From c774dbdc00bbb11d8b1f278511bb7bf5a3277dea Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Roger=20Boixader=20G=C3=BCell?= Date: Thu, 29 Feb 2024 09:25:28 +0100 Subject: [PATCH] chore: versions and build (#15) * chore: versions and build * chore: format * chore: build * chore: build * chore: prettier * chore: format electron * chore: git attributes * chore: format * chore: build python 11 macos * chore: build * chore: try publish * chore: publish script * chore: electron scripts * chore: env * chore: build GITHUB_TOKEN * chore: build self hosted windows * chore: labels * chore: runs on self hosted * chore: power shell * chore: build wind * chore: windows build * chore: build * chore: build * chore: delete shell * chore: shell * chore: shell * chore: build * chore: package * chore: sign app win * chore: sign tool * chore: sign * chore: build * chore: build nuclia * chore: cert * chore: avoid sign * chore: publish win * chore: release * chore: release * chore: build release * chore: release files * chore: sign win * chore: sign exe win * chore: ios release * chore: build * chore: build * echo: build * chore: build * chore: use b64 * chore: release actions * chore: delete unused code --- .github/workflows/build-win.yml | 69 +++++++++++++++++++++++++++++++++ .github/workflows/build.yml | 54 +++++++++++++++++++------- electron-app/.gitattributes | 1 + electron-app/.prettierignore | 3 +- electron-app/add-osx-cert.sh | 23 +++++++++++ electron-app/entitlements.plist | 16 ++++++++ electron-app/forge.config.js | 15 ++++++- electron-app/package-lock.json | 14 +++---- electron-app/package.json | 11 +++--- package.json | 4 +- server/.gitattributes | 1 + 11 files changed, 180 insertions(+), 31 deletions(-) create mode 100644 .github/workflows/build-win.yml create mode 100644 electron-app/.gitattributes create mode 100644 electron-app/add-osx-cert.sh create mode 100644 electron-app/entitlements.plist create mode 100644 server/.gitattributes 
diff --git a/.github/workflows/build-win.yml b/.github/workflows/build-win.yml
new file mode 100644
index 0000000..efe9c63
--- /dev/null
+++ b/.github/workflows/build-win.yml
@@ -0,0 +1,69 @@
+name: build-windows
+on:
+ push:
+ branches:
+ - main
+
+jobs:
+ build_job:
+ runs-on: self-hosted
+
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ - uses: justincy/github-action-npm-release@2.0.2
+ id: release
+ - uses: actions/setup-node@master
+ with:
+ node-version: 20
+ - name: install dependencies electron-app
+ run: npm install
+ working-directory: electron-app
+
+ - name: install dependencies server
+ run: npm install
+ working-directory: server
+
+ - name: lint/format electron-app
+ env:
+ CI: false
+ run: npm run ci:format
+ working-directory: electron-app
+
+ - name: lint/format server
+ env:
+ CI: false
+ run: npm run ci:format
+ working-directory: server
+
+ - name: test
+ env:
+ CI: false
+ run: npm run test
+ working-directory: server
+
+ - name: compile server
+ env:
+ CI: false
+ run: npm run compile
+ working-directory: server
+
+ - name: build
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ CERTIFICATE_PASSWORD: ${{ secrets.CERTIFICATE_PASSWORD }}
+ CERTIFICATE_CONTAINER_ID: ${{ secrets.CERTIFICATE_CONTAINER_ID }}
+ CERTIFICATE_READER: ${{ secrets.CERTIFICATE_READER }}
+ run: |
+ Copy-Item server/src electron-app/src/sync-agent -r
+ npm run make-win
+ & 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x86\signtool.exe' sign /tr http://timestamp.digicert.com /td sha256 /fd sha256 /f C:\Users\user\Documents\nuclia-certificate.cer /csp "eToken Base Cryptographic Provider" /kc "[$env:CERTIFICATE_READER{{$env:CERTIFICATE_PASSWORD}}]=$env:CERTIFICATE_CONTAINER_ID" electron-app/out/make/squirrel.windows/x64/Nuclia-Sync-Setup.exe
+
+ - name: Release Windows installer
+ uses: softprops/action-gh-release@v1
+ if: steps.release.outputs.released == 'true'
+ with:
+ tag_name: ${{ steps.release.outputs.release_id }}
+ files: |
+ C:/Users/user/actions-runner/_work/sync-agent/sync-agent/electron-app/out/make/squirrel.windows/x64/Nuclia-Sync-Setup.exe
\ No newline at end of file
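Review bot: The `build` step puts `CERTIFICATE_PASSWORD`, `CERTIFICATE_CONTAINER_ID` and `CERTIFICATE_READER` into the environment of `npm run make-win`, so every npm script and dependency that runs during packaging can read the token PIN, although only the `signtool.exe` call needs it. Splitting signing into its own step, as sketched below, keeps those values out of the build; whether `make-win` needs `GITHUB_TOKEN` at all is not visible here and is worth checking. The step also signs on every push to `main` while the upload is gated on `steps.release.outputs.released == 'true'`, so the same condition on the signing step would avoid using the certificate for installers that are never published. Separately, `actions/setup-node@master`, `justincy/github-action-npm-release@2.0.2` and `softprops/action-gh-release@v1` are mutable refs in a job on the self-hosted runner that apparently holds the signing token (the first two are also used in build.yml); pinning each to a full commit SHA removes the dependency on upstream tags staying unchanged.

```yaml
      - name: build
        # GITHUB_TOKEN kept here only if make-win turns out to need it
        run: |
          Copy-Item server/src electron-app/src/sync-agent -r
          npm run make-win

      - name: sign installer
        if: steps.release.outputs.released == 'true'
        env:
          CERTIFICATE_PASSWORD: ${{ secrets.CERTIFICATE_PASSWORD }}
          CERTIFICATE_CONTAINER_ID: ${{ secrets.CERTIFICATE_CONTAINER_ID }}
          CERTIFICATE_READER: ${{ secrets.CERTIFICATE_READER }}
        run: |
          # … unchanged: signtool.exe sign invocation …
```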
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 321047c..27521c6 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -3,37 +3,43 @@ on: push: branches: - main - pull_request: - branches: - - main + jobs: build_job: - runs-on: ${{ matrix.os }} + runs-on: ${{ matrix.os }} strategy: matrix: - os: [ubuntu-latest] + os: [macos-latest, ubuntu-latest] steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + - uses: justincy/github-action-npm-release@2.0.2 + id: release + - uses: actions/setup-python@v5 + if: matrix.os == 'macos-latest' + with: + python-version: '3.11' - uses: actions/setup-node@master with: node-version: 20 - - name: install dependencies + - name: install dependencies electron-app run: npm install working-directory: electron-app - - name: install dependencies + - name: install dependencies server run: npm install working-directory: server - - name: lint/format + - name: lint/format electron-app env: CI: false run: npm run ci:format working-directory: electron-app - - name: lint/format + - name: lint/format server env: CI: false run: npm run ci:format 
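Review bot: Dropping the `pull_request` trigger means the lint, format and test steps of this job now run only once a commit is already on `main`, which is also the event that leads to signing and publishing. Nothing visible in this workflow checks a change before it reaches the release path. A separate check-only workflow on `pull_request` (install, `ci:format`, test, compile, with no secrets and no release action) would restore that gate without exposing the signing material to pull requests. The job's remaining steps continue outside this hunk.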
@@ -50,8 +56,28 @@ jobs: CI: false run: npm run compile working-directory: server + - name: Add MacOS certs + if: matrix.os == 'macos-latest' && steps.release.outputs.released == 'true' + run: chmod +x add-osx-cert.sh && ./add-osx-cert.sh + working-directory: electron-app + env: + CERTIFICATE_OSX_APPLICATION_BASE64: ${{ secrets.CERTIFICATE_OSX_APPLICATION_BASE64 }} + CERTIFICATE_OSX_PASSWORD: ${{ secrets.CERTIFICATE_OSX_PASSWORD }} + - name: Prepare for app notarization + if: matrix.os == 'macos-latest' && steps.release.outputs.released == 'true' + run: |- + mkdir -p ~/private_keys/ + echo '${{ secrets.APPLE_API_SECRET_BASE_64 }}' | base64 --decode > ~/private_keys/AuthKey_${{ secrets.APPLE_API_KEY_ID }}.p8 + - name: build and publish + if: steps.release.outputs.released == 'true' + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + APPLE_API_KEY: "~/private_keys/AuthKey_${{ secrets.APPLE_API_KEY_ID }}.p8" + APPLE_API_ISSUER: ${{ secrets.APPLE_API_ISSUER }} + APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }} + CI: false + run: npm run publish - # - name: build - # env: - # CI: false - # run: npm run make \ No newline at end of file + - name: build + if: steps.release.outputs.released != 'true' + run: npm run make \ No newline at end of file diff --git a/electron-app/.gitattributes b/electron-app/.gitattributes new file mode 100644 index 0000000..94f480d --- /dev/null +++ b/electron-app/.gitattributes @@ -0,0 +1 @@ +* text=auto eol=lf \ No newline at end of file diff --git a/electron-app/.prettierignore b/electron-app/.prettierignore index d9859ad..a406d07 100644 --- a/electron-app/.prettierignore +++ b/electron-app/.prettierignore @@ -3,4 +3,5 @@ node_modules out package.json package-lock.json -src/sync-agent \ No newline at end of file +src/sync-agent +forge.config.js \ No newline at end of file diff --git a/electron-app/add-osx-cert.sh b/electron-app/add-osx-cert.sh new file mode 100644 index 0000000..90fbaff --- /dev/null +++ b/electron-app/add-osx-cert.sh 
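Review bot: In `Prepare for app notarization` the secret is pasted into the script text by `${{ secrets.APPLE_API_SECRET_BASE_64 }}` before the shell runs, and the decoded `.p8` key is written with the default umask and never removed. Base64 text will not normally contain a quote, but expanding secrets into the script body is fragile and the same holds for `${{ secrets.APPLE_API_KEY_ID }}` in the file name. Passing both through `env:` and writing the file under `umask 077`, as below, avoids this; on a hosted runner the file disappears with the VM, but the step would leave the key behind if the job ever moved to a self-hosted machine like the Windows one.

```yaml
      - name: Prepare for app notarization
        if: matrix.os == 'macos-latest' && steps.release.outputs.released == 'true'
        env:
          APPLE_API_SECRET_BASE_64: ${{ secrets.APPLE_API_SECRET_BASE_64 }}
          APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
        run: |-
          umask 077
          mkdir -p ~/private_keys/
          printf '%s' "$APPLE_API_SECRET_BASE_64" | base64 --decode > ~/private_keys/AuthKey_"$APPLE_API_KEY_ID".p8
```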
@@ -0,0 +1,23 @@ +#!/usr/bin/env sh + +KEY_CHAIN=build.keychain +CERTIFICATE_P12=certificate.p12 + +# Recreate the certificate from the secure environment variable +echo $CERTIFICATE_OSX_APPLICATION_BASE64 | base64 --decode > $CERTIFICATE_P12 + +#create a keychain +security create-keychain -p actions $KEY_CHAIN + +# Make the keychain the default so identities are found +security default-keychain -s $KEY_CHAIN + +# Unlock the keychain +security unlock-keychain -p actions $KEY_CHAIN + +security import $CERTIFICATE_P12 -k $KEY_CHAIN -P $CERTIFICATE_OSX_PASSWORD -T /usr/bin/codesign; + +security set-key-partition-list -S apple-tool:,apple: -s -k actions $KEY_CHAIN + +# remove certs +rm -fr *.p12 \ No newline at end of file diff --git a/electron-app/entitlements.plist b/electron-app/entitlements.plist new file mode 100644 index 0000000..983f109 --- /dev/null +++ b/electron-app/entitlements.plist @@ -0,0 +1,16 @@ + + + + + com.apple.security.cs.allow-jit + + com.apple.security.cs.allow-unsigned-executable-memory + + com.apple.security.cs.disable-library-validation + + com.apple.security.cs.disable-executable-page-protection + + com.apple.security.automation.apple-events + + + \ No newline at end of file diff --git a/electron-app/forge.config.js b/electron-app/forge.config.js index ad3c94a..5cd8ea9 100644 --- a/electron-app/forge.config.js +++ b/electron-app/forge.config.js @@ -4,6 +4,19 @@ module.exports = { icon: 'public/logo.*', name: 'Nuclia sync', executableName: 'nuclia-sync-agent', + osxSign: { + entitlements: 'entitlements.plist', + 'entitlements-inherit': 'entitlements.plist', + 'gatekeeper-assess': false, + hardenedRuntime: true, + identity: 'Developer ID Application: BOSUTECH XXI SL (DF2C2RHNCR)', + }, + osxNotarize: { + tool: 'notarytool', + appleApiKey: process.env.APPLE_API_KEY, + appleApiKeyId: process.env.APPLE_API_KEY_ID, + appleApiIssuer: process.env.APPLE_API_ISSUER, + }, }, rebuildConfig: {}, makers: [ 
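Review bot: The script has no `set -e`, so when the base64 decode or `security import` fails it carries on and exits with the status of the final `rm -fr`, and the workflow moves on to the publish step without a usable identity. `$CERTIFICATE_OSX_APPLICATION_BASE64`, `$CERTIFICATE_P12` and `$CERTIFICATE_OSX_PASSWORD` are unquoted, so a password containing whitespace or glob characters is split before it reaches `security import -P`. The decoded `.p12` is removed only on the last line; a `trap` removes it on failure as well, and `rm -f "$CERTIFICATE_P12"` is narrower than `rm -fr *.p12`. The fixed keychain password `actions` is acceptable on a throwaway hosted runner but deserves a comment saying so.

```shell
#!/usr/bin/env sh
set -eu

# … unchanged: KEY_CHAIN and CERTIFICATE_P12 assignments …

# Remove the decoded certificate even when a later command fails
trap 'rm -f "$CERTIFICATE_P12"' EXIT

umask 077
printf '%s' "$CERTIFICATE_OSX_APPLICATION_BASE64" | base64 --decode > "$CERTIFICATE_P12"

# … unchanged: create-keychain, default-keychain, unlock-keychain …

security import "$CERTIFICATE_P12" -k "$KEY_CHAIN" -P "$CERTIFICATE_OSX_PASSWORD" -T /usr/bin/codesign
```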
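Review bot: This entitlement list requests `com.apple.security.cs.allow-unsigned-executable-memory`, `com.apple.security.cs.disable-executable-page-protection` and `com.apple.security.cs.disable-library-validation` on top of `com.apple.security.cs.allow-jit`, which together switch off most of the memory and library protections that `hardenedRuntime: true` in forge.config.js is meant to provide. The key values are not visible on this page, so this assumes each is set to true. Electron apps commonly need `allow-jit`; the other three are worth keeping only where a concrete failure requires them (for example `disable-library-validation` for a native module signed by a different team), with an XML comment beside each key recording the reason.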
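Review bot: `osxSign` and `osxNotarize` are added unconditionally, but build.yml imports the certificate and writes the API key only when `steps.release.outputs.released == 'true'`, so the non-release `npm run make` on macOS runs with a signing identity that is presumably absent and with `appleApiKey`, `appleApiKeyId` and `appleApiIssuer` all `undefined`. How Electron Forge reacts to that is not visible here; including both blocks only when `process.env.APPLE_API_KEY` is set, and throwing when it is set but the key id or issuer is missing, would make a release fail loudly instead of shipping unsigned or un-notarized. `'gatekeeper-assess': false` would also benefit from a comment explaining why the assessment is skipped. The enclosing config object starts outside this hunk.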
@@ -12,7 +25,7 @@ module.exports = { config: { // An URL to an ICO file to use as the application icon (displayed in Control Panel > Programs and Features). iconUrl: 'https://storage.googleapis.com/iskra/logo.ico', - setupExe: `Nuclia-Sync-Setup.exe`, + setupExe: 'Nuclia-Sync-Setup.exe', }, }, { diff --git a/electron-app/package-lock.json b/electron-app/package-lock.json index 01c3d69..7079cfa 100644 --- a/electron-app/package-lock.json +++ b/electron-app/package-lock.json @@ -19,6 +19,7 @@ "localstorage-polyfill": "^1.0.1", "mime-types": "^2.1.35", "rxjs": "^7.8.1", + "socks": "^2.7.3", "typescript": "^5.2.2", "uuid": "^9.0.1", "zod": "^3.22.4" @@ -4564,7 +4565,6 @@ "version": "9.0.5", "resolved": "https://registry.npmjs.org/ip-address/-/ip-address-9.0.5.tgz", "integrity": "sha512-zHtQzGojZXTwZTHQqra+ETKd4Sn3vgi7uBmlPoXVWZqYvuKmtI0l/VZTjqGmJY9x88GGOaZ9+G9ES8hC4T4X8g==", - "dev": true, "dependencies": { "jsbn": "1.1.0", "sprintf-js": "^1.1.3" @@ -4777,8 +4777,7 @@ "node_modules/jsbn": { "version": "1.1.0", "resolved": "https://registry.npmjs.org/jsbn/-/jsbn-1.1.0.tgz", - "integrity": "sha512-4bYVV3aAMtDTTu4+xsDYa6sy9GyJ69/amsu9sYF2zqjiEoZA5xJi3BrfX3uY+/IekIu7MwdObdbDWpoZdBv3/A==", - "dev": true + "integrity": "sha512-4bYVV3aAMtDTTu4+xsDYa6sy9GyJ69/amsu9sYF2zqjiEoZA5xJi3BrfX3uY+/IekIu7MwdObdbDWpoZdBv3/A==" }, "node_modules/json-buffer": { "version": "3.0.1", 
@@ -6683,17 +6682,15 @@ "version": "4.2.0", "resolved": "https://registry.npmjs.org/smart-buffer/-/smart-buffer-4.2.0.tgz", "integrity": "sha512-94hK0Hh8rPqQl2xXc3HsaBoOXKV20MToPkcXvwbISWLEs+64sBq5kFgn2kJDHb1Pry9yrP0dxrCI9RRci7RXKg==", - "dev": true, "engines": { "node": ">= 6.0.0", "npm": ">= 3.0.0" } }, "node_modules/socks": { - "version": "2.7.1", - "resolved": "https://registry.npmjs.org/socks/-/socks-2.7.1.tgz", - "integrity": "sha512-7maUZy1N7uo6+WVEX6psASxtNlKaNVMlGQKkG/63nEDdLOWNbiUMoLK7X4uYoLhQstau72mLgfEWcXcwsaHbYQ==", - "dev": true, + "version": "2.7.3", + "resolved": "https://registry.npmjs.org/socks/-/socks-2.7.3.tgz", + "integrity": "sha512-vfuYK48HXCTFD03G/1/zkIls3Ebr2YNa4qU9gHDZdblHLiqhJrJGkY3+0Nx0JpN9qBhJbVObc1CNciT1bIZJxw==", "dependencies": { "ip-address": "^9.0.5", "smart-buffer": "^4.2.0" @@ -6770,7 +6767,6 @@ }, "node_modules/sprintf-js": { "version": "1.1.3", - "dev": true, "license": "BSD-3-Clause" }, "node_modules/ssri": { diff --git a/electron-app/package.json b/electron-app/package.json index e7f4adc..9dcbbe0 100644 --- a/electron-app/package.json +++ b/electron-app/package.json @@ -9,11 +9,11 @@ "start": "npm run compile && electron-forge start", "package": "electron-forge package", "make": "npm run compile && electron-forge make", - "publish": "electron-forge publish", - "lint": "eslint .", - "format:check": "prettier . --check", - "format": "prettier . --write", - "ci:format": "prettier . --check && eslint ." + "publish": "npm run compile && electron-forge publish", + "lint": "eslint src/index.ts", + "format:check": "prettier src/index.ts --check", + "format": "prettier src/index.ts --write", + "ci:format": "prettier src/index.ts --check && eslint ." }, "keywords": [], "author": { @@ -32,6 +32,7 @@ "localstorage-polyfill": "^1.0.1", "mime-types": "^2.1.35", "rxjs": "^7.8.1", + "socks": "^2.7.3", "typescript": "^5.2.2", "uuid": "^9.0.1", "zod": "^3.22.4" diff --git a/package.json b/package.json index 1560563..a0d3f60 100644 
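Review bot: In electron-app/package.json, `lint`, `format:check` and `format` now cover only `src/index.ts`, and `ci:format` checks formatting for that one file while still running `eslint .`, so the rest of the app's hand-written sources are no longer format-checked in CI and `lint` and `ci:format` disagree on scope. If the aim was to skip the copied `src/sync-agent` tree or generated files, `.prettierignore` (which this commit already extends) and an ESLint ignore entry express that without dropping coverage. Keeping `prettier . --check && eslint .` in `ci:format` and `eslint .` in `lint` would preserve the previous checks.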
--- a/package.json +++ b/package.json @@ -6,7 +6,9 @@ "scripts": { "copy-server-to-electron": "rm -rf electron-app/src/sync-agent && cp -r server/src electron-app/src/sync-agent", "start": "npm run copy-server-to-electron && cd electron-app && npm run start", - "make": "npm run copy-server-to-electron && cd electron-app && npm run make" + "make": "npm run copy-server-to-electron && cd electron-app && npm run make", + "publish": "npm run copy-server-to-electron && cd electron-app && npm run publish", + "make-win": "cd electron-app && npm run make" }, "keywords": [ "electron", diff --git a/server/.gitattributes b/server/.gitattributes new file mode 100644 index 0000000..94f480d --- /dev/null +++ b/server/.gitattributes @@ -0,0 +1 @@ +* text=auto eol=lf \ No newline at end of file
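Review bot: `make-win` runs `npm run make` in `electron-app` without the `copy-server-to-electron` step that `make` and `publish` perform, so it packages whatever is already in `electron-app/src/sync-agent`. The Windows workflow does the copy itself with `Copy-Item`, but a local or repeated invocation can produce, and then sign, an installer built from stale or missing server sources. A portable copy step (a small Node script instead of `rm -rf` and `cp -r`) would let `make`, `publish` and `make-win` share one implementation.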