COR-1627: streamline windows node signing process #378

Workflow file for this run

.github/workflows/release.yaml at 21b04e4

	name: Windows signing streamlining

	on:
	push:
	branches: cor_1627_streamline_windows_signing_process

	env:
	UBUNTU_VERSION: '22.04'
	STATIC_LIBRARIES_IMAGE_TAG: 'rust-1.82_ghc-9.10.2'
	RUST_VERSION: '1.82'
	STACK_VERSION: '3.7.1'
	FLATBUFFERS_VERSION: '23.5.26'
	GHC_VERSION: '9.10.2'
	PROTOC_VERSION: '28.3'
	STATIC_NODE_BINARY_IMAGE_NAME: 'static-node-binaries'
	DOCKER_ARTIFACT_NAME: 'image'
	AWS_ROLE_TO_ASSUME: 'arn:aws:iam::192549843005:role/github_concordium-node'
	S3_ARN_TEMPLATES: '{
	\"database-exporter\": {\"bucket\": \"distribution.concordium.software\", \"dir\": \"tools/linux\", \"name\": \"database-exporter_${VERSION}.deb\"},
	\"p2p-bootstrapper\": {\"bucket\": \"distribution.concordium.software\", \"dir\": \"tools/linux\", \"name\": \"p2p-bootstrapper_${VERSION}.deb\"},
	\"node-stagenet-linux\": {\"bucket\": \"distribution.stagenet.concordium.com\", \"dir\": \"deb\", \"name\": \"concordium-stagenet-node_${VERSION}_amd64.deb\"},
	\"node-flynet-linux\": {\"bucket\": \"distribution.flynet.concordium.com\", \"dir\": \"deb\", \"name\": \"concordium-flynet-node_${VERSION}_amd64.deb\"},
	\"node-testnet-linux\": {\"bucket\": \"distribution.testnet.concordium.com\", \"dir\": \"deb\", \"name\": \"concordium-testnet-node_${VERSION}_amd64.deb\"},
	\"node-mainnet-linux\": {\"bucket\": \"distribution.mainnet.concordium.software\", \"dir\": \"deb\", \"name\": \"concordium-mainnet-node_${VERSION}_amd64.deb\"},
	\"node-macos\": {\"bucket\": \"distribution.concordium.software\", \"dir\": \"macos\", \"name\": \"concordium-node-${VERSION}.pkg\"},
	\"node-windows\": {\"bucket\": \"distribution.concordium.software\", \"dir\": \"windows\", \"name\": \"Node-${VERSION}.msi\"}
	}'
	DOCKER_TAGS_TEMPLATES: '{
	\"docker-stagenet\": \"concordium/stagenet-node:${VERSION}\",
	\"docker-testnet\": \"concordium/testnet-node:${VERSION}\",
	\"docker-mainnet\": \"concordium/mainnet-node:${VERSION}\",
	\"docker-bootstrapper\": \"concordium/bootstrapper:${VERSION}\"
	}'
	REGISTRY: docker.io
	SERVICE: "node-windows"

	permissions:
	id-token: write
	contents: read

	jobs:

	validate-preconditions:
	runs-on: ubuntu-latest
	outputs:
	s3_arns: ${{ steps.render.outputs.s3_arns }}
	docker_tags: ${{ steps.render.outputs.docker_tags }}
	release_type: ${{ steps.versions_derivation.outputs.release_type }}
	base_version: ${{ steps.versions_derivation.outputs.base_version }}
	version: ${{ steps.versions_derivation.outputs.version }}
	steps:
	- name: Checkout Repository
	uses: actions/checkout@v4

	- name: Validate version
	id: versions_derivation
	run: \|
	CARGO_VERSION=$(yq .package.version concordium-node/Cargo.toml)
	if [ -z "${{ env.SERVICE }}" ]; then
	IFS='-' read -r VERSION BUILD RELEASE_TYPE <<< "${{ github.ref_name }}"
	# if [ ! "$VERSION" = "$CARGO_VERSION" ]; then
	# echo "::error::${CARGO_VERSION} does not match ${VERSION}."
	# exit 1
	# fi
	else
	RELEASE_TYPE="${{ env.SERVICE }}"
	BUILD=$(git rev-parse --short HEAD)
	fi
	echo "::notice::RELEASE_TYPE=${RELEASE_TYPE}"
	echo "release_type=${RELEASE_TYPE}" >> "$GITHUB_OUTPUT"
	echo "version=${CARGO_VERSION}-${BUILD}" >> "$GITHUB_OUTPUT"
	echo "base_version=${CARGO_VERSION}" >> "$GITHUB_OUTPUT"

