Skip to content

Refactor build for non-UNIX machines #207

Refactor build for non-UNIX machines

Refactor build for non-UNIX machines #207

Workflow file for this run

name: 'Build app and create release'
on:
push:
tags:
- v*.*.*
branches:
- cli
jobs:
build-wireguard-go:
strategy:
fail-fast: false
matrix:
architecture: [arm64, amd64]
runs-on: [self-hosted, macOS]
steps:
- uses: actions/checkout@v4
with:
repository: WireGuard/wireguard-go
ref: master
fetch-depth: 0
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: '1.22'
- name: Build wireguard-go binary
run: make
env:
GOOS: darwin
GOARCH: ${{ matrix.architecture }}
- name: Upload binary artifact arm64
if: matrix.architecture == 'arm64'
uses: actions/upload-artifact@v4
with:
name: wireguard-go-aarch64-apple-darwin
path: wireguard-go
- name: Upload binary artifact amd64
if: matrix.architecture == 'amd64'
uses: actions/upload-artifact@v4
with:
name: wireguard-go-x86_64-apple-darwin
path: wireguard-go
create-release:
name: create-release
runs-on: self-hosted
outputs:
upload_url: ${{ steps.release.outputs.upload_url }}
steps:
- name: Create GitHub release
id: release
uses: softprops/action-gh-release@v2
with:
draft: true
generate_release_notes: true
build-linux:
needs:
- create-release
runs-on:
- self-hosted
- Linux
- ${{ matrix.architecture }}
strategy:
fail-fast: false
matrix:
architecture: [ARM64, X64]
include:
- architecture: ARM64
deb_arch: arm64
binary_arch: aarch64
- architecture: X64
deb_arch: amd64
binary_arch: x86_64
steps:
- uses: actions/checkout@v4
with:
submodules: 'recursive'
- name: Write release version
run: |
# VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
VERSION=1.1.1
echo Version: $VERSION
echo "VERSION=$VERSION" >> $GITHUB_ENV
- uses: actions/setup-node@v3
with:
node-version: '20'
- uses: pnpm/action-setup@v2
with:
version: 9
run_install: false
- name: Get pnpm store directory
shell: bash
run: |
echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
- uses: actions/cache@v3
name: Setup pnpm cache
with:
path: ${{ env.STORE_PATH }}
key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }}
restore-keys: |
${{ runner.os }}-pnpm-build-store-
- name: Install Node dependencies
run: pnpm install --frozen-lockfile
- uses: dtolnay/rust-toolchain@stable
- name: Install Linux dependencies
run: |
sudo apt-get update
sudo apt-get install -y libgtk-3-dev libwebkit2gtk-4.0-dev libappindicator3-dev librsvg2-dev patchelf libssl-dev unzip protobuf-compiler libprotobuf-dev rpm
- name: Build packages
uses: tauri-apps/tauri-action@v0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Create RPM
run: |
rpmbuild --build-in-place --define "_topdir $(pwd)" --define "version ${{ env.VERSION }}" -bb resources-linux/defguard-client.spec
- name: Upload RPM
uses: actions/upload-release-asset@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create-release.outputs.upload_url }}
asset_path: RPMS/${{ matrix.binary_arch }}/defguard-client-${{ env.VERSION }}-1.${{ matrix.binary_arch }}.rpm
asset_name: defguard-client-${{ env.VERSION }}-1.${{ matrix.binary_arch }}.rpm
asset_content_type: application/octet-stream
- name: Upload DEB
uses: actions/upload-release-asset@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create-release.outputs.upload_url }}
asset_path: src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb
asset_name: defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb
asset_content_type: application/octet-stream
- name: Rename client binary
run: mv src-tauri/target/release/defguard-client defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
- name: Tar client binary
uses: a7ul/tar-action@v1.2.0
with:
command: c
files: |
defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
outPath: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
- name: Upload client archive
uses: actions/upload-release-asset@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create-release.outputs.upload_url }}
asset_path: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
asset_name: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
asset_content_type: application/octet-stream
- name: Rename daemon binary
run: mv src-tauri/target/release/defguard-service defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
- name: Tar daemon binary
