-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
chore: SP-1549 Build signing for windows
- Loading branch information
1 parent
2c5f9b2
commit f4d67fb
Showing
1 changed file
with
64 additions
and
107 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,31 +1,21 @@ | ||
| name: Wails build | ||
| name: Publish | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
|
|
||
| push: | ||
| tags: | ||
| - "v*.*.*" | ||
|
|
||
| env: | ||
| # Necessary for most environments as build failure can occur due to OOM issues | ||
| NODE_OPTIONS: "--max-old-space-size=4096" | ||
| NODE_OPTIONS: "--max-old-space-size=4096" # Necessary for most environments as build failure can occur due to OOM issues | ||
| ARTIFACT_NAME_PREFIX: "scanoss-lui" | ||
| GOLANG_VERSION: "1.21" | ||
| NODE_VERSION: "16.x" | ||
|
|
||
| jobs: | ||
| build: | ||
| strategy: | ||
| # Failure in one platform build won't impact the others | ||
| fail-fast: false | ||
| matrix: | ||
| build: | ||
| - platform: "linux/amd64" | ||
| os: "ubuntu-20.04" | ||
| - platform: "windows/amd64" | ||
| os: "windows-latest" | ||
| - platform: "darwin/universal" | ||
| os: "macos-latest" | ||
|
|
||
| runs-on: ${{ matrix.build.os }} | ||
| build_w: | ||
| name: Build for Windows | ||
| runs-on: windows-latest | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
|
|
@@ -37,122 +27,89 @@ jobs: | |
| uses: actions/setup-go@v4 | ||
| with: | ||
| check-latest: true | ||
| go-version: "1.21" | ||
| go-version: ${{ env.GOLANG_VERSION }} | ||
| - run: go version | ||
| shell: bash | ||
| # Setup and configure NodeJS | ||
| - name: Setup NodeJS | ||
| uses: actions/setup-node@v3 | ||
| with: | ||
| node-version: "16.x" | ||
| node-version: ${{ env.NODE_VERSION }} | ||
| # Install Wails | ||
| - name: Install Wails | ||
| run: go install github.com/wailsapp/wails/v2/cmd/wails@latest | ||
| shell: bash | ||
| - name: Install Linux Wails deps | ||
| if: runner.os == 'Linux' | ||
| run: sudo apt-get update && sudo apt-get install libgtk-3-0 libwebkit2gtk-4.0-dev gcc-aarch64-linux-gnu | ||
| shell: bash | ||
| - name: Install macOS Wails deps | ||
| if: runner.os == 'macOS' | ||
| run: brew install mitchellh/gon/gon | ||
| shell: bash | ||
| # Build | ||
| - name: Build App | ||
| if: runner.os == 'macOS' | ||
| run: | | ||
| mkdir build | ||
| cp -r assets build/assets | ||
| wails build -ldflags "-X main.version=$(git tag --sort=-version:refname | head -n 1)" --platform ${{matrix.build.platform}} --nopackage -webview2 download -o scanoss-lui-macos | ||
| shell: bash | ||
| - name: Build Linux App | ||
| if: runner.os == 'Linux' | ||
| run: | | ||
| mkdir build | ||
| cp -r assets build/assets | ||
| wails build -ldflags "-X main.version=$(git tag --sort=-version:refname | head -n 1)" --platform ${{matrix.build.platform}} -webview2 download -o scanoss-lui-linux | ||
| shell: bash | ||
| # Build | ||
| - name: Build Windows App | ||
| if: runner.os == 'Windows' | ||
| run: | | ||
| mkdir build | ||
| cp -r assets build/assets | ||
| wails build -ldflags "-X main.version=$(git tag --sort=-version:refname | head -n 1)" --platform ${{matrix.build.platform}} -webview2 download -o scanoss-lui-windows.exe | ||
| shell: bash | ||
|
|
||
| # Set execution permissions | ||
| - name: Add macOS perms | ||
| if: runner.os == 'macOS' | ||
| run: chmod +x ./build/bin/scanoss-lui-macos | ||
| shell: bash | ||
|
|
||
| - name: Add Linux perms | ||
| if: runner.os == 'Linux' | ||
| run: chmod +x ./build/bin/scanoss-lui-linux | ||
| wails build -ldflags "-X main.version=$(git tag --sort=-version:refname | head -n 1)" --platform ${{matrix.build.platform}} -webview2 download -o ${{env.ARTIFACT_NAME_PREFIX}}-windows.exe | ||
| shell: bash | ||
|
|
||
| # macOS Signing | ||
| - name: Import Code-Signing Certificates for macOS | ||
| if: runner.os == 'macOS' && startsWith(github.ref, 'refs/tags/') | ||
| uses: Apple-Actions/import-codesign-certs@v1 | ||
| - uses: actions/upload-artifact@v4 | ||
| with: | ||
| keychain-password: ${{ secrets.APPLE_PASSWORD }} | ||
| p12-file-base64: ${{ secrets.MACOS_DEVELOPER_CERT }} | ||
