fix: CI — inline EXTRA_PATH in every step, no GITHUB_PATH
Some checks failed
Build & Sign Wraith / Build Windows + Sign (push) Failing after 4m59s
act_runner v0.2.11 doesn't support GITHUB_PATH reliably. Set env.EXTRA_PATH at job level, prepend in each step. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
parent
8cf13d657b
commit
96cbd74f84
@ -5,16 +5,6 @@
|
||||
# EV cert via jsign, creates NSIS installer, uploads to Gitea packages.
|
||||
#
|
||||
# Trigger: push a tag matching v* (e.g. v1.0.0) or run manually.
|
||||
#
|
||||
# Required secrets:
|
||||
# AZURE_TENANT_ID — Azure AD tenant
|
||||
# AZURE_CLIENT_ID — Service principal client ID
|
||||
# AZURE_CLIENT_SECRET — Service principal secret
|
||||
# AZURE_KEY_VAULT_URL — e.g. https://my-vault.vault.azure.net
|
||||
# AZURE_CERT_NAME — Certificate/key name in the vault
|
||||
# GIT_TOKEN — PAT for cloning private repo + uploading packages
|
||||
# TAURI_SIGNING_PRIVATE_KEY — Tauri updater signing key (base64)
|
||||
# TAURI_SIGNING_PRIVATE_KEY_PASSWORD — Password for the signing key
|
||||
# =============================================================================
|
||||
|
||||
name: Build & Sign Wraith
|
||||
@ -25,22 +15,20 @@ on:
|
||||
- 'v*'
|
||||
workflow_dispatch:
|
||||
|
||||
env:
|
||||
# Extra paths needed when running as SYSTEM
|
||||
EXTRA_PATH: C:\Program Files\Eclipse Adoptium\jre-21.0.10.7-hotspot\bin;C:\Users\vantz\.cargo\bin;C:\Users\vantz\.rustup\toolchains\stable-x86_64-pc-windows-msvc\bin;C:\Program Files\nodejs
|
||||
|
||||
jobs:
|
||||
build-and-sign:
|
||||
name: Build Windows + Sign
|
||||
runs-on: windows
|
||||
steps:
|
||||
# ---------------------------------------------------------------
|
||||
# Checkout
|
||||
# ---------------------------------------------------------------
|
||||
- name: Checkout code
|
||||
shell: powershell
|
||||
run: |
|
||||
git clone --depth 1 --branch ${{ github.ref_name }} https://${{ secrets.GIT_TOKEN }}@git.command.vigilcyber.com/vstockwell/wraith.git .
|
||||
|
||||
# ---------------------------------------------------------------
|
||||
# Extract version from tag
|
||||
# ---------------------------------------------------------------
|
||||
- name: Get version from tag
|
||||
id: version
|
||||
shell: powershell
|
||||
@ -49,60 +37,41 @@ jobs:
|
||||
echo "version=$tag" >> $env:GITHUB_OUTPUT
|
||||
Write-Host "Building version: $tag"
|
||||
|
||||
# ---------------------------------------------------------------
|
||||
# Configure toolchain for SYSTEM account
|
||||
# ---------------------------------------------------------------
|
||||
- name: Configure toolchain
|
||||
- name: Configure Rust
|
||||
shell: powershell
|
||||
run: |
|
||||
$env:Path = "$env:EXTRA_PATH;$env:Path"
|
||||
$ErrorActionPreference = "Continue"
|
||||
# Ensure rustup has a default toolchain
|
||||
rustup default stable 2>$null
|
||||
rustup default stable
|
||||
$ErrorActionPreference = "Stop"
|
||||
|
||||
# Add tool paths that SYSTEM doesn't have
|
||||
# Java
|
||||
$javaHome = (Get-ChildItem "C:\Program Files\Eclipse Adoptium" -Directory | Select-Object -First 1).FullName
|
||||
if ($javaHome) { echo "$javaHome\bin" >> $env:GITHUB_PATH }
|
||||
|
||||
# Cargo
|
||||
$cargobin = "$env:USERPROFILE\.cargo\bin"
|
||||
if (Test-Path $cargobin) { echo "$cargobin" >> $env:GITHUB_PATH }
|
||||
|
||||
# Rustup
|
||||
$rustupbin = "$env:USERPROFILE\.rustup\toolchains\stable-x86_64-pc-windows-msvc\bin"
|
||||
if (Test-Path $rustupbin) { echo "$rustupbin" >> $env:GITHUB_PATH }
|
||||
|
||||
- name: Verify toolchain
|
||||
shell: powershell
|
||||
run: |
|
||||
$env:Path = "$env:EXTRA_PATH;$env:Path"
|
||||
Write-Host "=== Toolchain versions ==="
|
||||
node --version
|
||||
rustc --version
|
||||
cargo --version
|
||||
java --version
|
||||
python --version
|
||||
|
||||
# ---------------------------------------------------------------
|
||||
# Build frontend
|
||||
# ---------------------------------------------------------------
|
||||
- name: Install frontend dependencies
|
||||
shell: powershell
|
||||
run: npm ci
|
||||
run: |
|
||||
$env:Path = "$env:EXTRA_PATH;$env:Path"
|
||||
npm ci
|
||||
|
||||
- name: Build frontend
|
||||
shell: powershell
|
||||
run: |
|
||||
$env:Path = "$env:EXTRA_PATH;$env:Path"
|
||||
npm run build
|
||||
Write-Host "=== Frontend built ==="
|
||||
Get-ChildItem dist\
|
||||
|
||||
# ---------------------------------------------------------------
|
||||
# Build Tauri app (native MSVC)
|
||||
# ---------------------------------------------------------------
|
||||
- name: Install Tauri CLI
|
||||
shell: powershell
|
||||
run: cargo install tauri-cli --version "^2"
|
||||
run: |
|
||||
$env:Path = "$env:EXTRA_PATH;$env:Path"
|
||||
cargo install tauri-cli --version "^2"
|
||||
|
||||
- name: Build Tauri app
|
||||
shell: powershell
|
||||
@ -110,13 +79,11 @@ jobs:
|
||||
TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
|
||||
TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
|
||||
run: |
|
||||
$env:Path = "$env:EXTRA_PATH;$env:Path"
|
||||
cargo tauri build
|
||||
Write-Host "=== Build output ==="
|
||||
Get-ChildItem -Recurse src-tauri\target\release\bundle\nsis\*.exe
|
||||
|
||||
# ---------------------------------------------------------------
|
||||
# Code signing — jsign + Azure Key Vault (EV cert)
|
||||
# ---------------------------------------------------------------
|
||||
- name: Download jsign
|
||||
shell: powershell
|
||||
run: |
|
||||
@ -140,7 +107,8 @@ jobs:
|
||||
- name: Sign Windows binaries
|
||||
shell: powershell
|
||||
run: |
|
||||
Write-Host "=== Signing Wraith binaries with EV certificate ==="
|
||||
$env:Path = "$env:EXTRA_PATH;$env:Path"
|
||||
Write-Host "=== Signing Wraith binaries ==="
|
||||
$installers = Get-ChildItem -Recurse src-tauri\target\release\bundle\nsis\*.exe
|
||||
foreach ($binary in $installers) {
|
||||
Write-Host "Signing: $($binary.FullName)"
|
||||
@ -155,9 +123,6 @@ jobs:
|
||||
Write-Host "Signed: $($binary.Name)"
|
||||
}
|
||||
|
||||
# ---------------------------------------------------------------
|
||||
# Create version.json
|
||||
# ---------------------------------------------------------------
|
||||
- name: Create version.json
|
||||
shell: powershell
|
||||
run: |
|
||||
@ -177,55 +142,42 @@ jobs:
|
||||
Write-Host "=== version.json ==="
|
||||
Get-Content version.json
|
||||
|
||||
# ---------------------------------------------------------------
|
||||
# Upload to Gitea Package Registry
|
||||
# ---------------------------------------------------------------
|
||||
- name: Upload to Gitea packages
|
||||
shell: powershell
|
||||
run: |
|
||||
$version = "${{ steps.version.outputs.version }}"
|
||||
$giteaUrl = "https://git.command.vigilcyber.com"
|
||||
$owner = "vstockwell"
|
||||
$package = "wraith"
|
||||
$headers = @{ Authorization = "token ${{ secrets.GIT_TOKEN }}" }
|
||||
|
||||
Write-Host "=== Uploading Wraith v$version to Gitea packages ==="
|
||||
Write-Host "=== Uploading Wraith v$version ==="
|
||||
|
||||
# Upload installer(s)
|
||||
$installers = Get-ChildItem -Recurse src-tauri\target\release\bundle\nsis\*.exe
|
||||
foreach ($file in $installers) {
|
||||
Write-Host "Uploading: $($file.Name)"
|
||||
Invoke-RestMethod -Uri "$giteaUrl/api/packages/$owner/generic/$package/$version/$($file.Name)" `
|
||||
Invoke-RestMethod -Uri "$giteaUrl/api/packages/vstockwell/generic/wraith/$version/$($file.Name)" `
|
||||
-Method PUT -Headers $headers -ContentType "application/octet-stream" `
|
||||
-InFile $file.FullName
|
||||
}
|
||||
|
||||
# Upload version.json
|
||||
Write-Host "Uploading: version.json"
|
||||
Invoke-RestMethod -Uri "$giteaUrl/api/packages/$owner/generic/$package/$version/version.json" `
|
||||
Invoke-RestMethod -Uri "$giteaUrl/api/packages/vstockwell/generic/wraith/$version/version.json" `
|
||||
-Method PUT -Headers $headers -ContentType "application/octet-stream" `
|
||||
-InFile version.json
|
||||
|
||||
# Upload updater signature if exists
|
||||
$sigs = Get-ChildItem -Recurse src-tauri\target\release\bundle\nsis\*.sig -ErrorAction SilentlyContinue
|
||||
foreach ($sig in $sigs) {
|
||||
Write-Host "Uploading: $($sig.Name)"
|
||||
Invoke-RestMethod -Uri "$giteaUrl/api/packages/$owner/generic/$package/$version/$($sig.Name)" `
|
||||
Invoke-RestMethod -Uri "$giteaUrl/api/packages/vstockwell/generic/wraith/$version/$($sig.Name)" `
|
||||
-Method PUT -Headers $headers -ContentType "application/octet-stream" `
|
||||
-InFile $sig.FullName
|
||||
}
|
||||
|
||||
Write-Host ""
|
||||
Write-Host "=== Upload complete ==="
|
||||
|
||||
# ---------------------------------------------------------------
|
||||
# Create Gitea Release
|
||||
# ---------------------------------------------------------------
|
||||
- name: Create Gitea Release
|
||||
shell: powershell
|
||||
run: |
|
||||
$version = "${{ steps.version.outputs.version }}"
|
||||
$giteaUrl = "https://git.command.vigilcyber.com"
|
||||
$headers = @{
|
||||
Authorization = "token ${{ secrets.GIT_TOKEN }}"
|
||||
"Content-Type" = "application/json"
|
||||
@ -233,9 +185,9 @@ jobs:
|
||||
$body = @{
|
||||
tag_name = "v$version"
|
||||
name = "Wraith v$version"
|
||||
body = "Wraith Desktop v$version — Tauri v2 / Rust build."
|
||||
body = "Wraith Desktop v$version - Tauri v2 / Rust build."
|
||||
} | ConvertTo-Json
|
||||
|
||||
Invoke-RestMethod -Uri "$giteaUrl/api/v1/repos/vstockwell/wraith/releases" `
|
||||
Invoke-RestMethod -Uri "https://git.command.vigilcyber.com/api/v1/repos/vstockwell/wraith/releases" `
|
||||
-Method POST -Headers $headers -Body $body
|
||||
Write-Host "Release created."
|
||||
|
||||
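Review bot: The line `$env:Path = "$env:EXTRA_PATH;$env:Path"` added to every step puts the hard-coded `C:\Users\vantz\.cargo\bin` and `.rustup` toolchain directories ahead of the system directories, including in `Build Tauri app` (which has `TAURI_SIGNING_PRIVATE_KEY` in its environment) and in `Sign Windows binaries`. The `env` comment says the job runs as SYSTEM, so if those profile directories are writable by the `vantz` account (not visible from this page), a same-named executable placed there would be resolved before the system copy and run with the signing material in reach. Appending instead, `$env:Path = "$env:Path;$env:EXTRA_PATH"`, keeps system binaries first, and the signing step could add only the JRE entry, since the visible part of that step shows no use of cargo or node. Separately, the literal `jre-21.0.10.7-hotspot` segment replaces the removed `Get-ChildItem "C:\Program Files\Eclipse Adoptium"` lookup and its `Test-Path` guards, so a JRE update silently leaves a dead PATH entry. A `Test-Path` check per entry in `Configure Rust` would fail the job early with a clear message.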