# ============================================================================= # Wraith — Build & Sign Release (Tauri v2) # ============================================================================= # Cross-compiles the Tauri app for Windows amd64 from a Linux runner, # signs with Azure Key Vault EV cert via jsign, creates NSIS installer, # uploads to Gitea packages + releases. # # Trigger: push a tag matching v* (e.g. v1.0.0) or run manually. # # Required secrets: # AZURE_TENANT_ID — Azure AD tenant # AZURE_CLIENT_ID — Service principal client ID # AZURE_CLIENT_SECRET — Service principal secret # AZURE_KEY_VAULT_URL — e.g. https://my-vault.vault.azure.net # AZURE_CERT_NAME — Certificate/key name in the vault # GIT_TOKEN — PAT for cloning private repo + uploading packages # TAURI_SIGNING_PRIVATE_KEY — Tauri updater signing key (base64) # TAURI_SIGNING_PRIVATE_KEY_PASSWORD — Password for the signing key # ============================================================================= name: Build & Sign Wraith on: push: tags: - 'v*' workflow_dispatch: jobs: build-and-sign: name: Build Windows + Sign runs-on: linux steps: # --------------------------------------------------------------- # Checkout (manual clone — matches existing runner pattern) # --------------------------------------------------------------- - name: Checkout code run: git clone --depth 1 --branch ${{ github.ref_name }} https://${{ secrets.GIT_TOKEN }}@git.command.vigilcyber.com/vstockwell/wraith.git . # --------------------------------------------------------------- # Extract version from tag # --------------------------------------------------------------- - name: Get version from tag id: version run: | TAG=$(echo "${{ github.ref_name }}" | sed 's/^v//') echo "version=${TAG}" >> $GITHUB_OUTPUT echo "Building version: ${TAG}" # --------------------------------------------------------------- # Install toolchain # --------------------------------------------------------------- - name: Install build dependencies run: | apt-get update -qq apt-get install -y -qq \ mingw-w64 mingw-w64-tools \ default-jre-headless \ python3 curl nsis \ libssl-dev pkg-config # Node.js 22 NODE_MAJOR=$(node --version 2>/dev/null | sed 's/v\([0-9]*\).*/\1/' || echo "0") if [ "$NODE_MAJOR" -lt 20 ]; then echo "Node $NODE_MAJOR is too old, installing Node 22..." curl -fsSL https://deb.nodesource.com/setup_22.x | bash - apt-get install -y -qq nodejs fi # Rust + Windows target if ! command -v rustup &> /dev/null; then curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y . "$HOME/.cargo/env" fi rustup target add x86_64-pc-windows-gnu echo "=== Toolchain versions ===" node --version rustc --version cargo --version x86_64-w64-mingw32-gcc --version | head -1 # --------------------------------------------------------------- # Configure Rust cross-compilation for MinGW # --------------------------------------------------------------- - name: Configure MinGW cross-compilation run: | mkdir -p .cargo cat > .cargo/config.toml << 'EOF' [target.x86_64-pc-windows-gnu] linker = "x86_64-w64-mingw32-gcc" ar = "x86_64-w64-mingw32-ar" [target.x86_64-pc-windows-gnu.rustflags] rustflags = ["-C", "link-args=-mwindows"] EOF # --------------------------------------------------------------- # Build frontend # --------------------------------------------------------------- - name: Build frontend run: | npm ci npm run build echo "=== Frontend built ===" ls -la dist/ # --------------------------------------------------------------- # Build Tauri app (cross-compile for Windows) # --------------------------------------------------------------- - name: Build Tauri app env: TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }} TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }} run: | . "$HOME/.cargo/env" 2>/dev/null || true npx tauri build --target x86_64-pc-windows-gnu echo "=== Build output ===" find src-tauri/target/x86_64-pc-windows-gnu/release/bundle -type f -name "*.exe" -o -name "*.msi" 2>/dev/null ls -la src-tauri/target/x86_64-pc-windows-gnu/release/*.exe 2>/dev/null || true # --------------------------------------------------------------- # Code signing — jsign + Azure Key Vault (EV cert) # --------------------------------------------------------------- - name: Install jsign run: | curl -sSL -o /usr/local/bin/jsign.jar \ "https://github.com/ebourg/jsign/releases/download/7.0/jsign-7.0.jar" - name: Get Azure Key Vault access token id: azure-token run: | TOKEN=$(curl -s -X POST \ "https://login.microsoftonline.com/${{ secrets.AZURE_TENANT_ID }}/oauth2/v2.0/token" \ -d "client_id=${{ secrets.AZURE_CLIENT_ID }}" \ -d "client_secret=${{ secrets.AZURE_CLIENT_SECRET }}" \ -d "scope=https://vault.azure.net/.default" \ -d "grant_type=client_credentials" \ | python3 -c "import sys,json; print(json.load(sys.stdin)['access_token'])") echo "::add-mask::${TOKEN}" echo "token=${TOKEN}" >> $GITHUB_OUTPUT - name: Sign Windows binaries run: | echo "=== Signing Wraith binaries with EV certificate ===" BUNDLE_DIR="src-tauri/target/x86_64-pc-windows-gnu/release/bundle" for binary in $(find "$BUNDLE_DIR" -name "*.exe" -type f) $(find src-tauri/target/x86_64-pc-windows-gnu/release -maxdepth 1 -name "*.exe" -type f); do [ -f "$binary" ] || continue echo "Signing: $binary" java -jar /usr/local/bin/jsign.jar \ --storetype AZUREKEYVAULT \ --keystore "${{ secrets.AZURE_KEY_VAULT_URL }}" \ --storepass "${{ steps.azure-token.outputs.token }}" \ --alias "${{ secrets.AZURE_CERT_NAME }}" \ --tsaurl http://timestamp.digicert.com \ --tsmode RFC3161 \ "$binary" echo "Signed: $binary" done # --------------------------------------------------------------- # Create version.json # --------------------------------------------------------------- - name: Create version.json run: | VERSION="${{ steps.version.outputs.version }}" BUNDLE_DIR="src-tauri/target/x86_64-pc-windows-gnu/release/bundle" INSTALLER=$(find "$BUNDLE_DIR" -name "*.exe" -type f | head -1) if [ -z "$INSTALLER" ]; then echo "WARNING: No installer found, checking for raw exe..." INSTALLER="src-tauri/target/x86_64-pc-windows-gnu/release/wraith.exe" fi SHA=$(sha256sum "$INSTALLER" | awk '{print $1}') cat > version.json << EOF { "version": "${VERSION}", "filename": "$(basename $INSTALLER)", "sha256": "${SHA}", "platform": "windows", "architecture": "amd64", "released": "$(date -u +"%Y-%m-%dT%H:%M:%SZ")", "signed": true } EOF echo "=== version.json ===" cat version.json # --------------------------------------------------------------- # Upload to Gitea Package Registry # --------------------------------------------------------------- - name: Upload to Gitea packages run: | VERSION="${{ steps.version.outputs.version }}" GITEA_URL="https://git.command.vigilcyber.com" OWNER="vstockwell" PACKAGE="wraith" BUNDLE_DIR="src-tauri/target/x86_64-pc-windows-gnu/release/bundle" echo "=== Uploading Wraith v${VERSION} to Gitea packages ===" # Upload installer(s) for exe in $(find "$BUNDLE_DIR" -name "*.exe" -type f); do FILENAME=$(basename "$exe") echo "Uploading: ${FILENAME}" curl -s -X PUT \ -H "Authorization: token ${{ secrets.GIT_TOKEN }}" \ -H "Content-Type: application/octet-stream" \ --data-binary @"$exe" \ "${GITEA_URL}/api/packages/${OWNER}/generic/${PACKAGE}/${VERSION}/${FILENAME}" echo " Done." done # Upload version.json echo "Uploading: version.json" curl -s -X PUT \ -H "Authorization: token ${{ secrets.GIT_TOKEN }}" \ -H "Content-Type: application/octet-stream" \ --data-binary @"version.json" \ "${GITEA_URL}/api/packages/${OWNER}/generic/${PACKAGE}/${VERSION}/version.json" # Upload Tauri updater signature if it exists for sig in $(find "$BUNDLE_DIR" -name "*.sig" -type f 2>/dev/null); do echo "Uploading: $(basename $sig)" curl -s -X PUT \ -H "Authorization: token ${{ secrets.GIT_TOKEN }}" \ -H "Content-Type: application/octet-stream" \ --data-binary @"$sig" \ "${GITEA_URL}/api/packages/${OWNER}/generic/${PACKAGE}/${VERSION}/$(basename $sig)" done echo "" echo "=== Upload complete ===" # --------------------------------------------------------------- # Create Gitea Release # --------------------------------------------------------------- - name: Create Gitea Release run: | VERSION="${{ steps.version.outputs.version }}" GITEA_URL="https://git.command.vigilcyber.com" echo "=== Creating Gitea Release for v${VERSION} ===" curl -s -X POST \ -H "Authorization: token ${{ secrets.GIT_TOKEN }}" \ -H "Content-Type: application/json" \ -d "{\"tag_name\": \"v${VERSION}\", \"name\": \"Wraith v${VERSION}\", \"body\": \"Wraith Desktop v${VERSION} — Tauri v2 / Rust build.\"}" \ "${GITEA_URL}/api/v1/repos/vstockwell/wraith/releases" echo "" echo "Release created."