Files
amacocian 9d7f145c25 Sign windows binaries (#1557)
* Sign windows binaries

* Fix temp test

* Remove temporary test

---------

Co-authored-by: Alexandru Macocian <amacocian@microsoft.com>
2026-06-29 22:36:44 +02:00

329 lines
12 KiB
YAML

# Reusable CD pipeline with optional release publishing
name: Daybreak CD Template
on:
workflow_call:
inputs:
publishRelease:
description: "Whether to create and publish the GitHub release"
required: false
type: boolean
default: false
signBinaries:
description: "Whether to code-sign Windows binaries"
required: false
type: boolean
default: false
jobs:
# ───────────────────────────────────────────────────────
# Stage 1 — Build the x86 Windows-only components
# (Injector + API) that both platforms need.
# ───────────────────────────────────────────────────────
build-x86:
runs-on: windows-2025
outputs:
version: ${{ steps.get_version.outputs.version }}
env:
Configuration: Release
Actions_Allow_Unsecure_Commands: true
CERTUM_OTP_URI: ${{ secrets.CERTUM_OTP_URI }}
CERTUM_USERID: ${{ secrets.CERTUM_USERID }}
CERTUM_CERT_SHA1: ${{ secrets.CERTUM_CERT_SHA1 }}
steps:
- name: Checkout
uses: actions/checkout@v7
with:
fetch-depth: 0
submodules: recursive
- name: Get version
id: get_version
shell: pwsh
run: |
$version = (Select-String -Path Directory.Build.props -Pattern '<Version>(.*)</Version>').Matches.Groups[1].Value
echo "version=$version" >> $env:GITHUB_OUTPUT
- name: Install .NET
uses: actions/setup-dotnet@v5
with:
dotnet-version: "10.x"
- name: Publish x86 components
run: .\Scripts\PublishWindowsX86.ps1
shell: pwsh
# Certum SimplySign code signing. Binaries are signed only when explicitly
# requested and the Certum secrets are provisioned.
- name: Set up Certum SimplySign
if: inputs.signBinaries && env.CERTUM_OTP_URI != ''
shell: bash
run: |
chmod +x ./.github/scripts/install-simplysign.sh
./.github/scripts/install-simplysign.sh
powershell -ExecutionPolicy Bypass -File "./.github/scripts/configure-simplysign.ps1"
- name: Authenticate Certum SimplySign
if: inputs.signBinaries && env.CERTUM_OTP_URI != ''
shell: bash
run: powershell -ExecutionPolicy Bypass -File "./.github/scripts/connect-simplysign.ps1"
- name: Sign x86 binaries
if: inputs.signBinaries && env.CERTUM_OTP_URI != ''
run: |
./.github/scripts/sign-certum.ps1 -Files @(
"Publish/Injector/Daybreak.Injector.exe",
"Publish/Api/Daybreak.API.dll"
)
shell: pwsh
- name: Upload x86 artifacts
uses: actions/upload-artifact@v7
with:
name: x86-components
path: |
Publish/Injector/
Publish/Api/
retention-days: 1
# ───────────────────────────────────────────────────────
# Stage 2 — Platform builds (parallel)
# ───────────────────────────────────────────────────────
build-windows:
needs: build-x86
runs-on: windows-2025
env:
Configuration: Release
Actions_Allow_Unsecure_Commands: true
CERTUM_OTP_URI: ${{ secrets.CERTUM_OTP_URI }}
CERTUM_USERID: ${{ secrets.CERTUM_USERID }}
CERTUM_CERT_SHA1: ${{ secrets.CERTUM_CERT_SHA1 }}
steps:
- name: Checkout
uses: actions/checkout@v7
with:
fetch-depth: 0
submodules: recursive
- name: Install .NET
uses: actions/setup-dotnet@v5
with:
dotnet-version: "10.x"
- name: Setup project secrets
run: |
dotnet user-secrets --project Daybreak.Core\Daybreak.Core.csproj set AadApplicationId "${{ secrets.AadApplicationId }}"
dotnet user-secrets --project Daybreak.Core\Daybreak.Core.csproj set AadTenantId "${{ secrets.AadTenantId }}"
dotnet user-secrets --project Daybreak.Core\Daybreak.Core.csproj set ApmServiceAccount "${{ secrets.ApmServiceAccount }}"
dotnet user-secrets --project Daybreak.Core\Daybreak.Core.csproj set ApmServiceKey "${{ secrets.ApmServiceKey }}"
dotnet user-secrets --project Daybreak.Core\Daybreak.Core.csproj set ApmUri "${{ secrets.ApmUri }}"
- name: Download x86 artifacts
uses: actions/download-artifact@v8
with:
name: x86-components
path: Publish/
- name: Publish Windows x64
run: .\Scripts\PublishWindows.ps1
shell: pwsh
- name: Set up Certum SimplySign
if: inputs.signBinaries && env.CERTUM_OTP_URI != ''
shell: bash
run: |
chmod +x ./.github/scripts/install-simplysign.sh
./.github/scripts/install-simplysign.sh
powershell -ExecutionPolicy Bypass -File "./.github/scripts/configure-simplysign.ps1"
- name: Authenticate Certum SimplySign
if: inputs.signBinaries && env.CERTUM_OTP_URI != ''
shell: bash
run: powershell -ExecutionPolicy Bypass -File "./.github/scripts/connect-simplysign.ps1"
- name: Sign Windows build
if: inputs.signBinaries && env.CERTUM_OTP_URI != ''
run: |
