120 lines
4.1 KiB
YAML
120 lines
4.1 KiB
YAML
name: Manually Sign Windows Binaries
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
build_run_number:
|
|
description: 'GitHub Run Number (per build_viewer.yml workflow)'
|
|
required: true
|
|
policy:
|
|
description: 'Policy to sign binaries'
|
|
required: true
|
|
type: choice
|
|
default: "Test"
|
|
options:
|
|
- "Test"
|
|
- "Release"
|
|
# viewer_version:
|
|
# description: 'viewer version not including build'
|
|
# required: true
|
|
# default: '7.1.10'
|
|
# viewer_build:
|
|
# description: 'build id'
|
|
# required: true
|
|
# default: '799999'
|
|
# viewer_release_type:
|
|
# description: 'release type'
|
|
# required: true
|
|
# default: 'Release'
|
|
# branch:
|
|
# description: 'Branch to deploy from'
|
|
# required: false
|
|
# default: 'master'
|
|
|
|
jobs:
|
|
find-setup-files:
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
actions: read
|
|
contents: read
|
|
outputs:
|
|
setup_files: ${{ steps.get-files.outputs.setup_files }}
|
|
steps:
|
|
- name: Download Build Artifacts
|
|
uses: dawidd6/action-download-artifact@v7
|
|
id: download
|
|
with:
|
|
workflow: build_viewer.yml
|
|
run_number: ${{ github.event.inputs.build_run_number }}
|
|
name: .*windows.*
|
|
name_is_regexp: true
|
|
path: artifacts
|
|
- name: Get List of Setup.exe Files
|
|
id: get-files
|
|
shell: bash
|
|
run: |
|
|
mkdir -p setup_exe_files
|
|
files=$(find artifacts -type f -name '*Setup.exe')
|
|
for file in $files; do
|
|
basename=$(basename "$file")
|
|
cp "$file" "setup_exe_files/$basename"
|
|
done
|
|
files_json=$(ls setup_exe_files | jq -R . | jq -s -c .)
|
|
echo "setup_files=$files_json" >> $GITHUB_OUTPUT
|
|
- name: Upload Setup.exe Files
|
|
uses: actions/upload-artifact@v4
|
|
with:
|
|
name: setup-exe-files
|
|
path: setup_exe_files/
|
|
sign-and-upload:
|
|
name: Sign and Upload each Setup.exe
|
|
needs: find-setup-files
|
|
runs-on: ubuntu-latest
|
|
strategy:
|
|
matrix:
|
|
file: ${{ fromJson( needs.find-setup-files.outputs.setup_files) }}
|
|
permissions:
|
|
actions: read
|
|
contents: read
|
|
steps:
|
|
- name: List Available Artifacts
|
|
run: |
|
|
echo "Available artifacts:"
|
|
curl -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
|
|
-H "Accept: application/vnd.github.v3+json" \
|
|
https://api.github.com/repos/${{ github.repository }}/actions/runs/${{ github.run_id }}/artifacts
|
|
|
|
- name: Download Setup.exe Files Artifact
|
|
uses: actions/download-artifact@v4
|
|
with:
|
|
name: setup-exe-files
|
|
path: setup_exe_files
|
|
- name: Prepare File for Signing
|
|
run: |
|
|
mkdir -p to_sign
|
|
cp "setup_exe_files/${{ matrix.file }}" to_sign/
|
|
- name: Upload unsigned artifact
|
|
id: upload-unsigned-artifact
|
|
uses: actions/upload-artifact@v4
|
|
with:
|
|
name: unsigned-artifact-${{ matrix.file }}
|
|
path: to_sign/${{ matrix.file }}
|
|
|
|
- name: sign the file
|
|
uses: signpath/github-action-submit-signing-request@v1
|
|
env:
|
|
SIGNPATH_SIGNING_POLICY_SLUG: ${{ github.event.inputs.policy == 'Test' && vars.SIGNPATH_SIGNING_POLICY_SLUG_TEST || vars.SIGNPATH_SIGNING_POLICY_SLUG_RELEASE }}
|
|
with:
|
|
api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
|
|
organization-id: '${{ vars.SIGNPATH_ORGANIZATION_ID }}'
|
|
project-slug: '${{ vars.SIGNPATH_PROJECT_SLUG }}'
|
|
signing-policy-slug: '${{ env.SIGNPATH_SIGNING_POLICY_SLUG }}'
|
|
github-artifact-id: "${{steps.upload-unsigned-artifact.outputs.artifact-id}}"
|
|
wait-for-completion: true
|
|
output-artifact-directory: 'application-signed'
|
|
|
|
- name: Upload signed artifact
|
|
uses: actions/upload-artifact@v4
|
|
with:
|
|
name: signed-artifact-${{ matrix.file }}
|
|
path: ./application-signed |