fix mfa codes #221
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: 'Build app and create release' | |
on: | |
push: | |
tags: | |
- v*.*.* | |
jobs: | |
build-wireguard-go: | |
strategy: | |
fail-fast: false | |
matrix: | |
architecture: [arm64, amd64] | |
runs-on: [self-hosted, macOS] | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
repository: WireGuard/wireguard-go | |
ref: master | |
fetch-depth: 0 | |
- name: Set up Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version: '1.22' | |
- name: Build wireguard-go binary | |
run: make | |
env: | |
GOOS: darwin | |
GOARCH: ${{ matrix.architecture }} | |
- name: Upload binary artifact arm64 | |
if: matrix.architecture == 'arm64' | |
uses: actions/upload-artifact@v4 | |
with: | |
name: wireguard-go-aarch64-apple-darwin | |
path: wireguard-go | |
- name: Upload binary artifact amd64 | |
if: matrix.architecture == 'amd64' | |
uses: actions/upload-artifact@v4 | |
with: | |
name: wireguard-go-x86_64-apple-darwin | |
path: wireguard-go | |
create-release: | |
name: create-release | |
runs-on: self-hosted | |
outputs: | |
upload_url: ${{ steps.release.outputs.upload_url }} | |
steps: | |
- name: Create GitHub release | |
id: release | |
uses: softprops/action-gh-release@v2 | |
with: | |
draft: true | |
generate_release_notes: true | |
build-linux: | |
needs: | |
- create-release | |
runs-on: | |
- self-hosted | |
- Linux | |
- ${{ matrix.architecture }} | |
strategy: | |
fail-fast: false | |
matrix: | |
architecture: [ARM64, X64] | |
include: | |
- architecture: ARM64 | |
deb_arch: arm64 | |
binary_arch: aarch64 | |
- architecture: X64 | |
deb_arch: amd64 | |
binary_arch: x86_64 | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
submodules: 'recursive' | |
- name: Write release version | |
run: | | |
VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1) | |
echo Version: $VERSION | |
echo "VERSION=$VERSION" >> $GITHUB_ENV | |
- uses: actions/setup-node@v3 | |
with: | |
node-version: '20' | |
- uses: pnpm/action-setup@v2 | |
with: | |
version: 9 | |
run_install: false | |
- name: Get pnpm store directory | |
shell: bash | |
run: | | |
echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV | |
- uses: actions/cache@v3 | |
name: Setup pnpm cache | |
with: | |
path: ${{ env.STORE_PATH }} | |
key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }} | |
restore-keys: | | |
${{ runner.os }}-pnpm-build-store- | |
- name: Install Node dependencies | |
run: pnpm install --frozen-lockfile | |
- uses: dtolnay/rust-toolchain@stable | |
- name: Install Linux dependencies | |
run: | | |
sudo apt-get update | |
sudo apt-get install -y libgtk-3-dev libwebkit2gtk-4.0-dev libappindicator3-dev librsvg2-dev patchelf libssl-dev unzip protobuf-compiler libprotobuf-dev rpm | |
- name: Build packages | |
uses: tauri-apps/tauri-action@v0 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: Create RPM | |
run: | | |
rpmbuild --build-in-place --define "_topdir $(pwd)" --define "version ${{ env.VERSION }}" -bb resources-linux/defguard-client.spec | |
- name: Upload RPM | |
uses: actions/upload-release-asset@v1 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
upload_url: ${{ needs.create-release.outputs.upload_url }} | |
asset_path: RPMS/${{ matrix.binary_arch }}/defguard-client-${{ env.VERSION }}-1.${{ matrix.binary_arch }}.rpm | |
asset_name: defguard-client-${{ env.VERSION }}-1.${{ matrix.binary_arch }}.rpm | |
asset_content_type: application/octet-stream | |
- name: Upload DEB | |
uses: actions/upload-release-asset@v1 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
upload_url: ${{ needs.create-release.outputs.upload_url }} | |
asset_path: src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb | |
asset_name: defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb | |
asset_content_type: application/octet-stream | |
- name: Rename client binary | |
run: mv src-tauri/target/release/defguard-client defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} | |
