Skip to content

trigger ci 3

trigger ci 3 #170

Workflow file for this run

name: 'Build app and create release'
on:
push:
tags:
- v*.*.*
branches:
- arm-deb
jobs:
# build-wireguard-go:
# strategy:
# fail-fast: false
# matrix:
# architecture: [arm64, amd64]
# runs-on: [self-hosted, macOS]
# steps:
# - uses: actions/checkout@v4
# with:
# repository: WireGuard/wireguard-go
# ref: master
# fetch-depth: 0
# - name: Set up Go
# uses: actions/setup-go@v5
# with:
# go-version: '1.22'
# - name: Build wireguard-go binary
# run: make
# env:
# GOOS: darwin
# GOARCH: ${{ matrix.architecture }}
# - name: Upload binary artifact arm64
# if: matrix.architecture == 'arm64'
# uses: actions/upload-artifact@v4
# with:
# name: wireguard-go-aarch64-apple-darwin
# path: wireguard-go
# - name: Upload binary artifact amd64
# if: matrix.architecture == 'amd64'
# uses: actions/upload-artifact@v4
# with:
# name: wireguard-go-x86_64-apple-darwin
# path: wireguard-go
# create-release:
# name: create-release
# runs-on: self-hosted
# outputs:
# upload_url: ${{ steps.release.outputs.upload_url }}
# steps:
# - name: Create GitHub release
# id: release
# uses: softprops/action-gh-release@v1
# with:
# draft: true
# generate_release_notes: true
build-linux:
# needs:
# - create-release
runs-on:
- self-hosted
- Linux
- ${{ matrix.architecture }}
strategy:
fail-fast: false
matrix:
# architecture: [ARM64, X64]
architecture: [ARM64]
steps:
- uses: actions/checkout@v4
with:
submodules: 'recursive'
- name: Write release version
run: |
VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
echo Version: $VERSION
echo "VERSION=$VERSION" >> $GITHUB_ENV
- uses: actions/setup-node@v3
with:
node-version: '20'
- uses: pnpm/action-setup@v2
with:
version: 9
run_install: false
- name: Get pnpm store directory
shell: bash
run: |
echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
- uses: actions/cache@v3
name: Setup pnpm cache
with:
path: ${{ env.STORE_PATH }}
key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }}
restore-keys: |
${{ runner.os }}-pnpm-build-store-
- name: Install Node dependencies
run: pnpm install --frozen-lockfile
- uses: dtolnay/rust-toolchain@stable
- name: Install Linux dependencies
run: |
sudo apt-get update
sudo apt-get install -y libgtk-3-dev libwebkit2gtk-4.0-dev libappindicator3-dev librsvg2-dev patchelf libssl-dev unzip
- name: Build packages
uses: tauri-apps/tauri-action@v0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# - name: Upload DEB
# uses: actions/upload-release-asset@v1.0.2
# env:
# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# with:
# upload_url: ${{ needs.create-release.outputs.upload_url }}
# asset_path: src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_amd64.deb
# asset_name: defguard-client_${{ env.VERSION }}_amd64.deb
# asset_content_type: application/octet-stream
# - name: Upload AppImage
# uses: actions/upload-release-asset@v1.0.2
# env:
# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# with:
# upload_url: ${{ needs.create-release.outputs.upload_url }}
# asset_path: src-tauri/target/release/bundle/appimage/defguard-client_${{ env.VERSION }}_amd64.AppImage
# asset_name: defguard-client_${{ env.VERSION }}_amd64.AppImage
# asset_content_type: application/octet-stream
# - name: Rename client binary
# run: mv src-tauri/target/release/defguard-client defguard-client-linux-x86_64-${{ github.ref_name }}
# - name: Tar client binary
# uses: a7ul/tar-action@v1.1.0
# with:
# command: c
# files: |
# defguard-client-linux-x86_64-${{ github.ref_name }}
# outPath: defguard-client-linux-x86_64-${{ github.ref_name }}.tar.gz
# - name: Upload client archive
# uses: actions/upload-release-asset@v1.0.2
# env:
# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# with:
# upload_url: ${{ needs.create-release.outputs.upload_url }}
# asset_path: defguard-client-linux-x86_64-${{ github.ref_name }}.tar.gz
# asset_name: defguard-client-linux-x86_64-${{ github.ref_name }}.tar.gz
# asset_content_type: application/octet-stream
# - name: Rename daemon binary
# run: mv src-tauri/target/release/defguard-service defguard-service-linux-x86_64-${{ github.ref_name }}
# - name: Tar daemon binary
# uses: a7ul/tar-action@v1.1.0
# with:
# command: c
# files: |
# defguard-service-linux-x86_64-${{ github.ref_name }}
# outPath: defguard-service-linux-x86_64-${{ github.ref_name }}.tar.gz
# - name: Upload daemon archive
# uses: actions/upload-release-asset@v1.0.2
# env:
# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# with:
