vstockwell/wraith
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 67 Wiki Activity
1b04d3edeb
wraith/.gitea/workflows/build-release.yml
Vantz Stockwell 1b04d3edeb
Some checks failed
Build & Sign Wraith / Build Windows + Sign (push) Failing after 18s
Details
fix: suppress MinGW format string warnings in FreeRDP build (-Wno-format)
2026-03-17 09:31:17 -04:00

313 lines
12 KiB
YAML
Raw Blame History

# =============================================================================
# Wraith — Build & Sign Release
# =============================================================================
# Builds the Wails v3 desktop app for Windows amd64, cross-compiles FreeRDP3
# from source via MinGW, signs everything with Azure Key Vault EV cert,
# then uploads to SeaweedFS.
#
# Trigger: push a tag matching v* (e.g. v1.0.0) or run manually.
#
# Required secrets:
# AZURE_TENANT_ID — Azure AD tenant
# AZURE_CLIENT_ID — Service principal client ID
# AZURE_CLIENT_SECRET — Service principal secret
# AZURE_KEY_VAULT_URL — e.g. https://my-vault.vault.azure.net
# AZURE_CERT_NAME — Certificate/key name in the vault
# GIT_TOKEN — PAT for cloning private repo
# =============================================================================
name: Build & Sign Wraith
on:
push:
tags:
- 'v*'
workflow_dispatch:
jobs:
build-and-sign:
name: Build Windows + Sign
runs-on: linux
steps:
# ---------------------------------------------------------------
# Checkout
# ---------------------------------------------------------------
- name: Checkout code
run: git clone --depth 1 --branch ${{ github.ref_name }} https://${{ secrets.GIT_TOKEN }}@git.command.vigilcyber.com/vstockwell/wraith.git .
# ---------------------------------------------------------------
# Extract version from tag
# ---------------------------------------------------------------
- name: Get version from tag
id: version
run: |
TAG=$(echo "${{ github.ref_name }}" | sed 's/^v//')
echo "version=${TAG}" >> $GITHUB_OUTPUT
echo "Building version: ${TAG}"
# ---------------------------------------------------------------
# Install toolchain
# ---------------------------------------------------------------
- name: Install build dependencies
run: |
apt-get update -qq
apt-get install -y -qq \
mingw-w64 mingw-w64-tools binutils-mingw-w64 \
cmake ninja-build nasm meson \
default-jre-headless \
python3 curl pkg-config
# Node.js
if ! command -v node >/dev/null 2>&1; then
curl -fsSL https://deb.nodesource.com/setup_22.x | bash -
apt-get install -y -qq nodejs
fi
echo "=== Toolchain versions ==="
go version
node --version
x86_64-w64-mingw32-gcc --version | head -1
cmake --version | head -1
# ===============================================================
# FreeRDP3 dependencies — cross-compile zlib + OpenSSL for MinGW
# ===============================================================
- name: Build FreeRDP3 dependencies (zlib + OpenSSL for MinGW)
run: |
INSTALL_PREFIX="/tmp/mingw-deps"
mkdir -p "$INSTALL_PREFIX"
export CROSS=x86_64-w64-mingw32
# --- zlib ---
echo "=== Building zlib for MinGW ==="
ZLIB_VERSION="1.3.1"
curl -sSL -o /tmp/zlib.tar.gz "https://github.com/madler/zlib/releases/download/v${ZLIB_VERSION}/zlib-${ZLIB_VERSION}.tar.gz"
tar -xzf /tmp/zlib.tar.gz -C /tmp
cd /tmp/zlib-${ZLIB_VERSION}
CC=${CROSS}-gcc AR=${CROSS}-ar RANLIB=${CROSS}-ranlib \
./configure --prefix="$INSTALL_PREFIX" --static
make -j$(nproc)
make install
echo "zlib installed to $INSTALL_PREFIX"
# --- OpenSSL ---
echo "=== Building OpenSSL for MinGW ==="
