WIP - Signing CD Action

sillsdev · Apr 23, 2024 · 2c77ba7 · 2c77ba7
1 parent fd0ea8a
commit 2c77ba7
Show file tree

Hide file tree

Showing 5 changed files with 128 additions and 29 deletions.
diff --git a/.github/workflows/ci-cd.yml b/.github/workflows/ci-cd.yml
@@ -5,17 +5,25 @@ on:
   pull_request:
     branches: ["develop", "master"]
   workflow_dispatch:
+    inputs:
+      releaseType:
+        description: 'Alpha, Beta, Stable used to stamp release artifacts'
+        required: true
+        default: 'Alpha'
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
 
 jobs:
-  windows_debug_build_and_test:
+  build_and_test:
     env:
       CROWDIN_API_KEY: ${{ secrets.CROWDIN_API_KEY }}
+      FILESTOSIGNLATER: "${{ github.workspace }}\filesToSign"
     name: Build Debug and run Tests
     runs-on: windows-latest
+    outputs:
+      job-info: ${{ steps.msi-digest.outputs.job }}
     steps:
       - name: Checkout Files
         uses: actions/checkout@v4
@@ -38,35 +46,26 @@ jobs:
       - name: Add msbuild to PATH
         uses: microsoft/setup-msbuild@v2
 
+      # We need the dotnet runtime to execute overcrowdin
       - name: Setup dotnet
         uses: actions/setup-dotnet@v3
         with:
-          dotnet-version: | 
-            2.1.x
-            3.1.x
-            5.0.x
+          dotnet-version:
+            8.0.x
         if: github.event_name != 'pull_request'
 
+      # If we are just doing a CI build we don't need real localizations, but the location must exist
       - name: Add Fake Localizations for CI
         shell: bash
         run: echo > DistFiles/localizations/empty.xlf
         if: github.event_name == 'pull_request'
-
-      - name: Restore Build Tasks & Packages
-        id: package_restore
-        shell: cmd
-        run: msbuild build\FLExBridge.proj /t:RestoreBuildTasks;RestorePackages
-
-      - name: Build & Test
-        id: build_and_test
-        shell: cmd
-        run: msbuild build\FLExBridge.proj /t:Test
-
+
       - name: Install Latest Overcrowdin
         shell: cmd
         run: dotnet tool install -g overcrowdin
         if: github.event_name != 'pull_request'
 
