Skip to content
Package

Package #147

Sign in to view logs

Package

Package #147

Workflow file for this run

.github/workflows/package.yml at 656a2de
name: Package
on:
workflow_dispatch:
inputs:
run:
description: 'The CI workflow run to package'
required: true
validate-dependency:
description: 'Validate that the CI workflow ran to completion'
type: boolean
required: false
default: true
jetsocat-nuget-version:
description: 'Jetsocat nuget package version'
required: false
workflow_call:
inputs:
dispatch:
description: "Marker to indicate that the workflow was dispatched via workflow_call"
type: string
required: false
default: "workflow_call"
ref:
description: "The commit SHA to build"
required: false
type: string
jobs:
preflight:
name: Preflight
runs-on: ubuntu-20.04
outputs:
run: ${{ steps.get-run.outputs.run }}
commit: ${{ steps.get-commit.outputs.commit }}
version: ${{ steps.get-version.outputs.version }}
steps:
## workflow_dispatch: The run_id is read from the inputs
## workflow_call: The run_id is the current run_id
- name: Get run
id: get-run
shell: pwsh
run: |
if ('${{ github.event.inputs.run }}') {
echo "run=${{ github.event.inputs.run }}" >> $Env:GITHUB_OUTPUT
} else {
echo "run=${{ github.run_id }}" >> $Env:GITHUB_OUTPUT
}
## To consistently repackage the CI artifacts, we must use the same commit that produced the artifacts
##
## workflow_dispatch: Lookup the SHA from the given run_id
## workflow_call: Use the input SHA; otherwise lookup the SHA from the current run_id
- name: Get commit
id: get-commit
shell: pwsh
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
CI_RUN: ${{ steps.get-run.outputs.run }}
run: |
$Ref = '${{ inputs.ref }}'
if (-Not $Ref) {
$Run = gh api /repos/$Env:GITHUB_REPOSITORY/actions/runs/$Env:CI_RUN | ConvertFrom-Json
if ($($Run.head_branch) -Ne "master") {
echo "::notice::specified run is not on master"
}
$ValidateDependency = $false
if ('${{ github.event.inputs.validate-dependency }}') {
$ValidateDependency = [System.Convert]::ToBoolean('${{ github.event.inputs.validate-dependency }}')
}
if ($ValidateDependency) {
if (($($Run.status) -Ne "completed") -Or ($($Run.conclusion) -Ne "success")) {
echo "::error::specified run is either not complete or not successful"
exit 1
}
}
$Ref = $($Run.head_sha)
}
echo "commit=$Ref" >> $Env:GITHUB_OUTPUT
echo "::notice::Packaging artifacts built from commit $Ref in run ${{ steps.get-run.outputs.run }}"
- name: Checkout ${{ github.repository }}
uses: actions/checkout@v4
with:
ref: ${{ steps.get-commit.outputs.commit }}
- name: Upload version artifact
uses: actions/upload-artifact@v4
with:
name: version
path: VERSION
overwrite: true
- name: Upload docker file artifacts
uses: actions/upload-artifact@v4
with:
name: docker
path: package/**/Dockerfile
- name: Upload changelog artifacts
uses: actions/upload-artifact@v4
with:
name: changelog
path: CHANGELOG.md
- name: Get version
id: get-version
shell: pwsh
run: |
$Version = Get-Content VERSION -TotalCount 1
echo "version=$Version" >> $Env:GITHUB_OUTPUT
codesign:
name: Codesign
runs-on: ${{ matrix.runner }}
environment: publish-prod
needs: preflight
strategy:
matrix:
project: [ jetsocat, devolutions-gateway ]
os: [ windows, macos, linux ]
include:
- os: windows
runner: windows-2022
- os: macos
runner: macos-latest
- os: linux
runner: ubuntu-20.04
exclude:
- project: devolutions-gateway
os: macos
steps:
- name: Checkout ${{ github.repository }}
uses: actions/checkout@v4
with:
ref: ${{ needs.preflight.outputs.commit }}