./.github/scripts/sign-certum.ps1 -Files @(
"Publish/Daybreak.exe",
"Publish/Installer/Daybreak.Installer.exe"
)
shell: pwsh
- name: Upload Windows build
uses: actions/upload-artifact@v7
with:
name: windows-build
path: Publish/
retention-days: 1
build-linux:
needs: build-x86
runs-on: ubuntu-latest
env:
Configuration: Release
steps:
- name: Checkout
uses: actions/checkout@v7
with:
fetch-depth: 0
submodules: recursive
- name: Install .NET
uses: actions/setup-dotnet@v5
with:
dotnet-version: "10.x"
- name: Setup project secrets
run: |
dotnet user-secrets --project Daybreak.Core/Daybreak.Core.csproj set AadApplicationId "${{ secrets.AadApplicationId }}"
dotnet user-secrets --project Daybreak.Core/Daybreak.Core.csproj set AadTenantId "${{ secrets.AadTenantId }}"
dotnet user-secrets --project Daybreak.Core/Daybreak.Core.csproj set ApmServiceAccount "${{ secrets.ApmServiceAccount }}"
dotnet user-secrets --project Daybreak.Core/Daybreak.Core.csproj set ApmServiceKey "${{ secrets.ApmServiceKey }}"
dotnet user-secrets --project Daybreak.Core/Daybreak.Core.csproj set ApmUri "${{ secrets.ApmUri }}"
- name: Download x86 artifacts
uses: actions/download-artifact@v8
with:
name: x86-components
path: Publish/
- name: Publish Linux x64
run: pwsh ./Scripts/PublishLinux.ps1
shell: bash
- name: Set executable permissions
run: |
chmod +x Publish/Daybreak
chmod +x Publish/Daybreak.Wayland.sh
chmod +x Publish/Installer/Daybreak.Installer
- name: Upload Linux build
uses: actions/upload-artifact@v7
with:
name: linux-build
path: Publish/
retention-days: 1
# ───────────────────────────────────────────────────────
# Stage 3 — Package (always)
# ───────────────────────────────────────────────────────
package:
needs: [build-x86, build-windows, build-linux]
runs-on: ubuntu-latest
env:
Actions_Allow_Unsecure_Commands: true
Version: ${{ needs.build-x86.outputs.version }}
steps:
# ── Windows package ──
- name: Download Windows build
uses: actions/download-artifact@v8
with:
name: windows-build
path: windows-publish/
- name: Clean and zip Windows build
run: |
cd windows-publish
find . -name '*.pdb' -delete
find . -name '*.dbg' -delete
if [ -f Installer/Daybreak.Installer.exe ]; then
mv Installer/Daybreak.Installer.exe Installer/Daybreak.Installer.Temp.exe
fi
cd ..
cd windows-publish && zip -r ../daybreakv${{ env.Version }}.zip . && cd ..
# ── Linux package ──
- name: Download Linux build
uses: actions/download-artifact@v8
with:
name: linux-build
path: linux-publish/
- name: Clean and zip Linux build
run: |
cd linux-publish
find . -name '*.pdb' -delete
find . -name '*.dbg' -delete
if [ -f Installer/Daybreak.Installer ]; then
chmod +x Installer/Daybreak.Installer
mv Installer/Daybreak.Installer Installer/Daybreak.Installer.Temp
fi
chmod +x Daybreak Daybreak.Wayland.sh
cd ..
cd linux-publish && zip -r ../daybreakv${{ env.Version }}-linux.zip . && cd ..
- name: Upload release artifacts
uses: actions/upload-artifact@v7
with:
name: release-zips
path: |
daybreakv${{ env.Version }}.zip
daybreakv${{ env.Version }}-linux.zip
retention-days: 7
# ───────────────────────────────────────────────────────
# Stage 4 — Release (optional)
# ───────────────────────────────────────────────────────
release:
needs: [build-x86, package]
runs-on: ubuntu-latest
if: ${{ inputs.publishRelease }}
env:
Actions_Allow_Unsecure_Commands: true
Version: ${{ needs.build-x86.outputs.version }}
steps:
- name: Checkout
uses: actions/checkout@v7
with:
fetch-depth: 0
submodules: recursive
- name: Download release artifacts
uses: actions/download-artifact@v8
with:
name: release-zips
path: release-assets/
- name: Get Latest Tag
id: getLatestTag
uses: WyriHaximus/github-action-get-previous-tag@v2
- name: Generate changelog
id: changelog
run: |
changeLog=$(git log --no-merges --pretty="%h - %s (%an)<br />" ${{ steps.getLatestTag.outputs.tag }}..HEAD)
echo "content<<EOF" >> $GITHUB_OUTPUT
echo "$changeLog" >> $GITHUB_OUTPUT
echo "EOF" >> $GITHUB_OUTPUT
# ── Release ──
- name: Create release draft
uses: Xotl/cool-github-releases@v1.1.10
with:
mode: update
tag_name: v${{ env.Version }}
release_name: Daybreak v${{ env.Version }}
assets: release-assets/daybreakv${{ env.Version }}.zip;release-assets/daybreakv${{ env.Version }}-linux.zip
github_token: ${{ secrets.GITHUB_TOKEN }}
replace_assets: true
body_mrkdwn: |
${{ steps.changelog.outputs.content }}
isDraft: true
- name: Publish release
run: gh release edit v${{ env.Version }} --draft=false
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}