+
       - name: Restore L10n Packages
         shell: cmd
         run: |
@@ -79,9 +78,82 @@ jobs:
         run: |
           cd l10n
           msbuild l10n.proj /t:GetLatestL10ns;CopyL10nsToDistFiles
-        if: github.event_name != 'pull_request'
-
-      - name: Build Installer
+        if: github.event_name != 'pull_request'      
+
+      - name: Restore Build Tasks & Packages
+        id: package_restore
         shell: cmd
-        run: msbuild build/FLExBridge.proj /t:Installer /p:UploadFolder=Alpha
+        run: msbuild build\FLExBridge.proj /t:RestoreBuildTasks;RestorePackages
+
+      - name: Build & Test
+        id: build_and_test_step
+        shell: cmd
+        run: msbuild build\FLExBridge.proj /t:Test /p:Configuration=Release
+
+      # All the following are used only when building an installer after a merge
+      - name: Build Msi
+        id: build_msi
+        shell: cmd
+        run: |
+          msbuild build/FLExBridge.proj /t:CleanMasterOutputDir;PreparePublishingArtifactsInternal;BuildProductBaseMsi /p:UploadFolder=${{ inputs.environment || 'Alpha' }}
+          echo "FILES_TO_SIGN<<EOF" >> $GITHUB_ENV
+          type $FILESTOSIGNLATER >> $GITHUB_ENV
+          echo "EOF" >> $GITHUB_ENV
         if: github.event_name != 'pull_request'
+
+      - name: Create Msi Digest
+        id: msi-digest
+        uses: sillsdev/codesign/generate-digest@v2
+        with:
+          path: ${{ env.FILES_TO_SIGN }}
+          public-cert: ${{ secrets.CODESIGN_LSDEVSECTIGOEV }}
+        if: github.event_name != 'pull_request'
+
+      - name: upload-msi
+        id: upload
+        uses: actions/upload-artifact@v4
+        with:
+          name: signed-files-for-msi
+          path: ${{ env.FILES_TO_SIGN }}
+          if-no-files-found: error
+          overwrite: true
+
+  sign-msi:
+    needs: build_and_test
+    uses: sillsdev/codesign/.github/workflows/sign-digest.yml@v2
+    with:
+      job: ${{ needs.build_and_test.job-info }}
+    if: github.event_name != 'pull_request'
+
+  build-installer-bundles:
+    needs: [build_and_test, sign-msi]
+    runs-on: windows-latest
+    outputs:
+      job-info: ${{ steps.bundle-digest.outputs.job }}
+    steps:
+    - name: Apply signing to msi
+      uses: sillsdev/codesign/apply-signed-digest@v2
+      with:
+        path: ${{ needs.build_and_test.steps.find_file.outputs.fb_msi_path }}
+        job: ${{ needs.sign-msi.outputs.signed-job }}
+    - name: Build Online\Offline bundles
+      shell: cmd
+      run: |
+        msbuild MSBuild FLExBridge.proj /target:BuildProductBaseBundles /p:Configuration=Release /p:Platform="Any CPU" /p:UploadFolder=${{ inputs.environment || 'Alpha' }}
+        echo "FILES_TO_SIGN<<EOF" >> $GITHUB_ENV
+        type $FILESTOSIGNLATER >> $GITHUB_ENV
+        echo "EOF" >> $GITHUB_ENV   
+    - name: Create Bundle Digest
+      id: bundle-digest
+      uses: sillsdev/codesign/generate-digest@v2
+      with:
+        path: ${{ env.FILES_TO_SIGN }}
+        public-cert: ${{ secrets.CODESIGN_LSDEVSECTIGOEV }}
+    if: github.event_name != 'pull_request'
+
+  sign-bundles:
+    needs: build-installer-bundles
+    uses: sillsdev/codesign/.github/workflows/sign-digest.yml@v2
+    with:
+      job: ${{ needs.build-installer-bundles.job-info }}
+    if: github.event_name != 'pull_request'       
diff --git a/build/WixPatchableInstaller.targets b/build/WixPatchableInstaller.targets
@@ -50,11 +50,14 @@
 		<AppBuildMasterDir>$(InstallersBaseDir)/$(SafeApplicationName)_Build_Master</AppBuildMasterDir>
 		<BinDirSuffix>objects/$(SafeApplicationName)</BinDirSuffix>
 		<DataDirSuffix>$(BinDirSuffix)_Data</DataDirSuffix>
+		<MsiFile>$(SafeApplicationName)_$(BuildVersion).msi</MsiFile>
+		<BaseBuildDir>$(RootDir)/src/WiXInstaller/BaseInstallerBuild</BaseBuildDir>
+		<BaseBuildArgs>"$(ApplicationName)" $(SafeApplicationName) $(BuildVersion) $(ProductIdGuid) $(UpgradeCodeGuid) "$(AppBuildDir)/$(BinDirSuffix)" "$(AppBuildDir)/$(DataDirSuffix)" $(CopyrightYear) "$(Manufacturer)" $(SafeManufacturer)</BaseBuildArgs>
 	</PropertyGroup>
 
 	<!-- Top Level Targets -->
 	<!-- called only once, at the first release of a major version -->
-	<Target Name="BuildRelease" DependsOnTargets="CleanMasterOutputDir;BuildProductMain;BuildProductBaseMsi;CopyBuildToMaster"/>
+	<Target Name="BuildRelease" DependsOnTargets="CleanMasterOutputDir;BuildProductMain;BuildProductBase;CopyBuildToMaster"/>
 
 	<!-- called at each minor release to build a patch installer -->
 	<Target Name="BuildPatch" DependsOnTargets="BuildProductMain;BuildProductPatchMsp" />
@@ -184,14 +187,38 @@
 	</UsingTask>
 
