Assert release & nightly builds are signed, notarised & accessible before deployment (#559)
parent
383793640d
commit
126d2c336b
8
.github/workflows/build_macos.yaml
vendored
8
.github/workflows/build_macos.yaml
vendored
@ -88,6 +88,14 @@ jobs:
|
|||||||
CSC_KEY_PASSWORD: ${{ secrets.APPLE_CSC_KEY_PASSWORD }}
|
CSC_KEY_PASSWORD: ${{ secrets.APPLE_CSC_KEY_PASSWORD }}
|
||||||
CSC_LINK: ${{ secrets.APPLE_CSC_LINK }}
|
CSC_LINK: ${{ secrets.APPLE_CSC_LINK }}
|
||||||
|
|
||||||
|
- name: Check app was signed & notarised successfully
|
||||||
|
if: inputs.sign != ''
|
||||||
|
run: |
|
||||||
|
hdiutil attach dist/*.dmg
|
||||||
|
codesign -dv --verbose=4 /Volumes/Element*/*.app
|
||||||
|
spctl -a -vvv -t install /Volumes/Element*/*.app
|
||||||
|
hdiutil detach /Volumes/Element*
|
||||||
|
|
||||||
- name: "[Unsigned] Build App"
|
- name: "[Unsigned] Build App"
|
||||||
if: inputs.sign == ''
|
if: inputs.sign == ''
|
||||||
run: |
|
run: |
|
||||||
|
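Review bot: The new "Check app was signed & notarised successfully" step never compares the signer with the identity this project is expected to ship under, so any signature that Gatekeeper accepts will pass `codesign -dv --verbose=4` and `spctl -a -vvv -t install`. `codesign -dv` only displays the signing information, so I would add a strict verification, `codesign --verify --deep --strict /Volumes/Element*/*.app`, and an identity assertion such as `codesign -dv --verbose=4 /Volumes/Element*/*.app 2>&1 | grep -q 'TeamIdentifier=<EXPECTED_TEAM_ID>'` (placeholder; the real team ID is not on this page). The step also skips `hdiutil detach` when an earlier command fails, which is harmless on an ephemeral runner but deserves a comment if the job can run on a persistent one.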
11
.github/workflows/build_windows.yaml
vendored
11
.github/workflows/build_windows.yaml
vendored
@ -31,6 +31,8 @@ jobs:
|
|||||||
build:
|
build:
|
||||||
runs-on: windows-latest
|
runs-on: windows-latest
|
||||||
environment: ${{ inputs.sign && 'packages.element.io' || '' }}
|
environment: ${{ inputs.sign && 'packages.element.io' || '' }}
|
||||||
|
env:
|
||||||
|
SIGNTOOL_PATH: "C:/Program Files (x86)/Windows Kits/10/bin/10.0.22000.0/x86/signtool.exe"
|
||||||
steps:
|
steps:
|
||||||
- uses: kanga333/variable-mapper@master
|
- uses: kanga333/variable-mapper@master
|
||||||
id: config
|
id: config
|
||||||
@ -154,8 +156,13 @@ jobs:
|
|||||||
run: |
|
run: |
|
||||||
yarn ts-node scripts/generate-builder-config.ts ${{ steps.nightly.outputs.config-args }} ${{ steps.esigner.outputs.config-args }}
|
yarn ts-node scripts/generate-builder-config.ts ${{ steps.nightly.outputs.config-args }} ${{ steps.esigner.outputs.config-args }}
|
||||||
yarn build --publish never -w --config electron-builder.json ${{ steps.config.outputs.build-args }}
|
yarn build --publish never -w --config electron-builder.json ${{ steps.config.outputs.build-args }}
|
||||||
env:
|
|
||||||
SIGNTOOL_PATH: "C:/Program Files (x86)/Windows Kits/10/bin/10.0.22000.0/x86/signtool.exe"
|
- name: Check app was signed successfully
|
||||||
|
if: inputs.sign != ''
|
||||||
|
# XXX: UPDATE THIS BEFORE WHEN GOING LIVE
|
||||||
|
continue-on-error: true
|
||||||
|
run: |
|
||||||
|
. "$env:SIGNTOOL_PATH" verify /pa (get-item ./dist/squirrel-windows*/*.exe)
|
||||||
|
|
||||||
- name: Prepare artifacts for deployment
|
- name: Prepare artifacts for deployment
|
||||||
if: inputs.deploy-mode
|
if: inputs.deploy-mode
|
||||||
|
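Review bot: `continue-on-error: true` on the new "Check app was signed successfully" step makes the signature check advisory only. A failed `signtool verify /pa`, or a missing binary at the hard-coded `SIGNTOOL_PATH` (SDK `10.0.22000.0`), still lets "Prepare artifacts for deployment" run. The `XXX` comment marks this as temporary, but nothing enforces its removal, so I would delete the `continue-on-error: true` line before this step is relied on as a release gate. Note also that `/pa` checks that the signature chains to a trusted root, and as written it does not appear to check which publisher signed the file; a subject or thumbprint comparison against the expected certificate would close that gap. The job's remaining steps lie outside the visible hunks.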
19
.github/workflows/reprepro.yaml
vendored
19
.github/workflows/reprepro.yaml
vendored
@ -59,6 +59,25 @@ jobs:
|
|||||||
reprepro -b debian includedeb "$target" ./dist/*.deb
|
reprepro -b debian includedeb "$target" ./dist/*.deb
|
||||||
done
|
done
|
||||||
|
|
||||||
|
- name: Check repository works
|
||||||
|
run: |
|
||||||
|
# Download signing keyring
|
||||||
|
sudo wget -O /usr/share/keyrings/element-io-archive-keyring.gpg https://packages.element.io/debian/element-io-archive-keyring.gpg
|
||||||
|
# Point apt at local apt repo
|
||||||
|
echo "deb [signed-by=/usr/share/keyrings/element-io-archive-keyring.gpg] http://localhost:8000/debian/ default main" | sudo tee /etc/apt/sources.list.d/element-io.list
|
||||||
|
|
||||||
|
# Start http server and fetch from it via apt
|
||||||
|
python3 -m http.server 8000 &
|
||||||
|
sudo apt-get update --allow-insecure-repositories
|
||||||
|
killall python3
|
||||||
|
|
||||||
|
# Validate the package in the repo quacks like the one we expect
|
||||||
|
info=$(dpkg --info ../dist/*.deb)
|
||||||
|
package=$(echo "$info" | grep "Package:" | sed -n 's/ Package: //p')
|
||||||
|
version=$(echo "$info" | grep "Version:" | sed -n 's/ Version: //p')
|
||||||
|
apt-cache show "$package" | grep "Version: $version"
|
||||||
|
working-directory: ./packages.element.io
|
||||||
|
|
||||||
- name: Deploy debian repo
|
- name: Deploy debian repo
|
||||||
run: |
|
run: |
|
||||||
aws s3 cp --recursive packages.element.io/debian/ s3://$R2_BUCKET/debian --endpoint-url $R2_URL --region auto
|
aws s3 cp --recursive packages.element.io/debian/ s3://$R2_BUCKET/debian --endpoint-url $R2_URL --region auto
|
||||||
|
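Review bot: `sudo apt-get update --allow-insecure-repositories` in "Check repository works" tells apt to accept repositories without sufficient security information. As far as I can tell, the update therefore still succeeds when the freshly built repo's Release file is unsigned or does not verify against the `signed-by` keyring. That means the step checks that the repo is reachable and contains the package, not that it is signed with the expected key. I would drop the flag and limit the update to the test source: `sudo apt-get update -o Dir::Etc::sourcelist=sources.list.d/element-io.list -o Dir::Etc::sourceparts=-`. Separately, `grep "Version: $version"` treats the dots in the version as regex wildcards, so `grep -Fx "Version: $version"` is the tighter match, and `python3 -m http.server 8000 &` is queried immediately with no readiness wait.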