- name: Download artifacts
shell: pwsh
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
$Destination = Join-Path ${{ runner.temp }} ${{ matrix.project }}
gh run download ${{ needs.preflight.outputs.run }} -n ${{ matrix.project }} -D "$Destination"
## Delete the files that we won't operate on to prevent them being re-uploaded
## This ensures consistency of the artifact since we are operating in a matrix
- name: Manage artifacts
shell: pwsh
run: |
$Destination = Join-Path ${{ runner.temp }} ${{ matrix.project }}
$Exclusions = @('${{ matrix.os }}', 'Powershell')
Get-ChildItem "$Destination" -Exclude $Exclusions | Remove-Item -Recurse
- name: Install AzureSignTool
if: matrix.os == 'windows'
run: |
dotnet tool install --global AzureSignTool
- name: Configure certificates (macOS)
if: matrix.os == 'macos'
env:
DEVELOPER_ID_CERTIFICATE: ${{ secrets.APPLE_APP_DEV_ID_APP_CERTIFICATE }}
DEVELOPER_ID_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_APP_DEV_ID_APP_CERTIFICATE_PASSWORD }}
run: |
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
KEYCHAIN_PASSWORD=Price2011
DEVELOPER_ID_CERTIFICATE_PATH=$RUNNER_TEMP/dev_id_cert.p12
echo -n "$DEVELOPER_ID_CERTIFICATE" | base64 --decode --output $DEVELOPER_ID_CERTIFICATE_PATH
security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
security import $DEVELOPER_ID_CERTIFICATE_PATH -P "$DEVELOPER_ID_CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
security list-keychain -d user -s $KEYCHAIN_PATH
- name: Configure runner (Windows)
if: matrix.os == 'windows'
run: |
echo "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x64" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
$WixToolsetItem = Get-ChildItem -Path "C:\Program Files (x86)\" -Filter "WiX Toolset v*" | Select-Object -First 1
echo "C:\Program Files (x86)\$($WixToolsetItem.Name)\bin" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
- name: Sign executables
if: matrix.os == 'windows' || matrix.os == 'macos'
shell: pwsh
run: |
$IncludePattern = switch ('${{ matrix.project }}') {
'devolutions-gateway' { 'DevolutionsGateway_*.exe' }
'jetsocat' { 'jetsocat_*' }
}
$ExcludePattern = "*.pdb"
Get-ChildItem -Path ${{ runner.temp }} -Recurse -Include "$IncludePattern" -Exclude $ExcludePattern | % {
if ('${{ matrix.os }}' -Eq 'windows') {
$Params = @('sign',
'-kvt', '${{ secrets.AZURE_TENANT_ID }}',
'-kvu', '${{ secrets.CODE_SIGNING_KEYVAULT_URL }}',
'-kvi', '${{ secrets.CODE_SIGNING_CLIENT_ID }}',
'-kvs', '${{ secrets.CODE_SIGNING_CLIENT_SECRET }}',
'-kvc', '${{ secrets.CODE_SIGNING_CERTIFICATE_NAME }}',
'-tr', '${{ vars.CODE_SIGNING_TIMESTAMP_SERVER }}',
'-v')
AzureSignTool @Params $_.FullName
} elseif ('${{ matrix.os }}' -Eq 'macos') {
$SignCmd = $(@(
'codesign',
'--timestamp',
'--options=runtime',
'-s', '"Developer ID Application: Devolutions inc. (N592S9ASDB)"',
'-v',
$_.FullName
)) -Join ' '
Write-Host $SignCmd
Invoke-Expression $SignCmd
} else {
echo "::debug::nothing to do for ${{ matrix.os }}"
}
}
- name: Download web client artifacts
if: matrix.os == 'windows' && matrix.project == 'devolutions-gateway'
shell: pwsh
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
$Destination = Join-Path "webapp" "client"
gh run download ${{ needs.preflight.outputs.run }} -n webapp-client -D "$Destination"
- name: Add msbuild to PATH
if: matrix.os == 'windows' && matrix.project == 'devolutions-gateway'
uses: microsoft/setup-msbuild@v2
- name: Regenerate MSI
if: matrix.project == 'devolutions-gateway' && matrix.os == 'windows'
shell: pwsh
run: |
