-rwxr-xr-x.github/workflows/build.yml110
-rwxr-xr-xbin/build-windows-installer10
2 files changed, 115 insertions, 5 deletions
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 31bf207a..a28ce665 100755
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -315,15 +315,65 @@ jobs:
make dist
env:
BUILD: windows
+ - name: upload-unsigned-exe
+ id: upload-unsigned-exe
+ uses: actions/upload-artifact@v4
+ with:
+ name: inkstitch-windows32-exe
+ path: |
+ dist/inkstitch/bin/inkstitch.exe
+ - name: Set siging policy to release
+ if: ${{ startsWith(github.ref, 'refs/tags/v*') }}
+ shell: bash
+ run: |
+ echo release_policy="release-signing" >> $GITHUB_ENV
+ - name: Set siging policy to test
+ if: ${{ ! startsWith(github.ref, 'refs/tags/v*') }}
+ shell: bash
+ run: |
+ echo release_policy="test-signing" >> $GITHUB_ENV
+ - name: Sign-exe
+ id: Sign-exe
+ uses: signpath/github-action-submit-signing-request@v1.1
+ with:
+ api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
+ organization-id: '6b880880-2af8-4cf3-a8e7-1b4977c593df'
+ project-slug: 'inkstitch'
+ signing-policy-slug: '${{ env.release_policy }}'
+ github-artifact-id: '${{ steps.upload-unsigned-exe.outputs.artifact-id }}'
+ wait-for-completion: true
+ output-artifact-directory: 'signed-artifacts'
+ - name: Copy signed exe to dist
+ shell: bash
+ run: |
+ mv -f signed-artifacts/inkstitch.exe dist/inkstitch/bin/inkstitch.exe
- shell: bash
run: |
bash bin/build-windows-installer
env:
BUILD: windows
+ - name: upload-unsigned-installer
+ id: upload-unsigned-installer
+ uses: actions/upload-artifact@v4
+ with:
+ name: inkstitch-windows32-installer
+ path: artifacts
+ - name: Sign-installer
+ id: Sign-installer
+ uses: signpath/github-action-submit-signing-request@v1.1
+ with:
+ api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
+ organization-id: '6b880880-2af8-4cf3-a8e7-1b4977c593df'
+ project-slug: 'inkstitch'
+ signing-policy-slug: '${{ env.release_policy }}'
+ artifact-configuration-slug: 'windows-installer-config'
+ github-artifact-id: '${{ steps.upload-unsigned-installer.outputs.artifact-id }}'
+ wait-for-completion: true
+ output-artifact-directory: 'signed-artifacts'
- uses: actions/upload-artifact@v4
with:
name: inkstitch-windows32
- path: artifacts
+ path: signed-artifacts
windows64:
runs-on: windows-2019
steps:
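Review bot: `startsWith()` in a workflow expression compares a literal prefix and does not expand globs, so `startsWith(github.ref, 'refs/tags/v*')` on the "Set siging policy to release" step is never true for an ordinary version tag (constructed example: `refs/tags/v1.2.3`). Such a build falls through to the negated condition, and the release executables would be submitted under `test-signing`. Use the bare prefix in both steps: `if: ${{ startsWith(github.ref, 'refs/tags/v') }}` and `if: ${{ ! startsWith(github.ref, 'refs/tags/v') }}`. The windows64 hunk carries the same two conditions. Because this value decides which signing policy ends up on shipped binaries, setting `release_policy` in one step from the ref would also keep the two conditions from drifting apart.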
@@ -381,15 +431,65 @@ jobs:
make dist
env:
BUILD: windows
+ - name: Set siging policy to release
+ if: ${{ startsWith(github.ref, 'refs/tags/v*') }}
+ shell: bash
+ run: |
+ echo release_policy="release-signing" >> $GITHUB_ENV
+ - name: Set siging policy to test
+ if: ${{ ! startsWith(github.ref, 'refs/tags/v*') }}
+ shell: bash
+ run: |
+ echo release_policy="test-signing" >> $GITHUB_ENV
+ - name: upload-unsigned-exe
+ id: upload-unsigned-exe
+ uses: actions/upload-artifact@v4
+ with:
+ name: inkstitch-windows64-exe
+ path: |
+ dist/inkstitch/bin/inkstitch.exe
+ - name: Sign-exe
+ id: Sign-exe
+ uses: signpath/github-action-submit-signing-request@v1.1
+ with:
+ api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
+ organization-id: '6b880880-2af8-4cf3-a8e7-1b4977c593df'
+ project-slug: 'inkstitch'
+ signing-policy-slug: '${{ env.release_policy }}'
+ github-artifact-id: '${{ steps.upload-unsigned-exe.outputs.artifact-id }}'
+ wait-for-completion: true
+ output-artifact-directory: 'signed-artifacts'
+ - name: Copy signed exe to dist
+ shell: bash
+ run: |
+ mv -f signed-artifacts/inkstitch.exe dist/inkstitch/bin/inkstitch.exe
- shell: bash
run: |
bash bin/build-windows-installer
env:
BUILD: windows
+ - name: upload-unsigned-installer
+ id: upload-unsigned-installer
+ uses: actions/upload-artifact@v4
+ with:
+ name: inkstitch-windows64-installer
+ path: artifacts
+ - name: Sign-installer
+ id: Sign-installer
+ uses: signpath/github-action-submit-signing-request@v1.1
+ with:
+ api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
+ organization-id: '6b880880-2af8-4cf3-a8e7-1b4977c593df'
+ project-slug: 'inkstitch'
+ signing-policy-slug: '${{ env.release_policy }}'
+ artifact-configuration-slug: 'windows-installer-config'
+ github-artifact-id: '${{ steps.upload-unsigned-installer.outputs.artifact-id }}'
+ wait-for-completion: true
+ output-artifact-directory: 'signed-artifacts'
- uses: actions/upload-artifact@v4
with:
name: inkstitch-windows64
- path: artifacts
+ path: signed-artifacts
macx86:
runs-on: macos-13
steps:
@@ -568,13 +668,13 @@ jobs:
uses: actions/download-artifact@v4
with:
name: 'inkstitch-windows32'
- path: 'artifacts/'
+ path: 'signed-artifacts/'
if: always()
- name: download windows64
uses: actions/download-artifact@v4
with:
name: 'inkstitch-windows64'
- path: 'artifacts/'
+ path: 'signed-artifacts/'
if: always()
- name: download macx86
uses: actions/download-artifact@v4
@@ -604,3 +704,5 @@ jobs:
artifacts/*.tar.xz
artifacts/*.sh
artifacts/*.zip
+ signed-artifacts/*.exe
+ signed-artifacts/*.zip
diff --git a/bin/build-windows-installer b/bin/build-windows-installer
index bf7b8288..1f05d91b 100755
--- a/bin/build-windows-installer
+++ b/bin/build-windows-installer
@@ -24,7 +24,15 @@ iscc win/win_build.iss
mv win/inkstitch.exe artifacts/inkstitch-${VERSION}-${OS}-${ARCH}.exe
cd dist
echo "Creating zip"
+if [[ -d "../signed-artifacts" ]]; then
+ DIRECTORY="signed-artifacts"
+ echo "Found signed artifacts"
+else
+ DIRECTORY="artifacts"
+ echo "No signed artifacts found, local build"
+fi
+
# The python zipfile command line utility can't handle directories
# containing files with UTF-8 names on Windows, so we use 7-zip instead.
-7z a ../artifacts/inkstitch-${VERSION}-${OS}-${ARCH}.zip *
+7z a ../${DIRECTORY}/inkstitch-${VERSION}-${OS}-${ARCH}.zip *
cd ..
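Review bot: The new `if [[ -d "../signed-artifacts" ]]` test treats the mere presence of a directory as proof of a signed build, so an empty or leftover `signed-artifacts` directory in a local checkout diverts the zip there. In CI the zip is written into `signed-artifacts` without passing through a signing request itself; as far as the workflow in this commit shows, only the executable inside it was signed. A comment above the branch should say so, for example `# signed-artifacts/ is created by the CI Sign-exe step; the zip written here is not itself signed`. The archive path in the `7z` call is also unquoted; `7z a "../${DIRECTORY}/inkstitch-${VERSION}-${OS}-${ARCH}.zip" *` keeps a value containing spaces from splitting. The script begins above this hunk, so where `VERSION`, `OS` and `ARCH` are set is not visible here.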