Sign binaries with SignPath #52
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build | |
| on: | |
| pull_request: | |
| paths: | |
| - .github/workflows/build.yml | |
| - build-exe/** | |
| push: | |
| branches: | |
| - main | |
| tags-ignore: | |
| - "**" | |
| paths: | |
| - .github/workflows/build.yml | |
| - build-exe/** | |
| workflow_dispatch: | |
| env: | |
| CLDR_VERSION: 45 | |
| ICONV_VERSION: 1.17 | |
| GETTEXT_VERSION: 0.22.5a | |
| jobs: | |
| exe: | |
| name: Build executables ${{ matrix.link }} ${{ matrix.bits}} bits | |
| runs-on: windows-2022 | |
| strategy: | |
| matrix: | |
| bits: | |
| - 32 | |
| #- 64 @todo uncomment | |
| link: | |
| - shared | |
| #- static @todo uncomment | |
| env: | |
| CYGWIN_NOWINPATH: 1 | |
| CHERE_INVOKING: 1 | |
| defaults: | |
| run: | |
| shell: C:\cygwin\bin\bash.exe --login -o igncr -o errexit -o pipefail {0} | |
| steps: | |
| - | |
| name: Configure git | |
| shell: cmd | |
| run: git config --global core.autocrlf input | |
| - | |
| name: Checkout | |
| uses: actions/checkout@v4 | |
| - | |
| name: Restore cache | |
| id: restore-cache | |
| uses: actions/cache/restore@v4 | |
| with: | |
| key: ${{ matrix.link }}-${{ matrix.bits }} | |
| path: | | |
| src\downloads | |
| C:\cygwin-packages | |
| - | |
| name: Set variables | |
| id: vars | |
| shell: pwsh | |
| run: ./build-exe/vars.ps1 -Bits ${{ matrix.bits }} -Link ${{ matrix.link }} | |
| - | |
| name: Download Cygwin installer | |
| shell: pwsh | |
| run: Invoke-WebRequest -Uri https://cygwin.com/setup-x86_64.exe -OutFile C:\CygwinInstaller.exe | |
| - | |
| name: Install Cygwin | |
| shell: cmd | |
| run: > | |
| C:\CygwinInstaller.exe | |
| --root C:\cygwin | |
| --local-package-dir C:\cygwin-packages | |
| --packages ${{ steps.vars.outputs.cygwin-packages }} | |
| --site http://mirrors.kernel.org/sourceware/cygwin/ | |
| --only-site | |
| --quiet-mode | |
| --upgrade-also | |
| --no-shortcuts | |
| --no-admin | |
| - | |
| name: Setup Cygwin environment | |
| run: | | |
| cd -- "$(/bin/cygpath -au '${{ github.workspace }}')" | |
| /bin/printf 'Working directory: %s\n' "$(/bin/pwd)" | |
| /bin/mkdir -p src/downloads | |
| /bin/mkdir installed | |
| /bin/mkdir files-unsigned | |
| /bin/mkdir files-signed | |
| /bin/mkdir installer-unsigned | |
| /bin/mkdir installer-signed | |
| /bin/perl -pe 's/\r\n|\n|\r/\r\n/g' < build-exe/license-for-distribution.txt > files-unsigned/license.txt | |
| INSTALLED_PATH="$(/bin/cygpath -au ./installed)" | |
| /bin/echo "INSTALLED_PATH=$INSTALLED_PATH" >> $GITHUB_ENV | |
| /bin/mkdir -p "$HOME" | |
| /bin/printf '\nPATH=%s:${{ steps.vars.outputs.cygwin-path }}\nexport PATH\n' "$INSTALLED_PATH" >>$HOME/.bash_profile | |
| - | |
| name: Dump Cygwin PATH | |
| run: | | |
| IFS=: | |
| for p in $PATH; do | |
| printf '%s\n' "$p" | |
| done | |
| - | |
| name: Download CLDR | |
| if: false # @todo removeme | |
| working-directory: src\downloads | |
| shell: pwsh | |
| run: | | |
| if (Test-Path -LiteralPath "cldr-$env:CLDR_VERSION.zip" -PathType Leaf) { | |
| Write-Host -Object 'Already downloaded' | |
| } else { | |
