# This workflow relies on actions/cache to store the hak dependency artifacts as they take a long time to build # Due to this extra care must be taken to only ever run all build_* scripts against the same branch to ensure # the correct cache scoping, and additional care must be taken to not run untrusted actions on the develop branch. # Windows GHA runner by default uses the pwsh shell which breaks codeSigningCert in the workflow # We always sign using eSignerCKA to ensure it keeps working, but aside from release & nightlies we use demo credentials # which do not yield trusted signatures. defaults: run: shell: powershell on: workflow_call: secrets: ESIGNER_USER_NAME: required: false ESIGNER_USER_PASSWORD: required: false ESIGNER_USER_TOTP: required: false inputs: arch: type: string required: true description: "The architecture to build for, one of 'x64' | 'ia32' | 'arm64'" version: type: string required: false description: "Version string to override the one in package.json, used for non-release builds" sign: type: string required: false description: "Whether to sign & notarise the build, requires 'packages.element.io' environment" permissions: {} # No permissions required jobs: build: runs-on: windows-2022 environment: ${{ inputs.sign && 'packages.element.io' || '' }} env: SIGNTOOL_PATH: "C:/Program Files (x86)/Windows Kits/10/bin/10.0.22000.0/x86/signtool.exe" steps: - uses: nbucic/variable-mapper@0673f6891a0619ba7c002ecfed0f9f4f39017b6f id: config with: key: "${{ inputs.arch }}" export_to: output map: | { "x64": { "target": "x86_64-pc-windows-msvc" }, "arm64": { "target": "aarch64-pc-windows-msvc", "build-args": "--arm64", "arch": "amd64_arm64" }, "ia32": { "target": "i686-pc-windows-msvc", "build-args": "--ia32", "arch": "x86", "extra_config": "{ \"user_notice\": { \"title\": \"Element will no longer be available for this platform soon\", \"description\": \"Support for 32-bit Windows installations will be removed in the next release.\" }" } } } - uses: actions/checkout@v4 - uses: actions/download-artifact@v4 with: name: webapp - name: Cache .hak id: cache uses: actions/cache@v4 with: key: ${{ runner.os }}-${{ inputs.arch }}-${{ hashFiles('hakHash', 'electronVersion') }} path: | ./.hak # ActiveTCL package on choco is from 2015, # this one is newer but includes more than we need - name: Choco install tclsh if: steps.cache.outputs.cache-hit != 'true' shell: pwsh run: | choco install -y magicsplat-tcl-tk --no-progress echo "${HOME}/AppData/Local/Apps/Tcl86/bin" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append - name: Choco install NetWide Assembler if: steps.cache.outputs.cache-hit != 'true' shell: pwsh run: | choco install -y nasm --no-progress echo "C:/Program Files/NASM" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append - name: Install Rust if: steps.cache.outputs.cache-hit != 'true' run: | rustup toolchain install stable --profile minimal --no-self-update rustup default stable rustup target add ${{ steps.config.outputs.target }} - uses: actions/setup-node@v4 with: node-version-file: .node-version cache: "yarn" - name: Install Deps run: "yarn install --frozen-lockfile" - name: Insert config snippet if: steps.config.outputs.extra_config != '' shell: bash run: | mkdir config-edit yarn asar extract webapp.asar config-edit cd config-edit mv config.json old-config.json echo ${{ steps.config.outputs.extra_config }} | jq -s '.[0] * .