Clean up for PR

2025-04-11 09:47:45 -04:00
parent c1894edaed
commit e8a82ea85e
3 changed files with 8 additions and 110 deletions
--- a/.github/workflows/build-apps.yml
+++ b/.github/workflows/build-apps.yml
@ -5,7 +5,6 @@ on:
  push:
    branches:
      - main
-      - pierremtb/issue6256-Updater-on-Nightly-on-Windows-failed
    tags:
      - 'v[0-9]+.[0-9]+.[0-9]+'
      - 'nightly-v[0-9]+.[0-9]+.[0-9]+'
@ -31,8 +30,7 @@ jobs:
      - uses: actions/setup-node@v4
        with:
          node-version-file: '.nvmrc'
-          # Forget cache for now
-          # cache: 'yarn'
+          cache: 'yarn'

      - run: yarn install

@ -46,7 +44,7 @@ jobs:

      - name: Download Wasm Cache
        id: download-wasm
-        # if: ${{ github.event_name == 'pull_request' && steps.filter.outputs.rust == 'false' }}
+        if: ${{ github.event_name == 'pull_request' && steps.filter.outputs.rust == 'false' }}
        uses: dawidd6/action-download-artifact@v7
        continue-on-error: true
        with:
@ -62,8 +60,7 @@ jobs:
          set -euox pipefail
          # Build wasm if this is a push to main or tag, there are Rust changes, or
          # downloading from the wasm cache failed.
-          # if [[ ${{github.event_name}} == 'push' || ${{steps.filter.outputs.rust}} == 'true' || ${{steps.download-wasm.outcome}} == 'failure' ]]; then
-          if [[ ${{steps.filter.outputs.rust}} == 'true' || ${{steps.download-wasm.outcome}} == 'failure' ]]; then
+          if [[ ${{github.event_name}} == 'push' || ${{steps.filter.outputs.rust}} == 'true' || ${{steps.download-wasm.outcome}} == 'failure' ]]; then
            echo "should-build-wasm=true" >> $GITHUB_OUTPUT
          else
            echo "should-build-wasm=false" >> $GITHUB_OUTPUT
@ -176,8 +173,7 @@ jobs:
        uses: actions/setup-node@v4
        with:
          node-version-file: '.nvmrc'
-          # Forget cache for now
-          # cache: 'yarn' # Set this to npm, yarn or pnpm.
+          cache: 'yarn' # Set this to npm, yarn or pnpm.

      - name: yarn install
        # Windows is picky sometimes and fails on fetch. Step takes about ~30s
@ -216,13 +212,6 @@ jobs:
          smctl windows certsync
        shell: cmd

