Sign PAF contents before packaging it
filips123 committed Oct 15, 2024
1 parent 9f41694 commit 9d9e560
Showing 1 changed file with 57 additions and 14 deletions.
71 changes: 57 additions & 14 deletions .github/workflows/native.yaml
Expand Up @@ -143,6 +143,8 @@ jobs:
portable: true

steps:
# == Setting Environment

- name: Checkout repository
uses: actions/checkout@v4

Expand All @@ -164,6 +166,8 @@ jobs:
cache-all-crates: true
key: ${{ matrix.target }}-${{ matrix.portable == true }}

# == Setting Dependencies

- name: Install cross (Linux)
if: matrix.os == 'ubuntu-latest'
run: |
Expand Down Expand Up @@ -200,6 +204,8 @@ jobs:
7z x -y PortableAppsInstaller.paf.exe
echo $TEMP/PortableAppsInstaller >> $GITHUB_PATH
# == Building Project

- name: Configure Linux builds
if: matrix.os == 'ubuntu-latest'
run: |
Expand Down Expand Up @@ -246,6 +252,8 @@ jobs:
[[ ${{ matrix.os }} == ubuntu-latest ]] && CARGO="cross" || CARGO="cargo"
$CARGO build --release --target ${{ matrix.target }} ${{ matrix.flags }}
# == Packaging Shell Completions

- name: Package shell completions
if: matrix.target == 'x86_64-unknown-linux-gnu'
run: |
Expand All @@ -259,6 +267,8 @@ jobs:
path: native/target/completions.zip
compression-level: 0

# == Packaging Linux DEB

- name: Package DEB (Linux)
if: matrix.os == 'ubuntu-latest'
run: |
Expand All @@ -273,6 +283,8 @@ jobs:
path: native/target/debian/*.deb
compression-level: 0

# == Packaging Linux RPM

- name: Package RPM (Linux)
if: matrix.os == 'ubuntu-latest'
run: |
Expand All @@ -286,14 +298,15 @@ jobs:
path: native/target/rpm/*.rpm
compression-level: 0

# == Packaging Windows MSI

- name: Upload unsigned executables (Windows, MSI)
id: unsigned-executables-normal
if: matrix.os == 'windows-latest' && matrix.portable != true
if: matrix.os == 'windows-latest' && matrix.portable != true # && startsWith(github.ref, 'refs/tags/v')
uses: actions/upload-artifact@v4
with:
name: unsigned-executables-normal-${{ steps.target.outputs.target }}
path: native/target/${{ matrix.target }}/release/*.exe
compression-level: 0

- name: Sign executables with SignPath (Windows, MSI)
if: matrix.os == 'windows-latest' && matrix.portable != true # && startsWith(github.ref, 'refs/tags/v')
Expand All @@ -307,7 +320,7 @@ jobs:
artifact-configuration-slug: installer-contents
output-artifact-directory: native/target/${{ matrix.target }}/release

- name: Package MSI (Windows)
- name: Package MSI (Windows, MSI)
if: matrix.os == 'windows-latest' && matrix.portable != true
run: |
heat dir userchrome -o packages/wix/userchrome.wxs -scom -srd -sreg -gg -cg UserChrome -dr UserChromeDir -var wix.UserChromeSource
Expand Down Expand Up @@ -342,7 +355,9 @@ jobs:
path: signed/msi/*.msi
compression-level: 0

- name: Package PAF (Windows)
# == Packaging Windows PAF

- name: Prepare portable package (Windows, PAF)
if: matrix.os == 'windows-latest' && matrix.portable == true
run: |
# Build helper executables
Expand Down Expand Up @@ -372,20 +387,46 @@ jobs:
fi
echo "::endgroup::"
# Generate the launcher and installer
echo "::group::Generating the launcher and installer"
cd packages/paf
PortableApps.comLauncherGenerator.exe $(cygpath -d $(realpath PWAsForFirefoxPortable))
PortableApps.comInstaller.exe $(cygpath -d $(realpath PWAsForFirefoxPortable))
# Generate the launcher
echo "::group::Generating the launcher"
(cd packages/paf && PortableApps.comLauncherGenerator.exe $(cygpath -d $(realpath PWAsForFirefoxPortable)))
echo "::endgroup::"
- name: Upload unsigned contents (Windows, PAF)
id: unsigned-executables-portable
if: matrix.os == 'windows-latest' && matrix.portable == true # && startsWith(github.ref, 'refs/tags/v')
uses: actions/upload-artifact@v4
with:
name: unsigned-executables-portable-${{ steps.target.outputs.target }}
path: native/packages/paf/PWAsForFirefoxPortable

- name: Sign contents with SignPath (Windows, PAF)
if: matrix.os == 'windows-latest' && matrix.portable == true # && startsWith(github.ref, 'refs/tags/v')
uses: signpath/github-action-submit-signing-request@v1
with:
api-token: ${{ secrets.SIGNPATH_TOKEN }}
organization-id: ${{ vars.SIGNPATH_ORGANIZATION_ID }}
project-slug: ${{ vars.SIGNPATH_PROJECT_SLUG }}
signing-policy-slug: ${{ vars.SIGNPATH_POLICY_SLUG }}
github-artifact-id: ${{ steps.unsigned-executables-portable.outputs.artifact-id }}
artifact-configuration-slug: portable-contents
output-artifact-directory: native/packages/paf/PWAsForFirefoxPortable

- name: Generate portable package (Windows, PAF)
if: matrix.os == 'windows-latest' && matrix.portable == true
run: |
# Generate the installer
echo "::group::Generating the launcher"
(cd packages/paf && PortableApps.comInstaller.exe $(cygpath -d $(realpath PWAsForFirefoxPortable)))
echo "::endgroup::"
# Rename the installer
echo "::group::Renaming the installer"
mkdir -p ../../target/paf/
mv PWAsForFirefoxPortable_*.paf.exe ../../target/paf/firefoxpwa_${VERSION}_online.paf.exe
mkdir -p target/paf/
mv packages/paf/PWAsForFirefoxPortable_*.paf.exe target/paf/firefoxpwa_${VERSION}_online.paf.exe
echo "::endgroup::"
- name: Upload unsigned PAF (Windows)
- name: Upload unsigned PAF (Windows, PAF)
id: artifact-unsigned-paf
if: matrix.os == 'windows-latest' && matrix.portable == true
uses: actions/upload-artifact@v4
Expand All @@ -394,7 +435,7 @@ jobs:
path: native/target/paf/*.paf.exe
compression-level: 0

- name: Sign PAF with SignPath (Windows)
- name: Sign PAF with SignPath (Windows, PAF)
if: matrix.os == 'windows-latest' && matrix.portable == true # && startsWith(github.ref, 'refs/tags/v')
uses: signpath/github-action-submit-signing-request@v1
with:
Expand All @@ -406,14 +447,16 @@ jobs:
artifact-configuration-slug: portable
output-artifact-directory: signed/paf

- name: Upload signed PAF (Windows)
- name: Upload signed PAF (Windows, PAF)
if: matrix.os == 'windows-latest' && matrix.portable == true # && startsWith(github.ref, 'refs/tags/v')
uses: actions/upload-artifact@v4
with:
name: build-artifacts-windows-paf-${{ steps.target.outputs.target }}
path: signed/paf/*.paf.exe
compression-level: 0

# == BUILD PROVENANCE

- name: Attest artifacts
# if: startsWith(github.ref, 'refs/tags/v')
uses: actions/attest-build-provenance@v1
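Review bot: The new `Sign contents with SignPath (Windows, PAF)` step hands `secrets.SIGNPATH_TOKEN` to `signpath/github-action-submit-signing-request@v1`, a mutable tag, and its `startsWith(github.ref, 'refs/tags/v')` guard is commented out. The workflow triggers are outside this view, but as far as the visible lines show, a signing request is submitted on every Windows portable run rather than only on release tags. If the commented guard is a temporary testing state, restore it on the new upload and sign steps before release, e.g. `if: matrix.os == 'windows-latest' && matrix.portable == true && startsWith(github.ref, 'refs/tags/v')`, and consider pinning the action to a full commit SHA (`uses: signpath/github-action-submit-signing-request@<full-commit-sha>`). Separately, the new `Generate portable package` step still logs `echo "::group::Generating the launcher"` although it runs `PortableApps.comInstaller.exe`; it should read `echo "::group::Generating the installer"`.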
