Files
Marc 66663fa9f9 v1.10.0 - signed binaries (#39)
* Sign release binaries with Certum and bump to v2.0.0.0

Add Certum SimplySign cloud code signing to the CD pipeline so gMod.dll
and TpfConvert.exe are signed before being published as release assets.
The signing scripts are ported from gwlauncher (commit 5ae825a).

Signing is gated on the CERTUM_OTP_URI secret, so forks/unconfigured
repos still build, just unsigned. Requires repo secrets CERTUM_OTP_URI,
CERTUM_USERID and CERTUM_CERT_SHA1.

Bump the major version to 2.0.0.0.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* 1.10

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-29 21:46:55 +07:00

102 lines
2.9 KiB
YAML

name: gMod CD Pipeline
on:
push:
branches:
- master
workflow_dispatch:
jobs:
build:
strategy:
matrix:
targetplatform: [x86]
runs-on: windows-2025-vs2026
permissions:
contents: write
env:
Configuration: Release
Actions_Allow_Unsecure_Commands: true
CERTUM_OTP_URI: ${{ secrets.CERTUM_OTP_URI }}
CERTUM_USERID: ${{ secrets.CERTUM_USERID }}
CERTUM_CERT_SHA1: ${{ secrets.CERTUM_CERT_SHA1 }}
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Setup MSBuild.exe
uses: microsoft/setup-msbuild@v1.3.1
- name: Install vcpkg
run: |
git clone https://github.com/microsoft/vcpkg.git
.\vcpkg\bootstrap-vcpkg.bat
- name: Set VCPKG_ROOT
run: |
echo "VCPKG_ROOT=$(Get-Location)\vcpkg" >> $env:GITHUB_ENV
shell: powershell
- name: Build CMake Files with vcpkg toolchain
run: cmake --preset=vcpkg
env:
VCPKG_ROOT: ${{ env.VCPKG_ROOT }}
- name: Build binaries
run: cmake --build build --config Release
# Signing only runs when the Certum secrets are present (i.e. on the real
# repo, not forks); without them the build still produces unsigned binaries.
- name: Set up Certum SimplySign
if: env.CERTUM_OTP_URI != ''
shell: bash
run: |
chmod +x ./.github/scripts/install-simplysign.sh
./.github/scripts/install-simplysign.sh
powershell -ExecutionPolicy Bypass -File "./.github/scripts/configure-simplysign.ps1"
- name: Authenticate Certum SimplySign
if: env.CERTUM_OTP_URI != ''
shell: bash
run: powershell -ExecutionPolicy Bypass -File "./.github/scripts/connect-simplysign.ps1"
- name: Sign release binaries
if: env.CERTUM_OTP_URI != ''
shell: pwsh
run: |
./.github/scripts/sign-certum.ps1 -Files @(".\bin\Release\gMod.dll", ".\bin\Release\TpfConvert.exe")
- name: Retrieve version
id: set_version
run: |
$fileVersionInfo = (Get-Item -Path .\bin\Release\gMod.dll).VersionInfo.FileVersion
if ([string]::IsNullOrEmpty($fileVersionInfo)) {
Write-Host "The DLL file version information could not be retrieved."
exit 1
} else {
Write-Host "FileVersionInfo: $fileVersionInfo"
echo "::set-output name=version::$fileVersionInfo"
}
shell: pwsh
- name: Publish release
uses: Xotl/cool-github-releases@v1.1.8
with:
mode: update
tag_name: v${{ steps.set_version.outputs.version }}
release_name: gMod v${{ steps.set_version.outputs.version }}
assets: .\bin\Release\gMod.dll;.\bin\Release\TpfConvert.exe;.\bin\Release\d3dx9_43.dll
github_token: ${{ env.GITHUB_TOKEN }}
replace_assets: true
body_mrkdwn: ${{ env.Changelog }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}