vstockwell/wraith
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 67 Wiki Activity

fix: CI workflow — native Windows build on STORMBREAKER
Some checks failed
Build & Sign Wraith / Build Windows + Sign (push) Failing after 0s
Details

Browse Source 
Replaced Linux/MinGW cross-compilation with native MSVC build
on Windows runner. PowerShell throughout. No more silent crash
binaries. runs-on: windows targets the STORMBREAKER runner.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Vantz Stockwell 2026-03-17 23:59:24 -04:00
parent 08ebf35c66
commit 3d50c7c894
1 changed files with 119 additions and 157 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

276
.gitea/workflows/build-release.yml
View File

@ -1,9 +1,8 @@
# ============================================================================= # =============================================================================
# Wraith — Build & Sign Release (Tauri v2) # Wraith — Build & Sign Release (Tauri v2)
# ============================================================================= # =============================================================================
# Cross-compiles the Tauri app for Windows amd64 from a Linux runner, # Native Windows build on STORMBREAKER runner, signs with Azure Key Vault
# signs with Azure Key Vault EV cert via jsign, creates NSIS installer, # EV cert via jsign, creates NSIS installer, uploads to Gitea packages.
# uploads to Gitea packages + releases.
# #
# Trigger: push a tag matching v* (e.g. v1.0.0) or run manually. # Trigger: push a tag matching v* (e.g. v1.0.0) or run manually.
# #
@ -29,230 +28,193 @@ on:
jobs: jobs:
build-and-sign: build-and-sign:
name: Build Windows + Sign name: Build Windows + Sign
runs-on: linux runs-on: windows
steps: steps:
# --------------------------------------------------------------- # ---------------------------------------------------------------
# Checkout (manual clone — matches existing runner pattern) # Checkout
# --------------------------------------------------------------- # ---------------------------------------------------------------
- name: Checkout code - name: Checkout code
run: git clone --depth 1 --branch ${{ github.ref_name }} https://${{ secrets.GIT_TOKEN }}@git.command.vigilcyber.com/vstockwell/wraith.git . shell: pwsh
run: |
git clone --depth 1 --branch ${{ github.ref_name }} https://${{ secrets.GIT_TOKEN }}@git.command.vigilcyber.com/vstockwell/wraith.git .
# --------------------------------------------------------------- # ---------------------------------------------------------------
# Extract version from tag # Extract version from tag
# --------------------------------------------------------------- # ---------------------------------------------------------------
- name: Get version from tag - name: Get version from tag
id: version id: version
shell: pwsh
run: | run: |
TAG=$(echo "${{ github.ref_name }}" | sed 's/^v//') $tag = "${{ github.ref_name }}" -replace '^v',''
echo "version=${TAG}" >> $GITHUB_OUTPUT echo "version=$tag" >> $env:GITHUB_OUTPUT
echo "Building version: ${TAG}" Write-Host "Building version: $tag"
# --------------------------------------------------------------- # ---------------------------------------------------------------
# Install toolchain # Verify toolchain
# --------------------------------------------------------------- # ---------------------------------------------------------------
- name: Install build dependencies - name: Verify toolchain
shell: pwsh
run: | run: |
apt-get update -qq Write-Host "=== Toolchain versions ==="
apt-get install -y -qq \
mingw-w64 mingw-w64-tools \
default-jre-headless \
python3 curl nsis \
libssl-dev pkg-config
# Node.js 22
NODE_MAJOR=$(node --version 2>/dev/null | sed 's/v\([0-9]*\).*/\1/' || echo "0")
if [ "$NODE_MAJOR" -lt 20 ]; then
echo "Node $NODE_MAJOR is too old, installing Node 22..."
