ssl.com action #926
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: ci | |
| on: | |
| push: | |
| branches: [ main, release-* ] | |
| tags: | |
| 'v*' | |
| pull_request: | |
| branches: [ main ] | |
| env: | |
| QT_VERSION: 6.5.2 | |
| jobs: | |
| # This is a super hacky way to get this into a place that can actually be | |
| # used by downstream jobs because YAML values don't allow shell | |
| # interpolation, only github expression interpolation | |
| run-info: | |
| name: Gather Run Info | |
| runs-on: ubuntu-latest | |
| outputs: | |
| sha8: ${{ steps.calc-info.outputs.sha8 }} | |
| isRelease: ${{ steps.calc-info.outputs.isRelease }} | |
| signMacRelease: ${{ steps.calc-info.outputs.signMacRelease }} | |
| signWinRelease: ${{ steps.calc-info.outputs.signWinRelease }} | |
| steps: | |
| - name: CheckRun Info | |
| env: | |
| MCERT: ${{secrets.MACOS_CERT}} | |
| WCERT: ${{ secrets.WINDOWS_CERT }} | |
| id: calc-info | |
| run: | | |
| MSIGN="false" | |
| WSIGN="false" | |
| RELEASE="false" | |
| if [[ "$GITHUB_REF" == *"tags/v"* || "$GITHUB_REF" == *"refs/heads/release" ]]; then | |
| RELEASE="true" | |
| NAME="$GITHUB_REF_NAME" | |
| fi | |
| if [[ "$MCERT" != "" ]]; then | |
| MSIGN="true" | |
| fi | |
| if [[ "$WCERT" != "" ]]; then | |
| WSIGN="true" | |
| fi | |
| if [[ "$NAME" == "" ]]; then | |
| NAME="continuous" | |
| fi | |
| echo "signMacRelease=$MSIGN" >> $GITHUB_OUTPUT | |
| echo "signWinRelease=$WSIGN" >> $GITHUB_OUTPUT | |
| echo "sha8=$NAME" >> $GITHUB_OUTPUT | |
| echo "isRelease=$RELEASE" >> $GITHUB_OUTPUT | |
| build: | |
| name: ${{ matrix.config.name }} | |
| runs-on: ${{ matrix.config.os }} | |
| needs: run-info | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| config: | |
| - { | |
| name: "Linux" | |
| , os: ubuntu-20.04 | |
| , QT_INST_DIR: /opt | |
| , extraCMakeConfig: "-DCMAKE_INSTALL_PREFIX=/usr" | |
| } | |
| - { | |
| name: "Mac" | |
| , os: macos-latest | |
| , QT_INST_DIR: /Users/runner | |
| , extraCMakeConfig: "-DCMAKE_OSX_ARCHITECTURES=\"arm64;x86_64\"" | |
| , cmakeSigning: "-DNOTARIZE_AS=\"John Kennedy\"" | |
| , buildTarget: "--target package" | |
| } | |
| - { | |
| name: "Windows", WIN_ARCH: "x64" | |
| , os: windows-2019 | |
| , QT_INST_DIR: "C:/", QT_ARCH: win64_msvc2019_64 | |
| , extraCMakeConfig: "-G Ninja" | |
| , buildTarget: "--target package" | |
| } | |
| steps: | |
| - name: Setup env | |
| shell: bash | |
| run: | | |
| echo "name=ashirt-${{ needs.run-info.outputs.sha8 }}" >> $GITHUB_ENV | |
| echo "githash=${{ needs.run-info.outputs.sha8 }}" >> $GITHUB_ENV | |
| echo "signMacRelease=${{ needs.run-info.outputs.signMacRelease }}" >> $GITHUB_ENV | |
| echo "signWinRelease=${{ needs.run-info.outputs.signWinRelease }}" >> $GITHUB_ENV | |
| - name: Check out code | |
| uses: actions/checkout@v4 | |
| with: | |
| submodules: true | |
| fetch-depth: 0 | |
| - run: git fetch --tags --force | |
| - name: Env Script (windows) | |
| uses: ilammy/msvc-dev-cmd@v1 | |
| if: runner.os == 'Windows' | |
| with: | |
| arch: ${{matrix.config.WIN_ARCH}} | |
| - name: Import Signing Certificate ( windows ) | |
| if: runner.os == 'Windows' && env.signWinRelease == 'true' | |
| run: | | |
| New-Item -ItemType directory -Path build\certificate | |
| Set-Content -Path build\certificate\certificate.txt -Value '${{ secrets.WINDOWS_CERT }}' | |
| certutil -decode build\certificate\certificate.txt build\certificate\certificate.pfx | |
| - name: Import Signing Certificate ( macos ) | |
| if: runner.os == 'macOS' && env.signMacRelease == 'true' | |
| uses: Apple-Actions/import-codesign-certs@v3 | |
| with: | |
| p12-file-base64: ${{ secrets.MACOS_CERT }} | |
| p12-password: ${{ secrets.MACOS_PASS }} | |
| - name: Install Qt | |