# upload_url: ${{ needs.create-release.outputs.upload_url }}
# asset_path: defguard-service-linux-x86_64-${{ github.ref_name }}.tar.gz
# asset_name: defguard-service-linux-x86_64-${{ github.ref_name }}.tar.gz
# asset_content_type: application/octet-stream
# build-macos:
# needs:
# - create-release
# - build-wireguard-go
# strategy:
# fail-fast: false
# matrix:
# target: [aarch64-apple-darwin, x86_64-apple-darwin]
# runs-on:
# - self-hosted
# - macOS
# steps:
# - uses: actions/checkout@v4
# with:
# submodules: 'recursive'
# - name: Write release version
# run: |
# VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
# echo Version: $VERSION
# echo "VERSION=$VERSION" >> $GITHUB_ENV
# - uses: actions/setup-node@v3
# with:
# node-version: '20'
# - uses: pnpm/action-setup@v2
# with:
# version: 9
# run_install: false
# - name: Get pnpm store directory
# shell: bash
# run: echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
# - uses: actions/cache@v3
# name: Setup pnpm cache
# with:
# path: ${{ env.STORE_PATH }}
# key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }}
# restore-keys: |
# ${{ runner.os }}-pnpm-build-store-
# - name: Install deps
# run: pnpm install --frozen-lockfile
# - uses: dtolnay/rust-toolchain@stable
# - name: Install protobuf compiler
# run: brew install protobuf
# - name: Install ARM target
# run: rustup target add aarch64-apple-darwin
# - name: Download wireguard-go binary
# uses: actions/download-artifact@v4
# with:
# name: wireguard-go-${{ matrix.target }}
# path: src-tauri/resources-macos/binaries/wireguard-go-${{ matrix.target }}
# - name: Unlock keychain
# run: security -v unlock-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" /Users/admin/Library/Keychains/login.keychain
# - name: Build app
# uses: tauri-apps/tauri-action@v0
# env:
# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# APPLE_SIGNING_IDENTITY: 'Developer ID Application: TEONITE (6WD6W6WQNV)'
# APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
# APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
# APPLE_ID: 'admin@teonite.com'
# APPLE_PASSWORD: ${{ secrets.NOTARYTOOL_APP_SPECIFIC_PASSWORD }}
# APPLE_TEAM_ID: '6WD6W6WQNV'
# with:
# args: --target ${{ matrix.target }} -v
# - name: Build installation package
# run: |
# bash build-macos-package.sh src-tauri/target/${{ matrix.target }} src-tauri/resources-macos/scripts "Developer ID Installer: TEONITE (6WD6W6WQNV)" /Users/admin/Library/Keychains/login.keychain
# xcrun notarytool submit --wait --apple-id admin@teonite.com --password ${{ secrets.NOTARYTOOL_APP_SPECIFIC_PASSWORD }} --team-id 6WD6W6WQNV src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg
# xcrun stapler staple src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg
# - name: Upload installation package
# uses: actions/upload-release-asset@v1.0.2
# env:
# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# with:
# upload_url: ${{ needs.create-release.outputs.upload_url }}
# asset_path: src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg
# asset_name: defguard-${{ matrix.target }}-${{ env.VERSION }}.pkg
# asset_content_type: application/octet-stream
# Building signed windows bundle involves a few steps as described here:
# https://wixtoolset.org/docs/tools/signing/#signing-bundles-at-the-command-line
# 1. Build defguard & bundle the binaries (defguard & wireguard) using wix (windows)
# 2. Detach the burn engine from the bundle so that it can be signed (also windows)
# 3. Sign the burn engine (linux)
# 4. Reattach the burn engine back to the bundle (windows again)
# 5. Sign the whole bundle (linux)
# build-windows:
# needs:
# - create-release
# runs-on: windows-latest
# steps:
# - uses: actions/checkout@v4
# with:
# submodules: 'recursive'
# - name: Write release version
# run: |
# $env:VERSION=echo ($env:GITHUB_REF_NAME.Substring(1) -Split "-")[0]
# echo Version: $env:VERSION
# echo "VERSION=$env:VERSION" >> $env:GITHUB_ENV
# - uses: actions/setup-node@v3
# with:
# node-version: '20'
# - uses: pnpm/action-setup@v2
# with:
# version: 9
# run_install: false
# - name: Get pnpm store directory
# shell: bash
# run: echo "STORE_PATH=$(pnpm store path --silent)" >> $env:GITHUB_ENV
# - uses: actions/cache@v3
# name: Setup pnpm cache
# with:
# path: ${{ env.STORE_PATH }}
# key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }}
# restore-keys: |
# ${{ runner.os }}-pnpm-build-store-
# - name: Install deps
# run: pnpm install --frozen-lockfile
# - uses: dtolnay/rust-toolchain@stable
# - name: Install Protoc
# uses: arduino/setup-protoc@v2
# with:
# repo-token: ${{ secrets.GITHUB_TOKEN }}
# - name: Remove "default-run" line from Cargo.toml
# run: |
# Set-Content -Path ".