	# TODO (drsk) undo
	- name: Templates rendering
	id: render
	run: \|
	export VERSION="1.2.3.4"
	echo "s3_arns=${{ env.S3_ARN_TEMPLATES }}" >> $GITHUB_OUTPUT
	echo "docker_tags=${{ env.DOCKER_TAGS_TEMPLATES }}" >> $GITHUB_OUTPUT
	# - name: Templates rendering
	# id: render
	# run: \|
	# export VERSION="${{ steps.versions_derivation.outputs.version }}"
	# echo "s3_arns=${{ env.S3_ARN_TEMPLATES }}" >> $GITHUB_OUTPUT
	# echo "docker_tags=${{ env.DOCKER_TAGS_TEMPLATES }}" >> $GITHUB_OUTPUT

	node-windows:
	runs-on: windows-latest
	environment: release # This step needs to use the release context to access credentials for code signing.
	needs: [validate-preconditions]
	if: contains(fromJSON('["rc", "alpha", "node-windows"]'), needs.validate-preconditions.outputs.release_type)
	defaults:
	run:
	shell: pwsh
	steps:
	- name: Checkout Repository
	uses: actions/checkout@v4
	with:
	submodules: recursive

	- name: Install dependencies
	run: \|
	choco install yq jq -y
	shell: bash

	- name: Extrapolate artifact name
	run: \|
	ARTIFACT_NAME=$(echo '${{ needs.validate-preconditions.outputs.s3_arns }}' \| jq -r '.["${{ github.job }}"].name')
	echo "ARTIFACT_NAME=${ARTIFACT_NAME}" >> $GITHUB_ENV
	shell: bash

	- name: Install DigiCert Client tools (Windows only)
	id: digicert_client
	uses: digicert/[email protected]

	- name: Import Windows certificate (Windows only)
	id: windows_certificate
	env:
	# Base64 encoding of the pfx/p12 certificate for Windows code signing.
	SM_CLIENT_CERT_FILE_B64: ${{ secrets.WINDOWS_SM_CLIENT_CERT_FILE_B64 }}
	run: \|
	$CERTIFICATE_PATH_BASE64="$env:RUNNER_TEMP\cert-b64.txt"
	$CERTIFICATE_PATH="$env:RUNNER_TEMP\cert.pfx"

	Set-Content -Path $CERTIFICATE_PATH_BASE64 -Value $env:SM_CLIENT_CERT_FILE_B64
	certutil -decode $CERTIFICATE_PATH_BASE64 $CERTIFICATE_PATH
	echo "CERTIFICATE_PATH=$CERTIFICATE_PATH" >> $env:GITHUB_OUTPUT

	- name: Run smctl healthcheck to confirm if the tool is configured properly.
	working-directory: ${{steps.build.outputs.bin_dir}}
	env:
	WINDOWS_PKCS11_CONFIG: ${{ steps.digicert_client.outputs.PKCS11_CONFIG }}
	WINDOWS_SM_KEYPAIR_ALIAS: ${{ secrets.WINDOWS_SM_KEYPAIR_ALIAS }}
	SM_HOST: ${{ vars.WINDOWS_SM_HOST }}
	SM_API_KEY: ${{ secrets.WINDOWS_SM_API_KEY }}
	SM_CLIENT_CERT_FILE: ${{ steps.windows_certificate.outputs.CERTIFICATE_PATH }}
	SM_CLIENT_CERT_PASSWORD: ${{ secrets.WINDOWS_SM_CLIENT_CERT_PASSWORD }}
	run: \|
	smctl healthcheck --all
	shell: cmd

	- name: Install Rust
	uses: actions-rust-lang/setup-rust-toolchain@v1
	with:
	toolchain: ${{ env.RUST_VERSION }}-x86_64-pc-windows-msvc

	- name: Install Rust
	uses: actions-rust-lang/setup-rust-toolchain@v1
	with:
	toolchain: ${{ env.RUST_VERSION }}-x86_64-pc-windows-gnu

	- name: Setup node folder
	run: \|
	mkdir -p "C:/Program Files/node/include"
	Add-Content -Path $env:GITHUB_PATH -Value "C:/Program Files/node"