| Invoke-WebRequest "https://unicode.org/Public/cldr/$env:CLDR_VERSION/core.zip" -OutFile "cldr-$env:CLDR_VERSION.zip" | |
| Write-Host -Object 'Downloaded' | |
| } | |
| - | |
| name: Extract CLDR | |
| if: false # @todo removeme | |
| working-directory: installed | |
| run: | | |
| unzip -p ../src/downloads/cldr-$CLDR_VERSION.zip LICENSE >cldr-license.txt | |
| unzip -p ../src/downloads/cldr-$CLDR_VERSION.zip common/supplemental/plurals.xml >cldr-plurals.xml | |
| - | |
| name: Download iconv | |
| working-directory: src\downloads | |
| shell: pwsh | |
| run: | | |
| if (Test-Path -LiteralPath "libiconv-$env:ICONV_VERSION.tar.gz" -PathType Leaf) { | |
| Write-Host -Object 'Already downloaded' | |
| } else { | |
| Invoke-WebRequest "https://ftp.gnu.org/pub/gnu/libiconv/libiconv-$env:ICONV_VERSION.tar.gz" -OutFile "libiconv-$env:ICONV_VERSION.tar.gz" | |
| Write-Host -Object 'Downloaded' | |
| } | |
| - | |
| name: Extract iconv | |
| working-directory: src | |
| run: tar x -z -f downloads/libiconv-$ICONV_VERSION.tar.gz | |
| - | |
| name: Configure iconv | |
| id: iconv-configure | |
| working-directory: src\libiconv-${{ env.ICONV_VERSION }} | |
| run: | | |
| mkdir build | |
| cd build | |
| ../configure \ | |
| CPPFLAGS='${{ steps.vars.outputs.cpp-flags }}' \ | |
| LDFLAGS='${{ steps.vars.outputs.ld-flags }}' \ | |
| ${{ steps.vars.outputs.configure-args }} \ | |
| --prefix=$INSTALLED_PATH | |
| - | |
| name: Compile iconv | |
| working-directory: src\libiconv-${{ env.ICONV_VERSION }}\build | |
| run: make --jobs=$(nproc) | |
| - | |
| name: Check iconv | |
| if: false # @todo removeme | |
| working-directory: src\libiconv-${{ env.ICONV_VERSION }}\build | |
| run: make check --jobs=$(nproc) | |
| - | |
| name: Install iconv | |
| working-directory: src\libiconv-${{ env.ICONV_VERSION }}\build | |
| run: make install && cp ../COPYING $INSTALLED_PATH/iconv-license.txt | |
| - | |
| name: Download gettext | |
| if: false # @todo removeme | |
| working-directory: src\downloads | |
| shell: pwsh | |
| run: | | |
| if (Test-Path -LiteralPath "gettext-$env:GETTEXT_VERSION.tar.gz" -PathType Leaf) { | |
| Write-Host -Object 'Already downloaded' | |
| } else { | |
| Invoke-WebRequest "${{ steps.vars.outputs.gettext-source-url }}" -OutFile "gettext-$env:GETTEXT_VERSION.tar.gz" | |
| Write-Host -Object 'Downloaded' | |
| } | |
| - | |
| name: Extract gettext | |
| if: false # @todo removeme | |
| working-directory: src | |
| run: tar x -z -f downloads/gettext-$GETTEXT_VERSION.tar.gz | |
| - | |
| name: Configure gettext | |
| if: false # @todo removeme | |
| id: gettext-configure | |
| working-directory: src\gettext-${{ env.GETTEXT_VERSION }} | |
| run: | | |
| mkdir build | |
| cd build | |
| ../configure \ | |
| CPPFLAGS="-I$INSTALLED_PATH/include ${{ steps.vars.outputs.cpp-flags }}" \ | |
| LDFLAGS="-L$INSTALLED_PATH/lib ${{ steps.vars.outputs.ld-flags }}' \ | |
| ${{ steps.vars.outputs.configure-args }} \ | |
| --prefix=$INSTALLED_PATH | |
| --disable-java \ | |
| --disable-native-java \ | |
| --disable-csharp \ | |
| --disable-openmp \ | |
| --disable-curses \ | |
| --without-emacs \ | |
| --with-included-libxml \ | |
