vstockwell/wraith
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 67 Wiki Activity

fix: CI rewrite — no GITHUB_OUTPUT, absolute paths, inline version

Browse Source 
act_runner v0.2.11 doesn't support step outputs. Extract version
from github.ref_name inline in every step. Use absolute paths
for NSIS. Write nsi file with System.IO to avoid encoding issues.
Store Azure token in temp file instead of step output.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Vantz Stockwell 2026-03-18 00:56:25 -04:00
parent 372689fa03
commit 348d8c842d
1 changed files with 75 additions and 134 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

209
.gitea/workflows/build-release.yml
View File

@ -1,12 +1,6 @@
# ============================================================================= # =============================================================================
# Wraith — Build & Sign Release (Tauri v2) # Wraith — Build & Sign Release (Tauri v2)
# ============================================================================= # =============================================================================
# Native Windows build on STORMBREAKER runner, signs with Azure Key Vault
# EV cert via jsign, creates NSIS installer, uploads to Gitea packages.
#
# Trigger: push a tag matching v* (e.g. v1.0.0) or run manually.
# =============================================================================
name: Build & Sign Wraith name: Build & Sign Wraith
on: on:
@ -16,7 +10,6 @@ on:
workflow_dispatch: workflow_dispatch:
env: env:
# Extra paths needed when running as SYSTEM
EXTRA_PATH: C:\Program Files (x86)\NSIS;C:\Program Files\Eclipse Adoptium\jre-21.0.10.7-hotspot\bin;C:\Users\vantz\.cargo\bin;C:\Users\vantz\.rustup\toolchains\stable-x86_64-pc-windows-msvc\bin;C:\Program Files\nodejs EXTRA_PATH: C:\Program Files (x86)\NSIS;C:\Program Files\Eclipse Adoptium\jre-21.0.10.7-hotspot\bin;C:\Users\vantz\.cargo\bin;C:\Users\vantz\.rustup\toolchains\stable-x86_64-pc-windows-msvc\bin;C:\Program Files\nodejs
jobs: jobs:
@ -29,14 +22,6 @@ jobs:
run: | run: |
git clone --depth 1 --branch ${{ github.ref_name }} https://${{ secrets.GIT_TOKEN }}@git.command.vigilcyber.com/vstockwell/wraith.git . git clone --depth 1 --branch ${{ github.ref_name }} https://${{ secrets.GIT_TOKEN }}@git.command.vigilcyber.com/vstockwell/wraith.git .
- name: Get version from tag
id: version
shell: powershell
run: |
$tag = "${{ github.ref_name }}" -replace '^v',''
echo "version=$tag" >> $env:GITHUB_OUTPUT
Write-Host "Building version: $tag"
- name: Configure Rust - name: Configure Rust
shell: powershell shell: powershell
run: | run: |
@ -49,22 +34,16 @@ jobs:
shell: powershell shell: powershell
run: | run: |
$env:Path = "$env:EXTRA_PATH;$env:Path" $env:Path = "$env:EXTRA_PATH;$env:Path"
Write-Host "=== Toolchain versions ==="
node --version node --version
rustc --version rustc --version
cargo --version cargo --version
java --version java --version
- name: Install frontend dependencies - name: Install dependencies and build frontend
shell: powershell shell: powershell
run: | run: |
$env:Path = "$env:EXTRA_PATH;$env:Path" $env:Path = "$env:EXTRA_PATH;$env:Path"
npm ci npm ci
- name: Build frontend
shell: powershell
run: |
$env:Path = "$env:EXTRA_PATH;$env:Path"
npm run build npm run build
- name: Install Tauri CLI - name: Install Tauri CLI
@ -75,76 +54,75 @@ jobs:
