vstockwell/wraith
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 67 Wiki Activity
47fb066f1d
wraith/.gitea/workflows/build-release.yml
Vantz Stockwell 47fb066f1d
Some checks failed
Build & Sign Wraith / Build Windows + Sign (push) Has been cancelled
Details
docs: Phase 7 complete — CLAUDE.md + Go migration checklist 
CLAUDE.md for future XOs: tech stack, architecture, commands,
key design decisions, lineage from Go version.

GO_MIGRATION.md: step-by-step checklist for deploying v2,
archiving Go repo, configuring CI secrets, first release.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-17 16:48:36 -04:00

214 lines
8.2 KiB
YAML
Raw Blame History

# =============================================================================
# Wraith v2 — Build & Sign Release (Tauri v2)
# =============================================================================
# Builds the Tauri desktop app for Windows amd64, signs with Azure Key Vault
# EV cert, creates NSIS installer, uploads to Gitea packages + releases.
#
# Trigger: push a tag matching v* (e.g. v1.0.0) or run manually.
#
# Required secrets:
# AZURE_TENANT_ID — Azure AD tenant
# AZURE_CLIENT_ID — Service principal client ID
# AZURE_CLIENT_SECRET — Service principal secret
# AZURE_KEY_VAULT_URL — e.g. https://my-vault.vault.azure.net
# AZURE_CERT_NAME — Certificate/key name in the vault
# GIT_TOKEN — PAT for cloning private repo + uploading packages
# TAURI_SIGNING_PRIVATE_KEY — Tauri updater signing key (base64)
# TAURI_SIGNING_PRIVATE_KEY_PASSWORD — Password for the signing key
# =============================================================================
name: Build & Sign Wraith
on:
push:
tags:
- 'v*'
workflow_dispatch:
jobs:
build-and-sign:
name: Build Windows + Sign
runs-on: windows-latest
steps:
# ---------------------------------------------------------------
# Checkout
# ---------------------------------------------------------------
- name: Checkout code
uses: actions/checkout@v4
# ---------------------------------------------------------------
# Extract version from tag
# ---------------------------------------------------------------
- name: Get version from tag
id: version
shell: bash
run: |
TAG=$(echo "${{ github.ref_name }}" | sed 's/^v//')
echo "version=${TAG}" >> $GITHUB_OUTPUT
echo "Building version: ${TAG}"
# ---------------------------------------------------------------
# Install toolchain
# ---------------------------------------------------------------
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '22'
- name: Setup Rust
uses: dtolnay/rust-toolchain@stable
with:
targets: x86_64-pc-windows-msvc
- name: Install frontend dependencies
run: npm ci
# ---------------------------------------------------------------
# Build with Tauri
# ---------------------------------------------------------------
- name: Build Tauri app
env:
TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY_PASSWORD }}
run: npx tauri build
# ---------------------------------------------------------------
# Code signing — jsign + Azure Key Vault (EV cert)
# ---------------------------------------------------------------
- name: Install Java (for jsign)
uses: actions/setup-java@v4
with:
distribution: 'temurin'
java-version: '21'
- name: Download jsign
shell: bash
run: |
curl -sSL -o jsign.jar \
"https://github.com/ebourg/jsign/releases/download/7.0/jsign-7.0.jar"
- name: Get Azure Key Vault access token
id: azure-token
shell: bash
run: |
TOKEN=$(curl -s -X POST \
"https://login.microsoftonline.com/${{ secrets.AZURE_TENANT_ID }}/oauth2/v2.0/token" \
-d "client_id=${{ secrets.AZURE_CLIENT_ID }}" \
-d "client_secret=${{ secrets.AZURE_CLIENT_SECRET }}" \
-d "scope=https://vault.azure.net/.default" \
