mirror of
https://github.com/vector-im/element-desktop.git
synced 2024-08-09 06:53:47 +00:00
a0a9ec830c
* Add way to provide apple ID and app password to notarise script * Add utility to generate electron-builder.json for release & nightly builds * Run Build & Test on staging too * First attempt at build & deploy for macOS with signing and notarisation * Fix quote mismatch * use correct quotes * add runs-on * Fix inputs.mode usage * remove quotes * chmod +x * Fix artifact paths * Fix deploy condition * Fix deploy condition * Fix artifact path * Iterate * Fix workflow * Fix env * Iterate * Fix missing env * Fix version calculation * Iterate * Fix config not taking effect * Update build_and_deploy.yaml * Fix alignments * delint * Fix alignment * Update build_macos.yaml * Add ability to EV sign using eSigner CKA * Initial work to build & sign Windows nightlies in CI * Format * Format * Fix gha * fix winSign * Fix install command * Add signtool to path * Update build_and_deploy.yaml * Fix quotes * Test * Fix comments * Fix cmd * Try again * arg slashes * Fix exe path * Fix matrix strategy * Use ampersand-call * fwd slash ftw? * ls * * 🌲 * tree dist * prepend path * Specify /fd and /td to modern signtool * /tr not /t for CKA * Test signing * missing comma * 🤦♂️ * Fix wrong mv * Lets sign * Fix config gen * Debug * Fix typo * Multiple drives why * Try NVL sandbox creds * Update * Attempt to disable logger * Try again * Iterate * Update build_macos.yaml * Update build_and_deploy.yaml * Update build_macos.yaml * Update build_and_deploy.yaml * Update build_and_deploy.yaml * Try custom build of eSigner CKA * Fix typos * Update build_windows.yaml * Update build_and_deploy.yaml * Update build_windows.yaml * Update build_and_deploy.yaml * Fix symlinking * Fix working-directory incantation * exe * remove debug * Prettier * Vendor check in SSL.com executable * Download CKA from packages.element.io instead * Use demo creds * StrictMode * Switch back to 0207 (unsigned) * Fix call syntax * Revert env inc * Partial rollback * Trace * Trace less * Fix CN being passed wrong * DEBUG * Debug 2 * Fix ConvertFrom-StringData * 0214 * Test * Test * Untested * Revert to 0207 * stash * Try with 20230221 * Restore scripts/electron_winSign.js * Prepare for merge * Update build_windows.yaml * Update build_and_deploy.yaml * Restore .github/workflows/build_and_deploy.yaml * Restore .github/workflows/build_and_deploy.yaml * Fix bad restore
