diff --git a/.github/workflows/release-prod.yml b/.github/workflows/release-prod.yml index 5b782b091..01552b11b 100644 --- a/.github/workflows/release-prod.yml +++ b/.github/workflows/release-prod.yml @@ -251,6 +251,51 @@ jobs: CPAL_ASIO_DIR: ${{ github.workspace }}/asiosdk_2.3.3_2019-06-14 LIBCLANG_PATH: C:\Program Files\LLVM\bin NODE_OPTIONS: "--max_old_space_size=8192" + +# --- Signing process --- + - name: 'Google auth' + if: ${{ matrix.arch == 'x86_64-pc-windows-msvc' }} + id: 'auth' + uses: 'google-github-actions/auth@v2' + with: + workload_identity_provider: '${{ secrets.WIF_PROVIDER }}' + service_account: '${{ secrets.SERVICE_ACCOUNT }}' + + - name: 'Set up Cloud SDK' + if: ${{ matrix.arch == 'x86_64-pc-windows-msvc' }} + uses: 'google-github-actions/setup-gcloud@v2' + with: + project_id: 'shinkai-412316' + + + - name: Set up Java + if: ${{ matrix.arch == 'x86_64-pc-windows-msvc' }} + uses: actions/setup-java@v4 + with: + java-version: 17 + distribution: 'temurin' + - name: Download Jsign + run: wget https://github.com/ebourg/jsign/releases/download/7.0/jsign-7.0.jar + + - name: Cert to file + if: ${{ matrix.arch == 'x86_64-pc-windows-msvc' }} + run: | + echo -n "$EV_CODE_SIGNING_CERTIFICATE" | base64 --decode -o OS20241029372986.pem + + - name: Sign + if: ${{ matrix.arch == 'x86_64-pc-windows-msvc' }} + run: > + java -jar jsign.jar \ + --storetype GOOGLECLOUD \ + --storepass "$(gcloud auth print-access-token)" \ + --keystore "projects/shinkai-412316/locations/us/keyRings/shinkai-apps" \ + --alias "EVCodeSigning" \ + --certfile "OS20241029372986.pem" \ + --tsmode RFC3161 \ + --tsaurl http://timestamp.globalsign.com/tsa/r6advanced1 \ + ${{ matrix.build_output_file_path }} +# --- + - name: Prepare binary files id: prepare-files shell: bash