CI: update workflows to use Azure Trusted Signing
Signed-off-by: Nicola Murino <[email protected]>
drakkan committed Nov 23, 2024
1 parent 5b20f4e commit 7519b74
Showing 2 changed files with 133 additions and 35 deletions.
80 changes: 59 additions & 21 deletions .github/workflows/development.yml
Expand Up @@ -5,6 +5,10 @@ on:
branches: [main]
pull_request:

permissions:
id-token: write
contents: read

env:
GO_VERSION: '1.23'

Expand All @@ -25,10 +29,7 @@ jobs:

- name: Build
run: |
sudo apt-get update -q -y
sudo apt-get install -q -y osslsigncode
go install github.com/tc-hib/go-winres@latest
GIT_COMMIT=`git describe --always --dirty`
LATEST_TAG=$(git describe --always --tags $(git rev-list --tags --max-count=1))
NUM_COMMITS_FROM_TAG=$(git rev-list ${LATEST_TAG}.. --count)
Expand All @@ -37,40 +38,77 @@ jobs:
mkdir bin
go-winres simply --arch amd64 --product-version $VERSION-$GIT_COMMIT --file-version $FILE_VERSION --file-description "SFTPGo plugin geoipfilter" --product-name "SFTPGo plugin geoipfilter" --copyright "AGPL-3.0" --original-filename sftpgo-plugin-geoipfilter-windows-x86_64.exe --icon res/icon.ico
CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -trimpath -ldflags "-s -w -X github.com/sftpgo/sftpgo-plugin-geoipfilter/cmd.commitHash=`git describe --always --dirty` -X github.com/sftpgo/sftpgo-plugin-geoipfilter/cmd.buildDate=`date -u +%FT%TZ`" -o sftpgo-plugin-geoipfilter-windows-x86_64.exe
CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -trimpath -ldflags "-s -w -X github.com/sftpgo/sftpgo-plugin-geoipfilter/cmd.commitHash=`git describe --always --dirty` -X github.com/sftpgo/sftpgo-plugin-geoipfilter/cmd.buildDate=`date -u +%FT%TZ`" -o bin/sftpgo-plugin-geoipfilter-windows-x86_64.exe
go-winres simply --arch arm64 --product-version $VERSION-$GIT_COMMIT --file-version $FILE_VERSION --file-description "SFTPGo plugin geoipfilter" --product-name "SFTPGo plugin geoipfilter" --copyright "AGPL-3.0" --original-filename sftpgo-plugin-geoipfilter-windows-arm64.exe --icon res/icon.ico
CGO_ENABLED=0 GOOS=windows GOARCH=arm64 go build -trimpath -ldflags "-s -w -X github.com/sftpgo/sftpgo-plugin-geoipfilter/cmd.commitHash=`git describe --always --dirty` -X github.com/sftpgo/sftpgo-plugin-geoipfilter/cmd.buildDate=`date -u +%FT%TZ`" -o sftpgo-plugin-geoipfilter-windows-arm64.exe
CGO_ENABLED=0 GOOS=windows GOARCH=arm64 go build -trimpath -ldflags "-s -w -X github.com/sftpgo/sftpgo-plugin-geoipfilter/cmd.commitHash=`git describe --always --dirty` -X github.com/sftpgo/sftpgo-plugin-geoipfilter/cmd.buildDate=`date -u +%FT%TZ`" -o bin/sftpgo-plugin-geoipfilter-windows-arm64.exe
go-winres simply --arch 386 --product-version $VERSION-$GIT_COMMIT --file-version $FILE_VERSION --file-description "SFTPGo plugin geoipfilter" --product-name "SFTPGo plugin geoipfilter" --copyright "AGPL-3.0" --original-filename sftpgo-plugin-geoipfilter-windows-x86.exe --icon res/icon.ico
CGO_ENABLED=0 GOOS=windows GOARCH=386 go build -trimpath -ldflags "-s -w -X github.com/sftpgo/sftpgo-plugin-geoipfilter/cmd.commitHash=`git describe --always --dirty` -X github.com/sftpgo/sftpgo-plugin-geoipfilter/cmd.buildDate=`date -u +%FT%TZ`" -o sftpgo-plugin-geoipfilter-windows-x86.exe
if [ "${{ github.event_name }}" = "pull_request" ]; then
mv sftpgo-plugin-geoipfilter-windows-x86_64.exe bin/
mv sftpgo-plugin-geoipfilter-windows-arm64.exe bin/
mv sftpgo-plugin-geoipfilter-windows-x86.exe bin/
else
echo $CERT_DATA | base64 --decode > cert.pfx
osslsigncode sign -pkcs12 cert.pfx -pass $CERT_PASS -n "SFTPGo plugin geoipfilter" -i "https://github.com/sftpgo/sftpgo-plugin-geoipfilter" -ts "http://timestamp.sectigo.com" -h sha2 -in sftpgo-plugin-geoipfilter-windows-x86_64.exe -out bin/sftpgo-plugin-geoipfilter-windows-x86_64.exe
osslsigncode sign -pkcs12 cert.pfx -pass $CERT_PASS -n "SFTPGo plugin geoipfilter" -i "https://github.com/sftpgo/sftpgo-plugin-geoipfilter" -ts "http://timestamp.sectigo.com" -h sha2 -in sftpgo-plugin-geoipfilter-windows-arm64.exe -out bin/sftpgo-plugin-geoipfilter-windows-arm64.exe
osslsigncode sign -pkcs12 cert.pfx -pass $CERT_PASS -n "SFTPGo plugin geoipfilter" -i "https://github.com/sftpgo/sftpgo-plugin-geoipfilter" -ts "http://timestamp.sectigo.com" -h sha2 -in sftpgo-plugin-geoipfilter-windows-x86.exe -out bin/sftpgo-plugin-geoipfilter-windows-x86.exe
rm -f cert.pfx
fi
CGO_ENABLED=0 GOOS=windows GOARCH=386 go build -trimpath -ldflags "-s -w -X github.com/sftpgo/sftpgo-plugin-geoipfilter/cmd.commitHash=`git describe --always --dirty` -X github.com/sftpgo/sftpgo-plugin-geoipfilter/cmd.buildDate=`date -u +%FT%TZ`" -o bin/sftpgo-plugin-geoipfilter-windows-x86.exe
CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -trimpath -ldflags "-s -w -X github.com/sftpgo/sftpgo-plugin-geoipfilter/cmd.commitHash=`git describe --always --dirty` -X github.com/sftpgo/sftpgo-plugin-geoipfilter/cmd.buildDate=`date -u +%FT%TZ`" -o bin/sftpgo-plugin-geoipfilter-linux-amd64
CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -trimpath -ldflags "-s -w -X github.com/sftpgo/sftpgo-plugin-geoipfilter/cmd.commitHash=`git describe --always --dirty` -X github.com/sftpgo/sftpgo-plugin-geoipfilter/cmd.buildDate=`date -u +%FT%TZ`" -o bin/sftpgo-plugin-geoipfilter-linux-arm64
CGO_ENABLED=0 GOOS=linux GOARCH=arm GOARM=7 go build -trimpath -ldflags "-s -w -X github.com/sftpgo/sftpgo-plugin-geoipfilter/cmd.commitHash=`git describe --always --dirty` -X github.com/sftpgo/sftpgo-plugin-geoipfilter/cmd.buildDate=`date -u +%FT%TZ`" -o bin/sftpgo-plugin-geoipfilter-linux-armv7
CGO_ENABLED=0 GOOS=linux GOARCH=ppc64le go build -trimpath -ldflags "-s -w -X github.com/sftpgo/sftpgo-plugin-geoipfilter/cmd.commitHash=`git describe --always --dirty` -X github.com/sftpgo/sftpgo-plugin-geoipfilter/cmd.buildDate=`date -u +%FT%TZ`" -o bin/sftpgo-plugin-geoipfilter-linux-ppc64le
CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -trimpath -ldflags "-s -w -X github.com/sftpgo/sftpgo-plugin-geoipfilter/cmd.commitHash=`git describe --always --dirty` -X github.com/sftpgo/sftpgo-plugin-geoipfilter/cmd.buildDate=`date -u +%FT%TZ`" -o bin/sftpgo-plugin-geoipfilter-darwin-amd64
CGO_ENABLED=0 GOOS=darwin GOARCH=arm64 go build -trimpath -ldflags "-s -w -X github.com/sftpgo/sftpgo-plugin-geoipfilter/cmd.commitHash=`git describe --always --dirty` -X github.com/sftpgo/sftpgo-plugin-geoipfilter/cmd.buildDate=`date -u +%FT%TZ`" -o bin/sftpgo-plugin-geoipfilter-darwin-arm64
shell: bash
env:
CERT_DATA: ${{ secrets.CERT_DATA }}
CERT_PASS: ${{ secrets.CERT_PASS }}

- name: Upload build artifact
uses: actions/upload-artifact@v4
with:
name: sftpgo-plugin-geoipfilter
path: bin

sign-windows-binaries:
name: Sign Windows binaries
if: ${{ github.event_name != 'pull_request' }}
environment: signing
needs: [build]
runs-on: windows-latest

steps:
- name: Download artifact
uses: actions/download-artifact@v4
with:
name: sftpgo-plugin-geoipfilter
path: ${{ github.workspace }}/bin

- name: Azure login
uses: azure/login@v2
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

- name: Sign
uses: azure/[email protected]
with:
endpoint: https://eus.codesigning.azure.net/
trusted-signing-account-name: nicola
certificate-profile-name: SFTPGo
files: |
${{ github.workspace }}\bin\sftpgo-plugin-geoipfilter-windows-x86_64.exe
${{ github.workspace }}\bin\sftpgo-plugin-geoipfilter-windows-arm64.exe
${{ github.workspace }}\bin\sftpgo-plugin-geoipfilter-windows-x86.exe
file-digest: SHA256
timestamp-rfc3161: http://timestamp.acs.microsoft.com
timestamp-digest: SHA256
exclude-environment-credential: true
exclude-workload-identity-credential: true
exclude-managed-identity-credential: true
exclude-shared-token-cache-credential: true
exclude-visual-studio-credential: true
exclude-visual-studio-code-credential: true
exclude-azure-cli-credential: false
exclude-azure-powershell-credential: true
exclude-azure-developer-cli-credential: true
exclude-interactive-browser-credential: true

- name: Upload build artifact
uses: actions/upload-artifact@v4
with:
name: sftpgo-plugin-geoipfilter
path: bin
overwrite: true

golangci-lint:
name: golangci-lint
runs-on: ubuntu-latest
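Review bot: The workflow-level `permissions:` block grants `id-token: write` to every job, including `build` (which also runs on `pull_request` and installs `go-winres@latest`) and `golangci-lint`, while only `sign-windows-binaries` actually exchanges that token with Azure. Scope it to the signing job: keep `contents: read` at workflow level, drop `id-token: write` there, and add under `sign-windows-binaries:` the lines `permissions:` / `id-token: write` / `contents: read`. The two steps that hold the federated token, `azure/login@v2` and `azure/[email protected]`, are referenced by mutable tags inside the job that can produce trusted signatures; pinning them to a full commit SHA (tag kept in a trailing comment) removes a tag-retarget path. The `exclude-*-credential` settings that restrict the signing action to the Azure CLI login and the `environment: signing` gate are the right shape, assuming the environment carries protection rules (reviewers or branch restrictions), which is not visible here.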
88 changes: 74 additions & 14 deletions .github/workflows/release.yml
Expand Up @@ -4,6 +4,10 @@ on:
push:
tags: 'v*'

permissions:
id-token: write
contents: write

env:
GO_VERSION: 1.23.3

Expand All @@ -22,26 +26,20 @@ jobs:

- name: Build
run: |
sudo apt-get update -q -y
sudo apt-get install -q -y osslsigncode
go install github.com/tc-hib/go-winres@latest
VERSION=${GITHUB_REF/refs\/tags\//}
GIT_COMMIT=`git describe --always --dirty`
FILE_VERSION=${VERSION:1}.0
mkdir bin
mkdir win
go-winres simply --arch amd64 --product-version $VERSION-$GIT_COMMIT --file-version $FILE_VERSION --file-description "SFTPGo plugin geoipfilter" --product-name "SFTPGo plugin geoipfilter" --copyright "AGPL-3.0" --original-filename sftpgo-plugin-geoipfilter-windows-x86_64.exe --icon res/icon.ico
CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -trimpath -ldflags "-s -w -X github.com/sftpgo/sftpgo-plugin-geoipfilter/cmd.commitHash=`git describe --always --dirty` -X github.com/sftpgo/sftpgo-plugin-geoipfilter/cmd.buildDate=`date -u +%FT%TZ`" -o sftpgo-plugin-geoipfilter-windows-x86_64.exe
CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -trimpath -ldflags "-s -w -X github.com/sftpgo/sftpgo-plugin-geoipfilter/cmd.commitHash=`git describe --always --dirty` -X github.com/sftpgo/sftpgo-plugin-geoipfilter/cmd.buildDate=`date -u +%FT%TZ`" -o win/sftpgo-plugin-geoipfilter-windows-x86_64.exe
go-winres simply --arch arm64 --product-version $VERSION-$GIT_COMMIT --file-version $FILE_VERSION --file-description "SFTPGo plugin geoipfilter" --product-name "SFTPGo plugin geoipfilter" --copyright "AGPL-3.0" --original-filename sftpgo-plugin-geoipfilter-windows-arm64.exe --icon res/icon.ico
CGO_ENABLED=0 GOOS=windows GOARCH=arm64 go build -trimpath -ldflags "-s -w -X github.com/sftpgo/sftpgo-plugin-geoipfilter/cmd.commitHash=`git describe --always --dirty` -X github.com/sftpgo/sftpgo-plugin-geoipfilter/cmd.buildDate=`date -u +%FT%TZ`" -o sftpgo-plugin-geoipfilter-windows-arm64.exe
CGO_ENABLED=0 GOOS=windows GOARCH=arm64 go build -trimpath -ldflags "-s -w -X github.com/sftpgo/sftpgo-plugin-geoipfilter/cmd.commitHash=`git describe --always --dirty` -X github.com/sftpgo/sftpgo-plugin-geoipfilter/cmd.buildDate=`date -u +%FT%TZ`" -o win/sftpgo-plugin-geoipfilter-windows-arm64.exe
go-winres simply --arch 386 --product-version $VERSION-$GIT_COMMIT --file-version $FILE_VERSION --file-description "SFTPGo plugin geoipfilter" --product-name "SFTPGo plugin geoipfilter" --copyright "AGPL-3.0" --original-filename sftpgo-plugin-geoipfilter-windows-x86.exe --icon res/icon.ico
CGO_ENABLED=0 GOOS=windows GOARCH=386 go build -trimpath -ldflags "-s -w -X github.com/sftpgo/sftpgo-plugin-geoipfilter/cmd.commitHash=`git describe --always --dirty` -X github.com/sftpgo/sftpgo-plugin-geoipfilter/cmd.buildDate=`date -u +%FT%TZ`" -o sftpgo-plugin-geoipfilter-windows-x86.exe
echo $CERT_DATA | base64 --decode > cert.pfx
osslsigncode sign -pkcs12 cert.pfx -pass $CERT_PASS -n "SFTPGo plugin geoipfilter" -i "https://github.com/sftpgo/sftpgo-plugin-geoipfilter" -ts "http://timestamp.sectigo.com" -h sha2 -in sftpgo-plugin-geoipfilter-windows-x86_64.exe -out bin/sftpgo-plugin-geoipfilter-windows-x86_64.exe
osslsigncode sign -pkcs12 cert.pfx -pass $CERT_PASS -n "SFTPGo plugin geoipfilter" -i "https://github.com/sftpgo/sftpgo-plugin-geoipfilter" -ts "http://timestamp.sectigo.com" -h sha2 -in sftpgo-plugin-geoipfilter-windows-arm64.exe -out bin/sftpgo-plugin-geoipfilter-windows-arm64.exe
osslsigncode sign -pkcs12 cert.pfx -pass $CERT_PASS -n "SFTPGo plugin geoipfilter" -i "https://github.com/sftpgo/sftpgo-plugin-geoipfilter" -ts "http://timestamp.sectigo.com" -h sha2 -in sftpgo-plugin-geoipfilter-windows-x86.exe -out bin/sftpgo-plugin-geoipfilter-windows-x86.exe
rm -f cert.pfx *.exe *.syso
CGO_ENABLED=0 GOOS=windows GOARCH=386 go build -trimpath -ldflags "-s -w -X github.com/sftpgo/sftpgo-plugin-geoipfilter/cmd.commitHash=`git describe --always --dirty` -X github.com/sftpgo/sftpgo-plugin-geoipfilter/cmd.buildDate=`date -u +%FT%TZ`" -o win/sftpgo-plugin-geoipfilter-windows-x86.exe
CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -trimpath -ldflags "-s -w -X github.com/sftpgo/sftpgo-plugin-geoipfilter/cmd.commitHash=`git describe --always --dirty` -X github.com/sftpgo/sftpgo-plugin-geoipfilter/cmd.buildDate=`date -u +%FT%TZ`" -o bin/sftpgo-plugin-geoipfilter-linux-amd64
CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -trimpath -ldflags "-s -w -X github.com/sftpgo/sftpgo-plugin-geoipfilter/cmd.commitHash=`git describe --always --dirty` -X github.com/sftpgo/sftpgo-plugin-geoipfilter/cmd.buildDate=`date -u +%FT%TZ`" -o bin/sftpgo-plugin-geoipfilter-linux-arm64
Expand All @@ -50,16 +48,20 @@ jobs:
CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -trimpath -ldflags "-s -w -X github.com/sftpgo/sftpgo-plugin-geoipfilter/cmd.commitHash=`git describe --always --dirty` -X github.com/sftpgo/sftpgo-plugin-geoipfilter/cmd.buildDate=`date -u +%FT%TZ`" -o bin/sftpgo-plugin-geoipfilter-darwin-amd64
CGO_ENABLED=0 GOOS=darwin GOARCH=arm64 go build -trimpath -ldflags "-s -w -X github.com/sftpgo/sftpgo-plugin-geoipfilter/cmd.commitHash=`git describe --always --dirty` -X github.com/sftpgo/sftpgo-plugin-geoipfilter/cmd.buildDate=`date -u +%FT%TZ`" -o bin/sftpgo-plugin-geoipfilter-darwin-arm64
shell: bash
env:
CERT_DATA: ${{ secrets.CERT_DATA }}
CERT_PASS: ${{ secrets.CERT_PASS }}

- name: Upload Windows artifact
uses: actions/upload-artifact@v4
with:
name: win
path: win
retention-days: 1

- name: Prepare vendored sources
run: |
VERSION=${GITHUB_REF/refs\/tags\//}
go mod vendor
echo "${VERSION}" > VERSION.txt
tar --exclude=bin -cJvf sftpgo-plugin-geoipfilter_${VERSION}_src_with_deps.tar.xz *
tar --exclude=bin --exclude=win -cJvf sftpgo-plugin-geoipfilter_${VERSION}_src_with_deps.tar.xz *
- name: Create release
run: |
Expand All @@ -70,3 +72,61 @@ jobs:
gh release view "${VERSION}"
env:
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}

release-windows-binaries:
name: Release Windows binaries
environment: signing
needs: [build]
runs-on: windows-latest

steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0

- name: Download artifact
uses: actions/download-artifact@v4
with:
name: win

- name: Azure login
uses: azure/login@v2
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

- name: Sign
uses: azure/[email protected]
with:
endpoint: https://eus.codesigning.azure.net/
trusted-signing-account-name: nicola
certificate-profile-name: SFTPGo
files: |
${{ github.workspace }}\sftpgo-plugin-geoipfilter-windows-x86_64.exe
${{ github.workspace }}\sftpgo-plugin-geoipfilter-windows-arm64.exe
${{ github.workspace }}\sftpgo-plugin-geoipfilter-windows-x86.exe
file-digest: SHA256
timestamp-rfc3161: http://timestamp.acs.microsoft.com
timestamp-digest: SHA256
exclude-environment-credential: true
exclude-workload-identity-credential: true
exclude-managed-identity-credential: true
exclude-shared-token-cache-credential: true
exclude-visual-studio-credential: true
exclude-visual-studio-code-credential: true
exclude-azure-cli-credential: false
exclude-azure-powershell-credential: true
exclude-azure-developer-cli-credential: true
exclude-interactive-browser-credential: true

- name: Upload to release
run: |
VERSION=${GITHUB_REF/refs\/tags\//}
gh release upload "${VERSION}" sftpgo-plugin-geoipfilter-windows-x86_64.exe
gh release upload "${VERSION}" sftpgo-plugin-geoipfilter-windows-arm64.exe
gh release upload "${VERSION}" sftpgo-plugin-geoipfilter-windows-x86.exe
gh release view "${VERSION}"
shell: bash
env:
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
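Review bot: `id-token: write` is granted at workflow level together with `contents: write`, although only `release-windows-binaries` performs the OIDC exchange via `azure/login@v2`; the `build` job needs `contents: write` for `gh release create` but has no use for an ID token. Keep `contents: write` at workflow level, remove `id-token: write` there, and add under `release-windows-binaries:` the lines `permissions:` / `id-token: write` / `contents: write` (job-level permissions replace the workflow-level set, so `contents: write` must be repeated). As in the development workflow, `azure/login@v2` and `azure/[email protected]` are referenced by mutable tags inside the job that can mint release signatures; pin them to full commit SHAs. The `actions/checkout@v4` with `fetch-depth: 0` in this job appears to exist only to give `gh` a repository context for `gh release upload`; a default shallow checkout would do, while the 1-day retention on the unsigned `win` artifact is a sensible choice worth keeping.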
