.github/workflows/ci.yaml

name: ci

on:
  push:
    branches: [ main, release-* ]
    tags:
      'v*'
  pull_request:
    branches: [ main ]
env:
    QT_VERSION: 6.5.2
jobs:
  # This is a super hacky way to get this into a place that can actually be
  # used by downstream jobs because YAML values don't allow shell
  # interpolation, only github expression interpolation
  run-info:
    name: Gather Run Info
    runs-on: ubuntu-latest
    outputs:
      sha8: ${{ steps.calc-info.outputs.sha8 }}
      isRelease: ${{ steps.calc-info.outputs.isRelease }}
      signMacRelease: ${{ steps.calc-info.outputs.signMacRelease }}
      signWinRelease: ${{ steps.calc-info.outputs.signWinRelease }}
    steps:
      - name: CheckRun Info
        env:
          MCERT: ${{secrets.MACOS_CERT}}
          WCERT: ${{ secrets.WINDOWS_CERT }}
        id: calc-info
        run: |
          MSIGN="false"
          WSIGN="false"
          RELEASE="false"
          if [[ "$GITHUB_REF" == *"tags/v"* || "$GITHUB_REF" == *"refs/heads/release" ]]; then
              RELEASE="true"
              NAME="$GITHUB_REF_NAME"
          fi
          if [[ "$MCERT" != "" ]]; then
              MSIGN="true"
          fi
          if [[ "$WCERT" != "" ]]; then
              WSIGN="true"
          fi
          if [[ "$NAME" == "" ]]; then
              NAME="continuous"
          fi
          echo "signMacRelease=$MSIGN" >> $GITHUB_OUTPUT
          echo "signWinRelease=$WSIGN" >> $GITHUB_OUTPUT
          echo "sha8=$NAME" >> $GITHUB_OUTPUT
          echo "isRelease=$RELEASE" >> $GITHUB_OUTPUT

  build:
    name: ${{ matrix.config.name }}
    runs-on: ${{ matrix.config.os }}
    needs: run-info
    strategy:
      fail-fast: false
      matrix:
        config:
        - {
            name: "Linux"
            , os: ubuntu-20.04
            , QT_INST_DIR: /opt
            , extraCMakeConfig: "-DCMAKE_INSTALL_PREFIX=/usr"
          }
        - {
            name: "Mac"
            , os: macos-latest
            , QT_INST_DIR: /Users/runner
            , extraCMakeConfig: "-DCMAKE_OSX_ARCHITECTURES=\"arm64;x86_64\""
            , cmakeSigning: "-DNOTARIZE_AS=\"John Kennedy\""
            , buildTarget: "--target package"
          }
        - {
            name: "Windows", WIN_ARCH: "x64"
            , os: windows-2019
            , QT_INST_DIR: "C:/", QT_ARCH: win64_msvc2019_64
            , extraCMakeConfig: "-G Ninja"
            , buildTarget: "--target package"
          }
    steps:
    - name: Setup env
      shell: bash
      run: |
        echo "name=ashirt-${{ needs.run-info.outputs.sha8 }}" >> $GITHUB_ENV
        echo "githash=${{ needs.run-info.outputs.sha8 }}" >> $GITHUB_ENV
        echo "signMacRelease=${{ needs.run-info.outputs.signMacRelease }}" >> $GITHUB_ENV
        echo "signWinRelease=${{ needs.run-info.outputs.signWinRelease }}" >> $GITHUB_ENV

    - name: Check out code
      uses: actions/checkout@v4
      with:
        submodules: true
        fetch-depth: 0
    - run: git fetch --tags --force

    - name: Env Script (windows)
      uses: ilammy/msvc-dev-cmd@v1
      if: runner.os == 'Windows'
      with:
        arch: ${{matrix.config.WIN_ARCH}}

    - name: Import Signing Certificate ( windows )
      if: runner.os == 'Windows' && env.signWinRelease == 'true'
      run: |
        New-Item -ItemType directory -Path build\certificate
        Set-Content -Path build\certificate\certificate.txt -Value '${{ secrets.WINDOWS_CERT }}'
        certutil -decode build\certificate\certificate.txt build\certificate\certificate.pfx

    - name: Import Signing Certificate ( macos )
      if: runner.os == 'macOS' && env.signMacRelease == 'true'
      uses: Apple-Actions/import-codesign-certs@v3
      with:
        p12-file-base64: ${{ secrets.MACOS_CERT }}
        p12-password: ${{ secrets.MACOS_PASS }}

