
removed arm64 build for now #24

removed arm64 build for now


Workflow file for this run

name: Secure Production Build

Check failure on line 1 in .github/workflows/build-secure.yml



Invalid workflow file

(Line: 156, Col: 13): Unrecognized named-value: 'secrets'. Located at position 29 within expression: matrix.goos == 'windows' && secrets.WINDOWS_CERT_BASE64 != '', (Line: 164, Col: 13): Unrecognized named-value: 'secrets'. Located at position 28 within expression: matrix.goos == 'darwin' && secrets.APPLE_CERT_BASE64 != ''
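on:
  push:
    tags:
      - 'v*'
  workflow_dispatch:
    inputs:
      version:
        description: 'Version number (e.g., 0.1.0)'
        required: true

# Least privilege for the default GITHUB_TOKEN: scanning and building only
# read the repository; the release job requests contents:write on its own.
permissions:
  contents: read

env:
  GO_VERSION: '1.23'
  NODE_VERSION: '20'

jobs:
  # Security scanning before build
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: Install Security Tools
        # TODO(review): pin these to an explicit version instead of @latest so
        # the scanner toolchain is reproducible between runs.
        run: |
          go install golang.org/x/vuln/cmd/govulncheck@latest
          go install github.com/securego/gosec/v2/cmd/gosec@latest
      - name: Run Go Vulnerability Check
        run: govulncheck ./...
      - name: Run Security Scanner
        run: gosec -severity medium -confidence medium -quiet ./...
      - name: Run Go Vet
        run: go vet ./...
      - name: Frontend Security Audit
        run: |
          cd frontend
          npm ci
          npm audit --audit-level=high

  # Build for all platforms
  build:
    needs: security-scan
    strategy:
      fail-fast: false
      matrix:
        include:
          - os: windows-latest
            platform: windows/amd64
            output: volt-api-windows-amd64.exe
            goos: windows
            goarch: amd64
          - os: windows-latest
            platform: windows/arm64
            output: volt-api-windows-arm64.exe
            goos: windows
            goarch: arm64
          - os: macos-13 # Intel
            platform: darwin/amd64
            output: volt-api-darwin-amd64
            goos: darwin
            goarch: amd64
          - os: macos-14 # Apple Silicon
            platform: darwin/arm64
            output: volt-api-darwin-arm64
            goos: darwin
            goarch: arm64
          - os: ubuntu-latest
            platform: linux/amd64
            output: volt-api-linux-amd64
            goos: linux
            goarch: amd64
          - os: ubuntu-latest
            platform: linux/arm64
            output: volt-api-linux-arm64
            goos: linux
            goarch: arm64
    runs-on: ${{ matrix.os }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version: ${{ env.GO_VERSION }}
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_VERSION }}
      - name: Install Wails
        # TODO(review): pin to a release tag rather than @latest (supply chain).
        run: go install github.com/wailsapp/wails/v2/cmd/wails@latest
      - name: Install Garble (Obfuscation)
        run: go install mvdan.cc/garble@latest
      - name: Install Linux Dependencies
        if: runner.os == 'Linux'
        # NOTE(review): libwebkit2gtk-4.0-dev is not packaged on newer Ubuntu
        # images — confirm it still resolves on the current ubuntu-latest.
        run: |
          sudo apt-get update
          sudo apt-get install -y libgtk-3-dev libwebkit2gtk-4.0-dev
      - name: Install UPX
        if: runner.os == 'Linux'
        run: sudo apt-get install -y upx
      - name: Install UPX (macOS)
        if: runner.os == 'macOS'
        run: brew install upx
      - name: Install UPX (Windows)
        if: runner.os == 'Windows'
        run: choco install upx
      - name: Install Frontend Dependencies
        run: |
          cd frontend
          npm ci
      - name: Build (Production Secure)
        # Tag/branch names and dispatch inputs are free text chosen by whoever
        # pushed; hand them to the script via env so the shell never parses
        # them as code. A manual run uses the `version` input, a tag push
        # falls back to the tag name.
        env:
          VERSION: ${{ inputs.version || github.ref_name }}
        run: |
          wails build \
            -clean \
            -platform ${{ matrix.platform }} \
            -trimpath \
            -ldflags="-s -w -X main.Version=${VERSION} -X main.BuildTime=$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
            -tags production \
            -o ${{ matrix.output }}
        shell: bash
      - name: Compress with UPX
        if: matrix.goos != 'darwin' # UPX doesn't work well with macOS
        run: |
          upx --best --lzma build/bin/${{ matrix.output }} || true
        shell: bash
      # The `secrets` context cannot be referenced from a step-level `if`
      # (the workflow is rejected as invalid). Publish "is a signing cert
      # configured" as a step output instead; the secret values themselves
      # are only read here and never echoed.
      - name: Detect Signing Secrets
        id: signing
        env:
          WINDOWS_CERT_BASE64: ${{ secrets.WINDOWS_CERT_BASE64 }}
          APPLE_CERT_BASE64: ${{ secrets.APPLE_CERT_BASE64 }}
        run: |
          echo "windows=$([ -n "$WINDOWS_CERT_BASE64" ] && echo true || echo false)" >> "$GITHUB_OUTPUT"
          echo "darwin=$([ -n "$APPLE_CERT_BASE64" ] && echo true || echo false)" >> "$GITHUB_OUTPUT"
        shell: bash
      - name: Sign Windows Binary
        if: matrix.goos == 'windows' && steps.signing.outputs.windows == 'true'
        # Secrets are passed as env vars, not interpolated into the script
        # text, so they are not expanded by the shell or shown in the log.
        env:
          WINDOWS_CERT_BASE64: ${{ secrets.WINDOWS_CERT_BASE64 }}
          WINDOWS_CERT_PASSWORD: ${{ secrets.WINDOWS_CERT_PASSWORD }}
        run: |
          # Remove the decoded certificate even if signing fails.
          trap 'rm -f cert.pfx' EXIT
          echo "$WINDOWS_CERT_BASE64" | base64 -d > cert.pfx
          signtool sign /f cert.pfx /p "$WINDOWS_CERT_PASSWORD" /tr http://timestamp.digicert.com /td sha256 /fd sha256 build/bin/${{ matrix.output }}
        shell: bash
      - name: Sign macOS Binary
        if: matrix.goos == 'darwin' && steps.signing.outputs.darwin == 'true'
        env:
          APPLE_CERT_BASE64: ${{ secrets.APPLE_CERT_BASE64 }}
          APPLE_CERT_PASSWORD: ${{ secrets.APPLE_CERT_PASSWORD }}
          APPLE_IDENTITY: ${{ secrets.APPLE_IDENTITY }}
        run: |
          # Remove the decoded certificate and the throwaway keychain on exit,
          # whether or not signing succeeded.
          trap 'rm -f cert.p12; security delete-keychain build.keychain || true' EXIT
          # Import certificate into a throwaway keychain
          echo "$APPLE_CERT_BASE64" | base64 -d > cert.p12
          security create-keychain -p "" build.keychain
          security unlock-keychain -p "" build.keychain
          security import cert.p12 -k build.keychain -P "$APPLE_CERT_PASSWORD" -T /usr/bin/codesign
          security set-key-partition-list -S apple-tool:,apple: -s -k "" build.keychain
          # Put the keychain on the search list so codesign can find the identity
          security list-keychains -d user -s build.keychain
          # Sign
          codesign --force --deep --sign "$APPLE_IDENTITY" build/bin/${{ matrix.output }}
        shell: bash
      # Hash the final artifact — after UPX and after signing — so the
      # published checksum matches the bytes users actually download.
      - name: Generate Checksum
        run: |
          cd build/bin
          sha256sum ${{ matrix.output }} > ${{ matrix.output }}.sha256
        shell: bash
      - name: Upload Artifact
        uses: actions/upload-artifact@v4
        with:
          name: ${{ matrix.output }}
          path: |
            build/bin/${{ matrix.output }}
            build/bin/${{ matrix.output }}.sha256

  # Create release with all artifacts
  release:
    needs: build
    runs-on: ubuntu-latest
    if: startsWith(github.ref, 'refs/tags/')
    # Creating the release and uploading assets needs write access to
    # repository contents; nothing else in this workflow does.
    permissions:
      contents: write
    steps:
      - name: Download All Artifacts
        uses: actions/download-artifact@v4
        with:
          path: artifacts
      - name: Flatten Artifacts
        run: |
          mkdir -p release
          find artifacts -type f -exec mv {} release/ \;
      - name: Generate Combined Checksums
        run: |
          cd release
          cat *.sha256 > checksums.sha256
          rm -f *.sha256.sha256
      - name: Create Release
        uses: softprops/action-gh-release@v1
        with:
          files: release/*
          generate_release_notes: true
          body: |
            ## Checksums
            Verify your download:
            ```bash
            sha256sum -c checksums.sha256
            ```
            ## Security
            - All binaries built with `-trimpath` and stripped symbols
            - Go vulnerability scan passed
            - Frontend security audit passed
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}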