diff --git a/.gitea/workflows/build-release.yml b/.gitea/workflows/build-release.yml index 79bca73..d4a5263 100644 --- a/.gitea/workflows/build-release.yml +++ b/.gitea/workflows/build-release.yml @@ -1,8 +1,9 @@ # ============================================================================= -# Wraith v2 — Build & Sign Release (Tauri v2) +# Wraith — Build & Sign Release (Tauri v2) # ============================================================================= -# Builds the Tauri desktop app for Windows amd64, signs with Azure Key Vault -# EV cert, creates NSIS installer, uploads to Gitea packages + releases. +# Cross-compiles the Tauri app for Windows amd64 from a Linux runner, +# signs with Azure Key Vault EV cert via jsign, creates NSIS installer, +# uploads to Gitea packages + releases. # # Trigger: push a tag matching v* (e.g. v1.0.0) or run manually. # @@ -28,20 +29,19 @@ on: jobs: build-and-sign: name: Build Windows + Sign - runs-on: windows-latest + runs-on: linux steps: # --------------------------------------------------------------- - # Checkout + # Checkout (manual clone — matches existing runner pattern) # --------------------------------------------------------------- - name: Checkout code - uses: actions/checkout@v4 + run: git clone --depth 1 --branch ${{ github.ref_name }} https://${{ secrets.GIT_TOKEN }}@git.command.vigilcyber.com/vstockwell/wraith.git . # --------------------------------------------------------------- # Extract version from tag # --------------------------------------------------------------- - name: Get version from tag id: version - shell: bash run: | TAG=$(echo "${{ github.ref_name }}" | sed 's/^v//') echo "version=${TAG}" >> $GITHUB_OUTPUT @@ -50,46 +50,86 @@ jobs: # --------------------------------------------------------------- # Install toolchain # --------------------------------------------------------------- - - name: Setup Node.js - uses: actions/setup-node@v4 - with: - node-version: '22' + - name: Install build dependencies + run: | + apt-get update -qq + apt-get install -y -qq \ + mingw-w64 mingw-w64-tools \ + default-jre-headless \ + python3 curl nsis \ + libssl-dev pkg-config - - name: Setup Rust - uses: dtolnay/rust-toolchain@stable - with: - targets: x86_64-pc-windows-msvc + # Node.js 22 + NODE_MAJOR=$(node --version 2>/dev/null | sed 's/v\([0-9]*\).*/\1/' || echo "0") + if [ "$NODE_MAJOR" -lt 20 ]; then + echo "Node $NODE_MAJOR is too old, installing Node 22..." + curl -fsSL https://deb.nodesource.com/setup_22.x | bash - + apt-get install -y -qq nodejs + fi - - name: Install frontend dependencies - run: npm ci + # Rust + Windows target + if ! command -v rustup &> /dev/null; then + curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y + . "$HOME/.cargo/env" + fi + rustup target add x86_64-pc-windows-gnu + + echo "=== Toolchain versions ===" + node --version + rustc --version + cargo --version + x86_64-w64-mingw32-gcc --version | head -1 # --------------------------------------------------------------- - # Build with Tauri + # Configure Rust cross-compilation for MinGW + # --------------------------------------------------------------- + - name: Configure MinGW cross-compilation + run: | + mkdir -p .cargo + cat > .cargo/config.toml << 'EOF' + [target.x86_64-pc-windows-gnu] + linker = "x86_64-w64-mingw32-gcc" + ar = "x86_64-w64-mingw32-ar" + + [target.x86_64-pc-windows-gnu.rustflags] + rustflags = ["-C", "link-args=-mwindows"] + EOF + + # --------------------------------------------------------------- + # Build frontend + # --------------------------------------------------------------- + - name: Build frontend + run: | + npm ci + npm run build + echo "=== Frontend built ===" + ls -la dist/ + + # --------------------------------------------------------------- + # Build Tauri app (cross-compile for Windows) # --------------------------------------------------------------- - name: Build Tauri app env: TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }} TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }} - run: npx tauri build + run: | + . "$HOME/.cargo/env" 2>/dev/null || true + npx tauri build --target x86_64-pc-windows-gnu + + echo "=== Build output ===" + find src-tauri/target/x86_64-pc-windows-gnu/release/bundle -type f -name "*.exe" -o -name "*.msi" 2>/dev/null + ls -la src-tauri/target/x86_64-pc-windows-gnu/release/*.exe 2>/dev/null || true # --------------------------------------------------------------- # Code signing — jsign + Azure Key Vault (EV cert) # --------------------------------------------------------------- - - name: Install Java (for jsign) - uses: actions/setup-java@v4 - with: - distribution: 'temurin' - java-version: '21' - - - name: Download jsign - shell: bash + - name: Install jsign run: | - curl -sSL -o jsign.jar \ + curl -sSL -o /usr/local/bin/jsign.jar \ "https://github.com/ebourg/jsign/releases/download/7.0/jsign-7.0.jar" - name: Get Azure Key