Skip to content

fix: add vpn lifecycle check on Connect on Launch feature (#157) #28

fix: add vpn lifecycle check on Connect on Launch feature (#157)

fix: add vpn lifecycle check on Connect on Launch feature (#157) #28

Workflow file for this run

name: Release
on:
push:
tags:
- '*'
workflow_dispatch:
inputs:
version:
description: 'Version number (e.g. v1.2.3)'
required: true
permissions:
contents: write
# Necessary for GCP authentication (https://github.com/google-github-actions/setup-gcloud#usage)
id-token: write
jobs:
release:
# windows-2025 is required for an up-to-date version of OpenSSL for the
# appcast generation.
runs-on: ${{ github.repository_owner == 'coder' && 'windows-2025-16-cores' || 'windows-2025' }}
outputs:
version: ${{ steps.version.outputs.VERSION }}
timeout-minutes: 15
steps:
- uses: actions/checkout@v4
- name: Setup .NET
uses: actions/setup-dotnet@v4
with:
dotnet-version: '8.0.x'
# Necessary for signing Windows binaries.
- name: Setup Java
uses: actions/setup-java@3a4f6e1af504cf6a31855fa899c6aa5355ba6c12 # v4.7.0
with:
distribution: "zulu"
java-version: "11.0"
- name: Get version from tag
id: version
shell: pwsh
run: |
$ErrorActionPreference = "Stop"
if ($env:INPUT_VERSION) {
$tag = $env:INPUT_VERSION
} else {
$tag = $env:GITHUB_REF -replace 'refs/tags/',''
}
if ($tag -notmatch '^v\d+\.\d+\.\d+$') {
throw "Version must be in format v1.2.3, got $tag"
}
$version = $tag -replace '^v',''
$assemblyVersion = "$($version).0"
Add-Content -Path $env:GITHUB_OUTPUT -Value "VERSION=$version"
Add-Content -Path $env:GITHUB_OUTPUT -Value "ASSEMBLY_VERSION=$assemblyVersion"
Write-Host "Version: $version"
Write-Host "Assembly version: $assemblyVersion"
env:
INPUT_VERSION: ${{ inputs.version }}
# Setup GCloud for signing Windows binaries.
- name: Authenticate to Google Cloud
id: gcloud_auth
uses: google-github-actions/auth@71f986410dfbc7added4569d411d040a91dc6935 # v2.1.8
with:
workload_identity_provider: ${{ secrets.GCP_WORKLOAD_ID_PROVIDER }}
service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
token_format: "access_token"
- name: Install gcloud
uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # 2.1.4
- name: Install wix
shell: pwsh
run: |
$ErrorActionPreference = "Stop"
& dotnet.exe tool install --global wix --version 5.0.2
if ($LASTEXITCODE -ne 0) { throw "Failed to install wix" }
foreach ($ext in @("WixToolset.Bal.wixext/5.0.2", "WixToolset.Netfx.wixext/5.0.2", "WixToolset.UI.wixext/5.0.2", "WixToolset.Util.wixext/5.0.2")) {
& wix.exe extension add -g $ext
if ($LASTEXITCODE -ne 0) { throw "Failed to add wix extension $ext" }
}
- name: scripts/Release.ps1
id: release
shell: pwsh
run: |
$ErrorActionPreference = "Stop"
$env:EV_CERTIFICATE_PATH = Join-Path $env:TEMP "ev_cert.pem"
Set-Content -Path $env:EV_CERTIFICATE_PATH -Value $env:EV_SIGNING_CERT
$env:JSIGN_PATH = Join-Path $env:TEMP "jsign-6.0.jar"
Invoke-WebRequest -Uri "https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar" -OutFile $env:JSIGN_PATH
& ./scripts/Release.ps1 `
-version ${{ steps.version.outputs.VERSION }} `
-assemblyVersion ${{ steps.version.outputs.ASSEMBLY_VERSION }}
if ($LASTEXITCODE -ne 0) { throw "Failed to publish" }
env:
EV_SIGNING_CERT: ${{ secrets.EV_SIGNING_CERT }}
EV_KEYSTORE: ${{ secrets.EV_KEYSTORE }}
EV_KEY: ${{ secrets.EV_KEY }}
EV_TSA_URL: ${{ secrets.EV_TSA_URL }}
GCLOUD_ACCESS_TOKEN: ${{ steps.gcloud_auth.outputs.access_token }}
- name: Upload artifact
uses: actions/upload-artifact@v4
with:
name: publish
path: .\publish\
- name: Create release
uses: softprops/action-gh-release@v2
if: startsWith(github.ref, 'refs/tags/')
with:
name: Release ${{ steps.version.outputs.VERSION }}
generate_release_notes: true
# We currently only release the bootstrappers, not the MSIs.
files: |
${{ steps.release.outputs.X64_OUTPUT_PATH }}
${{ steps.release.outputs.ARM64_OUTPUT_PATH }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Update appcast
if: startsWith(github.ref, 'refs/tags/')
shell: pwsh
run: |
$ErrorActionPreference = "Stop"
# The Update-AppCast.ps1 script fetches the release notes from GitHub,
# which might take a few seconds to be ready.
Start-Sleep -Seconds 10