OPENSSL_VERSION="3.4.1"
curl -sSL -o /tmp/openssl.tar.gz "https://github.com/openssl/openssl/releases/download/openssl-${OPENSSL_VERSION}/openssl-${OPENSSL_VERSION}.tar.gz"
tar -xzf /tmp/openssl.tar.gz -C /tmp
cd /tmp/openssl-${OPENSSL_VERSION}
./Configure mingw64 no-shared no-tests \
--cross-compile-prefix=${CROSS}- \
--prefix="$INSTALL_PREFIX"
make -j$(nproc)
make install_sw
echo "OpenSSL installed to $INSTALL_PREFIX"
# ===============================================================
# FreeRDP3 — Cross-compile from source via MinGW
# ===============================================================
- name: Build FreeRDP3 for Windows (MinGW cross-compile)
run: |
FREERDP_VERSION="3.10.3"
INSTALL_PREFIX="/tmp/mingw-deps"
echo "=== Building FreeRDP ${FREERDP_VERSION} for Windows amd64 via MinGW ==="
# Download FreeRDP source
curl -sSL -o /tmp/freerdp.tar.gz "https://github.com/FreeRDP/FreeRDP/archive/refs/tags/${FREERDP_VERSION}.tar.gz"
tar -xzf /tmp/freerdp.tar.gz -C /tmp
cd /tmp/FreeRDP-${FREERDP_VERSION}
# Create MinGW toolchain file pointing to our built deps
cat > /tmp/mingw-toolchain.cmake << TCEOF
set(CMAKE_SYSTEM_NAME Windows)
set(CMAKE_SYSTEM_PROCESSOR AMD64)
set(CMAKE_C_COMPILER x86_64-w64-mingw32-gcc)
set(CMAKE_CXX_COMPILER x86_64-w64-mingw32-g++)
set(CMAKE_RC_COMPILER x86_64-w64-mingw32-windres)
set(CMAKE_FIND_ROOT_PATH /usr/x86_64-w64-mingw32;${INSTALL_PREFIX})
set(CMAKE_FIND_ROOT_PATH_MODE_PROGRAM NEVER)
set(CMAKE_FIND_ROOT_PATH_MODE_LIBRARY ONLY)
set(CMAKE_FIND_ROOT_PATH_MODE_INCLUDE ONLY)
set(CMAKE_PREFIX_PATH ${INSTALL_PREFIX})
set(OPENSSL_ROOT_DIR ${INSTALL_PREFIX})
set(ZLIB_ROOT ${INSTALL_PREFIX})
TCEOF
# Configure — minimal client-only build
# -Wno-format suppresses MinGW PRIuz/PRIxz format string warnings
cmake -B build -G Ninja \
-DCMAKE_TOOLCHAIN_FILE=/tmp/mingw-toolchain.cmake \
-DCMAKE_BUILD_TYPE=Release \
-DCMAKE_C_FLAGS="-Wno-format" \
-DCMAKE_INSTALL_PREFIX=/tmp/freerdp-install \
-DBUILD_SHARED_LIBS=ON \
-DWITH_CLIENT=OFF \
-DWITH_CLIENT_SDL=OFF \
-DWITH_CLIENT_WINDOWS=OFF \
-DWITH_SERVER=OFF \
-DWITH_SHADOW=OFF \
-DWITH_PROXY=OFF \
-DWITH_SAMPLE=OFF \
-DWITH_PLATFORM_SERVER=OFF \
-DWITH_WINPR_TOOLS=OFF \
-DWITH_FFMPEG=OFF \
-DWITH_SWSCALE=OFF \
-DWITH_CAIRO=OFF \
-DWITH_CUPS=OFF \
-DWITH_PULSE=OFF \
-DWITH_ALSA=OFF \
-DWITH_OSS=OFF \
-DWITH_WAYLAND=OFF \
-DWITH_X11=OFF \
-DCHANNEL_URBDRC=OFF \
-DWITH_OPENH264=OFF
# Build
cmake --build build --parallel $(nproc)
cmake --install build
echo "=== FreeRDP3 DLLs built ==="
ls -la /tmp/freerdp-install/bin/*.dll 2>/dev/null || ls -la /tmp/freerdp-install/lib/*.dll 2>/dev/null || echo "Checking build output..."
find /tmp/freerdp-install -name "*.dll" -type f
- name: Stage FreeRDP3 DLLs
run: |
mkdir -p dist
# Copy all FreeRDP DLLs (MinGW produces lib-prefixed names)
find /tmp/freerdp-install -name "*.dll" -type f -exec cp {} dist/ \;
echo "=== Staged DLLs ==="
ls -la dist/*.dll 2>/dev/null || echo "No DLLs found — FreeRDP build may have failed"
# ===============================================================
# Build Wraith
# ===============================================================
- name: Build frontend
run: |
cd frontend
npm ci
npm run build
echo "Frontend build complete:"
ls -la dist/
- name: Build wraith.exe (Windows amd64)
run: |
VERSION="${{ steps.version.outputs.version }}"
echo "=== Cross-compiling wraith.exe for Windows amd64 ==="
GOOS=windows GOARCH=amd64 CGO_ENABLED=0 \
go build \
-ldflags="-s -w -X main.version=${VERSION}" \
-o dist/wraith.exe \
.
