chore: test signing

algorandfoundation · Jul 15, 2024 · 7fd9def · 7fd9def · github-actions · Jul 15, 2024
1 parent 8e83c76
commit 7fd9def
Show file tree

Hide file tree

Showing 2 changed files with 64 additions and 34 deletions.
diff --git a/.github/actions/build-binaries/windows/action.yaml b/.github/actions/build-binaries/windows/action.yaml
@@ -42,28 +42,43 @@ runs:
       run: |
         echo winget > ${{ env.BINARY_BUILD_DIR }}\_internal\algokit\resources\distribution-method
 
+    - name: Sign executable
+      uses: azure/[email protected]
+      with:
+        azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+        azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
+        azure-client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
+        endpoint: https://weu.codesigning.azure.net/
+        trusted-signing-account-name: "Algorand Foundation"
+        certificate-profile-name: algokit
+        files-folder: ${{ env.BINARY_BUILD_DIR }}
+        files-folder-filter: exe
+        file-digest: SHA256
+        timestamp-rfc3161: http://timestamp.acs.microsoft.com
+        timestamp-digest: SHA256
+
     # We only sign the release artifacts, as each signing request will use up the HSM quota
-    - name: Download signing certificate
-      if: ${{ inputs.production_release == 'true' }}
-      run: |
-        signing_cert="${{ runner.temp }}\code_signing_cert.pfx"
-        echo "SIGNING_CERT=${signing_cert}" >> $GITHUB_ENV
-        echo '${{ inputs.code_signing_cert }}' | base64 -d > $signing_cert
-      shell: bash
+    # - name: Download signing certificate
+    #   if: ${{ inputs.production_release == 'true' }}
+    #   run: |
+    #     signing_cert="${{ runner.temp }}\code_signing_cert.pfx"
+    #     echo "SIGNING_CERT=${signing_cert}" >> $GITHUB_ENV
+    #     echo '${{ inputs.code_signing_cert }}' | base64 -d > $signing_cert
+    #   shell: bash
 
-    - name: Import signing certificate
-      if: ${{ inputs.production_release == 'true' }}
-      shell: pwsh
-      run: |
-        Import-PfxCertificate -FilePath ${{ env.SIGNING_CERT }} -Password (ConvertTo-SecureString -String ${{ inputs.code_signing_cert_password }} -AsPlainText -Force) -CertStoreLocation Cert:\CurrentUser\My | Out-Null
+    # - name: Import signing certificate
+    #   if: ${{ inputs.production_release == 'true' }}
+    #   shell: pwsh
+    #   run: |
+    #     Import-PfxCertificate -FilePath ${{ env.SIGNING_CERT }} -Password (ConvertTo-SecureString -String ${{ inputs.code_signing_cert_password }} -AsPlainText -Force) -CertStoreLocation Cert:\CurrentUser\My | Out-Null
 
-    - name: Sign executable
-      if: ${{ inputs.production_release == 'true' }}
-      shell: pwsh
-      run: |
-        $executablePath = '${{ env.BINARY_BUILD_DIR }}\algokit.exe'
-        signtool sign /sha1 ${{ inputs.code_signing_cert_sha1_hash }} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 $executablePath
-        # signtool verify /v /pa $executablePath
+    # - name: Sign executable
+    #   if: ${{ inputs.production_release == 'true' }}
+    #   shell: pwsh
+    #   run: |
+    #     $executablePath = '${{ env.BINARY_BUILD_DIR }}\algokit.exe'
+    #     signtool sign /sha1 ${{ inputs.code_signing_cert_sha1_hash }} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 $executablePath
+    #     # signtool verify /v /pa $executablePath
 
     - name: Build winget installer
       shell: pwsh
@@ -74,19 +89,34 @@ runs:
           -outputFile '${{ env.WINGET_INSTALLER }}'
 
     - name: Sign winget installer
-      if: ${{ inputs.production_release == 'true' }}
-      shell: pwsh
-      run: |
-        signtool sign /sha1 ${{ inputs.code_signing_cert_sha1_hash }} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 ${{ env.WINGET_INSTALLER }}
-        # signtool verify /v /pa ${{ env.WINGET_INSTALLER }}
+      uses: azure/[email protected]
+      with:
+        azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+        azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
+        azure-client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
+        endpoint: https://weu.codesigning.azure.net/
+        trusted-signing-account-name: "Algorand Foundation"
+        certificate-profile-name: algokit
+        files-folder: ${{ env.WINGET_INSTALLER }}
+        files-folder-filter: msix
+        file-digest: SHA256
+        timestamp-rfc3161: http://timestamp.acs.microsoft.com
+        timestamp-digest: SHA256
 
-    - name: Remove signing certificate
-      if: ${{ inputs.production_release == 'true' }}
-      shell: pwsh
-      run: |
-        $cert = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq '${{ inputs.code_signing_cert_sha1_hash }}' }
-        Remove-Item -Path $cert.PSPath
-        Remove-Item -Path ${{ env.SIGNING_CERT }}
+    # - name: Sign winget installer
+    #   if: ${{ inputs.production_release == 'true' }}
+    #   shell: pwsh
+    #   run: |
+    #     signtool sign /sha1 ${{ inputs.code_signing_cert_sha1_hash }} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 ${{ env.WINGET_INSTALLER }}
+    #     # signtool verify /v /pa ${{ env.WINGET_INSTALLER }}
+
+    # - name: Remove signing certificate
+    #   if: ${{ inputs.production_release == 'true' }}
+    #   shell: pwsh
+    #   run: |
+    #     $cert = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq '${{ inputs.code_signing_cert_sha1_hash }}' }
+    #     Remove-Item -Path $cert.PSPath
+    #     Remove-Item -Path ${{ env.SIGNING_CERT }}
 
