vstockwell/wraith
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 67 Wiki Activity

fix: CI workflow — use linux runner with MinGW cross-compilation
Some checks failed
Build & Sign Wraith / Build Windows + Sign (push) Failing after 35s
Details

Browse Source 
Matched runner label to existing 'linux' runner on asgard.
Manual git clone checkout, apt-get toolchain install, rustup
with x86_64-pc-windows-gnu target, .cargo/config.toml for
MinGW linker. Mirrors old Go workflow patterns.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Vantz Stockwell 2026-03-17 17:11:04 -04:00
parent 47fb066f1d
commit c1f4875dfd
1 changed files with 100 additions and 58 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

148
.gitea/workflows/build-release.yml
View File

@ -1,8 +1,9 @@
# ============================================================================= # =============================================================================
# Wraith v2 — Build & Sign Release (Tauri v2) # Wraith — Build & Sign Release (Tauri v2)
# ============================================================================= # =============================================================================
# Builds the Tauri desktop app for Windows amd64, signs with Azure Key Vault # Cross-compiles the Tauri app for Windows amd64 from a Linux runner,
# EV cert, creates NSIS installer, uploads to Gitea packages + releases. # signs with Azure Key Vault EV cert via jsign, creates NSIS installer,
# uploads to Gitea packages + releases.
# #
# Trigger: push a tag matching v* (e.g. v1.0.0) or run manually. # Trigger: push a tag matching v* (e.g. v1.0.0) or run manually.
# #
@ -28,20 +29,19 @@ on:
jobs: jobs:
build-and-sign: build-and-sign:
name: Build Windows + Sign name: Build Windows + Sign
runs-on: windows-latest runs-on: linux
steps: steps:
# --------------------------------------------------------------- # ---------------------------------------------------------------
# Checkout # Checkout (manual clone — matches existing runner pattern)
# --------------------------------------------------------------- # ---------------------------------------------------------------
- name: Checkout code - name: Checkout code
uses: actions/checkout@v4 run: git clone --depth 1 --branch ${{ github.ref_name }} https://${{ secrets.GIT_TOKEN }}@git.command.vigilcyber.com/vstockwell/wraith.git .
# --------------------------------------------------------------- # ---------------------------------------------------------------
# Extract version from tag # Extract version from tag
# --------------------------------------------------------------- # ---------------------------------------------------------------
- name: Get version from tag - name: Get version from tag
id: version id: version
shell: bash
run: | run: |
TAG=$(echo "${{ github.ref_name }}" | sed 's/^v//') TAG=$(echo "${{ github.ref_name }}" | sed 's/^v//')
echo "version=${TAG}" >> $GITHUB_OUTPUT echo "version=${TAG}" >> $GITHUB_OUTPUT
@ -50,46 +50,86 @@ jobs:
# --------------------------------------------------------------- # ---------------------------------------------------------------
# Install toolchain # Install toolchain
# --------------------------------------------------------------- # ---------------------------------------------------------------
- name: Setup Node.js - name: Install build dependencies
uses: actions/setup-node@v4 run: |
with: apt-get update -qq
node-version: '22' apt-get install -y -qq \
mingw-w64 mingw-w64-tools \
default-jre-headless \
python3 curl nsis \
libssl-dev pkg-config
- name: Setup Rust # Node.js 22
uses: dtolnay/rust-toolchain@stable NODE_MAJOR=$(node --version 2>/dev/null | sed 's/v\([0-9]*\).*/\1/' || echo "0")
with: if [ "$NODE_MAJOR" -lt 20 ]; then
targets: x86_64-pc-windows-msvc echo "Node $NODE_MAJOR is too old, installing Node 22..."
