shellwright/.github/workflows/release.yml at main · code-lodge/shellwright · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
# ── shellwright release workflow ───────────────────────────────────────────────
#
# Triggers on:
#   • push of a version tag  (v0.1.0, v1.2.3, …)
#   • manual dispatch via the GitHub UI
#
# Steps:
#   1. Build a release binary on windows-latest (GitHub-hosted runner — required
#      by SignPath to verify build provenance).
#   2. Package the binary as an MSI installer with cargo-wix.
#   3. Upload the unsigned artifacts (EXE + MSI) to GitHub Actions.
#   4. Submit to SignPath for Authenticode signing.
#      SignPath pulls the artifact directly from GitHub, signs it, and returns
#      the signed copy.
#   5. Create a GitHub Release and attach the signed MSI (and EXE fallback).
#
# Required repository secrets:
#   SIGNPATH_API_TOKEN   — REST API token from your SignPath organisation
#   SIGNPATH_ORG_ID      — Organisation ID shown in the SignPath dashboard
#
# SignPath project / policy slugs are hard-coded below; update them to match
# the values you created in the SignPath dashboard.
#
# SignPath OSS programme: https://signpath.io/solutions/open-source-community

name: Release

on:
  push:
    tags:
      - "v[0-9]+.[0-9]+.[0-9]+"
      - "v[0-9]+.[0-9]+.[0-9]+-*"
  workflow_dispatch:
    inputs:
      sign:
        description: "Submit to SignPath for signing"
        type: boolean
        default: true

permissions:
  contents: write   # needed to create a GitHub Release
  id-token: write   # needed by SignPath connector to verify build provenance

env:
  CARGO_TERM_COLOR: always
  RUST_BACKTRACE: 1
  # SignPath project and policy slugs — update to match your SignPath dashboard.
  SIGNPATH_PROJECT_SLUG: shellwright
  SIGNPATH_POLICY_SLUG:  release-signing

jobs:
  # ── 1. Build ────────────────────────────────────────────────────────────────
  build:
    name: Build (Windows x86-64)
    runs-on: windows-latest          # GitHub-hosted runner required by SignPath

    outputs:
      artifact-id: ${{ steps.upload-unsigned.outputs.artifact-id }}
      version:     ${{ steps.version.outputs.value }}

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      # Resolve version: strip the leading 'v' from the tag, or use the short
      # commit SHA for workflow_dispatch runs without a tag.
      - name: Resolve version
        id: version
        shell: bash
        run: |
          if [[ "${GITHUB_REF}" == refs/tags/* ]]; then
            echo "value=${GITHUB_REF_NAME#v}" >> "$GITHUB_OUTPUT"
          else
            echo "value=0.0.0-dev.${GITHUB_SHA::8}" >> "$GITHUB_OUTPUT"
          fi

      - name: Install Rust toolchain
        uses: dtolnay/rust-toolchain@stable
        with:
          targets: x86_64-pc-windows-msvc

      # Cargo cache — dramatically reduces build time on repeat runs.
      - name: Cache Cargo registry and build artefacts
        uses: Swatinem/rust-cache@v2
        with:
          key: windows-release

      - name: Build release binary
        run: cargo build --release --target x86_64-pc-windows-msvc -p shellwright

      # ── MSI packaging ────────────────────────────────────────────────────────
      # cargo-wix wraps the WiX Toolset (pre-installed on windows-latest) to
      # produce a signed-ready MSI installer from the release binary.

      - name: Install cargo-wix
        run: cargo install cargo-wix --locked

      # Generate WiX source files on first use. --force overwrites so CI is
      # always idempotent; commit wix/main.wxs to customise the installer UI.
      - name: Initialize WiX sources
        working-directory: crates/shellwright
        run: cargo wix init --force

      - name: Build MSI
        run: cargo wix --package shellwright --nocapture

      # ── Stage artifacts ──────────────────────────────────────────────────────
      - name: Stage artifacts
        shell: bash
        run: |
          mkdir -p staging
          cp target/x86_64-pc-windows-msvc/release/window-manager.exe \
             "staging/shellwright-${{ steps.version.outputs.value }}-windows-x86_64.exe"
          # cargo-wix outputs to target/wix/
          cp target/wix/shellwright-*.msi \
             "staging/shellwright-${{ steps.version.outputs.value }}-windows-x86_64.msi"

      # Upload the unsigned artifacts.  SignPath pulls from here.
      - name: Upload unsigned artifacts
        id: upload-unsigned
        uses: actions/upload-artifact@v4
        with:
          name: shellwright-unsigned
          path: staging/
          if-no-files-found: error
          retention-days: 7

  # ── 2. Sign ─────────────────────────────────────────────────────────────────
  sign:
    name: Sign with SignPath
    runs-on: ubuntu-latest           # signing submission only — no Windows needed
    needs: build

    # Skip signing on workflow_dispatch when the 'sign' input is false.
    if: |
      github.event_name == 'push' ||
      (github.event_name == 'workflow_dispatch' && inputs.sign == true)

    steps:
      - name: Submit to SignPath
        id: signpath
        uses: SignPath/github-action-submit-signing-request@v2
        with:
          api-token:             ${{ secrets.SIGNPATH_API_TOKEN }}
          organization-id:       ${{ secrets.SIGNPATH_ORG_ID }}
          project-slug:          ${{ env.SIGNPATH_PROJECT_SLUG }}
          signing-policy-slug:   ${{ env.SIGNPATH_POLICY_SLUG }}
          github-artifact-id:    ${{ needs.build.outputs.artifact-id }}
          output-artifact-directory: signed/
          wait-for-completion:   true

      # Re-upload the signed artifacts so the release job can download them
      # regardless of which runner it lands on.
      - name: Upload signed artifacts
        id: upload-signed
        uses: actions/upload-artifact@v4
        with:
          name: shellwright-signed
          path: signed/
          if-no-files-found: error
          retention-days: 7

  # ── 3. Release ──────────────────────────────────────────────────────────────
  release:
    name: Create GitHub Release
    runs-on: ubuntu-latest
    needs: [build, sign]
    # Run even if 'sign' was skipped (workflow_dispatch with sign=false).
    if: always() && needs.build.result == 'success'

    steps:
      # Prefer the signed artifacts; fall back to unsigned if signing was skipped.
      - name: Download signed artifacts
        id: dl-signed
        uses: actions/download-artifact@v4
        continue-on-error: true
        with:
          name: shellwright-signed
          path: release-assets/

      - name: Download unsigned artifacts (fallback)
        if: steps.dl-signed.outcome != 'success'
        uses: actions/download-artifact@v4
        with:
          name: shellwright-unsigned
          path: release-assets/

      - name: Create GitHub Release
        uses: softprops/action-gh-release@v2
        if: startsWith(github.ref, 'refs/tags/')
        with:
          name: shellwright ${{ needs.build.outputs.version }}
          tag_name: ${{ github.ref_name }}
          draft: false
          prerelease: ${{ contains(github.ref_name, '-') }}
          generate_release_notes: true
          files: release-assets/**