diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 0000000..4c6459f
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,32 @@
+name: build
+on:
+ workflow_dispatch:
+ pull_request:
+ types: [opened, synchronize, reopened]
+ push:
+ branches:
+ - trunk
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ submodules: recursive
+
+ - name: Install Python
+ uses: actions/setup-python@v4
+ with:
+ python-version: 3.13
+
+ - name: Make Package
+ run: |
+ make package
+
+ - name: Upload Artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: spice.unsigned.taco
+ path: spice.taco
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9cdae53..6ca2a16 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
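Review bot: `python-version: 3.13` is an unquoted float, so the same pattern breaks on the next bump (`3.10` parses as `3.1`); write `python-version: '3.13'` as setup-python's own examples do. The workflow declares no `permissions:` block, so the job runs with whatever the repository's default token permissions are although it only needs to check out code; add a top-level `permissions:` with `contents: read`. Since the `pull_request` trigger also runs `make package` and uploads `spice.unsigned.taco` for fork branches, and release.yml in this same diff downloads that artifact by run id for signing, the artifact name alone does not say whether it was built from trusted code; consider gating the Upload Artifact step with `if: github.event_name == 'push'` so only trunk builds publish the unsigned package.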
@@ -1,36 +1,67 @@ name: release on: workflow_dispatch: + inputs: + workflow_run_id: + description: 'ID of the workflow run to fetch artifacts from' + required: true + type: string + signed_binary_name: + description: 'Name of the signed binary' + required: false + default: 'spiceai.taco' + type: string release: types: [created] + jobs: - build: - runs-on: macos-latest + release: + runs-on: code-signing + environment: signed_release steps: - name: Checkout uses: actions/checkout@v4 with: submodules: recursive - - name: Install Python - uses: actions/setup-python@v4 + - name: Download Artifact + uses: actions/download-artifact@v4 with: - python-version: 3.13 + name: spice.unsigned.taco + github-token: ${{ secrets.GITHUB_TOKEN }} + run-id: ${{ inputs.workflow_run_id }} - - name: Install Make + - name: Copy unsigned taco run: | - brew install make + cp spice.taco ${{ inputs.signed_binary_name }} + echo "Signed binary name: ${{ inputs.signed_binary_name }}" - - name: Package (unsigned) - run: | - make package - mv spice.taco spice_unsigned.taco + - name: Set up Java for signing + uses: actions/setup-java@v4 + with: + java-version: '11' + distribution: 'zulu' + + - name: Sign ${{ inputs.signed_binary_name }} + shell: powershell + env: + DIGICERT_TOKEN_PASSWORD: ${{ secrets.DIGICERT_TOKEN_PASSWORD }} + DIGICERT_KEY_ALIAS: ${{ secrets.DIGICERT_KEY_ALIAS }} + DIGICERT_TOKEN_CFG_PATH: ${{ secrets.DIGICERT_TOKEN_CFG_PATH }} + SIGNED_BINARY_NAME: ${{ inputs.signed_binary_name }} + run: .\sign.ps1 + + - name: Upload ${{ inputs.signed_binary_name }} + uses: actions/upload-artifact@v4 + with: + name: ${{ inputs.signed_binary_name }} + path: ${{ inputs.signed_binary_name }} - - name: Upload + - name: Upload to release uses: softprops/action-gh-release@v2 if: startsWith(github.ref, 'refs/tags/') with: draft: true prerelease: true fail_on_unmatched_files: true - files: spice_unsigned.taco \ No newline at end of file + files: ${{ inputs.signed_binary_name }} 
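Review bot: `run-id: ${{ inputs.workflow_run_id }}` lets the dispatcher name any run in the repository, including a `pull_request` build of a fork branch produced by build.yml, and the job then signs whatever `spice.taco` that run uploaded without checking its provenance; before the Download Artifact step, verify the run's event and head branch (for example via `gh run view "$RUN_ID" --json event,headBranch`) and fail unless it was a `push` to `trunk`. The `inputs.*` expressions are also expanded straight into shell text in the Copy step (`cp spice.taco ${{ inputs.signed_binary_name }}`); pass them through `env:` as the Sign step already does for `SIGNED_BINARY_NAME` and reference the variable in the script so the value is never interpolated into the command. The `release: types: [created]` trigger is kept, but `inputs.workflow_run_id` is only populated for `workflow_dispatch`, so a release-created run reaches `run-id:` with an empty value and presumably cannot succeed; either drop that trigger or guard the job with `if: github.event_name == 'workflow_dispatch'`.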
diff --git a/sign.ps1 b/sign.ps1
new file mode 100644
index 0000000..c3277f6
--- /dev/null
+++ b/sign.ps1
@@ -0,0 +1,31 @@
+echo "Signing with Digicert Token"
+
+# Check if the required environment variables are set
+if (-not $env:DIGICERT_TOKEN_PASSWORD) {
+ Write-Host "Error: DIGICERT_TOKEN_PASSWORD environment variable is not set."
+ exit 1
+}
+if (-not $env:DIGICERT_TOKEN_CFG_PATH) {
+ Write-Host "Error: DIGICERT_TOKEN_CFG_PATH environment variable is not set."
+ exit 1
+}
+if (-not $env:DIGICERT_KEY_ALIAS) {
+ Write-Host "Error: DIGICERT_KEY_ALIAS environment variable is not set."
+ exit 1
+}
+if (-not $env:SIGNED_BINARY_NAME) {
+ Write-Host "Error: SIGNED_BINARY_NAME environment variable is not set."
+ exit 1
+}
+
+jarsigner -verbose `
+ -tsa http://timestamp.digicert.com `
+ -keystore NONE `
+ -storetype PKCS11 `
+ -storepass $env:DIGICERT_TOKEN_PASSWORD `
+ -providerClass sun.security.pkcs11.SunPKCS11 `
+ -providerArg "$env:DIGICERT_TOKEN_CFG_PATH" `
+ -sigalg SHA256withRSA `
+ -signedjar $env:SIGNED_BINARY_NAME `
+ spice.taco `
+ "$env:DIGICERT_KEY_ALIAS"
\ No newline at end of file
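Review bot: `-storepass $env:DIGICERT_TOKEN_PASSWORD` puts the token password on the jarsigner command line, where it is readable from the process table of the self-hosted signing runner for the duration of the call; jarsigner can read it from the environment instead with `-storepass:env DIGICERT_TOKEN_PASSWORD`, which keeps it out of the argument list (the existing `$env:` presence check still applies). The script also never inspects jarsigner's outcome, so a failed or partial signing presumably leaves the workflow to continue with whatever is on disk; add `if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }` after the call and consider a `jarsigner -verify -strict $env:SIGNED_BINARY_NAME` pass so the produced file is checked before upload. The opening `echo` sits next to `Write-Host` used everywhere else; pick one for consistency.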