This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Sign with Software Trust Manager KSP | |
on: push | |
jobs: | |
build: | |
runs-on: ${{ matrix.os }} | |
strategy: | |
matrix: | |
os: [windows-latest, ubuntu-latest, macos-latest] | |
fail-fast: false | |
steps: | |
- name: Check out Git repository | |
uses: actions/checkout@v3 | |
- name: Set Version from package.json | |
id: variables | |
run: | | |
PACKAGE_VERSION=$(cat launcher/package.json \ | |
| grep version \ | |
| head -1 \ | |
| awk -F: '{ print $2 }' \ | |
| sed 's/[ ",]//g') | |
echo "Found Version: $PACKAGE_VERSION in package.json" | |
echo "version=$PACKAGE_VERSION" >> "$GITHUB_OUTPUT" | |
shell: bash | |
- name: Set Certificates and Variables for windows-latest | |
id: win-variables | |
run: | | |
# windows | |
echo "${{secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/Certificate_pkcs12.p12 | |
echo "SM_CLIENT_CERT_FILE=D:\Certificate_pkcs12.p12" >> "$GITHUB_ENV" | |
echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV" | |
echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV" | |
echo "SM_HOST=${{ vars.SM_HOST }}" >> "$GITHUB_ENV" | |
echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH | |
echo "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools" >> $GITHUB_PATH | |
echo "C:\Program Files\DigiCert\DigiCert Keylocker Tools" >> $GITHUB_PATH | |
shell: bash | |
if: matrix.os == 'windows-latest' | |
- name: Setup SSM KSP on windows-latest | |
run: | | |
curl -s -X GET https://one.digicert.com/signingmanager/api-ui/v1/releases/Keylockertools-windows-x64.msi/download -H "x-api-key:%SM_API_KEY%" -o Keylockertools-windows-x64.msi | |
msiexec /i Keylockertools-windows-x64.msi /quiet /qn | |
smksp_registrar.exe list | |
smctl.exe keypair ls | |
C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user | |
smctl healthcheck --all | |
smctl windows certsync --keypair-alias=${{ secrets.KEYPAIR_ALIAS }} | |
shell: cmd | |
if: matrix.os == 'windows-latest' | |
- name: macOS build args | |
if: matrix.os == 'macos-latest' | |
run: echo "BUILD_ARGS=--universal" >> $GITHUB_ENV | |
- name: Build Electron app | |
uses: samuelmeuli/action-electron-builder@v1 | |
with: | |
github_token: ${{ secrets.github_token }} | |
package_root: launcher | |
use_vue_cli: true | |
release: never | |
build_script_name: dist | |
mac_certs: ${{ secrets.mac_certs }} | |
mac_certs_password: ${{ secrets.mac_certs_password }} | |
args: ${{ env.BUILD_ARGS }} | |
env: | |
APPLE_ID: ${{ secrets.apple_id }} | |
APPLE_ID_PASSWORD: ${{ secrets.apple_id_password }} | |
TEAM_SHORT_NAME: ${{ secrets.team_short_name }} | |
APP_ID: "com.stereum.launcher" | |
TEAM_ID: ${{ secrets.team_id }} | |
KEYPAIR_ALIAS: ${{ secrets.KEYPAIR_ALIAS }} | |
if: ${{ !contains(github.event.head_commit.message, '[NOCI]') }} | |
- name: Verify Signing using Signtool on windows-latest | |
run: | | |
dir D:\a\ethereum-node\ethereum-node\launcher\dist\win32\ | |
signtool.exe verify /v /pa "D:\a\ethereum-node\ethereum-node\launcher\dist\win32\Stereum-Launcher-Setup-${{ steps.variables.outputs.version }}.exe" | |
shell: cmd | |
if: ${{ !contains(github.event.head_commit.message, '[NOCI]') && matrix.os == 'windows-latest' }} | |
- name: Debug | |
run: | | |
ls -la launcher/dist/linux | |
shell: bash | |
if: ${{ !contains(github.event.head_commit.message, '[NOCI]') && matrix.os == 'ubuntu-latest' }} | |
- name: Upload artifacts for ubuntu-latest | |
uses: actions/upload-artifact@v4 | |
with: | |
name: app-${{ matrix.os }} | |
path: | | |
launcher/dist/linux/Stereum-Launcher-${{ steps.variables.outputs.version }}.AppImage | |
launcher/dist/linux/latest*.yml | |
launcher/dist/linux/*.blockmap | |
if: ${{ !contains(github.event.head_commit.message, '[NOCI]') && matrix.os == 'ubuntu-latest' }} | |
- name: Debug | |
run: | | |
ls -la launcher/dist/win32 | |
shell: bash | |
if: ${{ !contains(github.event.head_commit.message, '[NOCI]') && matrix.os == 'windows-latest' }} | |