 	<!-- Build Wix Product Targets -->
-	<Target Name="BuildProductBaseMsi" DependsOnTargets="GetDotNetFiles; InstallerVersionNumbers">
+
+	<!-- Attempt to build and sign the full installation package. Both the msi, and the Online and Offline bundles -->
+	<Target Name="BuildProductBase" DependsOnTargets="GetDotNetFiles; InstallerVersionNumbers">
+		<PropertyGroup>
+			<BuildArgsJIT>"$(ApplicationName)" $(SafeApplicationName) $(BuildVersion) $(ProductIdGuid) $(UpgradeCodeGuid) "$(AppBuildDir)/$(BinDirSuffix)" "$(AppBuildDir)/$(DataDirSuffix)" $(CopyrightYear) "$(Manufacturer)" $(SafeManufacturer)</BuildArgsJIT>
+		</PropertyGroup>
+		<Exec WorkingDirectory="$(BaseBuildDir)" Command="buildBaseInstaller.bat $(BuildArgsJIT)" />
+
+		<ItemGroup>
+			<InstallerFiles Include="$(BaseBuildDir)/**/$(SafeApplicationName)_*.exe"/>
+			<InstallerFiles Include="$(BaseBuildDir)/**/$(SafeApplicationName)_*.msi"/>
+		</ItemGroup>
+		<Move SourceFiles="@(InstallerFiles)" DestinationFolder="$(InstallersBaseDir)"/>
+		<!-- The FieldWorks installer wants a stable installer name -->
+		<Move SourceFiles="$(InstallersBaseDir)/$(SafeApplicationName)_$(BuildVersion)_Offline.exe" DestinationFiles="$(InstallersBaseDir)/$(SafeApplicationName)_Offline.exe"/>
+		<Move SourceFiles="$(InstallersBaseDir)/$(SafeApplicationName)_$(BuildVersion)_Online.exe" DestinationFiles="$(InstallersBaseDir)/$(SafeApplicationName)_Online.exe"/>
+		<Move SourceFiles="$(InstallersBaseDir)/$(SafeApplicationName)_$(BuildVersion).msi" DestinationFiles="$(InstallersBaseDir)/$(SafeApplicationName).msi"/>
+	</Target>
+
+	<!-- Build the msi, useful for separating the signing step -->
+	<Target Name="BuildProductBaseMsi" DependsOnTargets="GetDotNetFiles;InstallerVersionNumbers;BuildProductMain">
 		<PropertyGroup>
-			<MsiFile>$(SafeApplicationName)_$(BuildVersion).msi</MsiFile>
-			<BaseBuildDir>$(RootDir)/src/WiXInstaller/BaseInstallerBuild</BaseBuildDir>
-			<BaseBuildArgs>"$(ApplicationName)" $(SafeApplicationName) $(BuildVersion) $(ProductIdGuid) $(UpgradeCodeGuid) "$(AppBuildDir)/$(BinDirSuffix)" "$(AppBuildDir)/$(DataDirSuffix)" $(CopyrightYear) "$(Manufacturer)" $(SafeManufacturer)</BaseBuildArgs>
+			<BuildArgsJIT>"$(ApplicationName)" $(SafeApplicationName) $(BuildVersion) $(ProductIdGuid) $(UpgradeCodeGuid) "$(AppBuildDir)/$(BinDirSuffix)" "$(AppBuildDir)/$(DataDirSuffix)" $(CopyrightYear) "$(Manufacturer)" $(SafeManufacturer)</BuildArgsJIT>
 		</PropertyGroup>
-		<Exec WorkingDirectory="$(BaseBuildDir)" Command="buildBaseInstaller.bat $(BaseBuildArgs)" />
+		<Exec WorkingDirectory="$(BaseBuildDir)" Command="buildMsi.bat $(BuildArgsJIT)" />
+	</Target>
 
+	<Target Name="BuildProductBaseBundles" DependsOnTargets="GetDotNetFiles; InstallerVersionNumbers">
+		<PropertyGroup>
+			<BuildArgsJIT>"$(ApplicationName)" $(SafeApplicationName) $(BuildVersion) $(ProductIdGuid) $(UpgradeCodeGuid) "$(AppBuildDir)/$(BinDirSuffix)" "$(AppBuildDir)/$(DataDirSuffix)" $(CopyrightYear) "$(Manufacturer)" $(SafeManufacturer)</BuildArgsJIT>
+		</PropertyGroup>
+		<Exec WorkingDirectory="$(BaseBuildDir)" Command="buildexe.bat $(BuildArgsJIT) x86 1" />
 		<ItemGroup>
 			<InstallerFiles Include="$(BaseBuildDir)/**/$(SafeApplicationName)_*.exe"/>
 			<InstallerFiles Include="$(BaseBuildDir)/**/$(SafeApplicationName)_*.msi"/>

diff --git a/l10n/l10n.proj b/l10n/l10n.proj
@@ -37,7 +37,7 @@
   </Target>
 
   <Target Name="FetchLatestL10ns" DependsOnTargets="restore">
-    <Exec Command="overcrowdin download -e -f $(FwL10nsZip)" />
+    <Exec Command="overcrowdin download -f $(FwL10nsZip)" />
   </Target>
 
   <Target Name="ProcessL10ns"  DependsOnTargets="restore">

diff --git a/src/LibFLExBridge-ChorusPluginTests/LibFLExBridge-ChorusPluginTests.csproj b/src/LibFLExBridge-ChorusPluginTests/LibFLExBridge-ChorusPluginTests.csproj
@@ -12,7 +12,7 @@
     <PackageReference Include="GitVersion.MsBuild" Version="5.10.3" PrivateAssets="all" />
     <PackageReference Include="NUnit" Version="3.13.3" />
     <PackageReference Include="SIL.Chorus.LibChorus.TestUtilities" Version="$(ChorusVersion)" />
-    <PackageReference Include="SIL.Chorus.Mercurial" Version="6.5.1.25" IncludeAssets="build" />
+    <PackageReference Include="SIL.Chorus.Mercurial" Version="6.*" IncludeAssets="build" />
   </ItemGroup>
 
   <ItemGroup>

diff --git a/src/WiXInstaller b/src/WiXInstaller
+30 −23		BaseInstallerBuild/buildExe.bat
+25 −16		BaseInstallerBuild/signingProxy.bat