-      # This is what electron-builder seems to want
-      - name: List certs
-        if: ${{ (env.IS_RELEASE == 'true' || env.IS_NIGHTLY == 'true') && matrix.os == 'windows-2022' }}
-        shell: pwsh
-        run: |
-          Get-ChildItem -Recurse Cert: -CodeSigningCert | Select-Object -Property Subject,PSParentPath,Thumbprint
-
      - name: Build the app (debug)
        if: ${{ env.IS_RELEASE == 'false' && env.IS_NIGHTLY == 'false' }}
        # electron-builder doesn't have a concept of release vs debug,
@ -236,10 +225,10 @@ jobs:
          APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
-          # CSC_LINK: ${{ secrets.APPLE_CERTIFICATE }}
-          # CSC_KEY_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
-          # CSC_KEYCHAIN: ${{ secrets.APPLE_SIGNING_IDENTITY }}
-          # WINDOWS_CERTIFICATE_THUMBPRINT: ${{ secrets.WINDOWS_CERTIFICATE_THUMBPRINT }}
+          CSC_LINK: ${{ secrets.APPLE_CERTIFICATE }}
+          CSC_KEY_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
+          CSC_KEYCHAIN: ${{ secrets.APPLE_SIGNING_IDENTITY }}
+          # DEBUG: "electron-notarize*"
          DEBUG: electron-builder
        # TODO: Fix electron-notarize flakes. The logs above should help gather more data on failures
        uses: nick-fields/retry@v3.0.2
--- a/.github/workflows/pierre-test-windows-code-sign.yml
+++ b/.github/workflows/pierre-test-windows-code-sign.yml
@ -1,56 +0,0 @@
-name: pierre-test-windows-code-sign
-
-on:
-  push:
-    branches:
-      - pierremtb/issue6256-Updater-on-Nightly-on-Windows-failed
-
-jobs:
-  build-apps:
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: windows-2022
-            platform: win
-    runs-on: ${{ matrix.os }}
-    steps:
-
-      # From https://docs.digicert.com/en/digicert-keylocker/ci-cd-integrations/scripts/github/scripts-for-signing-using-ksp-library-on-github.html#ksp-signing-using-github-action-488726
-      - name: Setup Certificate
-        run: |
-          echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/Certificate_pkcs12.p12
-          cat /d/Certificate_pkcs12.p12
-        shell: bash
-          
-      - name: Set variables
-        id: variables
-        run: |
-          echo "version=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT
-          echo "KEYPAIR_NAME=gt-standard-keypair" >> $GITHUB_OUTPUT
-          echo "CERTIFICATE_NAME=gt-certificate" >> $GITHUB_OUTPUT
-          echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV"
-          echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV"
-          echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV"
-          echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV"
-          echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH
-          echo "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools" >> $GITHUB_PATH
-          echo "C:\Program Files\DigiCert\DigiCert Keylocker Tools" >> $GITHUB_PATH
-        shell: bash
-
-      - name: Setup SSM KSP on windows latest
-        run: |
-          curl -X GET  https://one.digicert.com/signingmanager/api-ui/v1/releases/Keylockertools-windows-x64.msi/download -H "x-api-key:%SM_API_KEY%" -o Keylockertools-windows-x64.msi
-          msiexec /i Keylockertools-windows-x64.msi /quiet /qn
-          smksp_registrar.exe list
-          smctl.exe keypair ls
-          C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user
-          smksp_cert_sync.exe
-          smctl windows certsync
-        shell: cmd
-
-      # This is what electron-builder seems to want
-      - name: List certs
-        shell: pwsh
-        run: |
-          Get-ChildItem -Recurse Cert: -CodeSigningCert | Select-Object -Property Subject,PSParentPath,Thumbprint
--- a/scripts/sign-win.js
+++ b/scripts/sign-win.js
@ -1,35 +0,0 @@
-// From https://github.com/OpenBuilds/OpenBuilds-CONTROL/blob/4800540ffaa517925fc2cff26670809efa341ffe/signWin.js
-const { execSync } = require('node:child_process')
-
-exports.default = async (configuration) => {
-  if (!process.env.SM_API_KEY) {
-    console.error(
-      'Signing using signWin.js script: failed: SM_API_KEY ENV VAR NOT FOUND'
-    )
-    return
-  }
-
-  if (!process.env.WINDOWS_CERTIFICATE_THUMBPRINT) {
-    console.error(
-      'Signing using signWin.js script: failed: FINGERPRINT ENV VAR NOT FOUND'
-    )
-    return
-  }
-
-  if (!configuration.path) {
-    throw new Error(
-      `Signing using signWin.js script: failed: TARGET PATH NOT FOUND`
-    )
-  }
-
-  try {
-    const result = execSync(
-      `smctl sign --fingerprint="${process.env.WINDOWS_CERTIFICATE_THUMBPRINT
-      }" --input "${String(configuration.path)}"`,
-    ).toString()
-    console.log('execSync result', result)
-    console.log('Signing using signWin.js script: successful')
-  } catch (error) {
-    throw new Error('Signing using signWin.js script: failed:', error)
-  }
-}