- name: Build Tauri app - name: Build Tauri app
shell: powershell shell: powershell
env:
TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
run: | run: |
$env:Path = "$env:EXTRA_PATH;$env:Path" $env:Path = "$env:EXTRA_PATH;$env:Path"
cargo tauri build --no-bundle cargo tauri build --no-bundle
Write-Host "=== Build output ==="
Get-ChildItem src-tauri\target\release\Wraith.exe Get-ChildItem src-tauri\target\release\Wraith.exe
- name: Build NSIS installer - name: Build NSIS installer
shell: powershell shell: powershell
run: | run: |
$env:Path = "$env:EXTRA_PATH;$env:Path" $env:Path = "$env:EXTRA_PATH;$env:Path"
$ver = "${{ steps.version.outputs.version }}" $ver = ("${{ github.ref_name }}" -replace '^v','')
$outName = "Wraith_${ver}_x64-setup.exe" $outExe = "Wraith_" + $ver + "_x64-setup.exe"
$workDir = (Get-Location).Path
# Stage files New-Item -ItemType Directory -Force -Path "$workDir\dist-pkg" | Out-Null
New-Item -ItemType Directory -Force -Path dist-pkg | Out-Null Copy-Item "$workDir\src-tauri\target\release\Wraith.exe" "$workDir\dist-pkg\"
Copy-Item src-tauri\target\release\Wraith.exe dist-pkg\ Copy-Item "$workDir\src-tauri\icons\icon.ico" "$workDir\dist-pkg\wraith.ico" -ErrorAction SilentlyContinue
Copy-Item src-tauri\icons\icon.ico dist-pkg\wraith.ico -ErrorAction SilentlyContinue
# Write NSIS script — use single-quoted here-string to avoid PS interpolation $nsiContent = @'
$nsi = @' !include "MUI2.nsh"
!include "MUI2.nsh" Name "Wraith"
Name "Wraith" OutFile "OUTFILE_PLACEHOLDER"
OutFile "OUTFILE_PLACEHOLDER" InstallDir "$PROGRAMFILES64\Wraith"
InstallDir "$PROGRAMFILES64\Wraith" RequestExecutionLevel admin
RequestExecutionLevel admin !insertmacro MUI_PAGE_DIRECTORY
!insertmacro MUI_PAGE_DIRECTORY !insertmacro MUI_PAGE_INSTFILES
!insertmacro MUI_PAGE_INSTFILES !insertmacro MUI_LANGUAGE "English"
!insertmacro MUI_LANGUAGE "English" Section "Install"
Section "Install" SetOutPath "$INSTDIR"
SetOutPath "$INSTDIR" File "Wraith.exe"
File "Wraith.exe" File "wraith.ico"
File "wraith.ico" CreateDirectory "$SMPROGRAMS\Wraith"
CreateDirectory "$SMPROGRAMS\Wraith" CreateShortcut "$SMPROGRAMS\Wraith\Wraith.lnk" "$INSTDIR\Wraith.exe" "" "$INSTDIR\wraith.ico"
CreateShortcut "$SMPROGRAMS\Wraith\Wraith.lnk" "$INSTDIR\Wraith.exe" "" "$INSTDIR\wraith.ico" CreateShortcut "$DESKTOP\Wraith.lnk" "$INSTDIR\Wraith.exe" "" "$INSTDIR\wraith.ico"
CreateShortcut "$DESKTOP\Wraith.lnk" "$INSTDIR\Wraith.exe" "" "$INSTDIR\wraith.ico" WriteUninstaller "$INSTDIR\uninstall.exe"
WriteUninstaller "$INSTDIR\uninstall.exe" WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\Wraith" "DisplayName" "Wraith"
WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\Wraith" "DisplayName" "Wraith" WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\Wraith" "UninstallString" "$INSTDIR\uninstall.exe"
WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\Wraith" "UninstallString" "$INSTDIR\uninstall.exe" WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\Wraith" "DisplayVersion" "VER_PLACEHOLDER"
WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\Wraith" "DisplayVersion" "VER_PLACEHOLDER" WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\Wraith" "Publisher" "Vigilance Cyber"
WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\Wraith" "Publisher" "Vigilance Cyber" SectionEnd
SectionEnd Section "Uninstall"
