aitebar/.github/workflows/release.yml at master · codebdbd/aitebar · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
name: Release

on:
  push:
    tags:
      - "v*"
  workflow_dispatch:
    inputs:
      version:
        description: "Version to validate for a dry-run release. Defaults to AiteBar.csproj Version."
        required: false
        type: string

permissions:
  contents: write

concurrency:
  group: release-${{ github.ref }}
  cancel-in-progress: false

jobs:
  release:
    name: Build installer and publish release
    runs-on: windows-latest
    env:
      WINDOWS_SIGNING_CERT_BASE64: ${{ secrets.WINDOWS_SIGNING_CERT_BASE64 }}
      WINDOWS_SIGNING_CERT_PASSWORD: ${{ secrets.WINDOWS_SIGNING_CERT_PASSWORD }}

    steps:
      - name: Checkout
        uses: actions/checkout@v6

      - name: Setup .NET
        uses: actions/setup-dotnet@v5
        with:
          global-json-file: global.json

      - name: Install Inno Setup
        run: choco install innosetup --no-progress -y

      - name: Log Inno Setup version
        shell: pwsh
        run: |
          $iscc = @(
            "${env:ProgramFiles(x86)}\Inno Setup 6\ISCC.exe",
            "$env:ProgramFiles\Inno Setup 6\ISCC.exe"
          ) | Where-Object { Test-Path $_ } | Select-Object -First 1

          if (-not $iscc) {
            throw "ISCC.exe not found after Chocolatey install."
          }

          $version = (Get-Item $iscc).VersionInfo.ProductVersion
          "Inno Setup compiler: $iscc"
          "Inno Setup version: $version"

      - name: Restore locked dependencies
        run: dotnet restore .\AiteBar.sln --locked-mode

      - name: Verify tag matches project version
        shell: pwsh
        run: |
          $project = [xml](Get-Content .\AiteBar\AiteBar.csproj)
          $projectVersion = $project.Project.PropertyGroup.Version | Select-Object -First 1
          $expectedVersion = "${{ inputs.version }}"

          if ("${{ github.ref_type }}" -eq "tag") {
            $tag = "${{ github.ref_name }}"
            if (-not $tag.StartsWith("v")) {
              throw "Release tag must start with v. Actual tag: $tag"
            }

            $expectedVersion = $tag.Substring(1)
          }

          if ([string]::IsNullOrWhiteSpace($expectedVersion)) {
            $expectedVersion = $projectVersion
          }

          if ($expectedVersion -ne $projectVersion) {
            throw "Release version $expectedVersion does not match project version $projectVersion."
          }

      - name: Build Release
        run: dotnet build .\AiteBar.sln -c Release --no-restore

      - name: Run tests
        run: dotnet test .\AiteBar.Tests\AiteBar.Tests.csproj -c Release --no-build

      - name: Prepare signing certificate
        if: ${{ env.WINDOWS_SIGNING_CERT_BASE64 != '' }}
        shell: pwsh
        run: |
          if ([string]::IsNullOrWhiteSpace($env:WINDOWS_SIGNING_CERT_PASSWORD)) {
            throw "WINDOWS_SIGNING_CERT_BASE64 is set, but WINDOWS_SIGNING_CERT_PASSWORD is missing."
          }

          $certPath = Join-Path $env:RUNNER_TEMP "aitebar-signing.pfx"
          [IO.File]::WriteAllBytes($certPath, [Convert]::FromBase64String($env:WINDOWS_SIGNING_CERT_BASE64))
          "AITEBAR_SIGN_CERT_PATH=$certPath" >> $env:GITHUB_ENV
          "AITEBAR_SIGN_CERT_PASSWORD=$env:WINDOWS_SIGNING_CERT_PASSWORD" >> $env:GITHUB_ENV

      - name: Build installer
        shell: pwsh
        run: |
          if ($env:AITEBAR_SIGN_CERT_PATH) {
            .\installer\Build-Installer.ps1 -Configuration Release -Sign
          } else {
            .\installer\Build-Installer.ps1 -Configuration Release
          }

      - name: Verify installer artifact
        shell: pwsh
        run: |
          $installers = Get-ChildItem .\artifacts\installer -Filter "*.exe" -File
          if ($installers.Count -ne 1) {
            throw "Expected exactly one installer artifact, found $($installers.Count)."
          }

          if ($installers[0].Length -le 0) {
            throw "Installer artifact is empty: $($installers[0].FullName)"
          }

          $project = [xml](Get-Content .\AiteBar\AiteBar.csproj)
          $projectVersion = $project.Project.PropertyGroup.Version | Select-Object -First 1
          $installerVersion = (Get-Item $installers[0].FullName).VersionInfo.ProductVersion
          $installerVersion = if ($installerVersion) { $installerVersion.Trim() } else { "" }
          if ($installerVersion -and $installerVersion -ne $projectVersion) {
            throw "Installer ProductVersion $installerVersion does not match project version $projectVersion."
          }

          if ($env:AITEBAR_SIGN_CERT_PATH) {
            $signature = Get-AuthenticodeSignature -FilePath $installers[0].FullName
            if ($signature.Status -ne "Valid") {
              throw "Installer signature is not valid. Status: $($signature.Status)"
            }
          }

          "Installer artifact: $($installers[0].FullName) ($($installers[0].Length) bytes)"

      - name: Generate installer checksum
        shell: pwsh
        run: |
          $installer = Get-ChildItem .\artifacts\installer -Filter "*.exe" -File | Select-Object -First 1
          if (-not $installer) {
            throw "Installer artifact not found."
          }

          $hash = Get-FileHash -Algorithm SHA256 -LiteralPath $installer.FullName
          "$($hash.Hash)  $($installer.Name)" | Set-Content .\artifacts\installer\SHA256SUMS.txt -Encoding ASCII

      - name: Generate release notes
        shell: pwsh
        run: |
          if ("${{ github.ref_type }}" -eq "tag") {
            $version = "${{ github.ref_name }}".Substring(1)
          } else {
            $version = "${{ inputs.version }}"
            if ([string]::IsNullOrWhiteSpace($version)) {
              $project = [xml](Get-Content .\AiteBar\AiteBar.csproj)
              $version = $project.Project.PropertyGroup.Version | Select-Object -First 1
            }
          }

          $content = Get-Content .\CHANGELOG.md -Raw
          $pattern = "## \[$([regex]::Escape($version))\]"
          $match = [regex]::Match($content, $pattern)

          if (-not $match.Success) {
            throw "CHANGELOG.md does not contain a release section for $version."
          }

          $start = $match.Index
          $next = $content.IndexOf("## [", $start + 1)
          if ($next -lt 0) {
            $content.Substring($start).Trim() | Set-Content .\release_notes.md -Encoding UTF8
          } else {
              $content.Substring($start, $next - $start).Trim() | Set-Content .\release_notes.md -Encoding UTF8
          }

      - name: Upload release dry-run artifacts
        uses: actions/upload-artifact@v7
        with:
          name: release-artifacts-${{ github.run_number }}
          path: |
            artifacts/installer/*.exe
            artifacts/installer/SHA256SUMS.txt
            release_notes.md
          if-no-files-found: error
          retention-days: 14

      - name: Publish GitHub Release
        if: ${{ github.ref_type == 'tag' }}
        uses: softprops/action-gh-release@v3
        with:
          body_path: release_notes.md
          files: |
            artifacts/installer/*.exe
            artifacts/installer/SHA256SUMS.txt