ByoungSooPark/modeling-app
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Clean up for PR

Browse Source
This commit is contained in:
Pierre Jacquier
2025-04-11 09:47:45 -04:00
parent c1894edaed
commit e8a82ea85e
3 changed files with 8 additions and 110 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
.github/workflows/build-apps.yml vendored
View File

@ -5,7 +5,6 @@ on:
push: push:
branches: branches:
- main - main
- pierremtb/issue6256-Updater-on-Nightly-on-Windows-failed
tags: tags:
- 'v[0-9]+.[0-9]+.[0-9]+' - 'v[0-9]+.[0-9]+.[0-9]+'
- 'nightly-v[0-9]+.[0-9]+.[0-9]+' - 'nightly-v[0-9]+.[0-9]+.[0-9]+'
@ -31,8 +30,7 @@ jobs:
- uses: actions/setup-node@v4 - uses: actions/setup-node@v4
with: with:
node-version-file: '.nvmrc' node-version-file: '.nvmrc'
# Forget cache for now cache: 'yarn'
# cache: 'yarn'
- run: yarn install - run: yarn install
@ -46,7 +44,7 @@ jobs:
- name: Download Wasm Cache - name: Download Wasm Cache
id: download-wasm id: download-wasm
# if: ${{ github.event_name == 'pull_request' && steps.filter.outputs.rust == 'false' }} if: ${{ github.event_name == 'pull_request' && steps.filter.outputs.rust == 'false' }}
uses: dawidd6/action-download-artifact@v7 uses: dawidd6/action-download-artifact@v7
continue-on-error: true continue-on-error: true
with: with:
@ -62,8 +60,7 @@ jobs:
set -euox pipefail set -euox pipefail
# Build wasm if this is a push to main or tag, there are Rust changes, or # Build wasm if this is a push to main or tag, there are Rust changes, or
# downloading from the wasm cache failed. # downloading from the wasm cache failed.
# if [[ ${{github.event_name}} == 'push' || ${{steps.filter.outputs.rust}} == 'true' || ${{steps.download-wasm.outcome}} == 'failure' ]]; then if [[ ${{github.event_name}} == 'push' || ${{steps.filter.outputs.rust}} == 'true' || ${{steps.download-wasm.outcome}} == 'failure' ]]; then
if [[ ${{steps.filter.outputs.rust}} == 'true' || ${{steps.download-wasm.outcome}} == 'failure' ]]; then
echo "should-build-wasm=true" >> $GITHUB_OUTPUT echo "should-build-wasm=true" >> $GITHUB_OUTPUT
else else
echo "should-build-wasm=false" >> $GITHUB_OUTPUT echo "should-build-wasm=false" >> $GITHUB_OUTPUT
@ -176,8 +173,7 @@ jobs:
uses: actions/setup-node@v4 uses: actions/setup-node@v4
with: with:
node-version-file: '.nvmrc' node-version-file: '.nvmrc'
# Forget cache for now cache: 'yarn' # Set this to npm, yarn or pnpm.
# cache: 'yarn' # Set this to npm, yarn or pnpm.
- name: yarn install - name: yarn install
# Windows is picky sometimes and fails on fetch. Step takes about ~30s # Windows is picky sometimes and fails on fetch. Step takes about ~30s
@ -216,13 +212,6 @@ jobs:
smctl windows certsync smctl windows certsync
shell: cmd shell: cmd
# This is what electron-builder seems to want
- name: List certs
if: ${{ (env.IS_RELEASE == 'true' || env.IS_NIGHTLY == 'true') && matrix.os == 'windows-2022' }}
shell: pwsh
run: |
Get-ChildItem -Recurse Cert: -CodeSigningCert | Select-Object -Property Subject,PSParentPath,Thumbprint
- name: Build the app (debug) - name: Build the app (debug)
if: ${{ env.IS_RELEASE == 'false' && env.IS_NIGHTLY == 'false' }} if: ${{ env.IS_RELEASE == 'false' && env.IS_NIGHTLY == 'false' }}
# electron-builder doesn't have a concept of release vs debug, # electron-builder doesn't have a concept of release vs debug,
@ -236,10 +225,10 @@ jobs:
APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }} APPLE_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_PASSWORD }} APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_PASSWORD }}
APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }} APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
# CSC_LINK: ${{ secrets.APPLE_CERTIFICATE }} CSC_LINK: ${{ secrets.APPLE_CERTIFICATE }}
# CSC_KEY_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} CSC_KEY_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
# CSC_KEYCHAIN: ${{ secrets.APPLE_SIGNING_IDENTITY }} CSC_KEYCHAIN: ${{ secrets.APPLE_SIGNING_IDENTITY }}
# WINDOWS_CERTIFICATE_THUMBPRINT: ${{ secrets.WINDOWS_CERTIFICATE_THUMBPRINT }} # DEBUG: "electron-notarize*"
DEBUG: electron-builder DEBUG: electron-builder
# TODO: Fix electron-notarize flakes. The logs above should help gather more data on failures # TODO: Fix electron-notarize flakes. The logs above should help gather more data on failures
uses: nick-fields/retry@v3.0.2 uses: nick-fields/retry@v3.0.2