curl -fsSL https://deb.nodesource.com/setup_22.x | bash -
apt-get install -y -qq nodejs
fi
# Rust + Windows target
if ! command -v rustup &> /dev/null; then
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
. "$HOME/.cargo/env"
fi
rustup target add x86_64-pc-windows-gnu
echo "=== Toolchain versions ==="
node --version node --version
rustc --version rustc --version
cargo --version cargo --version
x86_64-w64-mingw32-gcc --version | head -1 java --version
python --version
# ---------------------------------------------------------------
# Configure Rust cross-compilation for MinGW
# ---------------------------------------------------------------
- name: Configure MinGW cross-compilation
run: |
mkdir -p .cargo
cat > .cargo/config.toml << 'EOF'
[target.x86_64-pc-windows-gnu]
linker = "x86_64-w64-mingw32-gcc"
ar = "x86_64-w64-mingw32-ar"
rustflags = ["-C", "link-args=-mwindows"]
EOF
# --------------------------------------------------------------- # ---------------------------------------------------------------
# Build frontend # Build frontend
# --------------------------------------------------------------- # ---------------------------------------------------------------
- name: Install frontend dependencies
shell: pwsh
run: npm ci
- name: Build frontend - name: Build frontend
shell: pwsh
run: | run: |
npm ci
npm run build npm run build
echo "=== Frontend built ===" Write-Host "=== Frontend built ==="
ls -la dist/ Get-ChildItem dist\
# --------------------------------------------------------------- # ---------------------------------------------------------------
# Build Tauri app (cross-compile for Windows) # Build Tauri app (native MSVC)
# --------------------------------------------------------------- # ---------------------------------------------------------------
- name: Install Tauri CLI - name: Install Tauri CLI
run: | shell: pwsh
. "$HOME/.cargo/env" 2>/dev/null || true run: cargo install tauri-cli --version "^2"
cargo install tauri-cli --version "^2"
- name: Build Tauri app - name: Build Tauri app
shell: pwsh
env: env:
TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }} TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }} TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
run: | run: |
. "$HOME/.cargo/env" 2>/dev/null || true cargo tauri build
cargo tauri build --target x86_64-pc-windows-gnu Write-Host "=== Build output ==="
Get-ChildItem -Recurse src-tauri\target\release\bundle\nsis\*.exe
echo "=== Build output ==="
find src-tauri/target/x86_64-pc-windows-gnu/release/bundle -type f -name "*.exe" -o -name "*.msi" 2>/dev/null
ls -la src-tauri/target/x86_64-pc-windows-gnu/release/*.exe 2>/dev/null || true
# --------------------------------------------------------------- # ---------------------------------------------------------------
# Code signing — jsign + Azure Key Vault (EV cert) # Code signing — jsign + Azure Key Vault (EV cert)
# --------------------------------------------------------------- # ---------------------------------------------------------------
- name: Install jsign - name: Download jsign
shell: pwsh
run: | run: |
curl -sSL -o /usr/local/bin/jsign.jar \ Invoke-WebRequest -Uri "https://github.com/ebourg/jsign/releases/download/7.0/jsign-7.0.jar" -OutFile jsign.jar
"https://github.com/ebourg/jsign/releases/download/7.0/jsign-7.0.jar"
- name: Get Azure Key Vault access token - name: Get Azure Key Vault access token
id: azure-token id: azure-token
shell: pwsh
run: | run: |
TOKEN=$(curl -s -X POST \ $body = @{
"https://login.microsoftonline.com/${{ secrets.AZURE_TENANT_ID }}/oauth2/v2.0/token" \ client_id = "${{ secrets.AZURE_CLIENT_ID }}"
-d "client_id=${{ secrets.AZURE_CLIENT_ID }}" \ client_secret = "${{ secrets.AZURE_CLIENT_SECRET }}"
-d "client_secret=${{ secrets.AZURE_CLIENT_SECRET }}" \ scope = "https://vault.azure.net/.default"
-d "scope=https://vault.azure.net/.default" \ grant_type = "client_credentials"
-d "grant_type=client_credentials" \ }
| python3 -c "import sys,json; print(json.load(sys.stdin)['access_token'])") $resp = Invoke-RestMethod -Uri "https://login.microsoftonline.com/${{ secrets.AZURE_TENANT_ID }}/oauth2/v2.0/token" -Method POST -Body $body
echo "::add-mask::${TOKEN}" $token = $resp.access_token
echo "token=${TOKEN}" >> $GITHUB_OUTPUT echo "::add-mask::$token"
echo "token=$token" >> $env:GITHUB_OUTPUT
- name: Sign Windows binaries - name: Sign Windows binaries
shell: pwsh
run: | run: |
