diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index b68d75f2a4..ccac821cc4 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -52,6 +52,7 @@ jobs: build_flags: -DINITSYS=systemd -DBUILD_PACKAGE_SUFFIX=x86_64 -G Ninja build_type: Release collect_symbols: false + signpath: false # This causes the AppImage to be generated, instead of just creating # the portable tree, because there seems to be no way to separate # these steps with linuxdeploy @@ -100,6 +101,7 @@ jobs: sccache_triplet: x86_64-unknown-linux-musl build_type: Release collect_symbols: false + signpath: false packager: cmake --install build --config Release --prefix . cross_qt_args: >- "-DANDROID_SDK_ROOT=$ANDROID_SDK_ROOT" @@ -165,6 +167,7 @@ jobs: sccache_triplet: x86_64-unknown-linux-musl build_type: Release collect_symbols: false + signpath: false packager: cmake --install build --config Release --prefix . cross_qt_args: >- "-DANDROID_SDK_ROOT=$ANDROID_SDK_ROOT" @@ -230,6 +233,7 @@ jobs: build_flags: -DBUILD_PACKAGE_SUFFIX=x86_64 -G Ninja build_type: Release collect_symbols: false + signpath: false sccache_triplet: x86_64-apple-darwin packager: cpack --verbose --config build/CPackConfig.cmake -C Release @@ -241,6 +245,7 @@ jobs: build_flags: -DBUILD_PACKAGE_SUFFIX=arm64 -G Ninja build_type: Release collect_symbols: false + signpath: false sccache_triplet: aarch64-apple-darwin packager: cpack --verbose --config build/CPackConfig.cmake -C Release @@ -253,6 +258,7 @@ jobs: build_flags: -DBUILD_PACKAGE_SUFFIX=x86_64 -G Ninja build_type: RelWithDebInfo collect_symbols: true + signpath: true qt_pre_build: > choco install gperf jom winflexbison3 && New-Item -Path C:\ProgramData\Chocolatey\bin\flex.exe -ItemType SymbolicLink -Value C:\ProgramData\Chocolatey\bin\win_flex.exe && @@ -277,6 +283,7 @@ jobs: build_flags: -DBUILD_PACKAGE_SUFFIX=x86_64 -G Ninja build_type: RelWithDebInfo collect_symbols: false + signpath: false qt_pre_build: > choco install gperf jom winflexbison3 && New-Item -Path C:\ProgramData\Chocolatey\bin\flex.exe -ItemType SymbolicLink -Value C:\ProgramData\Chocolatey\bin\win_flex.exe && @@ -299,6 +306,7 @@ jobs: build_flags: -DCARGO_TRIPLE=i686-pc-windows-msvc -DBUILD_PACKAGE_SUFFIX=x86 -G Ninja build_type: RelWithDebInfo collect_symbols: false + signpath: true qt_pre_build: > choco install gperf jom winflexbison3 && New-Item -Path C:\ProgramData\Chocolatey\bin\flex.exe -ItemType SymbolicLink -Value C:\ProgramData\Chocolatey\bin\win_flex.exe && @@ -478,7 +486,7 @@ jobs: } env: WINDOWS_CERTIFICATE: ${{ secrets.WINDOWS_CERTIFICATE }} - if: runner.os == 'Windows' + if: runner.os == 'Windows' && matrix.packager && (!startsWith(github.ref, 'refs/tags/') || !matrix.signpath) - name: Generate project run: > @@ -547,6 +555,51 @@ jobs: WINDOWS_PFX_TIMESTAMP_URL: 'http://timestamp.digicert.com' if: matrix.packager + - name: Upload artifacts for SignPath to sign + uses: actions/upload-artifact@v4 + id: signpath-upload + with: + name: SignPath${{ matrix.component && format('-{0}', matrix.component) }}-${{ matrix.cross_os || runner.os }}-${{ matrix.arch }}-Qt${{ matrix.qt }} + path: | + Drawpile-*.msi + Drawpile-*.zip + if: runner.os == 'Windows' && matrix.packager && startsWith(github.ref, 'refs/tags/') && matrix.signpath + + - name: Delete unsigned artifacts + id: signpath-delete-unsigned + shell: bash + run: rm -vf Drawpile-*.msi Drawpile-*.zip + if: runner.os == 'Windows' && matrix.packager && startsWith(github.ref, 'refs/tags/') && matrix.signpath + + - name: Submit artifacts to SignPath to sign + uses: signpath/github-action-submit-signing-request@v1 + id: signpath-sign + with: + api-token: '${{ secrets.SIGNPATH_API_TOKEN }}' + organization-id: '${{ secrets.SIGNPATH_ORGANIZATION_ID }}' + project-slug: 'Drawpile' + signing-policy-slug: 'release-signing' + artifact-configuration-slug: 'client' + github-artifact-id: '${{ steps.signpath-upload.outputs.artifact-id }}' + wait-for-completion: true + output-artifact-directory: '.' + parameters: | + Version: "${{ github.ref_name }}" + Release_Tag: "${{ github.ref_name }}" + if: runner.os == 'Windows' && matrix.packager && startsWith(github.ref, 'refs/tags/') && matrix.signpath + + - name: Delete unsigned executable uploaded for SignPath after signing + uses: actions/github-script@v7 + id: signpath-exe-delete + with: + script: | + github.rest.actions.deleteArtifact({ + owner: context.repo.owner, + repo: context.repo.repo, + artifact_id: ${{ steps.signpath-upload.outputs.artifact-id }} + }); + if: runner.os == 'Windows' && matrix.packager && startsWith(github.ref, 'refs/tags/') && matrix.signpath + - name: Bundle PDBs run: > cmake "-DEXE_SEARCH_PATHS=build" @@ -613,7 +666,10 @@ jobs: - name: Collect release notes if: startsWith(github.ref, 'refs/tags/') - run: awk -v RS='' '/^[[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} Version ${{ github.ref_name }}/,/^[[:digit:]]/' checkout/ChangeLog | tail '+2' > release-description + run: | + echo '**Code signing policy:** ' > release-description + echo >> release-description + awk -v RS='' '/^[[:digit:]]{4}-[[:digit:]]{2}-[[:digit:]]{2} Version ${{ github.ref_name }}/,/^[[:digit:]]/' checkout/ChangeLog | tail '+2' >> release-description - name: Write continuous release description if: "!startsWith(github.ref, 'refs/tags/')"