$PackageRoot = Join-Path ${{ runner.temp }} devolutions-gateway
$Env:DGATEWAY_EXECUTABLE = Get-ChildItem -Path $PackageRoot -Recurse -Include '*DevolutionsGateway*.exe' | Select -First 1
$Env:DGATEWAY_PSMODULE_PATH = Join-Path $PackageRoot PowerShell DevolutionsGateway
$Env:DGATEWAY_WEBCLIENT_PATH = Join-Path "webapp" "client" | Resolve-Path
Get-ChildItem -Path (Join-Path $PackageRoot PowerShell "*.zip") -Recurse | % {
Remove-Item $_.FullName -Force
}
./ci/tlk.ps1 package -PackageOption generate
- name: Sign msi runtime
if: matrix.project == 'devolutions-gateway' && matrix.os == 'windows'
shell: pwsh
working-directory: package/WindowsManaged/Release
run: |
Get-ChildItem -Path .\* -Include "*.exe" | % {
$Params = @('sign',
'-kvt', '${{ secrets.AZURE_TENANT_ID }}',
'-kvu', '${{ secrets.CODE_SIGNING_KEYVAULT_URL }}',
'-kvi', '${{ secrets.CODE_SIGNING_CLIENT_ID }}',
'-kvs', '${{ secrets.CODE_SIGNING_CLIENT_SECRET }}',
'-kvc', '${{ secrets.CODE_SIGNING_CERTIFICATE_NAME }}',
'-tr', '${{ vars.CODE_SIGNING_TIMESTAMP_SERVER }}',
'-v')
AzureSignTool @Params $_.FullName
}
- name: Repackage
if: matrix.project == 'devolutions-gateway' && matrix.os == 'windows'
shell: pwsh
run: |
$PackageRoot = Join-Path ${{ runner.temp }} devolutions-gateway
$Env:DGATEWAY_PACKAGE = Get-ChildItem -Path $PackageRoot -Recurse -Include '*DevolutionsGateway*.msi' | Where-Object { $_.Name -NotLike "*legacy*"} | Select -First 1
./ci/tlk.ps1 package -PackageOption assemble
- name: Sign packages
if: matrix.project == 'devolutions-gateway' && matrix.os == 'windows'
shell: pwsh
run: |
Get-ChildItem -Path ${{ runner.temp }} -Recurse -Include '*.msi' | % {
$Params = @('sign',
'-kvt', '${{ secrets.AZURE_TENANT_ID }}',
'-kvu', '${{ secrets.CODE_SIGNING_KEYVAULT_URL }}',
'-kvi', '${{ secrets.CODE_SIGNING_CLIENT_ID }}',
'-kvs', '${{ secrets.CODE_SIGNING_CLIENT_SECRET }}',
'-kvc', '${{ secrets.CODE_SIGNING_CERTIFICATE_NAME }}',
'-tr', '${{ vars.CODE_SIGNING_TIMESTAMP_SERVER }}',
'-d', 'Devolutions Gateway',
'-v')
AzureSignTool @Params $_.FullName
}
- name: Verification
if: matrix.os == 'windows' || matrix.os == 'macos'
shell: pwsh
run: |
$RootPath = Join-Path ${{ runner.temp }} ${{ matrix.project }} ${{ matrix.os }}
if ('${{ matrix.os }}' -Eq 'windows') {
Get-ChildItem -Path $RootPath -Recurse -Include ('*.exe', '*.msi') | % {
signtool verify /pa "$($_.FullName)"
if ($LastExitCode -Ne 0) {
echo "::error::failed to verify the signature of $($_.FullName)"
exit 1
}
}
} elseif ('${{ matrix.os }}' -Eq 'macos') {
Get-ChildItem -Path $RootPath -Recurse -Include 'jetsocat_*' | % {
codesign -dvvv "$($_.FullName)"
if ($LastExitCode -Ne 0) {
echo "::error::failed to verify the signature of $($_.FullName)"
exit 1
}
}
}
- name: Upload artifacts
uses: actions/upload-artifact@v4
with:
name: ${{ matrix.project }}-${{ matrix.os }}
path: ${{ runner.temp }}/${{ matrix.project }}
if-no-files-found: error
retention-days: 1
devolutions-gateway-merge:
name: Merge Artifacts
runs-on: ubuntu-latest
needs: [preflight, codesign]
steps:
- name: Download Artifacts
uses: actions/download-artifact@v4
with:
pattern: devolutions-gateway-*
merge-multiple: true
- name: Upload Artifacts
uses: actions/upload-artifact@v4
with:
path: ${{ github.workspace }}/**/*
name: devolutions-gateway
overwrite: true
jetsocat-merge:
name: Merge Artifacts
runs-on: ubuntu-latest
needs: [preflight, codesign]
steps:
- name: Download Artifacts
uses: actions/download-artifact@v4
with:
pattern: jetsocat-*
merge-multiple: true
- name: Upload Artifacts