| --without-bzip2 \ | |
| --without-xz | |
| - | |
| name: Ignore gettext C tests | |
| if: false # @todo removeme | |
| #if: steps.vars.outputs.gettext-ignore-tests-c @todo uncomment | |
| working-directory: src\gettext-${{ env.GETTEXT_VERSION }} | |
| run: for f in ${{ steps.vars.outputs.gettext-ignore-tests-c }}; do echo 'int main() { return 0; }' >$f; done | |
| - | |
| name: Install gettext license | |
| if: false # @todo removeme | |
| working-directory: src\gettext-${{ env.GETTEXT_VERSION }} | |
| run: cp COPYING $INSTALLED_PATH/gettext-license.txt | |
| - | |
| name: Compile gettext/gnulib-local | |
| if: false # @todo removeme | |
| working-directory: src\gettext-${{ env.GETTEXT_VERSION }}\build\gnulib-local | |
| run: make --jobs=$(nproc) | |
| - | |
| name: Check gettext/gnulib-local | |
| if: false # @todo removeme | |
| working-directory: src\gettext-${{ env.GETTEXT_VERSION }}\build\gnulib-local | |
| run: make --jobs=$(nproc) check | |
| - | |
| name: Install gettext/gnulib-local | |
| if: false # @todo removeme | |
| working-directory: src\gettext-${{ env.GETTEXT_VERSION }}\build\gnulib-local | |
| run: make --jobs=$(nproc) install | |
| - | |
| name: Compile gettext/gettext-runtime | |
| if: false # @todo removeme | |
| working-directory: src\gettext-${{ env.GETTEXT_VERSION }}\build\gettext-runtime | |
| run: make --jobs=$(nproc) | |
| - | |
| name: Check gettext/gettext-runtime | |
| if: false # @todo removeme | |
| working-directory: src\gettext-${{ env.GETTEXT_VERSION }}\build\gettext-runtime | |
| run: make --jobs=$(nproc) check | |
| - | |
| name: Install gettext/gettext-runtime | |
| if: false # @todo removeme | |
| working-directory: src\gettext-${{ env.GETTEXT_VERSION }}\build\gettext-runtime | |
| run: make --jobs=$(nproc) install | |
| - | |
| name: Compile gettext/libtextstyle | |
| if: false # @todo removeme | |
| working-directory: src\gettext-${{ env.GETTEXT_VERSION }}\build\libtextstyle | |
| run: make --jobs=$(nproc) | |
| - | |
| name: Check gettext/libtextstyle | |
| if: false # @todo removeme | |
| working-directory: src\gettext-${{ env.GETTEXT_VERSION }}\build\libtextstyle | |
| run: make --jobs=$(nproc) check | |
| - | |
| name: Install gettext/libtextstyle | |
| if: false # @todo removeme | |
| working-directory: src\gettext-${{ env.GETTEXT_VERSION }}\build\libtextstyle | |
| run: make --jobs=$(nproc) install | |
| - | |
| name: Compile gettext/gettext-tools | |
| if: false # @todo removeme | |
| working-directory: src\gettext-${{ env.GETTEXT_VERSION }}\build\gettext-tools | |
| run: make --jobs=$(nproc) | |
| - | |
| name: Check gettext/gettext-tools | |
| if: false # @todo removeme | |
| working-directory: src\gettext-${{ env.GETTEXT_VERSION }}\build\gettext-tools | |
| run: XFAIL_TESTS='${{ steps.vars.outputs.gettext-xfail-gettext-tools }}' make --jobs=$(nproc) check | |
| - | |
| name: Install gettext/gettext-tools | |
| if: false # @todo removeme | |
| working-directory: src\gettext-${{ env.GETTEXT_VERSION }}\build\gettext-tools | |
| run: make --jobs=$(nproc) install | |
| - | |
| name: Prepare build log | |
| id: prepare-build-log | |