Vault access token id: azure-token - shell: bash run: | TOKEN=$(curl -s -X POST \ "https://login.microsoftonline.com/${{ secrets.AZURE_TENANT_ID }}/oauth2/v2.0/token" \ @@ -97,21 +137,19 @@ jobs: -d "client_secret=${{ secrets.AZURE_CLIENT_SECRET }}" \ -d "scope=https://vault.azure.net/.default" \ -d "grant_type=client_credentials" \ - | python -c "import sys,json; print(json.load(sys.stdin)['access_token'])") + | python3 -c "import sys,json; print(json.load(sys.stdin)['access_token'])") echo "::add-mask::${TOKEN}" echo "token=${TOKEN}" >> $GITHUB_OUTPUT - name: Sign Windows binaries - shell: bash run: | echo "=== Signing Wraith binaries with EV certificate ===" - BUNDLE_DIR="src-tauri/target/release/bundle" + BUNDLE_DIR="src-tauri/target/x86_64-pc-windows-gnu/release/bundle" - # Sign the main exe - for binary in ${BUNDLE_DIR}/nsis/*.exe; do + for binary in $(find "$BUNDLE_DIR" -name "*.exe" -type f) $(find src-tauri/target/x86_64-pc-windows-gnu/release -maxdepth 1 -name "*.exe" -type f); do [ -f "$binary" ] || continue echo "Signing: $binary" - java -jar jsign.jar \ + java -jar /usr/local/bin/jsign.jar \ --storetype AZUREKEYVAULT \ --keystore "${{ secrets.AZURE_KEY_VAULT_URL }}" \ --storepass "${{ steps.azure-token.outputs.token }}" \ @@ -126,11 +164,16 @@ jobs: # Create version.json # --------------------------------------------------------------- - name: Create version.json - shell: bash run: | VERSION="${{ steps.version.outputs.version }}" - BUNDLE_DIR="src-tauri/target/release/bundle/nsis" - INSTALLER=$(ls ${BUNDLE_DIR}/*.exe | head -1) + BUNDLE_DIR="src-tauri/target/x86_64-pc-windows-gnu/release/bundle" + INSTALLER=$(find "$BUNDLE_DIR" -name "*.exe" -type f | head -1) + + if [ -z "$INSTALLER" ]; then + echo "WARNING: No installer found, checking for raw exe..." + INSTALLER="src-tauri/target/x86_64-pc-windows-gnu/release/wraith.exe" + fi + SHA=$(sha256sum "$INSTALLER" | awk '{print $1}') cat > version.json << EOF @@ -152,25 +195,26 @@ jobs: # Upload to Gitea Package Registry # --------------------------------------------------------------- - name: Upload to Gitea packages - shell: bash run: | VERSION="${{ steps.version.outputs.version }}" GITEA_URL="https://git.command.vigilcyber.com" OWNER="vstockwell" PACKAGE="wraith" - BUNDLE_DIR="src-tauri/target/release/bundle/nsis" + BUNDLE_DIR="src-tauri/target/x86_64-pc-windows-gnu/release/bundle" echo "=== Uploading Wraith v${VERSION} to Gitea packages ===" - # Upload installer - INSTALLER=$(ls ${BUNDLE_DIR}/*.exe | head -1) - FILENAME=$(basename "$INSTALLER") - echo "Uploading: ${FILENAME}" - curl -s -X PUT \ - -H "Authorization: token ${{ secrets.GIT_TOKEN }}" \ - -H "Content-Type: application/octet-stream" \ - --data-binary @"$INSTALLER" \ - "${GITEA_URL}/api/packages/${OWNER}/generic/${PACKAGE}/${VERSION}/${FILENAME}" + # Upload installer(s) + for exe in $(find "$BUNDLE_DIR" -name "*.exe" -type f); do + FILENAME=$(basename "$exe") + echo "Uploading: ${FILENAME}" + curl -s -X PUT \ + -H "Authorization: token ${{ secrets.GIT_TOKEN }}" \ + -H "Content-Type: application/octet-stream" \ + --data-binary @"$exe" \ + "${GITEA_URL}/api/packages/${OWNER}/generic/${PACKAGE}/${VERSION}/${FILENAME}" + echo " Done." + done # Upload version.json echo "Uploading: version.json" @@ -181,24 +225,22 @@ jobs: "${GITEA_URL}/api/packages/${OWNER}/generic/${PACKAGE}/${VERSION}/version.json" # Upload Tauri updater signature if it exists - SIG_FILE=$(ls ${BUNDLE_DIR}/*.sig 2>/dev/null | head -1) - if [ -f "$SIG_FILE" ]; then - echo "Uploading: $(basename $SIG_FILE)" + for sig in $(find "$BUNDLE_DIR" -name "*.sig" -type f 2>/dev/null); do + echo "Uploading: $(basename $sig)" curl -s -X PUT \ -H "Authorization: token ${{ secrets.GIT_TOKEN }}" \ -H "Content-Type: application/octet-stream" \ - --data-binary @"$SIG_FILE" \ - "${GITEA_URL}/api/packages/${OWNER}/generic/${PACKAGE}/${VERSION}/$(basename $SIG_FILE)" - fi + --data-binary @"$sig" \ + "${GITEA_URL}/api/packages/${OWNER}/generic/${PACKAGE}/${VERSION}/$(basename $sig)" + done echo "" echo "=== Upload complete ===" # --------------------------------------------------------------- - # Create Gitea Release (with v prefix to match git tag) + # Create Gitea Release # --------------------------------------------------------------- - name: Create Gitea Release - shell: bash run: | VERSION="${{ steps.version.outputs.version }}" GITEA_URL="https://git.command.vigilcyber.com" @@ -207,7 +249,7 @@ jobs: curl -s -X POST \ -H "Authorization: token ${{ secrets.GIT_TOKEN }}" \ -H "Content-Type: application/json" \ - -d "{\"tag_name\": \"v${VERSION}\", \"name\": \"Wraith v${VERSION}\", \"body\": \"Wraith Desktop v${VERSION} — Tauri v2 build.\"}" \ + -d "{\"tag_name\": \"v${VERSION}\", \"name\": \"Wraith v${VERSION}\", \"body\": \"Wraith Desktop v${VERSION} — Tauri v2 / Rust build.\"}" \ "${GITEA_URL}/api/v1/repos/vstockwell/wraith/releases" echo "" echo "Release created."