-d "grant_type=client_credentials" \
| python -c "import sys,json; print(json.load(sys.stdin)['access_token'])")
echo "::add-mask::${TOKEN}"
echo "token=${TOKEN}" >> $GITHUB_OUTPUT
- name: Sign Windows binaries
shell: bash
run: |
echo "=== Signing Wraith binaries with EV certificate ==="
BUNDLE_DIR="src-tauri/target/release/bundle"
# Sign the main exe
for binary in ${BUNDLE_DIR}/nsis/*.exe; do
[ -f "$binary" ] || continue
echo "Signing: $binary"
java -jar jsign.jar \
--storetype AZUREKEYVAULT \
--keystore "${{ secrets.AZURE_KEY_VAULT_URL }}" \
--storepass "${{ steps.azure-token.outputs.token }}" \
--alias "${{ secrets.AZURE_CERT_NAME }}" \
--tsaurl http://timestamp.digicert.com \
--tsmode RFC3161 \
"$binary"
echo "Signed: $binary"
done
# ---------------------------------------------------------------
# Create version.json
# ---------------------------------------------------------------
- name: Create version.json
shell: bash
run: |
VERSION="${{ steps.version.outputs.version }}"
BUNDLE_DIR="src-tauri/target/release/bundle/nsis"
INSTALLER=$(ls ${BUNDLE_DIR}/*.exe | head -1)
SHA=$(sha256sum "$INSTALLER" | awk '{print $1}')
cat > version.json << EOF
{
"version": "${VERSION}",
"filename": "$(basename $INSTALLER)",
"sha256": "${SHA}",
"platform": "windows",
"architecture": "amd64",
"released": "$(date -u +"%Y-%m-%dT%H:%M:%SZ")",
"signed": true
}
EOF
echo "=== version.json ==="
cat version.json
# ---------------------------------------------------------------
# Upload to Gitea Package Registry
# ---------------------------------------------------------------
- name: Upload to Gitea packages
shell: bash
run: |
VERSION="${{ steps.version.outputs.version }}"
GITEA_URL="https://git.command.vigilcyber.com"
OWNER="vstockwell"
PACKAGE="wraith"
BUNDLE_DIR="src-tauri/target/release/bundle/nsis"
echo "=== Uploading Wraith v${VERSION} to Gitea packages ==="
# Upload installer
INSTALLER=$(ls ${BUNDLE_DIR}/*.exe | head -1)
FILENAME=$(basename "$INSTALLER")
echo "Uploading: ${FILENAME}"
curl -s -X PUT \
-H "Authorization: token ${{ secrets.GIT_TOKEN }}" \
-H "Content-Type: application/octet-stream" \
--data-binary @"$INSTALLER" \
"${GITEA_URL}/api/packages/${OWNER}/generic/${PACKAGE}/${VERSION}/${FILENAME}"
# Upload version.json
echo "Uploading: version.json"
curl -s -X PUT \
-H "Authorization: token ${{ secrets.GIT_TOKEN }}" \
-H "Content-Type: application/octet-stream" \
--data-binary @"version.json" \
"${GITEA_URL}/api/packages/${OWNER}/generic/${PACKAGE}/${VERSION}/version.json"
# Upload Tauri updater signature if it exists
SIG_FILE=$(ls ${BUNDLE_DIR}/*.sig 2>/dev/null | head -1)
if [ -f "$SIG_FILE" ]; then
echo "Uploading: $(basename $SIG_FILE)"
curl -s -X PUT \
-H "Authorization: token ${{ secrets.GIT_TOKEN }}" \
-H "Content-Type: application/octet-stream" \
--data-binary @"$SIG_FILE" \
"${GITEA_URL}/api/packages/${OWNER}/generic/${PACKAGE}/${VERSION}/$(basename $SIG_FILE)"
fi
echo ""
echo "=== Upload complete ==="
# ---------------------------------------------------------------
# Create Gitea Release (with v prefix to match git tag)
# ---------------------------------------------------------------
- name: Create Gitea Release
shell: bash
run: |
VERSION="${{ steps.version.outputs.version }}"
GITEA_URL="https://git.command.vigilcyber.com"
echo "=== Creating Gitea Release for v${VERSION} ==="
curl -s -X POST \
-H "Authorization: token ${{ secrets.GIT_TOKEN }}" \
-H "Content-Type: application/json" \
-d "{\"tag_name\": \"v${VERSION}\", \"name\": \"Wraith v${VERSION}\", \"body\": \"Wraith Desktop v${VERSION} — Tauri v2 build.\"}" \
"${GITEA_URL}/api/v1/repos/vstockwell/wraith/releases"
echo ""
echo "Release created."
Reference in New Issue View Git Blame Copy Permalink