| if: (success() || failure()) && steps.iconv-configure.outcome == 'success' | |
| run: | | |
| mkdir build-log | |
| if [ -d src/libiconv-$ICONV_VERSION/build ]; then | |
| tar c -J -f build-log/iconv.tar.xz src/libiconv-$ICONV_VERSION/build | |
| fi | |
| if [ -d src/gettext-$GETTEXT_VERSION/build ]; then | |
| tar c -J -f build-log/gettext.tar.xz src/gettext-$GETTEXT_VERSION/build | |
| fi | |
| if find installed -mindepth 1 -maxdepth 1 | read; then | |
| tar c -J -f build-log/installed.tar.xz installed | |
| fi | |
| ls -al build-log | |
| - | |
| name: Copy built assets | |
| run: ./build-exe/create-output.sh installed files-unsigned '${{ steps.vars.outputs.mingw-host }}' | |
| - | |
| name: Delete install directory | |
| run: rm -rf installed | |
| - | |
| name: Process dependencies | |
| shell: pwsh | |
| run: > | |
| ./build-exe/process-dependencies.ps1 | |
| -Bits ${{ matrix.bits }} | |
| -Link ${{ matrix.link }} | |
| -OutputPath files-unsigned | |
| -MinGWPath C:\cygwin\usr\${{ steps.vars.outputs.mingw-host }} | |
| - | |
| name: Check bitness | |
| run: ./build-exe/check-bits.sh ${{ matrix.bits }} files-unsigned | |
| - | |
| name: Check if programs load translations correctly | |
| if: false # @todo removeme | |
| shell: pwsh | |
| run: | | |
| $env:LANGUAGE = 'it' | |
| $stdout = & .\files-unsigned\bin\xgettext.exe --help | |
| if (-not($?)) { | |
| throw "xgettext.exe failed" | |
| } | |
| $stdout = $stdout -join "`n" | |
| if (!$stdout.Contains('impostazione predefinita')) { | |
| throw "xgettext.exe didn't load the translations.`nIts output is:`n$stdout" | |
| } | |
| Write-Host "xgettext.exe correctly loaded the translations when LANGUAGE=$env:LANGUAGE`nIts localized output is`n$stdout" | |
| - | |
| name: Upload unsigned files | |
| if: steps.vars.outputs.signpath-signing-policy | |
| id: upload-files-unsigned | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ matrix.link }}-${{ matrix.bits }}-files-unsigned | |
| path: files-unsigned | |
| if-no-files-found: error | |
| retention-days: 1 | |
| - | |
| name: Sign files | |
| if: steps.vars.outputs.signpath-signing-policy | |
| id: sign-files | |
| uses: signpath/github-action-submit-signing-request@v1 | |
| with: | |
| api-token: '${{ secrets.SIGNPATH_API_TOKEN }}' | |
| organization-id: 98c3accc-92c9-4962-b150-ff1f5c6356b8 | |
| project-slug: gettext-iconv-windows | |
| signing-policy-slug: '${{ steps.vars.outputs.signpath-signing-policy }}' | |
| artifact-configuration-slug: gh_sigh_files | |
| github-artifact-id: ${{ steps.upload-files-unsigned.outputs.artifact-id }} | |
| wait-for-completion: true | |
| output-artifact-directory: files-signed | |
| - | |
| name: Create files archive | |
| shell: pwsh | |
| run: | | |
| if ('${{ steps.vars.outputs.signpath-signing-policy }}') { | |
| Set-Location -LiteralPath 'files-signed' | |
| } else { | |
| Set-Location -LiteralPath 'files-unsigned' | |
| } | |
| & 7z.exe a -bd -bt -mx9 -r -sse -tzip ..\gettext${{ env.GETTEXT_VERSION }}-iconv${{ env.ICONV_VERSION }}-${{ matrix.link }}-${{ matrix.bits }}.zip | |
| - | |
| name: Upload files archive | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ matrix.link }}-${{ matrix.bits }}-files | |
