# ============================================================================= # Wraith — Build & Sign Release (Tauri v2) # ============================================================================= # Native Windows build on STORMBREAKER runner, signs with Azure Key Vault # EV cert via jsign, creates NSIS installer, uploads to Gitea packages. # # Trigger: push a tag matching v* (e.g. v1.0.0) or run manually. # ============================================================================= name: Build & Sign Wraith on: push: tags: - 'v*' workflow_dispatch: env: # Extra paths needed when running as SYSTEM EXTRA_PATH: C:\Program Files (x86)\NSIS;C:\Program Files\Eclipse Adoptium\jre-21.0.10.7-hotspot\bin;C:\Users\vantz\.cargo\bin;C:\Users\vantz\.rustup\toolchains\stable-x86_64-pc-windows-msvc\bin;C:\Program Files\nodejs jobs: build-and-sign: name: Build Windows + Sign runs-on: windows steps: - name: Checkout code shell: powershell run: | git clone --depth 1 --branch ${{ github.ref_name }} https://${{ secrets.GIT_TOKEN }}@git.command.vigilcyber.com/vstockwell/wraith.git . - name: Get version from tag id: version shell: powershell run: | $tag = "${{ github.ref_name }}" -replace '^v','' echo "version=$tag" >> $env:GITHUB_OUTPUT Write-Host "Building version: $tag" - name: Configure Rust shell: powershell run: | $env:Path = "$env:EXTRA_PATH;$env:Path" $ErrorActionPreference = "Continue" rustup default stable $ErrorActionPreference = "Stop" - name: Verify toolchain shell: powershell run: | $env:Path = "$env:EXTRA_PATH;$env:Path" Write-Host "=== Toolchain versions ===" node --version rustc --version cargo --version java --version - name: Install frontend dependencies shell: powershell run: | $env:Path = "$env:EXTRA_PATH;$env:Path" npm ci - name: Build frontend shell: powershell run: | $env:Path = "$env:EXTRA_PATH;$env:Path" npm run build - name: Install Tauri CLI shell: powershell run: | $env:Path = "$env:EXTRA_PATH;$env:Path" cargo install tauri-cli --version "^2" - name: Build Tauri app shell: powershell env: TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }} TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }} run: | $env:Path = "$env:EXTRA_PATH;$env:Path" cargo tauri build Write-Host "=== Build output ===" Get-ChildItem -Recurse src-tauri\target\release\bundle\nsis\*.exe - name: Download jsign shell: powershell run: | Invoke-WebRequest -Uri "https://github.com/ebourg/jsign/releases/download/7.0/jsign-7.0.jar" -OutFile jsign.jar - name: Get Azure Key Vault access token id: azure-token shell: powershell run: | $body = @{ client_id = "${{ secrets.AZURE_CLIENT_ID }}" client_secret = "${{ secrets.AZURE_CLIENT_SECRET }}" scope = "https://vault.azure.net/.default" grant_type = "client_credentials" } $resp = Invoke-RestMethod -Uri "https://login.microsoftonline.com/${{ secrets.AZURE_TENANT_ID }}/oauth2/v2.0/token" -Method POST -Body $body $token = $resp.access_token echo "::add-mask::$token" echo "token=$token" >> $env:GITHUB_OUTPUT - name: Sign Windows binaries shell: powershell run: | $env:Path = "$env:EXTRA_PATH;$env:Path" Write-Host "=== Signing Wraith binaries ===" $installers = Get-ChildItem -Recurse src-tauri\target\release\bundle\nsis\*.exe foreach ($binary in $installers) { Write-Host "Signing: $($binary.FullName)" java -jar jsign.jar ` --storetype AZUREKEYVAULT ` --keystore "${{ secrets.AZURE_KEY_VAULT_URL }}" ` --storepass "${{ steps.azure-token.outputs.token }}" ` --alias "${{ secrets.AZURE_CERT_NAME }}" ` --tsaurl http://timestamp.digicert.com ` --tsmode RFC3161 ` $binary.FullName Write-Host "Signed: $($binary.Name)" } - name: Create version.json shell: powershell run: | $version = "${{ steps.version.outputs.version }}" $installer = (Get-ChildItem -Recurse src-tauri\target\release\bundle\nsis\*.exe | Select-Object -First 1) $hash = (Get-FileHash $installer.FullName -Algorithm SHA256).Hash.ToLower() $json = @{ version = $version filename = $installer.Name sha256 = $hash platform = "windows" architecture = "amd64" released = (Get-Date -Format "yyyy-MM-ddTHH:mm:ssZ") signed = $true } | ConvertTo-Json $json | Out-File -FilePath version.json -Encoding utf8 Write-Host "=== version.json ===" Get-Content version.json - name: Upload to Gitea packages shell: powershell run: | $version = "${{ steps.version.outputs.version }}" $giteaUrl = "https://git.command.vigilcyber.com" $headers = @{ Authorization = "token ${{ secrets.GIT_TOKEN }}" } Write-Host "=== Uploading Wraith v$version ===" $installers = Get-ChildItem -Recurse src-tauri\target\release\bundle\nsis\*.exe foreach ($file in $installers) { Write-Host "Uploading: $($file.Name)" Invoke-RestMethod -Uri "$giteaUrl/api/packages/vstockwell/generic/wraith/$version/$($file.Name)" ` -Method PUT -Headers $headers -ContentType "application/octet-stream" ` -InFile $file.FullName } Write-Host "Uploading: version.json" Invoke-RestMethod -Uri "$giteaUrl/api/packages/vstockwell/generic/wraith/$version/version.json" ` -Method PUT -Headers $headers -ContentType "application/octet-stream" ` -InFile version.json $sigs = Get-ChildItem -Recurse src-tauri\target\release\bundle\nsis\*.sig -ErrorAction SilentlyContinue foreach ($sig in $sigs) { Write-Host "Uploading: $($sig.Name)" Invoke-RestMethod -Uri "$giteaUrl/api/packages/vstockwell/generic/wraith/$version/$($sig.Name)" ` -Method PUT -Headers $headers -ContentType "application/octet-stream" ` -InFile $sig.FullName } Write-Host "=== Upload complete ===" - name: Create Gitea Release shell: powershell run: | $version = "${{ steps.version.outputs.version }}" $headers = @{ Authorization = "token ${{ secrets.GIT_TOKEN }}" "Content-Type" = "application/json" } $body = @{ tag_name = "v$version" name = "Wraith v$version" body = "Wraith Desktop v$version - Tauri v2 / Rust build." } | ConvertTo-Json Invoke-RestMethod -Uri "https://git.command.vigilcyber.com/api/v1/repos/vstockwell/wraith/releases" ` -Method POST -Headers $headers -Body $body Write-Host "Release created."