- name: Tar client binary | |
uses: a7ul/[email protected] | |
with: | |
command: c | |
files: | | |
defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} | |
outPath: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz | |
- name: Upload client archive | |
uses: actions/upload-release-asset@v1 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
upload_url: ${{ needs.create-release.outputs.upload_url }} | |
asset_path: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz | |
asset_name: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz | |
asset_content_type: application/octet-stream | |
- name: Rename daemon binary | |
run: mv src-tauri/target/release/defguard-service defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} | |
- name: Tar daemon binary | |
uses: a7ul/[email protected] | |
with: | |
command: c | |
files: | | |
defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} | |
outPath: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz | |
- name: Upload daemon archive | |
uses: actions/upload-release-asset@v1 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
upload_url: ${{ needs.create-release.outputs.upload_url }} | |
asset_path: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz | |
asset_name: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz | |
asset_content_type: application/octet-stream | |
- name: Rename dg binary | |
run: mv src-tauri/target/release/dg dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} | |
- name: Tar dg binary | |
uses: a7ul/[email protected] | |
with: | |
command: c | |
files: | | |
dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} | |
outPath: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz | |
- name: Upload dg archive | |
uses: actions/upload-release-asset@v1 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
upload_url: ${{ needs.create-release.outputs.upload_url }} | |
asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz | |
asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz | |
asset_content_type: application/octet-stream | |
- name: Build dg deb | |
uses: defGuard/fpm-action@main | |
with: | |
fpm_args: 'dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}=/usr/sbin/dg dg.service=/usr/lib/systemd/system/dg.service src-tauri/cli/.env=/etc/defguard/dg.conf' | |
fpm_opts: '--architecture ${{ matrix.binary_arch }} --debug --output-type deb --version ${{ env.VERSION }} --package dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb' | |
- name: Upload DEB | |
uses: actions/[email protected] | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
upload_url: ${{ needs.create-release.outputs.upload_url }} | |
asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb | |
asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb | |
asset_content_type: application/octet-stream | |
- name: Build dg rpm | |
uses: defGuard/fpm-action@main | |
with: | |
fpm_args: 'dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}=/usr/sbin/dg dg.service=/usr/lib/systemd/system/dg.service src-tauri/cli/.env=/etc/defguard/dg.conf' | |
fpm_opts: '--architecture ${{ matrix.binary_arch }} --debug --output-type rpm --version ${{ env.VERSION }} --package dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm' | |
- name: Upload RPM | |
uses: actions/[email protected] | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
upload_url: ${{ needs.create-release.outputs.upload_url }} | |
asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm | |
asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm | |
asset_content_type: application/octet-stream | |
build-macos: | |
needs: | |
- create-release | |
- build-wireguard-go | |
strategy: | |
fail-fast: false | |
matrix: | |
target: [aarch64-apple-darwin, x86_64-apple-darwin] | |
runs-on: | |
- self-hosted | |
- macOS | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
submodules: 'recursive' | |
- name: Write release version | |
run: | | |
VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1) | |
