diff --git a/.gitea/workflows/build-release.yml b/.gitea/workflows/build-release.yml index 4b75939..2864281 100644 --- a/.gitea/workflows/build-release.yml +++ b/.gitea/workflows/build-release.yml @@ -1,9 +1,8 @@ # ============================================================================= # Wraith — Build & Sign Release (Tauri v2) # ============================================================================= -# Cross-compiles the Tauri app for Windows amd64 from a Linux runner, -# signs with Azure Key Vault EV cert via jsign, creates NSIS installer, -# uploads to Gitea packages + releases. +# Native Windows build on STORMBREAKER runner, signs with Azure Key Vault +# EV cert via jsign, creates NSIS installer, uploads to Gitea packages. # # Trigger: push a tag matching v* (e.g. v1.0.0) or run manually. # @@ -29,230 +28,193 @@ on: jobs: build-and-sign: name: Build Windows + Sign - runs-on: linux + runs-on: windows steps: # --------------------------------------------------------------- - # Checkout (manual clone — matches existing runner pattern) + # Checkout # --------------------------------------------------------------- - name: Checkout code - run: git clone --depth 1 --branch ${{ github.ref_name }} https://${{ secrets.GIT_TOKEN }}@git.command.vigilcyber.com/vstockwell/wraith.git . + shell: pwsh + run: | + git clone --depth 1 --branch ${{ github.ref_name }} https://${{ secrets.GIT_TOKEN }}@git.command.vigilcyber.com/vstockwell/wraith.git . # --------------------------------------------------------------- # Extract version from tag # --------------------------------------------------------------- - name: Get version from tag id: version + shell: pwsh run: | - TAG=$(echo "${{ github.ref_name }}" | sed 's/^v//') - echo "version=${TAG}" >> $GITHUB_OUTPUT - echo "Building version: ${TAG}" + $tag = "${{ github.ref_name }}" -replace '^v','' + echo "version=$tag" >> $env:GITHUB_OUTPUT + Write-Host "Building version: $tag" # --------------------------------------------------------------- - # Install toolchain + # Verify toolchain # --------------------------------------------------------------- - - name: Install build dependencies + - name: Verify toolchain + shell: pwsh run: | - apt-get update -qq - apt-get install -y -qq \ - mingw-w64 mingw-w64-tools \ - default-jre-headless \ - python3 curl nsis \ - libssl-dev pkg-config - - # Node.js 22 - NODE_MAJOR=$(node --version 2>/dev/null | sed 's/v\([0-9]*\).*/\1/' || echo "0") - if [ "$NODE_MAJOR" -lt 20 ]; then - echo "Node $NODE_MAJOR is too old, installing Node 22..." - curl -fsSL https://deb.nodesource.com/setup_22.x | bash - - apt-get install -y -qq nodejs - fi - - # Rust + Windows target - if ! command -v rustup &> /dev/null; then - curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y - . "$HOME/.cargo/env" - fi - rustup target add x86_64-pc-windows-gnu - - echo "=== Toolchain versions ===" + Write-Host "=== Toolchain versions ===" node --version rustc --version cargo --version - x86_64-w64-mingw32-gcc --version | head -1 - - # --------------------------------------------------------------- - # Configure Rust cross-compilation for MinGW - # --------------------------------------------------------------- - - name: Configure MinGW cross-compilation - run: | - mkdir -p .cargo - cat > .cargo/config.toml << 'EOF' - [target.x86_64-pc-windows-gnu] - linker = "x86_64-w64-mingw32-gcc" - ar = "x86_64-w64-mingw32-ar" - rustflags = ["-C", "link-args=-mwindows"] - EOF + java --version + python --version # --------------------------------------------------------------- # Build frontend # --------------------------------------------------------------- + - name: Install frontend dependencies + shell: pwsh + run: npm ci + - name: Build frontend + shell: pwsh run: | - npm ci npm run build - echo "=== Frontend built ===" - ls -la dist/ + Write-Host "=== Frontend built ===" + Get-ChildItem dist\ # --------------------------------------------------------------- - # Build Tauri app (cross-compile for Windows) + # Build Tauri app (native MSVC) # --------------------------------------------------------------- - name: Install Tauri CLI - run: | - . "$HOME/.cargo/env" 2>/dev/null || true - cargo install tauri-cli --version "^2" + shell: pwsh + run: cargo install tauri-cli --version "^2" - name: Build Tauri app + shell: pwsh env: TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }} TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }} run: | - . "$HOME/.cargo/env" 2>/dev/null || true - cargo tauri build --target x86_64-pc-windows-gnu - - echo "=== Build output ===" - find src-tauri/target/x86_64-pc-windows-gnu/release/bundle -type f -name "*.exe" -o -name "*.msi" 2>/dev/null - ls -la src-tauri/target/x86_64-pc-windows-gnu/release/*.exe 2>/dev/null || true + cargo tauri build + Write-Host "=== Build output ===" + Get-ChildItem -Recurse src-tauri\target\release\bundle\nsis\*.exe # --------------------------------------------------------------- # Code signing — jsign + Azure Key Vault (EV cert) # --------------------------------------------------------------- - - name: Install jsign + - name: Download jsign + shell: pwsh run: | - curl -sSL -o /usr/local/bin/jsign.jar \ - "https://github.com/ebourg/jsign/releases/download/7.0/jsign-7.0.jar" + Invoke-WebRequest -Uri "https://github.com/ebourg/jsign/releases/download/7.0/jsign-7.0.jar" -OutFile jsign.jar - name: Get Azure Key Vault access token id: azure-token + shell: pwsh run: | - TOKEN=$(curl -s -X POST \ - "https://login.microsoftonline.com/${{ secrets.AZURE_TENANT_ID }}/oauth2/v2.0/token" \ - -d "client_id=${{ secrets.AZURE_CLIENT_ID }}" \ - -d "client_secret=${{ secrets.AZURE_CLIENT_SECRET }}" \ - -d "scope=https://vault.azure.net/.default" \ - -d "grant_type=client_credentials" \ - | python3 -c "import sys,json; print(json.load(sys.stdin)['access_token'])") - echo "::add-mask::${TOKEN}" - echo "token=${TOKEN}" >> $GITHUB_OUTPUT + $body = @{ + client_id = "${{ secrets.AZURE_CLIENT_ID }}" + client_secret = "${{ secrets.AZURE_CLIENT_SECRET }}" + scope = "https://vault.azure.net/.default" + grant_type = "client_credentials" + } + $resp = Invoke-RestMethod -Uri "https://login.microsoftonline.com/${{ secrets.AZURE_TENANT_ID }}/oauth2/v2.0/token" -Method POST -Body $body + $token = $resp.access_token + echo "::add-mask::$token" + echo "token=$token" >> $env:GITHUB_OUTPUT - name: Sign Windows binaries + shell: pwsh run: | - echo "=== Signing Wraith binaries with EV certificate ===" - BUNDLE_DIR="src-tauri/target/x86_64-pc-windows-gnu/release/bundle" - - for binary in $(find "$BUNDLE_DIR" -name "*.exe" -type f) $(find src-tauri/target/x86_64-pc-windows-gnu/release -maxdepth 1 -name "*.exe" -type f); do - [ -f "$binary" ] || continue - echo "Signing: $binary" - java -jar /usr/local/bin/jsign.jar \ - --storetype AZUREKEYVAULT \ - --keystore "${{ secrets.AZURE_KEY_VAULT_URL }}" \ - --storepass "${{ steps.azure-token.outputs.token }}" \ - --alias "${{ secrets.AZURE_CERT_NAME }}" \ - --tsaurl http://timestamp.digicert.com \ - --tsmode RFC3161 \ - "$binary" - echo "Signed: $binary" - done + Write-Host "=== Signing Wraith binaries with EV certificate ===" + $installers = Get-ChildItem -Recurse src-tauri\target\release\bundle\nsis\*.exe + foreach ($binary in $installers) { + Write-Host "Signing: $($binary.FullName)" + java -jar jsign.jar ` + --storetype AZUREKEYVAULT ` + --keystore "${{ secrets.AZURE_KEY_VAULT_URL }}" ` + --storepass "${{ steps.azure-token.outputs.token }}" ` + --alias "${{ secrets.AZURE_CERT_NAME }}" ` + --tsaurl http://timestamp.digicert.com ` + --tsmode RFC3161 ` + $binary.FullName + Write-Host "Signed: $($binary.Name)" + } # --------------------------------------------------------------- # Create version.json # --------------------------------------------------------------- - name: Create version.json + shell: pwsh run: | - VERSION="${{ steps.version.outputs.version }}" - BUNDLE_DIR="src-tauri/target/x86_64-pc-windows-gnu/release/bundle" - INSTALLER=$(find "$BUNDLE_DIR" -name "*.exe" -type f | head -1) - - if [ -z "$INSTALLER" ]; then - echo "WARNING: No installer found, checking for raw exe..." - INSTALLER="src-tauri/target/x86_64-pc-windows-gnu/release/wraith.exe" - fi - - SHA=$(sha256sum "$INSTALLER" | awk '{print $1}') - - cat > version.json << EOF - { - "version": "${VERSION}", - "filename": "$(basename $INSTALLER)", - "sha256": "${SHA}", - "platform": "windows", - "architecture": "amd64", - "released": "$(date -u +"%Y-%m-%dT%H:%M:%SZ")", - "signed": true - } - EOF - - echo "=== version.json ===" - cat version.json + $version = "${{ steps.version.outputs.version }}" + $installer = (Get-ChildItem -Recurse src-tauri\target\release\bundle\nsis\*.exe | Select-Object -First 1) + $hash = (Get-FileHash $installer.FullName -Algorithm SHA256).Hash.ToLower() + $json = @{ + version = $version + filename = $installer.Name + sha256 = $hash + platform = "windows" + architecture = "amd64" + released = (Get-Date -Format "yyyy-MM-ddTHH:mm:ssZ") + signed = $true + } | ConvertTo-Json + $json | Out-File -FilePath version.json -Encoding utf8 + Write-Host "=== version.json ===" + Get-Content version.json # --------------------------------------------------------------- # Upload to Gitea Package Registry # --------------------------------------------------------------- - name: Upload to Gitea packages + shell: pwsh run: | - VERSION="${{ steps.version.outputs.version }}" - GITEA_URL="https://git.command.vigilcyber.com" - OWNER="vstockwell" - PACKAGE="wraith" - BUNDLE_DIR="src-tauri/target/x86_64-pc-windows-gnu/release/bundle" + $version = "${{ steps.version.outputs.version }}" + $giteaUrl = "https://git.command.vigilcyber.com" + $owner = "vstockwell" + $package = "wraith" + $headers = @{ Authorization = "token ${{ secrets.GIT_TOKEN }}" } - echo "=== Uploading Wraith v${VERSION} to Gitea packages ===" + Write-Host "=== Uploading Wraith v$version to Gitea packages ===" # Upload installer(s) - for exe in $(find "$BUNDLE_DIR" -name "*.exe" -type f); do - FILENAME=$(basename "$exe") - echo "Uploading: ${FILENAME}" - curl -s -X PUT \ - -H "Authorization: token ${{ secrets.GIT_TOKEN }}" \ - -H "Content-Type: application/octet-stream" \ - --data-binary @"$exe" \ - "${GITEA_URL}/api/packages/${OWNER}/generic/${PACKAGE}/${VERSION}/${FILENAME}" - echo " Done." - done + $installers = Get-ChildItem -Recurse src-tauri\target\release\bundle\nsis\*.exe + foreach ($file in $installers) { + Write-Host "Uploading: $($file.Name)" + Invoke-RestMethod -Uri "$giteaUrl/api/packages/$owner/generic/$package/$version/$($file.Name)" ` + -Method PUT -Headers $headers -ContentType "application/octet-stream" ` + -InFile $file.FullName + } # Upload version.json - echo "Uploading: version.json" - curl -s -X PUT \ - -H "Authorization: token ${{ secrets.GIT_TOKEN }}" \ - -H "Content-Type: application/octet-stream" \ - --data-binary @"version.json" \ - "${GITEA_URL}/api/packages/${OWNER}/generic/${PACKAGE}/${VERSION}/version.json" + Write-Host "Uploading: version.json" + Invoke-RestMethod -Uri "$giteaUrl/api/packages/$owner/generic/$package/$version/version.json" ` + -Method PUT -Headers $headers -ContentType "application/octet-stream" ` + -InFile version.json - # Upload Tauri updater signature if it exists - for sig in $(find "$BUNDLE_DIR" -name "*.sig" -type f 2>/dev/null); do - echo "Uploading: $(basename $sig)" - curl -s -X PUT \ - -H "Authorization: token ${{ secrets.GIT_TOKEN }}" \ - -H "Content-Type: application/octet-stream" \ - --data-binary @"$sig" \ - "${GITEA_URL}/api/packages/${OWNER}/generic/${PACKAGE}/${VERSION}/$(basename $sig)" - done + # Upload updater signature if exists + $sigs = Get-ChildItem -Recurse src-tauri\target\release\bundle\nsis\*.sig -ErrorAction SilentlyContinue + foreach ($sig in $sigs) { + Write-Host "Uploading: $($sig.Name)" + Invoke-RestMethod -Uri "$giteaUrl/api/packages/$owner/generic/$package/$version/$($sig.Name)" ` + -Method PUT -Headers $headers -ContentType "application/octet-stream" ` + -InFile $sig.FullName + } - echo "" - echo "=== Upload complete ===" + Write-Host "" + Write-Host "=== Upload complete ===" # --------------------------------------------------------------- # Create Gitea Release # --------------------------------------------------------------- - name: Create Gitea Release + shell: pwsh run: | - VERSION="${{ steps.version.outputs.version }}" - GITEA_URL="https://git.command.vigilcyber.com" + $version = "${{ steps.version.outputs.version }}" + $giteaUrl = "https://git.command.vigilcyber.com" + $headers = @{ + Authorization = "token ${{ secrets.GIT_TOKEN }}" + "Content-Type" = "application/json" + } + $body = @{ + tag_name = "v$version" + name = "Wraith v$version" + body = "Wraith Desktop v$version — Tauri v2 / Rust build." + } | ConvertTo-Json - echo "=== Creating Gitea Release for v${VERSION} ===" - curl -s -X POST \ - -H "Authorization: token ${{ secrets.GIT_TOKEN }}" \ - -H "Content-Type: application/json" \ - -d "{\"tag_name\": \"v${VERSION}\", \"name\": \"Wraith v${VERSION}\", \"body\": \"Wraith Desktop v${VERSION} — Tauri v2 / Rust build.\"}" \ - "${GITEA_URL}/api/v1/repos/vstockwell/wraith/releases" - echo "" - echo "Release created." + Invoke-RestMethod -Uri "$giteaUrl/api/v1/repos/vstockwell/wraith/releases" ` + -Method POST -Headers $headers -Body $body + Write-Host "Release created."