mirror of
https://github.com/toeverything/AFFiNE.git
synced 2026-07-15 09:06:19 +08:00
99 lines
4.0 KiB
YAML
99 lines
4.0 KiB
YAML
name: Windows Signer
|
|
on:
|
|
workflow_call:
|
|
inputs:
|
|
artifact-name:
|
|
required: true
|
|
type: string
|
|
files:
|
|
required: true
|
|
type: string
|
|
jobs:
|
|
sign:
|
|
runs-on: windows-latest
|
|
env:
|
|
ARCHIVE_DIR: ${{ github.run_id }}-${{ github.run_attempt }}-${{ inputs.artifact-name }}
|
|
AFFINE_SIGNER_ADDR: ${{ secrets.AFFINE_SIGNER_ADDR }}
|
|
AFFINE_SIGNER_TOKEN: ${{ secrets.AFFINE_SIGNER_TOKEN }}
|
|
TS_AUTH_KEY: ${{ secrets.AFFINE_SIGNER_TS_AUTH_KEY }}
|
|
TS_CONTROL_URL: ${{ secrets.AFFINE_SIGNER_TS_CONTROL_URL }}
|
|
TS_RS_EXPERIMENT: this_is_unstable_software
|
|
steps:
|
|
- uses: actions/download-artifact@v4
|
|
with:
|
|
name: ${{ inputs.artifact-name }}
|
|
path: ${{ env.ARCHIVE_DIR }}
|
|
- name: Download remote signer client
|
|
shell: pwsh
|
|
run: |
|
|
if (!$env:AFFINE_SIGN_CLIENT_HASH) {
|
|
throw 'AFFINE_SIGN_CLIENT_HASH is required.'
|
|
}
|
|
Invoke-WebRequest -Uri "https://cdn.affine.pro/sign-client/$env:AFFINE_SIGN_CLIENT_HASH" -OutFile affine-sign-client.exe
|
|
env:
|
|
AFFINE_SIGN_CLIENT_HASH: ${{ secrets.AFFINE_SIGN_CLIENT_HASH }}
|
|
- name: Prepare public signing certificate
|
|
shell: pwsh
|
|
run: |
|
|
if (!$env:WINDOWS_SIGNER_PUBLIC_CERT_BASE64) {
|
|
throw 'WINDOWS_SIGNER_PUBLIC_CERT_BASE64 is required.'
|
|
}
|
|
[IO.File]::WriteAllBytes('windows-signer-public.cer', [Convert]::FromBase64String($env:WINDOWS_SIGNER_PUBLIC_CERT_BASE64))
|
|
env:
|
|
WINDOWS_SIGNER_PUBLIC_CERT_BASE64: ${{ secrets.WINDOWS_SIGNER_PUBLIC_CERT_BASE64 }}
|
|
- name: unzip file
|
|
shell: pwsh
|
|
run: |
|
|
New-Item -ItemType Directory -Path '${{ env.ARCHIVE_DIR }}/out' -Force | Out-Null
|
|
Expand-Archive -Path '${{ env.ARCHIVE_DIR }}/archive.zip' -DestinationPath '${{ env.ARCHIVE_DIR }}/out'
|
|
- name: sign
|
|
shell: pwsh
|
|
run: |
|
|
./affine-sign-client.exe `
|
|
--server "$env:AFFINE_SIGNER_ADDR" `
|
|
--token "$env:AFFINE_SIGNER_TOKEN" `
|
|
--workdir '${{ env.ARCHIVE_DIR }}/out' `
|
|
--files '${{ inputs.files }}' `
|
|
--cert windows-signer-public.cer `
|
|
--allow-file-fallback
|
|
- name: collect signed file diff
|
|
shell: powershell -NoProfile -NonInteractive -ExecutionPolicy Bypass -File {0}
|
|
run: |
|
|
$OutDir = Join-Path '${{ env.ARCHIVE_DIR }}' 'out'
|
|
$DiffDir = Join-Path '${{ env.ARCHIVE_DIR }}' 'signed-diff'
|
|
$FilesDir = Join-Path $DiffDir 'files'
|
|
New-Item -ItemType Directory -Path $FilesDir -Force | Out-Null
|
|
|
|
$SignedFiles = [regex]::Matches('${{ inputs.files }}', '"([^"]+)"') | ForEach-Object { $_.Groups[1].Value }
|
|
if ($SignedFiles.Count -eq 0) {
|
|
throw 'No files to sign were provided.'
|
|
}
|
|
|
|
$Manifest = @()
|
|
foreach ($RelativePath in $SignedFiles) {
|
|
$SourcePath = Join-Path $OutDir $RelativePath
|
|
if (!(Test-Path -LiteralPath $SourcePath -PathType Leaf)) {
|
|
throw "Signed file not found: $RelativePath"
|
|
}
|
|
|
|
$TargetPath = Join-Path $FilesDir $RelativePath
|
|
$TargetDir = Split-Path -Parent $TargetPath
|
|
if ($TargetDir) {
|
|
New-Item -ItemType Directory -Path $TargetDir -Force | Out-Null
|
|
}
|
|
|
|
Copy-Item -LiteralPath $SourcePath -Destination $TargetPath -Force
|
|
$Manifest += [PSCustomObject]@{
|
|
path = $RelativePath
|
|
sha256 = (Get-FileHash -Algorithm SHA256 -LiteralPath $TargetPath).Hash
|
|
}
|
|
}
|
|
|
|
$Manifest | ConvertTo-Json -Depth 4 | Out-File -FilePath (Join-Path $DiffDir 'manifest.json') -Encoding utf8
|
|
Write-Host "Collected $($SignedFiles.Count) signed files."
|
|
- name: upload
|
|
uses: actions/upload-artifact@v4
|
|
with:
|
|
name: signed-${{ inputs.artifact-name }}
|
|
path: ${{ env.ARCHIVE_DIR }}/signed-diff
|