Code signing in release flow (#73)

* Initial build workflow changes to do signing stuff automatically * Run regular builds on GH Actions general CI * Update used actions to ones that are node20 based * Fix workflow having some windows steps disabled for win-signing * Run setup-msbuild on custom runner as well * Put setup-msbuild back to only GH actions windows runner * Update setup-msbuild * all caps? * Don't use bash for signing step
WootingKb · Oct 17, 2024 · 1e629dd · 1e629dd
1 parent ebce02b
commit 1e629dd
Showing 1 changed file with 22 additions and 8 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -25,19 +25,20 @@ jobs:
       matrix:
         os: [macos-latest, ubuntu-24.04]
         include:
-          - os: windows-latest
+          - os: ${{startsWith(github.ref, 'refs/tags/v') && 'win-signing' || 'windows-latest'}}
             target: x64
-          - os: windows-latest
+          - os: ${{startsWith(github.ref, 'refs/tags/v') && 'win-signing' || 'windows-latest'}}
             target: x86
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           submodules: true
 
+      # This is set specifically to windows prefix so it only runs on the GH Actions runner and not our own
       - name: Add MSBuild to PATH (Windows)
         if: startsWith(matrix.os, 'windows')
-        uses: microsoft/setup-msbuild@v1.1
+        uses: microsoft/setup-msbuild@v2
 
       - name: Install dependencies
         uses: ConorMacBride/install-package@v1
@@ -54,7 +55,7 @@ jobs:
         run: cd mac && make CDEFS="-Werror"
 
       - name: Build (Windows)
-        if: startsWith(matrix.os, 'windows')
+        if: startsWith(matrix.os, 'win')
         working-directory: ${{env.GITHUB_WORKSPACE}}
         # Add additional options to the MSBuild command line here (like platform or verbosity level).
         # See https://docs.microsoft.com/visualstudio/msbuild/msbuild-command-line-reference
@@ -94,7 +95,7 @@ jobs:
           cp mac/*.dylib dist/
 
       - name: Copy dist files (Windows)
-        if: startsWith(github.ref, 'refs/tags/v') && startsWith(matrix.os, 'windows')
+        if: startsWith(github.ref, 'refs/tags/v') && startsWith(matrix.os, 'win')
         shell: bash
         run: |
           # Copy Windows x64 files
@@ -107,17 +108,30 @@ jobs:
           cp windows/${{env.BUILD_CONFIGURATION}}/wooting-rgb-sdk.lib dist/ || true
           cp windows/${{env.BUILD_CONFIGURATION}}/wooting-rgb-sdk.pdb dist/ || true
 
+      - name: Sign dlls (Windows)
+        if: startsWith(github.ref, 'refs/tags/v') && startsWith(matrix.os, 'win')
+        env:
+          TIMESTAMP: ${{secrets.WIN_EV_CSC_TIMESTAMP}}
+          CERT_FILE: ${{secrets.WIN_EV_CSC_CERT_FILE}}
+          CRYPT_PROVIDER: ${{secrets.WIN_EV_CSC_CRYPT_PROVIDER}}
+          READER: ${{secrets.WIN_EV_CSC_READER}}
+          PASS: ${{secrets.WIN_EV_CSC_PASS}}
+          CONTAINER: ${{secrets.WIN_EV_CSC_CONTAINER}}
+        run: |
+          signtool.exe sign /fd sha256 /td sha256 /tr ${Env:TIMESTAMP}?td=sha256 /f $Env:CERT_FILE /csp "$Env:CRYPT_PROVIDER" /kc "[${Env:READER}{{${Env:PASS}}}]=${Env:CONTAINER}" "dist\wooting-rgb-sdk${{matrix.target == 'x64' && '64' || ''}}.dll"
+          signtool.exe verify /pa "dist\wooting-rgb-sdk${{matrix.target == 'x64' && '64' || ''}}.dll"
+
       - name: Zip files
         if: startsWith(github.ref, 'refs/tags/v')
-        uses: vimtor/action-zip@v1.1
+        uses: vimtor/action-zip@v1.2
         with:
           files: dist/
           recursive: true
           dest: ${{env.RELEASE_NAME}}.zip
 
       - name: Make Release
         if: startsWith(github.ref, 'refs/tags/v')
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v2
         with:
           files: ${{env.RELEASE_NAME}}.zip
           token: ${{ secrets.GITHUB_TOKEN }}