From 2692103f9799ec26c88012863cb941a9a49b5a89 Mon Sep 17 00:00:00 2001 From: Zeke Foppa Date: Tue, 3 Mar 2026 10:37:00 -0800 Subject: [PATCH 1/8] [bfops/package-ci]: CI - Reduce when package job runs --- .github/workflows/package.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml index c4590a54c90..33384047865 100644 --- a/.github/workflows/package.yml +++ b/.github/workflows/package.yml @@ -5,8 +5,8 @@ on: tags: - '**' branches: - - master - release/* + workflow_dispatch: jobs: build-cli: From 54bfc9aed44e5bb981d49c1a848ffe3dc9c657b5 Mon Sep 17 00:00:00 2001 From: Zeke Foppa Date: Wed, 4 Mar 2026 10:36:41 -0800 Subject: [PATCH 2/8] [bfops/fix-package-job]: Fix package job --- .github/workflows/package.yml | 99 ++++++++--------------------------- 1 file changed, 22 insertions(+), 77 deletions(-) diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml index a80d64315aa..1e498516293 100644 --- a/.github/workflows/package.yml +++ b/.github/workflows/package.yml @@ -28,7 +28,7 @@ jobs: # - { name: aarch64 Linux musl, target: aarch64-unknown-linux-musl, runner: arm-runner } - { name: aarch64 macOS, target: aarch64-apple-darwin, runner: macos-latest } - { name: x86_64 macOS, target: x86_64-apple-darwin, runner: macos-latest } - - { name: x86_64 Windows, target: x86_64-pc-windows-msvc, runner: windows-latest } + - { name: x86_64 Windows, target: x86_64-pc-windows-msvc, runner: [self-hosted, windows, signing] } name: Build CLI for ${{ matrix.name }} runs-on: ${{ matrix.runner }} 
@@ -57,70 +57,16 @@ jobs: run: | cargo build --release --target ${{ matrix.target }} -p spacetimedb-cli -p spacetimedb-standalone -p spacetimedb-update - - name: Package (unix) - if: ${{ runner.os != 'Windows' }} - shell: bash - run: | - mkdir build - cd target/${{matrix.target}}/release - cp spacetimedb-update ../../../build/spacetimedb-update-${{matrix.target}} - tar -czf ../../../build/spacetime-${{matrix.target}}.tar.gz spacetimedb-{cli,standalone} - - - name: Package (windows) - if: ${{ runner.os == 'Windows' }} - shell: bash - run: | - mkdir build - cd target/${{matrix.target}}/release - cp spacetimedb-update.exe ../../../build/spacetimedb-update-${{matrix.target}}.exe - 7z a ../../../build/spacetime-${{matrix.target}}.zip spacetimedb-cli.exe spacetimedb-standalone.exe - - - name: Extract branch name - shell: bash - run: echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_OUTPUT - id: extract_branch - - - name: Upload to DO Spaces - uses: shallwefootball/s3-upload-action@master - with: - aws_key_id: ${{ secrets.AWS_KEY_ID }} - aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY}} - aws_bucket: ${{ vars.AWS_BUCKET }} - source_dir: build - endpoint: https://nyc3.digitaloceanspaces.com - destination_dir: ${{ steps.extract_branch.outputs.branch }} - - build-cli-windows-signed: - if: ${{ startsWith(github.ref, 'refs/tags/') }} - name: Build and sign CLI for x86_64 Windows - runs-on: [self-hosted, windows, signing] - environment: codesign - concurrency: - group: codesign-${{ github.ref }} - cancel-in-progress: false - - steps: - - name: Checkout - uses: actions/checkout@v3 - - - name: Install Rust - uses: dsherret/rust-toolchain-file@v1 - - - name: Install rust target - run: rustup target add x86_64-pc-windows-msvc - - - name: Compile - run: | - cargo build --release --target x86_64-pc-windows-msvc -p spacetimedb-cli -p spacetimedb-standalone -p spacetimedb-update - - - name: Write certificate file + - name: Write certificate file for 
signing + if: ${{ startsWith(github.ref, 'refs/tags/') && runner.os == 'Windows' }} shell: powershell env: DIGICERT_CERT_B64: ${{ secrets.DIGICERT_CERT_B64 }} run: | [IO.File]::WriteAllBytes("digicert.crt", [Convert]::FromBase64String($env:DIGICERT_CERT_B64)) - - name: Sign binaries + - name: Sign binaries for Windows + if: ${{ startsWith(github.ref, 'refs/tags/') && runner.os == 'Windows' }} shell: powershell env: DIGICERT_KEYPAIR_ALIAS: ${{ secrets.DIGICERT_KEYPAIR_ALIAS }} 
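Review bot: Folding the signing steps into `build-cli` drops the `environment: codesign` and `concurrency: group: codesign-${{ github.ref }}` settings that the removed `build-cli-windows-signed` job carried, and nothing on the new side replaces them. If the DigiCert secrets are scoped to that environment, they will resolve to empty strings here. If they are repository secrets, whatever protection rules the environment had no longer gate signing. Either keep signing in its own job that declares `environment: codesign`, or add that key to `build-cli`, whose header is outside this hunk. The decoded `digicert.crt` is also left in the workspace with no cleanup step, which matters on the self-hosted runner this patch selects for Windows.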
@@ -142,28 +88,27 @@ jobs: & $signtool.Path verify /v /pa $file } - - name: Package (windows) - shell: powershell + - name: Package (unix) + if: ${{ runner.os != 'Windows' }} + shell: bash run: | - $ErrorActionPreference = 'Stop' - New-Item -ItemType Directory -Force -Path build | Out-Null - $releaseDir = Join-Path $env:GITHUB_WORKSPACE 'target\x86_64-pc-windows-msvc\release' + mkdir build + cd target/${{matrix.target}}/release + cp spacetimedb-update ../../../build/spacetimedb-update-${{matrix.target}} + tar -czf ../../../build/spacetime-${{matrix.target}}.tar.gz spacetimedb-{cli,standalone} - Copy-Item (Join-Path $releaseDir 'spacetimedb-update.exe') (Join-Path $env:GITHUB_WORKSPACE 'build\spacetimedb-update-x86_64-pc-windows-msvc.exe') - Compress-Archive -Force -Path @( - (Join-Path $releaseDir 'spacetimedb-cli.exe'), - (Join-Path $releaseDir 'spacetimedb-standalone.exe') - ) -DestinationPath (Join-Path $env:GITHUB_WORKSPACE 'build\spacetime-x86_64-pc-windows-msvc.zip') + - name: Package (windows) + if: ${{ runner.os == 'Windows' }} + shell: bash + run: | + mkdir build + cd target/${{matrix.target}}/release + cp spacetimedb-update.exe ../../../build/spacetimedb-update-${{matrix.target}}.exe + 7z a ../../../build/spacetime-${{matrix.target}}.zip spacetimedb-cli.exe spacetimedb-standalone.exe - name: Extract branch name - shell: powershell - run: | - $ErrorActionPreference = 'Stop' - $branch = $env:GITHUB_HEAD_REF - if ([string]::IsNullOrEmpty($branch)) { - $branch = $env:GITHUB_REF -replace '^refs/heads/', '' - } - "branch=$branch" | Out-File -FilePath $env:GITHUB_OUTPUT -Encoding utf8 -Append + shell: bash + run: echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_OUTPUT id: extract_branch - name: Upload to DO Spaces From 3dc0e18eb3eb297cf3ebf5212ee1390e229f4acf Mon Sep 17 00:00:00 2001 
From: Zeke Foppa Date: Wed, 4 Mar 2026 10:39:51 -0800 Subject: [PATCH 3/8] [bfops/fix-package-job]: updates --- .github/workflows/package.yml | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml index 1e498516293..1cc013b8e4e 100644 --- a/.github/workflows/package.yml +++ b/.github/workflows/package.yml @@ -4,8 +4,6 @@ on: push: tags: - '**' - branches: - - release/* workflow_dispatch: permissions: @@ -13,7 +11,6 @@ permissions: jobs: build-cli: - if: ${{ !(startsWith(github.ref, 'refs/tags/') && matrix.target == 'x86_64-pc-windows-msvc') }} strategy: fail-fast: false matrix: @@ -28,7 +25,7 @@ jobs: # - { name: aarch64 Linux musl, target: aarch64-unknown-linux-musl, runner: arm-runner } - { name: aarch64 macOS, target: aarch64-apple-darwin, runner: macos-latest } - { name: x86_64 macOS, target: x86_64-apple-darwin, runner: macos-latest } - - { name: x86_64 Windows, target: x86_64-pc-windows-msvc, runner: [self-hosted, windows, signing] } + - { name: x86_64 Windows, target: x86_64-pc-windows-msvc, runner: windows-latest } name: Build CLI for ${{ matrix.name }} runs-on: ${{ matrix.runner }} @@ -58,7 +55,7 @@ jobs: cargo build --release --target ${{ matrix.target }} -p spacetimedb-cli -p spacetimedb-standalone -p spacetimedb-update - name: Write certificate file for signing - if: ${{ startsWith(github.ref, 'refs/tags/') && runner.os == 'Windows' }} + if: ${{ runner.os == 'Windows' }} shell: powershell env: DIGICERT_CERT_B64: ${{ secrets.DIGICERT_CERT_B64 }} @@ -66,7 +63,7 @@ jobs: [IO.File]::WriteAllBytes("digicert.crt", [Convert]::FromBase64String($env:DIGICERT_CERT_B64)) - name: Sign binaries for Windows - if: ${{ startsWith(github.ref, 'refs/tags/') && runner.os == 'Windows' }} + if: ${{ runner.os == 'Windows' }} shell: powershell env: DIGICERT_KEYPAIR_ALIAS: ${{ secrets.DIGICERT_KEYPAIR_ALIAS }} From 081d555e286554bd0a3b12041e55e30ffa674ce2 Mon Sep 17 00:00:00 2001 
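Review bot: Dropping `startsWith(github.ref, 'refs/tags/')` from the two signing steps (hunks at -58 and -66) leaves `runner.os == 'Windows'` as their only gate, while `workflow_dispatch` stays in `on:`. A manually dispatched run on a branch then decodes the certificate secret and reaches the sign step for code that was never tagged. Keeping the ref test, `if: ${{ startsWith(github.ref, 'refs/tags/') && runner.os == 'Windows' }}`, or putting the job behind a protected environment would keep signing tied to releases. Both steps sit inside the `build-cli` job, which starts outside these hunks.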
From: Zeke Foppa Date: Wed, 4 Mar 2026 10:40:10 -0800 Subject: [PATCH 4/8] [bfops/package-ci]: also do not run on release branches; only tags --- .github/workflows/package.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml index a80d64315aa..eb188e16205 100644 --- a/.github/workflows/package.yml +++ b/.github/workflows/package.yml @@ -4,8 +4,6 @@ on: push: tags: - '**' - branches: - - release/* workflow_dispatch: permissions: From 875aa0d02be698d878508d9c44c2b3ed49ed6616 Mon Sep 17 00:00:00 2001 From: Zeke Foppa Date: Wed, 4 Mar 2026 13:57:32 -0800 Subject: [PATCH 5/8] [bfops/fix-package-job]: add signtool to path --- .github/workflows/package.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml index 1cc013b8e4e..d8df8a38152 100644 --- a/.github/workflows/package.yml +++ b/.github/workflows/package.yml @@ -50,6 +50,25 @@ jobs: - name: Install rust target run: rustup target add ${{ matrix.target }} + - name: Add signtool.exe to PATH + shell: pwsh + run: | + $root = "${env:ProgramFiles(x86)}\Windows Kits\10\bin" + $signtool = Get-ChildItem $root -Recurse -Filter signtool.exe -ErrorAction SilentlyContinue | + Where-Object { $_.FullName -match '\\x64\\signtool\.exe$' } | + Sort-Object FullName -Descending | + Select-Object -First 1 + + if (-not $signtool) { throw "signtool.exe not found under $root" } + + "Found: $($signtool.FullName)" + $dir = Split-Path $signtool.FullName + Add-Content -Path $env:GITHUB_PATH -Value $dir + + - name: Verify signtool + shell: pwsh + run: signtool.exe /? + - name: Compile run: | cargo build --release --target ${{ matrix.target }} -p spacetimedb-cli -p spacetimedb-standalone -p spacetimedb-update From 59933aaacd0bca9378f376cbdcd653a0ed1e6352 Mon Sep 17 00:00:00 2001 
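Review bot: In the "Add signtool.exe to PATH" step added by patch 5/8, `Sort-Object FullName -Descending` compares paths as strings, so it picks the lexically greatest SDK directory rather than the newest one (constructed example: `10.0.9600.0` sorts above `10.0.22621.0`). Sorting on the version parsed from the SDK directory name, with a fallback for the unversioned `bin\x64` location, would make the choice deterministic. `-ErrorAction SilentlyContinue` on `Get-ChildItem` also hides access errors, so the later `throw` reports "not found" even when the real cause is a permission problem. A one-line comment above the pipeline stating which SDK layout is expected would help the next reader.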
From: Zeke Foppa Date: Wed, 4 Mar 2026 13:57:46 -0800 Subject: [PATCH 6/8] [bfops/fix-package-job]: windows --- .github/workflows/package.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml index d8df8a38152..3d743161364 100644 --- a/.github/workflows/package.yml +++ b/.github/workflows/package.yml @@ -51,6 +51,7 @@ jobs: run: rustup target add ${{ matrix.target }} - name: Add signtool.exe to PATH + if: ${{ runner.os == 'Windows' }} shell: pwsh run: | $root = "${env:ProgramFiles(x86)}\Windows Kits\10\bin" @@ -66,6 +67,7 @@ jobs: Add-Content -Path $env:GITHUB_PATH -Value $dir - name: Verify signtool + if: ${{ runner.os == 'Windows' }} shell: pwsh run: signtool.exe /? From 9b4da96a8fa706c24a40f265bd9c4a40fe3edf45 Mon Sep 17 00:00:00 2001 From: Zeke Foppa Date: Wed, 4 Mar 2026 14:50:30 -0800 Subject: [PATCH 7/8] [bfops/fix-package-job]: try fix? --- .github/workflows/package.yml | 19 +++++++------------ 1 file changed, 7 insertions(+), 12 deletions(-) diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml index 3d743161364..a175e615cca 100644 --- a/.github/workflows/package.yml +++ b/.github/workflows/package.yml 
@@ -66,22 +66,17 @@ jobs: $dir = Split-Path $signtool.FullName Add-Content -Path $env:GITHUB_PATH -Value $dir - - name: Verify signtool - if: ${{ runner.os == 'Windows' }} - shell: pwsh - run: signtool.exe /? - - - name: Compile - run: | - cargo build --release --target ${{ matrix.target }} -p spacetimedb-cli -p spacetimedb-standalone -p spacetimedb-update - - name: Write certificate file for signing if: ${{ runner.os == 'Windows' }} shell: powershell env: DIGICERT_CERT_B64: ${{ secrets.DIGICERT_CERT_B64 }} run: | - [IO.File]::WriteAllBytes("digicert.crt", [Convert]::FromBase64String($env:DIGICERT_CERT_B64)) + [IO.File]::WriteAllBytes("digicert.pfx", [Convert]::FromBase64String($env:DIGICERT_CERT_B64)) + + - name: Compile + run: | + cargo build --release --target ${{ matrix.target }} -p spacetimedb-cli -p spacetimedb-standalone -p spacetimedb-update - name: Sign binaries for Windows if: ${{ runner.os == 'Windows' }} @@ -91,7 +86,7 @@ jobs: run: | $ErrorActionPreference = 'Stop' $targetDir = Join-Path $env:GITHUB_WORKSPACE 'target\x86_64-pc-windows-msvc\release' - $certFile = Join-Path $env:GITHUB_WORKSPACE 'digicert.crt' + $certFile = Join-Path $env:GITHUB_WORKSPACE 'digicert.pfx' $signtool = Get-Command signtool.exe -ErrorAction Stop @@ -102,7 +97,7 @@ jobs: ) foreach ($file in $files) { - & $signtool.Path sign /csp "DigiCert Signing Manager KSP" /kc $env:DIGICERT_KEYPAIR_ALIAS /f $certFile /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 $file + & $signtool.Path sign /f $certFile /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 $file & $signtool.Path verify /v /pa $file } From c180e18caedd7b1f212576fac90f6c2bb50d958d Mon Sep 17 00:00:00 2001 From: Zeke Foppa Date: Thu, 5 Mar 2026 10:25:18 -0800 Subject: [PATCH 8/8] [bfops/fix-package-job]: disable for now --- .github/workflows/package.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
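Review bot: Moving "Write certificate file for signing" ahead of "Compile" puts the decoded `digicert.pfx` in the workspace while `cargo build` runs, and build scripts and proc macros from every dependency execute with access to that directory. A `.pfx` normally bundles the private key with the certificate, so if this secret does, any build-time code could read the signing key. Writing the file immediately before the sign step, under `$env:RUNNER_TEMP` rather than the checkout, and deleting it in a step marked `if: always()` would limit the exposure to the signing step itself. These steps belong to the `build-cli` job, which starts outside this hunk.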
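Review bot: The new `signtool sign /f $certFile` call drops `/csp "DigiCert Signing Manager KSP" /kc $env:DIGICERT_KEYPAIR_ALIAS`, so the private key must now come from the file itself rather than from the key storage provider. With no `/p` argument this only works if the `.pfx` was exported without a password, in which case the base64 secret alone is enough to sign as the project. If the key is meant to stay in DigiCert's key store, the `/csp` and `/kc` arguments need to stay and the file should hold the public certificate only; `DIGICERT_KEYPAIR_ALIAS` is still passed in `env:` but is no longer used. The step this command belongs to starts outside this hunk.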
diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml index a175e615cca..2580d098000 100644 --- a/.github/workflows/package.yml +++ b/.github/workflows/package.yml @@ -79,7 +79,9 @@ jobs: cargo build --release --target ${{ matrix.target }} -p spacetimedb-cli -p spacetimedb-standalone -p spacetimedb-update - name: Sign binaries for Windows - if: ${{ runner.os == 'Windows' }} + # Disabled for now since the current flow isn't working. + if: false + #if: ${{ runner.os == 'Windows' }} shell: powershell env: DIGICERT_KEYPAIR_ALIAS: ${{ secrets.DIGICERT_KEYPAIR_ALIAS }}
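Review bot: `if: false` turns off only the sign step; "Write certificate file for signing" keeps its `runner.os == 'Windows'` condition and still decodes `DIGICERT_CERT_B64` to disk on every Windows build, now for no purpose. As far as the visible steps show, tag builds will also package and upload unsigned Windows binaries with nothing in the job result to mark them as such. Disable the write step together with this one, and make the comment say what has to happen before signing is restored, e.g. `# TODO(<issue-id>): re-enable once the signing flow is fixed; Windows artifacts are unsigned until then`. The step's `run:` body continues outside this hunk.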