    - name: Install Qt
      uses: jurplel/install-qt-action@v4.0.0
      with:
       aqtversion: ==2.0.0
       py7zrversion: ==0.16.2
       dir: ${{matrix.config.QT_INST_DIR}}
       arch: ${{ matrix.config.QT_ARCH }}
       version: ${{ env.QT_VERSION }}

    - name: Install Dependencies
      shell: bash
      run: |
        if [ "$RUNNER_OS" == "Linux" ]; then
            sudo apt-get update > /dev/null && sudo apt-get install -qqq libxcb-keysyms1-dev libxkbcommon-dev libxkbcommon-x11-dev libxcb-cursor0 > /dev/null
        elif [ "$RUNNER_OS" == "Windows" ]; then
            choco install ninja --ignore-checksums
        fi

    - name: Build
      shell: bash
      run: |
        if [[ "${{ env.signMacRelease }}" == "true" ]]; then
            cmake -S. -Bbuild -DCMAKE_BUILD_TYPE=Release -DCPACK_PACKAGE_VERSION="${{env.githash}}" ${{matrix.config.extraCMakeConfig}} ${{matrix.config.cmakeSigning}}
        else
            cmake -S. -Bbuild -DCMAKE_BUILD_TYPE=Release -DCPACK_PACKAGE_VERSION="${{env.githash}}" ${{matrix.config.extraCMakeConfig}}
        fi
        cmake --build build ${{ matrix.config.buildTarget }}
        cd build
        mkdir -p dist
        if [ "$RUNNER_OS" == "Linux" ]; then
            wget -qc "https://github.com/linuxdeploy/linuxdeploy/releases/download/continuous/linuxdeploy-x86_64.AppImage"
            wget -qc "https://github.com/linuxdeploy/linuxdeploy-plugin-qt/releases/download/continuous/linuxdeploy-plugin-qt-x86_64.AppImage"
            chmod a+x linuxdeploy*.AppImage
            export VERSION=${{ env.githash }}
            export PATH=$PATH:/opt/Qt/${{env.QT_VERSION}}/gcc_64/libexec
            ./linuxdeploy-x86_64.AppImage --appdir=appdir  --output appimage \
                -e src/ashirt \
                -d ../deploy/ashirt.desktop \
                -i ../deploy/hicolor/128x128/apps/ashirt.png \
                --plugin=qt
        elif [[ "$RUNNER_OS" == "macOS" && "${{ env.signMacRelease }}" == "true" ]]; then
            # Prepare application for notarization
            xcrun notarytool store-credentials "AC_PASSWORD" --apple-id ${{ secrets.APPLE_ID }} --team-id ${{ secrets.TEAM_ID }} --password ${{ secrets.APP_SPECIFIC_PASSWORD }}
            # Notarize the application
            xcrun notarytool submit ${{env.name}}.dmg --keychain-profile "AC_PASSWORD" --wait
            # Staple the ticket to the application
            xcrun stapler staple ${{env.name}}.dmg
        mv ashirt*.* dist/

    - name: Sign Artifact with CodeSignTool
      uses: sslcom/esigner-codesign@develop
      if: ${{ env.signWinRelease == "true" && RUNNER_OS == "Windows"}}
      with:
        command: sign
        username: ${{secrets.ES_USERNAME}}
        password: ${{secrets.ES_PASSWORD}}
        credential_id: ${{secrets.CREDENTIAL_ID}}
        totp_secret: ${{secrets.ES_TOTP_SECRET}}
        file_path: build/${{env.name}}.exe
        output_path: dist/

    - name: Archive production artifacts
      uses: actions/upload-artifact@v4
      with:
        name: ${{env.name}}-${{ matrix.config.os }}
        path: build/dist/ashirt*.*

  release:
    name: Release
    needs: [run-info, build]
    runs-on: ubuntu-latest
    steps:
    - name: Download Files
      uses: actions/download-artifact@v4

    - name: Deploy Continuous
      if: github.ref == 'refs/heads/main'
      uses: "marvinpinto/action-automatic-releases@latest"
      with:
       repo_token: "${{ secrets.GITHUB_TOKEN }}"
       automatic_release_tag: "continuous"
       prerelease: true
       title: "Continuous Build"
       files: ashirt-*/ashirt-*.*

    - name: Deploy Tag
      if: contains(github.ref, 'tags/v') || github.ref == 'refs/heads/release'
      uses: "marvinpinto/action-automatic-releases@latest"
      with:
       repo_token: "${{ secrets.GITHUB_TOKEN }}"
       automatic_release_tag: ${{ github.ref_name }}
       prerelease: false
       title: ${{ github.ref }}
       files: ashirt-*/ashirt-*.*