From d3049164a9468efaf50dc854ec7bf8876fbbd35c Mon Sep 17 00:00:00 2001 From: Joseph Flinn <58369717+joseph-flinn@users.noreply.github.com> Date: Wed, 3 Feb 2021 09:12:43 -0800 Subject: [PATCH] Migrate to gh actions (#89) * intial go at building the windows pipeline in GH * fixing whitespace issue * moving version info script * changing the electron-builder commands to the npm scripts * fixing the PACKAGE_VERSION var * adding debugging statements * changing list command * fixing PACKAGE_VERSION var * adding linux job and disabling windows job * debugging linux installs * retrying the rpm * re-enabling the windows build * re-enabling publishing of the exe * debugging pkg fetched * debugging this more * testing install of pkg-fetch with npm * moving pkg-fetch installation * trying to manually add the fetched package * I was wrong. This wasn't linux. Switching to pwsh * fixing the pwsh var syntax * removing debugging tasks and re-enabling the other build tasks * adding build_and_signing. Removing the non-cli executables from the build pipeline and disabling it for testing. * removing some whitespace * switching how we get package version * adding custom signing script * removing deubbing code and getting ready for PR * adding in another release gate * chaning file name to fit previous standards * removing appveyor pipeline file * moving all of the build tasks to the same build file * changing GITHUB_TOKEN because GITHUB_* is probably reserved * adding release pipeline and moving all realease tasks to that pipeline * updating the package.json's to contain the releases to my repo * fixing the RELEASE_TAG_NAME and switching the electron builder from pack to publish * fixing the npm run publish command * adding GH_TOKEN to the build and sign task * fixing upload path * removing the release asset upload since I think they are already published? * removing testing code * testing tweak to github release * making sure I've got the right repo set * removing whitespace * adding in clone task to setup * removing the stop-gap * adding GH_TOKEN to the linux publish task * fixing string * switching to manual publishing. There seems to be a bug in the electron-builder publishing? or our setup * switching back to electron-builder publishing but manually creating and pushing the tag * I don't know why electron-builder isn't picking up the release. Adding some debugging code * adding in GH token for release checking * adding another GH token for release checking * commenting out the tagging portion. This should just happen automatically... * trying the release without the manual uploads? * adding -d flag to release edit * disabling the gui build to see if the cli changes the tag * trying out a fix * testing the upload release asset action * fixing typo * trying RELEASE_NAME * fixing bash error * trying something else for the release name * changing all of the release asset uploads to a provided action * Removing some debugging code * re-enabling the windows and linux jobs * changing the content type of the checksum files * fixing typo * removing the PKG_INFO flag * installing RH with choco * testing the reshack * reenabling the correct job * resetting release workflow and adding exp workflow * trying ResourceHacker.exe * switching to pwsh to see if that works * switching back and specifying cmd shell * finding the bin to add to the path * wrestling with cmd * debugging path * giving up on nice printing * changing to different path debugging * adding RH to the path * trying something else * trying something else * maybe the path resets? * updating exp workflow to try to get reshack to work * trying to add to the path without the quotes * fixing the RH test * debugging path * setting path forever * not playing around with perfect environment paths with windows.... * preivous test was inconclusive * testing RH * changing the npm command and removing unnecssary GITHUB_TOKEN * removing the exp workflow * quoting the signing file * debugging VER_INFO * debugging the pkg-fetch * disabling non-cli jobs * changing value of WIN_PKG * testing more pkg-fetch * changing the paths to the home directory * renaming exp workflow * trying a string * trying it from the home directory * removing the stop gap * updating the version to something that RH supports * initial release test * fixing GITHUB_TOKEN * changing the version to a real version * debugging tag names * changing the trigger on the exp workflow * moving the disabled job to the correct workflow * trying wet spaghetti * updating case statement * adding in the findings from the experiment * removing testing code. Leaving unfinished macos build disabled * removing the prod environment secrets * setting up the mac build job * renaming the key name * moving the signing file * working on the mac packaging * removing desktop mac certs * disabling the non-mac jobs * setting up the build workflow for first run * adding manual trigger to the build workflow * disabling the push trigger * removing the non-existant setup function * removing the unneeded certs * removing increment version since we are not submitting to the Apple Store. * re-enabling the APPLE_ID vars * updating how the package version is retrieved in build. staging release workflow for