-
Notifications
You must be signed in to change notification settings - Fork 0
246 lines (211 loc) · 8.9 KB
/
Copy pathrelease-windows.yml
File metadata and controls
246 lines (211 loc) · 8.9 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
name: Release Windows
on:
push:
tags:
- "v*"
workflow_dispatch:
inputs:
tag:
description: "Tag to release (e.g. v0.1.5)"
required: true
type: string
permissions:
contents: write
id-token: write
attestations: write
concurrency:
group: release-${{ github.ref }}
cancel-in-progress: false
env:
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
jobs:
release:
name: Build and publish signed Windows release
runs-on: windows-2022
environment: production-release
timeout-minutes: 120
env:
GH_TOKEN: ${{ github.token }}
steps:
- name: Checkout tag/ref
uses: actions/checkout@v6
with:
fetch-depth: 0
ref: ${{ github.event_name == 'workflow_dispatch' && inputs.tag || github.ref }}
- name: Verify tag matches package version
shell: pwsh
run: |
$pkgVersion = (Get-Content package.json -Raw | ConvertFrom-Json).version
$expectedTag = "v$pkgVersion"
$actualTag = if ('${{ github.event_name }}' -eq 'workflow_dispatch') { '${{ inputs.tag }}' } else { '${{ github.ref_name }}' }
if ($actualTag -ne $expectedTag) {
throw "Tag/package mismatch: got '$actualTag' but package.json version expects '$expectedTag'."
}
- name: Setup pnpm
uses: pnpm/action-setup@v5
with:
version: 9.15.0
- name: Setup Node.js
uses: actions/setup-node@v6
with:
node-version: 24
cache: pnpm
- name: Setup Hugo Extended
shell: pwsh
run: |
$ErrorActionPreference = 'Stop'
function Test-HugoExtended {
if (-not (Get-Command hugo -ErrorAction SilentlyContinue)) {
return $false
}
$versionText = & hugo version
if ($versionText -match 'extended') {
Write-Host "Hugo Extended ready: $versionText"
return $true
}
return $false
}
function Try-ChocoInstall {
if (-not (Get-Command choco -ErrorAction SilentlyContinue)) {
return $false
}
Write-Host 'Attempting Hugo Extended install via Chocolatey...'
choco install hugo-extended -y --no-progress
return $LASTEXITCODE -eq 0
}
function Try-WingetInstall {
if (-not (Get-Command winget -ErrorAction SilentlyContinue)) {
return $false
}
Write-Host 'Attempting Hugo Extended install via Winget...'
winget install --id Hugo.Hugo.Extended --silent --accept-package-agreements --accept-source-agreements --disable-interactivity
return $LASTEXITCODE -eq 0
}
function Try-DirectZipInstall {
Write-Host 'Attempting Hugo Extended direct download install...'
$apiUrl = 'https://api.github.com/repos/gohugoio/hugo/releases/latest'
$release = Invoke-RestMethod -Uri $apiUrl -Headers @{ 'User-Agent' = 'BlogForEveryone-CI' }
$asset = $release.assets | Where-Object { $_.name -match '^hugo_extended_.*_windows-amd64\.zip$' } | Select-Object -First 1
if (-not $asset) {
return $false
}
$zipPath = Join-Path $env:RUNNER_TEMP 'hugo-extended.zip'
$extractDir = Join-Path $env:RUNNER_TEMP 'hugo-extended-bin'
Invoke-WebRequest -Uri $asset.browser_download_url -OutFile $zipPath
if (Test-Path $extractDir) {
Remove-Item -Recurse -Force $extractDir
}
Expand-Archive -Path $zipPath -DestinationPath $extractDir -Force
$envPath = $env:GITHUB_PATH
if (-not $envPath) {
return $false
}
Add-Content -Path $envPath -Value $extractDir
$env:PATH = "$extractDir;$env:PATH"
return $true
}
if (Test-HugoExtended) {
exit 0
}
$installed = $false
try { if (Try-ChocoInstall) { $installed = Test-HugoExtended } } catch { Write-Warning "Chocolatey install failed: $($_.Exception.Message)" }
if (-not $installed) {
try { if (Try-WingetInstall) { $installed = Test-HugoExtended } } catch { Write-Warning "Winget install failed: $($_.Exception.Message)" }
}
if (-not $installed) {
try { if (Try-DirectZipInstall) { $installed = Test-HugoExtended } } catch { Write-Warning "Direct ZIP install failed: $($_.Exception.Message)" }
}
if (-not $installed) {
throw 'Failed to install Hugo Extended via Chocolatey, Winget, or direct ZIP download.'
