diff --git a/.gitea/workflows/build-release.yml b/.gitea/workflows/build-release.yml
index 4009f9f..30d296b 100644
--- a/.gitea/workflows/build-release.yml
+++ b/.gitea/workflows/build-release.yml
@@ -5,16 +5,6 @@
 # EV cert via jsign, creates NSIS installer, uploads to Gitea packages.
 #
 # Trigger: push a tag matching v* (e.g. v1.0.0) or run manually.
-#
-# Required secrets:
-# AZURE_TENANT_ID — Azure AD tenant
-# AZURE_CLIENT_ID — Service principal client ID
-# AZURE_CLIENT_SECRET — Service principal secret
-# AZURE_KEY_VAULT_URL — e.g. https://my-vault.vault.azure.net
-# AZURE_CERT_NAME — Certificate/key name in the vault
-# GIT_TOKEN — PAT for cloning private repo + uploading packages
-# TAURI_SIGNING_PRIVATE_KEY — Tauri updater signing key (base64)
-# TAURI_SIGNING_PRIVATE_KEY_PASSWORD — Password for the signing key
 # =============================================================================
 name: Build & Sign Wraith
@@ -25,22 +15,20 @@ on:
 - 'v*'
 workflow_dispatch:
+env:
+ # Extra paths needed when running as SYSTEM
+ EXTRA_PATH: C:\Program Files\Eclipse Adoptium\jre-21.0.10.7-hotspot\bin;C:\Users\vantz\.cargo\bin;C:\Users\vantz\.rustup\toolchains\stable-x86_64-pc-windows-msvc\bin;C:\Program Files\nodejs
+
 jobs:
 build-and-sign:
 name: Build Windows + Sign
 runs-on: windows
 steps:
- # ---------------------------------------------------------------
- # Checkout
- # ---------------------------------------------------------------
 - name: Checkout code
 shell: powershell
 run: |
 git clone --depth 1 --branch ${{ github.ref_name }} https://${{ secrets.GIT_TOKEN }}@git.command.vigilcyber.com/vstockwell/wraith.git .
- # ---------------------------------------------------------------
- # Extract version from tag
- # ---------------------------------------------------------------
 - name: Get version from tag
 id: version
 shell: powershell
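Review bot: `EXTRA_PATH` prepends `C:\Users\vantz\.cargo\bin` and `C:\Users\vantz\.rustup\...` to the PATH of a job whose own comment says it runs as SYSTEM, so every later step (including the signing step) executes cargo/rustc binaries out of one user's profile — a location that user, and anything running as that user, can normally write to — with SYSTEM privileges, whereas the replaced Configure step at least resolved the location from `$env:USERPROFILE`. Consider installing the toolchain in a machine-wide, admin-only-writable directory (or a dedicated service account's profile with restricted ACLs) and pointing `EXTRA_PATH` there, and extend the comment to say that the JRE entry pins `jre-21.0.10.7-hotspot` and must be updated by hand on a JRE upgrade — the removed code discovered the Adoptium directory dynamically. Quoting the value (`EXTRA_PATH: 'C:\Program Files\...;C:\Program Files\nodejs'`) keeps the backslash-and-semicolon string an explicit string. The header comment no longer lists the secrets the workflow reads, yet `GIT_TOKEN`, `TAURI_SIGNING_PRIVATE_KEY` and `TAURI_SIGNING_PRIVATE_KEY_PASSWORD` are still referenced in this diff; either restore the list or leave a one-line pointer such as `# Required secrets: GIT_TOKEN, TAURI_SIGNING_PRIVATE_KEY, TAURI_SIGNING_PRIVATE_KEY_PASSWORD (+ Azure Key Vault secrets used by jsign)` so the file stays self-describing.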
@@ -49,60 +37,41 @@ jobs:
 echo "version=$tag" >> $env:GITHUB_OUTPUT
 Write-Host "Building version: $tag"
- # ---------------------------------------------------------------
- # Configure toolchain for SYSTEM account
- # ---------------------------------------------------------------
- - name: Configure toolchain
+ - name: Configure Rust
 shell: powershell
 run: |
+ $env:Path = "$env:EXTRA_PATH;$env:Path"
 $ErrorActionPreference = "Continue"
- # Ensure rustup has a default toolchain
- rustup default stable 2>$null
+ rustup default stable
 $ErrorActionPreference = "Stop"
- # Add tool paths that SYSTEM doesn't have
- # Java
- $javaHome = (Get-ChildItem "C:\Program Files\Eclipse Adoptium" -Directory | Select-Object -First 1).FullName
- if ($javaHome) { echo "$javaHome\bin" >> $env:GITHUB_PATH }
-
- # Cargo
- $cargobin = "$env:USERPROFILE\.cargo\bin"
- if (Test-Path $cargobin) { echo "$cargobin" >> $env:GITHUB_PATH }
-
- # Rustup
- $rustupbin = "$env:USERPROFILE\.rustup\toolchains\stable-x86_64-pc-windows-msvc\bin"
- if (Test-Path $rustupbin) { echo "$rustupbin" >> $env:GITHUB_PATH }
 - name: Verify toolchain
 shell: powershell
 run: |
+ $env:Path = "$env:EXTRA_PATH;$env:Path"
 Write-Host "=== Toolchain versions ==="
 node --version
 rustc --version
 cargo --version
 java --version
- python --version
- # ---------------------------------------------------------------
- # Build frontend
- # ---------------------------------------------------------------
 - name: Install frontend dependencies
 shell: powershell
- run: npm ci
+ run: |
+ $env:Path = "$env:EXTRA_PATH;$env:Path"
+ npm ci
 - name: Build frontend
 shell: powershell
 run: |
+ $env:Path = "$env:EXTRA_PATH;$env:Path"
 npm run build
- Write-Host "=== Frontend built ==="
- Get-ChildItem dist\
- # ---------------------------------------------------------------
- # Build Tauri app (native MSVC)
- # ---------------------------------------------------------------
 - name: Install Tauri CLI
 shell: powershell
- run: cargo install tauri-cli 
--version "^2"
+ run: |
+ $env:Path = "$env:EXTRA_PATH;$env:Path"
+ cargo install tauri-cli --version "^2"
 - name: Build Tauri app
 shell: powershell
@@ -110,13 +79,11 @@ jobs:
 TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
 TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
 run: |
+ $env:Path = "$env:EXTRA_PATH;$env:Path"
 cargo tauri build
 Write-Host "=== Build output ==="
 Get-ChildItem -Recurse src-tauri\target\release\bundle\nsis\*.exe
- # ---------------------------------------------------------------
- # Code signing — jsign + Azure Key Vault (EV cert)
- # ---------------------------------------------------------------
 - name: Download jsign
 shell: powershell
 run: |
@@ -140,7 +107,8 @@ jobs:
 - name: Sign Windows binaries
 shell: powershell
 run: |
- Write-Host "=== Signing Wraith binaries with EV certificate ==="
+ $env:Path = "$env:EXTRA_PATH;$env:Path"
+ Write-Host "=== Signing Wraith binaries ==="
 $installers = Get-ChildItem -Recurse src-tauri\target\release\bundle\nsis\*.exe
 foreach ($binary in $installers) {
 Write-Host "Signing: $($binary.FullName)"
@@ -155,9 +123,6 @@ jobs:
 Write-Host "Signed: $($binary.Name)"
 }
- # ---------------------------------------------------------------
- # Create version.json
- # ---------------------------------------------------------------
 - name: Create version.json
 shell: powershell
 run: |
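Review bot: `cargo install tauri-cli --version "^2"` in the Install Tauri CLI step resolves to whatever the newest 2.x on crates.io is at run time, so the tool that produces the installers this workflow EV-signs can change between two release builds with no change in this repository; pin it and lock its dependency graph, e.g. `cargo install tauri-cli --version "=<PINNED_TAURI_CLI_VERSION>" --locked`, and bump it deliberately. The same `$env:Path = "$env:EXTRA_PATH;$env:Path"` line is now repeated in every PowerShell step here and again in the Build Tauri app and Sign Windows binaries hunks; if appending to `$env:GITHUB_PATH` in the Configure step did not carry across steps on this runner (the removed code suggests that was tried), a comment on the first occurrence such as `# GITHUB_PATH did not propagate on this runner; prepend per step` would keep the next maintainer from deduplicating it back. In the Configure Rust step `rustup default stable` still runs under `$ErrorActionPreference = "Continue"`, so a failure there is only noticed by the Verify toolchain step; presumably this tolerates rustup writing to stderr, and saying so in a comment would make the intent clear.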
@@ -177,55 +142,42 @@ jobs:
 Write-Host "=== version.json ==="
 Get-Content version.json
- # ---------------------------------------------------------------
- # Upload to Gitea Package Registry
- # ---------------------------------------------------------------
 - name: Upload to Gitea packages
 shell: powershell
 run: |
 $version = "${{ steps.version.outputs.version }}"
 $giteaUrl = "https://git.command.vigilcyber.com"
- $owner = "vstockwell"
- $package = "wraith"
 $headers = @{ Authorization = "token ${{ secrets.GIT_TOKEN }}" }
- Write-Host "=== Uploading Wraith v$version to Gitea packages ==="
+ Write-Host "=== Uploading Wraith v$version ==="
- # Upload installer(s)
 $installers = Get-ChildItem -Recurse src-tauri\target\release\bundle\nsis\*.exe
 foreach ($file in $installers) {
 Write-Host "Uploading: $($file.Name)"
- Invoke-RestMethod -Uri "$giteaUrl/api/packages/$owner/generic/$package/$version/$($file.Name)" `
+ Invoke-RestMethod -Uri "$giteaUrl/api/packages/vstockwell/generic/wraith/$version/$($file.Name)" `
 -Method PUT -Headers $headers -ContentType "application/octet-stream" `
 -InFile $file.FullName
 }
- # Upload version.json
 Write-Host "Uploading: version.json"
- Invoke-RestMethod -Uri "$giteaUrl/api/packages/$owner/generic/$package/$version/version.json" `
+ Invoke-RestMethod -Uri "$giteaUrl/api/packages/vstockwell/generic/wraith/$version/version.json" `
 -Method PUT -Headers $headers -ContentType "application/octet-stream" `
 -InFile version.json
- # Upload updater signature if exists
 $sigs = Get-ChildItem -Recurse src-tauri\target\release\bundle\nsis\*.sig -ErrorAction SilentlyContinue
 foreach ($sig in $sigs) {
 Write-Host "Uploading: $($sig.Name)"
- Invoke-RestMethod -Uri "$giteaUrl/api/packages/$owner/generic/$package/$version/$($sig.Name)" `
+ Invoke-RestMethod -Uri "$giteaUrl/api/packages/vstockwell/generic/wraith/$version/$($sig.Name)" `
 -Method PUT -Headers $headers -ContentType "application/octet-stream" `
 -InFile $sig.FullName
 }
- Write-Host ""
 Write-Host 
"=== Upload complete ===" - # --------------------------------------------------------------- - # Create Gitea Release - # --------------------------------------------------------------- - name: Create Gitea Release shell: powershell run: | $version = "${{ steps.version.outputs.version }}" - $giteaUrl = "https://git.command.vigilcyber.com" $headers = @{ Authorization = "token ${{ secrets.GIT_TOKEN }}" "Content-Type" = "application/json" @@ -233,9 +185,9 @@ jobs: $body = @{ tag_name = "v$version" name = "Wraith v$version" - body = "Wraith Desktop v$version — Tauri v2 / Rust build." + body = "Wraith Desktop v$version - Tauri v2 / Rust build." } | ConvertTo-Json - Invoke-RestMethod -Uri "$giteaUrl/api/v1/repos/vstockwell/wraith/releases" ` + Invoke-RestMethod -Uri "https://git.command.vigilcyber.com/api/v1/repos/vstockwell/wraith/releases" ` -Method POST -Headers $headers -Body $body Write-Host "Release created."