Skip to content

Commit

Permalink
Merge pull request cli#8465 from cli/andyfeller/213-windows-hsm-signing
Browse files Browse the repository at this point in the history
Update deployment workflow for final HSM solution
  • Loading branch information
andyfeller authored Dec 15, 2023
2 parents c626f90 + 98f7ec0 commit 541ce0e
Show file tree
Hide file tree
Showing 9 changed files with 39 additions and 376 deletions.
122 changes: 0 additions & 122 deletions .github/workflows/deployment-hsm-testing.yml

This file was deleted.

50 changes: 37 additions & 13 deletions .github/workflows/deployment.yml
Original file line number Diff line number Diff line change
@@ -1,4 +1,5 @@
name: Deployment
run-name: ${{ inputs.tag_name }} / go ${{ inputs.go_version }} / ${{ inputs.environment }}

concurrency:
group: ${{ github.workflow }}-${{ github.ref_name }}
Expand Down Expand Up @@ -130,26 +131,43 @@ jobs:
uses: actions/setup-go@v5
with:
go-version: ${{ inputs.go_version }}
- name: Obtain signing certificate
id: obtain_cert
if: inputs.environment == 'production'
shell: bash
run: |
base64 -d <<<"$CERT_CONTENTS" > ./cert.pfx
printf "cert-file=%s\n" ".\\cert.pfx" >> $GITHUB_OUTPUT
env:
CERT_CONTENTS: ${{ secrets.WINDOWS_CERT_PFX }}
- name: Install GoReleaser
uses: goreleaser/goreleaser-action@v5
with:
version: "~1.17.1"
install-only: true
- name: Install Azure Code Signing Client
shell: pwsh
env:
ACS_DIR: ${{ runner.temp }}\acs
ACS_ZIP: ${{ runner.temp }}\acs.zip
CORRELATION_ID: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
METADATA_PATH: ${{ runner.temp }}\acs\metadata.json
run: |
# Download Azure Code Signing client containing the DLL needed for signtool in script/sign
Invoke-WebRequest -Uri https://www.nuget.org/api/v2/package/Azure.CodeSigning.Client/1.0.43 -OutFile $Env:ACS_ZIP -Verbose
Expand-Archive $Env:ACS_ZIP -Destination $Env:ACS_DIR -Force -Verbose
# Generate metadata file for signtool, used in signing box .exe and .msi
@{
CertificateProfileName = "GitHubInc"
CodeSigningAccountName = "GitHubInc"
CorrelationId = $Env:CORRELATION_ID
Endpoint = "https://wus.codesigning.azure.net/"
} | ConvertTo-Json | Out-File -FilePath $Env:METADATA_PATH
# Azure Code Signing leverages the environment variables for secrets that complement the metadata.json
# file generated above (AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID)
# For more information, see https://learn.microsoft.com/en-us/dotnet/api/azure.identity.defaultazurecredential?view=azure-dotnet
- name: Build release binaries
shell: bash
env:
AZURE_CLIENT_ID: ${{ secrets.SPN_GITHUB_CLI_SIGNING_CLIENT_ID }}
AZURE_CLIENT_SECRET: ${{ secrets.SPN_GITHUB_CLI_SIGNING }}
AZURE_TENANT_ID: ${{ secrets.SPN_GITHUB_CLI_SIGNING_TENANT_ID }}
DLIB_PATH: ${{ runner.temp }}\acs\bin\x64\Azure.CodeSigning.Dlib.dll
METADATA_PATH: ${{ runner.temp }}\acs\metadata.json
TAG_NAME: ${{ inputs.tag_name }}
CERT_FILE: ${{ steps.obtain_cert.outputs.cert-file }}
CERT_PASSWORD: ${{ secrets.WINDOWS_CERT_PASSWORD }}
run: script/release --local "$TAG_NAME" --platform windows
- name: Set up MSBuild
id: setupmsbuild
Expand Down Expand Up @@ -184,12 +202,18 @@ jobs:
esac
"${MSBUILD_PATH}\MSBuild.exe" ./build/windows/gh.wixproj -p:SourceDir="$source_dir" -p:OutputPath="$PWD/dist" -p:OutputName="$MSI_NAME" -p:ProductVersion="${MSI_VERSION#v}" -p:Platform="$platform"
done
- name: Sign MSI
- name: Sign .msi release binaries
if: inputs.environment == 'production'
shell: pwsh
env:
AZURE_CLIENT_ID: ${{ secrets.SPN_GITHUB_CLI_SIGNING_CLIENT_ID }}
AZURE_CLIENT_SECRET: ${{ secrets.SPN_GITHUB_CLI_SIGNING }}
AZURE_TENANT_ID: ${{ secrets.SPN_GITHUB_CLI_SIGNING_TENANT_ID }}
DLIB_PATH: ${{ runner.temp }}\acs\bin\x64\Azure.CodeSigning.Dlib.dll
METADATA_PATH: ${{ runner.temp }}\acs\metadata.json
run: |
Get-ChildItem -Path .\dist -Filter *.msi | ForEach-Object {
.\script\sign $_.FullName
.\script\sign.ps1 $_.FullName
}
env:
CERT_FILE: ${{ steps.obtain_cert.outputs.cert-file }}
Expand Down
98 changes: 0 additions & 98 deletions .goreleaser-hsm.yml

This file was deleted.

2 changes: 1 addition & 1 deletion .goreleaser.yml
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,7 @@ builds:
hooks:
post:
- cmd: >-
{{ if eq .Runtime.Goos "windows" }}.\script\sign{{ else }}./script/sign{{ end }} '{{ .Path }}'
{{ if eq .Runtime.Goos "windows" }}pwsh .\script\sign.ps1{{ else }}./script/sign{{ end }} '{{ .Path }}'
output: true
binary: bin/gh
main: ./cmd/gh
Expand Down
Loading

0 comments on commit 541ce0e

Please sign in to comment.