| path: gettext${{ env.GETTEXT_VERSION }}-iconv${{ env.ICONV_VERSION }}-${{ matrix.link }}-${{ matrix.bits }}.zip | |
| if-no-files-found: error | |
| compression-level: 0 | |
| - | |
| name: Prepare installer files | |
| run: | | |
| if [ -n '${{ steps.vars.outputs.signpath-signing-policy }}' ]; then | |
| mv files-signed installer-files | |
| else | |
| mv files-unsigned installer-files | |
| fi | |
| - | |
| name: Create installer | |
| shell: pwsh | |
| run: > | |
| ./build-exe/create-installer.ps1 | |
| -Bits ${{ matrix.bits }} | |
| -Link ${{ matrix.link }} | |
| -SourceDirectory installer-files | |
| -OutputDirectory installer-unsigned | |
| - | |
| name: Check bitness | |
| run: ./build-exe/check-bits.sh 32 installer-unsigned/gettext${{ env.GETTEXT_VERSION }}-iconv${{ env.ICONV_VERSION }}-${{ matrix.link }}-${{ matrix.bits }}.exe | |
| - | |
| name: Upload unsigned installer | |
| if: steps.vars.outputs.signpath-signing-policy | |
| id: upload-installer-unsigned | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ matrix.link }}-${{ matrix.bits }}-installer-unsigned | |
| path: installer-unsigned\gettext${{ env.GETTEXT_VERSION }}-iconv${{ env.ICONV_VERSION }}-${{ matrix.link }}-${{ matrix.bits }}.exe | |
| if-no-files-found: error | |
| compression-level: 0 | |
| retention-days: 1 | |
| - | |
| name: Sign installer | |
| if: steps.vars.outputs.signpath-signing-policy | |
| id: sign-installer | |
| uses: signpath/github-action-submit-signing-request@v1 | |
| with: | |
| api-token: '${{ secrets.SIGNPATH_API_TOKEN }}' | |
| organization-id: 98c3accc-92c9-4962-b150-ff1f5c6356b8 | |
| project-slug: gettext-iconv-windows | |
| signing-policy-slug: '${{ steps.vars.outputs.signpath-signing-policy }}' | |
| artifact-configuration-slug: gh_sigh_installer | |
| github-artifact-id: ${{ steps.upload-installer-unsigned.outputs.artifact-id }} | |
| wait-for-completion: true | |
| output-artifact-directory: installer-signed | |
| - | |
| name: Move installer | |
| run: | | |
| if [ -n '${{ steps.vars.outputs.signpath-signing-policy }}' ]; then | |
| mv installer-signed/*.exe . | |
| else | |
| mv installer-unsigned/*.exe . | |
| fi | |
| - | |
| name: Upload installer | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ matrix.link }}-${{ matrix.bits }}-installer | |
| path: gettext${{ env.GETTEXT_VERSION }}-iconv${{ env.ICONV_VERSION }}-${{ matrix.link }}-${{ matrix.bits }}.exe | |
| if-no-files-found: error | |
| compression-level: 0 | |
| - | |
| name: Upload build log | |
| if: always() && steps.prepare-build-log.outcome == 'success' | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{ matrix.link }}-${{ matrix.bits }}-log | |
| if-no-files-found: ignore | |
| retention-days: 1 | |
| include-hidden-files: true | |
| compression-level: 0 | |
| path: build-log | |
| - | |
| name: Persist cache | |
| if: always() && steps.restore-cache.outputs.cache-hit != 'true' | |
| uses: actions/cache/save@v4 | |
| with: | |
| key: ${{ steps.restore-cache.outputs.cache-primary-key }} | |
| path: | | |
| src\downloads | |
| C:\cygwin-packages |