ls -la dist/wraith.exe
# ===============================================================
# Code signing — jsign + Azure Key Vault (EV cert)
# ===============================================================
- name: Install jsign
run: |
JSIGN_VERSION="7.0"
curl -sSL -o /usr/local/bin/jsign.jar \
"https://github.com/ebourg/jsign/releases/download/${JSIGN_VERSION}/jsign-${JSIGN_VERSION}.jar"
- name: Get Azure Key Vault access token
id: azure-token
run: |
TOKEN=$(curl -s -X POST \
"https://login.microsoftonline.com/${{ secrets.AZURE_TENANT_ID }}/oauth2/v2.0/token" \
-d "client_id=${{ secrets.AZURE_CLIENT_ID }}" \
-d "client_secret=${{ secrets.AZURE_CLIENT_SECRET }}" \
-d "scope=https://vault.azure.net/.default" \
-d "grant_type=client_credentials" \
| python3 -c "import sys,json; print(json.load(sys.stdin)['access_token'])")
echo "::add-mask::${TOKEN}"
echo "token=${TOKEN}" >> $GITHUB_OUTPUT
- name: Sign all Windows binaries
run: |
echo "=== Signing all .exe and .dll files with EV certificate ==="
for binary in dist/*.exe dist/*.dll; do
[ -f "$binary" ] || continue
echo "Signing: $binary"
java -jar /usr/local/bin/jsign.jar \
--storetype AZUREKEYVAULT \
--keystore "${{ secrets.AZURE_KEY_VAULT_URL }}" \
--storepass "${{ steps.azure-token.outputs.token }}" \
--alias "${{ secrets.AZURE_CERT_NAME }}" \
--tsaurl http://timestamp.digicert.com \
--tsmode RFC3161 \
"$binary"
echo "Signed: $binary"
done
# ===============================================================
# Version manifest
# ===============================================================
- name: Create version.json
run: |
VERSION="${{ steps.version.outputs.version }}"
EXE_SHA=$(sha256sum dist/wraith.exe | awk '{print $1}')
# Build DLL manifest
DLL_ENTRIES=""
for dll in dist/*.dll; do
[ -f "$dll" ] || continue
DLL_NAME=$(basename "$dll")
DLL_SHA=$(sha256sum "$dll" | awk '{print $1}')
DLL_ENTRIES="${DLL_ENTRIES} \"${DLL_NAME}\": \"${DLL_SHA}\",
"
done
cat > dist/version.json << EOF
{
"version": "${VERSION}",
"filename": "wraith.exe",
"sha256": "${EXE_SHA}",
"platform": "windows",
"architecture": "amd64",
"released": "$(date -u +"%Y-%m-%dT%H:%M:%SZ")",
"signed": true,
"dlls": {
${DLL_ENTRIES} "_note": "All DLLs are EV code-signed"
}
}
EOF
echo "=== version.json ==="
cat dist/version.json
# ===============================================================
# Upload to Gitea Package Registry
# ===============================================================
- name: Upload to Gitea packages
run: |
VERSION="${{ steps.version.outputs.version }}"
GITEA_URL="https://git.command.vigilcyber.com"
OWNER="vstockwell"
PACKAGE="wraith"
echo "=== Uploading Wraith ${VERSION} to Gitea packages ==="
# Upload each file as a generic package
for file in dist/*; do
[ -f "$file" ] || continue
FILENAME=$(basename "$file")
echo "Uploading: ${FILENAME}"
curl -s -X PUT \
-H "Authorization: token ${{ secrets.GIT_TOKEN }}" \
-H "Content-Type: application/octet-stream" \
--data-binary @"$file" \
"${GITEA_URL}/api/packages/${OWNER}/generic/${PACKAGE}/${VERSION}/${FILENAME}"
echo " Done."
done
echo ""
echo "=== Upload complete ==="
echo "Package: ${GITEA_URL}/${OWNER}/-/packages/generic/${PACKAGE}/${VERSION}"
echo ""
echo "=== Contents ==="
ls -la dist/
Reference in New Issue View Git Blame Copy Permalink