}
$hugoCommand = Get-Command hugo -ErrorAction Stop
"HUGO_EXECUTABLE=$($hugoCommand.Source)" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
Write-Host "Pinned HUGO_EXECUTABLE to $($hugoCommand.Source)"
- name: Install dependencies
run: pnpm install --frozen-lockfile
- name: Setup Dart Sass
shell: pwsh
run: |
$installed = $false
try {
choco install sass --yes --no-progress
$installed = $true
} catch {
Write-Warning "Chocolatey Sass install failed: $($_.Exception.Message)"
}
if (-not $installed) {
Write-Host "Falling back to pnpm global sass install"
pnpm add -g sass
}
$sassCommand = Get-Command sass -ErrorAction Stop
$sassExecutable = $sassCommand.Source
if ($sassExecutable -match '\.ps1$') {
$cmdCandidate = [IO.Path]::ChangeExtension($sassExecutable, '.cmd')
if (Test-Path $cmdCandidate) {
$sassExecutable = $cmdCandidate
} else {
$batCandidate = [IO.Path]::ChangeExtension($sassExecutable, '.bat')
if (Test-Path $batCandidate) {
$sassExecutable = $batCandidate
}
}
}
if (-not (Test-Path $sassExecutable)) {
throw "Resolved Sass executable does not exist: $sassExecutable"
}
& $sassExecutable --version
"SASS_EXECUTABLE=$sassExecutable" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
Write-Host "Pinned SASS_EXECUTABLE to $sassExecutable"
- name: Restore signing certificate into temp file
shell: pwsh
run: |
$pfxPath = Join-Path $env:RUNNER_TEMP "codesign.pfx"
[IO.File]::WriteAllBytes($pfxPath, [Convert]::FromBase64String('${{ secrets.BFE_CODESIGN_PFX_B64 }}'))
"CSC_LINK=$pfxPath" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
"CSC_KEY_PASSWORD=${{ secrets.BFE_CODESIGN_PFX_PASSWORD }}" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append
- name: Verify signing env
run: pnpm run verify:windows-signing-env
- name: Run full release pipeline
run: pnpm run release
- name: Verify installer signature
shell: pwsh
run: |
$exe = Get-ChildItem dist -Filter "*Setup-*.exe" | Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $exe) { throw "No installer found in dist/." }
$signTool = Get-ChildItem "C:\Program Files (x86)\Windows Kits\10\bin" -Recurse -Filter signtool.exe |
Sort-Object FullName -Descending | Select-Object -First 1
if (-not $signTool) { throw "signtool.exe not found" }
$verifyOutput = & $signTool.FullName verify /pa /v $exe.FullName 2>&1
$verifyText = ($verifyOutput | Out-String)
$verifyExitCode = $LASTEXITCODE
Write-Host $verifyText
if ($verifyExitCode -eq 0) {
Write-Host "signtool verify: OK"
exit 0
}
if ($verifyText -match 'terminated in a root\s+certificate which is not trusted by the trust provider') {
Write-Warning "signtool verify reported an untrusted root certificate. This is expected for self-signed CI certificates; continuing."
Write-Host "::warning::SignTool reported an untrusted root certificate. Treating as expected for CI self-signed certs."
exit 0
}
throw "signtool verify failed with exit code $verifyExitCode"
- name: Upload release artifacts for audit
uses: actions/upload-artifact@v4
with:
name: windows-release-assets-${{ github.ref_name }}
path: |
dist/*.exe
dist/*.blockmap
dist/latest.yml
- name: Attest build provenance
uses: actions/attest-build-provenance@v2
with:
subject-path: |
dist/*.exe
dist/*.blockmap
dist/latest.yml
- name: Cleanup certificate file
if: always()
shell: pwsh
run: |
Remove-Item (Join-Path $env:RUNNER_TEMP "codesign.pfx") -ErrorAction SilentlyContinue