name: Deployment run-name: ${{ inputs.tag_name }} / go ${{ inputs.go_version }} concurrency: group: ${{ github.workflow }}-${{ github.ref_name }} cancel-in-progress: true permissions: contents: write on: workflow_dispatch: inputs: tag_name: required: true type: string go_version: default: "1.21" type: string jobs: windows: runs-on: windows-latest environment: production steps: - name: Checkout uses: actions/checkout@v4 - name: Set up Go uses: actions/setup-go@v4 with: go-version: ${{ inputs.go_version }} - name: Install GoReleaser uses: goreleaser/goreleaser-action@v5 with: version: "~1.17.1" install-only: true - name: Install Azure Code Signing Client shell: pwsh env: ACS_DIR: ${{ runner.temp }}\acs ACS_ZIP: ${{ runner.temp }}\acs.zip CORRELATION_ID: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }} METADATA_PATH: ${{ runner.temp }}\acs\metadata.json run: | Invoke-WebRequest -Uri https://www.nuget.org/api/v2/package/Azure.CodeSigning.Client/1.0.38 -OutFile $Env:ACS_ZIP -Verbose Expand-Archive $Env:ACS_ZIP -Destination $Env:ACS_DIR -Force -Verbose # Generate metadata file for signtool @{ CertificateProfileName = "GitHubInc" CodeSigningAccountName = "GitHubInc" CorrelationId = $Env:CORRELATION_ID Endpoint = "https://wus.codesigning.azure.net/" } | ConvertTo-Json | Out-File -FilePath $Env:METADATA_PATH # Azure Code Signing leverages the environment variables for secrets that complement the metadata.json # file generated above (AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID) # For more information, see https://learn.microsoft.com/en-us/dotnet/api/azure.identity.defaultazurecredential?view=azure-dotnet - name: Build release binaries shell: bash env: AZURE_CLIENT_ID: ${{ secrets.SPN_GITHUB_CLI_SIGNING_CLIENT_ID }} AZURE_CLIENT_SECRET: ${{ secrets.SPN_GITHUB_CLI_SIGNING }} AZURE_TENANT_ID: ${{ secrets.SPN_GITHUB_CLI_SIGNING_TENANT_ID }} DLIB_PATH: ${{ runner.temp }}\acs\bin\x64\Azure.CodeSigning.Dlib.dll METADATA_PATH: ${{ runner.temp }}\acs\metadata.json TAG_NAME: ${{ inputs.tag_name }} run: script/release-hsm --local "$TAG_NAME" --platform windows --config .goreleaser-hsm.yml - name: Set up MSBuild id: setupmsbuild uses: microsoft/setup-msbuild@v1.3.1 - name: Build MSI shell: bash env: MSBUILD_PATH: ${{ steps.setupmsbuild.outputs.msbuildPath }} run: | for ZIP_FILE in dist/gh_*_windows_*.zip; do MSI_NAME="$(basename "$ZIP_FILE" ".zip")" MSI_VERSION="$(cut -d_ -f2 <<<"$MSI_NAME" | cut -d- -f1)" case "$MSI_NAME" in *_386 ) source_dir="$PWD/dist/windows_windows_386" platform="x86" ;; *_amd64 ) source_dir="$PWD/dist/windows_windows_amd64_v1" platform="x64" ;; *_arm64 ) echo "skipping building MSI for arm64 because WiX 3.11 doesn't support it: https://github.com/wixtoolset/issues/issues/6141" >&2 continue #source_dir="$PWD/dist/windows_windows_arm64" #platform="arm64" ;; * ) printf "unsupported architecture: %s\n" "$MSI_NAME" >&2 exit 1 ;; esac "${MSBUILD_PATH}\MSBuild.exe" ./build/windows/gh.wixproj -p:SourceDir="$source_dir" -p:OutputPath="$PWD/dist" -p:OutputName="$MSI_NAME" -p:ProductVersion="${MSI_VERSION#v}" -p:Platform="$platform" done - name: Sign .msi release binaries uses: azure/azure-code-signing-action@6c86237186b7eed50c9e8a3a6e42131bcc5e4601 with: azure-tenant-id: ${{ secrets.SPN_GITHUB_CLI_SIGNING_TENANT_ID }} azure-client-id: ${{ secrets.SPN_GITHUB_CLI_SIGNING_CLIENT_ID }} azure-client-secret: ${{ secrets.SPN_GITHUB_CLI_SIGNING }} endpoint: https://wus.codesigning.azure.net/ code-signing-account-name: GitHubInc certificate-profile-name: GitHubInc files-folder: ${{ github.workspace }}/dist files-folder-filter: msi file-digest: SHA256 timestamp-rfc3161: http://timestamp.acs.microsoft.com timestamp-digest: SHA256 - uses: actions/upload-artifact@v3 with: name: windows if-no-files-found: error retention-days: 7 path: | dist/*.zip dist/*.msi