- name: Upload artifacts for windows-latest | |
uses: actions/upload-artifact@v4 | |
with: | |
name: app-${{ matrix.os }} | |
path: | | |
launcher/dist/win32/Stereum-Launcher-Setup-${{ steps.variables.outputs.version }}.exe | |
launcher/dist/win32/latest*.yml | |
launcher/dist/win32/*.blockmap | |
if: ${{ !contains(github.event.head_commit.message, '[NOCI]') && matrix.os == 'windows-latest' }} | |
- name: Debug | |
run: | | |
sed -i '' 's/Stereum-Launcher-${{ steps.variables.outputs.version }}.zip/Stereum-Launcher-${{ steps.variables.outputs.version }}-mac.zip/g' launcher/dist/darwin/latest-mac.yml | |
ls -la launcher/dist/darwin | |
mv launcher/dist/darwin/Stereum-Launcher-${{ steps.variables.outputs.version }}.zip launcher/dist/darwin/Stereum-Launcher-${{ steps.variables.outputs.version }}-mac.zip | |
mv launcher/dist/darwin/Stereum-Launcher-${{ steps.variables.outputs.version }}.zip.blockmap launcher/dist/darwin/Stereum-Launcher-${{ steps.variables.outputs.version }}-mac.zip.blockmap | |
shell: bash | |
if: ${{ !contains(github.event.head_commit.message, '[NOCI]') && matrix.os == 'macos-latest' }} | |
- name: Upload artifacts for macos-latest | |
uses: actions/upload-artifact@v4 | |
with: | |
name: app-${{ matrix.os }} | |
path: | | |
launcher/dist/darwin/Stereum-Launcher-${{ steps.variables.outputs.version }}.dmg | |
launcher/dist/darwin/Stereum-Launcher-${{ steps.variables.outputs.version }}-mac.zip | |
launcher/dist/darwin/latest*.yml | |
launcher/dist/darwin/*.blockmap | |
if: ${{ !contains(github.event.head_commit.message, '[NOCI]') && matrix.os == 'macos-latest' }} | |
release: | |
runs-on: ubuntu-latest | |
needs: build | |
permissions: | |
contents: write | |
steps: | |
- name: Check out Git repository | |
uses: actions/checkout@v3 | |
- name: Set Versions | |
id: variables | |
run: | | |
echo "release=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT | |
APP_VERSION=$(cat launcher/package.json \ | |
| grep version \ | |
| head -1 \ | |
| awk -F: '{ print $2 }' \ | |
| sed 's/[ ",]//g') | |
echo "version=$APP_VERSION" >> "$GITHUB_OUTPUT" | |
shell: bash | |
# download artifacts from build | |
- name: create dist folder | |
run: | | |
mkdir dist | |
shell: bash | |
- name: Download ubuntu binary from build into dist | |
uses: actions/download-artifact@v4 | |
with: | |
name: app-ubuntu-latest | |
path: dist | |
if: ${{ !contains(github.event.head_commit.message, '[NOCI]') }} | |
- name: Download windows binary from build into dist | |
uses: actions/download-artifact@v4 | |
with: | |
name: app-windows-latest | |
path: dist | |
if: ${{ !contains(github.event.head_commit.message, '[NOCI]') }} | |
- name: Download macos binary from build into dist | |
uses: actions/download-artifact@v4 | |
with: | |
name: app-macos-latest | |
path: dist | |
if: ${{ !contains(github.event.head_commit.message, '[NOCI]') }} | |
# create release if [DRAFT] is in commit using the version from package.json. | |
# during creation, upload all the downloaded build artifacts | |
- name: Create Draft Release | |
uses: ncipollo/release-action@v1 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
tag: "${{ steps.variables.outputs.version }}-draft" | |
name: "${{ steps.variables.outputs.version }}" | |
skipIfReleaseExists: true | |
updateOnlyUnreleased: true | |
artifacts: dist/* | |
draft: true | |
allowUpdates: true | |
replacesArtifacts: true | |
prerelease: true | |
if: ${{ contains(github.event.head_commit.message, '[DRAFT]') }} | |
# if no release was created, just update the artifacts | |
- name: "Upload artifacts to existing draft release ${{ steps.variables.outputs.version }}" | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
run: | | |
gh release upload --clobber "${{ steps.variables.outputs.version }}-draft" dist/* | |
if: ${{ !contains(github.event.head_commit.message, '[NOCI]') && !contains(github.event.head_commit.message, '[DRAFT]') }} |