429f41d853
All checks were successful
Build & Sign Wraith / Build Windows + Sign (push) Successful in 2m48s
Never manually sync version again. CI reads the tag, patches the config before building. Also bumped to 1.1.5. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
133 lines
5.7 KiB
YAML
133 lines
5.7 KiB
YAML
# =============================================================================
|
|
# Wraith — Build & Sign Release (Tauri v2)
|
|
# =============================================================================
|
|
name: Build & Sign Wraith
|
|
|
|
on:
|
|
push:
|
|
tags:
|
|
- 'v*'
|
|
workflow_dispatch:
|
|
|
|
env:
|
|
EXTRA_PATH: C:\Program Files (x86)\NSIS;C:\Program Files\Eclipse Adoptium\jre-21.0.10.7-hotspot\bin;C:\Users\vantz\.cargo\bin;C:\Users\vantz\.rustup\toolchains\stable-x86_64-pc-windows-msvc\bin;C:\Program Files\nodejs
|
|
|
|
jobs:
|
|
build-and-sign:
|
|
name: Build Windows + Sign
|
|
runs-on: windows
|
|
steps:
|
|
- name: Checkout code
|
|
shell: powershell
|
|
run: |
|
|
git clone --depth 1 --branch ${{ github.ref_name }} https://${{ secrets.GIT_TOKEN }}@git.command.vigilcyber.com/vstockwell/wraith.git .
|
|
|
|
- name: Configure Rust
|
|
shell: powershell
|
|
run: |
|
|
$env:Path = "$env:EXTRA_PATH;$env:Path"
|
|
$ErrorActionPreference = "Continue"
|
|
rustup default stable
|
|
$ErrorActionPreference = "Stop"
|
|
|
|
- name: Verify toolchain
|
|
shell: powershell
|
|
run: |
|
|
$env:Path = "$env:EXTRA_PATH;$env:Path"
|
|
node --version
|
|
rustc --version
|
|
cargo --version
|
|
java --version
|
|
|
|
- name: Patch version from git tag
|
|
shell: powershell
|
|
run: |
|
|
$ver = ("${{ github.ref_name }}" -replace '^v','')
|
|
$conf = Get-Content src-tauri\tauri.conf.json -Raw
|
|
$conf = $conf -replace '"version":\s*"[^"]*"', "`"version`": `"$ver`""
|
|
[System.IO.File]::WriteAllText((Join-Path (Get-Location) "src-tauri\tauri.conf.json"), $conf)
|
|
Write-Host "Patched tauri.conf.json version to $ver"
|
|
|
|
- name: Install dependencies and build frontend
|
|
shell: powershell
|
|
run: |
|
|
$env:Path = "$env:EXTRA_PATH;$env:Path"
|
|
npm ci
|
|
npm run build
|
|
|
|
- name: Install Tauri CLI
|
|
shell: powershell
|
|
run: |
|
|
$env:Path = "$env:EXTRA_PATH;$env:Path"
|
|
cargo install tauri-cli --version "^2"
|
|
|
|
- name: Build Tauri app
|
|
shell: powershell
|
|
run: |
|
|
$env:Path = "$env:EXTRA_PATH;$env:Path"
|
|
cargo tauri build
|
|
Write-Host "=== Build output ==="
|
|
Get-ChildItem -Recurse src-tauri\target\release\bundle\nsis\*.exe
|
|
|
|
- name: Download jsign
|
|
shell: powershell
|
|
run: |
|
|
Invoke-WebRequest -Uri "https://github.com/ebourg/jsign/releases/download/7.0/jsign-7.0.jar" -OutFile jsign.jar
|
|
|
|
- name: Get Azure token
|
|
shell: powershell
|
|
run: |
|
|
$body = @{
|
|
client_id = "${{ secrets.AZURE_CLIENT_ID }}"
|
|
client_secret = "${{ secrets.AZURE_CLIENT_SECRET }}"
|
|
scope = "https://vault.azure.net/.default"
|
|
grant_type = "client_credentials"
|
|
}
|
|
$resp = Invoke-RestMethod -Uri "https://login.microsoftonline.com/${{ secrets.AZURE_TENANT_ID }}/oauth2/v2.0/token" -Method POST -Body $body
|
|
$token = $resp.access_token
|
|
echo "::add-mask::$token"
|
|
[System.IO.File]::WriteAllText("$env:TEMP\aztoken.txt", $token)
|
|
|
|
- name: Sign binaries
|
|
shell: powershell
|
|
run: |
|
|
$env:Path = "$env:EXTRA_PATH;$env:Path"
|
|
$token = [System.IO.File]::ReadAllText("$env:TEMP\aztoken.txt")
|
|
$binaries = Get-ChildItem -Recurse src-tauri\target\release\bundle\nsis\*.exe
|
|
foreach ($binary in $binaries) {
|
|
Write-Host "Signing: $($binary.FullName)"
|
|
java -jar jsign.jar --storetype AZUREKEYVAULT --keystore "${{ secrets.AZURE_KEY_VAULT_URL }}" --storepass $token --alias "${{ secrets.AZURE_CERT_NAME }}" --tsaurl http://timestamp.digicert.com --tsmode RFC3161 $binary.FullName
|
|
Write-Host "Signed: $($binary.Name)"
|
|
}
|
|
Remove-Item "$env:TEMP\aztoken.txt" -ErrorAction SilentlyContinue
|
|
|
|
- name: Upload to Gitea
|
|
shell: powershell
|
|
run: |
|
|
$ver = ("${{ github.ref_name }}" -replace '^v','')
|
|
$giteaUrl = "https://git.command.vigilcyber.com"
|
|
$headers = @{ Authorization = "token ${{ secrets.GIT_TOKEN }}" }
|
|
|
|
$installers = Get-ChildItem -Recurse src-tauri\target\release\bundle\nsis\*.exe
|
|
foreach ($file in $installers) {
|
|
$hash = (Get-FileHash $file.FullName -Algorithm SHA256).Hash.ToLower()
|
|
@{ version = $ver; filename = $file.Name; sha256 = $hash; platform = "windows"; architecture = "amd64"; released = (Get-Date -Format "yyyy-MM-ddTHH:mm:ssZ"); signed = $true } | ConvertTo-Json | Out-File version.json -Encoding utf8
|
|
|
|
Write-Host "Uploading: $($file.Name)"
|
|
Invoke-RestMethod -Uri "$giteaUrl/api/packages/vstockwell/generic/wraith/$ver/$($file.Name)" -Method PUT -Headers $headers -ContentType "application/octet-stream" -InFile $file.FullName
|
|
|
|
Write-Host "Uploading: version.json"
|
|
Invoke-RestMethod -Uri "$giteaUrl/api/packages/vstockwell/generic/wraith/$ver/version.json" -Method PUT -Headers $headers -ContentType "application/octet-stream" -InFile version.json
|
|
}
|
|
|
|
Write-Host "=== Upload complete ==="
|
|
|
|
- name: Create Release
|
|
shell: powershell
|
|
run: |
|
|
$ver = ("${{ github.ref_name }}" -replace '^v','')
|
|
$headers = @{ Authorization = "token ${{ secrets.GIT_TOKEN }}"; "Content-Type" = "application/json" }
|
|
$body = @{ tag_name = "v$ver"; name = "Wraith v$ver"; body = "Wraith Desktop v$ver - Tauri v2 / Rust build." } | ConvertTo-Json
|
|
Invoke-RestMethod -Uri "https://git.command.vigilcyber.com/api/v1/repos/vstockwell/wraith/releases" -Method POST -Headers $headers -Body $body
|
|
Write-Host "Release v$ver created."
|