| p12-password: ${{ secrets.MACOS_DEVELOPER_CERT_PASSWORD }} | ||
| name: artifact_w_unsigned | ||
| path: | | ||
| release/build/${{ env.ARTIFACT_NAME_PREFIX }}*.exe | ||
| - name: Sign macOS binary | ||
| if: runner.os == 'macOS' && startsWith(github.ref, 'refs/tags/') | ||
| shell: bash | ||
| env: | ||
| APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }} | ||
| APPLE_ID: [email protected] | ||
| APPLE_DEVELOPER_ID: ${{ secrets.MACOS_DEVELOPER_CERT_ID }} | ||
| APP_CERTIFICATE: ${{ secrets.MACOS_DEVELOPER_CERT_FULL_ID }} | ||
| run: | | ||
| echo "Signing Package" | ||
| codesign --timestamp --deep --options=runtime -s "$APP_CERTIFICATE" --verbose ./build/bin/scanoss-lui-macos | ||
| - name: Build macOS zip file | ||
| if: runner.os == 'macOS' | ||
| shell: bash | ||
| run: | | ||
| cd ./build/bin/ && zip scanoss-lui-macos.zip scanoss-lui-macos | ||
| build_w_sign: | ||
| name: "Sign with CodeSignTool" | ||
| needs: [build_w] | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
|
|
||
| - name: Build Linux zip file | ||
| if: runner.os == 'Linux' | ||
| shell: bash | ||
| run: | | ||
| cd ./build/bin/ && zip scanoss-lui-linux.zip scanoss-lui-linux | ||
| - name: Download artifact W unsigned | ||
| uses: actions/download-artifact@v4 | ||
| with: | ||
| name: artifact_w_unsigned | ||
|
|
||
| - name: Build Windows zip file | ||
| if: runner.os == 'Windows' | ||
| shell: powershell | ||
| #This stage locates the unsigned .exe binary and move to win_unsigned folder. | ||
| #CodeSignTool does not support reading and writting into the same filepath | ||
| - name: Find Windows Artifact Path | ||
| id: win-path-artifact | ||
| run: | | ||
| cd ./build/bin/; Compress-Archive -Path scanoss-lui-windows.exe -Destination scanoss-lui-windows.zip | ||
| export WIN_BINARY_FILEPATH=$(ls ${{ env.ARTIFACT_NAME_PREFIX }}*.exe) | ||
| mkdir win_unsigned | ||
| mv "$WIN_BINARY_FILEPATH" win_unsigned/ | ||
| echo "ARTIFACT_WIN_PATH=win_unsigned/$WIN_BINARY_FILEPATH" >> "$GITHUB_OUTPUT" | ||
| - name: Notarize | ||
| if: runner.os == 'macOS' && startsWith(github.ref, 'refs/tags/') | ||
| shell: bash | ||
| - name: Sign Windows Artifact with CodeSignTool | ||
| uses: sslcom/actions-codesigner@develop | ||
| env: | ||
| APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }} | ||
| APPLE_ID: [email protected] | ||
| APPLE_DEVELOPER_ID: ${{ secrets.MACOS_DEVELOPER_CERT_ID }} | ||
| run: | | ||
| xcrun notarytool submit ./build/bin/scanoss-lui-macos.zip --apple-id "${APPLE_ID?}" --team-id "${APPLE_DEVELOPER_ID?}" --password "${APPLE_PASSWORD?}" | ||
| ARTIFACT_WIN_PATH: ${{ steps.win-path-artifact.outputs.ARTIFACT_WIN_PATH }} | ||
| with: | ||
| command: sign | ||
| username: ${{secrets.WINDOWS_CODE_SIGNING_TOOL_ES_USERNAME}} | ||
| password: ${{secrets.WINDOWS_CODE_SIGNING_TOOL_ES_PASSWORD}} | ||
| credential_id: ${{secrets.WINDOWS_CODE_SIGNING_TOOL_CREDENTIAL_ID}} | ||
| totp_secret: ${{secrets.WINDOWS_CODE_SIGNING_TOOL_ES_TOTP_SECRET}} | ||
| file_path: ${GITHUB_WORKSPACE}/${{ env.ARTIFACT_WIN_PATH }} | ||
| output_path: ${GITHUB_WORKSPACE} | ||
|
|
||
| # Upload build assets | ||
| - uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: Wails Build ${{runner.os}} | ||
| path: | | ||
| */bin/*.zip | ||
| *\bin\*.zip | ||
| name: artifact_w | ||
| path: ${{ env.ARTIFACT_NAME_PREFIX }}*.exe | ||
|
|
||
| - name: Release | ||
| uses: softprops/action-gh-release@v2 | ||
| if: startsWith(github.ref, 'refs/tags/') | ||
| create_release: | ||
| needs: [build_w_sign] | ||
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Download artifact W | ||
| uses: actions/download-artifact@v4 | ||
| with: | ||
| files: | | ||
| */bin/*.zip | ||
| prerelease: true | ||
| name: artifact_w | ||
|
|
||
| - name: Publish release draft | ||
| env: | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| GH_PROMPT_DISABLED: "disable" | ||
| run: | | ||
| gh release create ${{github.ref_name}} \ | ||
| --repo ${{ github.server_url }}/${{ github.repository }} \ | ||
| --generate-notes \ | ||
| --draft \ | ||
| $(ls *.AppImage *.exe *.dmg) | ||