same experience like @RolandMR, the factor 10 build minutes add up way too quickly.
I would have loved to use my new mac Mini for the runner, but at this point GH requires Intel for the runner. I guess this will change in the next months, they have a reminder online they will switch to macOS 11 soon…

You can run the runner under Rosetta, but then in your build script, escape Rosetta and run natively with arch -arm64 ./build.sh

Nice one, thanks @RolandMR! Suddenly I find myself much deeper in dev-ops than I wished

or you could use CMake and add a custom target that executes your signing script with its OSX_ARCHITECTURES property set to arm64

Sorry for the necro, just curious if anybody has tried the Cloud 2 Cloud signing that Pace seems to offer now, looking at the “docs” this should make signing AAX builds on shared runners possible.