CI: update workflows to use Azure Trusted Signing #44
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build | |
on: | |
push: | |
branches: [main] | |
pull_request: | |
permissions: | |
id-token: write | |
contents: read | |
env: | |
GO_VERSION: '1.23' | |
jobs: | |
build: | |
name: Build | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Set up Go | |
uses: actions/setup-go@v5 | |
with: | |
go-version: ${{ env.GO_VERSION }} | |
- name: Build | |
run: | | |
go install github.com/tc-hib/go-winres@latest | |
GIT_COMMIT=`git describe --always --dirty` | |
LATEST_TAG=$(git describe --tags $(git rev-list --tags --max-count=1)) | |
NUM_COMMITS_FROM_TAG=$(git rev-list ${LATEST_TAG}.. --count) | |
VERSION=$(echo "${LATEST_TAG}" | awk -F. -v OFS=. '{$NF++;print}')-dev.${NUM_COMMITS_FROM_TAG} | |
FILE_VERSION=${LATEST_TAG:1}.${NUM_COMMITS_FROM_TAG} | |
mkdir bin | |
go-winres simply --arch amd64 --product-version $VERSION-$GIT_COMMIT --file-version $FILE_VERSION --file-description "SFTPGo plugin KMS" --product-name "SFTPGo plugin KMS" --copyright "AGPL-3.0" --original-filename sftpgo-plugin-kms-windows-x86_64.exe --icon res/icon.ico | |
CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -trimpath -ldflags "-s -w -X main.commitHash=`git describe --always --dirty` -X main.date=`date -u +%FT%TZ`" -o bin/sftpgo-plugin-kms-windows-x86_64.exe | |
go-winres simply --arch arm64 --product-version $VERSION-$GIT_COMMIT --file-version $FILE_VERSION --file-description "SFTPGo plugin KMS" --product-name "SFTPGo plugin KMS" --copyright "AGPL-3.0" --original-filename sftpgo-plugin-kms-windows-arm64.exe --icon res/icon.ico | |
CGO_ENABLED=0 GOOS=windows GOARCH=arm64 go build -trimpath -ldflags "-s -w -X main.commitHash=`git describe --always --dirty` -X main.date=`date -u +%FT%TZ`" -o bin/sftpgo-plugin-kms-windows-arm64.exe | |
go-winres simply --arch 386 --product-version $VERSION-$GIT_COMMIT --file-version $FILE_VERSION --file-description "SFTPGo plugin KMS" --product-name "SFTPGo plugin KMS" --copyright "AGPL-3.0" --original-filename sftpgo-plugin-kms-windows-x86.exe --icon res/icon.ico | |
CGO_ENABLED=0 GOOS=windows GOARCH=386 go build -trimpath -ldflags "-s -w -X main.commitHash=`git describe --always --dirty` -X main.date=`date -u +%FT%TZ`" -o bin/sftpgo-plugin-kms-windows-x86.exe | |
CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -trimpath -ldflags "-s -w -X main.commitHash=`git describe --always --dirty` -X main.date=`date -u +%FT%TZ`" -o bin/sftpgo-plugin-kms-linux-amd64 | |
CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -trimpath -ldflags "-s -w -X main.commitHash=`git describe --always --dirty` -X main.date=`date -u +%FT%TZ`" -o bin/sftpgo-plugin-kms-linux-arm64 | |
CGO_ENABLED=0 GOOS=linux GOARCH=arm GOARM=7 go build -trimpath -ldflags "-s -w -X main.commitHash=`git describe --always --dirty` -X main.date=`date -u +%FT%TZ`" -o bin/sftpgo-plugin-kms-linux-armv7 | |
CGO_ENABLED=0 GOOS=linux GOARCH=ppc64le go build -trimpath -ldflags "-s -w -X main.commitHash=`git describe --always --dirty` -X main.date=`date -u +%FT%TZ`" -o bin/sftpgo-plugin-kms-linux-ppc64le | |
CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -trimpath -ldflags "-s -w -X main.commitHash=`git describe --always --dirty` -X main.date=`date -u +%FT%TZ`" -o bin/sftpgo-plugin-kms-darwin-amd64 | |
CGO_ENABLED=0 GOOS=darwin GOARCH=arm64 go build -trimpath -ldflags "-s -w -X main.commitHash=`git describe --always --dirty` -X main.date=`date -u +%FT%TZ`" -o bin/sftpgo-plugin-kms-darwin-arm64 | |
shell: bash | |
- name: Upload build artifact | |
uses: actions/upload-artifact@v4 | |
with: | |
name: sftpgo-plugin-kms | |
path: bin | |
sign-windows-binaries: | |
name: Sign Windows binaries | |
if: ${{ github.event_name != 'pull_request' }} | |
environment: signing | |
needs: [build] | |
runs-on: windows-latest | |
steps: | |
- name: Download artifact | |
uses: actions/download-artifact@v4 | |
with: | |
name: sftpgo-plugin-kms | |
path: ${{ github.workspace }}/bin | |
- name: Azure login | |
uses: azure/login@v2 | |
with: | |
client-id: ${{ secrets.AZURE_CLIENT_ID }} | |
tenant-id: ${{ secrets.AZURE_TENANT_ID }} | |
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
- name: Sign | |
uses: azure/trusted-signing-action@v0.5.0 | |
with: | |
endpoint: https://eus.codesigning.azure.net/ | |
trusted-signing-account-name: nicola | |
certificate-profile-name: SFTPGo | |
files: | | |
${{ github.workspace }}\bin\sftpgo-plugin-kms-windows-x86_64.exe | |
${{ github.workspace }}\bin\sftpgo-plugin-kms-windows-arm64.exe | |
${{ github.workspace }}\bin\sftpgo-plugin-kms-windows-x86.exe | |
file-digest: SHA256 | |
timestamp-rfc3161: http://timestamp.acs.microsoft.com | |
timestamp-digest: SHA256 | |
exclude-environment-credential: true | |
exclude-workload-identity-credential: true | |
exclude-managed-identity-credential: true | |
exclude-shared-token-cache-credential: true | |
exclude-visual-studio-credential: true | |
exclude-visual-studio-code-credential: true | |
exclude-azure-cli-credential: false | |
exclude-azure-powershell-credential: true | |
exclude-azure-developer-cli-credential: true | |
exclude-interactive-browser-credential: true | |
- name: Upload build artifact | |
uses: actions/upload-artifact@v4 | |
with: | |
name: sftpgo-plugin-kms | |
path: bin | |
overwrite: true |