Section "Uninstall" Delete "$INSTDIR\Wraith.exe"
Delete "$INSTDIR\Wraith.exe" Delete "$INSTDIR\wraith.ico"
Delete "$INSTDIR\wraith.ico" Delete "$INSTDIR\uninstall.exe"
Delete "$INSTDIR\uninstall.exe" RMDir "$INSTDIR"
RMDir "$INSTDIR" Delete "$SMPROGRAMS\Wraith\Wraith.lnk"
Delete "$SMPROGRAMS\Wraith\Wraith.lnk" RMDir "$SMPROGRAMS\Wraith"
RMDir "$SMPROGRAMS\Wraith" Delete "$DESKTOP\Wraith.lnk"
Delete "$DESKTOP\Wraith.lnk" DeleteRegKey HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\Wraith"
DeleteRegKey HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\Wraith" SectionEnd
SectionEnd '@
'@ $nsiContent = $nsiContent.Replace("OUTFILE_PLACEHOLDER", $outExe).Replace("VER_PLACEHOLDER", $ver)
$nsi = $nsi.Replace("OUTFILE_PLACEHOLDER", $outName).Replace("VER_PLACEHOLDER", $ver) [System.IO.File]::WriteAllText("$workDir\dist-pkg\installer.nsi", $nsiContent)
$nsi | Out-File -FilePath dist-pkg\installer.nsi -Encoding ascii
# Build installer Write-Host "=== NSIS script written ==="
makensis dist-pkg\installer.nsi Write-Host "Working dir: $workDir"
Move-Item "dist-pkg\$outName" . Write-Host "OutFile: $outExe"
Get-ChildItem "$workDir\dist-pkg\"
& makensis "$workDir\dist-pkg\installer.nsi"
Move-Item "$workDir\dist-pkg\$outExe" "$workDir\"
Write-Host "=== Installer built ===" Write-Host "=== Installer built ==="
Get-ChildItem $outName Get-ChildItem "$workDir\$outExe"
- name: Download jsign - name: Download jsign
shell: powershell shell: powershell
run: | run: |
Invoke-WebRequest -Uri "https://github.com/ebourg/jsign/releases/download/7.0/jsign-7.0.jar" -OutFile jsign.jar Invoke-WebRequest -Uri "https://github.com/ebourg/jsign/releases/download/7.0/jsign-7.0.jar" -OutFile jsign.jar
- name: Get Azure Key Vault access token - name: Get Azure token
id: azure-token id: azure-token
shell: powershell shell: powershell
run: | run: |
@ -157,86 +135,49 @@ jobs:
$resp = Invoke-RestMethod -Uri "https://login.microsoftonline.com/${{ secrets.AZURE_TENANT_ID }}/oauth2/v2.0/token" -Method POST -Body $body $resp = Invoke-RestMethod -Uri "https://login.microsoftonline.com/${{ secrets.AZURE_TENANT_ID }}/oauth2/v2.0/token" -Method POST -Body $body
$token = $resp.access_token $token = $resp.access_token
echo "::add-mask::$token" echo "::add-mask::$token"
echo "token=$token" >> $env:GITHUB_OUTPUT [System.IO.File]::WriteAllText("$env:TEMP\aztoken.txt", $token)
- name: Sign Windows binaries - name: Sign binaries
shell: powershell shell: powershell
run: | run: |
$env:Path = "$env:EXTRA_PATH;$env:Path" $env:Path = "$env:EXTRA_PATH;$env:Path"
$ver = "${{ steps.version.outputs.version }}" $ver = ("${{ github.ref_name }}" -replace '^v','')
Write-Host "=== Signing Wraith binaries ===" $token = [System.IO.File]::ReadAllText("$env:TEMP\aztoken.txt")
$binaries = @("src-tauri\target\release\Wraith.exe", "Wraith_${ver}_x64-setup.exe") $binaries = @("src-tauri\target\release\Wraith.exe", "Wraith_" + $ver + "_x64-setup.exe")
foreach ($path in $binaries) { foreach ($path in $binaries) {
if (Test-Path $path) { if (Test-Path $path) {
Write-Host "Signing: $path" Write-Host "Signing: $path"
java -jar jsign.jar ` java -jar jsign.jar --storetype AZUREKEYVAULT --keystore "${{ secrets.AZURE_KEY_VAULT_URL }}" --storepass $token --alias "${{ secrets.AZURE_CERT_NAME }}" --tsaurl http://timestamp.digicert.com --tsmode RFC3161 $path
--storetype AZUREKEYVAULT ` Write-Host "Signed."