curl -fsSL https://deb.nodesource.com/setup_22.x | bash -
apt-get install -y -qq nodejs
fi
- name: Install frontend dependencies # Rust + Windows target
run: npm ci if ! command -v rustup &> /dev/null; then
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
. "$HOME/.cargo/env"
fi
rustup target add x86_64-pc-windows-gnu
echo "=== Toolchain versions ==="
node --version
rustc --version
cargo --version
x86_64-w64-mingw32-gcc --version | head -1
# --------------------------------------------------------------- # ---------------------------------------------------------------
# Build with Tauri # Configure Rust cross-compilation for MinGW
# ---------------------------------------------------------------
- name: Configure MinGW cross-compilation
run: |
mkdir -p .cargo
cat > .cargo/config.toml << 'EOF'
[target.x86_64-pc-windows-gnu]
linker = "x86_64-w64-mingw32-gcc"
ar = "x86_64-w64-mingw32-ar"
[target.x86_64-pc-windows-gnu.rustflags]
rustflags = ["-C", "link-args=-mwindows"]
EOF
# ---------------------------------------------------------------
# Build frontend
# ---------------------------------------------------------------
- name: Build frontend
run: |
npm ci
npm run build
echo "=== Frontend built ==="
ls -la dist/
# ---------------------------------------------------------------
# Build Tauri app (cross-compile for Windows)
# --------------------------------------------------------------- # ---------------------------------------------------------------
- name: Build Tauri app - name: Build Tauri app
env: env:
TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }} TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }} TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
run: npx tauri build run: |
. "$HOME/.cargo/env" 2>/dev/null || true
npx tauri build --target x86_64-pc-windows-gnu
echo "=== Build output ==="
find src-tauri/target/x86_64-pc-windows-gnu/release/bundle -type f -name "*.exe" -o -name "*.msi" 2>/dev/null
ls -la src-tauri/target/x86_64-pc-windows-gnu/release/*.exe 2>/dev/null || true
# --------------------------------------------------------------- # ---------------------------------------------------------------
# Code signing — jsign + Azure Key Vault (EV cert) # Code signing — jsign + Azure Key Vault (EV cert)
# --------------------------------------------------------------- # ---------------------------------------------------------------
- name: Install Java (for jsign) - name: Install jsign
uses: actions/setup-java@v4
with:
distribution: 'temurin'
java-version: '21'
- name: Download jsign
shell: bash
run: | run: |
curl -sSL -o jsign.jar \ curl -sSL -o /usr/local/bin/jsign.jar \
"https://github.com/ebourg/jsign/releases/download/7.0/jsign-7.0.jar" "https://github.com/ebourg/jsign/releases/download/7.0/jsign-7.0.jar"
- name: Get Azure Key Vault access token - name: Get Azure Key Vault access token
id: azure-token id: azure-token
shell: bash
run: | run: |
TOKEN=$(curl -s -X POST \ TOKEN=$(curl -s -X POST \
"https://login.microsoftonline.com/${{ secrets.AZURE_TENANT_ID }}/oauth2/v2.0/token" \ "https://login.microsoftonline.com/${{ secrets.AZURE_TENANT_ID }}/oauth2/v2.0/token" \
@ -97,21 +137,19 @@ jobs:
-d "client_secret=${{ secrets.AZURE_CLIENT_SECRET }}" \ -d "client_secret=${{ secrets.AZURE_CLIENT_SECRET }}" \
-d "scope=https://vault.azure.net/.default" \ -d "scope=https://vault.azure.net/.default" \
-d "grant_type=client_credentials" \ -d "grant_type=client_credentials" \
| python -c "import sys,json; print(json.load(sys.stdin)['access_token'])") | python3 -c "import sys,json; print(json.load(sys.stdin)['access_token'])")
echo "::add-mask::${TOKEN}" echo "::add-mask::${TOKEN}"
echo "token=${TOKEN}" >> $GITHUB_OUTPUT echo "token=${TOKEN}" >> $GITHUB_OUTPUT
- name: Sign Windows binaries - name: Sign Windows binaries
shell: bash
run: | run: |
echo "=== Signing Wraith binaries with EV certificate ===" echo "=== Signing Wraith binaries with EV certificate ==="
BUNDLE_DIR="src-tauri/target/release/bundle" BUNDLE_DIR="src-tauri/target/x86_64-pc-windows-gnu/release/bundle"
# Sign the main exe for binary in $(find "$BUNDLE_DIR" -name "*.exe" -type f) $(find src-tauri/target/x86_64-pc-windows-gnu/release -maxdepth 1 -name "*.exe" -type f); do
for binary in ${BUNDLE_DIR}/nsis/*.exe; do
[ -f "$binary" ] || continue [ -f "$binary" ] || continue
echo "Signing: $binary" echo "Signing: $binary"
java -jar jsign.jar \ java -jar /usr/local/bin/jsign.jar \
--storetype AZUREKEYVAULT \ --storetype AZUREKEYVAULT \
--keystore "${{ secrets.AZURE_KEY_VAULT_URL }}" \ --keystore "${{ secrets.AZURE_KEY_VAULT_URL }}" \
--storepass "${{ steps.azure-token.outputs.token }}" \ --storepass "${{ steps.azure-token.outputs.token }}" \
@ -126,11 +164,16 @@ jobs:
# Create version.json # Create version.json
# --------------------------------------------------------------- # ---------------------------------------------------------------
- name: Create version.json - name: Create version.json
shell: bash
run: | run: |
VERSION="${{ steps.version.outputs.version }}" VERSION="${{ steps.version.outputs.version }}"
BUNDLE_DIR="src-tauri/target/release/bundle/nsis" BUNDLE_DIR="src-tauri/target/x86_64-pc-windows-gnu/release/bundle"
INSTALLER=$(ls ${BUNDLE_DIR}/*.exe | head -1) INSTALLER=$(find "$BUNDLE_DIR" -name "*.exe" -type f | head -1)
if [ -z "$INSTALLER" ]; then
echo "WARNING: No installer found, checking for raw exe..."