| uses: jurplel/[email protected] | |
| with: | |
| aqtversion: ==2.0.0 | |
| py7zrversion: ==0.16.2 | |
| dir: ${{matrix.config.QT_INST_DIR}} | |
| arch: ${{ matrix.config.QT_ARCH }} | |
| version: ${{ env.QT_VERSION }} | |
| - name: Install Dependencies | |
| shell: bash | |
| run: | | |
| if [ "$RUNNER_OS" == "Linux" ]; then | |
| sudo apt-get update > /dev/null && sudo apt-get install -qqq libxcb-keysyms1-dev libxkbcommon-dev libxkbcommon-x11-dev libxcb-cursor0 > /dev/null | |
| elif [ "$RUNNER_OS" == "Windows" ]; then | |
| choco install ninja --ignore-checksums | |
| fi | |
| - name: Build | |
| shell: bash | |
| run: | | |
| if [[ "${{ env.signMacRelease }}" == "true" ]]; then | |
| cmake -S. -Bbuild -DCMAKE_BUILD_TYPE=Release -DCPACK_PACKAGE_VERSION="${{env.githash}}" ${{matrix.config.extraCMakeConfig}} ${{matrix.config.cmakeSigning}} | |
| else | |
| cmake -S. -Bbuild -DCMAKE_BUILD_TYPE=Release -DCPACK_PACKAGE_VERSION="${{env.githash}}" ${{matrix.config.extraCMakeConfig}} | |
| fi | |
| cmake --build build ${{ matrix.config.buildTarget }} | |
| cd build | |
| mkdir -p dist | |
| if [ "$RUNNER_OS" == "Linux" ]; then | |
| wget -qc "https://github.com/linuxdeploy/linuxdeploy/releases/download/continuous/linuxdeploy-x86_64.AppImage" | |
| wget -qc "https://github.com/linuxdeploy/linuxdeploy-plugin-qt/releases/download/continuous/linuxdeploy-plugin-qt-x86_64.AppImage" | |
| chmod a+x linuxdeploy*.AppImage | |
| export VERSION=${{ env.githash }} | |
| export PATH=$PATH:/opt/Qt/${{env.QT_VERSION}}/gcc_64/libexec | |
| ./linuxdeploy-x86_64.AppImage --appdir=appdir --output appimage \ | |
| -e src/ashirt \ | |
| -d ../deploy/ashirt.desktop \ | |
| -i ../deploy/hicolor/128x128/apps/ashirt.png \ | |
| --plugin=qt | |
| elif [[ "$RUNNER_OS" == "macOS" && "${{ env.signMacRelease }}" == "true" ]]; then | |
| # Prepare application for notarization | |
| xcrun notarytool store-credentials "AC_PASSWORD" --apple-id ${{ secrets.APPLE_ID }} --team-id ${{ secrets.TEAM_ID }} --password ${{ secrets.APP_SPECIFIC_PASSWORD }} | |
| # Notarize the application | |
| xcrun notarytool submit ${{env.name}}.dmg --keychain-profile "AC_PASSWORD" --wait | |
| # Staple the ticket to the application | |
| xcrun stapler staple ${{env.name}}.dmg | |
| mv ashirt*.* dist/ | |
| - name: Sign Artifact with CodeSignTool | |
| uses: sslcom/esigner-codesign@develop | |
| if: ${{ env.signWinRelease == 'true' && matrix.config.os == 'windows-2019' }} | |
| with: | |
| command: sign | |
| username: ${{secrets.ES_USERNAME}} | |
| password: ${{secrets.ES_PASSWORD}} | |
| credential_id: ${{secrets.CREDENTIAL_ID}} | |
| totp_secret: ${{secrets.ES_TOTP_SECRET}} | |
| file_path: build/${{env.name}}.exe | |
| output_path: dist/ | |
| - name: Archive production artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: ${{env.name}}-${{ matrix.config.os }} | |
| path: build/dist/ashirt*.* | |
| release: | |
| name: Release | |
| needs: [run-info, build] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Download Files | |
| uses: actions/download-artifact@v4 | |
| - name: Deploy Continuous | |
| if: github.ref == 'refs/heads/main' | |
| uses: "marvinpinto/action-automatic-releases@latest" | |
| with: | |
| repo_token: "${{ secrets.GITHUB_TOKEN }}" | |
| automatic_release_tag: "continuous" | |
| prerelease: true | |
| title: "Continuous Build" | |
| files: ashirt-*/ashirt-*.* | |
| - name: Deploy Tag | |
| if: contains(github.ref, 'tags/v') || github.ref == 'refs/heads/release' | |
| uses: "marvinpinto/action-automatic-releases@latest" | |
| with: | |
| repo_token: "${{ secrets.GITHUB_TOKEN }}" | |
| automatic_release_tag: ${{ github.ref_name }} | |
| prerelease: false | |
| title: ${{ github.ref }} | |
| files: ashirt-*/ashirt-*.* |