distribute-binaries.yml
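# Builds Windows binaries for every pushed v* tag, signs them with
# osslsigncode and attaches the signed files to the GitHub release.
name: Distribute Binaries

on:
  push:
    tags:
      - 'v*' # Trigger the workflow for tags like v1.0, v2.1, etc.

jobs:
  build:
    runs-on: ubuntu-latest
    # Least privilege for GITHUB_TOKEN: the release upload is the only step
    # that writes, and it only needs repository contents.
    permissions:
      contents: write
    steps:
      # NOTE(review): every `uses:` below references a mutable tag. This job
      # holds the code-signing key, so each action (especially the third-party
      # release action) should be pinned to a full commit SHA, e.g.
      # `actions/checkout@<FULL_COMMIT_SHA>  # v2`, after reviewing that commit.
      #
      # NOTE(review): `env.skip` is not set anywhere in this workflow, so the
      # `if:` guards below always pass as written. Confirm whether a step that
      # sets it was intended.

      # Checkout the code
      - name: Checkout code
        if: env.skip != 'true'
        uses: actions/checkout@v2

      # Set up Go environment
      - name: Set up Go
        if: env.skip != 'true'
        uses: actions/setup-go@v3
        with:
          go-version: '1.23'

      # Install necessary build tools for cgo and osslsigncode
      - name: Install build tools
        if: env.skip != 'true'
        run: |
          set -euo pipefail
          sudo apt-get update
          sudo apt-get install -y gcc g++ libc6-dev gcc-multilib g++-x86-64-linux-gnu osslsigncode openssl

      # Prepare the signing certificate (generate the .p12 bundle).
      # Key material is kept under RUNNER_TEMP, outside the checkout, so a
      # later glob or upload over the workspace cannot pick it up.
      # NOTE(review): `openssl pkcs12 -export -in` expects a certificate, but
      # the secret is named REQUEST_CSR. Confirm it holds the issued
      # certificate and not a signing request.
      - name: Prepare signing certificate
        if: env.skip != 'true'
        env:
          PRIVATE_KEY: ${{ secrets.PRIVATE_KEY }}
          REQUEST_CSR: ${{ secrets.REQUEST_CSR }}
          SIGN_PASSWORD: ${{ secrets.SIGN_PASSWORD }}
        run: |
          set -euo pipefail
          # Files created below are readable by the runner user only.
          umask 077
          WORK_DIR="$(mktemp -d "${RUNNER_TEMP}/signing.XXXXXX")"
          # Remove the plaintext key and certificate input even if openssl fails.
          trap 'rm -rf "${WORK_DIR}"' EXIT
          # The secrets are written verbatim; no decoding is performed.
          printf '%s\n' "${PRIVATE_KEY}" > "${WORK_DIR}/private.key"
          printf '%s\n' "${REQUEST_CSR}" > "${WORK_DIR}/request.csr"
          # The export password is read from the environment, so it is never
          # written to disk or passed as a command-line argument.
          openssl pkcs12 -export \
            -out "${RUNNER_TEMP}/certificate.p12" \
            -inkey "${WORK_DIR}/private.key" \
            -in "${WORK_DIR}/request.csr" \
            -passout env:SIGN_PASSWORD

      # Get the version from the tag
      - name: Get version from tag
        if: env.skip != 'true'
        id: get_version
        run: |
          set -euo pipefail
          # Strip the refs/tags/ prefix without spawning sed.
          echo "VERSION=${GITHUB_REF#refs/tags/}" >> "${GITHUB_ENV}"

      # Get the repository name from the GitHub context
      - name: Get repo name
        if: env.skip != 'true'
        id: get_repo_name
        run: |
          set -euo pipefail
          # GITHUB_REPOSITORY is owner/name; keep the part after the slash.
          REPO_NAME="${GITHUB_REPOSITORY#*/}"
          echo "REPO_NAME=${REPO_NAME}" >> "${GITHUB_ENV}"
          echo "Repository name: ${REPO_NAME}"

      # Build binaries.
      # VERSION and REPO_NAME are read from the process environment (exported
      # through GITHUB_ENV by the two steps above), not expanded into the
      # script text with an Actions expression. The tag name is chosen by
      # whoever pushes the tag, and an expression is substituted before the
      # shell parses the script, so it must not be used to carry that value
      # in a job that also holds signing secrets.
      - name: Build binaries
        if: env.skip != 'true'
        run: |
          set -euo pipefail
          GOOS_ARCH_LIST=( "windows/386" "windows/amd64" "windows/arm" "windows/arm64" )
          DIST_LOCATION=dist
          mkdir -p "${DIST_LOCATION}"
          for GOOS_ARCH in "${GOOS_ARCH_LIST[@]}"; do
            GOOS="${GOOS_ARCH%/*}"
            GOARCH="${GOOS_ARCH#*/}"
            FILENAME="${REPO_NAME}-${VERSION}-${GOOS}-${GOARCH}.exe"
            OUTPUT_LOCATION="${DIST_LOCATION}/${FILENAME}"
            export GOOS GOARCH CGO_ENABLED=0
            go build -ldflags "-X main.name=${REPO_NAME} -X main.version=${VERSION}" -o "${OUTPUT_LOCATION}"
            echo "Built binary: ${OUTPUT_LOCATION}"
          done

      # Sign Windows binaries
      # NOTE(review): `-pass` puts the password on the osslsigncode command
      # line, where it is visible in the process list for the duration of the
      # call. osslsigncode also documents `-readpass <file>`; confirm the
      # packaged version supports it before switching.
      - name: Sign Windows binaries
        if: env.skip != 'true'
        env:
          SIGN_PASSWORD: ${{ secrets.SIGN_PASSWORD }}
        run: |
          set -euo pipefail
          CERT_FILE="${RUNNER_TEMP}/certificate.p12"
          # The bundle contains the private key; delete it once signing ends,
          # whether it succeeded or not.
          trap 'rm -f "${CERT_FILE}"' EXIT
          mkdir -p signed
          for FILE in dist/*.exe; do
            SIGNED_FILE="signed/$(basename "${FILE}")"
            osslsigncode sign \
              -pkcs12 "${CERT_FILE}" \
              -pass "${SIGN_PASSWORD}" \
              -t http://timestamp.digicert.com \
              -in "${FILE}" \
              -out "${SIGNED_FILE}"
            echo "Signed binary: ${SIGNED_FILE}"
          done

      # Upload signed binaries to GitHub Releases
      - name: Upload signed binaries to release
        if: env.skip != 'true'
        uses: softprops/action-gh-release@v1
        with:
          files: signed/*
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}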