-
Notifications
You must be signed in to change notification settings - Fork 0
114 lines (107 loc) · 3.95 KB
/
ci.yaml
File metadata and controls
114 lines (107 loc) · 3.95 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
name: Publish
on:
release:
types: [published]
jobs:
certificate:
name: Retrieve Certificate
runs-on: ubuntu-latest
steps:
- name: Setup AZ CLI
run: |
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
shell: bash
- name: Azure Login
uses: Azure/login@v1
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
- name: AKV Cert Download
uses: azure/CLI@v1
with:
inlineScript: |
az keyvault secret download --file ./signcode.pfx --encoding base64 --name codesigning-gtp-ey --version e433457e4a0e42049a4d3e23acf57f62 --vault-name csakv001
- name: Upload PFX file
uses: actions/upload-artifact@v3
with:
name: signcodecert
path: signcode.pfx
release:
name: Release
needs: certificate
strategy:
matrix:
kind: ['linux', 'windows']
include:
- kind: linux
os: ubuntu-latest
target: linux-x64
- kind: windows
os: windows-latest
target: win-x64
runs-on: ${{ matrix.os }}
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Setup dotnet
uses: actions/setup-dotnet@v3
with:
dotnet-version: '6.0.x'
dotnet-quality: 'preview'
- name: Install az cli osslsigncode
run: |
if [ "$RUNNER_OS" == "Linux" ]; then
sudo apt-get update && sudo apt-get install -y osslsigncode
curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
fi
shell: bash
- name: Build
shell: bash
run: |
tag=$(git describe --tags --abbrev=0)
release_name="HelloWorld-$tag-${{ matrix.target }}"
# Build everything
dotnet publish -f net6.0 --no-self-contained --runtime "${{ matrix.target }}" -c Release -o "$release_name"
- name: Download Certificate
uses: actions/download-artifact@v3
with:
name: signcodecert
- name: Sign PowerShell scripts
env:
CERTPASS: ${{secrets.CERTPASS}}
SIGNCERT: ${{secrets.SIGNCERT}}
shell: pwsh
if: matrix.os == 'windows-latest'
run: |
# Create buffer from the BASE64 string of the PFX stored in the secret
$buffer = [System.Convert]::FromBase64String($env:SIGNCERT)
# Create new certificate object from the buffer and the certificate pass
#$certificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]::New($buffer, '')
$certificate = Get-PfxCertificate -FilePath signcode.pfx
Get-ChildItem ./ -File -Recurse -Include HelloWorld.dll, HelloWorld.exe | Set-AuthenticodeSignature -HashAlgorithm SHA256 -Certificate $certificate -TimestampServer http://timestamp.digicert.com
- name: osslsigncode sign
shell: bash
if: matrix.os == 'ubuntu-latest'
run: |
tag=$(git describe --tags --abbrev=0)
release_name="HelloWorld-$tag-${{ matrix.target }}"
find "$release_name" -type f -name HelloWorld.dll -exec osslsigncode sign -h sha256 -n codesigning-gtp-ey -pkcs12 signcode.pfx -t http://timestamp.digicert.com -in {} -out {}.signed \; -exec mv -f {}.signed {} \;
- name: Package
shell: bash
run: |
tag=$(git describe --tags --abbrev=0)
release_name="HelloWorld-$tag-${{ matrix.target }}"
# Pack files
if [ "${{ matrix.target }}" == "win-x64" ]; then
# Pack to zip for Windows
7z a -tzip "${release_name}.zip" "./${release_name}/*"
else
tar czvf "${release_name}.tar.gz" "$release_name"
fi
# Delete output directory
rm -r "$release_name"
- name: Publish
uses: softprops/action-gh-release@v1
with:
files: "HelloWorld*"
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}