diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9d540b1ff7..8e8e817443 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -139,12 +139,13 @@ jobs:
 ./payload/*
 # ================================
-# Windows
+# Windows
 # ================================
- win-sign:
- name: Build and Sign Windows
+ create-windows-artifacts:
+ name: Create Windows Artifacts
 runs-on: windows-latest
 environment: release
+ needs: prereqs
 steps:
 - uses: actions/checkout@v4
@@ -153,9 +154,6 @@ jobs:
 with:
 dotnet-version: 7.0.x
- - name: Install dependencies
- run: dotnet restore
-
 - name: Build
 run: |
 dotnet build --configuration=WindowsRelease
@@ -165,80 +163,75 @@ jobs:
 dotnet test --configuration=WindowsRelease
 - name: Lay out Windows payload and symbols
- shell: pwsh
 run: |
- cd src/windows/Installer.Windows/
- ./layout.ps1 -Configuration WindowsRelease -Output payload -SymbolOutput symbols
- mkdir unsigned-payload
- Get-ChildItem -Path payload/* -Include *.exe, *.dll | Move-Item -Destination unsigned-payload
+ cd $env:GITHUB_WORKSPACE\src\windows\Installer.Windows\
+ ./layout.ps1 -Configuration WindowsRelease ` -Output $env:GITHUB_WORKSPACE\payload ` -SymbolOutput $env:GITHUB_WORKSPACE\symbols
+ # The AzureCodeSigning PowerShell module currently cannot handle files
+ # without extensions. This is a temporary workaround until the issue is
+ # fixed.
+ mkdir $env:GITHUB_WORKSPACE\incompatible-files
+ Get-ChildItem -Path $env:GITHUB_WORKSPACE\payload\* -Include NOTICE ` | Move-Item -Destination $env:GITHUB_WORKSPACE\incompatible-files
- - uses: azure/login@v1
+ - name: Log into Azure
+ uses: azure/login@v1
 with:
- creds: ${{ secrets.AZURE_CREDENTIALS }}
-
- - name: Set up ESRP client
- shell: pwsh
- env:
- AZURE_VAULT: ${{ secrets.AZURE_VAULT }}
- AUTH_CERT: ${{ secrets.AZURE_VAULT_AUTH_CERT_NAME }}
- REQUEST_SIGNING_CERT: ${{ secrets.AZURE_VAULT_REQUEST_SIGNING_CERT_NAME }}
- run: |
- .github\set_up_esrp.ps1
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- - name: Run ESRP client for unsigned payload
- shell: pwsh
- env:
- AZURE_AAD_ID: ${{ secrets.AZURE_AAD_ID }}
- WINDOWS_KEY_CODE: ${{ secrets.WINDOWS_KEY_CODE }}
- WINDOWS_OP_CODE: ${{ secrets.WINDOWS_OPERATION_CODE }}
- run: |
- python .github\run_esrp_signing.py ` src/windows/Installer.Windows/unsigned-payload ` $env:WINDOWS_KEY_CODE $env:WINDOWS_OP_CODE ` --params 'OpusName' 'Microsoft' ` 'OpusInfo' 'http://www.microsoft.com' ` 'FileDigest' '/fd "SHA256"' 'PageHash' '/NPH' ` 'TimeStamp' '/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256'
-
- - name: Lay out signed payload
- shell: pwsh
- run: |
- mkdir signed-payload
- Move-Item -Path signed/* -Destination signed-payload
- # ESRP will not sign the *.exe.config or NOTICE files, but they are needed to build the installers.
- # Due to this, we copy them after signing.
- Get-ChildItem -Path src/windows/Installer.Windows/payload/* -Include *.exe.config, NOTICE | Move-Item -Destination signed-payload
- Remove-Item signed -Recurse -Force
+ - name: Sign payload files with Azure Code Signing
+ uses: azure/azure-code-signing-action@v0.2.20
+ with:
+ endpoint: https://wus2.codesigning.azure.net/
+ code-signing-account-name: git-fundamentals-signing
+ certificate-profile-name: git-fundamentals-windows-signing
+ files-folder: ${{ github.workspace }}\payload
+ files-folder-filter: exe,dll
+ file-digest: SHA256
+ timestamp-rfc3161: http://timestamp.acs.microsoft.com
+ timestamp-digest: SHA256
+
+ # The Azure Code Signing action overrides the .NET version, so we reset it.
+ - name: Set up .NET
+ uses: actions/setup-dotnet@v3.2.0
+ with:
+ dotnet-version: 7.0.x
 - name: Build with signed payload
- shell: pwsh
 run: |
- dotnet build src/windows/Installer.Windows /p:PayloadPath=$env:GITHUB_WORKSPACE/signed-payload /p:NoLayout=true --configuration=WindowsRelease
+ Get-ChildItem -Path $env:GITHUB_WORKSPACE\incompatible-files ` -Include NOTICE | Move-Item -Destination payload
+ dotnet build $env:GITHUB_WORKSPACE\src\windows\Installer.Windows ` /p:PayloadPath=$env:GITHUB_WORKSPACE\payload /p:NoLayout=true ` --configuration=WindowsRelease --output=$env:GITHUB_WORKSPACE\installers
+ # The AzureCodeSigning PowerShell module currently cannot handle files
+ # without extensions. Since it was previously bundled with the payload,
+ # we can manually remove until the issue is fixed.
+ Remove-Item -Path $env:GITHUB_WORKSPACE\installers\NOTICE
- - name: Run ESRP client for installers
- shell: pwsh
- env:
- AZURE_AAD_ID: ${{ secrets.AZURE_AAD_ID }}
- WINDOWS_KEY_CODE: ${{ secrets.WINDOWS_KEY_CODE }}
- WINDOWS_OP_CODE: ${{ secrets.WINDOWS_OPERATION_CODE }}
- run: |
- python .github\run_esrp_signing.py ` .\out\windows\Installer.Windows\bin\WindowsRelease\net472 ` $env:WINDOWS_KEY_CODE ` $env:WINDOWS_OP_CODE ` --params 'OpusName' 'Microsoft' ` 'OpusInfo' 'http://www.microsoft.com' ` 'FileDigest' '/fd "SHA256"' 'PageHash' '/NPH' ` 'TimeStamp' '/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256'
+ - name: Sign installers with Azure Code Signing
+ uses: azure/azure-code-signing-action@v0.2.20
+ with:
+ endpoint: https://wus2.codesigning.azure.net/
+ code-signing-account-name: git-fundamentals-signing
+ certificate-profile-name: git-fundamentals-windows-signing
+ files-folder: ${{ github.workspace }}\installers
+ files-folder-filter: exe
+ file-digest: SHA256
+ timestamp-rfc3161: http://timestamp.acs.microsoft.com
+ timestamp-digest: SHA256
 - name: Publish final artifacts
 uses: actions/upload-artifact@v3
 with:
- name: win-sign
+ name: windows-artifacts
 path: |
- signed
- signed-payload
- src/windows/Installer.Windows/symbols
+ payload
+ installers
+ symbols
 # ================================
 # Linux
@@ -443,7 +436,7 @@ jobs:
 command: git-credential-manager
 description: osx-x64
 - os: windows-latest
- artifact: win-sign
+ artifact: windows-artifacts
 # Even when a standalone GCM version is installed, GitHub actions
 # runners still only recognize the version bundled with Git for
 # Windows due to its placement on the PATH. For this reason, we use
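Review bot: The two new `azure/azure-code-signing-action@v0.2.20` steps ("Sign payload files" and "Sign installers") and the `azure/login@v1` step are pinned by mutable tag, yet they are the steps that run with the federated Azure identity and produce the signed release binaries; pinning them to a full-length commit SHA, e.g. `uses: azure/azure-code-signing-action@<commit-sha>  # v0.2.20`, keeps a moved or re-pushed tag from changing what executes with that identity. The new `azure/login` step uses `client-id`/`tenant-id`/`subscription-id` rather than `creds`, which is the OIDC federated-credential flow and needs `permissions: id-token: write` on the job; the job header is in the earlier hunk and shows `runs-on`, `environment` and `needs` but no `permissions`, so unless the workflow grants it at top level (not visible here) this login will fail. In the "Build with signed payload" step, the trailing comment ("Since it was previously bundled with the payload, we can manually remove until the issue is fixed") reads oddly; something like `# The build copies NOTICE from the payload into the installers output; remove it before signing, since the module cannot handle extension-less files.` states the actual reason for the `Remove-Item`.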
@@ -455,10 +448,15 @@ jobs:
 command: git-credential-manager
 description: dotnet-tool
 runs-on: ${{ matrix.component.os }}
- needs: [ create-macos-artifacts, win-sign, create-linux-artifacts, create-dotnet-tool-artifacts ]
+ needs: [ create-macos-artifacts, create-windows-artifacts, create-linux-artifacts, create-dotnet-tool-artifacts ]
 steps:
 - uses: actions/checkout@v4
+ - name: Set up .NET
+ uses: actions/setup-dotnet@v3.2.0
+ with:
+ dotnet-version: 7.0.x
+
 - name: Download artifacts
 uses: actions/download-artifact@v3
 with:
@@ -468,7 +466,7 @@ jobs:
 if: contains(matrix.component.description, 'windows')
 shell: pwsh
 run: |
- $exePaths = Get-ChildItem -Path ./signed/*.exe | %{$_.FullName}
+ $exePaths = Get-ChildItem -Path ./installers/*.exe | %{$_.FullName}
 foreach ($exePath in $exePaths) {
 Start-Process -Wait -FilePath "$exePath" -ArgumentList "/SILENT /VERYSILENT /NORESTART"
@@ -543,8 +541,8 @@ jobs:
 - name: Archive Windows payload and symbols
 run: |
 mkdir win-x86-payload-and-symbols
- zip -jr win-x86-payload-and-symbols/gcm-win-x86-$VERSION.zip win-sign/signed-payload
- zip -jr win-x86-payload-and-symbols/gcm-win-x86-$VERSION-symbols.zip win-sign/src/windows/Installer.Windows/symbols
+ zip -jr win-x86-payload-and-symbols/gcm-win-x86-$VERSION.zip windows-artifacts/payload
+ zip -jr win-x86-payload-and-symbols/gcm-win-x86-$VERSION-symbols.zip windows-artifacts/symbols
 - uses: actions/github-script@v6
 with:
@@ -592,7 +590,7 @@ jobs:
 await Promise.all([
 // Upload Windows artifacts
- uploadDirectoryToRelease('win-sign/signed'),
+ uploadDirectoryToRelease('windows-artifacts/installers'),
 uploadDirectoryToRelease('win-x86-payload-and-symbols'),
 // Upload macOS artifacts