190 lines
8.5 KiB
YAML
190 lines
8.5 KiB
YAML
# This workflow relies on actions/cache to store the hak dependency artifacts as they take a long time to build
|
|
# Due to this extra care must be taken to only ever run all build_* scripts against the same branch to ensure
|
|
# the correct cache scoping, and additional care must be taken to not run untrusted actions on the develop branch.
|
|
on:
|
|
workflow_call:
|
|
secrets:
|
|
ESIGNER_USER_NAME:
|
|
required: false
|
|
ESIGNER_USER_PASSWORD:
|
|
required: false
|
|
ESIGNER_USER_TOTP:
|
|
required: false
|
|
inputs:
|
|
arch:
|
|
type: string
|
|
required: true
|
|
description: "The architecture to build for, one of 'x64' | 'x86'"
|
|
version:
|
|
type: string
|
|
required: false
|
|
description: "Version string to override the one in package.json, used for non-release builds"
|
|
sign:
|
|
type: string
|
|
required: false
|
|
description: "Whether to sign & notarise the build, requires 'packages.element.io' environment"
|
|
deploy-mode:
|
|
type: string
|
|
required: false
|
|
description: "Whether to arrange artifacts in the arrangement needed for deployment, skipping unrelated ones"
|
|
jobs:
|
|
build:
|
|
runs-on: windows-latest
|
|
environment: ${{ inputs.sign && 'packages.element.io' || '' }}
|
|
steps:
|
|
- uses: kanga333/variable-mapper@master
|
|
id: config
|
|
with:
|
|
key: "${{ inputs.arch }}"
|
|
export_to: output
|
|
map: |
|
|
{
|
|
"x64": {
|
|
"target": "x86_64-pc-windows-msvc"
|
|
},
|
|
"x86": {
|
|
"target": "i686-pc-windows-msvc",
|
|
"build-args": "--ia32"
|
|
}
|
|
}
|
|
|
|
- uses: actions/checkout@v3
|
|
|
|
- uses: actions/download-artifact@v3
|
|
with:
|
|
name: webapp
|
|
|
|
- name: Cache .hak
|
|
id: cache
|
|
uses: actions/cache@v3
|
|
with:
|
|
key: ${{ runner.os }}-${{ hashFiles('hakDependencies.json', 'electronVersion') }}
|
|
path: |
|
|
./.hak
|
|
|
|
- name: Set up build tools
|
|
uses: ilammy/msvc-dev-cmd@v1
|
|
with:
|
|
arch: ${{ inputs.arch }}
|
|
|
|
# ActiveTCL package on choco is from 2015,
|
|
# this one is newer but includes more than we need
|
|
- name: Choco install tclsh
|
|
if: steps.cache.outputs.cache-hit != 'true'
|
|
shell: pwsh
|
|
run: |
|
|
choco install -y magicsplat-tcl-tk --no-progress
|
|
echo "${HOME}/AppData/Local/Apps/Tcl86/bin" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
|
|
|
|
- name: Choco install NetWide Assembler
|
|
if: steps.cache.outputs.cache-hit != 'true'
|
|
shell: pwsh
|
|
run: |
|
|
choco install -y nasm --no-progress
|
|
echo "C:/Program Files/NASM" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
|
|
|
|
- name: Install Rust
|
|
if: steps.cache.outputs.cache-hit != 'true'
|
|
uses: actions-rs/toolchain@v1
|
|
with:
|
|
toolchain: stable
|
|
target: ${{ steps.config.outputs.target }}
|
|
|
|
- uses: actions/setup-node@v3
|
|
with:
|
|
cache: "yarn"
|
|
|
|
# Does not need branch matching as only analyses this layer
|
|
- name: Install Deps
|
|
run: "yarn install --pure-lockfile"
|
|
|
|
- name: Build Natives
|
|
if: steps.cache.outputs.cache-hit != 'true'
|
|
run: |
|
|
refreshenv
|
|
yarn build:native --target ${{ steps.config.outputs.target }}
|
|
|
|
- name: Install and configure eSigner CKA
|
|
id: esigner
|
|
if: inputs.sign
|
|
run: |
|
|
Set-StrictMode -Version 'Latest'
|
|
|
|
# Download
|
|
Invoke-WebRequest -OutFile eSigner_CKA.exe "https://packages.element.io/tools/SSL.COM%20eSigner%20CKA_1.0.4-build-20230221_signed.exe"
|
|
|
|
