Update deployment workflow for final HSM solution

This applies the changes from the separate Windows HSM signing prototype development to the official deployment workflow including: 1. Use of Azure Code Signing client 2. Sourcing signtool.exe from runner 3. Moving from batch to PowerShell for Windows signing script 4. Using the same signing process for .exe and .msi
2023-12-14 13:15:38 -05:00 · 2023-12-14 13:15:38 -05:00 · 5ecdf166fb
commit 5ecdf166fb
parent 441beb9de3
8 changed files with 38 additions and 376 deletions
--- a/.github/workflows/deployment-hsm-testing.yml
+++ b/.github/workflows/deployment-hsm-testing.yml
@ -1,122 +0,0 @@
-name: Deployment HSM Testing
-run-name: ${{ inputs.tag_name }} / go ${{ inputs.go_version }}
-
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref_name }}
-  cancel-in-progress: true
-
-permissions:
-  contents: write
-
-on:
-  workflow_dispatch:
-    inputs:
-      tag_name:
-        required: true
-        type: string
-      go_version:
-        default: "1.21"
-        type: string
-
-jobs:
-  windows:
-    runs-on: windows-latest
-    environment: production
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-      - name: Set up Go
-        uses: actions/setup-go@v4
-        with:
-          go-version: ${{ inputs.go_version }}
-      - name: Install GoReleaser
-        uses: goreleaser/goreleaser-action@v5
-        with:
-          version: "~1.17.1"
-          install-only: true
-      - name: Install Azure Code Signing Client
-        shell: pwsh
-        env:
-          ACS_DIR: ${{ runner.temp }}\acs
-          ACS_ZIP: ${{ runner.temp }}\acs.zip
-          CORRELATION_ID: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
-          METADATA_PATH: ${{ runner.temp }}\acs\metadata.json
-        run: |
-          # Download Azure Code Signing client containing the DLL needed for signtool in script/sign
-          Invoke-WebRequest -Uri https://www.nuget.org/api/v2/package/Azure.CodeSigning.Client/1.0.38 -OutFile $Env:ACS_ZIP -Verbose
-          Expand-Archive $Env:ACS_ZIP -Destination $Env:ACS_DIR -Force -Verbose
-
-          # Generate metadata file for signtool, used in signing box .exe and .msi
-          @{
-            CertificateProfileName = "GitHubInc"
-            CodeSigningAccountName = "GitHubInc"
-            CorrelationId = $Env:CORRELATION_ID
-            Endpoint =  "https://wus.codesigning.azure.net/"
-          } | ConvertTo-Json | Out-File -FilePath $Env:METADATA_PATH
-
-      # Azure Code Signing leverages the environment variables for secrets that complement the metadata.json
-      # file generated above (AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID)
-      # For more information, see https://learn.microsoft.com/en-us/dotnet/api/azure.identity.defaultazurecredential?view=azure-dotnet
-      - name: Build release binaries
-        shell: bash
-        env:
-          AZURE_CLIENT_ID: ${{ secrets.SPN_GITHUB_CLI_SIGNING_CLIENT_ID }}
-          AZURE_CLIENT_SECRET: ${{ secrets.SPN_GITHUB_CLI_SIGNING }}
-          AZURE_TENANT_ID: ${{ secrets.SPN_GITHUB_CLI_SIGNING_TENANT_ID }}
-          DLIB_PATH: ${{ runner.temp }}\acs\bin\x64\Azure.CodeSigning.Dlib.dll
-          METADATA_PATH: ${{ runner.temp }}\acs\metadata.json
-          TAG_NAME: ${{ inputs.tag_name }}
-        run: script/release-hsm --local "$TAG_NAME" --platform windows --config .goreleaser-hsm.yml
-      - name: Set up MSBuild
-        id: setupmsbuild
-        uses: microsoft/setup-msbuild@v1.3.1
-      - name: Build MSI
-        shell: bash
-        env:
-          MSBUILD_PATH: ${{ steps.setupmsbuild.outputs.msbuildPath }}
-        run: |
-          for ZIP_FILE in dist/gh_*_windows_*.zip; do
-            MSI_NAME="$(basename "$ZIP_FILE" ".zip")"
-            MSI_VERSION="$(cut -d_ -f2 <<<"$MSI_NAME" | cut -d- -f1)"
-            case "$MSI_NAME" in
-            *_386 )
-              source_dir="$PWD/dist/windows_windows_386"
-              platform="x86"
-              ;;
-            *_amd64 )
-              source_dir="$PWD/dist/windows_windows_amd64_v1"
-              platform="x64"
-              ;;
-            *_arm64 )
-              echo "skipping building MSI for arm64 because WiX 3.11 doesn't support it: https://github.com/wixtoolset/issues/issues/6141" >&2
-              continue
-              #source_dir="$PWD/dist/windows_windows_arm64"
-              #platform="arm64"
-              ;;
-            * )
-              printf "unsupported architecture: %s\n" "$MSI_NAME" >&2
-              exit 1
-              ;;
-            esac
-            "${MSBUILD_PATH}\MSBuild.exe" ./build/windows/gh.wixproj -p:SourceDir="$source_dir" -p:OutputPath="$PWD/dist" -p:OutputName="$MSI_NAME" -p:ProductVersion="${MSI_VERSION#v}" -p:Platform="$platform"
-          done