INSTALLER="src-tauri/target/x86_64-pc-windows-gnu/release/wraith.exe"
fi
SHA=$(sha256sum "$INSTALLER" | awk '{print $1}') SHA=$(sha256sum "$INSTALLER" | awk '{print $1}')
cat > version.json << EOF cat > version.json << EOF
@ -152,25 +195,26 @@ jobs:
# Upload to Gitea Package Registry # Upload to Gitea Package Registry
# --------------------------------------------------------------- # ---------------------------------------------------------------
- name: Upload to Gitea packages - name: Upload to Gitea packages
shell: bash
run: | run: |
VERSION="${{ steps.version.outputs.version }}" VERSION="${{ steps.version.outputs.version }}"
GITEA_URL="https://git.command.vigilcyber.com" GITEA_URL="https://git.command.vigilcyber.com"
OWNER="vstockwell" OWNER="vstockwell"
PACKAGE="wraith" PACKAGE="wraith"
BUNDLE_DIR="src-tauri/target/release/bundle/nsis" BUNDLE_DIR="src-tauri/target/x86_64-pc-windows-gnu/release/bundle"
echo "=== Uploading Wraith v${VERSION} to Gitea packages ===" echo "=== Uploading Wraith v${VERSION} to Gitea packages ==="
# Upload installer # Upload installer(s)
INSTALLER=$(ls ${BUNDLE_DIR}/*.exe | head -1) for exe in $(find "$BUNDLE_DIR" -name "*.exe" -type f); do
FILENAME=$(basename "$INSTALLER") FILENAME=$(basename "$exe")
echo "Uploading: ${FILENAME}" echo "Uploading: ${FILENAME}"
curl -s -X PUT \ curl -s -X PUT \
-H "Authorization: token ${{ secrets.GIT_TOKEN }}" \ -H "Authorization: token ${{ secrets.GIT_TOKEN }}" \
-H "Content-Type: application/octet-stream" \ -H "Content-Type: application/octet-stream" \
--data-binary @"$INSTALLER" \ --data-binary @"$exe" \
"${GITEA_URL}/api/packages/${OWNER}/generic/${PACKAGE}/${VERSION}/${FILENAME}" "${GITEA_URL}/api/packages/${OWNER}/generic/${PACKAGE}/${VERSION}/${FILENAME}"
echo " Done."
done
# Upload version.json # Upload version.json
echo "Uploading: version.json" echo "Uploading: version.json"
@ -181,24 +225,22 @@ jobs:
"${GITEA_URL}/api/packages/${OWNER}/generic/${PACKAGE}/${VERSION}/version.json" "${GITEA_URL}/api/packages/${OWNER}/generic/${PACKAGE}/${VERSION}/version.json"
# Upload Tauri updater signature if it exists # Upload Tauri updater signature if it exists
SIG_FILE=$(ls ${BUNDLE_DIR}/*.sig 2>/dev/null | head -1) for sig in $(find "$BUNDLE_DIR" -name "*.sig" -type f 2>/dev/null); do
if [ -f "$SIG_FILE" ]; then echo "Uploading: $(basename $sig)"
echo "Uploading: $(basename $SIG_FILE)"
curl -s -X PUT \ curl -s -X PUT \
-H "Authorization: token ${{ secrets.GIT_TOKEN }}" \ -H "Authorization: token ${{ secrets.GIT_TOKEN }}" \
-H "Content-Type: application/octet-stream" \ -H "Content-Type: application/octet-stream" \
--data-binary @"$SIG_FILE" \ --data-binary @"$sig" \
"${GITEA_URL}/api/packages/${OWNER}/generic/${PACKAGE}/${VERSION}/$(basename $SIG_FILE)" "${GITEA_URL}/api/packages/${OWNER}/generic/${PACKAGE}/${VERSION}/$(basename $sig)"
fi done
echo "" echo ""
echo "=== Upload complete ===" echo "=== Upload complete ==="
# --------------------------------------------------------------- # ---------------------------------------------------------------
# Create Gitea Release (with v prefix to match git tag) # Create Gitea Release
# --------------------------------------------------------------- # ---------------------------------------------------------------
- name: Create Gitea Release - name: Create Gitea Release
shell: bash
run: | run: |
VERSION="${{ steps.version.outputs.version }}" VERSION="${{ steps.version.outputs.version }}"
GITEA_URL="https://git.command.vigilcyber.com" GITEA_URL="https://git.command.vigilcyber.com"
@ -207,7 +249,7 @@ jobs:
curl -s -X POST \ curl -s -X POST \
-H "Authorization: token ${{ secrets.GIT_TOKEN }}" \ -H "Authorization: token ${{ secrets.GIT_TOKEN }}" \
-H "Content-Type: application/json" \ -H "Content-Type: application/json" \
-d "{\"tag_name\": \"v${VERSION}\", \"name\": \"Wraith v${VERSION}\", \"body\": \"Wraith Desktop v${VERSION} — Tauri v2 build.\"}" \ -d "{\"tag_name\": \"v${VERSION}\", \"name\": \"Wraith v${VERSION}\", \"body\": \"Wraith Desktop v${VERSION} — Tauri v2 / Rust build.\"}" \
"${GITEA_URL}/api/v1/repos/vstockwell/wraith/releases" "${GITEA_URL}/api/v1/repos/vstockwell/wraith/releases"
echo "" echo ""
echo "Release created." echo "Release created."