\src-tauri\Cargo.toml" -Value (get-content -Path ".\src-tauri\Cargo.toml" | Select-String -Pattern 'default-run =' -NotMatch)
# - name: Build packages
# uses: tauri-apps/tauri-action@v0
# env:
# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# - name: Bundle application
# run: |
# # prepare wix extension
# dotnet tool install --global wix --version 4.0.5
# wix extension add WixToolset.Bal.wixext/4
# # bundle defguard & wireguard binaries together
# wix build .\src-tauri\resources-windows\defguard-client.wxs -ext .\.wix\extensions\WixToolset.Bal.wixext\4\wixext4\WixToolset.Bal.wixext.dll
# # detach burn engine from the bundle to be signed
# wix burn detach .\src-tauri\resources-windows\defguard-client.exe -engine .\src-tauri\resources-windows\burnengine.exe
# - name: Upload unsigned bundle and burn-engine
# uses: actions/upload-artifact@v4
# with:
# name: unsigned-bundle-and-burnengine
# path: |
# src-tauri/resources-windows/defguard-client.exe
# src-tauri/resources-windows/burnengine.exe
# sign-burn-engine:
# needs:
# - build-windows
# runs-on:
# - self-hosted
# - Linux
# - X64
# steps:
# - name: Write release version
# run: |
# VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
# echo Version: $VERSION
# echo "VERSION=$VERSION" >> $GITHUB_ENV
# - name: Download unsigned bundle & burn-engine
# uses: actions/download-artifact@v4
# with:
# name: unsigned-bundle-and-burnengine
# - name: Sign burn-engine
# run: osslsigncode sign -pkcs11module /srv/codesign/certum/sc30pkcs11-3.0.6.68-MS.so -certs /srv/codesign/29ee7778ca5217107841bbbf6b3062e1.pem -key ${{ secrets.CODESIGN_KEYID }} -pass ${{ secrets.CODESIGN_PIN }} -h sha256 -t http://time.certum.pl/ -in burnengine.exe -out burnengine-signed.exe
# - name: Upload bundle and burn-engine artifact
# uses: actions/upload-artifact@v4
# with:
# name: unsigned-bundle-and-signed-burnengine
# path: |
# defguard-client.exe
# burnengine-signed.exe
# reattach-burn-engine:
# needs:
# - sign-burn-engine
# runs-on: windows-latest
# steps:
# - name: Download unsigned bundle and signed burn-engine
# uses: actions/download-artifact@v4
# with:
# name: unsigned-bundle-and-signed-burnengine
# - name: Reattach burn-engine
# run: |
# # prepare wix extension
# dotnet tool install --global wix --version 4.0.5
# wix extension add WixToolset.Bal.wixext/4
# # reattach burn engine to the bundle
# wix burn reattach defguard-client.exe -engine burnengine-signed.exe -o defguard-client-reattached.exe
# - name: Upload bundle with reattached burn-engine
# uses: actions/upload-artifact@v4
# with:
# name: unsigned-bundle-with-reattached-signed-burn-engine
# path: defguard-client-reattached.exe
# sign-bundle:
# needs:
# - create-release
# - reattach-burn-engine
# runs-on:
# - self-hosted
# - Linux
# - X64
# steps:
# - name: Write release version
# run: |
# VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
# echo Version: $VERSION
# echo "VERSION=$VERSION" >> $GITHUB_ENV
# - name: Download unsigned bundle & signed burn-engine
# uses: actions/download-artifact@v4
# with:
# name: unsigned-bundle-with-reattached-signed-burn-engine
# - name: Sign bundle
# run: osslsigncode sign -pkcs11module /srv/codesign/certum/sc30pkcs11-3.0.6.68-MS.so -certs /srv/codesign/29ee7778ca5217107841bbbf6b3062e1.pem -key ${{ secrets.CODESIGN_KEYID }} -pass ${{ secrets.CODESIGN_PIN }} -h sha256 -t http://time.certum.pl/ -in defguard-client-reattached.exe -out defguard-client-signed.exe
# - name: Upload installer asset
# uses: actions/upload-release-asset@v1.0.2
# env:
# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# with:
# upload_url: ${{ needs.create-release.outputs.upload_url }}
# asset_path: defguard-client-signed.exe
# asset_name: defguard-client_${{ env.VERSION }}_x64_en-US.exe
# asset_content_type: application/octet-stream