# Install
|
|
New-Item -ItemType Directory -Force -Path "$env:INSTALL_DIR"
|
|
./eSigner_CKA.exe /CURRENTUSER /VERYSILENT /SUPPRESSMSGBOXES /DIR="${{ env.INSTALL_DIR }}" | Out-Null
|
|
|
|
# Disable logger
|
|
$LogConfig = Get-Content -Path ${{ env.INSTALL_DIR }}/log4net.config
|
|
$LogConfig[0] = '<log4net threshold="OFF">'
|
|
$LogConfig | Set-Content -Path ${{ env.INSTALL_DIR }}/log4net.config
|
|
|
|
# Configure
|
|
${{ env.INSTALL_DIR }}/eSignerCKATool.exe config -mode "${{ env.MODE }}" -user "${{ secrets.ESIGNER_USER_NAME }}" -pass "${{ secrets.ESIGNER_USER_PASSWORD }}" -totp "${{ secrets.ESIGNER_USER_TOTP }}" -key "${{ env.MASTER_KEY_FILE }}" -r
|
|
${{ env.INSTALL_DIR }}/eSignerCKATool.exe unload
|
|
${{ env.INSTALL_DIR }}/eSignerCKATool.exe load
|
|
|
|
# Find certificate
|
|
$CodeSigningCert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
|
|
echo Certificate: $CodeSigningCert
|
|
|
|
# Extract thumbprint and subject name
|
|
$Thumbprint = $CodeSigningCert.Thumbprint
|
|
$SubjectName = ($CodeSigningCert.Subject -replace ", ?", "`n" | ConvertFrom-StringData).CN
|
|
echo "config-args=--signtool-thumbprint '$Thumbprint' --signtool-subject-name '$SubjectName'" >> $env:GITHUB_OUTPUT
|
|
env:
|
|
# XXX: UPDATE THIS BEFORE WHEN GOING LIVE
|
|
MODE: sandbox
|
|
INSTALL_DIR: C:\Users\runneradmin\eSignerCKA
|
|
MASTER_KEY_FILE: C:\Users\runneradmin\eSignerCKA\master.key
|
|
|
|
- name: "[Nightly] Resolve version"
|
|
id: nightly
|
|
if: inputs.version != ''
|
|
shell: bash
|
|
run: |
|
|
echo "config-args=--nightly '${{ inputs.version }}'" >> $GITHUB_OUTPUT
|
|
|
|
- name: Build App
|
|
run: |
|
|
yarn ts-node scripts/generate-builder-config.ts ${{ steps.nightly.outputs.config-args }} ${{ steps.esigner.outputs.config-args }}
|
|
yarn build --publish never -w --config electron-builder.json ${{ steps.config.outputs.build-args }}
|
|
env:
|
|
SIGNTOOL_PATH: "C:/Program Files (x86)/Windows Kits/10/bin/10.0.22000.0/x86/signtool.exe"
|
|
|
|
- name: Prepare artifacts for deployment
|
|
if: inputs.deploy-mode
|
|
shell: bash
|
|
run: |
|
|
mv dist _dist
|
|
mkdir -p dist/install/win32/${{ inputs.arch }}/msi dist/update/win32/${{ inputs.arch }}
|
|
mv _dist/squirrel-windows*/*.exe dist/install/win32/${{ inputs.arch }}/
|
|
mv _dist/squirrel-windows*/*.nupkg dist/update/win32/${{ inputs.arch }}/
|
|
mv _dist/squirrel-windows*/RELEASES dist/update/win32/${{ inputs.arch }}/
|
|
# mv _dist/*.msi dist/install/win32/${{ inputs.arch }}/msi/
|
|
|
|
# We don't wish to store the installer for every nightly ever, so we only keep the latest
|
|
- name: "[Nightly] Strip version from installer file"
|
|
if: inputs.deploy-mode && inputs.version != ''
|
|
shell: bash
|
|
run: |
|
|
mv dist/install/win32/${{ inputs.arch }}/*.exe "dist/install/win32/${{ inputs.arch }}/Element Nightly Setup.exe"
|
|
# mv dist/install/win32/${{ inputs.arch }}/msi/*.msi "dist/install/win32/${{ inputs.arch }}/msi/Element Nightly Setup.msi"
|
|
|
|
- name: "[Release] Prepare release latest symlink"
|
|
if: inputs.deploy-mode && inputs.version == ''
|
|
shell: bash
|
|
run: |
|
|
ln -s "$(find . -type f -iname "*.exe" | xargs -0 -n1 -- basename)" "Element Setup.exe"
|
|
working-directory: "dist/install/win32/${{ inputs.arch }}"
|
|
|
|
- name: Upload Artifacts
|
|
uses: actions/upload-artifact@v3
|
|
with:
|
|
name: ${{ inputs.deploy-mode && 'packages.element.io' || format('win-{0}', inputs.arch) }}
|
|
path: dist
|
|
retention-days: 1
|