Files
AFFiNE-Mirror/.github/workflows/windows-signer.yml
T
2026-07-04 00:13:48 +08:00

99 lines
4.0 KiB
YAML

name: Windows Signer
on:
workflow_call:
inputs:
artifact-name:
required: true
type: string
files:
required: true
type: string
jobs:
sign:
runs-on: windows-latest
env:
ARCHIVE_DIR: ${{ github.run_id }}-${{ github.run_attempt }}-${{ inputs.artifact-name }}
AFFINE_SIGNER_ADDR: ${{ secrets.AFFINE_SIGNER_ADDR }}
AFFINE_SIGNER_TOKEN: ${{ secrets.AFFINE_SIGNER_TOKEN }}
TS_AUTH_KEY: ${{ secrets.AFFINE_SIGNER_TS_AUTH_KEY }}
TS_CONTROL_URL: ${{ secrets.AFFINE_SIGNER_TS_CONTROL_URL }}
TS_RS_EXPERIMENT: this_is_unstable_software
steps:
- uses: actions/download-artifact@v4
with:
name: ${{ inputs.artifact-name }}
path: ${{ env.ARCHIVE_DIR }}
- name: Download remote signer client
shell: pwsh
run: |
if (!$env:AFFINE_SIGN_CLIENT_HASH) {
throw 'AFFINE_SIGN_CLIENT_HASH is required.'
}
Invoke-WebRequest -Uri "https://cdn.affine.pro/sign-client/$env:AFFINE_SIGN_CLIENT_HASH" -OutFile affine-sign-client.exe
env:
AFFINE_SIGN_CLIENT_HASH: ${{ secrets.AFFINE_SIGN_CLIENT_HASH }}
- name: Prepare public signing certificate
shell: pwsh
run: |
if (!$env:WINDOWS_SIGNER_PUBLIC_CERT_BASE64) {
throw 'WINDOWS_SIGNER_PUBLIC_CERT_BASE64 is required.'
}
[IO.File]::WriteAllBytes('windows-signer-public.cer', [Convert]::FromBase64String($env:WINDOWS_SIGNER_PUBLIC_CERT_BASE64))
env:
WINDOWS_SIGNER_PUBLIC_CERT_BASE64: ${{ secrets.WINDOWS_SIGNER_PUBLIC_CERT_BASE64 }}
- name: unzip file
shell: pwsh
run: |
New-Item -ItemType Directory -Path '${{ env.ARCHIVE_DIR }}/out' -Force | Out-Null
Expand-Archive -Path '${{ env.ARCHIVE_DIR }}/archive.zip' -DestinationPath '${{ env.ARCHIVE_DIR }}/out'
- name: sign
shell: pwsh
run: |
./affine-sign-client.exe `
--server "$env:AFFINE_SIGNER_ADDR" `
--token "$env:AFFINE_SIGNER_TOKEN" `
--workdir '${{ env.ARCHIVE_DIR }}/out' `
--files '${{ inputs.files }}' `
--cert windows-signer-public.cer `
--allow-file-fallback
- name: collect signed file diff
shell: powershell -NoProfile -NonInteractive -ExecutionPolicy Bypass -File {0}
run: |
$OutDir = Join-Path '${{ env.ARCHIVE_DIR }}' 'out'
$DiffDir = Join-Path '${{ env.ARCHIVE_DIR }}' 'signed-diff'
$FilesDir = Join-Path $DiffDir 'files'
New-Item -ItemType Directory -Path $FilesDir -Force | Out-Null
$SignedFiles = [regex]::Matches('${{ inputs.files }}', '"([^"]+)"') | ForEach-Object { $_.Groups[1].Value }
if ($SignedFiles.Count -eq 0) {
throw 'No files to sign were provided.'
}
$Manifest = @()
foreach ($RelativePath in $SignedFiles) {
$SourcePath = Join-Path $OutDir $RelativePath
if (!(Test-Path -LiteralPath $SourcePath -PathType Leaf)) {
throw "Signed file not found: $RelativePath"
}
$TargetPath = Join-Path $FilesDir $RelativePath
$TargetDir = Split-Path -Parent $TargetPath
if ($TargetDir) {
New-Item -ItemType Directory -Path $TargetDir -Force | Out-Null
}
Copy-Item -LiteralPath $SourcePath -Destination $TargetPath -Force
$Manifest += [PSCustomObject]@{
path = $RelativePath
sha256 = (Get-FileHash -Algorithm SHA256 -LiteralPath $TargetPath).Hash
}
}
$Manifest | ConvertTo-Json -Depth 4 | Out-File -FilePath (Join-Path $DiffDir 'manifest.json') -Encoding utf8
Write-Host "Collected $($SignedFiles.Count) signed files."
- name: upload
uses: actions/upload-artifact@v4
with:
name: signed-${{ inputs.artifact-name }}
path: ${{ env.ARCHIVE_DIR }}/signed-diff