uses: actions/upload-artifact@v4
with:
path: ${{ github.workspace }}/**/*
name: jetsocat
overwrite: true
web-app:
name: Web App
runs-on: ubuntu-latest
needs: [preflight, codesign]
steps:
- name: Download artifacts
shell: pwsh
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh run download ${{ needs.preflight.outputs.run }} -n webapp-client -R $Env:GITHUB_REPOSITORY -D webapp-client
- name: Create tarball
run: tar -czvf devolutions_gateway_webapp_${{ needs.preflight.outputs.version }}.tar.gz webapp-client
- name: Upload artifacts
uses: actions/upload-artifact@v4
with:
name: webapp-client
path: devolutions_gateway_webapp_${{ needs.preflight.outputs.version }}.tar.gz
if-no-files-found: error
overwrite: true
nuget:
name: Nuget
runs-on: ubuntu-latest
needs: [preflight, codesign, jetsocat-merge]
steps:
- name: Checkout ${{ github.repository }}
uses: actions/checkout@v4
with:
ref: ${{ needs.preflight.outputs.commit }}
- name: Download artifacts
uses: actions/download-artifact@v4
with:
name: jetsocat
path: jetsocat/nuget/bin
- name: Rename artifacts
shell: pwsh
working-directory: jetsocat/nuget/bin
run: |
# Backward compatibility with prior nuspec versions
Get-ChildItem -Directory -Recurse "x86_64" | Rename-Item -NewName "x64"
# Remove version number and architecture from binary name
Get-ChildItem -File -Recurse -Exclude "*.pdb" | Rename-Item -NewName "jetsocat"
cd windows
Get-ChildItem -File -Recurse -Exclude "*.pdb" | Rename-Item -NewName "jetsocat.exe"
- name: Set package metadata
shell: pwsh
working-directory: jetsocat/nuget
run: |
$Version = '${{ github.event.inputs.jetsocat-nuget-version }}'
if ([string]::IsNullOrWhitespace($Version)) {
$Version = Get-Date -Format "yyyy.M.d"
}
$Nuspec = (Resolve-Path "Devolutions.Jetsocat.nuspec")
$Xml = [xml] (Get-Content $Nuspec)
Select-Xml -xml $Xml -XPath //package/metadata/version | % { $_.Node.'#text' = "$Version" }
Select-Xml -xml $Xml -XPath //package/metadata/description | % { $_.Node.'#text' = "Websocket toolkit for jet protocol related operations" }
$Xml.Save($Nuspec)
- name: Build package
shell: pwsh
working-directory: jetsocat/nuget
run: |
Install-Module -Name ZipIt -Force
& 'nuget' 'pack' 'Devolutions.Jetsocat.nuspec'
$NugetPackage = (Get-Item ".\*.nupkg" | Select-Object -First 1) | Resolve-Path -Relative
Set-ZipItUnixFilePermissions $NugetPackage -FilePattern "native/jetsocat$" -FilePermissions "r-xr-xr-x"
- name: Upload artifact
uses: actions/upload-artifact@v4
with:
name: jetsocat-nuget
path: jetsocat/nuget/*.nupkg
if-no-files-found: error
generate-sbom:
name: Upload SBOM
runs-on: ubuntu-latest
needs: preflight
steps:
- name: Checkout ${{ github.repository }}
uses: actions/checkout@v4
with:
ref: ${{ needs.preflight.outputs.commit }}
- name: Check out Devolutions/actions
uses: actions/checkout@v4
with:
repository: Devolutions/actions
ref: v1
token: ${{ secrets.DEVOLUTIONSBOT_TOKEN }}
path: ./.github/workflows
- name: Install Devolutions Toolbox
uses: ./.github/workflows/toolbox-install
with:
github_token: ${{ secrets.DEVOLUTIONSBOT_TOKEN }}
- name: Generate SBOM
uses: ./.github/workflows/cdxgen
- name: Save SBOM
uses: actions/upload-artifact@v4
with:
name: bom.xml
path: bom.xml
- name: Upload SBOM to Dependency-Track
uses: ./.github/workflows/dtrack-upload-sbom
with:
api_key: ${{ secrets.DTRACK_AUTOMATION_API_KEY }}
autocreate: 'true'
bom_filename: bom.xml
project_name: devolutions-gateway
project_version: ${{ needs.preflight.outputs.version }}
server_hostname: 'dtrack-api.devolutions.com'