[GHA] TPE signing service adoption
BoykoAlex committed Nov 7, 2024
1 parent c824872 commit d6281a0
Showing 3 changed files with 105 additions and 62 deletions.
2 changes: 1 addition & 1 deletion .github/scripts/sign-exe-in-zip-file.sh
Expand Up @@ -18,7 +18,7 @@ echo "Successfully extracted ${filename}"
sts_folder=`find ./${destination_folder_name} -maxdepth 1 -type d -name 'sts-*' -print -quit`
echo "Found STS distro folder: ${sts_folder}"
echo "About to sign win exe file: ${sts_folder}/SpringToolSuite4.exe (id = ${id})"
$sign_script ${sts_folder}/SpringToolSuite4.exe ${sts_folder}/SpringToolSuite4.exe $id
$sign_script ${sts_folder}/SpringToolSuite4.exe ${sts_folder}/SpringToolSuite4.exe "${id}-${filename%.*}" 30
echo "Adding to zip contents of a folder ${destination_folder_name}"
cd ${destination_folder_name}
zip -r -q ../$file .
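Review bot: The exit status of `$sign_script` is not checked on the changed line, so unless the script enables `set -e` above the hunk (not visible here), a signing failure or timeout would still reach the `zip -r` below and repackage the unsigned `SpringToolSuite4.exe`. An explicit guard makes the failure stop the build: `$sign_script "${sts_folder}/SpringToolSuite4.exe" "${sts_folder}/SpringToolSuite4.exe" "${id}-${filename%.*}" 30 || exit 1`. That form also quotes the two path arguments, which the new line leaves unquoted although it quotes the id. The rest of the script lies outside the hunk.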
26 changes: 15 additions & 11 deletions .github/scripts/sign-exe.sh
Expand Up @@ -2,17 +2,21 @@ set -e
in_file=$1
out_file=$2
id=$3
wait_time=$4

in_filename="$(basename -- $in_file)"
echo "Setting up folder ${id} on the remote machine"
ssh -i $SSH_KEY $SSH_USER@vm-tools.spring.vmware.com -- mkdir /opt/bamboo/$id
echo "Copying $in_filename to remote machine into /opt/bamboo/${id}..."
scp -i $SSH_KEY $in_file $SSH_USER@vm-tools.spring.vmware.com:/opt/bamboo/$id
echo "Signing $in_filename..."
ssh -i $SSH_KEY $SSH_USER@vm-tools.spring.vmware.com -- /build/apps/signing/signserver/signc -v --input=/opt/bamboo/$id/$in_filename --keyid=authenticode_SHA2 --signmethod="winddk-8.1" --output=/opt/bamboo/$id/$in_filename --hash sha256
echo "Copying **signed** $in_filename back... (into $out_file)"
scp -i $SSH_KEY $SSH_USER@vm-tools.spring.vmware.com:/opt/bamboo/$id/$in_filename $out_file
echo "Cleaning up remote machine..."
ssh -i $SSH_KEY $SSH_USER@vm-tools.spring.vmware.com -- rm -rf /opt/bamboo/$id
echo "Successfully signed $in_filename"
echo "Copying ${in_file} to s3 s3://${AWS_S3_BUCKET}/exes-to-sign/${id}.exe for signing"
aws s3 cp $in_file s3://$AWS_S3_BUCKET/exes-to-sign/$id.exe
for i in {1..10}
do
wait $wait_time
aws s3api head-object --bucket $CDN_BUCKET --key spring-tools/exes-signed/$id.exe || NOT_EXIST=true
if [ $NOT_EXIST ]; then
echo "Waited ${wait_time} seconds but ${in_filename} hasn't been signed yet..."
else
echo "Successfully signed file ${in_filename}"
break
fi
done
aws mv s3://$AWS_S3_BUCKET/exes-signed/$id.exe $out_file
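Review bot: The polling loop added here cannot succeed as written: `wait $wait_time` calls the shell's job-wait builtin rather than pausing (that is `sleep`), and `NOT_EXIST` is never cleared, so once one `head-object` call fails every later iteration reports the file as unsigned. When all ten attempts are used up the script still continues to the final move instead of failing. That last line is written `aws mv` where the other commands use `aws s3 …`, and it reads from `$AWS_S3_BUCKET/exes-signed/` while the loop polls `$CDN_BUCKET` under `spring-tools/exes-signed/`, so it is worth confirming both name the same object. Since this is the signing step, the returned exe should also be checked for a valid Authenticode signature before it replaces `$out_file`; at present anything that appears under that key is accepted. A rewritten loop is sketched below; old and new sides are inferred from the 15/11 counts because the page has lost its `+`/`-` markers.

```shell
# … unchanged: upload of $in_file to exes-to-sign/ …
signed=false
for i in {1..10}
do
  sleep "$wait_time"
  # Test the command directly so a stale flag from an earlier iteration cannot leak in.
  if aws s3api head-object --bucket "$CDN_BUCKET" --key "spring-tools/exes-signed/$id.exe"; then
    echo "Successfully signed file ${in_filename}"
    signed=true
    break
  fi
  echo "Waited ${wait_time} seconds but ${in_filename} hasn't been signed yet..."
done
if [ "$signed" != true ]; then
  echo "Timed out waiting for signed ${in_filename}" >&2
  exit 1
fi
# … unchanged: final move of the signed exe to $out_file …
```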

139 changes: 89 additions & 50 deletions .github/workflows/gh-hosted-eclipse-distro-build.yml
Expand Up @@ -153,57 +153,96 @@ jobs:
p2_path: ${{ steps.s3-paths.outputs.p2_path }}
version: ${{ steps.project-version.outputs.version }}

sign-win-distros:
needs: [ eclipse-distro-build ]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
with:
sparse-checkout: |
.github
- name: Download Win Zips from S3 for Signing
run: |
rm -f spring-tool-suite-4*win*.zip*
rm -f spring-tool-suite-4*win*.self-extracting.jar*
ls
aws s3 mv s3://$AWS_S3_BUCKET/sts4-distro-ci-temp/${{ needs.eclipse-distro-build.outputs.id }} . --recursive --exclude "*" --include "spring-tool-suite-4*win*.zip*" --exclude "*/*"
- name: Sign EXE within zip files
id: sign
run: |
files=`ls spring-tool-suite-4*win*.zip`
for file in $files
do
${{ github.workspace }}/.github/scripts/sign-exe-in-zip-file.sh $file ${{ github.workspace }}/.github/scripts/sign-exe.sh ${{ github.workspace }}/.github/scripts/self-extracting-jar-creator.jar ${{ github.run_id }}
done
- name: Update Win zip/jar on S3
id: update-s3
run: |
dist_path=${{ needs.eclipse-distro-build.outputs.dist_path }}
echo "Processing S3 update..."
ls spring-tool-suite-4*win*
echo "Removing old win zip and self extracting jar files from S3..."
aws s3 rm s3://$AWS_S3_BUCKET/${dist_path} --recursive --exclude "*" --include "spring-tool-suite-4*win*.zip*" --include "spring-tool-suite-4*win*.self-extracting.jar*" --exclude "*/*"
echo "Uploading new win zip and self extracting jar files to S3..."
aws s3 mv . s3://$AWS_S3_BUCKET/${dist_path} --recursive --exclude "*" --include "spring-tool-suite-4*win*.zip*" --include "spring-tool-suite-4*win*.self-extracting.jar*" --exclude "*/*" --no-progress
- name: Update Nightly Distro Downloads page
if: ${{ inputs.build_type == 'snapshot' }}
run: |
dist_path=${{ needs.eclipse-distro-build.outputs.dist_path }}
eclipse_profile=${{ inputs.eclipse_profile }}
eclipse_version=${eclipse_profile:0:2}.${eclipse_profile:2}
${{ github.workspace }}/.github/scripts/update-distro-download-page.sh $dist_path $eclipse_version ${{ inputs.build_type }} $AWS_S3_BUCKET $DOWNLOAD_URL_ROOT
sign-win-distros:
needs: [ eclipse-distro-build ]
runs-on: [ self-hosted, Linux ]
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
with:
sparse-checkout: |
.github
- name: Download Win Zips from S3 for Signing
run: |
rm -f spring-tool-suite-4*win*.zip*
rm -f spring-tool-suite-4*win*.self-extracting.jar*
ls
aws s3 mv s3://$AWS_S3_BUCKET/sts4-distro-ci-temp/${{ needs.eclipse-distro-build.outputs.id }} . --recursive --exclude "*" --include "spring-tool-suite-4*win*.zip*" --exclude "*/*"
- name: Sign EXE within zip files
id: sign
env:
SSH_KEY: ~/.ssh/id_rsa
SSH_USER: signer
run: |
files=`ls spring-tool-suite-4*win*.zip`
for file in $files
do
${{ github.workspace }}/.github/scripts/sign-exe-in-zip-file.sh $file ${{ github.workspace }}/.github/scripts/sign-exe.sh ${{ github.workspace }}/.github/scripts/self-extracting-jar-creator.jar ${{ needs.eclipse-distro-build.outputs.id }}
done
- name: Update Win zip/jar on S3
id: update-s3
run: |
dist_path=${{ needs.eclipse-distro-build.outputs.dist_path }}
echo "Processing S3 update..."
ls spring-tool-suite-4*win*
echo "Removing old win zip and self extracting jar files from S3..."
aws s3 rm s3://$AWS_S3_BUCKET/${dist_path} --recursive --exclude "*" --include "spring-tool-suite-4*win*.zip*" --include "spring-tool-suite-4*win*.self-extracting.jar*" --exclude "*/*"
echo "Uploading new win zip and self extracting jar files to S3..."
aws s3 mv . s3://$AWS_S3_BUCKET/${dist_path} --recursive --exclude "*" --include "spring-tool-suite-4*win*.zip*" --include "spring-tool-suite-4*win*.self-extracting.jar*" --exclude "*/*" --no-progress
- name: Update Nightly Distro Downloads page
if: ${{ inputs.build_type == 'snapshot' }}
run: |
dist_path=${{ needs.eclipse-distro-build.outputs.dist_path }}
eclipse_profile=${{ inputs.eclipse_profile }}
eclipse_version=${eclipse_profile:0:2}.${eclipse_profile:2}
${{ github.workspace }}/.github/scripts/update-distro-download-page.sh $dist_path $eclipse_version ${{ inputs.build_type }} $AWS_S3_BUCKET $DOWNLOAD_URL_ROOT
- name: Cleanup
if: ${{ always() }}
env:
SSH_KEY: ~/.ssh/id_rsa
SSH_USER: signer
run: |
ssh -i $SSH_KEY $SSH_USER@vm-tools.spring.vmware.com -- rm -rf /opt/bamboo/${{ needs.eclipse-distro-build.outputs.id }}
rm -rf *spring-tool-suite-4*win*
# sign-win-distros:
# needs: [ eclipse-distro-build ]
# runs-on: [ self-hosted, Linux ]
# steps:
# - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9
# with:
# sparse-checkout: |
# .github
# - name: Download Win Zips from S3 for Signing
# run: |
# rm -f spring-tool-suite-4*win*.zip*
# rm -f spring-tool-suite-4*win*.self-extracting.jar*
# ls
# aws s3 mv s3://$AWS_S3_BUCKET/sts4-distro-ci-temp/${{ needs.eclipse-distro-build.outputs.id }} . --recursive --exclude "*" --include "spring-tool-suite-4*win*.zip*" --exclude "*/*"
# - name: Sign EXE within zip files
# id: sign
# env:
# SSH_KEY: ~/.ssh/id_rsa
# SSH_USER: signer
# run: |
# files=`ls spring-tool-suite-4*win*.zip`
# for file in $files
# do
# ${{ github.workspace }}/.github/scripts/sign-exe-in-zip-file.sh $file ${{ github.workspace }}/.github/scripts/sign-exe.sh ${{ github.workspace }}/.github/scripts/self-extracting-jar-creator.jar ${{ needs.eclipse-distro-build.outputs.id }}
# done
# - name: Update Win zip/jar on S3
# id: update-s3
# run: |
# dist_path=${{ needs.eclipse-distro-build.outputs.dist_path }}
# echo "Processing S3 update..."
# ls spring-tool-suite-4*win*
# echo "Removing old win zip and self extracting jar files from S3..."
# aws s3 rm s3://$AWS_S3_BUCKET/${dist_path} --recursive --exclude "*" --include "spring-tool-suite-4*win*.zip*" --include "spring-tool-suite-4*win*.self-extracting.jar*" --exclude "*/*"
# echo "Uploading new win zip and self extracting jar files to S3..."
# aws s3 mv . s3://$AWS_S3_BUCKET/${dist_path} --recursive --exclude "*" --include "spring-tool-suite-4*win*.zip*" --include "spring-tool-suite-4*win*.self-extracting.jar*" --exclude "*/*" --no-progress
# - name: Update Nightly Distro Downloads page
# if: ${{ inputs.build_type == 'snapshot' }}
# run: |
# dist_path=${{ needs.eclipse-distro-build.outputs.dist_path }}
# eclipse_profile=${{ inputs.eclipse_profile }}
# eclipse_version=${eclipse_profile:0:2}.${eclipse_profile:2}
# ${{ github.workspace }}/.github/scripts/update-distro-download-page.sh $dist_path $eclipse_version ${{ inputs.build_type }} $AWS_S3_BUCKET $DOWNLOAD_URL_ROOT
# - name: Cleanup
# if: ${{ always() }}
# env:
# SSH_KEY: ~/.ssh/id_rsa
# SSH_USER: signer
# run: |
# ssh -i $SSH_KEY $SSH_USER@vm-tools.spring.vmware.com -- rm -rf /opt/bamboo/${{ needs.eclipse-distro-build.outputs.id }}
# rm -rf *spring-tool-suite-4*win*

sign-osx-distros:
needs: [ eclipse-distro-build ]
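Review bot: The signing id passed to `sign-exe-in-zip-file.sh` in the active job is `${{ github.run_id }}`, which stays the same when a run is re-run, so a second attempt would reuse the same `exes-to-sign/…` and `exes-signed/…` object keys. Because `sign-exe.sh` only polls for the key's existence, a leftover object from an earlier attempt could be accepted as the result for a freshly built exe. Appending the attempt number, e.g. `${{ github.run_id }}-${{ github.run_attempt }}`, would keep the keys distinct. Separately, the SSH-based job is kept as a 50-line commented-out block that still names the signing host and account; the history already preserves it, so deleting it would keep the workflow readable. Old and new sides are inferred from the 89/50 counts, as the page no longer shows the markers.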