testing * fixing the asset upload updating the repo in package.json * adding debugging to dist * adding in missing directory for debugging * renaming that file * updating the build/release workflows * fixing the setup output * updating file name and changing dist to publish * adding in the missing token * changing the zip name * add debuggin * fixing debugging step * removing debugging task. Not needed * reworking the content type of the mac release assets * removing the rename task and adding in some debugging * flipping the order of the dmg and the mac.zip upload to see if it is a problem with the release asset upload * adding the renaming back in * switching the upload name back to dashes * commenting out the manual release asset upload. Looks like publish is doing that? * removing all debugging code * updating README with the GitHub Actions Badge * changing all of the slashes to match * removing unneeded package version setting * removing unneeded package version setup * adding WIN_PKG task back in. accidentally removed it --- .github/scripts/decrypt-secret.ps1 | 29 ++ .github/scripts/load-version.ps1 | 5 + .github/scripts/macos/decrypt-secrets.ps1 | 7 + .github/scripts/macos/setup-keychain.ps1 | 15 + .github/workflows/build.yml | 390 +++++++++++++++++ .github/workflows/release.yml | 392 ++++++++++++++++++ README.md | 2 +- appveyor.yml | 162 -------- package.json | 3 +- .../make-versioninfo.ps1 | 0 scripts/sign.js | 23 + 11 files changed, 864 insertions(+), 164 deletions(-) create mode 100644 .github/scripts/decrypt-secret.ps1 create mode 100644 .github/scripts/load-version.ps1 create mode 100644 .github/scripts/macos/decrypt-secrets.ps1 create mode 100644 .github/scripts/macos/setup-keychain.ps1 create mode 100644 .github/workflows/build.yml create mode 100644 .github/workflows/release.yml delete mode 100644 appveyor.yml rename make-versioninfo.ps1 => scripts/make-versioninfo.ps1 (100%) create mode 100644 scripts/sign.js diff --git a/.github/scripts/decrypt-secret.ps1 b/.github/scripts/decrypt-secret.ps1 new file mode 100644 index 00000000..b5251d53 --- /dev/null +++ b/.github/scripts/decrypt-secret.ps1 @@ -0,0 +1,29 @@ +param ( + [Parameter(Mandatory=$true)] + [string] $filename, + [string] $output +) + +$homePath = Resolve-Path "~" | Select-Object -ExpandProperty Path +$rootPath = $env:GITHUB_WORKSPACE + +$secretInputPath = $rootPath + "/.github/secrets" +$input = $secretInputPath + "/" + $filename + +$passphrase = $env:DECRYPT_FILE_PASSWORD +$secretOutputPath = $homePath + "/secrets" + +if ([string]::IsNullOrEmpty($output)) { + if ($filename.EndsWith(".gpg")) { + $output = $secretOutputPath + "/" + $filename.TrimEnd(".gpg") + } else { + $output = $secretOutputPath + "/" + $filename + ".plaintext" + } +} + +if (!(Test-Path -Path $secretOutputPath)) +{ + New-Item -ItemType Directory -Path $secretOutputPath +} + +gpg --quiet --batch --yes --decrypt --passphrase="$passphrase" --output $output $input diff --git a/.github/scripts/load-version.ps1 b/.github/scripts/load-version.ps1 new file mode 100644 index 00000000..4c0c5193 --- /dev/null +++ b/.github/scripts/load-version.ps1 @@ -0,0 +1,5 @@ +$rootPath = $env:GITHUB_WORKSPACE; +$packageVersion = (Get-Content -Raw -Path $rootPath\src\package.json | ConvertFrom-Json).version; + +Write-Output "Setting package version to $packageVersion"; +Write-Output "PACKAGE_VERSION=$packageVersion" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append; diff --git a/.github/scripts/macos/decrypt-secrets.ps1 b/.github/scripts/macos/decrypt-secrets.ps1 new file mode 100644 index 00000000..3e167e22 --- /dev/null +++ b/.github/scripts/macos/decrypt-secrets.ps1 @@ -0,0 +1,7 @@ +$rootPath = $env:GITHUB_WORKSPACE; + +$decryptSecretPath = $($rootPath + "/.github/scripts/decrypt-secret.ps1"); + +Invoke-Expression "& `"$decryptSecretPath`" -filename devid-app-cert.p12.gpg" +Invoke-Expression "& `"$decryptSecretPath`" -filename devid-installer-cert.p12.gpg" +Invoke-Expression "& `"$decryptSecretPath`" -filename macdev-cert.p12.gpg" diff --git a/.github/scripts/macos/setup-keychain.ps1 b/.github/scripts/macos/setup-keychain.ps1 new file mode 100644 index 00000000..e75071d5 --- /dev/null +++ b/.github/scripts/macos/setup-keychain.ps1 @@ -0,0 +1,15 @@ +$homePath = Resolve-Path "~" | Select-Object -ExpandProperty Path; +$secretsPath = $homePath + "/secrets" + +$devidAppCertPath = $($secretsPath + "/devid-app-cert.p12"); +$devidInstallerCertPath = $($secretsPath + "/devid-installer-cert.p12"); +$macdevCertPath = $($secretsPath + "/macdev-cert.p12"); + +security create-keychain -p $env:KEYCHAIN_PASSWORD build.keychain +security default-keychain -s build.keychain +security unlock-keychain -p $env:KEYCHAIN_PASSWORD build.keychain +security set-keychain-settings -lut 1200 build.keychain +security import $devidAppCertPath -k build.keychain -P $env:DEVID_CERT_PASSWORD -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild +security import $devidInstallerCertPath -k build.keychain -P $env:DEVID_CERT_PASSWORD -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild +security import $macdevCertPath -k build.keychain -P $env:MACDEV_CERT_PASSWORD -T /usr/bin/codesign -T /usr/bin/security -T /usr/bin/productbuild +security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $env:KEYCHAIN_PASSWORD build.keychain diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml new file mode 100644 index 00000000..1433bffb --- /dev/null +++ b/.github/workflows/build.yml @@ -0,0 +1,390 @@ +name: Build + +on: + push: + branches-ignore: + - 'l10n_master' + workflow_dispatch: + inputs: + + +jobs: + cloc: + runs-on: ubuntu-latest + steps: + - name: Checkout repo + uses: actions/checkout@v2 + + - name: Set up cloc + run: | + sudo apt update + sudo apt -y install cloc + - name: Print lines of code + run: cloc --include-lang TypeScript,JavaScript,HTML,Sass,CSS --vcs git + + + setup: + runs-on: ubuntu-latest + outputs: + package_version: ${{ steps.get_version.outputs.package_version }} + steps: + - name: Checkout repo + uses: actions/checkout@v2 + + - name: Get Package Version + id: get_version + shell: pwsh + run: | + $env:pkgVersion = (Get-Content -Raw -Path ./src/package.json | ConvertFrom-Json).version + echo "::set-output name=PACKAGE_VERSION::$env:pkgVersion" + + + cli: + runs-on: windows-latest + needs: setup + env: + PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }} + steps: + - name: Checkout repo + uses: actions/checkout@v2 + + - name: Setup Windows builder + run: | + choco install checksum --no-progress + choco install reshack --no-progress + + - name: Set up Node + uses: actions/setup-node@v1 + with: + node-version: '10.x' + + - name: Setting WIN_PKG + run: | + echo "WIN_PKG=$env:WIN_PKG" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append + echo "version: $env:pkgVersion" + env: + WIN_PKG: C:\Users\runneradmin\.pkg-cache\v2.5\fetched-v10.4.1-win-x64 + + - name: get pkg-fetch + shell: pwsh + run: | + cd $HOME + $fetchedUrl = "https://github.com/vercel/pkg-fetch/releases/download/v2.5/uploaded-v2.5-node-v10.4.1-win-x64" + + New-Item -ItemType directory -Path ./.pkg-cache + New-Item -ItemType directory -Path ./.pkg-cache/v2.5 + Invoke-RestMethod -Uri $fetchedUrl -OutFile "./.pkg-cache/v2.5/fetched-v10.4.1-win-x64" + env: + WIN_PKG: C:\Users\runneradmin\.pkg-cache\v2.5\fetched-v10.4.1-win-x64 + + - name: Keytar + shell: pwsh + run: | + $keytarVersion = (Get-Content -Raw -Path ./src/package.json | ConvertFrom-Json).dependencies.keytar + $nodeModVersion = node -e "console.log(process.config.variables.node_module_version)" + $keytarTar = "keytar-v${keytarVersion}-node-v${nodeModVersion}-{0}-x64.tar" + $keytarTarGz = "${keytarTar}.gz" + $keytarUrl = "https://github.com/atom/node-keytar/releases/download/v${keytarVersion}/${keytarTarGz}" + + New-Item -ItemType directory -Path ./keytar/macos | Out-Null + New-Item -ItemType directory -Path ./keytar/linux | Out-Null + New-Item -ItemType directory -Path ./keytar/windows | Out-Null + + Invoke-RestMethod -Uri $($keytarUrl -f "darwin") -OutFile "./keytar/macos/$($keytarTarGz -f "darwin")" + Invoke-RestMethod -Uri $($keytarUrl -f "linux") -OutFile "./keytar/linux/$($keytarTarGz -f "linux")" + Invoke-RestMethod -Uri $($keytarUrl -f "win32") -OutFile "./keytar/windows/$($keytarTarGz -f "win32")" + + 7z e "./keytar/macos/$($keytarTarGz -f "darwin")" -o"./keytar/macos" + 7z e "./keytar/linux/$($keytarTarGz -f "linux")" -o"./keytar/linux" + 7z e "./keytar/windows/$($keytarTarGz -f "win32")" -o"./keytar/windows" + + 7z e "./keytar/macos/$($keytarTar -f "darwin")" -o"./keytar/macos" + 7z e "./keytar/linux/$($keytarTar -f "linux")" -o"./keytar/linux" + 7z e "./keytar/windows/$($keytarTar -f "win32")" -o"./keytar/windows" + + - name: Setup Version Info + shell: pwsh + run: ./scripts/make-versioninfo.ps1 + + - name: Resource Hacker + shell: cmd + run: | + set PATH=%PATH%;C:\Program Files (x86)\Resource Hacker + ResourceHacker -open %WIN_PKG% -save %WIN_PKG% -action delete -mask ICONGROUP,1, + ResourceHacker -open version-info.rc -save version-info.res -action compile + ResourceHacker -open %WIN_PKG% -save %WIN_PKG% -action addoverwrite -resource version-info.res + + - name: Install + run: npm install + + - name: Package CLI + run: npm run dist:cli + + - name: Zip + shell: cmd + run: | + 7z a ./dist-cli/bwdc-windows-%PACKAGE_VERSION%.zip ./dist-cli/windows/bwdc.exe ./keytar/windows/keytar.node + 7z a ./dist-cli/bwdc-macos-%PACKAGE_VERSION%.zip ./dist-cli/macos/bwdc ./keytar/macos/keytar.node + 7z a ./dist-cli/bwdc-linux-%PACKAGE_VERSION%.zip ./dist-cli/linux/bwdc ./keytar/linux/keytar.node + + - name: Version Test + run: | + Expand-Archive -Path "./dist-cli/bwdc-windows-${env:PACKAGE_VERSION}.zip" -DestinationPath "./test/windows" + $testVersion = Invoke-Expression '& ./test/windows/bwdc.exe -v' + echo "version: $env:PACKAGE_VERSION" + echo "testVersion: $testVersion" + if($testVersion -ne $env:PACKAGE_VERSION) { + Throw "Version test failed." + } + + - name: Create checksums + run: | + checksum -f="./dist-cli/bwdc-windows-${env:PACKAGE_VERSION}.zip" ` + -t sha256 | Out-File ./dist-cli/bwdc-windows-sha256-${env:PACKAGE_VERSION}.txt + checksum -f="./dist-cli/bwdc-macos-${env:PACKAGE_VERSION}.zip" ` + -t sha256 | Out-File ./dist-cli/bwdc-macos-sha256-${env:PACKAGE_VERSION}.txt + checksum -f="./dist-cli/bwdc-linux-${env:PACKAGE_VERSION}.zip" ` + -t sha256 | Out-File ./dist-cli/bwdc-linux-sha256-${env:PACKAGE_VERSION}.txt + + - name: Upload windows zip to GitHub + if: github.ref == 'refs/heads/master' + uses: actions/upload-artifact@v2 + with: + name: bwdc-windows-${{ env.PACKAGE_VERSION }}.zip + path: ./dist-cli/bwdc-windows-${{ env.PACKAGE_VERSION }}.zip + + - name: Upload mac zip to GitHub + if: github.ref == 'refs/heads/master' + uses: actions/upload-artifact@v2 + with: + name: bwdc-macos-${{ env.PACKAGE_VERSION }}.zip + path: ./dist-cli/bwdc-macos-${{ env.PACKAGE_VERSION }}.zip + + - name: Upload linux zip to GitHub + if: github.ref == 'refs/heads/master' + uses: actions/upload-artifact@v2 + with: + name: bwdc-linux-${{ env.PACKAGE_VERSION }}.zip + path: ./dist-cli/bwdc-linux-${{ env.PACKAGE_VERSION }}.zip + + - name: Upload windows checksum to GitHub + if: github.ref == 'refs/heads/master' + uses: actions/upload-artifact@v2 + with: + name: bwdc-windows-sha256-${{ env.PACKAGE_VERSION }}.txt + path: ./dist-cli/bwdc-windows-sha256-${{ env.PACKAGE_VERSION }}.txt + + - name: Upload mac checksum to GitHub + if: github.ref == 'refs/heads/master' + uses: actions/upload-artifact@v2 + with: + name: bwdc-macos-sha256-${{ env.PACKAGE_VERSION }}.txt + path: ./dist-cli/bwdc-macos-sha256-${{ env.PACKAGE_VERSION }}.txt + + - name: Upload linux checksum to GitHub + if: github.ref == 'refs/heads/master' + uses: actions/upload-artifact@v2 + with: + name: bwdc-linux-sha256-${{ env.PACKAGE_VERSION }}.txt + path: ./dist-cli/bwdc-linux-sha256-${{ env.PACKAGE_VERSION }}.txt + + + windows_gui: + runs-on: windows-latest + needs: setup + env: + PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }} + steps: + - name: Set up dotnet + uses: actions/setup-dotnet@v1 + with: + dotnet-version: "3.1.x" + + - name: Set up Node + uses: actions/setup-node@v1 + with: + node-version: '10.x' + + - name: Set Node options + run: echo "NODE_OPTIONS=--max_old_space_size=4096" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append + shell: pwsh + + - name: Print environment + run: | + node --version + npm --version + dotnet --version + + - name: Install AST + shell: pwsh + run: | + cd $HOME + + git clone https://github.com/vcsjones/AzureSignTool.git + cd AzureSignTool + $latest_head = $(git rev-parse HEAD)[0..9] -join "" + $latest_version = "0.0.0-g$latest_head" + + Write-Host "--------" + Write-Host "git commit - $(git rev-parse HEAD)" + Write-Host "latest_head - $latest_head" + Write-Host "PACKAGE VERSION TO BUILD - $latest_version" + Write-Host "--------" + + dotnet restore + dotnet pack --output ./nupkg + dotnet tool install --global --ignore-failed-sources --add-source ./nupkg --version $latest_version azuresigntool + + - name: Checkout repo + uses: actions/checkout@v2 + + - name: Install Node dependencies + run: npm install + + - name: Run linter + run: npm run lint + + - name: Build & Sign + run: npm run dist:win + env: + ELECTRON_BUILDER_SIGN: 1 + SIGNING_VAULT_URL: ${{ secrets.SIGNING_VAULT_URL }} + SIGNING_CLIENT_ID: ${{ secrets.SIGNING_CLIENT_ID }} + SIGNING_TENANT_ID: ${{ secrets.SIGNING_TENANT_ID }} + SIGNING_CLIENT_SECRET: ${{ secrets.SIGNING_CLIENT_SECRET }} + SIGNING_CERT_NAME: ${{ secrets.SIGNING_CERT_NAME }} + + - name: List Dist + run: dir ./dist + + - name: Publish Portable Exe to GitHub + if: github.ref == 'refs/heads/master' + uses: actions/upload-artifact@v2 + with: + name: Bitwarden-Connector-Portable-${{ env.PACKAGE_VERSION }}.exe + path: ./dist/Bitwarden-Connector-Portable-${{ env.PACKAGE_VERSION }}.exe + + - name: Publish Installer Exe to GitHub + if: github.ref == 'refs/heads/master' + uses: actions/upload-artifact@v2 + with: + name: Bitwarden-Connector-Installer-${{ env.PACKAGE_VERSION }}.exe + path: ./dist/Bitwarden-Connector-Installer-${{ env.PACKAGE_VERSION }}.exe + + + linux: + runs-on: ubuntu-latest + needs: setup + env: + PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }} + steps: + - name: Set up Node + uses: actions/setup-node@v1 + with: + node-version: '10.x' + + - name: Set Node options + run: echo "NODE_OPTIONS=--max_old_space_size=4096" >> $GITHUB_ENV + + - name: Set up environment + run: | + sudo apt-get update + sudo apt-get -y install pkg-config libxss-dev libsecret-1-dev + sudo apt-get -y install rpm + + - name: Checkout repo + uses: actions/checkout@v2 + + - name: npm install + run: npm install + + - name: npm rebuild + run: npm run rebuild + + - name: npm package + run: npm run dist:lin + + - name: Publish AppImage + if: github.ref == 'refs/heads/master' + uses: actions/upload-artifact@v2 + with: + name: Bitwarden-Connector-${{ env.PACKAGE_VERSION }}-x86_64.AppImage + path: ./dist/Bitwarden-Connector-${{ env.PACKAGE_VERSION }}-x86_64.AppImage + + + macos: + runs-on: macos-latest + needs: setup + env: + PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }} + steps: + - name: Set up Node + uses: actions/setup-node@v1 + with: + node-version: '10.x' + + - name: Set Node options + run: echo "NODE_OPTIONS=--max_old_space_size=4096" >> $GITHUB_ENV + + - name: Print environment + run: | + node --version + npm --version + Write-Output "GitHub ref: $env:GITHUB_REF" + Write-Output "GitHub event: $env:GITHUB_EVENT" + shell: pwsh + env: + GITHUB_REF: ${{ github.ref }} + GITHUB_EVENT: ${{ github.event_name }} + + - name: Checkout repo + uses: actions/checkout@v2 + + - name: Decrypt secrets + run: ./.github/scripts/macos/decrypt-secrets.ps1 + shell: pwsh + env: + DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }} + + - name: Set up keychain + run: ./.github/scripts/macos/setup-keychain.ps1 + shell: pwsh + env: + KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} + DEVID_CERT_PASSWORD: ${{ secrets.DEVID_CERT_PASSWORD }} + MACDEV_CERT_PASSWORD: ${{ secrets.MACDEV_CERT_PASSWORD }} + + - name: Load package version + run: ./.github/scripts/load-version.ps1 + shell: pwsh + + - name: Install Node dependencies + run: npm install + + - name: Run linter + run: npm run lint + + - name: Build application (dev) + if: github.ref != 'refs/heads/master' + run: npm run build + + - name: Build application (dist) + if: github.ref == 'refs/heads/master' + run: npm run dist:mac + env: + APPLE_ID_USERNAME: ${{ secrets.APPLE_ID_USERNAME }} + APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }} + + - name: Upload .zip artifact + if: github.ref == 'refs/heads/master' + uses: actions/upload-artifact@v2 + with: + name: Bitwarden-Connector-${{ env.PACKAGE_VERSION }}-mac.zip + path: ./dist/Bitwarden-Connector-${{ env.PACKAGE_VERSION }}-mac.zip + + - name: Upload .dmg artifact + if: github.ref == 'refs/heads/master' + uses: actions/upload-artifact@v2 + with: + name: Bitwarden-Connector-${{ env.PACKAGE_VERSION }}.dmg + path: ./dist/Bitwarden-Connector-${{ env.PACKAGE_VERSION }}.dmg diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 00000000..8fbaeb89 --- /dev/null +++ b/.github/workflows/release.yml @@ -0,0 +1,392 @@ +name: Release + +on: + workflow_dispatch: + inputs: + release_tag_name_input: + description: "Release Tag Name " + required: true + + +jobs: + setup: + runs-on: ubuntu-latest + outputs: + package_version: ${{ steps.create_tags.outputs.package_version }} + tag_version: ${{ steps.create_tags.outputs.tag_version }} + release_upload_url: ${{ steps.create_release.outputs.upload_url }} + steps: + - name: Checkout repo + uses: actions/checkout@v2 + + - name: Create Release Vars + id: create_tags + run: | + case "${RELEASE_TAG_NAME_INPUT:0:1}" in + v) + echo "RELEASE_NAME=${RELEASE_TAG_NAME_INPUT:1}" >> $GITHUB_ENV + echo "RELEASE_TAG_NAME=$RELEASE_TAG_NAME_INPUT" >> $GITHUB_ENV + echo "::set-output name=package_version::${RELEASE_TAG_NAME_INPUT:1}" + echo "::set-output name=tag_version::$RELEASE_TAG_NAME_INPUT" + ;; + [0-9]) + echo "RELEASE_NAME=$RELEASE_TAG_NAME_INPUT" >> $GITHUB_ENV + echo "RELEASE_TAG_NAME=v$RELEASE_TAG_NAME_INPUT" >> $GITHUB_ENV + echo "::set-output name=package_version::$RELEASE_TAG_NAME_INPUT" + echo "::set-output name=tag_version::v$RELEASE_TAG_NAME_INPUT" + ;; + *) + exit 1 + ;; + esac + env: + RELEASE_TAG_NAME_INPUT: ${{ github.event.inputs.release_tag_name_input }} + + - name: Create Draft Release + id: create_release + uses: actions/create-release@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + tag_name: ${{ env.RELEASE_TAG_NAME }} + release_name: ${{ env.RELEASE_NAME }} + draft: true + prerelease: false + + + cli: + runs-on: windows-latest + needs: setup + env: + PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }} + steps: + - name: Checkout repo + uses: actions/checkout@v2 + + - name: Setup Windows builder + run: | + choco install checksum --no-progress + choco install reshack --no-progress + + - name: Set up Node + uses: actions/setup-node@v1 + with: + node-version: '10.x' + + - name: Set VER_INFO + run: | + echo "WIN_PKG=$env:WIN_PKG" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append + env: + WIN_PKG: C:\Users\runneradmin\.pkg-cache\v2.5\fetched-v10.4.1-win-x64 + + - name: get pkg-fetch + shell: pwsh + run: | + cd $HOME + $fetchedUrl = "https://github.com/vercel/pkg-fetch/releases/download/v2.5/uploaded-v2.5-node-v10.4.1-win-x64" + + New-Item -ItemType directory -Path ./.pkg-cache + New-Item -ItemType directory -Path ./.pkg-cache/v2.5 + Invoke-RestMethod -Uri $fetchedUrl -OutFile "./.pkg-cache/v2.5/fetched-v10.4.1-win-x64" + env: + WIN_PKG: C:\Users\runneradmin\.pkg-cache\v2.5\fetched-v10.4.1-win-x64 + + - name: Keytar + shell: pwsh + run: | + $keytarVersion = (Get-Content -Raw -Path ./src/package.json | ConvertFrom-Json).dependencies.keytar + $nodeModVersion = node -e "console.log(process.config.variables.node_module_version)" + $keytarTar = "keytar-v${keytarVersion}-node-v${nodeModVersion}-{0}-x64.tar" + $keytarTarGz = "${keytarTar}.gz" + $keytarUrl = "https://github.com/atom/node-keytar/releases/download/v${keytarVersion}/${keytarTarGz}" + + New-Item -ItemType directory -Path ./keytar/macos | Out-Null + New-Item -ItemType directory -Path ./keytar/linux | Out-Null + New-Item -ItemType directory -Path ./keytar/windows | Out-Null + + Invoke-RestMethod -Uri $($keytarUrl -f "darwin") -OutFile "./keytar/macos/$($keytarTarGz -f "darwin")" + Invoke-RestMethod -Uri $($keytarUrl -f "linux") -OutFile "./keytar/linux/$($keytarTarGz -f "linux")" + Invoke-RestMethod -Uri $($keytarUrl -f "win32") -OutFile "./keytar/windows/$($keytarTarGz -f "win32")" + + 7z e "./keytar/macos/$($keytarTarGz -f "darwin")" -o"./keytar/macos" + 7z e "./keytar/linux/$($keytarTarGz -f "linux")" -o"./keytar/linux" + 7z e "./keytar/windows/$($keytarTarGz -f "win32")" -o"./keytar/windows" + + 7z e "./keytar/macos/$($keytarTar -f "darwin")" -o"./keytar/macos" + 7z e "./keytar/linux/$($keytarTar -f "linux")" -o"./keytar/linux" + 7z e "./keytar/windows/$($keytarTar -f "win32")" -o"./keytar/windows" + + - name: Setup Version Info + shell: pwsh + run: ./scripts/make-versioninfo.ps1 + + - name: Resource Hacker + shell: cmd + run: | + set PATH=%PATH%;C:\Program Files (x86)\Resource Hacker + ResourceHacker -open %WIN_PKG% -save %WIN_PKG% -action delete -mask ICONGROUP,1, + ResourceHacker -open version-info.rc -save version-info.res -action compile + ResourceHacker -open %WIN_PKG% -save %WIN_PKG% -action addoverwrite -resource version-info.res + + - name: Install + run: npm install + + - name: Package CLI + run: npm run dist:cli + + - name: Zip + shell: cmd + run: | + 7z a ./dist-cli/bwdc-windows-%PACKAGE_VERSION%.zip ./dist-cli/windows/bwdc.exe ./keytar/windows/keytar.node + 7z a ./dist-cli/bwdc-macos-%PACKAGE_VERSION%.zip ./dist-cli/macos/bwdc ./keytar/macos/keytar.node + 7z a ./dist-cli/bwdc-linux-%PACKAGE_VERSION%.zip ./dist-cli/linux/bwdc ./keytar/linux/keytar.node + + - name: Version Test + run: | + Expand-Archive -Path "./dist-cli/bwdc-windows-${env:PACKAGE_VERSION}.zip" -DestinationPath "./test/windows" + $testVersion = Invoke-Expression '& ./test/windows/bwdc.exe -v' + echo "version: $env:PACKAGE_VERSION" + echo "testVersion: $testVersion" + if($testVersion -ne $env:PACKAGE_VERSION) { + Throw "Version test failed." + } + + - name: Create checksums + run: | + checksum -f="./dist-cli/bwdc-windows-${env:PACKAGE_VERSION}.zip" ` + -t sha256 | Out-File ./dist-cli/bwdc-windows-sha256-${env:PACKAGE_VERSION}.txt + checksum -f="./dist-cli/bwdc-macos-${env:PACKAGE_VERSION}.zip" ` + -t sha256 | Out-File ./dist-cli/bwdc-macos-sha256-${env:PACKAGE_VERSION}.txt + checksum -f="./dist-cli/bwdc-linux-${env:PACKAGE_VERSION}.zip" ` + -t sha256 | Out-File ./dist-cli/bwdc-linux-sha256-${env:PACKAGE_VERSION}.txt + + - name: upload windows zip release asset + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ needs.setup.outputs.release_upload_url }} + asset_path: ./dist-cli/bwdc-windows-${{ env.PACKAGE_VERSION }}.zip + asset_name: bwdc-windows-${{ env.PACKAGE_VERSION }}.zip + asset_content_type: application/zip + + - name: upload macos zip release asset + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ needs.setup.outputs.release_upload_url }} + asset_path: ./dist-cli/bwdc-macos-${{ env.PACKAGE_VERSION }}.zip + asset_name: bwdc-macos-${{ env.PACKAGE_VERSION }}.zip + asset_content_type: application/zip + + - name: upload linux zip release asset + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ needs.setup.outputs.release_upload_url }} + asset_path: ./dist-cli/bwdc-linux-${{ env.PACKAGE_VERSION }}.zip + asset_name: bwdc-linux-${{ env.PACKAGE_VERSION }}.zip + asset_content_type: application/zip + + - name: upload windows checksum release asset + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ needs.setup.outputs.release_upload_url }} + asset_path: ./dist-cli/bwdc-windows-sha256-${{ env.PACKAGE_VERSION }}.txt + asset_name: bwdc-windows-sha256-${{ env.PACKAGE_VERSION }}.txt + asset_content_type: text/plain + + - name: upload macos checksum release asset + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ needs.setup.outputs.release_upload_url }} + asset_path: ./dist-cli/bwdc-macos-sha256-${{ env.PACKAGE_VERSION }}.txt + asset_name: bwdc-macos-sha256-${{ env.PACKAGE_VERSION }}.txt + asset_content_type: text/plain + + - name: upload linux checksum release asset + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ needs.setup.outputs.release_upload_url }} + asset_path: ./dist-cli/bwdc-linux-sha256-${{ env.PACKAGE_VERSION }}.txt + asset_name: bwdc-linux-sha256-${{ env.PACKAGE_VERSION }}.txt + asset_content_type: text/plain + + + windows-gui: + runs-on: windows-latest + needs: setup + env: + PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }} + steps: + - name: Set up dotnet + uses: actions/setup-dotnet@v1 + with: + dotnet-version: "3.1.x" + + - name: Set up Node + uses: actions/setup-node@v1 + with: + node-version: '10.x' + + - name: Set Node options + run: echo "NODE_OPTIONS=--max_old_space_size=4096" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append + shell: pwsh + + - name: Print environment + run: | + node --version + npm --version + dotnet --version + + - name: Install AST + shell: pwsh + run: | + cd $HOME + git clone https://github.com/vcsjones/AzureSignTool.git + cd AzureSignTool + $latest_head = $(git rev-parse HEAD)[0..9] -join "" + $latest_version = "0.0.0-g$latest_head" + Write-Host "--------" + Write-Host "git commit - $(git rev-parse HEAD)" + Write-Host "latest_head - $latest_head" + Write-Host "PACKAGE VERSION TO BUILD - $latest_version" + Write-Host "--------" + dotnet restore + dotnet pack --output ./nupkg + dotnet tool install --global --ignore-failed-sources --add-source ./nupkg --version $latest_version azuresigntool + cd $HOME + + - name: Checkout repo + uses: actions/checkout@v2 + + - name: Install Node dependencies + run: npm install + + - name: Run linter + run: npm run lint + + - name: npm rebuild + run: npm run rebuild + + - name: Build & Sign + run: | + npm run publish:win + env: + ELECTRON_BUILDER_SIGN: 1 + SIGNING_VAULT_URL: ${{ secrets.SIGNING_VAULT_URL }} + SIGNING_CLIENT_ID: ${{ secrets.SIGNING_CLIENT_ID }} + SIGNING_TENANT_ID: ${{ secrets.SIGNING_TENANT_ID }} + SIGNING_CLIENT_SECRET: ${{ secrets.SIGNING_CLIENT_SECRET }} + SIGNING_CERT_NAME: ${{ secrets.SIGNING_CERT_NAME }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + + linux: + runs-on: ubuntu-latest + needs: setup + env: + PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }} + steps: + - name: Set up Node + uses: actions/setup-node@v1 + with: + node-version: '10.x' + + - name: Set Node options + run: echo "NODE_OPTIONS=--max_old_space_size=4096" >> $GITHUB_ENV + + - name: Set up environment + run: | + sudo apt-get update + sudo apt-get -y install pkg-config libxss-dev libsecret-1-dev + sudo apt-get -y install rpm + + - name: Checkout repo + uses: actions/checkout@v2 + + - name: Set PACKAGE_VERSION + shell: pwsh + run: | + $env:pkgVersion = (Get-Content -Raw -Path ./src/package.json | ConvertFrom-Json).version + echo "PACKAGE_VERSION=$env:pkgVersion" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append + echo "version: $env:pkgVersion" + + - name: npm install + run: npm install + + - name: npm rebuild + run: npm run rebuild + + - name: npm package + run: npm run publish:lin + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + + macos: + runs-on: macos-latest + needs: setup + env: + PACKAGE_VERSION: ${{ needs.setup.outputs.package_version }} + steps: + - name: Set up Node + uses: actions/setup-node@v1 + with: + node-version: '10.x' + + - name: Set Node options + run: echo "NODE_OPTIONS=--max_old_space_size=4096" >> $GITHUB_ENV + + - name: Print environment + run: | + node --version + npm --version + Write-Output "GitHub ref: $env:GITHUB_REF" + Write-Output "GitHub event: $env:GITHUB_EVENT" + shell: pwsh + env: + GITHUB_REF: ${{ github.ref }} + GITHUB_EVENT: ${{ github.event_name }} + + - name: Checkout repo + uses: actions/checkout@v2 + + - name: Decrypt secrets + run: ./.github/scripts/macos/decrypt-secrets.ps1 + shell: pwsh + env: + DECRYPT_FILE_PASSWORD: ${{ secrets.DECRYPT_FILE_PASSWORD }} + + - name: Set up keychain + run: ./.github/scripts/macos/setup-keychain.ps1 + shell: pwsh + env: + KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} + DEVID_CERT_PASSWORD: ${{ secrets.DEVID_CERT_PASSWORD }} + MACDEV_CERT_PASSWORD: ${{ secrets.MACDEV_CERT_PASSWORD }} + + - name: Load package version + run: ./.github/scripts/load-version.ps1 + shell: pwsh + + - name: Install Node dependencies + run: npm install + + - name: Run linter + run: npm run lint + + - name: Build application (dist) + run: npm run publish:mac + env: + APPLE_ID_USERNAME: ${{ secrets.APPLE_ID_USERNAME }} + APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/README.md b/README.md index 1f6ad325..f9440f13 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -[![appveyor build](https://ci.appveyor.com/api/projects/status/github/bitwarden/directory-connector?branch=master&svg=true)](https://ci.appveyor.com/project/bitwarden/directory-connector) +[![Build](https://github.com/bitwarden/directory-connector/workflows/Build/badge.svg) [![Join the chat at https://gitter.im/bitwarden/Lobby](https://badges.gitter.im/bitwarden/Lobby.svg)](https://gitter.im/bitwarden/Lobby) # Bitwarden Directory Connector diff --git a/appveyor.yml b/appveyor.yml deleted file mode 100644 index b946b381..00000000 --- a/appveyor.yml +++ /dev/null @@ -1,162 +0,0 @@ -image: -- Visual Studio 2017 -- Ubuntu1804 - -branches: - except: - - l10n_master - -environment: - WIN_PKG: C:\Users\appveyor\.pkg-cache\v2.5\fetched-v10.4.1-win-x64 - -stack: node 10 - -init: -- ps: | - if($isWindows -and $env:DEBUG_RDP -eq "true") { - iex ((new-object net.webclient).DownloadString(` - 'https://raw.githubusercontent.com/appveyor/ci/master/scripts/enable-rdp.ps1')) - } -- sh: sudo apt-get update -- sh: sudo apt-get -y install pkg-config libxss-dev libsecret-1-dev rpm -- ps: | - if($isWindows) { - [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 - Install-Product node 10 - $env:PATH = "C:\Program Files (x86)\Resource Hacker;${env:PATH}" - } - if($env:APPVEYOR_REPO_TAG -eq "true") { - $env:RELEASE_NAME = $env:APPVEYOR_REPO_TAG_NAME.TrimStart("v") - } - -install: -- ps: | - $env:PACKAGE_VERSION = (Get-Content -Raw -Path .\src\package.json | ConvertFrom-Json).version - $env:PROD_DEPLOY = "false" - if($env:APPVEYOR_REPO_TAG -eq "true" -and $env:APPVEYOR_RE_BUILD -eq "True") { - $env:PROD_DEPLOY = "true" - echo "This is a production deployment." - } - if($isWindows) { - if(Test-Path -Path $env:WIN_PKG) { - $env:VER_INFO = "true" - } - choco install reshack --no-progress - choco install cloc --no-progress - choco install checksum --no-progress - cloc --include-lang TypeScript,JavaScript,HTML,Sass,CSS --vcs git - .\make-versioninfo.ps1 - } -- ps: | - if($isWindows) { - $keytarVersion = (Get-Content -Raw -Path .\src\package.json | ConvertFrom-Json).dependencies.keytar - $nodeModVersion = node -e "console.log(process.config.variables.node_module_version)" - $keytarTar = "keytar-v${keytarVersion}-node-v${nodeModVersion}-{0}-x64.tar" - $keytarTarGz = "${keytarTar}.gz" - $keytarUrl = "https://github.com/atom/node-keytar/releases/download/v${keytarVersion}/${keytarTarGz}" - - New-Item -ItemType directory -Path .\keytar\macos | Out-Null - New-Item -ItemType directory -Path .