348d8c842d
act_runner v0.2.11 doesn't support step outputs. Extract version from github.ref_name inline in every step. Use absolute paths for NSIS. Write nsi file with System.IO to avoid encoding issues. Store Azure token in temp file instead of step output. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
184 lines
7.7 KiB
YAML
184 lines
7.7 KiB
YAML
# =============================================================================
|
|
# Wraith — Build & Sign Release (Tauri v2)
|
|
# =============================================================================
|
|
name: Build & Sign Wraith
|
|
|
|
on:
|
|
push:
|
|
tags:
|
|
- 'v*'
|
|
workflow_dispatch:
|
|
|
|
env:
|
|
EXTRA_PATH: C:\Program Files (x86)\NSIS;C:\Program Files\Eclipse Adoptium\jre-21.0.10.7-hotspot\bin;C:\Users\vantz\.cargo\bin;C:\Users\vantz\.rustup\toolchains\stable-x86_64-pc-windows-msvc\bin;C:\Program Files\nodejs
|
|
|
|
jobs:
|
|
build-and-sign:
|
|
name: Build Windows + Sign
|
|
runs-on: windows
|
|
steps:
|
|
- name: Checkout code
|
|
shell: powershell
|
|
run: |
|
|
git clone --depth 1 --branch ${{ github.ref_name }} https://${{ secrets.GIT_TOKEN }}@git.command.vigilcyber.com/vstockwell/wraith.git .
|
|
|
|
- name: Configure Rust
|
|
shell: powershell
|
|
run: |
|
|
$env:Path = "$env:EXTRA_PATH;$env:Path"
|
|
$ErrorActionPreference = "Continue"
|
|
rustup default stable
|
|
$ErrorActionPreference = "Stop"
|
|
|
|
- name: Verify toolchain
|
|
shell: powershell
|
|
run: |
|
|
$env:Path = "$env:EXTRA_PATH;$env:Path"
|
|
node --version
|
|
rustc --version
|
|
cargo --version
|
|
java --version
|
|
|
|
- name: Install dependencies and build frontend
|
|
shell: powershell
|
|
run: |
|
|
$env:Path = "$env:EXTRA_PATH;$env:Path"
|
|
npm ci
|
|
npm run build
|
|
|
|
- name: Install Tauri CLI
|
|
shell: powershell
|
|
run: |
|
|
$env:Path = "$env:EXTRA_PATH;$env:Path"
|
|
cargo install tauri-cli --version "^2"
|
|
|
|
- name: Build Tauri app
|
|
shell: powershell
|
|
run: |
|
|
$env:Path = "$env:EXTRA_PATH;$env:Path"
|
|
cargo tauri build --no-bundle
|
|
Get-ChildItem src-tauri\target\release\Wraith.exe
|
|
|
|
- name: Build NSIS installer
|
|
shell: powershell
|
|
run: |
|
|
$env:Path = "$env:EXTRA_PATH;$env:Path"
|
|
$ver = ("${{ github.ref_name }}" -replace '^v','')
|
|
$outExe = "Wraith_" + $ver + "_x64-setup.exe"
|
|
$workDir = (Get-Location).Path
|
|
|
|
New-Item -ItemType Directory -Force -Path "$workDir\dist-pkg" | Out-Null
|
|
Copy-Item "$workDir\src-tauri\target\release\Wraith.exe" "$workDir\dist-pkg\"
|
|
Copy-Item "$workDir\src-tauri\icons\icon.ico" "$workDir\dist-pkg\wraith.ico" -ErrorAction SilentlyContinue
|
|
|
|
$nsiContent = @'
|
|
!include "MUI2.nsh"
|
|
Name "Wraith"
|
|
OutFile "OUTFILE_PLACEHOLDER"
|
|
InstallDir "$PROGRAMFILES64\Wraith"
|
|
RequestExecutionLevel admin
|
|
!insertmacro MUI_PAGE_DIRECTORY
|
|
!insertmacro MUI_PAGE_INSTFILES
|
|
!insertmacro MUI_LANGUAGE "English"
|
|
Section "Install"
|
|
SetOutPath "$INSTDIR"
|
|
File "Wraith.exe"
|
|
File "wraith.ico"
|
|
CreateDirectory "$SMPROGRAMS\Wraith"
|
|
CreateShortcut "$SMPROGRAMS\Wraith\Wraith.lnk" "$INSTDIR\Wraith.exe" "" "$INSTDIR\wraith.ico"
|
|
CreateShortcut "$DESKTOP\Wraith.lnk" "$INSTDIR\Wraith.exe" "" "$INSTDIR\wraith.ico"
|
|
WriteUninstaller "$INSTDIR\uninstall.exe"
|
|
WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\Wraith" "DisplayName" "Wraith"
|
|
WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\Wraith" "UninstallString" "$INSTDIR\uninstall.exe"
|
|
WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\Wraith" "DisplayVersion" "VER_PLACEHOLDER"
|
|
WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\Wraith" "Publisher" "Vigilance Cyber"
|
|
SectionEnd
|
|
Section "Uninstall"
|
|
Delete "$INSTDIR\Wraith.exe"
|
|
Delete "$INSTDIR\wraith.ico"
|
|
Delete "$INSTDIR\uninstall.exe"
|
|
RMDir "$INSTDIR"
|
|
Delete "$SMPROGRAMS\Wraith\Wraith.lnk"
