Add windows code sign to CI

janhq · Nov 23, 2023 · 1325e89 · 1325e89
1 parent 20a5c79
commit 1325e89
Show file tree

Hide file tree

Showing 2 changed files with 74 additions and 5 deletions.
diff --git a/.github/workflows/jan-electron-build.yml b/.github/workflows/jan-electron-build.yml
@@ -5,8 +5,34 @@ on:
     tags: ["v[0-9]+.[0-9]+.[0-9]+"]
 
 jobs:
+  create-draft-release:
+    runs-on: ubuntu-latest
+    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
+    outputs:
+      upload_url: ${{ steps.create_release.outputs.upload_url }}
+      version: ${{ steps.get_version.outputs.version }}
+    permissions:
+      contents: write
+    steps:
+      - name: Extract tag name without v prefix
+        id: get_version
+        run: echo "VERSION=${GITHUB_REF#refs/tags/v}" >> $GITHUB_ENV && echo "::set-output name=version::${GITHUB_REF#refs/tags/v}"
+        env:
+          GITHUB_REF: ${{ github.ref }}
+      - name: Create Draft Release
+        id: create_release
+        uses: actions/create-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: ${{ github.ref_name }}
+          release_name: "${{ env.VERSION }}"
+          draft: true
+          prerelease: false
+
   build-macos:
     runs-on: macos-latest
+    needs: create-draft-release
     environment: production
     permissions:
       contents: write
@@ -59,6 +85,7 @@ jobs:
 
   build-windows-x64:
     runs-on: windows-latest
+    needs: create-draft-release
     permissions:
       contents: write
     steps:
@@ -86,12 +113,54 @@ jobs:
 
       - name: Build and publish app
         run: |
-          make build-and-publish
+          make build
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Extract tag name without v prefix
+        id: get_version
+        run: echo "VERSION=${GITHUB_REF#refs/tags/v}" >> $GITHUB_ENV && echo "::set-output name=version::${GITHUB_REF#refs/tags/v}"
+        env:
+          GITHUB_REF: ${{ github.ref }}
+
+      - name: Windows Code Sign with AzureSignTool
+        run: |
+          dotnet tool install --global AzureSignTool
+          azuresigntool.exe sign -kvu "${{ secrets.AZURE_KEY_VAULT_URI }}" -kvi "${{ secrets.AZURE_CLIENT_ID }}" -kvt "${{ secrets.AZURE_TENANT_ID }}" -kvs "${{ secrets.AZURE_CLIENT_SECRET }}" -kvc ${{ secrets.AZURE_CERT_NAME }} -tr http://timestamp.digicert.com -v "./electron/dist/jan-win-x64-${{ env.VERSION }}.exe"
+
+      - uses: actions/[email protected]
+        if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ needs.create-draft-release.outputs.upload_url }}
+          asset_path: ./electron/dist/jan-win-x64-${{ env.VERSION }}.exe
+          asset_name: jan-win-x64-${{ env.VERSION }}.exe
+          asset_content_type: application/octet-stream
+
+      - uses: actions/[email protected]
+        if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ needs.create-draft-release.outputs.upload_url }}
+          asset_path: ./electron/dist/jan-win-x64-${{ env.VERSION }}.exe.blockmap
+          asset_name: jan-win-x64-${{ env.VERSION }}.exe.blockmap
+          asset_content_type: application/octet-stream
+
+      - uses: actions/[email protected]
+        if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ needs.create-draft-release.outputs.upload_url }}
+          asset_path: ./electron/dist/latest.yml
+          asset_name: latest.yml
+          asset_content_type: application/octet-stream
+
   build-linux-x64:
     runs-on: ubuntu-latest
+    needs: create-draft-release
     environment: production
     env:
       SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAPCRAFT_TOKEN }}
@@ -129,7 +198,7 @@ jobs:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
   update_release_draft:
-    needs: [build-macos, build-windows-x64, build-linux-x64]
+    needs: [build-macos, build-windows-x64, build-linux-x64, create-draft-release]
     permissions:
       # write permission is required to create a github release
       contents: write

diff --git a/Makefile b/Makefile
@@ -13,9 +13,9 @@ else
 endif
 # Updates the app version based on the tag
 update-app-version:
-	if [[ ! "${VERSION_TAG}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then \
-		echo "Error: Tag is not valid!"; \
-		exit 1; \
+	if [[ ! "${VERSION_TAG}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+		echo "Error: Tag is not valid!"
+		exit 1
 	fi
 	jq --arg version "${VERSION_TAG#v}" '.version = $version' electron/package.json > /tmp/package.json
 	mv /tmp/package.json electron/package.json