build-windows.yaml
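# Builds the Windows binaries, signs them when a code-signing certificate is
# configured, and publishes a GitHub release for tag builds.
#
# NOTE(review): every `uses:` below references a mutable tag (@v4, @v3, @v1).
# Pinning each action to a full commit SHA keeps a re-pointed tag from running
# alongside the signing secrets or the release job's write token.
name: Build Windows
on:
  workflow_dispatch:
  push:
    branches:
      - master
      - 'release**'
    tags:
      - 'v**'
jobs:
  build:
    name: Build windows binaries
    runs-on: windows-latest
    timeout-minutes: 20
    # Least privilege: this job only reads the repository. Without an explicit
    # block it inherits the repository's default GITHUB_TOKEN permissions.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - name: Use Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '16'
      - name: Run build
        env:
          CI: true
          PKG_CACHE_PATH: ${{ runner.temp }}
        run: |
          # try and avoid timeout errors
          yarn config set network-timeout 100000 -g
          yarn do:build-win32:ci
      # NOTE(review): continue-on-error means a signing failure does not fail
      # the job, so unsigned executables can still be uploaded and released.
      # Whether `yarn verify:build-win32` checks signatures is not visible
      # here - confirm, or drop continue-on-error for tag builds.
      - name: Sign executables
        shell: bash
        continue-on-error: true
        env:
          WINDOWS_CERTIFICATE: ${{ secrets.WINDOWS_CERTIFICATE }}
          # Passed through the environment instead of being expanded into the
          # script text, so the password is never written into the generated
          # script file and quotes or `$` in it are not interpreted by bash.
          WINDOWS_CERTIFICATE_PASSWORD: ${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }}
        run: |
          if [[ -n "$WINDOWS_CERTIFICATE" ]]; then
            # Remove the decoded private key when the step exits, on success
            # or failure, so later steps never see it in the workspace.
            trap 'rm -f certificate.pfx' EXIT
            # write certificate to file
            echo "$WINDOWS_CERTIFICATE" | base64 -d > certificate.pfx
            for FILE in deploy/*.exe; do
              echo "Trying to sign ${FILE}"
              # This path is a bit fragile, but necessary as no signtool is on the path.
              # If this path breaks, then find what versions of windows kits are installed
              # in the updated runner image https://github.com/actions/runner-images#available-images
              'C:/Program Files (x86)/Windows Kits/10/bin/10.0.17763.0/x86/signtool.exe' sign //fd SHA256 //f certificate.pfx //p "$WINDOWS_CERTIFICATE_PASSWORD" "$FILE"
            done
          else
            echo "No certificate found"
          fi
      - name: Verify build
        run: yarn verify:build-win32
        env:
          CI: true
      # NOTE(review): v3 of the artifact actions is deprecated upstream; move
      # this upload and the download in the release job to the same newer
      # major version together.
      - name: Upload artifacts
        uses: actions/upload-artifact@v3
        with:
          name: Windows
          path: deploy
  release:
    name: Create Release
    runs-on: ubuntu-latest
    # Only tag pushes publish a release.
    if: startsWith(github.ref, 'refs/tags/')
    needs:
      - build
    # contents: write is what lets this job create the release and attach files.
    permissions:
      contents: write
    steps:
      - name: Download artifact
        uses: actions/download-artifact@v3
        with:
          name: Windows
          path: deploy
      # Third-party action running with a write-scoped token: the strongest
      # candidate in this file for pinning to a reviewed commit SHA.
      - name: Create Release
        uses: softprops/action-gh-release@v1
        with:
          files: deploy/*
          # A '-' in the ref (e.g. a tag with a '-' suffix) marks a prerelease.
          prerelease: ${{ contains(github.ref, '-') }}
          fail_on_unmatched_files: true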