mirror of
https://github.com/toeverything/AFFiNE.git
synced 2026-02-21 00:07:01 +08:00
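# Reusable workflow: downloads a build artifact onto the signing runner,
# extracts it, signs the requested files with signtool, and uploads only the
# signed files plus a SHA-256 manifest as `signed-<artifact-name>`.
#
# Trust boundary: `inputs.artifact-name` and `inputs.files` are chosen by the
# calling workflow, and this job runs on a self-hosted runner where signtool
# selects a signing certificate. Inputs are therefore handed to the scripts
# through environment variables and parsed as data; they are never expanded
# into script text with `${{ }}`.
name: Windows Signer

on:
  workflow_call:
    inputs:
      # Name of the artifact to download; it must contain `archive.zip`.
      artifact-name:
        required: true
        type: string
      # Space-separated, double-quoted paths relative to the archive root,
      # e.g. `"a.exe" "dir/b.dll"` (constructed example). Only double-quoted
      # entries are recognised; rooted paths and `..` segments are rejected.
      files:
        required: true
        type: string

jobs:
  sign:
    runs-on: [self-hosted, win-signer]
    env:
      # Per-run, per-attempt working directory, relative to the runner's
      # working directory.
      # NOTE(review): no step in this file deletes it afterwards; confirm the
      # signer machine cleans its workspace some other way.
      ARCHIVE_DIR: ${{ github.run_id }}-${{ github.run_attempt }}-${{ inputs.artifact-name }}
    steps:
      # NOTE(review): `@v4` is a mutable tag; pin to a full commit SHA
      # (`actions/download-artifact@<full-commit-sha>`) if project policy
      # requires immutable action references on the signing runner.
      - uses: actions/download-artifact@v4
        with:
          name: ${{ inputs.artifact-name }}
          path: ${{ env.ARCHIVE_DIR }}

      - name: unzip file
        shell: powershell -NoProfile -NonInteractive -ExecutionPolicy Bypass -File {0}
        # 7za is pre-installed on the signer machine
        run: |
          # A custom `shell:` string gets no implicit error handling from the
          # runner, so stop on cmdlet errors and propagate 7za's exit code.
          $ErrorActionPreference = 'Stop'
          Set-Location -LiteralPath $env:ARCHIVE_DIR
          New-Item -ItemType Directory -Path 'out' | Out-Null
          & 7za x archive.zip -y -oout
          if ($LASTEXITCODE -ne 0) {
            exit $LASTEXITCODE
          }

      - name: sign
        shell: powershell -NoProfile -NonInteractive -ExecutionPolicy Bypass -File {0}
        env:
          SIGN_FILES: ${{ inputs.files }}
        run: |
          $ErrorActionPreference = 'Stop'

          # Parse the caller-supplied list as data. Only double-quoted entries
          # are signed, which is the same list the collect step recognises.
          $SignFiles = @([regex]::Matches([string]$env:SIGN_FILES, '"([^"]+)"') | ForEach-Object { $_.Groups[1].Value })
          if ($SignFiles.Count -eq 0) {
            throw 'No files to sign were provided.'
          }

          # Keep every entry inside the extracted archive: no rooted paths and
          # no parent-directory segments.
          foreach ($RelativePath in $SignFiles) {
            if ([System.IO.Path]::IsPathRooted($RelativePath) -or (($RelativePath -split '[\\/]') -contains '..')) {
              throw "Refusing path outside the extracted archive: $RelativePath"
            }
          }

          Set-Location -LiteralPath (Join-Path $env:ARCHIVE_DIR 'out')

          # Each path is passed as its own argument (array splatting), so the
          # file names are never re-parsed by a shell.
          # /a lets signtool choose the signing certificate automatically.
          & signtool sign /tr http://timestamp.globalsign.com/tsa/r6advanced1 /td sha256 /fd sha256 /a @SignFiles
          if ($LASTEXITCODE -ne 0) {
            exit $LASTEXITCODE
          }

      - name: collect signed file diff
        shell: powershell -NoProfile -NonInteractive -ExecutionPolicy Bypass -File {0}
        env:
          SIGN_FILES: ${{ inputs.files }}
        run: |
          # Fail the step on any cmdlet error (for example a failed copy)
          # instead of continuing with an incomplete manifest.
          $ErrorActionPreference = 'Stop'

          $OutDir = Join-Path $env:ARCHIVE_DIR 'out'
          $DiffDir = Join-Path $env:ARCHIVE_DIR 'signed-diff'
          $FilesDir = Join-Path $DiffDir 'files'
          New-Item -ItemType Directory -Path $FilesDir -Force | Out-Null

          $SignedFiles = @([regex]::Matches([string]$env:SIGN_FILES, '"([^"]+)"') | ForEach-Object { $_.Groups[1].Value })
          if ($SignedFiles.Count -eq 0) {
            throw 'No files to sign were provided.'
          }

          $Manifest = @()
          foreach ($RelativePath in $SignedFiles) {
            # The same relative path is joined onto both the source and the
            # upload directory, so reject anything that could leave either.
            if ([System.IO.Path]::IsPathRooted($RelativePath) -or (($RelativePath -split '[\\/]') -contains '..')) {
              throw "Refusing path outside the extracted archive: $RelativePath"
            }

            $SourcePath = Join-Path $OutDir $RelativePath
            if (!(Test-Path -LiteralPath $SourcePath -PathType Leaf)) {
              throw "Signed file not found: $RelativePath"
            }

            $TargetPath = Join-Path $FilesDir $RelativePath
            $TargetDir = Split-Path -Parent $TargetPath
            if ($TargetDir) {
              New-Item -ItemType Directory -Path $TargetDir -Force | Out-Null
            }

            Copy-Item -LiteralPath $SourcePath -Destination $TargetPath -Force
            # The hash is taken from the copy that gets uploaded, so the
            # manifest describes exactly what the caller receives.
            $Manifest += [PSCustomObject]@{
              path = $RelativePath
              sha256 = (Get-FileHash -Algorithm SHA256 -LiteralPath $TargetPath).Hash
            }
          }

          $Manifest | ConvertTo-Json -Depth 4 | Out-File -FilePath (Join-Path $DiffDir 'manifest.json') -Encoding utf8
          Write-Host "Collected $($SignedFiles.Count) signed files."

      # NOTE(review): `@v4` is a mutable tag; see the note on download-artifact.
      - name: upload
        uses: actions/upload-artifact@v4
        with:
          name: signed-${{ inputs.artifact-name }}
          path: ${{ env.ARCHIVE_DIR }}/signed-diff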