uses: a7ul/tar-action@v1.2.0
with:
command: c
files: |
defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
outPath: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
- name: Upload daemon archive
uses: actions/upload-release-asset@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create-release.outputs.upload_url }}
asset_path: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
asset_name: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
asset_content_type: application/octet-stream
- name: Rename dg binary
run: mv src-tauri/target/release/dg dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
- name: Tar dg binary
uses: a7ul/tar-action@v1.2.0
with:
command: c
files: |
dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}
outPath: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
- name: Upload dg archive
uses: actions/upload-release-asset@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create-release.outputs.upload_url }}
asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz
asset_content_type: application/octet-stream
build-macos:
needs:
- create-release
- build-wireguard-go
strategy:
fail-fast: false
matrix:
target: [aarch64-apple-darwin, x86_64-apple-darwin]
runs-on:
- self-hosted
- macOS
steps:
- uses: actions/checkout@v4
with:
submodules: 'recursive'
- name: Write release version
run: |
VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
echo Version: $VERSION
echo "VERSION=$VERSION" >> $GITHUB_ENV
- uses: actions/setup-node@v3
with:
node-version: '20'
- uses: pnpm/action-setup@v2
with:
version: 9
run_install: false
- name: Get pnpm store directory
shell: bash
run: echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
- uses: actions/cache@v3
name: Setup pnpm cache
with:
path: ${{ env.STORE_PATH }}
key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }}
restore-keys: |
${{ runner.os }}-pnpm-build-store-
- name: Install deps
run: pnpm install --frozen-lockfile
- uses: dtolnay/rust-toolchain@stable
- name: Install protobuf compiler
run: brew install protobuf
- name: Install ARM target
run: rustup target add aarch64-apple-darwin
- name: Download wireguard-go binary
uses: actions/download-artifact@v4
with:
name: wireguard-go-${{ matrix.target }}
path: src-tauri/resources-macos/binaries/wireguard-go-${{ matrix.target }}
- name: Unlock keychain
run: security -v unlock-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" /Users/admin/Library/Keychains/login.keychain
- name: Build app
uses: tauri-apps/tauri-action@v0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
APPLE_SIGNING_IDENTITY: 'Developer ID Application: TEONITE (6WD6W6WQNV)'
APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
APPLE_ID: 'admin@teonite.com'
APPLE_PASSWORD: ${{ secrets.NOTARYTOOL_APP_SPECIFIC_PASSWORD }}
APPLE_TEAM_ID: '6WD6W6WQNV'
with:
args: --target ${{ matrix.target }} -v
- name: Build installation package
run: |
bash build-macos-package.sh src-tauri/target/${{ matrix.target }} src-tauri/resources-macos/scripts "Developer ID Installer: TEONITE (6WD6W6WQNV)" /Users/admin/Library/Keychains/login.keychain
xcrun notarytool submit --wait --apple-id admin@teonite.com --password ${{ secrets.NOTARYTOOL_APP_SPECIFIC_PASSWORD }} --team-id 6WD6W6WQNV src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg
xcrun stapler staple src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg
- name: Upload installation package
uses: actions/upload-release-asset@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create-release.outputs.upload_url }}
asset_path: src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg
asset_name: defguard-${{ matrix.target }}-${{ env.VERSION }}.pkg
asset_content_type: application/octet-stream
# Building signed Windows bundle involves a few steps as described here:
# https://wixtoolset.org/docs/tools/signing/#signing-bundles-at-the-command-line
# 1. Build Defguard and bundle the binaries (Defguard and WireGuard) using Wix (Windows)
# 2. Detach the burn engine from the bundle so that it can be signed (also Windows)
# 3. Sign the burn engine (Linux)
# 4. Reattach the burn engine back to the bundle (Windows again)
# 5. Sign the whole bundle (Linux)
build-windows:
needs:
- create-release
runs-on: windows-latest
steps:
- uses: actions/checkout@v4
with:
