Skip to content

feat: add timestamping support to Azure Trusted Signing #677

feat: add timestamping support to Azure Trusted Signing

feat: add timestamping support to Azure Trusted Signing #677

Workflow file for this run

name: Build
on:
push:
branches:
- 'main'
- 'feat/azure-1'
tags:
- 'v[0-9]+.[0-9]+.[0-9]+'
- 'v[0-9]+.[0-9]+.[0-9]+-**'
paths-ignore:
- '**.md'
- '**.spec.js'
- '.idea'
- '.vscode'
- '.dockerignore'
- 'Dockerfile'
- '.gitignore'
pull_request:
types: [opened, synchronize, reopened, ready_for_review, converted_to_ready_for_review]
branches:
- 'main'
paths-ignore:
- '**.md'
- '**.spec.js'
- '.idea'
- '.vscode'
- '.dockerignore'
- 'Dockerfile'
- '.gitignore'
jobs:
build:
runs-on: ${{ matrix.os }}
permissions:
contents: write
strategy:
matrix:
os:
- windows-latest
steps:
- name: Checkout Code
uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: 20
- uses: oven-sh/setup-bun@v1
with:
bun-version: latest
- name: Install dependencies
run: bun install --frozen-lockfile
- name: Build foundation
run: bun build:foundation
- name: Set environment variables
shell: bash
run: |
echo "VITE_SUPABASE_API_URL=${{ secrets.SUPABASE_API_URL }}" >> $GITHUB_ENV
echo "VITE_SUPABASE_ANON_KEY=${{ secrets.SUPABASE_ANON_KEY }}" >> $GITHUB_ENV
echo "VITE_MIXPANEL_TOKEN=${{ secrets.MIXPANEL_TOKEN }}" >> $GITHUB_ENV
echo "VITE_ANTHROPIC_API_KEY=${{ secrets.ANTHROPIC_API_KEY }}" >> $GITHUB_ENV
echo "VITE_OPENAI_API_KEY=${{ secrets.OPENAI_API_KEY }}" >> $GITHUB_ENV
echo "VITE_LANGFUSE_PUBLIC_KEY=${{ secrets.LANGFUSE_PUBLIC_KEY }}" >> $GITHUB_ENV
echo "VITE_LANGFUSE_SECRET_KEY=${{ secrets.LANGFUSE_SECRET_KEY }}" >> $GITHUB_ENV
# Build the app first
- name: Build Vite App
working-directory: apps/studio
run: bun run build
# Package the app
- name: Build Electron App
working-directory: apps/studio
run: npx electron-builder --win --dir
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# Sign with Azure Trusted Signing
- name: Azure Trusted Signing
uses: azure/trusted-signing-action@v0.3.16
with:
azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
azure-client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
endpoint: ${{ secrets.AZURE_ENDPOINT }}
code-signing-account-name: ${{ secrets.AZURE_CODE_SIGNING_NAME }}
certificate-profile-name: ${{ secrets.AZURE_CERT_PROFILE_NAME }}
file-digest: SHA256
files-folder: apps/studio/release/0.1.4-beta/win-unpacked
files-folder-filter: exe
timestamp-rfc3161-url: http://timestamp.digicert.com
# Verify package signatures
- name: Verify Package Signatures
shell: powershell
run: |
$files = Get-ChildItem -Path "apps/studio/release/0.1.4-beta/win-unpacked/*.exe" -Recurse
foreach ($file in $files) {
Write-Host "Verifying signature for: $($file.FullName)"
$sig = Get-AuthenticodeSignature $file.FullName
if ($sig.Status -ne "Valid") {
Write-Host "Invalid signature found for $($file.FullName)"
Write-Host "Status: $($sig.Status)"
Write-Host "Signer: $($sig.SignerCertificate.Subject)"
exit 1
}
Write-Host "Valid signature found:"
Write-Host "Status: $($sig.Status)"
Write-Host "Signer: $($sig.SignerCertificate.Subject)"
Write-Host "Timestamp: $($sig.TimeStamper)"
}
# Upload signed artifacts for verification
- name: Upload Signed Artifacts
uses: actions/upload-artifact@v4
with:
name: signed-windows-binaries
path: apps/studio/release/0.1.4-beta/win-unpacked/*.exe
# Publish the signed artifacts
- name: Publish Signed Artifacts
working-directory: apps/studio
run: npx electron-builder --win --publish always --dir
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
EP_GH_IGNORE_TIME: true