From 3e6482648854ce83d72b76fb8d955bebc28a54b1 Mon Sep 17 00:00:00 2001 From: Phil Rzewski Date: Tue, 16 Apr 2024 11:44:24 -0700 Subject: [PATCH 1/9] Make builds using the new ssl.com code signing certificate --- .github/actions/build-zui/action.yml | 41 +++++++++-- .github/workflows/build-insiders.yml | 6 +- .github/workflows/build.yml | 6 +- .github/workflows/release-insiders.yml | 6 +- .github/workflows/release.yml | 6 +- apps/zui/electron-builder-config.js | 73 ++++++++++++++++++++ apps/zui/electron-builder-insiders-config.js | 16 +++++ apps/zui/electron-builder-insiders.json | 14 ---- apps/zui/electron-builder.json | 25 ------- apps/zui/package.json | 8 +-- 10 files changed, 146 insertions(+), 55 deletions(-) create mode 100644 apps/zui/electron-builder-config.js create mode 100644 apps/zui/electron-builder-insiders-config.js delete mode 100644 apps/zui/electron-builder-insiders.json delete mode 100644 apps/zui/electron-builder.json diff --git a/.github/actions/build-zui/action.yml b/.github/actions/build-zui/action.yml index 5877eff3c7..f79f6e130a 100644 --- a/.github/actions/build-zui/action.yml +++ b/.github/actions/build-zui/action.yml @@ -8,9 +8,13 @@ inputs: required: true # Windows Inputs - csc_key_password: + ssl_com_username: required: true - csc_link: + ssl_com_password: + required: true + ssl_com_totp_secret: + required: true + ssl_com_credential_id: required: true # Mac Inputs 
@@ -47,16 +51,45 @@ runs: security find-identity -p codesigning -v shell: bash + - name: Checkout esigner-codesign repository + if: runner.os == 'Windows' + uses: actions/checkout@v3 + with: + repository: 'SSLcom/esigner-codesign' + path: esigner-codesign + + - name: Make values from package.json available in Actions steps + id: zui-package + uses: RadovanPelka/github-action-json@v1.0.1 + with: + path: apps/zui/package.json + - name: Build & Publish run: ${{ inputs.cmd }} shell: bash env: GH_TOKEN: ${{ inputs.gh_token }} - WIN_CSC_KEY_PASSWORD: ${{ inputs.csc_key_password }} - WIN_CSC_LINK: ${{ inputs.csc_link }} APPLE_ID: ${{ inputs.apple_id }} APPLE_ID_PASSWORD: ${{ inputs.apple_id_password }} APPLE_TEAM_ID: ${{ inputs.apple_team_id }} + CODE_SIGN_SCRIPT_PATH: ${{ github.workspace }}/esigner-codesign/dist/index.js + INPUT_COMMAND: sign + INPUT_FILE_PATH: ${{ github.workspace }}/dist/apps/zui/${{ fromJSON(steps.zui-package.outputs.productName) }} Setup ${{ fromJSON(steps.zui-package.outputs.version) }}.exe + INPUT_OVERRIDE: true + INPUT_MALWARE_BLOCK: false + INPUT_CLEAN_LOGS: false + INPUT_JVM_MAX_MEMORY: 1024M + INPUT_ENVIRONMENT_NAME: PROD + INPUT_USERNAME: ${{ inputs.ssl_com_username }} + INPUT_PASSWORD: ${{ inputs.ssl_com_password }} + INPUT_TOTP_SECRET: ${{ inputs.ssl_com_totp_secret }} + INPUT_CREDENTIAL_ID: ${{ inputs.ssl_com_credential_id }} + + - name: Check for successful signing with SignTool + if: runner.os == 'Windows' + run: | + "C:\Program Files (x86)\Microsoft SDKs\ClickOnce\SignTool\signtool.exe" verify /pa "${{ github.workspace }}/dist/apps/zui/${{ fromJSON(steps.zui-package.outputs.productName) }} Setup ${{ fromJSON(steps.zui-package.outputs.version) }}.exe" + shell: cmd - name: Check notorization with gatekeeper if: runner.os == 'macOS' diff --git a/.github/workflows/build-insiders.yml b/.github/workflows/build-insiders.yml index d992bc9671..36ed7106b8 100644 --- a/.github/workflows/build-insiders.yml +++ b/.github/workflows/build-insiders.yml 
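Review bot: The `Checkout esigner-codesign repository` step has no `ref:`, so every build clones whatever is at the head of the default branch of `SSLcom/esigner-codesign`. The `Build & Publish` step then points `CODE_SIGN_SCRIPT_PATH` at that checkout's `dist/index.js`, with `INPUT_PASSWORD` and `INPUT_TOTP_SECRET` in its environment. Pinning the checkout to a reviewed commit, e.g. `ref: <full-commit-sha>` (placeholder, the page does not give one), keeps an upstream push from changing the code that handles the signing credentials. The four `INPUT_USERNAME`/`INPUT_PASSWORD`/`INPUT_TOTP_SECRET`/`INPUT_CREDENTIAL_ID` entries also sit on a step with no `runner.os == 'Windows'` condition, so they are exported to whatever `${{ inputs.cmd }}` runs on macOS and Linux too, and to every build script on Windows; a comment on that, or a Windows-only signing step, would narrow the exposure.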
@@ -56,8 +56,10 @@ jobs: cmd: yarn nx package-insiders zui gh_token: ${{ secrets.PAT_TOKEN }} # Windows - csc_key_password: ${{ secrets.WINDOWS_SIGNING_PASSPHRASE }} - csc_link: ${{ secrets.WINDOWS_SIGNING_PFX_BASE64 }} + ssl_com_username: ${{ secrets.WINDOWS_SIGNING_SSL_COM_USERNAME }} + ssl_com_password: ${{ secrets.WINDOWS_SIGNING_SSL_COM_PASSWORD }} + ssl_com_totp_secret: ${{ secrets.WINDOWS_SIGNING_SSL_COM_TOTP_SECRET }} + ssl_com_credential_id: ${{ secrets.WINDOWS_SIGNING_SSL_COM_CREDENTIAL_ID }} # Mac apple_id: ${{ secrets.APPLEID_USER }} apple_id_password: ${{ secrets.APPLEID_PASSWORD }} diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 957eefd265..8d5fc25e06 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -25,8 +25,10 @@ jobs: cmd: yarn nx package-zui zui gh_token: ${{ secrets.GITHUB_TOKEN }} # Windows - csc_key_password: ${{ secrets.WINDOWS_SIGNING_PASSPHRASE }} - csc_link: ${{ secrets.WINDOWS_SIGNING_PFX_BASE64 }} + ssl_com_username: ${{ secrets.WINDOWS_SIGNING_SSL_COM_USERNAME }} + ssl_com_password: ${{ secrets.WINDOWS_SIGNING_SSL_COM_PASSWORD }} + ssl_com_totp_secret: ${{ secrets.WINDOWS_SIGNING_SSL_COM_TOTP_SECRET }} + ssl_com_credential_id: ${{ secrets.WINDOWS_SIGNING_SSL_COM_CREDENTIAL_ID }} # Mac apple_id: ${{ secrets.APPLEID_USER }} apple_id_password: ${{ secrets.APPLEID_PASSWORD }} diff --git a/.github/workflows/release-insiders.yml b/.github/workflows/release-insiders.yml index d1b731b1a4..6a1e581416 100644 --- a/.github/workflows/release-insiders.yml +++ b/.github/workflows/release-insiders.yml 
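Review bot: The SSL.com password and the TOTP seed are now stored side by side as repository secrets and handed to the plain build workflows as well as the release ones, so any code that runs in these jobs holds both factors of the production signing credential. The job triggers are outside these hunks. If they allow it, consider moving the four `WINDOWS_SIGNING_SSL_COM_*` secrets into a GitHub environment with branch restrictions or required reviewers, and referencing that environment only from the jobs that must sign. The same four lines are added in build.yml, release-insiders.yml and release.yml.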
@@ -56,8 +56,10 @@ jobs: cmd: yarn nx release-insiders zui gh_token: ${{ secrets.PAT_TOKEN }} # Windows - csc_key_password: ${{ secrets.WINDOWS_SIGNING_PASSPHRASE }} - csc_link: ${{ secrets.WINDOWS_SIGNING_PFX_BASE64 }} + ssl_com_username: ${{ secrets.WINDOWS_SIGNING_SSL_COM_USERNAME }} + ssl_com_password: ${{ secrets.WINDOWS_SIGNING_SSL_COM_PASSWORD }} + ssl_com_totp_secret: ${{ secrets.WINDOWS_SIGNING_SSL_COM_TOTP_SECRET }} + ssl_com_credential_id: ${{ secrets.WINDOWS_SIGNING_SSL_COM_CREDENTIAL_ID }} # Mac apple_id: ${{ secrets.APPLEID_USER }} apple_id_password: ${{ secrets.APPLEID_PASSWORD }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b94f2e9487..0ec9586cae 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -25,8 +25,10 @@ jobs: cmd: yarn nx release-zui zui gh_token: ${{ secrets.GITHUB_TOKEN }} # Windows - csc_key_password: ${{ secrets.WINDOWS_SIGNING_PASSPHRASE }} - csc_link: ${{ secrets.WINDOWS_SIGNING_PFX_BASE64 }} + ssl_com_username: ${{ secrets.WINDOWS_SIGNING_SSL_COM_USERNAME }} + ssl_com_password: ${{ secrets.WINDOWS_SIGNING_SSL_COM_PASSWORD }} + ssl_com_totp_secret: ${{ secrets.WINDOWS_SIGNING_SSL_COM_TOTP_SECRET }} + ssl_com_credential_id: ${{ secrets.WINDOWS_SIGNING_SSL_COM_CREDENTIAL_ID }} # Mac apple_id: ${{ secrets.APPLEID_USER }} apple_id_password: ${{ secrets.APPLEID_PASSWORD }} diff --git a/apps/zui/electron-builder-config.js b/apps/zui/electron-builder-config.js new file mode 100644 index 0000000000..7f72e0d58c --- /dev/null +++ b/apps/zui/electron-builder-config.js 
@@ -0,0 +1,73 @@ +const { execSync } = require('child_process'); +const zuiPackage = require('./package.json') + +const config = { + appId: "io.brimdata.zui", + asar: true, + asarUnpack: ["zdeps", "LICENSE.txt", "acknowledgments.txt", "**/*.node"], + directories: {output: "../../dist/apps/zui"}, + protocols: [{name: "zui", "schemes": ["zui"]}], + win: {target: ["nsis"]}, + linux: {target: ["deb", "rpm"]}, + rpm: {depends: ["openssl"]}, + deb: {depends: ["openssl"]}, + nsis: {oneClick: false, perMachine: false}, + forceCodeSigning: true, + afterSign: "electron-builder-notarize", + publish: { + provider: "github" + }, + files: [ + "dist/**", + "out/**", + "build/**", + "zdeps/**", + "LICENSE.txt", + "acknowledgments.txt", + "package.json" + ], +} + +// Code below for code signing with SSL.com cert in electron-builder via GitHub +// Actions taken from: +// https://github.com/electron-userland/electron-builder/issues/6158#issuecomment-1994110062 +if (process.env.CODE_SIGN_SCRIPT_PATH) { + const version = zuiPackage.version; + const productName = zuiPackage.productName; + const versionedExe = `${productName} Setup ${version}.exe`; + + config.win.sign = (configuration) => { + console.log("Requested signing for ", configuration.path); + + // Only proceed if the versioned exe file is in the configuration path - skip signing everything else + if (!configuration.path.includes(versionedExe)) { + console.log("Configuration path does not include the versioned exe, signing skipped."); + return true; + } + + const scriptPath = process.env.CODE_SIGN_SCRIPT_PATH; + + try { + // Execute the sign script synchronously + const output = execSync(`node "${scriptPath}"`).toString(); + console.log(`Script output: ${output}`); + } catch (error) { + console.error(`Error executing script: ${error.message}`); + if (error.stdout) { + console.log(`Script stdout: ${error.stdout.toString()}`); + } + if (error.stderr) { + console.error(`Script stderr: ${error.stderr.toString()}`); + } + return 
false; + } + + return true; // Return true at the end of successful signing + }; + + // Sign only for Windows 10 and above + config.win.signingHashAlgorithms = ["sha256"]; + +} + +module.exports = config; diff --git a/apps/zui/electron-builder-insiders-config.js b/apps/zui/electron-builder-insiders-config.js new file mode 100644 index 0000000000..159b348d29 --- /dev/null +++ b/apps/zui/electron-builder-insiders-config.js @@ -0,0 +1,16 @@ +const config = { + extends: "./electron-builder-config.js", + appId: "io.brimdata.zui-insiders", + mac: { + icon: "build/insiders/icon.icns" + }, + win: { + icon: "build/insiders/icon.ico" + }, + publish: { + provider: "github", + releaseType: "release" + } +} + +module.exports = config; diff --git a/apps/zui/electron-builder-insiders.json b/apps/zui/electron-builder-insiders.json deleted file mode 100644 index 64cb835c5b..0000000000 --- a/apps/zui/electron-builder-insiders.json +++ /dev/null @@ -1,14 +0,0 @@ -{ - "extends": "./electron-builder.json", - "appId": "io.brimdata.zui-insiders", - "mac": { - "icon": "build/insiders/icon.icns" - }, - "win": { - "icon": "build/insiders/icon.ico" - }, - "publish": { - "provider": "github", - "releaseType": "release" - } -} diff --git a/apps/zui/electron-builder.json b/apps/zui/electron-builder.json deleted file mode 100644 index 9ed8a20ca3..0000000000 --- a/apps/zui/electron-builder.json +++ /dev/null 
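Review bot: A failed signing run is caught in the `config.win.sign` hook and turned into `return false;`. As far as I can tell electron-builder reacts only to a throw or a rejected promise from a custom sign hook, not to its return value, so the build would carry on with an unsigned installer. Rethrowing after the logging (`throw error;`) makes the failure stop the build here instead of depending on the later SignTool verify step. The command is also assembled as a shell string around `scriptPath` and passed to `execSync`; `execFileSync(process.execPath, [scriptPath])`, with `execFileSync` added to the `child_process` destructuring, avoids the shell and the manual quoting. Both patterns reappear in `sign()` in apps/zui/scripts/sign.js in patch 2/9.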
@@ -1,25 +0,0 @@ -{ - "appId": "io.brimdata.zui", - "asar": true, - "asarUnpack": ["zdeps", "LICENSE.txt", "acknowledgments.txt", "**/*.node"], - "directories": {"output": "../../dist/apps/zui"}, - "protocols": [{"name": "zui", "schemes": ["zui"]}], - "linux": {"target": ["deb", "rpm"]}, - "rpm": {"depends": ["openssl"]}, - "deb": {"depends": ["openssl"]}, - "nsis": {"oneClick": false, "perMachine": false}, - "forceCodeSigning": true, - "afterSign": "electron-builder-notarize", - "publish": { - "provider": "github" - }, - "files": [ - "dist/**", - "out/**", - "build/**", - "zdeps/**", - "LICENSE.txt", - "acknowledgments.txt", - "package.json" - ] -} diff --git a/apps/zui/package.json b/apps/zui/package.json index 491ac00d71..e8a8d2ec45 100644 --- a/apps/zui/package.json +++ b/apps/zui/package.json @@ -27,10 +27,10 @@ "tsc": "tsc", "postinstall": "node scripts/post-install", "prepare": "husky install", - "package-zui": "electron-builder --publish never", - "release-zui": "electron-builder", - "package-insiders": "electron-builder --config electron-builder-insiders.json --publish never", - "release-insiders": "electron-builder --config electron-builder-insiders.json --publish always" + "package-zui": "electron-builder --config electron-builder-config.js --publish never", + "release-zui": "electron-builder --config electron-builder-config.js", + "package-insiders": "electron-builder --config electron-builder-insiders-config.js --publish never", + "release-insiders": "electron-builder --config electron-builder-insiders-config.js --publish always" }, "dependencies": { "keytar": "^7.7.0", From 22602cbbfed201ff4b306589ca01b54f36257683 Mon Sep 17 00:00:00 2001 
From: James Kerr Date: Mon, 22 Apr 2024 15:35:24 -0700 Subject: [PATCH 2/9] Organize Windows Code Signing Script --- .github/actions/build-zui/action.yml | 16 ++-- apps/zui/electron-builder-config.js | 73 ------------------- apps/zui/electron-builder-config.json | 30 ++++++++ apps/zui/electron-builder-insiders-config.js | 16 ---- .../zui/electron-builder-insiders-config.json | 14 ++++ apps/zui/scripts/artifact.js | 18 +++++ apps/zui/scripts/sign.js | 56 ++++++++++++++ package.json | 3 +- tools/scripts/artifact-path.js | 3 + 9 files changed, 130 insertions(+), 99 deletions(-) delete mode 100644 apps/zui/electron-builder-config.js create mode 100644 apps/zui/electron-builder-config.json delete mode 100644 apps/zui/electron-builder-insiders-config.js create mode 100644 apps/zui/electron-builder-insiders-config.json create mode 100644 apps/zui/scripts/artifact.js create mode 100644 apps/zui/scripts/sign.js create mode 100644 tools/scripts/artifact-path.js diff --git a/.github/actions/build-zui/action.yml b/.github/actions/build-zui/action.yml index f79f6e130a..63593b26fb 100644 --- a/.github/actions/build-zui/action.yml +++ b/.github/actions/build-zui/action.yml @@ -55,14 +55,12 @@ runs: if: runner.os == 'Windows' uses: actions/checkout@v3 with: - repository: 'SSLcom/esigner-codesign' - path: esigner-codesign + repository: 'SSLcom/esigner-codesign' + path: esigner-codesign - - name: Make values from package.json available in Actions steps - id: zui-package - uses: RadovanPelka/github-action-json@v1.0.1 - with: - path: apps/zui/package.json + - name: Expose the Artifact Path + id: paths + run: echo "artifact='$(yarn artifact-path)'" >> "$GITHUB_OUTPUT" - name: Build & Publish run: ${{ inputs.cmd }} 
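Review bot: The `Expose the Artifact Path` step writes everything `yarn artifact-path` prints on stdout into `$GITHUB_OUTPUT`. Under Yarn 1 a script run also prints its `yarn run` banner and a `Done in` line unless silenced, so `steps.paths.outputs.artifact` may not be the bare path (the Yarn version is not visible here). Substituting `$(node tools/scripts/artifact-path.js)` removes that dependency; the later hunks in patches 8/9 and 9/9 keep the `yarn` substitution. This value decides both what `INPUT_FILE_PATH` hands to the signer and what SignTool verifies, so a guard that it is a single non-empty line would be worth adding.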
@@ -74,7 +72,7 @@ runs: APPLE_TEAM_ID: ${{ inputs.apple_team_id }} CODE_SIGN_SCRIPT_PATH: ${{ github.workspace }}/esigner-codesign/dist/index.js INPUT_COMMAND: sign - INPUT_FILE_PATH: ${{ github.workspace }}/dist/apps/zui/${{ fromJSON(steps.zui-package.outputs.productName) }} Setup ${{ fromJSON(steps.zui-package.outputs.version) }}.exe + INPUT_FILE_PATH: ${{ steps.paths.outputs.artifact }} INPUT_OVERRIDE: true INPUT_MALWARE_BLOCK: false INPUT_CLEAN_LOGS: false @@ -88,7 +86,7 @@ runs: - name: Check for successful signing with SignTool if: runner.os == 'Windows' run: | - "C:\Program Files (x86)\Microsoft SDKs\ClickOnce\SignTool\signtool.exe" verify /pa "${{ github.workspace }}/dist/apps/zui/${{ fromJSON(steps.zui-package.outputs.productName) }} Setup ${{ fromJSON(steps.zui-package.outputs.version) }}.exe" + "C:\Program Files (x86)\Microsoft SDKs\ClickOnce\SignTool\signtool.exe" verify /pa "${{ steps.paths.outputs.artifact }}" shell: cmd - name: Check notorization with gatekeeper diff --git a/apps/zui/electron-builder-config.js b/apps/zui/electron-builder-config.js deleted file mode 100644 index 7f72e0d58c..0000000000 --- a/apps/zui/electron-builder-config.js +++ /dev/null 
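Review bot: The `Check for successful signing with SignTool` step runs `verify /pa`, which accepts any Authenticode signature that chains to a trusted root; it does not confirm that the installer was signed with the SSL.com certificate this series introduces. sign.js in this same patch returns `true` from its skip branches and `false` (not a throw) on error, so this step is effectively the only gate against shipping an unsigned or unexpectedly signed installer. I would add a comment saying so, `# sole gate: sign.js skips and errors do not fail the build`, and extend the check to compare the signer subject or thumbprint with the expected value. The step's opening lines are outside this hunk.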
@@ -1,73 +0,0 @@ -const { execSync } = require('child_process'); -const zuiPackage = require('./package.json') - -const config = { - appId: "io.brimdata.zui", - asar: true, - asarUnpack: ["zdeps", "LICENSE.txt", "acknowledgments.txt", "**/*.node"], - directories: {output: "../../dist/apps/zui"}, - protocols: [{name: "zui", "schemes": ["zui"]}], - win: {target: ["nsis"]}, - linux: {target: ["deb", "rpm"]}, - rpm: {depends: ["openssl"]}, - deb: {depends: ["openssl"]}, - nsis: {oneClick: false, perMachine: false}, - forceCodeSigning: true, - afterSign: "electron-builder-notarize", - publish: { - provider: "github" - }, - files: [ - "dist/**", - "out/**", - "build/**", - "zdeps/**", - "LICENSE.txt", - "acknowledgments.txt", - "package.json" - ], -} - -// Code below for code signing with SSL.com cert in electron-builder via GitHub -// Actions taken from: -// https://github.com/electron-userland/electron-builder/issues/6158#issuecomment-1994110062 -if (process.env.CODE_SIGN_SCRIPT_PATH) { - const version = zuiPackage.version; - const productName = zuiPackage.productName; - const versionedExe = `${productName} Setup ${version}.exe`; - - config.win.sign = (configuration) => { - console.log("Requested signing for ", configuration.path); - - // Only proceed if the versioned exe file is in the configuration path - skip signing everything else - if (!configuration.path.includes(versionedExe)) { - console.log("Configuration path does not include the versioned exe, signing skipped."); - return true; - } - - const scriptPath = process.env.CODE_SIGN_SCRIPT_PATH; - - try { - // Execute the sign script synchronously - const output = execSync(`node "${scriptPath}"`).toString(); - console.log(`Script output: ${output}`); - } catch (error) { - console.error(`Error executing script: ${error.message}`); - if (error.stdout) { - console.log(`Script stdout: ${error.stdout.toString()}`); - } - if (error.stderr) { - console.error(`Script stderr: ${error.stderr.toString()}`); - } - return 
false; - } - - return true; // Return true at the end of successful signing - }; - - // Sign only for Windows 10 and above - config.win.signingHashAlgorithms = ["sha256"]; - -} - -module.exports = config; diff --git a/apps/zui/electron-builder-config.json b/apps/zui/electron-builder-config.json new file mode 100644 index 0000000000..4830d1e82b --- /dev/null +++ b/apps/zui/electron-builder-config.json @@ -0,0 +1,30 @@ +{ + "appId": "io.brimdata.zui", + "asar": true, + "asarUnpack": ["zdeps", "LICENSE.txt", "acknowledgments.txt", "**/*.node"], + "directories": {"output": "../../dist/apps/zui"}, + "protocols": [{"name": "zui", "schemes": ["zui"]}], + "win": { + "target": ["nsis"], + "signingHashAlgorithms": ["sha256"], + "sign": "./scripts/sign.js" + }, + "linux": {"target": ["deb", "rpm"]}, + "rpm": {"depends": ["openssl"]}, + "deb": {"depends": ["openssl"]}, + "nsis": {"oneClick": false, "perMachine": false}, + "forceCodeSigning": true, + "afterSign": "electron-builder-notarize", + "publish": { + "provider": "github" + }, + "files": [ + "dist/**", + "out/**", + "build/**", + "zdeps/**", + "LICENSE.txt", + "acknowledgments.txt", + "package.json" + ] +} diff --git a/apps/zui/electron-builder-insiders-config.js b/apps/zui/electron-builder-insiders-config.js deleted file mode 100644 index 159b348d29..0000000000 --- a/apps/zui/electron-builder-insiders-config.js +++ /dev/null @@ -1,16 +0,0 @@ -const config = { - extends: "./electron-builder-config.js", - appId: "io.brimdata.zui-insiders", - mac: { - icon: "build/insiders/icon.icns" - }, - win: { - icon: "build/insiders/icon.ico" - }, - publish: { - provider: "github", - releaseType: "release" - } -} - -module.exports = config; diff --git a/apps/zui/electron-builder-insiders-config.json b/apps/zui/electron-builder-insiders-config.json new file mode 100644 index 0000000000..33e8d4a6cd --- /dev/null +++ b/apps/zui/electron-builder-insiders-config.json 
@@ -0,0 +1,14 @@ +{ + "extends": "./electron-builder-config.js", + "appId": "io.brimdata.zui-insiders", + "mac": { + "icon": "build/insiders/icon.icns" + }, + "win": { + "icon": "build/insiders/icon.ico" + }, + "publish": { + "provider": "github", + "releaseType": "release" + } +} diff --git a/apps/zui/scripts/artifact.js b/apps/zui/scripts/artifact.js new file mode 100644 index 0000000000..7da4f67104 --- /dev/null +++ b/apps/zui/scripts/artifact.js @@ -0,0 +1,18 @@ +const pkg = require("../package.json") +const {join} = require("node:path") + +class Artifact { + get name() { + return `${pkg.productName} Setup ${pkg.version}.exe` + } + + get dir() { + return join(__dirname, "../../../dist/apps/zui") + } + + get path() { + return join(this.dir, this.name) + } +} + +module.exports = new Artifact() diff --git a/apps/zui/scripts/sign.js b/apps/zui/scripts/sign.js new file mode 100644 index 0000000000..611b2eccd0 --- /dev/null +++ b/apps/zui/scripts/sign.js 
@@ -0,0 +1,56 @@ +const {execSync} = require("child_process") +const artifact = require("./artifact") + +// Code below for code signing with SSL.com cert in electron-builder via GitHub +// Inspired from this comment: +// https://github.com/electron-userland/electron-builder/issues/6158#issuecomment-1994110062 + +function sign() { + const scriptPath = process.env.CODE_SIGN_SCRIPT_PATH + process.env.INPUT_COMMAND = "sign" + process.env.INPUT_OVERRIDE = "true" + process.env.INPUT_MALWARE_BLOCK = "false" + process.env.INPUT_CLEAN_LOGS = "false" + process.env.INPUT_JVM_MAX_MEMORY = "1024M" + process.env.INPUT_ENVIRONMENT_NAME = "PROD" + + try { + const output = execSync(`node "${scriptPath}"`).toString() + console.log(`Signing Output: ${output}`) + return true + } catch (error) { + console.error(`Signing Error: ${error.message}`) + if (error.stdout) { + console.log(`Signing Stdout: ${error.stdout.toString()}`) + } + if (error.stderr) { + console.error(`Signing Stderr: ${error.stderr.toString()}`) + } + return false + } +} + +function shouldSign(filePath) { + if (filePath !== artifact.path) { + console.log("Signing Skipped: path not in whitelist '", filePath, "'") + return false + } + if (filePath === artifact.path) { + console.log("Signing Started: '" + filePath + "'") + return true + } +} + +exports.default = async function (configuration) { + if (!process.env.CODE_SIGN_SCRIPT_PATH) { + console.log( + "Signing Skipped: no script path provided in CODE_SIGN_SCRIPT_PATH" + ) + return true + } + if (shouldSign(configuration.path)) { + return sign() + } else { + return true + } +} diff --git a/package.json b/package.json index 6cbb628aa9..8d23713f35 100644 --- a/package.json +++ b/package.json 
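Review bot: `sign()` never tells the signer which file to sign. `shouldSign` checks `configuration.path`, but the eSigner script reads `INPUT_FILE_PATH`, which is left to the workflow even though every other `INPUT_*` value is assigned here. The two agree only because both are derived from `artifact.path`; passing the path into `sign` and setting `process.env.INPUT_FILE_PATH = filePath` beside the other assignments would tie the allow-list check to the file that is actually signed. The skip branches of the exported hook also return `true`, so an unset `CODE_SIGN_SCRIPT_PATH` or a path mismatch produces an unsigned installer without failing here; one possible cause, not visible on this page, is an insiders build that emits a different installer name. A comment on the exported function should state that the SignTool verify step in action.yml is what catches that case.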
@@ -15,7 +15,8 @@ "test": "nx run-many -t test --all --exclude zui-player --skip-nx-cache", "start": "nx start zui", "e2e": "NODE_ENV=production nx test zui-player", - "e2e:ci": "NODE_ENV=production nx ci zui-player" + "e2e:ci": "NODE_ENV=production nx ci zui-player", + "artifact-path": "node tools/scripts/artifact-path.js" }, "devDependencies": { "@nx-go/nx-go": "^2.7.0", diff --git a/tools/scripts/artifact-path.js b/tools/scripts/artifact-path.js new file mode 100644 index 0000000000..637d2caba2 --- /dev/null +++ b/tools/scripts/artifact-path.js @@ -0,0 +1,3 @@ +const artifact = require('../../apps/zui/scripts/artifact'); + +console.log(artifact.path); From 9f447ff1b0d2edb50e061d7cdb684896001a00a6 Mon Sep 17 00:00:00 2001 From: James Kerr Date: Mon, 22 Apr 2024 15:49:51 -0700 Subject: [PATCH 3/9] Keep env vars close to script --- .github/actions/build-zui/action.yml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/.github/actions/build-zui/action.yml b/.github/actions/build-zui/action.yml index 63593b26fb..0793183991 100644 --- a/.github/actions/build-zui/action.yml +++ b/.github/actions/build-zui/action.yml @@ -71,13 +71,7 @@ runs: APPLE_ID_PASSWORD: ${{ inputs.apple_id_password }} APPLE_TEAM_ID: ${{ inputs.apple_team_id }} CODE_SIGN_SCRIPT_PATH: ${{ github.workspace }}/esigner-codesign/dist/index.js - INPUT_COMMAND: sign INPUT_FILE_PATH: ${{ steps.paths.outputs.artifact }} - INPUT_OVERRIDE: true - INPUT_MALWARE_BLOCK: false - INPUT_CLEAN_LOGS: false - INPUT_JVM_MAX_MEMORY: 1024M - INPUT_ENVIRONMENT_NAME: PROD INPUT_USERNAME: ${{ inputs.ssl_com_username }} INPUT_PASSWORD: ${{ inputs.ssl_com_password }} INPUT_TOTP_SECRET: ${{ inputs.ssl_com_totp_secret }} From 01422607d8cf7304fce970de5fc7aaf77a06c558 Mon Sep 17 00:00:00 2001 From: James Kerr Date: Mon, 22 Apr 2024 15:52:04 -0700 Subject: [PATCH 4/9] Switch back to .json --- apps/zui/electron-builder-insiders-config.json | 2 +- apps/zui/package.json | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/apps/zui/electron-builder-insiders-config.json b/apps/zui/electron-builder-insiders-config.json index 33e8d4a6cd..ee5f1993e3 100644 --- a/apps/zui/electron-builder-insiders-config.json +++ b/apps/zui/electron-builder-insiders-config.json @@ -1,5 +1,5 @@ { - "extends": "./electron-builder-config.js", + "extends": "./electron-builder-config.json", "appId": "io.brimdata.zui-insiders", "mac": { "icon": "build/insiders/icon.icns" diff --git a/apps/zui/package.json b/apps/zui/package.json index e8a8d2ec45..9882dd29b0 100644 --- a/apps/zui/package.json +++ b/apps/zui/package.json @@ -27,8 +27,8 @@ "tsc": "tsc", "postinstall": "node scripts/post-install", "prepare": "husky install", - "package-zui": "electron-builder --config electron-builder-config.js --publish never", - "release-zui": "electron-builder --config electron-builder-config.js", + "package-zui": "electron-builder --publish never", + "release-zui": "electron-builder", "package-insiders": "electron-builder --config electron-builder-insiders-config.js --publish never", "release-insiders": "electron-builder --config electron-builder-insiders-config.js --publish always" }, From dd2f7df36521d78e0be22e1db407383997b6bb28 Mon Sep 17 00:00:00 2001 From: James Kerr Date: Mon, 22 Apr 2024 16:05:09 -0700 Subject: [PATCH 5/9] Rename back to defaults --- ...lder-insiders-config.json => electron-builder-insiders.json} | 2 +- .../zui/{electron-builder-config.json => electron-builder.json} | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename apps/zui/{electron-builder-insiders-config.json => electron-builder-insiders.json} (82%) rename apps/zui/{electron-builder-config.json => electron-builder.json} (100%) diff --git a/apps/zui/electron-builder-insiders-config.json b/apps/zui/electron-builder-insiders.json similarity index 82% rename from apps/zui/electron-builder-insiders-config.json rename to apps/zui/electron-builder-insiders.json index ee5f1993e3..64cb835c5b 100644 
--- a/apps/zui/electron-builder-insiders-config.json +++ b/apps/zui/electron-builder-insiders.json @@ -1,5 +1,5 @@ { - "extends": "./electron-builder-config.json", + "extends": "./electron-builder.json", "appId": "io.brimdata.zui-insiders", "mac": { "icon": "build/insiders/icon.icns" diff --git a/apps/zui/electron-builder-config.json b/apps/zui/electron-builder.json similarity index 100% rename from apps/zui/electron-builder-config.json rename to apps/zui/electron-builder.json From adff6389069d726313b942173a5b3378989f1fa1 Mon Sep 17 00:00:00 2001 From: James Kerr Date: Mon, 22 Apr 2024 16:06:31 -0700 Subject: [PATCH 6/9] Remove useless if --- apps/zui/scripts/sign.js | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/apps/zui/scripts/sign.js b/apps/zui/scripts/sign.js index 611b2eccd0..02c721a763 100644 --- a/apps/zui/scripts/sign.js +++ b/apps/zui/scripts/sign.js @@ -34,8 +34,7 @@ function shouldSign(filePath) { if (filePath !== artifact.path) { console.log("Signing Skipped: path not in whitelist '", filePath, "'") return false - } - if (filePath === artifact.path) { + } else { console.log("Signing Started: '" + filePath + "'") return true } From 1efdf971da4f66db059672e18e6014b0bf3fd45c Mon Sep 17 00:00:00 2001 From: James Kerr Date: Mon, 22 Apr 2024 16:07:36 -0700 Subject: [PATCH 7/9] Use .json files --- apps/zui/package.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apps/zui/package.json b/apps/zui/package.json index 9882dd29b0..491ac00d71 100644 --- a/apps/zui/package.json +++ b/apps/zui/package.json 
@@ -29,8 +29,8 @@ "prepare": "husky install", "package-zui": "electron-builder --publish never", "release-zui": "electron-builder", - "package-insiders": "electron-builder --config electron-builder-insiders-config.js --publish never", - "release-insiders": "electron-builder --config electron-builder-insiders-config.js --publish always" + "package-insiders": "electron-builder --config electron-builder-insiders.json --publish never", + "release-insiders": "electron-builder --config electron-builder-insiders.json --publish always" }, "dependencies": { "keytar": "^7.7.0", From 19c01e3d52ca2f13d92fdf7315fa1b849e5a834a Mon Sep 17 00:00:00 2001 From: Phil Rzewski Date: Mon, 22 Apr 2024 17:04:47 -0700 Subject: [PATCH 8/9] Reference shell for getting artifacts path --- .github/actions/build-zui/action.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/actions/build-zui/action.yml b/.github/actions/build-zui/action.yml index 0793183991..60d06e9392 100644 --- a/.github/actions/build-zui/action.yml +++ b/.github/actions/build-zui/action.yml @@ -61,6 +61,7 @@ runs: - name: Expose the Artifact Path id: paths run: echo "artifact='$(yarn artifact-path)'" >> "$GITHUB_OUTPUT" + shell: bash - name: Build & Publish run: ${{ inputs.cmd }} From c048ce8b9d5fdcff43204b6f357acb9351800d2d Mon Sep 17 00:00:00 2001 From: Phil Rzewski Date: Mon, 22 Apr 2024 17:20:12 -0700 Subject: [PATCH 9/9] Drop quotes --- .github/actions/build-zui/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/build-zui/action.yml b/.github/actions/build-zui/action.yml index 60d06e9392..5cf895a8cc 100644 --- a/.github/actions/build-zui/action.yml +++ b/.github/actions/build-zui/action.yml @@ -60,7 +60,7 @@ runs: - name: Expose the Artifact Path id: paths - run: echo "artifact='$(yarn artifact-path)'" >> "$GITHUB_OUTPUT" + run: echo "artifact=$(yarn artifact-path)" >> "$GITHUB_OUTPUT" shell: bash - name: Build & Publish