echo "=== Signing Wraith binaries with EV certificate ===" Write-Host "=== Signing Wraith binaries with EV certificate ==="
BUNDLE_DIR="src-tauri/target/x86_64-pc-windows-gnu/release/bundle" $installers = Get-ChildItem -Recurse src-tauri\target\release\bundle\nsis\*.exe
foreach ($binary in $installers) {
for binary in $(find "$BUNDLE_DIR" -name "*.exe" -type f) $(find src-tauri/target/x86_64-pc-windows-gnu/release -maxdepth 1 -name "*.exe" -type f); do Write-Host "Signing: $($binary.FullName)"
[ -f "$binary" ] || continue java -jar jsign.jar `
echo "Signing: $binary" --storetype AZUREKEYVAULT `
java -jar /usr/local/bin/jsign.jar \ --keystore "${{ secrets.AZURE_KEY_VAULT_URL }}" `
--storetype AZUREKEYVAULT \ --storepass "${{ steps.azure-token.outputs.token }}" `
--keystore "${{ secrets.AZURE_KEY_VAULT_URL }}" \ --alias "${{ secrets.AZURE_CERT_NAME }}" `
--storepass "${{ steps.azure-token.outputs.token }}" \ --tsaurl http://timestamp.digicert.com `
--alias "${{ secrets.AZURE_CERT_NAME }}" \ --tsmode RFC3161 `
--tsaurl http://timestamp.digicert.com \ $binary.FullName
--tsmode RFC3161 \ Write-Host "Signed: $($binary.Name)"
"$binary" }
echo "Signed: $binary"
done
# --------------------------------------------------------------- # ---------------------------------------------------------------
# Create version.json # Create version.json
# --------------------------------------------------------------- # ---------------------------------------------------------------
- name: Create version.json - name: Create version.json
shell: pwsh
run: | run: |
VERSION="${{ steps.version.outputs.version }}" $version = "${{ steps.version.outputs.version }}"
BUNDLE_DIR="src-tauri/target/x86_64-pc-windows-gnu/release/bundle" $installer = (Get-ChildItem -Recurse src-tauri\target\release\bundle\nsis\*.exe | Select-Object -First 1)
INSTALLER=$(find "$BUNDLE_DIR" -name "*.exe" -type f | head -1) $hash = (Get-FileHash $installer.FullName -Algorithm SHA256).Hash.ToLower()
$json = @{
if [ -z "$INSTALLER" ]; then version = $version
echo "WARNING: No installer found, checking for raw exe..." filename = $installer.Name
INSTALLER="src-tauri/target/x86_64-pc-windows-gnu/release/wraith.exe" sha256 = $hash
fi platform = "windows"
architecture = "amd64"
SHA=$(sha256sum "$INSTALLER" | awk '{print $1}') released = (Get-Date -Format "yyyy-MM-ddTHH:mm:ssZ")
signed = $true
cat > version.json << EOF } | ConvertTo-Json
{ $json | Out-File -FilePath version.json -Encoding utf8
"version": "${VERSION}", Write-Host "=== version.json ==="
"filename": "$(basename $INSTALLER)", Get-Content version.json
"sha256": "${SHA}",
"platform": "windows",
"architecture": "amd64",
"released": "$(date -u +"%Y-%m-%dT%H:%M:%SZ")",
"signed": true
}
EOF
echo "=== version.json ==="
cat version.json
# --------------------------------------------------------------- # ---------------------------------------------------------------
# Upload to Gitea Package Registry # Upload to Gitea Package Registry
# --------------------------------------------------------------- # ---------------------------------------------------------------
- name: Upload to Gitea packages - name: Upload to Gitea packages
shell: pwsh
run: | run: |
VERSION="${{ steps.version.outputs.version }}" $version = "${{ steps.version.outputs.version }}"
GITEA_URL="https://git.command.vigilcyber.com" $giteaUrl = "https://git.command.vigilcyber.com"
OWNER="vstockwell" $owner = "vstockwell"
PACKAGE="wraith" $package = "wraith"
BUNDLE_DIR="src-tauri/target/x86_64-pc-windows-gnu/release/bundle" $headers = @{ Authorization = "token ${{ secrets.GIT_TOKEN }}" }
echo "=== Uploading Wraith v${VERSION} to Gitea packages ===" Write-Host "=== Uploading Wraith v$version to Gitea packages ==="
# Upload installer(s) # Upload installer(s)
for exe in $(find "$BUNDLE_DIR" -name "*.exe" -type f); do $installers = Get-ChildItem -Recurse src-tauri\target\release\bundle\nsis\*.exe
FILENAME=$(basename "$exe") foreach ($file in $installers) {
echo "Uploading: ${FILENAME}" Write-Host "Uploading: $($file.Name)"
curl -s -X PUT \ Invoke-RestMethod -Uri "$giteaUrl/api/packages/$owner/generic/$package/$version/$($file.Name)" `
-H "Authorization: token ${{ secrets.GIT_TOKEN }}" \ -Method PUT -Headers $headers -ContentType "application/octet-stream" `
-H "Content-Type: application/octet-stream" \ -InFile $file.FullName
--data-binary @"$exe" \ }
"${GITEA_URL}/api/packages/${OWNER}/generic/${PACKAGE}/${VERSION}/${FILENAME}"
echo " Done."