\keytar\linux | Out-Null - New-Item -ItemType directory -Path .\keytar\windows | Out-Null - - Invoke-RestMethod -Uri $($keytarUrl -f "darwin") -OutFile ".\keytar\macos\$($keytarTarGz -f "darwin")" - Invoke-RestMethod -Uri $($keytarUrl -f "linux") -OutFile ".\keytar\linux\$($keytarTarGz -f "linux")" - Invoke-RestMethod -Uri $($keytarUrl -f "win32") -OutFile ".\keytar\windows\$($keytarTarGz -f "win32")" - - 7z e ".\keytar\macos\$($keytarTarGz -f "darwin")" -o".\keytar\macos" - 7z e ".\keytar\linux\$($keytarTarGz -f "linux")" -o".\keytar\linux" - 7z e ".\keytar\windows\$($keytarTarGz -f "win32")" -o".\keytar\windows" - - 7z e ".\keytar\macos\$($keytarTar -f "darwin")" -o".\keytar\macos" - 7z e ".\keytar\linux\$($keytarTar -f "linux")" -o".\keytar\linux" - 7z e ".\keytar\windows\$($keytarTar -f "win32")" -o".\keytar\windows" - } - -before_build: -- node --version -- npm --version - -build_script: -- cmd: | - if defined VER_INFO ResourceHacker -open %WIN_PKG% -save %WIN_PKG% -action delete -mask ICONGROUP,1, - if defined VER_INFO ResourceHacker -open version-info.rc -save version-info.res -action compile - if defined VER_INFO ResourceHacker -open %WIN_PKG% -save %WIN_PKG% -action addoverwrite -resource version-info.res -- sh: npm install -- sh: npm run rebuild -- sh: npm run dist:lin -- cmd: npm install -- cmd: npm run rebuild -- cmd: npm run dist:win:ci -- cmd: npm run reset -- cmd: npm run dist:cli -- cmd: 7z a ./dist-cli/bwdc-windows-%PACKAGE_VERSION%.zip ./dist-cli/windows/bwdc.exe ./keytar/windows/keytar.node -- cmd: 7z a ./dist-cli/bwdc-macos-%PACKAGE_VERSION%.zip ./dist-cli/macos/bwdc ./keytar/macos/keytar.node -- cmd: 7z a ./dist-cli/bwdc-linux-%PACKAGE_VERSION%.zip ./dist-cli/linux/bwdc ./keytar/linux/keytar.node -- ps: | - if($isWindows) { - Expand-Archive -Path "./dist-cli/bwdc-windows-${env:PACKAGE_VERSION}.zip" -DestinationPath "./test/windows" - $testVersion = Invoke-Expression '& ./test/windows/bwdc.exe -v' - if($testVersion -ne $env:PACKAGE_VERSION) { - Throw "Version test failed." - } - } -- ps: | - if($isWindows) { - checksum -f="./dist-cli/bwdc-windows-${env:PACKAGE_VERSION}.zip" ` - -t sha256 | Out-File ./dist-cli/bwdc-windows-sha256-${env:PACKAGE_VERSION}.txt - checksum -f="./dist-cli/bwdc-macos-${env:PACKAGE_VERSION}.zip" ` - -t sha256 | Out-File ./dist-cli/bwdc-macos-sha256-${env:PACKAGE_VERSION}.txt - checksum -f="./dist-cli/bwdc-linux-${env:PACKAGE_VERSION}.zip" ` - -t sha256 | Out-File ./dist-cli/bwdc-linux-sha256-${env:PACKAGE_VERSION}.txt - } -- ps: | - if($isLinux) { - Push-AppveyorArtifact ./dist/Bitwarden-Connector-${env:PACKAGE_VERSION}-x86_64.AppImage - } - else { - Push-AppveyorArtifact .\dist\Bitwarden-Connector-Portable-${env:PACKAGE_VERSION}.exe - Push-AppveyorArtifact .\dist\Bitwarden-Connector-Installer-${env:PACKAGE_VERSION}.exe - Push-AppveyorArtifact .\dist-cli\bwdc-windows-${env:PACKAGE_VERSION}.zip - Push-AppveyorArtifact .\dist-cli\bwdc-macos-${env:PACKAGE_VERSION}.zip - Push-AppveyorArtifact .\dist-cli\bwdc-linux-${env:PACKAGE_VERSION}.zip - Push-AppveyorArtifact .\dist-cli\bwdc-windows-sha256-${env:PACKAGE_VERSION}.txt - Push-AppveyorArtifact .\dist-cli\bwdc-macos-sha256-${env:PACKAGE_VERSION}.txt - Push-AppveyorArtifact .\dist-cli\bwdc-linux-sha256-${env:PACKAGE_VERSION}.txt - } - -on_finish: - - ps: | - if($isWindows -and $env:DEBUG_RDP -eq "true") { - $blockRdp = $true - iex ((new-object net.webclient).DownloadString(` - 'https://raw.githubusercontent.com/appveyor/ci/master/scripts/enable-rdp.ps1')) - } - -for: -- - matrix: - only: - - image: Visual Studio 2017 - cache: - - '%LOCALAPPDATA%\electron' - - '%LOCALAPPDATA%\electron-builder' - - 'C:\Users\appveyor\.pkg-cache\' - -- - matrix: - only: - - image: Ubuntu1804 - cache: - - '/home/appveyor/.cache/electron' - - '/home/appveyor/.cache/electron-builder' - -deploy: - tag: $(APPVEYOR_REPO_TAG_NAME) - release: $(RELEASE_NAME) - provider: GitHub - auth_token: $(GH_TOKEN) - artifact: /.*\.(zip|txt)/, - force_update: true - on: - branch: master - APPVEYOR_REPO_TAG: true diff --git a/package.json b/package.json index ab69c15b..86a99eb6 100644 --- a/package.json +++ b/package.json @@ -85,7 +85,8 @@ "target": [ "portable", "nsis" - ] + ], + "sign": "scripts/sign.js" }, "linux": { "category": "Utility", diff --git a/make-versioninfo.ps1 b/scripts/make-versioninfo.ps1 similarity index 100% rename from make-versioninfo.ps1 rename to scripts/make-versioninfo.ps1 diff --git a/scripts/sign.js b/scripts/sign.js new file mode 100644 index 00000000..1cf95813 --- /dev/null +++ b/scripts/sign.js @@ -0,0 +1,23 @@ +exports.default = async function(configuration) { + if ( + parseInt(process.env.ELECTRON_BUILDER_SIGN) === 1 && + configuration.path.slice(-4) == ".exe" + ) { + console.log(`[*] Signing file: ${configuration.path}`) + require("child_process").execSync( + `azuresigntool sign ` + + `-kvu ${process.env.SIGNING_VAULT_URL} ` + + `-kvi ${process.env.SIGNING_CLIENT_ID} ` + + `-kvt ${process.env.SIGNING_TENANT_ID} ` + + `-kvs ${process.env.SIGNING_CLIENT_SECRET} ` + + `-kvc ${process.env.SIGNING_CERT_NAME} ` + + `-fd ${configuration.hash} ` + + `-du ${configuration.site} ` + + `-tr http://timestamp.digicert.com ` + + `"${configuration.path}"`, + { + stdio: "inherit" + } + ); + } +};