diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml
index eb188e16205..2580d098000 100644
--- a/.github/workflows/package.yml
+++ b/.github/workflows/package.yml
@@ -11,7 +11,6 @@ permissions: jobs: build-cli: - if: ${{ !(startsWith(github.ref, 'refs/tags/') && matrix.target == 'x86_64-pc-windows-msvc') }} strategy: fail-fast: false matrix: 
@@ -51,81 +50,45 @@ jobs: - name: Install rust target run: rustup target add ${{ matrix.target }} - - name: Compile - run: | - cargo build --release --target ${{ matrix.target }} -p spacetimedb-cli -p spacetimedb-standalone -p spacetimedb-update - - - name: Package (unix) - if: ${{ runner.os != 'Windows' }} - shell: bash - run: | - mkdir build - cd target/${{matrix.target}}/release - cp spacetimedb-update ../../../build/spacetimedb-update-${{matrix.target}} - tar -czf ../../../build/spacetime-${{matrix.target}}.tar.gz spacetimedb-{cli,standalone} - - - name: Package (windows) + - name: Add signtool.exe to PATH if: ${{ runner.os == 'Windows' }} - shell: bash + shell: pwsh run: | - mkdir build - cd target/${{matrix.target}}/release - cp spacetimedb-update.exe ../../../build/spacetimedb-update-${{matrix.target}}.exe - 7z a ../../../build/spacetime-${{matrix.target}}.zip spacetimedb-cli.exe spacetimedb-standalone.exe - - - name: Extract branch name - shell: bash - run: echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_OUTPUT - id: extract_branch - - - name: Upload to DO Spaces - uses: shallwefootball/s3-upload-action@master - with: - aws_key_id: ${{ secrets.AWS_KEY_ID }} - aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY}} - aws_bucket: ${{ vars.AWS_BUCKET }} - source_dir: build - endpoint: https://nyc3.digitaloceanspaces.com - destination_dir: ${{ steps.extract_branch.outputs.branch }} - - build-cli-windows-signed: - if: ${{ startsWith(github.ref, 'refs/tags/') }} - name: Build and sign CLI for x86_64 Windows - runs-on: [self-hosted, windows, signing] - environment: codesign - concurrency: - group: codesign-${{ github.ref }} - cancel-in-progress: false - - steps: - - name: Checkout - uses: actions/checkout@v3 - - - name: Install Rust - uses: dsherret/rust-toolchain-file@v1 + $root = "${env:ProgramFiles(x86)}\Windows Kits\10\bin" + $signtool = Get-ChildItem $root -Recurse -Filter signtool.exe -ErrorAction SilentlyContinue | + Where-Object { 
$_.FullName -match '\\x64\\signtool\.exe$' } | + Sort-Object FullName -Descending | + Select-Object -First 1 - - name: Install rust target - run: rustup target add x86_64-pc-windows-msvc + if (-not $signtool) { throw "signtool.exe not found under $root" } - - name: Compile - run: | - cargo build --release --target x86_64-pc-windows-msvc -p spacetimedb-cli -p spacetimedb-standalone -p spacetimedb-update + "Found: $($signtool.FullName)" + $dir = Split-Path $signtool.FullName + Add-Content -Path $env:GITHUB_PATH -Value $dir - - name: Write certificate file + - name: Write certificate file for signing + if: ${{ runner.os == 'Windows' }} shell: powershell env: DIGICERT_CERT_B64: ${{ secrets.DIGICERT_CERT_B64 }} run: | - [IO.File]::WriteAllBytes("digicert.crt", [Convert]::FromBase64String($env:DIGICERT_CERT_B64)) + [IO.File]::WriteAllBytes("digicert.pfx", [Convert]::FromBase64String($env:DIGICERT_CERT_B64)) - - name: Sign binaries + - name: Compile + run: | + cargo build --release --target ${{ matrix.target }} -p spacetimedb-cli -p spacetimedb-standalone -p spacetimedb-update + + - name: Sign binaries for Windows + # Disabled for now since the current flow isn't working. + if: false + #if: ${{ runner.os == 'Windows' }} shell: powershell env: DIGICERT_KEYPAIR_ALIAS: ${{ secrets.DIGICERT_KEYPAIR_ALIAS }} run: | $ErrorActionPreference = 'Stop' $targetDir = Join-Path $env:GITHUB_WORKSPACE 'target\x86_64-pc-windows-msvc\release' - $certFile = Join-Path $env:GITHUB_WORKSPACE 'digicert.crt' + $certFile = Join-Path $env:GITHUB_WORKSPACE 'digicert.pfx' $signtool = Get-Command signtool.exe -ErrorAction Stop 
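Review bot: The `Write certificate file for signing` step still runs on every Windows build although its only consumer, `Sign binaries for Windows`, is now `if: false`, so `DIGICERT_CERT_B64` is decoded into `digicert.pfx` in the workspace for no purpose. The step also now sits before `Compile`, so the file is on disk while `cargo build` runs build scripts, and nothing in the visible steps removes it afterwards. The removed job was limited to tags, `environment: codesign` and a self-hosted signing runner; none of those gates appear on the new step, though the job header is outside this hunk, so that part is inferred. I would give the write step the same `if: false` until signing is re-enabled. When it is re-enabled, the step belongs directly before the sign step (whose body continues in the next hunk), writing to `Join-Path $env:RUNNER_TEMP 'digicert.pfx'` and followed by a `Remove-Item`.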
@@ -136,32 +99,31 @@ jobs: ) foreach ($file in $files) { - & $signtool.Path sign /csp "DigiCert Signing Manager KSP" /kc $env:DIGICERT_KEYPAIR_ALIAS /f $certFile /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 $file + & $signtool.Path sign /f $certFile /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 $file & $signtool.Path verify /v /pa $file } - - name: Package (windows) - shell: powershell + - name: Package (unix) + if: ${{ runner.os != 'Windows' }} + shell: bash run: | - $ErrorActionPreference = 'Stop' - New-Item -ItemType Directory -Force -Path build | Out-Null - $releaseDir = Join-Path $env:GITHUB_WORKSPACE 'target\x86_64-pc-windows-msvc\release' + mkdir build + cd target/${{matrix.target}}/release + cp spacetimedb-update ../../../build/spacetimedb-update-${{matrix.target}} + tar -czf ../../../build/spacetime-${{matrix.target}}.tar.gz spacetimedb-{cli,standalone} - Copy-Item (Join-Path $releaseDir 'spacetimedb-update.exe') (Join-Path $env:GITHUB_WORKSPACE 'build\spacetimedb-update-x86_64-pc-windows-msvc.exe') - Compress-Archive -Force -Path @( - (Join-Path $releaseDir 'spacetimedb-cli.exe'), - (Join-Path $releaseDir 'spacetimedb-standalone.exe') - ) -DestinationPath (Join-Path $env:GITHUB_WORKSPACE 'build\spacetime-x86_64-pc-windows-msvc.zip') + - name: Package (windows) + if: ${{ runner.os == 'Windows' }} + shell: bash + run: | + mkdir build + cd target/${{matrix.target}}/release + cp spacetimedb-update.exe ../../../build/spacetimedb-update-${{matrix.target}}.exe + 7z a ../../../build/spacetime-${{matrix.target}}.zip spacetimedb-cli.exe spacetimedb-standalone.exe - name: Extract branch name - shell: powershell - run: | - $ErrorActionPreference = 'Stop' - $branch = $env:GITHUB_HEAD_REF - if ([string]::IsNullOrEmpty($branch)) { - $branch = $env:GITHUB_REF -replace '^refs/heads/', '' - } - "branch=$branch" | Out-File -FilePath $env:GITHUB_OUTPUT -Encoding utf8 -Append + shell: bash + run: echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" 
>> $GITHUB_OUTPUT id: extract_branch - name: Upload to DO Spaces
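Review bot: Dropping `/csp "DigiCert Signing Manager KSP" /kc $env:DIGICERT_KEYPAIR_ALIAS` from the `signtool sign` call means the private key must now come from the file passed to `/f`, so `digicert.pfx` has to be a key-bearing PFX held in a repository secret and on the runner's disk, rather than a key that stays inside the KSP. If `DIGICERT_CERT_B64` still holds only the certificate that was previously written as `digicert.crt`, signing would presumably fail for lack of a key, and a password-protected PFX would also need `/p`. The step's `DIGICERT_KEYPAIR_ALIAS` env entry, declared in the previous hunk, is no longer read and can be removed. A comment above the loop such as `# key-bearing PFX: write to RUNNER_TEMP and delete after signing` would record the new handling requirement; the step starts outside this hunk.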