	- name: Install flatbuffers
	run: \|
	curl -L -O https://github.com/google/flatbuffers/releases/download/v${{ env.FLATBUFFERS_VERSION }}/Windows.flatc.binary.zip
	unzip Windows.flatc.binary.zip
	mv flatc.exe "C:/Program Files/node/"

	- name: Install protobuf (protoc)
	run: \|
	curl -L -O https://github.com/protocolbuffers/protobuf/releases/download/v${{ env.PROTOC_VERSION }}/protoc-${{ env.PROTOC_VERSION }}-win64.zip
	unzip protoc-${{ env.PROTOC_VERSION }}-win64.zip
	mv bin/protoc.exe "C:/Program Files/node/"
	mv include/* "C:/Program Files/node/include"

	- name: Setup Haskell
	uses: haskell-actions/setup@v2
	with:
	ghc-version: ${{ env.GHC_VERSION }}
	enable-stack: true
	stack-version: ${{ env.STACK_VERSION }}

	- uses: milliewalky/setup-7-zip@v1

	- name: Install GCC
	run: \|
	curl -L -O https://github.com/brechtsanders/winlibs_mingw/releases/download/14.2.0posix-19.1.1-12.0.0-msvcrt-r2/winlibs-x86_64-posix-seh-gcc-14.2.0-llvm-19.1.1-mingw-w64msvcrt-12.0.0-r2.7z
	7z x winlibs-x86_64-posix-seh-gcc-14.2.0-llvm-19.1.1-mingw-w64msvcrt-12.0.0-r2.7z -oC:/gcc
	Add-Content -Path $env:GITHUB_PATH -Value "C:/gcc/mingw64/bin"

	- name: Install LMDB
	run: stack exec -- pacman -S --noconfirm mingw-w64-x86_64-lmdb

	- name: Build and Sign Windows Node
	env:
	WINDOWS_PKCS11_CONFIG: ${{ steps.digicert_client.outputs.PKCS11_CONFIG }}
	WINDOWS_SM_KEYPAIR_ALIAS: ${{ secrets.WINDOWS_SM_KEYPAIR_ALIAS }}
	SM_HOST: ${{ vars.WINDOWS_SM_HOST }}
	SM_API_KEY: ${{ secrets.WINDOWS_SM_API_KEY }}
	SM_CLIENT_CERT_FILE: ${{ steps.windows_certificate.outputs.CERTIFICATE_PATH }}
	SM_CLIENT_CERT_PASSWORD: ${{ secrets.WINDOWS_SM_CLIENT_CERT_PASSWORD }}
	SM_ARGS: "--verbose --exit-non-zero-on-fail --failfast"
	run: \|
	./scripts/distribution/windows/build-all.ps1 -nodeVersion ${{ needs.validate-preconditions.outputs.version }} -rustVersion ${{ env.RUST_VERSION }}

	- name: Sign installer with smctl
	working-directory: ${{steps.build.outputs.bin_dir}}
	env:
	WINDOWS_PKCS11_CONFIG: ${{ steps.digicert_client.outputs.PKCS11_CONFIG }}
	WINDOWS_SM_KEYPAIR_ALIAS: ${{ secrets.WINDOWS_SM_KEYPAIR_ALIAS }}
	SM_HOST: ${{ vars.WINDOWS_SM_HOST }}
	SM_API_KEY: ${{ secrets.WINDOWS_SM_API_KEY }}
	SM_CLIENT_CERT_FILE: ${{ steps.windows_certificate.outputs.CERTIFICATE_PATH }}
	SM_CLIENT_CERT_PASSWORD: ${{ secrets.WINDOWS_SM_CLIENT_CERT_PASSWORD }}
	SM_ARGS: "--verbose --exit-non-zero-on-fail --failfast"
	run: \|
	smctl sign --keypair-alias ${{ env.WINDOWS_SM_KEYPAIR_ALIAS }} --input ./service/windows/installer/Node.msi --config-file ${{ env.WINDOWS_PKCS11_CONFIG }} ${{ env.SM_ARGS }}
	shell: cmd

	- name: Rename the package to target filename.
	run: \|
	cp ./service/windows/installer/Node.msi ./${{ env.ARTIFACT_NAME }}

	- name: Upload artifact
	uses: actions/upload-artifact@v4
	with:
	name: ${{ github.job }}
	path: ${{ env.ARTIFACT_NAME }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

COR-1627: streamline windows node signing process #378

Workflow file

COR-1627: streamline windows node signing process #378

Uh oh!

Workflow file for this run