[1]' old-config.json - > config.json rm old-config.json cd .. rm webapp.asar yarn asar pack config-edit/ webpack.asar - name: Set up sqlcipher macros if: steps.cache.outputs.cache-hit != 'true' && contains(inputs.arch, 'arm') shell: pwsh run: | echo "NCC=${{ github.workspace }}\scripts\cl.bat" | Out-File -FilePath $env:GITHUB_ENV -Encoding utf8 -Append - name: Set up build tools if: steps.cache.outputs.cache-hit != 'true' uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1.13.0 with: arch: ${{ steps.config.outputs.arch || inputs.arch }} - name: Build Natives if: steps.cache.outputs.cache-hit != 'true' run: | refreshenv yarn build:native --target ${{ steps.config.outputs.target }} - name: Install and configure eSigner CKA run: | Set-StrictMode -Version 'Latest' # Download, extract, and rename Invoke-WebRequest -OutFile eSigner_CKA.zip "$env:ESIGNER_URL" Expand-Archive -Path eSigner_CKA.zip -DestinationPath . Get-ChildItem -Path * -Include "*_build_*.exe" | Rename-Item -NewName eSigner_CKA.exe # Install New-Item -ItemType Directory -Force -Path "$env:INSTALL_DIR" ./eSigner_CKA.exe /CURRENTUSER /VERYSILENT /SUPPRESSMSGBOXES /DIR="${{ env.INSTALL_DIR }}" | Out-Null # Disable logger $LogConfig = Get-Content -Path ${{ env.INSTALL_DIR }}/log4net.config $LogConfig[0] = '' $LogConfig | Set-Content -Path ${{ env.INSTALL_DIR }}/log4net.config # Configure - default credentials from https://www.ssl.com/guide/esigner-demo-credentials-and-certificates/ ${{ env.INSTALL_DIR }}/eSignerCKATool.exe config ` -mode ${{ vars.ESIGNER_MODE || 'sandbox' }} ` -user "${{ secrets.ESIGNER_USER_NAME || 'esigner_demo' }}" ` -pass "${{ secrets.ESIGNER_USER_PASSWORD || 'esignerDemo#1' }}" ` -totp "${{ secrets.ESIGNER_USER_TOTP || 'RDXYgV9qju+6/7GnMf1vCbKexXVJmUVr+86Wq/8aIGg=' }}" ` -key "${{ env.MASTER_KEY_FILE }}" -r ${{ env.INSTALL_DIR }}/eSignerCKATool.exe unload ${{ env.INSTALL_DIR }}/eSignerCKATool.exe load # Find certificate $CodeSigningCert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1 echo Certificate: $CodeSigningCert # Extract thumbprint and subject name $Thumbprint = $CodeSigningCert.Thumbprint $SubjectName = ($CodeSigningCert.Subject -replace ", ?", "`n" | ConvertFrom-StringData).CN echo "ED_SIGNTOOL_THUMBPRINT=$Thumbprint" >> $env:GITHUB_ENV echo "ED_SIGNTOOL_SUBJECT_NAME=$SubjectName" >> $env:GITHUB_ENV env: ESIGNER_URL: https://github.com/SSLcom/eSignerCKA/releases/download/v1.0.6/SSL.COM-eSigner-CKA_1.0.6.zip INSTALL_DIR: C:\Users\runneradmin\eSignerCKA MASTER_KEY_FILE: C:\Users\runneradmin\eSignerCKA\master.key - name: Build App run: yarn build --publish never -w ${{ steps.config.outputs.build-args }} env: # Only set for Nightly builds ED_NIGHTLY: ${{ inputs.version }} - name: Trust eSigner sandbox cert if: inputs.sign == '' run: | Set-StrictMode -Version 'Latest' Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root -FilePath .github/SSLcom-sandbox.crt - name: Check app was signed successfully run: | Set-StrictMode -Version 'Latest' Get-ChildItem ` -Recurse dist ` -Include *.exe, *.msi ` | ForEach-Object -Process {. $env:SIGNTOOL_PATH verify /pa $_.FullName; if(!$?) { throw }} - name: Upload Artifacts uses: actions/upload-artifact@v4 with: name: win-${{ inputs.arch }} path: | dist retention-days: 1 - name: Assert all required files are present run: | Test-Path './dist/win-*unpacked/Element*.exe' Test-Path './dist/squirrel-windows*/Element Setup*.exe' Test-Path './dist/squirrel-windows*/element-desktop-*-full.nupkg' Test-Path './dist/squirrel-windows*/RELEASES' Test-Path './dist/Element*.msi'