submodules: 'recursive'
- name: Write release version
run: |
$env:VERSION=echo ($env:GITHUB_REF_NAME.Substring(1) -Split "-")[0]
echo Version: $env:VERSION
echo "VERSION=$env:VERSION" >> $env:GITHUB_ENV
- uses: actions/setup-node@v3
with:
node-version: '20'
- uses: pnpm/action-setup@v2
with:
version: 9
run_install: false
- name: Get pnpm store directory
shell: bash
run: echo "STORE_PATH=$(pnpm store path --silent)" >> $env:GITHUB_ENV
- uses: actions/cache@v3
name: Setup pnpm cache
with:
path: ${{ env.STORE_PATH }}
key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }}
restore-keys: |
${{ runner.os }}-pnpm-build-store-
- name: Install deps
run: pnpm install --frozen-lockfile
- uses: dtolnay/rust-toolchain@stable
- name: Install Protoc
uses: arduino/setup-protoc@v2
with:
repo-token: ${{ secrets.GITHUB_TOKEN }}
- name: Remove "default-run" line from Cargo.toml
run: |
Set-Content -Path ".\src-tauri\Cargo.toml" -Value (get-content -Path ".\src-tauri\Cargo.toml" | Select-String -Pattern 'default-run =' -NotMatch)
- name: Build packages
uses: tauri-apps/tauri-action@v0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Bundle application
run: |
dotnet tool install --global wix --version 4.0.5
wix extension add WixToolset.Bal.wixext/4
wix build .\src-tauri\resources-windows\defguard-client.wxs -ext .\.wix\extensions\WixToolset.Bal.wixext\4\wixext4\WixToolset.Bal.wixext.dll
wix burn detach .\src-tauri\resources-windows\defguard-client.exe -engine .\src-tauri\resources-windows\burnengine.exe
- name: Upload unsigned bundle and burn-engine
uses: actions/upload-artifact@v4
with:
name: unsigned-bundle-and-burnengine
path: |
src-tauri/resources-windows/defguard-client.exe
src-tauri/resources-windows/burnengine.exe
sign-burn-engine:
needs:
- build-windows
runs-on:
- self-hosted
- Linux
- X64
steps:
- name: Write release version
run: |
VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
echo Version: $VERSION
echo "VERSION=$VERSION" >> $GITHUB_ENV
- name: Download unsigned bundle & burn-engine
uses: actions/download-artifact@v4
with:
name: unsigned-bundle-and-burnengine
- name: Sign burn-engine
run: osslsigncode sign -pkcs11module /srv/codesign/certum/sc30pkcs11-3.0.6.68-MS.so -certs /srv/codesign/29ee7778ca5217107841bbbf6b3062e1.pem -key ${{ secrets.CODESIGN_KEYID }} -pass ${{ secrets.CODESIGN_PIN }} -h sha256 -t http://time.certum.pl/ -in burnengine.exe -out burnengine-signed.exe
- name: Upload bundle and burn-engine artifact
uses: actions/upload-artifact@v4
with:
name: unsigned-bundle-and-signed-burnengine
path: |
defguard-client.exe
burnengine-signed.exe
reattach-burn-engine:
needs:
- sign-burn-engine
runs-on: windows-latest
steps:
- name: Download unsigned bundle and signed burn-engine
uses: actions/download-artifact@v4
with:
name: unsigned-bundle-and-signed-burnengine
- name: Reattach burn-engine
run: |
dotnet tool install --global wix --version 4.0.5
wix extension add WixToolset.Bal.wixext/4
wix burn reattach defguard-client.exe -engine burnengine-signed.exe -o defguard-client-reattached.exe
- name: Upload bundle with reattached burn-engine
uses: actions/upload-artifact@v4
with:
name: unsigned-bundle-with-reattached-signed-burn-engine
path: defguard-client-reattached.exe
sign-bundle:
needs:
- create-release
- reattach-burn-engine
runs-on:
- self-hosted
- Linux
- X64
steps:
- name: Write release version
run: |
VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1)
echo Version: $VERSION
echo "VERSION=$VERSION" >> $GITHUB_ENV
- name: Download unsigned bundle & signed burn-engine
uses: actions/download-artifact@v4
with:
name: unsigned-bundle-with-reattached-signed-burn-engine
- name: Sign bundle
run: osslsigncode sign -pkcs11module /srv/codesign/certum/sc30pkcs11-3.0.6.68-MS.so -certs /srv/codesign/29ee7778ca5217107841bbbf6b3062e1.pem -key ${{ secrets.CODESIGN_KEYID }} -pass ${{ secrets.CODESIGN_PIN }} -h sha256 -t http://time.certum.pl/ -in defguard-client-reattached.exe -out defguard-client-signed.exe
- name: Upload installer asset
uses: actions/upload-release-asset@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ needs.create-release.outputs.upload_url }}
asset_path: defguard-client-signed.exe
asset_name: defguard-client_${{ env.VERSION }}_x64_en-US.exe
asset_content_type: application/octet-stream