Merge pull request #8421 from cli/andyfeller/213-windows-hsm-signing-testing
Create HSM testing workflow
This commit is contained in:
Andy Feller
GitHub
commit
f0f09bda57
4 changed files with 355 additions and 0 deletions
123
.github/workflows/deployment-hsm-testing.yml
vendored
Normal file
123
.github/workflows/deployment-hsm-testing.yml
vendored
Normal file
|
|
@ -0,0 +1,123 @@
|
|||
name: Deployment
|
||||
run-name: ${{ inputs.tag_name }} / go ${{ inputs.go_version }}
|
||||
|
||||
concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.ref_name }}
|
||||
cancel-in-progress: true
|
||||
|
||||
permissions:
|
||||
contents: write
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
inputs:
|
||||
tag_name:
|
||||
required: true
|
||||
type: string
|
||||
go_version:
|
||||
default: "1.21"
|
||||
type: string
|
||||
|
||||
jobs:
|
||||
windows:
|
||||
runs-on: windows-latest
|
||||
environment: production
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
- name: Set up Go
|
||||
uses: actions/setup-go@v4
|
||||
with:
|
||||
go-version: ${{ inputs.go_version }}
|
||||
- name: Install GoReleaser
|
||||
uses: goreleaser/goreleaser-action@v5
|
||||
with:
|
||||
version: "~1.17.1"
|
||||
install-only: true
|
||||
- name: Install Azure Code Signing Client
|
||||
shell: pwsh
|
||||
env:
|
||||
ACS_DIR: ${{ runner.temp }}\acs
|
||||
ACS_ZIP: ${{ runner.temp }}\acs.zip
|
||||
CORRELATION_ID: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
|
||||
METADATA_PATH: ${{ runner.temp }}\acs\metadata.json
|
||||
run: |
|
||||
Invoke-WebRequest -Uri https://www.nuget.org/api/v2/package/Azure.CodeSigning.Client/1.0.38 -OutFile $Env:ACS_ZIP -Verbose
|
||||
Expand-Archive $Env:ACS_ZIP -Destination $Env:ACS_DIR -Force -Verbose
|
||||
|
||||
# Generate metadata file for signtool
|
||||
@{
|
||||
CertificateProfileName = "GitHubInc"
|
||||
CodeSigningAccountName = "GitHubInc"
|
||||
CorrelationId = $Env:CORRELATION_ID
|
||||
Endpoint = "https://wus.codesigning.azure.net/"
|
||||
} | ConvertTo-Json | Out-File -FilePath $Env:METADATA_PATH
|
||||
|
||||
# Azure Code Signing leverages the environment variables for secrets that complement the metadata.json
|
||||
# file generated above (AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID)
|
||||
# For more information, see https://learn.microsoft.com/en-us/dotnet/api/azure.identity.defaultazurecredential?view=azure-dotnet
|
||||
- name: Build release binaries
|
||||
shell: bash
|
||||
env:
|
||||
AZURE_CLIENT_ID: ${{ secrets.SPN_GITHUB_CLI_SIGNING_CLIENT_ID }}
|
||||
AZURE_CLIENT_SECRET: ${{ secrets.SPN_GITHUB_CLI_SIGNING }}
|
||||
AZURE_TENANT_ID: ${{ secrets.SPN_GITHUB_CLI_SIGNING_TENANT_ID }}
|
||||
DLIB_PATH: ${{ runner.temp }}\acs\bin\x64\Azure.CodeSigning.Dlib.dll
|
||||
METADATA_PATH: ${{ runner.temp }}\acs\metadata.json
|
||||
TAG_NAME: ${{ inputs.tag_name }}
|
||||
run: script/release-hsm --local "$TAG_NAME" --platform windows --config .goreleaser-hsm.yml
|
||||
- name: Set up MSBuild
|
||||
id: setupmsbuild
|
||||
uses: microsoft/setup-msbuild@v1.3.1
|
||||
- name: Build MSI
|
||||
shell: bash
|
||||
env:
|
||||
MSBUILD_PATH: ${{ steps.setupmsbuild.outputs.msbuildPath }}
|
||||
run: |
|
||||
for ZIP_FILE in dist/gh_*_windows_*.zip; do
|
||||
MSI_NAME="$(basename "$ZIP_FILE" ".zip")"
|
||||
MSI_VERSION="$(cut -d_ -f2 <<<"$MSI_NAME" | cut -d- -f1)"
|
||||
case "$MSI_NAME" in
|
||||
*_386 )
|
||||
source_dir="$PWD/dist/windows_windows_386"
|
||||
platform="x86"
|
||||
;;
|
||||
*_amd64 )
|
||||
source_dir="$PWD/dist/windows_windows_amd64_v1"
|
||||
platform="x64"
|
||||
;;
|
||||
*_arm64 )
|
||||
echo "skipping building MSI for arm64 because WiX 3.11 doesn't support it: https://github.com/wixtoolset/issues/issues/6141" >&2
|
||||
continue
|
||||
#source_dir="$PWD/dist/windows_windows_arm64"
|
||||
#platform="arm64"
|
||||
;;
|
||||
* )
|
||||
printf "unsupported architecture: %s\n" "$MSI_NAME" >&2
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
"${MSBUILD_PATH}\MSBuild.exe" ./build/windows/gh.wixproj -p:SourceDir="$source_dir" -p:OutputPath="$PWD/dist" -p:OutputName="$MSI_NAME" -p:ProductVersion="${MSI_VERSION#v}" -p:Platform="$platform"
|
||||
done
|
||||
- name: Sign .msi release binaries
|
||||
uses: azure/azure-code-signing-action@6c86237186b7eed50c9e8a3a6e42131bcc5e4601
|
||||
with:
|
||||
azure-tenant-id: ${{ secrets.SPN_GITHUB_CLI_SIGNING_TENANT_ID }}
|
||||
azure-client-id: ${{ secrets.SPN_GITHUB_CLI_SIGNING_CLIENT_ID }}
|
||||
azure-client-secret: ${{ secrets.SPN_GITHUB_CLI_SIGNING }}
|
||||
endpoint: https://wus.codesigning.azure.net/
|
||||
code-signing-account-name: GitHubInc
|
||||
certificate-profile-name: GitHubInc
|
||||
files-folder: ${{ github.workspace }}/dist
|
||||
files-folder-filter: msi
|
||||
file-digest: SHA256
|
||||
timestamp-rfc3161: http://timestamp.acs.microsoft.com
|
||||
timestamp-digest: SHA256
|
||||
- uses: actions/upload-artifact@v3
|
||||
with:
|
||||
name: windows
|
||||
if-no-files-found: error
|
||||
retention-days: 7
|
||||
path: |
|
||||
dist/*.zip
|
||||
dist/*.msi
|
||||
Loading…
Add table
Add a link
Reference in a new issue