done
# Upload version.json # Upload version.json
echo "Uploading: version.json" Write-Host "Uploading: version.json"
curl -s -X PUT \ Invoke-RestMethod -Uri "$giteaUrl/api/packages/$owner/generic/$package/$version/version.json" `
-H "Authorization: token ${{ secrets.GIT_TOKEN }}" \ -Method PUT -Headers $headers -ContentType "application/octet-stream" `
-H "Content-Type: application/octet-stream" \ -InFile version.json
--data-binary @"version.json" \
"${GITEA_URL}/api/packages/${OWNER}/generic/${PACKAGE}/${VERSION}/version.json"
# Upload Tauri updater signature if it exists # Upload updater signature if exists
for sig in $(find "$BUNDLE_DIR" -name "*.sig" -type f 2>/dev/null); do $sigs = Get-ChildItem -Recurse src-tauri\target\release\bundle\nsis\*.sig -ErrorAction SilentlyContinue
echo "Uploading: $(basename $sig)" foreach ($sig in $sigs) {
curl -s -X PUT \ Write-Host "Uploading: $($sig.Name)"
-H "Authorization: token ${{ secrets.GIT_TOKEN }}" \ Invoke-RestMethod -Uri "$giteaUrl/api/packages/$owner/generic/$package/$version/$($sig.Name)" `
-H "Content-Type: application/octet-stream" \ -Method PUT -Headers $headers -ContentType "application/octet-stream" `
--data-binary @"$sig" \ -InFile $sig.FullName
"${GITEA_URL}/api/packages/${OWNER}/generic/${PACKAGE}/${VERSION}/$(basename $sig)" }
done
echo "" Write-Host ""
echo "=== Upload complete ===" Write-Host "=== Upload complete ==="
# --------------------------------------------------------------- # ---------------------------------------------------------------
# Create Gitea Release # Create Gitea Release
# --------------------------------------------------------------- # ---------------------------------------------------------------
- name: Create Gitea Release - name: Create Gitea Release
shell: pwsh
run: | run: |
VERSION="${{ steps.version.outputs.version }}" $version = "${{ steps.version.outputs.version }}"
GITEA_URL="https://git.command.vigilcyber.com" $giteaUrl = "https://git.command.vigilcyber.com"
$headers = @{
Authorization = "token ${{ secrets.GIT_TOKEN }}"
"Content-Type" = "application/json"
}
$body = @{
tag_name = "v$version"
name = "Wraith v$version"
body = "Wraith Desktop v$version — Tauri v2 / Rust build."
} | ConvertTo-Json
echo "=== Creating Gitea Release for v${VERSION} ===" Invoke-RestMethod -Uri "$giteaUrl/api/v1/repos/vstockwell/wraith/releases" `
curl -s -X POST \ -Method POST -Headers $headers -Body $body
-H "Authorization: token ${{ secrets.GIT_TOKEN }}" \ Write-Host "Release created."
-H "Content-Type: application/json" \
-d "{\"tag_name\": \"v${VERSION}\", \"name\": \"Wraith v${VERSION}\", \"body\": \"Wraith Desktop v${VERSION} — Tauri v2 / Rust build.\"}" \
"${GITEA_URL}/api/v1/repos/vstockwell/wraith/releases"
echo ""
echo "Release created."