56
.github/workflows/pierre-test-windows-code-sign.yml vendored
View File

@ -1,56 +0,0 @@
name: pierre-test-windows-code-sign
on:
push:
branches:
- pierremtb/issue6256-Updater-on-Nightly-on-Windows-failed
jobs:
build-apps:
strategy:
fail-fast: false
matrix:
include:
- os: windows-2022
platform: win
runs-on: ${{ matrix.os }}
steps:
# From https://docs.digicert.com/en/digicert-keylocker/ci-cd-integrations/scripts/github/scripts-for-signing-using-ksp-library-on-github.html#ksp-signing-using-github-action-488726
- name: Setup Certificate
run: |
echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/Certificate_pkcs12.p12
cat /d/Certificate_pkcs12.p12
shell: bash
- name: Set variables
id: variables
run: |
echo "version=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT
echo "KEYPAIR_NAME=gt-standard-keypair" >> $GITHUB_OUTPUT
echo "CERTIFICATE_NAME=gt-certificate" >> $GITHUB_OUTPUT
echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV"
echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV"
echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV"
echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV"
echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH
echo "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools" >> $GITHUB_PATH
echo "C:\Program Files\DigiCert\DigiCert Keylocker Tools" >> $GITHUB_PATH
shell: bash
- name: Setup SSM KSP on windows latest
run: |
curl -X GET https://one.digicert.com/signingmanager/api-ui/v1/releases/Keylockertools-windows-x64.msi/download -H "x-api-key:%SM_API_KEY%" -o Keylockertools-windows-x64.msi
msiexec /i Keylockertools-windows-x64.msi /quiet /qn
smksp_registrar.exe list
smctl.exe keypair ls
C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user
smksp_cert_sync.exe
smctl windows certsync
shell: cmd
# This is what electron-builder seems to want
- name: List certs
shell: pwsh
run: |
Get-ChildItem -Recurse Cert: -CodeSigningCert | Select-Object -Property Subject,PSParentPath,Thumbprint

35
scripts/sign-win.js
View File

@ -1,35 +0,0 @@
// From https://github.com/OpenBuilds/OpenBuilds-CONTROL/blob/4800540ffaa517925fc2cff26670809efa341ffe/signWin.js
const { execSync } = require('node:child_process')
exports.default = async (configuration) => {
if (!process.env.SM_API_KEY) {
console.error(
'Signing using signWin.js script: failed: SM_API_KEY ENV VAR NOT FOUND'
)
return
}
if (!process.env.WINDOWS_CERTIFICATE_THUMBPRINT) {
console.error(
'Signing using signWin.js script: failed: FINGERPRINT ENV VAR NOT FOUND'
)
return
}
if (!configuration.path) {
throw new Error(
`Signing using signWin.js script: failed: TARGET PATH NOT FOUND`
)
}
try {
const result = execSync(
`smctl sign --fingerprint="${process.env.WINDOWS_CERTIFICATE_THUMBPRINT
}" --input "${String(configuration.path)}"`,
).toString()
console.log('execSync result', result)
console.log('Signing using signWin.js script: successful')
} catch (error) {
throw new Error('Signing using signWin.js script: failed:', error)
}
}