--keystore "${{ secrets.AZURE_KEY_VAULT_URL }}" `
--storepass "${{ steps.azure-token.outputs.token }}" `
--alias "${{ secrets.AZURE_CERT_NAME }}" `
--tsaurl http://timestamp.digicert.com `
--tsmode RFC3161 `
$path
Write-Host "Signed: $path"
} }
} }
Remove-Item "$env:TEMP\aztoken.txt" -ErrorAction SilentlyContinue
- name: Create version.json - name: Upload to Gitea
shell: powershell shell: powershell
run: | run: |
$version = "${{ steps.version.outputs.version }}" $ver = ("${{ github.ref_name }}" -replace '^v','')
$installer = Get-Item "Wraith_${version}_x64-setup.exe" $installer = "Wraith_" + $ver + "_x64-setup.exe"
Write-Host "Installer: $($installer.FullName)"
$hash = (Get-FileHash $installer.FullName -Algorithm SHA256).Hash.ToLower()
$json = @{
version = $version
filename = $installer.Name
sha256 = $hash
platform = "windows"
architecture = "amd64"
released = (Get-Date -Format "yyyy-MM-ddTHH:mm:ssZ")
signed = $true
} | ConvertTo-Json
$json | Out-File -FilePath version.json -Encoding utf8
Write-Host "=== version.json ==="
Get-Content version.json
- name: Upload to Gitea packages
shell: powershell
run: |
$version = "${{ steps.version.outputs.version }}"
$giteaUrl = "https://git.command.vigilcyber.com" $giteaUrl = "https://git.command.vigilcyber.com"
$headers = @{ Authorization = "token ${{ secrets.GIT_TOKEN }}" } $headers = @{ Authorization = "token ${{ secrets.GIT_TOKEN }}" }
Write-Host "=== Uploading Wraith v$version ===" # Version JSON
$hash = (Get-FileHash $installer -Algorithm SHA256).Hash.ToLower()
@{ version = $ver; filename = $installer; sha256 = $hash; platform = "windows"; architecture = "amd64"; released = (Get-Date -Format "yyyy-MM-ddTHH:mm:ssZ"); signed = $true } | ConvertTo-Json | Out-File version.json -Encoding utf8
$installer = "Wraith_${version}_x64-setup.exe" Write-Host "Uploading $installer"
Write-Host "Uploading: $installer" Invoke-RestMethod -Uri "$giteaUrl/api/packages/vstockwell/generic/wraith/$ver/$installer" -Method PUT -Headers $headers -ContentType "application/octet-stream" -InFile $installer
Invoke-RestMethod -Uri "$giteaUrl/api/packages/vstockwell/generic/wraith/$version/$installer" `
-Method PUT -Headers $headers -ContentType "application/octet-stream" `
-InFile $installer
Write-Host "Uploading: version.json" Write-Host "Uploading version.json"
Invoke-RestMethod -Uri "$giteaUrl/api/packages/vstockwell/generic/wraith/$version/version.json" ` Invoke-RestMethod -Uri "$giteaUrl/api/packages/vstockwell/generic/wraith/$ver/version.json" -Method PUT -Headers $headers -ContentType "application/octet-stream" -InFile version.json
-Method PUT -Headers $headers -ContentType "application/octet-stream" `
-InFile version.json
Write-Host "=== Upload complete ===" Write-Host "=== Upload complete ==="
- name: Create Gitea Release - name: Create Release
shell: powershell shell: powershell
run: | run: |
$version = "${{ steps.version.outputs.version }}" $ver = ("${{ github.ref_name }}" -replace '^v','')
$headers = @{ $headers = @{ Authorization = "token ${{ secrets.GIT_TOKEN }}"; "Content-Type" = "application/json" }
Authorization = "token ${{ secrets.GIT_TOKEN }}" $body = @{ tag_name = "v$ver"; name = "Wraith v$ver"; body = "Wraith Desktop v$ver - Tauri v2 / Rust build." } | ConvertTo-Json
"Content-Type" = "application/json" Invoke-RestMethod -Uri "https://git.command.vigilcyber.com/api/v1/repos/vstockwell/wraith/releases" -Method POST -Headers $headers -Body $body
} Write-Host "Release v$ver created."
$body = @{
tag_name = "v$version"
name = "Wraith v$version"
body = "Wraith Desktop v$version - Tauri v2 / Rust build."
} | ConvertTo-Json
Invoke-RestMethod -Uri "https://git.command.vigilcyber.com/api/v1/repos/vstockwell/wraith/releases" `
-Method POST -Headers $headers -Body $body
Write-Host "Release created."