54 changes: 38 additions & 16 deletions .github/workflows/release.yaml
Expand Up @@ -40,7 +40,7 @@ jobs:
CGO_ENABLED=0 go build -o fmeflow${{ matrix.exe-ext }} -ldflags="-X \"github.com/safesoftware/fmeflow-cli/cmd.appVersion=${{ env.APP_VERSION }}\""

- name: Upload artifact for later steps
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: fmeflow-${{ matrix.os }}-${{ matrix.arch }}
path: fmeflow${{ matrix.exe-ext }}
Expand Down Expand Up @@ -78,39 +78,60 @@ jobs:
runs-on: windows-latest
steps:
- name: Download
uses: actions/download-artifact@v3
uses: actions/download-artifact@v4
with:
name: fmeflow-windows-amd64

- uses: azure/login@v2
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}

- name: Whitelist GitHub Runner IP
run: |
$agentIP = (Invoke-WebRequest -Uri https://api.ipify.org/).Content
az keyvault network-rule add -g "${{ secrets.AZURE_RESOURCE_GROUP }}" -n "${{ secrets.KEY_VAULT_NAME }}" --ip-address $agentIP --output none
az keyvault network-rule wait -n "${{ secrets.KEY_VAULT_NAME }}" --updated --output none

- name: Install AzureSignTool
run: |
dotnet tool install --global AzureSignTool --version 6.0.1

- name: Sign
env:
CERTPASS: ${{secrets.PROD_WIN_CERTIFICATE_PWD}}
SIGNCERT: ${{secrets.PROD_WIN_CERTIFICATE}}
run: |
# Create buffer from the BASE64 string of the PFX stored in the secret
$buffer = [System.Convert]::FromBase64String($env:SIGNCERT)
# Create new certificate object from the buffer and the certificate pass
$certificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]::New($buffer, $env:CERTPASS)
Set-AuthenticodeSignature -HashAlgorithm SHA256 -Certificate $certificate -TimestampServer http://timestamp.digicert.com -FilePath fmeflow.exe
azuresigntool sign -coe `
--azure-key-vault-url https://${{ secrets.KEY_VAULT_NAME }}.vault.azure.net/ `
--azure-key-vault-managed-identity `
--azure-key-vault-tenant-id ${{ secrets.AZURE_TENANT_ID }} `
--azure-key-vault-certificate '${{ secrets.AZURE_CERTIFICATE_NAME }}' `
--file-digest SHA256 `
--timestamp-rfc3161 http://timestamp.digicert.com `
--timestamp-digest SHA256 `
fmeflow.exe

- name: Remove IP from Key Vault firewall
run: |
$agentIP = (Invoke-WebRequest -Uri https://api.ipify.org/).Content
az keyvault network-rule remove -g "${{ secrets.AZURE_RESOURCE_GROUP }}" -n "${{ secrets.KEY_VAULT_NAME }}" --ip-address $agentIP --output none

- name: Reupload artifact
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: fmeflow-windows-amd64
path: fmeflow.exe
overwrite: true

sign-macosx:
name: Sign Mac Binaries
needs: build-matrix
runs-on: macos-11
runs-on: macos-14
strategy:
matrix:
# sign both darwin/amd64, darwin/arm64
os: [darwin]
arch: [amd64, arm64]
steps:
- name: Download
uses: actions/download-artifact@v3
uses: actions/download-artifact@v4
with:
name: fmeflow-${{ matrix.os }}-${{ matrix.arch }}

Expand Down Expand Up @@ -169,10 +190,11 @@ jobs:
xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait

- name: Reupload artifact
uses: actions/upload-artifact@v3
uses: actions/upload-artifact@v4
with:
name: fmeflow-${{ matrix.os }}-${{ matrix.arch }}
path: fmeflow
overwrite: true

compress-files:
name: Compress binaries and release
Expand Down Expand Up @@ -200,7 +222,7 @@ jobs:
type: tar
steps:
- name: Checkout code
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Download
uses: actions/download-artifact@v3
with:
Expand All @@ -227,7 +249,7 @@ jobs:
cat fmeflow-${{ matrix.os }}-${{ matrix.arch }}.${{ matrix.zip-ext }}.md5

# Add compressed files and md5 hashes to the release
- uses: AButler/upload-release-assets@v2.0
- uses: AButler/upload-release-assets@v3.0
with:
files: '*.md5;*.zip;*.tar.gz'
repo-token: ${{ secrets.GITHUB_TOKEN }}
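Review bot: The `Remove IP from Key Vault firewall` step has no `if:` condition, so when `Sign` or the AzureSignTool install fails the job stops before it runs and the runner's public IP stays in the Key Vault network allowlist; add `if: always()` to that step so the rule is removed on every path. The IP is also looked up a second time from api.ipify.org before removal; capturing it once in the whitelist step with `Add-Content -Path $env:GITHUB_ENV -Value "AGENT_IP=$agentIP"` and reusing `$env:AGENT_IP` guarantees the rule removed is the one added, and stops a firewall change from depending on two separate calls to a third-party service. Separately, the compress-files job still uses `actions/download-artifact@v3` while every upload in this diff moved to `upload-artifact@v4`; v3 cannot retrieve artifacts produced by v4, so that step needs the same bump or the release job will fail to find the signed binaries. The `azure/login` step authenticates with a stored client secret (`AZURE_CREDENTIALS`); if the tenant permits it, OIDC federated credentials (`permissions: id-token: write` plus `client-id`/`tenant-id`/`subscription-id`) would remove that long-lived secret from the repository.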