fix: update to DigiCert timestamp server for code signing #680
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build | |
| on: | |
| push: | |
| branches: | |
| - 'main' | |
| - 'feat/azure-1' | |
| tags: | |
| - 'v[0-9]+.[0-9]+.[0-9]+' | |
| - 'v[0-9]+.[0-9]+.[0-9]+-**' | |
| paths-ignore: | |
| - '**.md' | |
| - '**.spec.js' | |
| - '.idea' | |
| - '.vscode' | |
| - '.dockerignore' | |
| - 'Dockerfile' | |
| - '.gitignore' | |
| pull_request: | |
| types: [opened, synchronize, reopened, ready_for_review, converted_to_ready_for_review] | |
| branches: | |
| - 'main' | |
| paths-ignore: | |
| - '**.md' | |
| - '**.spec.js' | |
| - '.idea' | |
| - '.vscode' | |
| - '.dockerignore' | |
| - 'Dockerfile' | |
| - '.gitignore' | |
| jobs: | |
| build: | |
| runs-on: ${{ matrix.os }} | |
| permissions: | |
| contents: write | |
| strategy: | |
| matrix: | |
| os: | |
| - windows-latest | |
| steps: | |
| - name: Checkout Code | |
| uses: actions/checkout@v4 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: 20 | |
| - uses: oven-sh/setup-bun@v1 | |
| with: | |
| bun-version: latest | |
| - name: Install dependencies | |
| run: bun install --frozen-lockfile | |
| - name: Build foundation | |
| run: bun build:foundation | |
| - name: Set environment variables | |
| shell: bash | |
| run: | | |
| echo "VITE_SUPABASE_API_URL=${{ secrets.SUPABASE_API_URL }}" >> $GITHUB_ENV | |
| echo "VITE_SUPABASE_ANON_KEY=${{ secrets.SUPABASE_ANON_KEY }}" >> $GITHUB_ENV | |
| echo "VITE_MIXPANEL_TOKEN=${{ secrets.MIXPANEL_TOKEN }}" >> $GITHUB_ENV | |
| echo "VITE_ANTHROPIC_API_KEY=${{ secrets.ANTHROPIC_API_KEY }}" >> $GITHUB_ENV | |
| echo "VITE_OPENAI_API_KEY=${{ secrets.OPENAI_API_KEY }}" >> $GITHUB_ENV | |
| echo "VITE_LANGFUSE_PUBLIC_KEY=${{ secrets.LANGFUSE_PUBLIC_KEY }}" >> $GITHUB_ENV | |
| echo "VITE_LANGFUSE_SECRET_KEY=${{ secrets.LANGFUSE_SECRET_KEY }}" >> $GITHUB_ENV | |
| # Build the app first | |
| - name: Build Vite App | |
| working-directory: apps/studio | |
| run: bun run build | |
| # Package the app | |
| - name: Build Electron App | |
| working-directory: apps/studio | |
| run: npx electron-builder --win --dir | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| # Sign with Azure Trusted Signing | |
| - name: Azure Trusted Signing | |
| uses: azure/trusted-signing-action@v0.3.16 | |
| with: | |
| azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }} | |
| azure-client-id: ${{ secrets.AZURE_CLIENT_ID }} | |
| azure-client-secret: ${{ secrets.AZURE_CLIENT_SECRET }} | |
| endpoint: ${{ secrets.AZURE_ENDPOINT }} | |
| code-signing-account-name: ${{ secrets.AZURE_CODE_SIGNING_NAME }} | |
| certificate-profile-name: ${{ secrets.AZURE_CERT_PROFILE_NAME }} | |
| file-digest: SHA256 | |
| files-folder: apps/studio/release/0.1.4-beta/win-unpacked | |
| files-folder-filter: exe | |
| timestamp-rfc3161: http://timestamp.digicert.com | |
| # Verify package signatures | |
| - name: Verify Package Signatures | |
| shell: powershell | |
| run: | | |
| $files = Get-ChildItem -Path "apps/studio/release/0.1.4-beta/win-unpacked/*.exe" -Recurse | |
| foreach ($file in $files) { | |
| Write-Host "Verifying signature for: $($file.FullName)" | |
| $sig = Get-AuthenticodeSignature $file.FullName | |
| if ($sig.Status -ne "Valid") { | |
| Write-Host "Invalid signature found for $($file.FullName)" | |
| Write-Host "Status: $($sig.Status)" | |
| Write-Host "Signer: $($sig.SignerCertificate.Subject)" | |
| exit 1 | |
| } | |
| Write-Host "Valid signature found:" | |
| Write-Host "Status: $($sig.Status)" | |
| Write-Host "Signer: $($sig.SignerCertificate.Subject)" | |
| Write-Host "Timestamp: $($sig.TimeStamper)" | |
| } | |
| # Upload signed artifacts for verification | |
| - name: Upload Signed Artifacts | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: signed-windows-binaries | |
| path: apps/studio/release/0.1.4-beta/win-unpacked/*.exe | |
| # Publish the signed artifacts | |
| - name: Publish Signed Artifacts | |
| working-directory: apps/studio | |
| run: npx electron-builder --win --publish always --dir | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| EP_GH_IGNORE_TIME: true |