|
|
RMDir "$SMPROGRAMS\Wraith"
|
|
Delete "$DESKTOP\Wraith.lnk"
|
|
DeleteRegKey HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\Wraith"
|
|
SectionEnd
|
|
'@
|
|
$nsiContent = $nsiContent.Replace("OUTFILE_PLACEHOLDER", $outExe).Replace("VER_PLACEHOLDER", $ver)
|
|
[System.IO.File]::WriteAllText("$workDir\dist-pkg\installer.nsi", $nsiContent)
|
|
|
|
Write-Host "=== NSIS script written ==="
|
|
Write-Host "Working dir: $workDir"
|
|
Write-Host "OutFile: $outExe"
|
|
Get-ChildItem "$workDir\dist-pkg\"
|
|
|
|
& makensis "$workDir\dist-pkg\installer.nsi"
|
|
Move-Item "$workDir\dist-pkg\$outExe" "$workDir\"
|
|
Write-Host "=== Installer built ==="
|
|
Get-ChildItem "$workDir\$outExe"
|
|
|
|
- name: Download jsign
|
|
shell: powershell
|
|
run: |
|
|
Invoke-WebRequest -Uri "https://github.com/ebourg/jsign/releases/download/7.0/jsign-7.0.jar" -OutFile jsign.jar
|
|
|
|
- name: Get Azure token
|
|
id: azure-token
|
|
shell: powershell
|
|
run: |
|
|
$body = @{
|
|
client_id = "${{ secrets.AZURE_CLIENT_ID }}"
|
|
client_secret = "${{ secrets.AZURE_CLIENT_SECRET }}"
|
|
scope = "https://vault.azure.net/.default"
|
|
grant_type = "client_credentials"
|
|
}
|
|
$resp = Invoke-RestMethod -Uri "https://login.microsoftonline.com/${{ secrets.AZURE_TENANT_ID }}/oauth2/v2.0/token" -Method POST -Body $body
|
|
$token = $resp.access_token
|
|
echo "::add-mask::$token"
|
|
[System.IO.File]::WriteAllText("$env:TEMP\aztoken.txt", $token)
|
|
|
|
- name: Sign binaries
|
|
shell: powershell
|
|
run: |
|
|
$env:Path = "$env:EXTRA_PATH;$env:Path"
|
|
$ver = ("${{ github.ref_name }}" -replace '^v','')
|
|
$token = [System.IO.File]::ReadAllText("$env:TEMP\aztoken.txt")
|
|
$binaries = @("src-tauri\target\release\Wraith.exe", "Wraith_" + $ver + "_x64-setup.exe")
|
|
foreach ($path in $binaries) {
|
|
if (Test-Path $path) {
|
|
Write-Host "Signing: $path"
|
|
java -jar jsign.jar --storetype AZUREKEYVAULT --keystore "${{ secrets.AZURE_KEY_VAULT_URL }}" --storepass $token --alias "${{ secrets.AZURE_CERT_NAME }}" --tsaurl http://timestamp.digicert.com --tsmode RFC3161 $path
|
|
Write-Host "Signed."
|
|
}
|
|
}
|
|
Remove-Item "$env:TEMP\aztoken.txt" -ErrorAction SilentlyContinue
|
|
|
|
- name: Upload to Gitea
|
|
shell: powershell
|
|
run: |
|
|
$ver = ("${{ github.ref_name }}" -replace '^v','')
|
|
$installer = "Wraith_" + $ver + "_x64-setup.exe"
|
|
$giteaUrl = "https://git.command.vigilcyber.com"
|
|
$headers = @{ Authorization = "token ${{ secrets.GIT_TOKEN }}" }
|
|
|
|
# Version JSON
|
|
$hash = (Get-FileHash $installer -Algorithm SHA256).Hash.ToLower()
|
|
@{ version = $ver; filename = $installer; sha256 = $hash; platform = "windows"; architecture = "amd64"; released = (Get-Date -Format "yyyy-MM-ddTHH:mm:ssZ"); signed = $true } | ConvertTo-Json | Out-File version.json -Encoding utf8
|
|
|
|
Write-Host "Uploading $installer"
|
|
Invoke-RestMethod -Uri "$giteaUrl/api/packages/vstockwell/generic/wraith/$ver/$installer" -Method PUT -Headers $headers -ContentType "application/octet-stream" -InFile $installer
|
|
|
|
Write-Host "Uploading version.json"
|
|
Invoke-RestMethod -Uri "$giteaUrl/api/packages/vstockwell/generic/wraith/$ver/version.json" -Method PUT -Headers $headers -ContentType "application/octet-stream" -InFile version.json
|
|
|
|
Write-Host "=== Upload complete ==="
|
|
|
|
- name: Create Release
|
|
shell: powershell
|
|
run: |
|
|
$ver = ("${{ github.ref_name }}" -replace '^v','')
|
|
$headers = @{ Authorization = "token ${{ secrets.GIT_TOKEN }}"; "Content-Type" = "application/json" }
|
|
$body = @{ tag_name = "v$ver"; name = "Wraith v$ver"; body = "Wraith Desktop v$ver - Tauri v2 / Rust build." } | ConvertTo-Json
|
|
Invoke-RestMethod -Uri "https://git.command.vigilcyber.com/api/v1/repos/vstockwell/wraith/releases" -Method POST -Headers $headers -Body $body
|
|
Write-Host "Release v$ver created."
|