-      - name: Sign .msi release binaries
-        shell: pwsh
-        env:
-          AZURE_CLIENT_ID: ${{ secrets.SPN_GITHUB_CLI_SIGNING_CLIENT_ID }}
-          AZURE_CLIENT_SECRET: ${{ secrets.SPN_GITHUB_CLI_SIGNING }}
-          AZURE_TENANT_ID: ${{ secrets.SPN_GITHUB_CLI_SIGNING_TENANT_ID }}
-          DLIB_PATH: ${{ runner.temp }}\acs\bin\x64\Azure.CodeSigning.Dlib.dll
-          METADATA_PATH: ${{ runner.temp }}\acs\metadata.json
-        run: |
-          Get-ChildItem "$Env:GITHUB_WORKSPACE/dist" -Filter *.msi | Foreach-Object {
-            .\script\sign.ps1 $_.FullName
-          }
-      - uses: actions/upload-artifact@v3
-        with:
-          name: windows
-          if-no-files-found: error
-          retention-days: 7
-          path: |
-            dist/*.zip
-            dist/*.msi
--- a/.github/workflows/deployment.yml
+++ b/.github/workflows/deployment.yml
@ -1,4 +1,5 @@
 name: Deployment
+run-name: ${{ inputs.tag_name }} / go ${{ inputs.go_version }} / ${{ inputs.environment }}

 concurrency:
  group: ${{ github.workflow }}-${{ github.ref_name }}
@ -130,26 +131,43 @@ jobs:
        uses: actions/setup-go@v5
        with:
          go-version: ${{ inputs.go_version }}
-      - name: Obtain signing certificate
-        id: obtain_cert
-        if: inputs.environment == 'production'
-        shell: bash
-        run: |
-          base64 -d <<<"$CERT_CONTENTS" > ./cert.pfx
-          printf "cert-file=%s\n" ".\\cert.pfx" >> $GITHUB_OUTPUT
-        env:
-          CERT_CONTENTS: ${{ secrets.WINDOWS_CERT_PFX }}
      - name: Install GoReleaser
        uses: goreleaser/goreleaser-action@v5
        with:
          version: "~1.17.1"
          install-only: true
+      - name: Install Azure Code Signing Client
+        shell: pwsh
+        env:
+          ACS_DIR: ${{ runner.temp }}\acs
+          ACS_ZIP: ${{ runner.temp }}\acs.zip
+          CORRELATION_ID: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+          METADATA_PATH: ${{ runner.temp }}\acs\metadata.json
+        run: |
+          # Download Azure Code Signing client containing the DLL needed for signtool in script/sign
+          Invoke-WebRequest -Uri https://www.nuget.org/api/v2/package/Azure.CodeSigning.Client/1.0.43 -OutFile $Env:ACS_ZIP -Verbose
+          Expand-Archive $Env:ACS_ZIP -Destination $Env:ACS_DIR -Force -Verbose
+
+          # Generate metadata file for signtool, used in signing box .exe and .msi
+          @{
+            CertificateProfileName = "GitHubInc"
+            CodeSigningAccountName = "GitHubInc"
+            CorrelationId = $Env:CORRELATION_ID
+            Endpoint =  "https://wus.codesigning.azure.net/"
+          } | ConvertTo-Json | Out-File -FilePath $Env:METADATA_PATH
+
+      # Azure Code Signing leverages the environment variables for secrets that complement the metadata.json
+      # file generated above (AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID)
+      # For more information, see https://learn.microsoft.com/en-us/dotnet/api/azure.identity.defaultazurecredential?view=azure-dotnet
      - name: Build release binaries
        shell: bash
        env:
+          AZURE_CLIENT_ID: ${{ secrets.SPN_GITHUB_CLI_SIGNING_CLIENT_ID }}
+          AZURE_CLIENT_SECRET: ${{ secrets.SPN_GITHUB_CLI_SIGNING }}
+          AZURE_TENANT_ID: ${{ secrets.SPN_GITHUB_CLI_SIGNING_TENANT_ID }}
+          DLIB_PATH: ${{ runner.temp }}\acs\bin\x64\Azure.CodeSigning.Dlib.dll
+          METADATA_PATH: ${{ runner.temp }}\acs\metadata.json
          TAG_NAME: ${{ inputs.tag_name }}
-          CERT_FILE: ${{ steps.obtain_cert.outputs.cert-file }}
-          CERT_PASSWORD: ${{ secrets.WINDOWS_CERT_PASSWORD }}
        run: script/release --local "$TAG_NAME" --platform windows
      - name: Set up MSBuild
        id: setupmsbuild
@ -184,12 +202,18 @@ jobs:
            esac
            "${MSBUILD_PATH}\MSBuild.exe" ./build/windows/gh.wixproj -p:SourceDir="$source_dir" -p:OutputPath="$PWD/dist" -p:OutputName="$MSI_NAME" -p:ProductVersion="${MSI_VERSION#v}" -p:Platform="$platform"
          done
-      - name: Sign MSI
+      - name: Sign .msi release binaries
        if: inputs.environment == 'production'
        shell: pwsh
+        env:
+          AZURE_CLIENT_ID: ${{ secrets.SPN_GITHUB_CLI_SIGNING_CLIENT_ID }}
+          AZURE_CLIENT_SECRET: ${{ secrets.SPN_GITHUB_CLI_SIGNING }}
+          AZURE_TENANT_ID: ${{ secrets.SPN_GITHUB_CLI_SIGNING_TENANT_ID }}
+          DLIB_PATH: ${{ runner.temp }}\acs\bin\x64\Azure.CodeSigning.Dlib.dll
+          METADATA_PATH: ${{ runner.temp }}\acs\metadata.json
        run: |
          Get-ChildItem -Path .\dist -Filter *.msi | ForEach-Object {
-              .\script\sign $_.FullName
+            .\script\sign.ps1 $_.FullName
          }
        env:
          CERT_FILE: ${{ steps.obtain_cert.outputs.cert-file }}