From 9365c373c61cae30b0f31bac7207d8724b2de2a3 Mon Sep 17 00:00:00 2001
From: Hien To
Date: Thu, 23 Nov 2023 19:55:25 +0700
Subject: [PATCH] Add windows code sign to CI
---
 .github/workflows/jan-electron-build.yml | 95 ++++++++++++++++++++++--
 Makefile | 8 --
 2 files changed, 90 insertions(+), 13 deletions(-)
diff --git a/.github/workflows/jan-electron-build.yml b/.github/workflows/jan-electron-build.yml
index 118d6c3a01..4a18a02e0a 100644
--- a/.github/workflows/jan-electron-build.yml
+++ b/.github/workflows/jan-electron-build.yml
@@ -5,8 +5,34 @@ on:
 tags: ["v[0-9]+.[0-9]+.[0-9]+"]
 jobs:
+ create-draft-release:
+ runs-on: ubuntu-latest
+ if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
+ outputs:
+ upload_url: ${{ steps.create_release.outputs.upload_url }}
+ version: ${{ steps.get_version.outputs.version }}
+ permissions:
+ contents: write
+ steps:
+ - name: Extract tag name without v prefix
+ id: get_version
+ run: echo "VERSION=${GITHUB_REF#refs/tags/v}" >> $GITHUB_ENV && echo "::set-output name=version::${GITHUB_REF#refs/tags/v}"
+ env:
+ GITHUB_REF: ${{ github.ref }}
+ - name: Create Draft Release
+ id: create_release
+ uses: actions/create-release@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ tag_name: ${{ github.ref_name }}
+ release_name: "${{ env.VERSION }}"
+ draft: true
+ prerelease: false
+
 build-macos:
 runs-on: macos-latest
+ needs: create-draft-release
 environment: production
 permissions:
 contents: write
@@ -28,7 +54,12 @@ jobs:
 - name: Update app version base on tag
 run: |
- make update-app-version
+ if [[ ! "${VERSION_TAG}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+ echo "Error: Tag is not valid!"
+ exit 1
+ fi
+ jq --arg version "${VERSION_TAG#v}" '.version = $version' electron/package.json > /tmp/package.json
+ mv /tmp/package.json electron/package.json
 env:
 VERSION_TAG: ${{ steps.tag.outputs.tag }}
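Review bot: The `Extract tag name without v prefix` step in `create-draft-release` still uses the `::set-output` workflow command, which GitHub deprecated in favour of the `$GITHUB_OUTPUT` file; the step output should be written with `echo "version=${GITHUB_REF#refs/tags/v}" >> "$GITHUB_OUTPUT"` (keeping the `>> $GITHUB_ENV` line for `env.VERSION`), and the copy of this step added to the Windows job in the `@@ -80,18 +112,66 @@` hunk has the same problem. `actions/create-release@v1` is, as far as I know, an archived action that no longer receives updates, so a maintained equivalent or a direct `gh release create --draft` call would be a safer long-term choice for a step that runs with `contents: write`. As a point of style, the bash tag-validation-and-`jq` snippet that replaces `make update-app-version` is now pasted verbatim into three jobs (here, and the Windows and Linux hunks below); a single checked-in script, or a composite action, would keep the version regex in one place.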
@@ -59,6 +90,7 @@ jobs:
 build-windows-x64:
 runs-on: windows-latest
+ needs: create-draft-release
 permissions:
 contents: write
 steps:
@@ -80,18 +112,66 @@ jobs:
 - name: Update app version base on tag
 shell: bash
 run: |
- make update-app-version
+ if [[ ! "${VERSION_TAG}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+ echo "Error: Tag is not valid!"
+ exit 1
+ fi
+ jq --arg version "${VERSION_TAG#v}" '.version = $version' electron/package.json > /tmp/package.json
+ mv /tmp/package.json electron/package.json
 env:
 VERSION_TAG: ${{ steps.tag.outputs.tag }}
 - name: Build and publish app
+ shell: cmd
 run: |
- make build-and-publish
+ make build
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - name: Extract tag name without v prefix
+ id: get_version
+ run: echo "VERSION=${GITHUB_REF#refs/tags/v}" >> $GITHUB_ENV && echo "::set-output name=version::${GITHUB_REF#refs/tags/v}"
+ env:
+ GITHUB_REF: ${{ github.ref }}
+
+ - name: Windows Code Sign with AzureSignTool
+ run: |
+ dotnet tool install --global AzureSignTool
+ azuresigntool.exe sign -kvu "${{ secrets.AZURE_KEY_VAULT_URI }}" -kvi "${{ secrets.AZURE_CLIENT_ID }}" -kvt "${{ secrets.AZURE_TENANT_ID }}" -kvs "${{ secrets.AZURE_CLIENT_SECRET }}" -kvc ${{ secrets.AZURE_CERT_NAME }} -tr http://timestamp.digicert.com -v "./electron/dist/jan-win-x64-${{ env.VERSION }}.exe"
+
+ - uses: actions/upload-release-asset@v1.0.1
+ if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ upload_url: ${{ needs.create-draft-release.outputs.upload_url }}
+ asset_path: ./electron/dist/jan-win-x64-${{ env.VERSION }}.exe
+ asset_name: jan-win-x64-${{ env.VERSION }}.exe
+ asset_content_type: application/octet-stream
+
+ - uses: actions/upload-release-asset@v1.0.1
+ if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ upload_url: ${{ needs.create-draft-release.outputs.upload_url }}
+ asset_path: ./electron/dist/jan-win-x64-${{ env.VERSION }}.exe.blockmap
+ asset_name: jan-win-x64-${{ env.VERSION }}.exe.blockmap
+ asset_content_type: application/octet-stream
+
+ - uses: actions/upload-release-asset@v1.0.1
+ if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ upload_url: ${{ needs.create-draft-release.outputs.upload_url }}
+ asset_path: ./electron/dist/latest.yml
+ asset_name: latest.yml
+ asset_content_type: application/octet-stream
+
 build-linux-x64:
 runs-on: ubuntu-latest
+ needs: create-draft-release
 environment: production
 env:
 SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAPCRAFT_TOKEN }}
@@ -118,7 +198,12 @@ jobs:
 - name: Update app version base on tag
 run: |
- make update-app-version
+ if [[ ! "${VERSION_TAG}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+ echo "Error: Tag is not valid!"
+ exit 1
+ fi
+ jq --arg version "${VERSION_TAG#v}" '.version = $version' electron/package.json > /tmp/package.json
+ mv /tmp/package.json electron/package.json
 env:
 VERSION_TAG: ${{ steps.tag.outputs.tag }}
@@ -129,7 +214,7 @@ jobs:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 update_release_draft:
- needs: [build-macos, build-windows-x64, build-linux-x64]
+ needs: [build-macos, build-windows-x64, build-linux-x64, create-draft-release]
 permissions:
 # write permission is required to create a github release
 contents: write
diff --git a/Makefile b/Makefile
index 3d04b745fb..af416304cc 100644
--- a/Makefile
+++ b/Makefile
@@ -11,14 +11,6 @@ ifeq ($(OS),Windows_NT)
 else
 cd uikit && yarn install && yarn build
 endif
-# Updates the app version based on the tag
-update-app-version:
- if [[ ! "${VERSION_TAG}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then \
- echo "Error: Tag is not valid!"; \
- exit 1; \
- fi
- jq --arg version "${VERSION_TAG#v}" '.version = $version' electron/package.json > /tmp/package.json
- mv /tmp/package.json electron/package.json
 # Installs yarn dependencies and builds core and plugins
 install-and-build: build-uikit
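Review bot: The `Extract tag name without v prefix` step added to `build-windows-x64` has no `shell:`, so `${GITHUB_REF#refs/tags/v}` and `>> $GITHUB_ENV` — bash syntax — run under the runner's default PowerShell, which does not interpret them the same way and will leave `env.VERSION` empty or fail the step; the neighbouring steps set `shell: bash` and `shell: cmd` explicitly, and this one needs `shell: bash` too (unless a job-level `defaults.run.shell` outside the hunk already provides it). The `Windows Code Sign with AzureSignTool` step expands `${{ secrets.* }}` straight into the script text; passing them through the step's `env:` block and referencing the variables from the script keeps the values out of the generated script file, preserves log masking, and also fixes the unquoted `-kvc` argument, as in the excerpt below (the `--version` value there is a placeholder). `dotnet tool install --global AzureSignTool` is unpinned, so the tool that signs release binaries is whatever NuGet serves that day; pin it to a reviewed release. Signing runs after `make build`, so if `latest.yml` and the `.exe.blockmap` uploaded afterwards are electron-builder's update metadata, the checksum they record for the `.exe` was computed on the unsigned file and will no longer match the signed one — worth confirming with a test update before shipping.
```yaml
      # … unchanged: Extract tag name step (add `shell: bash` to it) …

      - name: Windows Code Sign with AzureSignTool
        shell: pwsh
        env:
          AZURE_KEY_VAULT_URI: ${{ secrets.AZURE_KEY_VAULT_URI }}
          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
          AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
          AZURE_CERT_NAME: ${{ secrets.AZURE_CERT_NAME }}
        run: |
          dotnet tool install --global AzureSignTool --version X.Y.Z  # placeholder: pin to a reviewed release
          azuresigntool.exe sign -kvu "$env:AZURE_KEY_VAULT_URI" -kvi "$env:AZURE_CLIENT_ID" -kvt "$env:AZURE_TENANT_ID" -kvs "$env:AZURE_CLIENT_SECRET" -kvc "$env:AZURE_CERT_NAME" -tr http://timestamp.digicert.com -v "./electron/dist/jan-win-x64-${env:VERSION}.exe"

      # … unchanged: upload-release-asset steps …
```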