echo Version: $VERSION | |
echo "VERSION=$VERSION" >> $GITHUB_ENV | |
- uses: actions/setup-node@v3 | |
with: | |
node-version: '20' | |
- uses: pnpm/action-setup@v2 | |
with: | |
version: 9 | |
run_install: false | |
- name: Get pnpm store directory | |
shell: bash | |
run: echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV | |
- uses: actions/cache@v3 | |
name: Setup pnpm cache | |
with: | |
path: ${{ env.STORE_PATH }} | |
key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }} | |
restore-keys: | | |
${{ runner.os }}-pnpm-build-store- | |
- name: Install deps | |
run: pnpm install --frozen-lockfile | |
- uses: dtolnay/rust-toolchain@stable | |
- name: Install protobuf compiler | |
run: brew install protobuf | |
- name: Install ARM target | |
run: rustup target add aarch64-apple-darwin | |
- name: Download wireguard-go binary | |
uses: actions/download-artifact@v4 | |
with: | |
name: wireguard-go-${{ matrix.target }} | |
path: src-tauri/resources-macos/binaries/wireguard-go-${{ matrix.target }} | |
- name: Unlock keychain | |
run: security -v unlock-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" /Users/admin/Library/Keychains/login.keychain | |
- name: Build app | |
uses: tauri-apps/tauri-action@v0 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
APPLE_SIGNING_IDENTITY: 'Developer ID Application: TEONITE (6WD6W6WQNV)' | |
APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }} | |
APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} | |
APPLE_ID: '[email protected]' | |
APPLE_PASSWORD: ${{ secrets.NOTARYTOOL_APP_SPECIFIC_PASSWORD }} | |
APPLE_TEAM_ID: '6WD6W6WQNV' | |
with: | |
args: --target ${{ matrix.target }} -v | |
- name: Build installation package | |
run: | | |
bash build-macos-package.sh src-tauri/target/${{ matrix.target }} src-tauri/resources-macos/scripts "Developer ID Installer: TEONITE (6WD6W6WQNV)" /Users/admin/Library/Keychains/login.keychain | |
xcrun notarytool submit --wait --apple-id [email protected] --password ${{ secrets.NOTARYTOOL_APP_SPECIFIC_PASSWORD }} --team-id 6WD6W6WQNV src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg | |
xcrun stapler staple src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg | |
- name: Upload installation package | |
uses: actions/upload-release-asset@v1 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
upload_url: ${{ needs.create-release.outputs.upload_url }} | |
asset_path: src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg | |
asset_name: defguard-${{ matrix.target }}-${{ env.VERSION }}.pkg | |
asset_content_type: application/octet-stream | |
# Building signed Windows bundle involves a few steps as described here: | |
# https://wixtoolset.org/docs/tools/signing/#signing-bundles-at-the-command-line | |
# 1. Build Defguard and bundle the binaries (Defguard and WireGuard) using Wix (Windows) | |
# 2. Detach the burn engine from the bundle so that it can be signed (also Windows) | |
# 3. Sign the burn engine (Linux) | |
# 4. Reattach the burn engine back to the bundle (Windows again) | |
# 5. Sign the whole bundle (Linux) | |
build-windows: | |
needs: | |
- create-release | |
runs-on: windows-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
submodules: 'recursive' | |
- name: Write release version | |
run: | | |
$env:VERSION=echo ($env:GITHUB_REF_NAME.Substring(1) -Split "-")[0] | |
echo Version: $env:VERSION | |
echo "VERSION=$env:VERSION" >> $env:GITHUB_ENV | |
- uses: actions/setup-node@v3 | |
with: | |
node-version: '20' | |
- uses: pnpm/action-setup@v2 | |
with: | |
version: 9 | |
run_install: false | |
- name: Get pnpm store directory | |
shell: bash | |
run: echo "STORE_PATH=$(pnpm store path --silent)" >> $env:GITHUB_ENV | |
- uses: actions/cache@v3 | |
name: Setup pnpm cache | |
with: | |
path: ${{ env.STORE_PATH }} | |
key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }} | |
restore-keys: | | |
${{ runner.os }}-pnpm-build-store- | |
- name: Install deps | |
run: pnpm install --frozen-lockfile | |
