diff --git a/.github/workflows/build_and_deploy.yaml b/.github/workflows/build_and_deploy.yaml
index 1948500..608d4a8 100644
--- a/.github/workflows/build_and_deploy.yaml
+++ b/.github/workflows/build_and_deploy.yaml
@@ -1,105 +1,141 @@ name: Build and Deploy on: - # Nightly build - schedule: - - cron: '0 9 * * *' - # Manual nightly & release - workflow_dispatch: - inputs: - mode: - description: What type of build to trigger. Release builds should be ran from the `master` branch. - required: true - default: nightly - type: choice - options: - - nightly - - release - macos: - description: Whether to build macOS - required: true - type: boolean - default: true - linux: - description: Whether to build Linux - required: true - type: boolean - default: true - deploy: - description: Whether to deploy artifacts - required: true - type: boolean - default: true + # Nightly build + schedule: + - cron: "0 9 * * *" + # Manual nightly & release + workflow_dispatch: + inputs: + mode: + description: What type of build to trigger. Release builds should be ran from the `master` branch. + required: true + default: nightly + type: choice + options: + - nightly + - release + macos: + description: Whether to build macOS + required: true + type: boolean + default: true + windows_32bit: + description: Whether to build Windows 32-bit + required: true + type: boolean + default: true + windows_64bit: + description: Whether to build Windows 64-bit + required: true + type: boolean + default: true + linux: + description: Whether to build Linux + required: true + type: boolean + default: true + deploy: + description: Whether to deploy artifacts + required: true + type: boolean + default: true concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true env: - # XXX: UPDATE THIS BEFORE WHEN GOING LIVE - R2_BUCKET: 'packages-element-io-test' + # XXX: UPDATE THIS BEFORE WHEN GOING LIVE + R2_BUCKET: "packages-element-io-test" jobs: - prepare: - uses: ./.github/workflows/build_prepare.yaml - with: - config: element.io/${{ inputs.mode || 'nightly' }} - version: ${{ inputs.mode == 'release' && '' || 'develop' 
}} - calculate-nightly-versions: ${{ inputs.mode != 'release' }} - secrets: - CF_R2_ACCESS_KEY_ID: ${{ secrets.CF_R2_ACCESS_KEY_ID }} - CF_R2_TOKEN: ${{ secrets.CF_R2_TOKEN }} - CF_R2_S3_API: ${{ secrets.CF_R2_S3_API }} - - macos: - if: github.event_name != 'workflow_dispatch' || inputs.macos - needs: prepare - name: macOS - uses: ./.github/workflows/build_macos.yaml - secrets: inherit - with: - sign: true - deploy-mode: true - base-url: https://packages.element.io/${{ inputs.mode == 'release' && 'desktop' || 'nightly' }} - version: ${{ needs.prepare.outputs.macos-version }} - - linux: - if: github.event_name != 'workflow_dispatch' || inputs.linux - needs: prepare - name: Linux - uses: ./.github/workflows/build_linux.yaml - secrets: inherit - with: - sqlcipher: system - deploy-mode: true - version: ${{ needs.prepare.outputs.linux-version }} - - deploy: - needs: - - macos - runs-on: ubuntu-latest - name: Deploy - if: always() && (github.event != 'workflow_dispatch' || inputs.deploy) - environment: packages.element.io - steps: - - name: Download artifacts - uses: actions/download-artifact@v3 + prepare: + uses: ./.github/workflows/build_prepare.yaml with: - name: packages.element.io - path: packages.element.io + config: element.io/${{ inputs.mode || 'nightly' }} + version: ${{ inputs.mode == 'release' && '' || 'develop' }} + calculate-nightly-versions: ${{ inputs.mode != 'release' }} + secrets: + CF_R2_ACCESS_KEY_ID: ${{ secrets.CF_R2_ACCESS_KEY_ID }} + CF_R2_TOKEN: ${{ secrets.CF_R2_TOKEN }} + CF_R2_S3_API: ${{ secrets.CF_R2_S3_API }} - - name: Deploy debian repo - if: github.event_name != 'workflow_dispatch' || inputs.linux - run: | - mv packages.element.io/debian . 
- aws s3 cp --recursive debian/ s3://$R2_BUCKET/debian --endpoint-url $R2_URL --region auto - env: - AWS_ACCESS_KEY_ID: ${{ secrets.CF_R2_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.CF_R2_TOKEN }} - R2_URL: ${{ secrets.CF_R2_S3_API }} + windows_32bit: + if: github.event_name != 'workflow_dispatch' || inputs.windows_32bit + needs: prepare + name: Windows 32-bit + uses: ./.github/workflows/build_windows.yaml + secrets: inherit + with: + sign: true + deploy-mode: true + arch: x86 + version: ${{ needs.prepare.outputs.win32-x86-version }} - - name: Deploy artifacts + windows_64bit: + if: github.event_name != 'workflow_dispatch' || inputs.windows_64bit + needs: prepare + name: Windows 64-bit + uses: ./.github/workflows/build_windows.yaml + secrets: inherit + with: + sign: true + deploy-mode: true + arch: x64 + version: ${{ needs.prepare.outputs.win32-x64-version }} + + macos: if: github.event_name != 'workflow_dispatch' || inputs.macos - run: | - aws s3 cp --recursive packages.element.io/ s3://$R2_BUCKET/$DEPLOYMENT_DIR --endpoint-url $R2_URL --region auto - env: - AWS_ACCESS_KEY_ID: ${{ secrets.CF_R2_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.CF_R2_TOKEN }} - R2_URL: ${{ secrets.CF_R2_S3_API }} - DEPLOYMENT_DIR: ${{ inputs.mode == 'release' && 'desktop' || 'nightly' }} + needs: prepare + name: macOS + uses: ./.github/workflows/build_macos.yaml + secrets: inherit + with: + sign: true + deploy-mode: true + base-url: https://packages.element.io/${{ inputs.mode == 'release' && 'desktop' || 'nightly' }} + version: ${{ needs.prepare.outputs.macos-version }} + + linux: + if: github.event_name != 'workflow_dispatch' || inputs.linux + needs: prepare + name: Linux + uses: ./.github/workflows/build_linux.yaml + secrets: inherit + with: + sqlcipher: system + deploy-mode: true + version: ${{ needs.prepare.outputs.linux-version }} + + deploy: + needs: + - macos + - windows_32bit + - windows_64bit + runs-on: ubuntu-latest + name: Deploy + if: always() && 
(github.event != 'workflow_dispatch' || inputs.deploy) + environment: packages.element.io + steps: + - name: Download artifacts + uses: actions/download-artifact@v3 + with: + name: packages.element.io + path: packages.element.io + + - name: Deploy debian repo + if: github.event_name != 'workflow_dispatch' || inputs.linux + run: | + mv packages.element.io/debian . + aws s3 cp --recursive debian/ s3://$R2_BUCKET/debian --endpoint-url $R2_URL --region auto + env: + AWS_ACCESS_KEY_ID: ${{ secrets.CF_R2_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.CF_R2_TOKEN }} + R2_URL: ${{ secrets.CF_R2_S3_API }} + + - name: Deploy artifacts + if: github.event_name != 'workflow_dispatch' || inputs.macos + run: | + aws s3 cp --recursive packages.element.io/ s3://$R2_BUCKET/$DEPLOYMENT_DIR --endpoint-url $R2_URL --region auto + env: + AWS_ACCESS_KEY_ID: ${{ secrets.CF_R2_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.CF_R2_TOKEN }} + R2_URL: ${{ secrets.CF_R2_S3_API }} + DEPLOYMENT_DIR: ${{ inputs.mode == 'release' && 'desktop' || 'nightly' }} diff --git a/.github/workflows/build_and_test.yaml b/.github/workflows/build_and_test.yaml index 9c5ec04..451fc5a 100644 --- a/.github/workflows/build_and_test.yaml +++ b/.github/workflows/build_and_test.yaml 
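Review bot: The `deploy` job's condition compares `github.event`, which is the event payload object, with the string 'workflow_dispatch'; that comparison does not match, so the left side is always true and a manual run with `deploy: false` still uploads to the bucket. It should read `if: always() && (github.event_name != 'workflow_dispatch' || inputs.deploy)`, as the build jobs in this file already do. The line is carried over from the old side, but this commit widens what the job publishes, so it is worth fixing here. The `Deploy artifacts` step is also still gated on `inputs.macos` alone, so a manual run that builds only Windows would skip the upload; `inputs.macos || inputs.windows_32bit || inputs.windows_64bit` looks like the intent. Because of `always()`, the job also runs when one of the builds in `needs` failed, which should be confirmed as deliberate.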
@@ -1,107 +1,107 @@ name: Build and Test on: - pull_request: {} - push: - branches: [develop, staging, master] + pull_request: {} + push: + branches: [develop, staging, master] concurrency: - group: ${{ github.workflow }}-${{ github.ref }} - cancel-in-progress: true + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true jobs: - fetch: - uses: ./.github/workflows/build_prepare.yaml - with: - config: ${{ github.event.pull_request.base.ref == 'develop' && 'element.io/nightly' || 'element.io/release' }} - version: ${{ github.event.pull_request.base.ref == 'develop' && 'develop' || '' }} - - windows: - needs: fetch - name: Windows - uses: ./.github/workflows/build_windows.yaml - strategy: - matrix: - arch: [x64, x86] - with: - arch: ${{ matrix.arch }} - - linux: - needs: fetch - name: Linux - uses: ./.github/workflows/build_linux.yaml - strategy: - matrix: - sqlcipher: [system, static] - with: - sqlcipher: ${{ matrix.sqlcipher }} - - macos: - needs: fetch - name: macOS - uses: ./.github/workflows/build_macos.yaml - - test: - needs: - - macos - - linux - - windows - strategy: - matrix: - include: - - name: macOS Universal - os: macos - artifact: macos - executable: "./dist/mac-universal/Element.app/Contents/MacOS/Element" - prepare_cmd: "find ./dist/mac-universal/Element.app -type f | perl -lne 'print if -B' | tr '\\n' '\\0' | xargs -0 -n1 chmod 755" - - name: "Linux (sqlcipher: system)" - os: ubuntu - artifact: linux-sqlcipher-system - executable: "element-desktop" - prepare_cmd: "sudo apt install ./dist/*.deb" - - name: "Linux (sqlcipher: static)" - os: ubuntu - artifact: linux-sqlcipher-static - executable: "element-desktop" - prepare_cmd: "sudo apt install ./dist/*.deb" - - name: Windows (x86) - os: windows - artifact: win-x86 - executable: "./dist/win-ia32-unpacked/Element.exe" - - name: Windows (x64) - os: windows - artifact: win-x64 - executable: "./dist/win-unpacked/Element.exe" - name: Test ${{ matrix.name }} - runs-on: ${{ matrix.os 
}}-latest - steps: - - uses: actions/checkout@v3 - - - uses: actions/setup-node@v3 + fetch: + uses: ./.github/workflows/build_prepare.yaml with: - cache: "yarn" + config: ${{ github.event.pull_request.base.ref == 'develop' && 'element.io/nightly' || 'element.io/release' }} + version: ${{ github.event.pull_request.base.ref == 'develop' && 'develop' || '' }} - - name: Install Deps - run: "yarn install --pure-lockfile" - - - uses: actions/download-artifact@v3 + windows: + needs: fetch + name: Windows + uses: ./.github/workflows/build_windows.yaml + strategy: + matrix: + arch: [x64, x86] with: - name: ${{ matrix.artifact }} - path: dist + arch: ${{ matrix.arch }} - - name: Prepare for tests - run: ${{ matrix.prepare_cmd }} - if: matrix.prepare_cmd - - - name: Run tests - uses: GabrielBB/xvfb-action@v1 - timeout-minutes: 5 + linux: + needs: fetch + name: Linux + uses: ./.github/workflows/build_linux.yaml + strategy: + matrix: + sqlcipher: [system, static] with: - run: "yarn test" - env: - ELEMENT_DESKTOP_EXECUTABLE: ${{ matrix.executable }} + sqlcipher: ${{ matrix.sqlcipher }} - - name: Upload Artifacts - uses: actions/upload-artifact@v3 - if: always() - with: - name: ${{ matrix.artifact }} - path: test_artifacts - retention-days: 1 + macos: + needs: fetch + name: macOS + uses: ./.github/workflows/build_macos.yaml + + test: + needs: + - macos + - linux + - windows + strategy: + matrix: + include: + - name: macOS Universal + os: macos + artifact: macos + executable: "./dist/mac-universal/Element.app/Contents/MacOS/Element" + prepare_cmd: "find ./dist/mac-universal/Element.app -type f | perl -lne 'print if -B' | tr '\\n' '\\0' | xargs -0 -n1 chmod 755" + - name: "Linux (sqlcipher: system)" + os: ubuntu + artifact: linux-sqlcipher-system + executable: "element-desktop" + prepare_cmd: "sudo apt install ./dist/*.deb" + - name: "Linux (sqlcipher: static)" + os: ubuntu + artifact: linux-sqlcipher-static + executable: "element-desktop" + prepare_cmd: "sudo apt install 
./dist/*.deb" + - name: Windows (x86) + os: windows + artifact: win-x86 + executable: "./dist/win-ia32-unpacked/Element.exe" + - name: Windows (x64) + os: windows + artifact: win-x64 + executable: "./dist/win-unpacked/Element.exe" + name: Test ${{ matrix.name }} + runs-on: ${{ matrix.os }}-latest + steps: + - uses: actions/checkout@v3 + + - uses: actions/setup-node@v3 + with: + cache: "yarn" + + - name: Install Deps + run: "yarn install --pure-lockfile" + + - uses: actions/download-artifact@v3 + with: + name: ${{ matrix.artifact }} + path: dist + + - name: Prepare for tests + run: ${{ matrix.prepare_cmd }} + if: matrix.prepare_cmd + + - name: Run tests + uses: GabrielBB/xvfb-action@v1 + timeout-minutes: 5 + with: + run: "yarn test" + env: + ELEMENT_DESKTOP_EXECUTABLE: ${{ matrix.executable }} + + - name: Upload Artifacts + uses: actions/upload-artifact@v3 + if: always() + with: + name: ${{ matrix.artifact }} + path: test_artifacts + retention-days: 1 diff --git a/.github/workflows/build_linux.yaml b/.github/workflows/build_linux.yaml index 4c9a527..862258c 100644 --- a/.github/workflows/build_linux.yaml +++ b/.github/workflows/build_linux.yaml @@ -70,7 +70,7 @@ jobs: env: SQLCIPHER_STATIC: ${{ inputs.sqlcipher == 'static' && '1' || '' }} - - name: '[Nightly] Resolve version' + - name: "[Nightly] Resolve version" id: nightly if: inputs.version != '' run: | @@ -101,17 +101,17 @@ jobs: run: | # Clear out the template packages.element.io directory, it has a dedicated deploy workflow rm -R packages.element.io/* - + # Install reprepro sudo apt-get install -y reprepro - + # Fetch reprepro database aws s3 cp --recursive s3://$R2_BUCKET debian/db/ --endpoint-url $R2_URL --region auto - + grep Codename debian/conf/distributions | sed -n 's/Codename: //p' | while read -r target ; do reprepro -b debian includedeb "$target" ./dist/*.deb done - + # Store reprepro database aws s3 cp --recursive debian/db/ s3://$R2_BUCKET --endpoint-url $R2_URL --region auto env: 
diff --git a/.github/workflows/build_macos.yaml b/.github/workflows/build_macos.yaml index f35b353..4917150 100644 --- a/.github/workflows/build_macos.yaml +++ b/.github/workflows/build_macos.yaml @@ -69,14 +69,14 @@ jobs: if: steps.cache.outputs.cache-hit != 'true' run: "yarn build:native:universal" - - name: '[Nightly] Resolve version' + - name: "[Nightly] Resolve version" id: nightly if: inputs.version != '' run: | echo "config-args=--nightly '${{ inputs.version }}'" >> $GITHUB_OUTPUT # We split these because electron-builder gets upset if we set CSC_LINK even to an empty string - - name: '[Signed] Build App' + - name: "[Signed] Build App" if: inputs.sign != '' run: | scripts/generate-builder-config.ts ${{ steps.nightly.outputs.config-args }} @@ -88,7 +88,7 @@ jobs: CSC_KEY_PASSWORD: ${{ secrets.APPLE_CSC_KEY_PASSWORD }} CSC_LINK: ${{ secrets.APPLE_CSC_LINK }} - - name: '[Unsigned] Build App' + - name: "[Unsigned] Build App" if: inputs.sign == '' run: | scripts/generate-builder-config.ts ${{ steps.nightly.outputs.config-args }} @@ -103,11 +103,11 @@ jobs: mkdir -p dist/install/macos dist/update/macos mv _dist/*-mac.zip dist/update/macos/ mv _dist/*.dmg dist/install/macos/ - + PKG_JSON_VERSION=$(cat package.json | jq -r .version) LATEST=$(find dist -type f -iname "*-mac.zip" | xargs -0 -n1 -- basename) URL="${{ inputs.base-url }}/update/macos/$LATEST" - + jq -n --arg version "${VERSION:-$PKG_JSON_VERSION}" --arg url "$URL" ' { currentRelease: $version, 
@@ -127,12 +127,12 @@ jobs: VERSION: ${{ inputs.version }} # We don't wish to store the installer for every nightly ever, so we only keep the latest - - name: '[Nightly] Strip version from installer file' + - name: "[Nightly] Strip version from installer file" if: inputs.deploy-mode && inputs.version != '' run: | mv dist/install/macos/*.dmg "dist/install/macos/Element Nightly.dmg" - - name: '[Release] Prepare release latest symlink' + - name: "[Release] Prepare release latest symlink" if: inputs.deploy-mode && inputs.version == '' run: | ln -s "$(find . -type f -iname "*.dmg" | xargs -0 -n1 -- basename)" "Element.dmg" diff --git a/.github/workflows/build_prepare.yaml b/.github/workflows/build_prepare.yaml index 24f92d3..a0c2430 100644 --- a/.github/workflows/build_prepare.yaml +++ b/.github/workflows/build_prepare.yaml @@ -31,6 +31,12 @@ on: linux-version: description: "The version string the next Linux Nightly should use, only output for calculate-nightly-versions" value: ${{ jobs.prepare.outputs.linux-version }} + win32-x64-version: + description: "The version string the next Windows x64 Nightly should use, only output for calculate-nightly-versions" + value: ${{ jobs.prepare.outputs.win32-x64-version }} + win32-x86-version: + description: "The version string the next Windows x86 Nightly should use, only output for calculate-nightly-versions" + value: ${{ jobs.prepare.outputs.win32-x86-version }} jobs: prepare: name: Prepare @@ -39,6 +45,8 @@ jobs: outputs: macos-version: ${{ steps.versions.outputs.macos }} linux-version: ${{ steps.versions.outputs.linux }} + win32-x64-version: ${{ steps.versions.outputs.win_x64 }} + win32-x86-version: ${{ steps.versions.outputs.win_x86 }} steps: - uses: actions/checkout@v3 
@@ -77,9 +85,14 @@ jobs: LINUX=$(aws s3 cp s3://$R2_BUCKET/debian/dists/default/main/binary-amd64/Packages - --endpoint-url $R2_URL --region auto | grep "Package: element-nightly" -A 50 | grep Version -m1 | sed -n 's/Version: //p') echo "linux=$(scripts/generate-nightly-version.ts --latest $LINUX)" >> $GITHUB_OUTPUT + + WINx64=$(aws s3 cp s3://$R2_BUCKET/nightly/update/win32/x64/RELEASES - --endpoint-url $R2_URL --region auto | awk '{print $2}' | cut -d "-" -f 5 | cut -c 8-) + echo "win_x64=$(scripts/generate-nightly-version.ts --latest $WINx64)" >> $GITHUB_OUTPUT + WINx86=$(aws s3 cp s3://$R2_BUCKET/nightly/update/win32/ia32/RELEASES - --endpoint-url $R2_URL --region auto | awk '{print $2}' | cut -d "-" -f 5 | cut -c 8-) + echo "win_x86=$(scripts/generate-nightly-version.ts --latest $WINx86)" >> $GITHUB_OUTPUT env: AWS_ACCESS_KEY_ID: ${{ secrets.CF_R2_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.CF_R2_TOKEN }} # XXX: UPDATE THIS BEFORE WHEN GOING LIVE - R2_BUCKET: 'packages-element-io-test' + R2_BUCKET: "packages-element-io-test" R2_URL: ${{ secrets.CF_R2_S3_API }} diff --git a/.github/workflows/build_windows.yaml b/.github/workflows/build_windows.yaml index cdc8bea..b176792 100644 --- a/.github/workflows/build_windows.yaml +++ b/.github/workflows/build_windows.yaml 
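Review bot: The two added lookups expand `$WINx64` and `$WINx86` unquoted into the `generate-nightly-version.ts` command line, and the value is whatever text the `awk`/`cut` pipeline extracted from the `RELEASES` object in the bucket. If that object is missing or holds more than one line, `--latest` receives no argument or several words. I would quote the expansions, `--latest "$WINx64"`, and handle the empty case explicitly, e.g. `[ -n "$WINx64" ] || { echo "no previous x64 nightly found" >&2; exit 1; }`, or a documented first-run default. The `run` block starts above the hunk, so whether `pipefail` is in effect is not visible; without it a failed `aws s3 cp` is masked by the `cut` at the end of the pipeline.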
@@ -3,14 +3,34 @@ # the correct cache scoping, and additional care must be taken to not run untrusted actions on the develop branch. on: workflow_call: + secrets: + ESIGNER_USER_NAME: + required: false + ESIGNER_USER_PASSWORD: + required: false + ESIGNER_USER_TOTP: + required: false inputs: arch: type: string required: true description: "The architecture to build for, one of 'x64' | 'x86'" + version: + type: string + required: false + description: "Version string to override the one in package.json, used for non-release builds" + sign: + type: string + required: false + description: "Whether to sign & notarise the build, requires 'packages.element.io' environment" + deploy-mode: + type: string + required: false + description: "Whether to arrange artifacts in the arrangement needed for deployment, skipping unrelated ones" jobs: build: runs-on: windows-latest + environment: ${{ inputs.sign && 'packages.element.io' || '' }} steps: - uses: kanga333/variable-mapper@master id: config @@ -50,12 +70,14 @@ jobs: # ActiveTCL package on choco is from 2015, # this one is newer but includes more than we need - name: Choco install tclsh + if: steps.cache.outputs.cache-hit != 'true' shell: pwsh run: | choco install -y magicsplat-tcl-tk --no-progress echo "${HOME}/AppData/Local/Apps/Tcl86/bin" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append - name: Choco install NetWide Assembler + if: steps.cache.outputs.cache-hit != 'true' shell: pwsh run: | choco install -y nasm --no-progress 
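Review bot: With the added `environment:` line and the three `ESIGNER_*` secrets, the `build` job now handles code-signing credentials, and its first step, visible as context at the end of this hunk, is `kanga333/variable-mapper@master`, a third-party action referenced by a mutable branch. Whatever that branch points to at run time executes on the same runner ahead of the signing step and can alter the workspace, PATH or environment it relies on. Pinning the reference to a full commit SHA, `uses: kanga333/variable-mapper@<PLACEHOLDER: reviewed commit SHA>`, would match the caution about untrusted actions in this file's header comment. The job's step list continues outside the hunk.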
@@ -82,12 +104,86 @@ jobs: refreshenv yarn build:native --target ${{ steps.config.outputs.target }} + - name: Install and configure eSigner CKA + id: esigner + if: inputs.sign + run: | + Set-StrictMode -Version 'Latest' + + # Download + Invoke-WebRequest -OutFile eSigner_CKA.exe "https://packages.element.io/tools/SSL.COM%20eSigner%20CKA_1.0.4-build-20230221_signed.exe" + + # Install + New-Item -ItemType Directory -Force -Path "$env:INSTALL_DIR" + ./eSigner_CKA.exe /CURRENTUSER /VERYSILENT /SUPPRESSMSGBOXES /DIR="${{ env.INSTALL_DIR }}" | Out-Null + + # Disable logger + $LogConfig = Get-Content -Path ${{ env.INSTALL_DIR }}/log4net.config + $LogConfig[0] = '' + $LogConfig | Set-Content -Path ${{ env.INSTALL_DIR }}/log4net.config + + # Configure + ${{ env.INSTALL_DIR }}/eSignerCKATool.exe config -mode "${{ env.MODE }}" -user "${{ secrets.ESIGNER_USER_NAME }}" -pass "${{ secrets.ESIGNER_USER_PASSWORD }}" -totp "${{ secrets.ESIGNER_USER_TOTP }}" -key "${{ env.MASTER_KEY_FILE }}" -r + ${{ env.INSTALL_DIR }}/eSignerCKATool.exe unload + ${{ env.INSTALL_DIR }}/eSignerCKATool.exe load + + # Find certificate + $CodeSigningCert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1 + echo Certificate: $CodeSigningCert + + # Extract thumbprint and subject name + $Thumbprint = $CodeSigningCert.Thumbprint + $SubjectName = ($CodeSigningCert.Subject -replace ", ?", "`n" | ConvertFrom-StringData).CN + echo "config-args=--signtool-thumbprint '$Thumbprint' --signtool-subject-name '$SubjectName'" >> $env:GITHUB_OUTPUT + env: + # XXX: UPDATE THIS BEFORE WHEN GOING LIVE + MODE: sandbox + INSTALL_DIR: C:\Users\runneradmin\eSignerCKA + MASTER_KEY_FILE: C:\Users\runneradmin\eSignerCKA\master.key + + - name: "[Nightly] Resolve version" + id: nightly + if: inputs.version != '' + shell: bash + run: | + echo "config-args=--nightly '${{ inputs.version }}'" >> $GITHUB_OUTPUT + - name: Build App - run: "yarn build --publish never -w ${{ steps.config.outputs.build-args }}" + 
run: | + yarn ts-node scripts/generate-builder-config.ts ${{ steps.nightly.outputs.config-args }} ${{ steps.esigner.outputs.config-args }} + yarn build --publish never -w --config electron-builder.json ${{ steps.config.outputs.build-args }} + env: + SIGNTOOL_PATH: "C:/Program Files (x86)/Windows Kits/10/bin/10.0.22000.0/x86/signtool.exe" + + - name: Prepare artifacts for deployment + if: inputs.deploy-mode + shell: bash + run: | + mv dist _dist + mkdir -p dist/install/win32/${{ inputs.arch }}/msi dist/update/win32/${{ inputs.arch }} + mv _dist/squirrel-windows*/*.exe dist/install/win32/${{ inputs.arch }}/ + mv _dist/squirrel-windows*/*.nupkg dist/update/win32/${{ inputs.arch }}/ + mv _dist/squirrel-windows*/RELEASES dist/update/win32/${{ inputs.arch }}/ + # mv _dist/*.msi dist/install/win32/${{ inputs.arch }}/msi/ + + # We don't wish to store the installer for every nightly ever, so we only keep the latest + - name: "[Nightly] Strip version from installer file" + if: inputs.deploy-mode && inputs.version != '' + shell: bash + run: | + mv dist/install/win32/${{ inputs.arch }}/*.exe "dist/install/win32/${{ inputs.arch }}/Element Nightly Setup.exe" + # mv dist/install/win32/${{ inputs.arch }}/msi/*.msi "dist/install/win32/${{ inputs.arch }}/msi/Element Nightly Setup.msi" + + - name: "[Release] Prepare release latest symlink" + if: inputs.deploy-mode && inputs.version == '' + shell: bash + run: | + ln -s "$(find . -type f -iname "*.exe" | xargs -0 -n1 -- basename)" "Element Setup.exe" + working-directory: "dist/install/win32/${{ inputs.arch }}" - name: Upload Artifacts uses: actions/upload-artifact@v3 with: - name: win-${{ inputs.arch }} + name: ${{ inputs.deploy-mode && 'packages.element.io' || format('win-{0}', inputs.arch) }} path: dist retention-days: 1 diff --git a/.github/workflows/packages_index.yaml b/.github/workflows/packages_index.yaml index 61b55fd..bd3ecb4 100644 --- a/.github/workflows/packages_index.yaml +++ b/.github/workflows/packages_index.yaml 
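Review bot: The `Install and configure eSigner CKA` step downloads an installer and executes it without checking what was fetched; the URL is on packages.element.io, presumably backed by the bucket this pipeline deploys to, so write access there decides what runs next to the signing credentials. Compare the file against a pinned SHA-256 before running it. The same step expands `${{ secrets.ESIGNER_USER_PASSWORD }}` and the other two secrets into the script text, where a `$`, backtick or quote in the value is parsed by PowerShell; mapping them through `env:` and reading `$env:…` avoids that. The later bash steps interpolate `${{ inputs.version }}` and `${{ inputs.arch }}` into the script in the same way and would benefit from the same treatment.

```yaml
    - name: Install and configure eSigner CKA
      run: |
        # … unchanged: Set-StrictMode …

        # Download, then refuse to run the installer unless it matches the pinned digest
        Invoke-WebRequest -OutFile eSigner_CKA.exe "https://packages.element.io/tools/SSL.COM%20eSigner%20CKA_1.0.4-build-20230221_signed.exe"
        $Actual = (Get-FileHash -Algorithm SHA256 -Path eSigner_CKA.exe).Hash
        if ($Actual -ne $env:INSTALLER_SHA256) { throw "eSigner CKA installer digest mismatch: $Actual" }

        # … unchanged: install, disable logger …

        # Configure: credentials are read from the environment, not expanded into the script text
        & "$env:INSTALL_DIR/eSignerCKATool.exe" config -mode "$env:MODE" -user "$env:ESIGNER_USER_NAME" -pass "$env:ESIGNER_USER_PASSWORD" -totp "$env:ESIGNER_USER_TOTP" -key "$env:MASTER_KEY_FILE" -r

        # … unchanged: unload/load, find certificate, write config-args …
      env:
        # … unchanged: MODE, INSTALL_DIR, MASTER_KEY_FILE …
        INSTALLER_SHA256: "<PLACEHOLDER: SHA-256 of the reviewed installer>"
        ESIGNER_USER_NAME: ${{ secrets.ESIGNER_USER_NAME }}
        ESIGNER_USER_PASSWORD: ${{ secrets.ESIGNER_USER_PASSWORD }}
        ESIGNER_USER_TOTP: ${{ secrets.ESIGNER_USER_TOTP }}
```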
@@ -8,9 +8,9 @@ on: # Trigger a daily rebuild for (mac-mini built) Nightly builds schedule: - cron: "0 11 * * *" - # Trigger after Nightly builds are deployed + # Trigger after Nightly builds are deployed workflow_run: - workflows: [ "Build and Deploy" ] + workflows: ["Build and Deploy"] types: - completed # Manual trigger for rebuilding for releases diff --git a/scripts/generate-builder-config.ts b/scripts/generate-builder-config.ts index adaaddb..eb98b7f 100755 --- a/scripts/generate-builder-config.ts +++ b/scripts/generate-builder-config.ts @@ -22,10 +22,12 @@ const NIGHTLY_APP_ID = "im.riot.nightly"; const NIGHTLY_APP_NAME = "element-desktop-nightly"; const argv = parseArgs<{ - nightly?: string; + "nightly"?: string; + "signtool-thumbprint"?: string; + "signtool-subject-name"?: string; "deb-custom-control"?: string; }>(process.argv.slice(2), { - string: ["nightly", "deb-custom-control"], + string: ["nightly", "deb-custom-control", "signtool-thumbprint", "signtool-subject-name"], }); interface File { @@ -54,7 +56,10 @@ interface PackageBuild { target: { target: string; }; - sign: string; + sign?: string; + signingHashAlgorithms?: string[]; + certificateSubjectName?: string; + certificateSha1?: string; }; deb?: { fpm?: string[]; @@ -108,6 +113,13 @@ async function main(): Promise { cfg.extraMetadata!.version = version; } + if (argv["signtool-thumbprint"] && argv["signtool-subject-name"]) { + delete cfg.win.sign; + cfg.win.signingHashAlgorithms = ["sha256"]; + cfg.win.certificateSubjectName = argv["signtool-subject-name"]; + cfg.win.certificateSha1 = argv["signtool-thumbprint"]; + } + if (os.platform() === "linux") { // Electron crashes on debian if there's a space in the path. // https://github.com/vector-im/element-web/issues/13171 
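Review bot: The new branch in `main()` switches to certificate-based signing only when both `--signtool-thumbprint` and `--signtool-subject-name` are non-empty; if just one arrives, for example because the CN extraction in the workflow produced an empty string, the config silently keeps the previous `sign` setting and the build carries on. I would reject the half-specified case ahead of the existing `if`, e.g. `if (!!argv["signtool-thumbprint"] !== !!argv["signtool-subject-name"]) throw new Error("--signtool-thumbprint and --signtool-subject-name must be given together");`. The rejection reaches the existing `.catch` and exits non-zero, so the workflow step fails instead of producing an artifact signed by a different path than intended. `main()` begins and ends outside the hunk.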
@@ -123,9 +135,11 @@ async function main(): Promise { await fsProm.writeFile(ELECTRON_BUILDER_CFG_FILE, JSON.stringify(cfg, null, 4)); } -main().then((ret) => { - process.exit(ret!); -}).catch((e) => { - console.error(e); - process.exit(1); -}); +main() + .then((ret) => { + process.exit(ret!); + }) + .catch((e) => { + console.error(e); + process.exit(1); + }); diff --git a/scripts/generate-packages-index.ts b/scripts/generate-packages-index.ts index 822b749..9eb8343 100755 --- a/scripts/generate-packages-index.ts +++ b/scripts/generate-packages-index.ts @@ -8,6 +8,7 @@ const HIDDEN_FILES = [ ".DS_Store", "index.html", "/fonts/", + "/tools/", "/nginx-theme/", ".~tmp~/", "msi/",