# Save the appcast signing key to a temporary file.
$keyPath = Join-Path $env:TEMP "appcast-key.pem"
$key = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($env:APPCAST_SIGNATURE_KEY_BASE64))
Set-Content -Path $keyPath -Value $key
# Download the old appcast from GCS.
$oldAppCastPath = Join-Path $env:TEMP "appcast.old.xml"
& gsutil cp $env:APPCAST_GCS_URI $oldAppCastPath
if ($LASTEXITCODE -ne 0) { throw "Failed to download appcast" }
# Generate the new appcast and signature.
$newAppCastPath = Join-Path $env:TEMP "appcast.new.xml"
$newAppCastSignaturePath = $newAppCastPath + ".signature"
& ./scripts/Update-AppCast.ps1 `
-tag "${{ github.ref_name }}" `
-channel stable `
-x64Path "${{ steps.release.outputs.X64_OUTPUT_PATH }}" `
-arm64Path "${{ steps.release.outputs.ARM64_OUTPUT_PATH }}" `
-keyPath $keyPath `
-inputAppCastPath $oldAppCastPath `
-outputAppCastPath $newAppCastPath `
-outputAppCastSignaturePath $newAppCastSignaturePath
if ($LASTEXITCODE -ne 0) { throw "Failed to generate new appcast" }
# Upload the new appcast and signature to GCS.
& gsutil -h "Cache-Control:no-cache,max-age=0" cp $newAppCastPath $env:APPCAST_GCS_URI
if ($LASTEXITCODE -ne 0) { throw "Failed to upload new appcast" }
& gsutil -h "Cache-Control:no-cache,max-age=0" cp $newAppCastSignaturePath $env:APPCAST_SIGNATURE_GCS_URI
if ($LASTEXITCODE -ne 0) { throw "Failed to upload new appcast signature" }
env:
APPCAST_GCS_URI: gs://releases.coder.com/coder-desktop/windows/appcast.xml
APPCAST_SIGNATURE_GCS_URI: gs://releases.coder.com/coder-desktop/windows/appcast.xml.signature
APPCAST_SIGNATURE_KEY_BASE64: ${{ secrets.APPCAST_SIGNATURE_KEY_BASE64 }}
GH_TOKEN: ${{ github.token }}
GCLOUD_ACCESS_TOKEN: ${{ steps.gcloud_auth.outputs.access_token }}
winget:
runs-on: depot-windows-latest
needs: release
steps:
- name: Sync fork
run: gh repo sync cdrci/winget-pkgs -b master
env:
GH_TOKEN: ${{ secrets.CDRCI_GITHUB_TOKEN }}
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
# If the event that triggered the build was an annotated tag (which our
# tags are supposed to be), actions/checkout has a bug where the tag in
# question is only a lightweight tag and not a full annotated tag. This
# command seems to fix it.
# https://github.com/actions/checkout/issues/290
- name: Fetch git tags
run: git fetch --tags --force
- name: Install wingetcreate
run: |
Invoke-WebRequest https://aka.ms/wingetcreate/latest -OutFile wingetcreate.exe
- name: Submit updated manifest to winget-pkgs
run: |
$version = "${{ needs.release.outputs.version }}"
$release_assets = gh release view --repo coder/coder-desktop-windows "v${version}" --json assets | `
ConvertFrom-Json
# Get the installer URLs from the release assets.
$amd64_installer_url = $release_assets.assets | `
Where-Object name -Match ".*-x64.exe$" | `
Select -ExpandProperty url
$arm64_installer_url = $release_assets.assets | `
Where-Object name -Match ".*-arm64.exe$" | `
Select -ExpandProperty url
echo "amd64 Installer URL: ${amd64_installer_url}"
echo "arm64 Installer URL: ${arm64_installer_url}"
echo "Package version: ${version}"
.\wingetcreate.exe update Coder.CoderDesktop `
--submit `
--version "${version}" `
--urls "${amd64_installer_url}" "${arm64_installer_url}" `
--token "$env:WINGET_GH_TOKEN"
env:
# For gh CLI:
GH_TOKEN: ${{ github.token }}
# For wingetcreate. We need a real token since we're pushing a commit
# to GitHub and then making a PR in a different repo.
WINGET_GH_TOKEN: ${{ secrets.CDRCI_GITHUB_TOKEN }}
- name: Comment on PR
run: |
# wait 30 seconds
Start-Sleep -Seconds 30.0
# Find the PR that wingetcreate just made.
$version = "${{ needs.release.outputs.version }}"
$pr_list = gh pr list --repo microsoft/winget-pkgs --search "author:cdrci Coder.CoderDesktop version ${version}" --limit 1 --json number | `
ConvertFrom-Json
$pr_number = $pr_list[0].number
gh pr comment --repo microsoft/winget-pkgs "${pr_number}" --body "🤖 cc: @deansheather @matifali"
env:
# For gh CLI. We need a real token since we're commenting on a PR in a
# different repo.
GH_TOKEN: ${{ secrets.CDRCI_GITHUB_TOKEN }}