This update leverages GitHub Desktop's approach of downloading the Azure Code Signing DLL and wiring it up as part of the existing signing process used by Windows builds.
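# Windows release workflow: builds the Go binaries and MSI installers for a
# tag and signs them with Azure Code Signing (ACS).
name: Deployment
run-name: ${{ inputs.tag_name }} / go ${{ inputs.go_version }}

# Only one deployment per ref at a time; a newer dispatch cancels the older run.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref_name }}
  cancel-in-progress: true

# Least privilege for the job token: it only needs to write repository contents.
permissions:
  contents: write

# `on` is read as a boolean key by YAML 1.1 parsers; GitHub's loader handles it.
on:
  workflow_dispatch:
    inputs:
      tag_name:
        required: true
        type: string
      go_version:
        # Quoted so the version is not parsed as the float 1.21.
        default: "1.21"
        type: string

jobs:
  windows:
    runs-on: windows-latest
    # Secrets used below are scoped to the `production` environment, so any
    # protection rules configured on that environment gate this job.
    environment: production
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set up Go
        uses: actions/setup-go@v4
        with:
          go-version: ${{ inputs.go_version }}

      - name: Install GoReleaser
        uses: goreleaser/goreleaser-action@v5
        with:
          version: "~1.17.1"
          install-only: true

      # Fetches the ACS client package (pinned to 1.0.38) and prepares the
      # signtool + metadata file that the release script uses for signing.
      - name: Install Azure Code Signing Client
        shell: pwsh
        env:
          ACS_DIR: ${{ runner.temp }}\acs
          ACS_ZIP: ${{ runner.temp }}\acs.zip
          # Links each signature back to the workflow run that produced it.
          CORRELATION_ID: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
          METADATA_PATH: ${{ runner.temp }}\acs\metadata.json
        run: |
          # NOTE(review): the package is version-pinned but its contents are not
          # integrity-checked before extraction. Consider comparing
          # (Get-FileHash $Env:ACS_ZIP -Algorithm SHA256).Hash against a known
          # digest (<expected-sha256-placeholder>) recorded in the repo.
          Invoke-WebRequest -Uri https://www.nuget.org/api/v2/package/Azure.CodeSigning.Client/1.0.38 -OutFile $Env:ACS_ZIP -Verbose
          # Fixed: the archive path and destination come from the step env;
          # `$acsZip` was never assigned and the stray `acsDir` argument made
          # Expand-Archive fail on an unbound positional parameter.
          Expand-Archive $Env:ACS_ZIP -Destination $Env:ACS_DIR -Force -Verbose

          # Replace ancient signtool in scripts with one that supports ACS
          # (path is tied to the Windows Kit version present on the runner image).
          Copy-Item -Path "C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\*" -Include signtool.exe,signtool.exe.manifest,Microsoft.Windows.Build.Signing.mssign32.dll.manifest,mssign32.dll,Microsoft.Windows.Build.Signing.wintrust.dll.manifest,wintrust.dll,Microsoft.Windows.Build.Appx.AppxSip.dll.manifest,AppxSip.dll,Microsoft.Windows.Build.Appx.AppxPackaging.dll.manifest,AppxPackaging.dll,Microsoft.Windows.Build.Appx.OpcServices.dll.manifest,OpcServices.dll -Destination scripts -Verbose

          # Generate metadata file for signtool
          @{
            CertificateProfileName = "GitHubInc"
            CodeSigningAccountName = "GitHubInc"
            CorrelationId = $Env:CORRELATION_ID
            Description = "GitHub CLI"
            # Fixed: the string literal was missing its closing quote.
            Endpoint = "https://wus.codesigning.azure.net/"

            # Unused metadata configuration:
            # AppendSignature
            # DescriptionUrl
            # EnhancedKeyUsage
            # ExcludeAzureCliCredential
            # ExcludeAzurePowerShellCredential
            # ExcludeEnvironmentCredential
            # ExcludeInteractiveBrowserCredential
            # ExcludeManagedIdentityCredential
            # ExcludeSharedTokenCacheCredential
            # ExcludeVisualStudioCodeCredential
            # ExcludeVisualStudioCredential
            # FileDigest
            # FilesCatalog
            # FilesFolder
            # FilesFolderDepth
            # FilesFolderFilter
            # FilesFolderRecurse
            # GenerateDigestPath
            # GenerateDigestXml
            # GeneratePageHashes
            # GeneratePkcs7
            # IngestDigestPath
            # Pkcs7Oid
            # Pkcs7Options
            # SignDigest
            # SuppressPageHashes
            # Timeout
            # TimestampDigest
            # TimestampRfc3161
          } | ConvertTo-Json | Out-File -FilePath $Env:METADATA_PATH

      - name: Build release binaries
        shell: bash
        env:
          # Path to the ACS signing DLL inside the extracted package; mixed
          # `\` and `/` separators are tolerated on Windows.
          DLIB_PATH: ${{ runner.temp }}\acs\bin/x64/Azure.CodeSigning.Dlib.dll
          METADATA_PATH: ${{ runner.temp }}\acs\metadata.json
          TAG_NAME: ${{ inputs.tag_name }}
        run: script/release-hsm --local "$TAG_NAME" --platform windows --config .goreleaser-hsm.yml

      - name: Set up MSBuild
        id: setupmsbuild
        uses: microsoft/setup-msbuild@v1.3.1

      # Builds one MSI per supported Windows zip produced by GoReleaser.
      - name: Build MSI
        shell: bash
        env:
          MSBUILD_PATH: ${{ steps.setupmsbuild.outputs.msbuildPath }}
        run: |
          for ZIP_FILE in dist/gh_*_windows_*.zip; do
            MSI_NAME="$(basename "$ZIP_FILE" ".zip")"
            # gh_<version>_windows_<arch> -> <version>, then drop any -suffix.
            MSI_VERSION="$(cut -d_ -f2 <<<"$MSI_NAME" | cut -d- -f1)"
            case "$MSI_NAME" in
            *_386 )
              source_dir="$PWD/dist/windows_windows_386"
              platform="x86"
              ;;
            *_amd64 )
              source_dir="$PWD/dist/windows_windows_amd64_v1"
              platform="x64"
              ;;
            *_arm64 )
              echo "skipping building MSI for arm64 because WiX 3.11 doesn't support it: https://github.com/wixtoolset/issues/issues/6141" >&2
              continue
              #source_dir="$PWD/dist/windows_windows_arm64"
              #platform="arm64"
              ;;
            * )
              printf "unsupported architecture: %s\n" "$MSI_NAME" >&2
              exit 1
              ;;
            esac
            "${MSBUILD_PATH}\MSBuild.exe" ./build/windows/gh.wixproj -p:SourceDir="$source_dir" -p:OutputPath="$PWD/dist" -p:OutputName="$MSI_NAME" -p:ProductVersion="${MSI_VERSION#v}" -p:Platform="$platform"
          done

      # Signs only the .msi files in dist/ (files-folder-filter). The action is
      # pinned by commit SHA rather than a mutable tag; keep it that way.
      - name: Sign .msi release binaries
        uses: azure/azure-code-signing-action@6c86237186b7eed50c9e8a3a6e42131bcc5e4601
        with:
          azure-tenant-id: ${{ secrets.SPN_SPN_AZURE_CODE_SIGNING_DEMO_TENANT_ID }}
          azure-client-id: ${{ secrets.SPN_SPN_AZURE_CODE_SIGNING_DEMO_CLIENT_ID }}
          azure-client-secret: ${{ secrets.SPN_SPN_AZURE_CODE_SIGNING_DEMO }}
          endpoint: https://wus.codesigning.azure.net/
          code-signing-account-name: GitHubInc
          certificate-profile-name: GitHubInc
          files-folder: ${{ github.workspace }}/dist
          files-folder-filter: msi
          file-digest: SHA256
          timestamp-rfc3161: http://timestamp.acs.microsoft.com
          timestamp-digest: SHA256

      - uses: actions/upload-artifact@v3
        with:
          name: windows
          # Fail loudly if the build produced nothing to upload.
          if-no-files-found: error
          retention-days: 7
          path: |
            dist/*.zip
            dist/*.msi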