Merge pull request #88 from metalsoft-io/update_sdk #209
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: release | |
on: | |
push: | |
tags: | |
- "v*" | |
jobs: | |
build-linux-and-darwin: | |
strategy: | |
matrix: | |
GOOS: [linux, darwin] | |
runs-on: ubuntu-latest | |
environment: prod | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- name: Unshallow | |
run: git fetch --prune --unshallow | |
- name: Set up Go | |
uses: actions/setup-go@v2 | |
with: | |
go-version: 1.21 | |
#we get the release id from the git so we can identify the files in the cache (we use the cache to merge windows and linux/darwin builds) | |
- shell: bash | |
run: | | |
echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_ENV | |
#save the cache | |
- id: cache | |
uses: actions/cache@v3 | |
with: | |
path: dist/${{ matrix.GOOS }} | |
key: ${{ matrix.GOOS }}-${{ env.sha_short }} | |
#build the darwin and linux here notice the split option (requires pro license of goreleaser) | |
- | |
name: Build | |
uses: goreleaser/goreleaser-action@v5 | |
with: | |
version: latest | |
distribution: goreleaser-pro | |
args: release --clean --split | |
env: | |
GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }} | |
# GitHub sets this automatically | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }} | |
GOOS: ${{ matrix.GOOS }} | |
build-windows: | |
runs-on: windows-latest | |
environment: prod | |
steps: | |
- | |
name: Checkout | |
uses: actions/checkout@v2.3.4 | |
- | |
name: Unshallow | |
run: git fetch --prune --unshallow | |
- | |
name: Set up Go | |
uses: actions/setup-go@v2 | |
with: | |
go-version: 1.21 | |
- shell: bash | |
run: | | |
echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_ENV | |
- id: cache | |
uses: actions/cache@v3 | |
with: | |
path: dist/windows | |
key: windows-${{ env.sha_short }} | |
enableCrossOsArchive: true | |
- | |
name: Build | |
uses: goreleaser/goreleaser-action@v5 | |
with: | |
version: latest | |
distribution: goreleaser-pro | |
args: release --clean --split | |
env: | |
GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }} | |
# GitHub sets this automatically | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }} | |
GOOS: windows | |
- | |
name: Setup certificate | |
shell: bash | |
run: | | |
echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/Certificate_pkcs12.p12 | |
- | |
name: Set signing variables | |
shell: bash | |
run: | | |
echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV" | |
echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV" | |
echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV" | |
echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV" | |
echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH | |
echo "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools" >> $GITHUB_PATH | |
echo "C:\Program Files\DigiCert\DigiCert One Signing Manager Tools" >> $GITHUB_PATH | |
- | |
name: Setup SSM KSP on windows latest | |
shell: cmd | |
run: | | |
curl -X GET https://one.digicert.com/signingmanager/api-ui/v1/releases/smtools-windows-x64.msi/download -H "x-api-key:%SM_API_KEY%" -o smtools-windows-x64.msi | |
msiexec /i smtools-windows-x64.msi /quiet /qn | |
smksp_registrar.exe list | |
smctl.exe keypair ls | |
C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user | |
smksp_cert_sync.exe | |
- | |
name: Signing using Signtool | |
shell: cmd | |
run: | | |
for /f "tokens=1,2 delims=,:{} " %%A in (dist/windows/artifacts.json) do @if "%%~A"=="path" @if %%~xB==.exe signtool.exe sign /sha1 ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 "%%~B" | |
for /f "tokens=1,2 delims=,:{} " %%A in (dist/windows/artifacts.json) do @if "%%~A"=="path" @if %%~xB==.exe signtool.exe verify /v /pa "%%~B" | |
release: | |
runs-on: ubuntu-latest | |
environment: prod | |
needs: | |
- build-linux-and-darwin | |
- build-windows | |
steps: | |
- | |
name: Checkout | |
uses: actions/checkout@v2.3.4 | |
- | |
name: Unshallow | |
run: git fetch --prune --unshallow | |
- uses: actions/setup-go@v3 | |
with: | |
go-version: 1.21 | |
cache: true | |
# copy the cashes from prepare | |
- shell: bash | |
run: | | |
echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_ENV | |
- uses: actions/cache@v3 | |
with: | |
path: dist/linux | |
key: linux-${{ env.sha_short }} | |
- uses: actions/cache@v3 | |
with: | |
path: dist/darwin | |
key: darwin-${{ env.sha_short }} | |
- uses: actions/cache@v3 | |
with: | |
path: dist/windows | |
key: windows-${{ env.sha_short }} | |
enableCrossOsArchive: true | |
- | |
name: Import GPG key | |
id: import_gpg | |
uses: crazy-max/ghaction-import-gpg@v5.0.0 | |
with: | |
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }} | |
passphrase: ${{ secrets.PASSPHRASE }} | |
- | |
name: Create SHA256 checksums, sign them and release | |
uses: goreleaser/goreleaser-action@v5 | |
with: | |
version: latest | |
distribution: goreleaser-pro | |
args: continue --merge | |
env: | |
GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }} | |
# GitHub sets this automatically | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }} | |
GH_TOKEN_ALEX_HOMEBREW_METALSOFT: ${{ secrets.GH_TOKEN_ALEX_HOMEBREW_METALSOFT }} |