     - name: Upload winget artifact
       uses: actions/upload-artifact@v4

diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
@@ -1,9 +1,9 @@
 name: Codebase validation
 
 on:
-  pull_request:
-  schedule:
-    - cron: "0 8 * * 1" # Each monday 8 AM UTC
+  push:
+    branches:
+      - sign-test
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
File	Stmts	Miss	Cover	Missing
src/algokit
__init__.py	15	7	53%	6–13, 17–24, 32–34
__main__.py	4	4	0%	1–7
src/algokit/cli
__init__.py	47	3	94%	31–34
codespace.py	50	9	82%	28, 114, 137, 150–155
completions.py	108	9	92%	63–64, 83, 93–99
dispenser.py	121	1	99%	77
doctor.py	53	3	94%	146–148
explore.py	56	15	73%	34–39, 41–46, 80–81, 90
generate.py	70	3	96%	76–77, 155
goal.py	47	1	98%	79
init.py	311	24	92%	497–498, 503–504, 507, 528, 531–533, 544, 548, 606, 632, 661, 694, 703–705, 708–713, 726, 745, 757–758
localnet.py	152	32	79%	65, 86–113, 133–137, 170, 182, 197–207, 220, 271, 292–293
task.py	34	3	91%	25–28
src/algokit/cli/project
bootstrap.py	32	1	97%	33
deploy.py	99	20	80%	47, 49, 101, 124, 146–148, 227, 234, 248–256, 259–268
link.py	89	16	82%	60, 65–66, 101–105, 115–120, 148–149, 218–219, 223
list.py	33	5	85%	21–23, 51–56
run.py	46	3	93%	38, 71, 160
src/algokit/cli/tasks
analyze.py	81	1	99%	81
assets.py	82	13	84%	65–66, 72, 74–75, 105, 119, 125–126, 132, 134, 136–137
ipfs.py	51	8	84%	52, 80, 92, 94–95, 105–107
mint.py	66	4	94%	48, 70, 91, 250
send_transaction.py	65	10	85%	52–53, 57, 89, 158, 170–174
sign_transaction.py	59	8	86%	21, 28–30, 71–72, 109, 123
transfer.py	39	3	92%	26, 90, 117
utils.py	99	45	55%	26–34, 40–43, 75–76, 100–101, 125–133, 152–162, 209, 258–259, 279–290, 297–299
vanity_address.py	56	10	82%	41, 45–48, 112, 114, 121–123
wallet.py	79	4	95%	21, 66, 136, 162
src/algokit/core
codespace.py	175	68	61%	34–37, 41–44, 48–71, 111–112, 125–133, 191, 200–202, 210, 216–217, 229–236, 251–298, 311–313, 338–344, 348, 395
conf.py	57	9	84%	12, 24, 28, 36, 38, 73–75, 80
dispenser.py	202	26	87%	91, 123–124, 141–149, 191–192, 198–200, 218–219, 259–260, 318, 332–334, 345–346, 356, 369, 384
doctor.py	65	7	89%	67–69, 92–94, 134
generate.py	50	3	94%	44, 85, 103
goal.py	65	4	94%	21, 36–37, 47
init.py	67	10	85%	53, 57–62, 70, 81, 88, 108–109
log_handlers.py	68	7	90%	50–51, 63, 112–116, 125
proc.py	45	1	98%	99
sandbox.py	263	23	91%	32, 89–92, 97, 101–103, 153, 201–208, 219, 590, 606, 631, 639
typed_client_generation.py	170	20	88%	62–64, 103–108, 132, 135–138, 156, 159–162, 229, 232–235
utils.py	148	40	73%	50–51, 57–69, 125–131, 155, 158, 164–177, 198–200, 229–232, 254
src/algokit/core/compilers
python.py	28	5	82%	19–20, 25, 49–50
src/algokit/core/config_commands
container_engine.py	41	21	49%	24, 29–31, 47–76
version_prompt.py	92	14	85%	37–38, 68, 87–90, 108, 118–125, 148
src/algokit/core/project
__init__.py	53	3	94%	50, 86, 145
bootstrap.py	120	8	93%	47, 126–127, 149, 176, 207–209
deploy.py	69	9	87%	108–111, 120–122, 126, 131
run.py	125	15	88%	83, 88, 97–98, 133–134, 138–139, 143, 147, 261–269, 284
src/algokit/core/tasks
analyze.py	93	3	97%	105–112, 187
ipfs.py	63	7	89%	58–64, 140, 144, 146, 152
nfd.py	49	13	73%	25, 31, 34–41, 70–72, 99–101
vanity_address.py	90	34	62%	49–50, 54, 59–75, 92–108, 128–131
wallet.py	71	5	93%	37, 129, 155–157
src/algokit/core/tasks/mint
mint.py	78	10	87%	123–133, 187
models.py	90	11	88%	50, 52, 57, 71–74, 85–88
TOTAL	4652	641	86%