- uses: dtolnay/rust-toolchain@stable | |
- name: Install Protoc | |
uses: arduino/setup-protoc@v2 | |
with: | |
repo-token: ${{ secrets.GITHUB_TOKEN }} | |
- name: Remove "default-run" line from Cargo.toml | |
run: | | |
Set-Content -Path ".\src-tauri\Cargo.toml" -Value (get-content -Path ".\src-tauri\Cargo.toml" | Select-String -Pattern 'default-run =' -NotMatch) | |
- name: Build packages | |
uses: tauri-apps/tauri-action@v0 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: Bundle application | |
run: | | |
dotnet tool install --global wix --version 4.0.5 | |
wix extension add WixToolset.Bal.wixext/4 | |
wix build .\src-tauri\resources-windows\defguard-client.wxs -ext .\.wix\extensions\WixToolset.Bal.wixext\4\wixext4\WixToolset.Bal.wixext.dll | |
wix burn detach .\src-tauri\resources-windows\defguard-client.exe -engine .\src-tauri\resources-windows\burnengine.exe | |
- name: Upload unsigned bundle and burn-engine | |
uses: actions/upload-artifact@v4 | |
with: | |
name: unsigned-bundle-and-burnengine | |
path: | | |
src-tauri/resources-windows/defguard-client.exe | |
src-tauri/resources-windows/burnengine.exe | |
sign-burn-engine: | |
needs: | |
- build-windows | |
runs-on: | |
- self-hosted | |
- Linux | |
- X64 | |
steps: | |
- name: Write release version | |
run: | | |
VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1) | |
echo Version: $VERSION | |
echo "VERSION=$VERSION" >> $GITHUB_ENV | |
- name: Download unsigned bundle & burn-engine | |
uses: actions/download-artifact@v4 | |
with: | |
name: unsigned-bundle-and-burnengine | |
- name: Sign burn-engine | |
run: osslsigncode sign -pkcs11module /srv/codesign/certum/sc30pkcs11-3.0.6.68-MS.so -certs /srv/codesign/29ee7778ca5217107841bbbf6b3062e1.pem -key ${{ secrets.CODESIGN_KEYID }} -pass ${{ secrets.CODESIGN_PIN }} -h sha256 -t http://time.certum.pl/ -in burnengine.exe -out burnengine-signed.exe | |
- name: Upload bundle and burn-engine artifact | |
uses: actions/upload-artifact@v4 | |
with: | |
name: unsigned-bundle-and-signed-burnengine | |
path: | | |
defguard-client.exe | |
burnengine-signed.exe | |
reattach-burn-engine: | |
needs: | |
- sign-burn-engine | |
runs-on: windows-latest | |
steps: | |
- name: Download unsigned bundle and signed burn-engine | |
uses: actions/download-artifact@v4 | |
with: | |
name: unsigned-bundle-and-signed-burnengine | |
- name: Reattach burn-engine | |
run: | | |
dotnet tool install --global wix --version 4.0.5 | |
wix extension add WixToolset.Bal.wixext/4 | |
wix burn reattach defguard-client.exe -engine burnengine-signed.exe -o defguard-client-reattached.exe | |
- name: Upload bundle with reattached burn-engine | |
uses: actions/upload-artifact@v4 | |
with: | |
name: unsigned-bundle-with-reattached-signed-burn-engine | |
path: defguard-client-reattached.exe | |
sign-bundle: | |
needs: | |
- create-release | |
- reattach-burn-engine | |
runs-on: | |
- self-hosted | |
- Linux | |
- X64 | |
steps: | |
- name: Write release version | |
run: | | |
VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1) | |
echo Version: $VERSION | |
echo "VERSION=$VERSION" >> $GITHUB_ENV | |
- name: Download unsigned bundle & signed burn-engine | |
uses: actions/download-artifact@v4 | |
with: | |
name: unsigned-bundle-with-reattached-signed-burn-engine | |
- name: Sign bundle | |
run: osslsigncode sign -pkcs11module /srv/codesign/certum/sc30pkcs11-3.0.6.68-MS.so -certs /srv/codesign/29ee7778ca5217107841bbbf6b3062e1.pem -key ${{ secrets.CODESIGN_KEYID }} -pass ${{ secrets.CODESIGN_PIN }} -h sha256 -t http://time.certum.pl/ -in defguard-client-reattached.exe -out defguard-client-signed.exe | |
- name: Upload installer asset | |
uses: actions/upload-release-asset@v1 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
upload_url: ${{ needs.create-release.outputs.upload_url }} | |
asset_path: defguard-client-signed.exe | |
asset_name: defguard-client_${{ env.VERSION }}_x64_en-US.exe | |
asset_content_type: application/octet-stream |