author | David Knaack <davidkna@users.noreply.github.com> | 2024-04-28 11:57:59 +0200 |
---|---|---|
committer | David Knaack <davidkna@users.noreply.github.com> | 2024-04-28 11:57:59 +0200 |
commit | cd71ac36da09f08e41a5e21949069e153a3ab945 (patch) | |
tree | bcd50c403a567bc97c62999799f4d3d83c572819 | |
parent | efb9ea110c7f4917c7b431f6d92def7e6fbd9d11 (diff) |
ci: add preliminary windows codesigning via signpath
-rw-r--r-- | .github/workflows/release.yml | 30 | ||||
-rw-r--r-- | .github/workflows/workflow.yml | 27 | ||||
-rw-r--r-- | README.md | 4 |
3 files changed, 58 insertions, 3 deletions
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d4d9f44fa..eb72eeb7d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -123,7 +123,33 @@ jobs: run: > cargo wix -v --no-build --nocapture -I install/windows/main.wxs --target ${{ matrix.target }} - --output target/wix/starship-${{ matrix.target }}.msi + --output target/${{ matrix.target }}/release/starship-${{ matrix.target }}.msi + + - name: Sign | Upload [Windows] + continue-on-error: true + if: matrix.os == 'windows-latest' + uses: actions/upload-artifact@v4 + with: + name: unsigned-${{ matrix.name }} + path: | + target/${{ matrix.target }}/release/starship.exe + target/${{ matrix.target }}/release/starship-${{ matrix.target }}.msi + + - name: Sign | Sign [Windows] + continue-on-error: true + if: matrix.os == 'windows-latest' + uses: signpath/github-action-submit-signing-request@v0.3 + with: + api-token: '${{ secrets.SIGNPATH_API_TOKEN }}' + organization-id: '${{ vars.SIGNPATH_ORGANIZATION_ID }}' + project-slug: 'starship' + signing-policy-slug: 'test-signing' + github-artifact-name: 'unsigned-${{ matrix.name }}' + wait-for-completion: false + # TODO use release-signing certificate: + # signing-policy-slug: 'release-signing' + # wait-for-completion: true + # output-artifact-directory: 'target/${{ matrix.target }}/release' - name: Post Build | Prepare artifacts [Windows] if: matrix.os == 'windows-latest' @@ -151,7 +177,7 @@ jobs: uses: actions/upload-artifact@v4 with: name: starship-${{ matrix.target }}.msi - path: target/wix/starship-${{ matrix.target }}.msi + path: target/${{ matrix.target }}/release/starship-${{ matrix.target }}.msi # Notarize starship binaries for MacOS and build notarized pkg installers notarize_and_pkgbuild: diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml index aa683ff51..79632412c 100644 --- a/.github/workflows/workflow.yml +++ b/.github/workflows/workflow.yml 
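Review bot: In .github/workflows/release.yml, the added `Sign | Sign [Windows]` step hands `secrets.SIGNPATH_API_TOKEN` to `signpath/github-action-submit-signing-request@v0.3`, a tag that can be moved upstream; pinning the action to a full commit SHA, `uses: signpath/github-action-submit-signing-request@<full-commit-sha>  # v0.3`, keeps the code that sees the token fixed. The same `uses:` line is added in the workflow.yml hunk at `@@ -219,6 +221,29 @@`. Both added steps here also carry `continue-on-error: true`, which is harmless while `wait-for-completion: false` only submits a test-signing request, but once the TODO switches to `release-signing` with `output-artifact-directory`, a failed signing would let the later `Post Build | Prepare artifacts` step package the unsigned files without failing the release. The TODO comment should record that, e.g. `# TODO use release-signing certificate (and drop continue-on-error so unsigned files cannot ship):`. The job these steps belong to starts and ends outside the hunk.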
@@ -201,7 +201,9 @@ jobs: - name: Build | Installer [Windows] continue-on-error: true if: matrix.os == 'windows-latest' && matrix.rust == 'stable' - run: cargo wix --dbg-build -v --nocapture -I install/windows/main.wxs + run: > + cargo wix --dbg-build -v --nocapture -I install/windows/main.wxs + --output target/debug/starship-x86_64-pc-windows-msvc.msi - name: Build | Chocolatey Package [Windows] continue-on-error: true @@ -219,6 +221,29 @@ jobs: env: STARSHIP_VERSION: v1.2.3 + - name: Sign | Upload Executable [Windows] + uses: actions/upload-artifact@v4 + continue-on-error: true + if: matrix.os == 'windows-latest' && matrix.rust == 'stable' && github.event_name == 'push' && github.repository == 'starship/starship' + with: + name: unsigned-artifacts-dbg + path: | + target/debug/starship.exe + target/debug/starship-x86_64-pc-windows-msvc.msi + + - name: Sign | Sign [Windows] + uses: signpath/github-action-submit-signing-request@v0.3 + continue-on-error: true + if: matrix.os == 'windows-latest' && matrix.rust == 'stable' && github.event_name == 'push' && github.repository == 'starship/starship' + with: + api-token: '${{ secrets.SIGNPATH_API_TOKEN }}' + organization-id: '${{ vars.SIGNPATH_ORGANIZATION_ID }}' + project-slug: 'starship' + github-artifact-name: 'unsigned-artifacts-dbg' + signing-policy-slug: 'test-signing' + wait-for-completion: true + output-artifact-directory: target/debug + - name: Upload coverage to Codecov uses: codecov/codecov-action@v4 if: github.repository == 'starship/starship' 
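Review bot: In .github/workflows/workflow.yml, the `if:` on the two added signing steps limits them to `push` events in `starship/starship` but not to a branch, so, depending on the workflow's `on:` triggers (outside this hunk), a push to any branch of the main repository may submit a build to SignPath with the API token. If only mainline builds are meant to be test-signed, add a ref clause such as `&& github.ref == 'refs/heads/master'` (branch name assumed from the README links; confirm). The four-clause condition is also repeated verbatim on both steps, so a later edit to one can leave the upload and the signing request out of step; a short comment above the first step, e.g. `# Signing runs only for pushes to the upstream repo; keep both conditions identical`, would record the intent.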
@@ -433,6 +433,8 @@ Please check out these previous works that helped inspire the creation of starsh Support this project by [becoming a sponsor](https://github.com/sponsors/starship). Your name or logo will show up here with a link to your website. +- Free code signing provided by [SignPath.io], certificate by [SignPath Foundation] + <p align="center"> <br> <img width="100" src="https://raw.githubusercontent.com/starship/starship/master/media/icon.png" alt="Starship rocket icon"> @@ -458,6 +460,8 @@ This project is [ISC](https://github.com/starship/starship/blob/master/LICENSE) [OSS]: https://software.opensuse.org/package/starship [pkgsrc]: https://pkgsrc.se/shells/starship [scoop]: https://github.com/ScoopInstaller/Main/blob/master/bucket/starship.json +[SignPath Foundation]: https://signpath.org +[SignPath.io]: https://signpath.io [termux]: https://github.com/termux/termux-packages/tree/master/packages/starship [void linux packages]: https://github.com/void-linux/void-packages/tree/master/srcpkgs/starship [winget]: https://github.com/microsoft/winget-pkgs/tree/master/manifests/s/Starship/Starship |