fix: CI — inline EXTRA_PATH in every step, no GITHUB_PATH

act_runner v0.2.11 doesn't support GITHUB_PATH reliably.
Set env.EXTRA_PATH at job level, prepend in each step.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Vantz Stockwell 2026-03-18 00:12:56 -04:00
parent 8cf13d657b
commit 96cbd74f84


@ -5,16 +5,6 @@
# EV cert via jsign, creates NSIS installer, uploads to Gitea packages. # EV cert via jsign, creates NSIS installer, uploads to Gitea packages.
# #
# Trigger: push a tag matching v* (e.g. v1.0.0) or run manually. # Trigger: push a tag matching v* (e.g. v1.0.0) or run manually.
#
# Required secrets:
# AZURE_TENANT_ID — Azure AD tenant
# AZURE_CLIENT_ID — Service principal client ID
# AZURE_CLIENT_SECRET — Service principal secret
# AZURE_KEY_VAULT_URL — e.g. https://my-vault.vault.azure.net
# AZURE_CERT_NAME — Certificate/key name in the vault
# GIT_TOKEN — PAT for cloning private repo + uploading packages
# TAURI_SIGNING_PRIVATE_KEY — Tauri updater signing key (base64)
# TAURI_SIGNING_PRIVATE_KEY_PASSWORD — Password for the signing key
# ============================================================================= # =============================================================================
name: Build & Sign Wraith name: Build & Sign Wraith
@ -25,22 +15,20 @@ on:
- 'v*' - 'v*'
workflow_dispatch: workflow_dispatch:
env:
# Extra paths needed when running as SYSTEM
EXTRA_PATH: C:\Program Files\Eclipse Adoptium\jre-21.0.10.7-hotspot\bin;C:\Users\vantz\.cargo\bin;C:\Users\vantz\.rustup\toolchains\stable-x86_64-pc-windows-msvc\bin;C:\Program Files\nodejs
jobs: jobs:
build-and-sign: build-and-sign:
name: Build Windows + Sign name: Build Windows + Sign
runs-on: windows runs-on: windows
steps: steps:
# ---------------------------------------------------------------
# Checkout
# ---------------------------------------------------------------
- name: Checkout code - name: Checkout code
shell: powershell shell: powershell
run: | run: |
git clone --depth 1 --branch ${{ github.ref_name }} https://${{ secrets.GIT_TOKEN }}@git.command.vigilcyber.com/vstockwell/wraith.git . git clone --depth 1 --branch ${{ github.ref_name }} https://${{ secrets.GIT_TOKEN }}@git.command.vigilcyber.com/vstockwell/wraith.git .
# ---------------------------------------------------------------
# Extract version from tag
# ---------------------------------------------------------------
- name: Get version from tag - name: Get version from tag
id: version id: version
shell: powershell shell: powershell
@ -49,60 +37,41 @@ jobs:
echo "version=$tag" >> $env:GITHUB_OUTPUT echo "version=$tag" >> $env:GITHUB_OUTPUT
Write-Host "Building version: $tag" Write-Host "Building version: $tag"
# --------------------------------------------------------------- - name: Configure Rust
# Configure toolchain for SYSTEM account
# ---------------------------------------------------------------
- name: Configure toolchain
shell: powershell shell: powershell
run: | run: |
$env:Path = "$env:EXTRA_PATH;$env:Path"
$ErrorActionPreference = "Continue" $ErrorActionPreference = "Continue"
# Ensure rustup has a default toolchain rustup default stable
rustup default stable 2>$null
$ErrorActionPreference = "Stop" $ErrorActionPreference = "Stop"
# Add tool paths that SYSTEM doesn't have
# Java
$javaHome = (Get-ChildItem "C:\Program Files\Eclipse Adoptium" -Directory | Select-Object -First 1).FullName
if ($javaHome) { echo "$javaHome\bin" >> $env:GITHUB_PATH }
# Cargo
$cargobin = "$env:USERPROFILE\.cargo\bin"
if (Test-Path $cargobin) { echo "$cargobin" >> $env:GITHUB_PATH }
# Rustup
$rustupbin = "$env:USERPROFILE\.rustup\toolchains\stable-x86_64-pc-windows-msvc\bin"
if (Test-Path $rustupbin) { echo "$rustupbin" >> $env:GITHUB_PATH }
- name: Verify toolchain - name: Verify toolchain
shell: powershell shell: powershell
run: | run: |
$env:Path = "$env:EXTRA_PATH;$env:Path"
Write-Host "=== Toolchain versions ===" Write-Host "=== Toolchain versions ==="
node --version node --version
rustc --version rustc --version
cargo --version cargo --version
java --version java --version
python --version
# ---------------------------------------------------------------
# Build frontend
# ---------------------------------------------------------------
- name: Install frontend dependencies - name: Install frontend dependencies
shell: powershell shell: powershell
run: npm ci run: |
$env:Path = "$env:EXTRA_PATH;$env:Path"
npm ci
- name: Build frontend - name: Build frontend
shell: powershell shell: powershell
run: | run: |
$env:Path = "$env:EXTRA_PATH;$env:Path"
npm run build npm run build
Write-Host "=== Frontend built ==="
Get-ChildItem dist\
# ---------------------------------------------------------------
# Build Tauri app (native MSVC)
# ---------------------------------------------------------------
- name: Install Tauri CLI - name: Install Tauri CLI
shell: powershell shell: powershell
run: cargo install tauri-cli --version "^2" run: |
$env:Path = "$env:EXTRA_PATH;$env:Path"
cargo install tauri-cli --version "^2"
- name: Build Tauri app - name: Build Tauri app
shell: powershell shell: powershell
@ -110,13 +79,11 @@ jobs:
TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }} TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }} TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
run: | run: |
$env:Path = "$env:EXTRA_PATH;$env:Path"
cargo tauri build cargo tauri build
Write-Host "=== Build output ===" Write-Host "=== Build output ==="
Get-ChildItem -Recurse src-tauri\target\release\bundle\nsis\*.exe Get-ChildItem -Recurse src-tauri\target\release\bundle\nsis\*.exe
# ---------------------------------------------------------------
# Code signing — jsign + Azure Key Vault (EV cert)
# ---------------------------------------------------------------
- name: Download jsign - name: Download jsign
shell: powershell shell: powershell
run: | run: |
@ -140,7 +107,8 @@ jobs:
- name: Sign Windows binaries - name: Sign Windows binaries
shell: powershell shell: powershell
run: | run: |
Write-Host "=== Signing Wraith binaries with EV certificate ===" $env:Path = "$env:EXTRA_PATH;$env:Path"
Write-Host "=== Signing Wraith binaries ==="
$installers = Get-ChildItem -Recurse src-tauri\target\release\bundle\nsis\*.exe $installers = Get-ChildItem -Recurse src-tauri\target\release\bundle\nsis\*.exe
foreach ($binary in $installers) { foreach ($binary in $installers) {
Write-Host "Signing: $($binary.FullName)" Write-Host "Signing: $($binary.FullName)"
@ -155,9 +123,6 @@ jobs:
Write-Host "Signed: $($binary.Name)" Write-Host "Signed: $($binary.Name)"
} }
# ---------------------------------------------------------------
# Create version.json
# ---------------------------------------------------------------
- name: Create version.json - name: Create version.json
shell: powershell shell: powershell
run: | run: |
@ -177,55 +142,42 @@ jobs:
Write-Host "=== version.json ===" Write-Host "=== version.json ==="
Get-Content version.json Get-Content version.json
# ---------------------------------------------------------------
# Upload to Gitea Package Registry
# ---------------------------------------------------------------
- name: Upload to Gitea packages - name: Upload to Gitea packages
shell: powershell shell: powershell
run: | run: |
$version = "${{ steps.version.outputs.version }}" $version = "${{ steps.version.outputs.version }}"
$giteaUrl = "https://git.command.vigilcyber.com" $giteaUrl = "https://git.command.vigilcyber.com"
$owner = "vstockwell"
$package = "wraith"
$headers = @{ Authorization = "token ${{ secrets.GIT_TOKEN }}" } $headers = @{ Authorization = "token ${{ secrets.GIT_TOKEN }}" }
Write-Host "=== Uploading Wraith v$version to Gitea packages ===" Write-Host "=== Uploading Wraith v$version ==="
# Upload installer(s)
$installers = Get-ChildItem -Recurse src-tauri\target\release\bundle\nsis\*.exe $installers = Get-ChildItem -Recurse src-tauri\target\release\bundle\nsis\*.exe
foreach ($file in $installers) { foreach ($file in $installers) {
Write-Host "Uploading: $($file.Name)" Write-Host "Uploading: $($file.Name)"
Invoke-RestMethod -Uri "$giteaUrl/api/packages/$owner/generic/$package/$version/$($file.Name)" ` Invoke-RestMethod -Uri "$giteaUrl/api/packages/vstockwell/generic/wraith/$version/$($file.Name)" `
-Method PUT -Headers $headers -ContentType "application/octet-stream" ` -Method PUT -Headers $headers -ContentType "application/octet-stream" `
-InFile $file.FullName -InFile $file.FullName
} }
# Upload version.json
Write-Host "Uploading: version.json" Write-Host "Uploading: version.json"
Invoke-RestMethod -Uri "$giteaUrl/api/packages/$owner/generic/$package/$version/version.json" ` Invoke-RestMethod -Uri "$giteaUrl/api/packages/vstockwell/generic/wraith/$version/version.json" `
-Method PUT -Headers $headers -ContentType "application/octet-stream" ` -Method PUT -Headers $headers -ContentType "application/octet-stream" `
-InFile version.json -InFile version.json
# Upload updater signature if exists
$sigs = Get-ChildItem -Recurse src-tauri\target\release\bundle\nsis\*.sig -ErrorAction SilentlyContinue $sigs = Get-ChildItem -Recurse src-tauri\target\release\bundle\nsis\*.sig -ErrorAction SilentlyContinue
foreach ($sig in $sigs) { foreach ($sig in $sigs) {
Write-Host "Uploading: $($sig.Name)" Write-Host "Uploading: $($sig.Name)"
Invoke-RestMethod -Uri "$giteaUrl/api/packages/$owner/generic/$package/$version/$($sig.Name)" ` Invoke-RestMethod -Uri "$giteaUrl/api/packages/vstockwell/generic/wraith/$version/$($sig.Name)" `
-Method PUT -Headers $headers -ContentType "application/octet-stream" ` -Method PUT -Headers $headers -ContentType "application/octet-stream" `
-InFile $sig.FullName -InFile $sig.FullName
} }
Write-Host ""
Write-Host "=== Upload complete ===" Write-Host "=== Upload complete ==="
# ---------------------------------------------------------------
# Create Gitea Release
# ---------------------------------------------------------------
- name: Create Gitea Release - name: Create Gitea Release
shell: powershell shell: powershell
run: | run: |
$version = "${{ steps.version.outputs.version }}" $version = "${{ steps.version.outputs.version }}"
$giteaUrl = "https://git.command.vigilcyber.com"
$headers = @{ $headers = @{
Authorization = "token ${{ secrets.GIT_TOKEN }}" Authorization = "token ${{ secrets.GIT_TOKEN }}"
"Content-Type" = "application/json" "Content-Type" = "application/json"
@ -233,9 +185,9 @@ jobs:
$body = @{ $body = @{
tag_name = "v$version" tag_name = "v$version"
name = "Wraith v$version" name = "Wraith v$version"
body = "Wraith Desktop v$version Tauri v2 / Rust build." body = "Wraith Desktop v$version - Tauri v2 / Rust build."
} | ConvertTo-Json } | ConvertTo-Json
Invoke-RestMethod -Uri "$giteaUrl/api/v1/repos/vstockwell/wraith/releases" ` Invoke-RestMethod -Uri "https://git.command.vigilcyber.com/api/v1/repos/vstockwell/wraith/releases" `
-Method POST -Headers $headers -Body $body -Method POST -Headers $headers -Body $body
Write-Host "Release created." Write-Host "Release created."
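Review bot: The new job-level `EXTRA_PATH` places `C:\Users\vantz\.cargo\bin` and that user's rustup toolchain directory ahead of the existing PATH in every step that prepends it, including "Build Tauri app" (which receives `TAURI_SIGNING_PRIVATE_KEY`) and "Sign Windows binaries", while the comment above it says the job runs as SYSTEM. Because `.cargo\bin` is listed before `C:\Program Files\nodejs`, a file written into that profile directory can shadow `node`, `npm` or `cargo` and run with SYSTEM rights next to the signing material, which is an untrusted-search-path exposure on a release-signing runner. Since the stated goal is only to add paths SYSTEM lacks, appending keeps the system directories first: `$env:Path = "$env:Path;$env:EXTRA_PATH"`. Better still would be a machine-wide toolchain location with admin-only ACLs (for example `CARGO_HOME`/`RUSTUP_HOME` outside any user profile), so that no user-writable entry is needed at all. The hard-coded `jre-21.0.10.7-hotspot` directory also replaces the earlier `Get-ChildItem` discovery and `Test-Path` guards, so a JRE update leaves that entry pointing at a missing directory; a comment at `EXTRA_PATH` noting that it must track the runner's installed versions would help.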