feat: code signing and integration with CrabNebula #375

Merged
merged 1 commit into from
Jan 22, 2025
97 changes: 66 additions & 31 deletions .github/actions/build-linux/action.yaml
@@ -1,18 +1,46 @@
name: 'Build for Linux'
description: 'Build for Linux'
inputs:
production-release:
description: 'Whether this is a production release'
required: true
release-version:
description: 'The release version'
required: true
release-tag:
description: 'The release tag'
required: true
crabnebula-release-id:
description: 'The CrabNebula release ID'
required: true
tauri-signing-private-key:
description: 'The Tauri signing private key'
required: true
tauri-signing-private-key-password:
description: 'The Tauri signing private key password'
required: true
tauri-signing-public-key:
description: 'The Tauri signing public key'
required: true
crabnebula-org-name:
description: 'The CrabNebula org name'
required: true
crabnebula-app-name:
description: 'The CrabNebula app name'
required: true
crabnebula-api-key:
description: 'The CrabNebula API key'
required: true
appimage-signing-private-key:
description: 'The AppImage signing private key'
required: true
appimage-signing-private-key-password:
description: 'The AppImage signing private key password'
required: true

runs:
using: 'composite'
steps:
- name: Get artifact name
id: set-env
run: |
echo "artifact_name=algokit-lora-linux-${{ runner.arch }}" >> $GITHUB_OUTPUT
shell: bash

- name: Install dependencies
run: |
sudo apt-get update
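Review bot: `crabnebula-release-id` is declared `required: true` in the inputs block, but the CrabNebula upload step further down this file builds its `release upload` command without it, while the Windows action passes `"${{ inputs.crabnebula-release-id }}"` as a second argument. Either pass the ID here as well so every platform uploads to the same release, or drop the input from this action so callers are not forced to supply a value that is ignored. The descriptions of the key inputs would also be more useful if they stated the expected encoding (for example, whether `appimage-signing-private-key` is an ASCII-armored export), since the import step writes the value to a file verbatim.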
Expand All @@ -24,42 +52,49 @@ runs:
libxdo-dev \
libssl-dev \
libayatana-appindicator3-dev \
librsvg2-dev
librsvg2-dev \
gnupg2
shell: bash

- name: Bump version in tauri.conf.json
- name: Setup tauri.conf.json
if: ${{ inputs.release-version != '' }}
run: |
sed -i "s/\"version\": \"0.0.0\"/\"version\": \"${{ inputs.release-version }}\"/g" "src-tauri/tauri.conf.json"
sed -i "s/\"version\": \"0.1.0\"/\"version\": \"${{ inputs.release-version }}\"/g" "src-tauri/tauri.conf.json"
sed -i "s/\"createUpdaterArtifacts\": false/\"createUpdaterArtifacts\": true/g" "src-tauri/tauri.conf.json"
sed -i "s/CN_ORG_NAME/${{ inputs.crabnebula-org-name }}/g" "src-tauri/tauri.conf.json"
sed -i "s/CN_APP_NAME/${{ inputs.crabnebula-app-name }}/g" "src-tauri/tauri.conf.json"
sed -i "s/CN_CHANNEL/${{ inputs.production-release != 'true' && '?channel=beta' || '' }}/g" "src-tauri/tauri.conf.json"
sed -i "s/TAURI_SIGNING_PUBLIC_KEY/${{ inputs.tauri-signing-public-key }}/g" "src-tauri/tauri.conf.json"
shell: bash

- name: Build tauri app
- name: Import AppImage signing key
run: |
npm run tauri build
echo "${{ inputs.appimage-signing-private-key }}" > appimage.key
gpg2 --batch --passphrase ${{ inputs.appimage-signing-private-key-password }} --import appimage.key
shell: bash

- name: Create icons and desktop file
run: |
chmod +x ./scripts/snap/create-desktop-file.sh
./scripts/snap/create-desktop-file.sh ${{ github.workspace }}/src-tauri/target/release
cp ${{ github.workspace }}/src-tauri/icons ${{ github.workspace }}/src-tauri/target/release/icons -r
shell: bash

- name: Zip to preserve permissions
- name: Build tauri app
run: |
cd src-tauri/target/release
tar -czvf ${{ github.workspace }}/${{ steps.set-env.outputs.artifact_name }}.tar.gz --exclude=bundle --exclude=build --exclude=deps .
npm run tauri build -- --bundles appimage
shell: bash
env:
TAURI_SIGNING_PRIVATE_KEY: ${{ inputs.tauri-signing-private-key }}
TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ inputs.tauri-signing-private-key-password }}
SIGN: 1
APPIMAGETOOL_SIGN_PASSPHRASE: ${{ inputs.appimage-signing-private-key-password }}
APPIMAGETOOL_FORCE_SIGN: 1

- name: Upload binary as artifact
id: upload-artifact
uses: actions/upload-artifact@v4
- name: Upload artifacts to release
uses: softprops/action-gh-release@v1
with:
if-no-files-found: error
name: ${{ steps.set-env.outputs.artifact_name }}
path: ${{ github.workspace }}/${{ steps.set-env.outputs.artifact_name }}.tar.gz
fail_on_unmatched_files: true
files: |
src-tauri/target/release/bundle/appimage/algokit-lora*.AppImage
tag_name: ${{ inputs.release-tag }}
prerelease: ${{ inputs.production-release != 'true' }}

outputs:
artifact-name:
description: 'The name of the artifact'
value: ${{ steps.set-env.outputs.artifact_name }}.tar.gz
- name: Upload artifacts to CrabNebula
uses: crabnebula-dev/[email protected]
with:
command: release upload "${{ inputs.crabnebula-org-name }}/${{ inputs.crabnebula-app-name }}" --framework tauri ${{ inputs.production-release != 'true' && '--channel beta' || '' }}
api-key: ${{ inputs.crabnebula-api-key }}
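Review bot: in the `Import AppImage signing key` step both secrets are expanded by `${{ }}` into the script text before bash runs, and the passphrase ends up unquoted on the `gpg2` command line, so a passphrase containing spaces or shell metacharacters is split or interpreted by the shell and the value is visible in the process arguments. Pass both values through `env:` (as the macOS action does for the certificate), reference them as quoted shell variables, and have gpg read the passphrase from a file descriptor rather than from an argument. `appimage.key` is also left in the workspace for the rest of the job; pipe the key to `gpg2 --import` on stdin, or delete the file right after the import.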
108 changes: 94 additions & 14 deletions .github/actions/build-mac/action.yaml
Expand Up @@ -2,37 +2,117 @@ name: 'Build for Mac'
description: 'Build for Mac'
inputs:
production-release:
description: 'Production release?'
description: 'Whether this is a production release'
required: true
release-version:
description: 'The release version'
required: true
release-tag:
description: 'The release tag'
required: true
crabnebula-release-id:
description: 'The CrabNebula release ID'
required: true
apple-certificate:
description: 'The Apple certificate'
required: true
apple-certificate-password:
description: 'The Apple certificate password'
required: true
keychain-password:
description: 'The keychain password'
required: true
apple-id:
description: 'The Apple ID'
required: true
apple-password:
description: 'The Apple password'
required: true
apple-team-id:
description: 'The Apple team ID'
required: true
tauri-signing-private-key:
description: 'The Tauri signing private key'
required: true
tauri-signing-private-key-password:
description: 'The Tauri signing private key password'
required: true
tauri-signing-public-key:
description: 'The Tauri signing public key'
required: true
crabnebula-org-name:
description: 'The CrabNebula org name'
required: true
crabnebula-app-name:
description: 'The CrabNebula app name'
required: true
crabnebula-api-key:
description: 'The CrabNebula API key'
required: true

runs:
using: 'composite'
steps:
# TODO: set up signing certs here when releasing to production

- name: Get artifact name
id: set-env
- name: Import Apple Developer Certificate
env:
APPLE_CERTIFICATE: ${{ inputs.apple-certificate }}
APPLE_CERTIFICATE_PASSWORD: ${{ inputs.apple-certificate-password }}
KEYCHAIN_PASSWORD: ${{ inputs.keychain-password }}
shell: bash
run: |
echo "artifact_name=algokit-lora-mac-${{ runner.arch }}" >> $GITHUB_OUTPUT
echo $APPLE_CERTIFICATE | base64 --decode > certificate.p12
security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
security default-keychain -s build.keychain
security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
security set-keychain-settings -t 3600 -u build.keychain
security import certificate.p12 -k build.keychain -P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" build.keychain
security find-identity -v -p codesigning build.keychain

- name: Verify Certificate
shell: bash
run: |
CERT_INFO=$(security find-identity -v -p codesigning build.keychain | grep "Developer ID Application")
CERT_ID=$(echo "$CERT_INFO" | awk -F'"' '{print $2}')
echo "CERT_ID=$CERT_ID" >> $GITHUB_ENV
echo "Certificate imported."

- name: Bump version in tauri.conf.json
- name: Setup tauri.conf.json
if: ${{ inputs.release-version != '' }}
run: |
sed -i '' "s/\"version\": \"0.0.0\"/\"version\": \"${{ inputs.release-version }}\"/g" "src-tauri/tauri.conf.json"
sed -i '' "s/\"version\": \"0.1.0\"/\"version\": \"${{ inputs.release-version }}\"/g" "src-tauri/tauri.conf.json"
sed -i '' "s/\"createUpdaterArtifacts\": false/\"createUpdaterArtifacts\": true/g" "src-tauri/tauri.conf.json"
sed -i '' "s/CN_ORG_NAME/${{ inputs.crabnebula-org-name }}/g" "src-tauri/tauri.conf.json"
sed -i '' "s/CN_APP_NAME/${{ inputs.crabnebula-app-name }}/g" "src-tauri/tauri.conf.json"
sed -i '' "s/CN_CHANNEL/${{ inputs.production-release != 'true' && '?channel=beta' || '' }}/g" "src-tauri/tauri.conf.json"
sed -i '' "s/TAURI_SIGNING_PUBLIC_KEY/${{ inputs.tauri-signing-public-key }}/g" "src-tauri/tauri.conf.json"
shell: bash

- name: Build tauri app
run: |
npm run tauri build
shell: bash
env:
APPLE_CERTIFICATE: ${{ inputs.apple-certificate }}
APPLE_CERTIFICATE_PASSWORD: ${{ inputs.apple-certificate-password }}
APPLE_SIGNING_IDENTITY: ${{ env.CERT_ID }}
APPLE_ID: ${{ inputs.apple-id }}
APPLE_PASSWORD: ${{ inputs.apple-password }}
APPLE_TEAM_ID: ${{ inputs.apple-team-id }}
TAURI_SIGNING_PRIVATE_KEY: ${{ inputs.tauri-signing-private-key }}
TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ inputs.tauri-signing-private-key-password }}

- name: Upload artifacts to release
uses: softprops/action-gh-release@v1
with:
fail_on_unmatched_files: true
files: |
src-tauri/target/release/bundle/dmg/algokit-lora_*.dmg
tag_name: ${{ inputs.release-tag }}
prerelease: ${{ inputs.production-release != 'true' }}

- name: Upload binary as artifact
id: upload-artifact
uses: actions/upload-artifact@v4
- name: Upload artifacts to CrabNebula
uses: crabnebula-dev/[email protected]
with:
if-no-files-found: error
name: ${{ steps.set-env.outputs.artifact_name }}
path: src-tauri/target/release/bundle/dmg/algokit-lora_*.dmg
command: release upload "${{ inputs.crabnebula-org-name }}/${{ inputs.crabnebula-app-name }}" --framework tauri ${{ inputs.production-release != 'true' && '--channel beta' || '' }}
api-key: ${{ inputs.crabnebula-api-key }}
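Review bot: the `Import Apple Developer Certificate` step leaves `certificate.p12` in the working directory and `build.keychain` in place as the default keychain, and none of the visible steps removes either. Delete the `.p12` as soon as `security import` succeeds and add a final step guarded by `if: always()` that runs `security delete-keychain build.keychain`, which matters most on self-hosted or reused runners. `echo $APPLE_CERTIFICATE` should also be quoted (or replaced with `printf '%s' "$APPLE_CERTIFICATE"`) so the base64 text reaches `base64 --decode` without word splitting or glob expansion.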
69 changes: 50 additions & 19 deletions .github/actions/build-windows/action.yaml
Expand Up @@ -2,12 +2,16 @@ name: 'Build for Windows'
description: 'Build for Windows'
inputs:
production-release:
description: 'Production release?'
description: 'Whether this is a production release'
required: true
release-version:
description: 'The release version'
package_name:
description: 'The name of the package'
required: true
release-tag:
description: 'The release tag'
required: true
crabnebula-release-id:
description: 'The CrabNebula release ID'
required: true
azure_tenant_id:
description: 'The Microsoft Entra tenant (directory) ID.'
Expand All @@ -18,23 +22,39 @@ inputs:
azure_client_secret:
description: 'A client secret that was generated for the App Registration.'
required: true
tauri-signing-private-key:
description: 'The Tauri signing private key'
required: true
tauri-signing-private-key-password:
description: 'The Tauri signing private key password'
required: true
tauri-signing-public-key:
description: 'The Tauri signing public key'
required: true
crabnebula-org-name:
description: 'The CrabNebula org name'
required: true
crabnebula-app-name:
description: 'The CrabNebula app name'
required: true
crabnebula-api-key:
description: 'The CrabNebula API key'
required: true

runs:
using: 'composite'
steps:
- name: Get artifact name
id: set-env
run: |
echo "artifact_name=algokit-lora-windows-${{ runner.arch }}" >> $GITHUB_OUTPUT
shell: bash

- name: Bump version in tauri.conf.json and Cargo files
- name: Setup tauri.conf.json
if: ${{ inputs.release-version != '' }}
run: |
version="${{ inputs.release-version }}"
sed -i "s/\"version\": \"0.0.0\"/\"version\": \"$version\"/g" "src-tauri/tauri.conf.json"
sed -i "s/version = \"0.0.0\"/version = \"$version\"/g" "src-tauri/Cargo.toml"
sed -i "s/version = \"0.0.0\"/version = \"$version\"/g" "src-tauri/Cargo.lock"
input_version="${{ inputs.release-version }}"
version="${input_version/beta./""}"
sed -i "s/\"version\": \"0.1.0\"/\"version\": \"$version\"/g" "src-tauri/tauri.conf.json"
sed -i "s/\"createUpdaterArtifacts\": false/\"createUpdaterArtifacts\": true/g" "src-tauri/tauri.conf.json"
sed -i "s/CN_ORG_NAME/${{ inputs.crabnebula-org-name }}/g" "src-tauri/tauri.conf.json"
sed -i "s/CN_APP_NAME/${{ inputs.crabnebula-app-name }}/g" "src-tauri/tauri.conf.json"
sed -i "s/CN_CHANNEL/${{ inputs.production-release != 'true' && '?channel=beta' || '' }}/g" "src-tauri/tauri.conf.json"
sed -i "s/TAURI_SIGNING_PUBLIC_KEY/${{ inputs.tauri-signing-public-key }}/g" "src-tauri/tauri.conf.json"
shell: bash

# Create a dummy file to sign, so we can install the signing tools without any errors
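Review bot: `version="${input_version/beta./""}"` in the `Setup tauri.conf.json` step silently strips `beta.` from the version on Windows only, while the Linux and macOS actions write `inputs.release-version` unchanged, so the same release ends up with different version strings per platform. Add a comment explaining why the pre-release label is dropped here, and write the expansion as `${input_version/beta./}` since the inner `""` adds nothing. The `sed` lines also splice `${{ inputs.* }}` values straight into `s/.../.../` programs; a value containing `/`, `&` or `\` changes the substitution, so consider a delimiter that cannot occur in those values or editing the JSON with a JSON-aware tool.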
Expand Down Expand Up @@ -76,6 +96,8 @@ runs:
AZURE_TENANT_ID: ${{ inputs.azure_tenant_id }}
AZURE_CLIENT_ID: ${{ inputs.azure_client_id }}
AZURE_CLIENT_SECRET: ${{ inputs.azure_client_secret }}
TAURI_SIGNING_PRIVATE_KEY: ${{ inputs.tauri-signing-private-key }}
TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ inputs.tauri-signing-private-key-password }}
run: |
npm run tauri build
shell: pwsh
Expand All @@ -95,9 +117,18 @@ runs:
timestamp-rfc3161: http://timestamp.acs.microsoft.com
timestamp-digest: SHA256

- name: Upload installer artifact
uses: actions/upload-artifact@v4
- name: Upload artifacts to release
uses: softprops/action-gh-release@v1
with:
fail_on_unmatched_files: true
files: |
src-tauri/target/release/bundle/msi/algokit-lora*.msi
src-tauri/target/release/bundle/nsis/algokit-lora*.exe
tag_name: ${{ inputs.release-tag }}
prerelease: ${{ inputs.production-release != 'true' }}

- name: Upload artifacts to CrabNebula
uses: crabnebula-dev/[email protected]
with:
if-no-files-found: error
name: ${{ steps.set-env.outputs.artifact_name }}
path: ${{ github.workspace }}\src-tauri\target\release\bundle\msi\algokit-lora*.msi
command: release upload "${{ inputs.crabnebula-org-name }}/${{ inputs.crabnebula-app-name }}" "${{ inputs.crabnebula-release-id }}" --framework tauri ${{ inputs.production-release != 'true' && '--channel beta' || '' }}
api-key: ${{ inputs.crabnebula-api-key }}
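Review bot: `softprops/action-gh-release@v1` and the CrabNebula `cloud-release` action are referenced by tag in the upload steps, one of which receives `crabnebula-api-key`, so a retagged version of either action would run with access to the release upload credentials. Pin both to a full commit SHA with the version in a trailing comment. It is also worth confirming that the `nsis/algokit-lora*.exe` installer listed under `files:` is covered by the signing step above, since only the upload side is visible here.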
16 changes: 4 additions & 12 deletions .github/actions/create-release/action.yaml
Expand Up @@ -39,23 +39,15 @@ runs:

- name: Get next version (dry run)
id: get-next-version
run: npx semantic-release --dry-run
run: npx semantic-release --dry-run ${{ inputs.production-release == 'true' && '--branches main' || '' }}
env:
GITHUB_TOKEN: ${{ inputs.github-token }}
shell: bash

- name: Create release - beta
if: ${{ inputs.production-release != 'true' }}
- name: Create release ${{ inputs.production-release == 'true' && '' || 'beta' }}
env:
GITHUB_TOKEN: ${{ inputs.github-token }}
run: 'npx semantic-release'
shell: bash

- name: Create release
if: ${{ inputs.production-release == 'true' }}
env:
GITHUB_TOKEN: ${{ inputs.github-token }}
run: 'npx semantic-release --branches main'
run: npx semantic-release ${{ inputs.production-release == 'true' && '--branches main' || '' }}
shell: bash

- name: Get release tag
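Review bot: in `name: Create release ${{ inputs.production-release == 'true' && '' || 'beta' }}` the empty string is falsy, so the `&& ... ||` expression falls through to `'beta'` for production releases too and the step is always labelled as a beta release. Swap the operands, for example `inputs.production-release != 'true' && 'beta' || ''`, which is the form the `CN_CHANNEL` substitutions in the build actions already use.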
Expand All @@ -73,6 +65,6 @@ runs:
const { data } = await github.rest.repos.getReleaseByTag({
owner: context.repo.owner,
repo: context.repo.repo,
tag: "${{ steps.get-release-tag.outputs.release-tag }}"
tag: "${{ steps.get-next-version.outputs.new-release-git-tag }}"
})
return data.id
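Review bot: `getReleaseByTag` now takes its tag from `steps.get-next-version.outputs.new-release-git-tag`, which is the output of the `--dry-run` step rather than of the run that actually published the release. If the two can ever differ, or the dry run yields no tag, this call fails or returns the wrong release ID. Either keep reading the tag from the `Get release tag` step, or remove that step if it is no longer used so there is a single source for the tag.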