chore: Add signing in GHA #25
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build/release | |
| on: | |
| push: | |
| branches: | |
| - master | |
| workflow_dispatch: | |
| jobs: | |
| release: | |
| runs-on: ${{ matrix.os }} | |
| strategy: | |
| # don't quit checking one OS just because another failed | |
| fail-fast: false | |
| matrix: | |
| os: [windows-latest] | |
| steps: | |
| - name: Check out Git repository | |
| uses: actions/checkout@v4 | |
| - name: Install Node.js, NPM and Yarn | |
| uses: actions/setup-node@v4 | |
| # remember to keep this in sync with package.json's volta->node setting | |
| with: | |
| node-version: 20 | |
| cache: "yarn" # I always get 'yarn cache is not found' but ah well | |
| - name: Build/release Electron app | |
| # Let's only do this if the commit is tagged with a version | |
| #if: startsWith(github.ref, 'refs/tags/v') | |
| uses: coparse-inc/[email protected] | |
| with: | |
| # GitHub token, automatically provided to the action | |
| # (No need to define this secret in the repo settings) | |
| github_token: ${{ secrets.github_token }} | |
| # If the commit is tagged with a version (e.g. "v1.0.0"), | |
| # release the app after building | |
| release: true # ${{ startsWith(github.ref, 'refs/tags/v') }} | |
| env: | |
| in_github_action: "true" | |
| sign-installer: | |
| runs-on: windows-latest | |
| steps: | |
| - name: Sign installer | |
| if: startsWith(github.ref, 'refs/tags/v') | |
| uses: sillsdev/codesign/.github/workflows/[email protected] | |
| with: | |
| path: BloomPub*.exe | |
| description: BloomPUB Viewer installer | |
| secrets: | |
| certificate: ${{ secrets.CODESIGN_LSDEVSECTIGOEV }} | |
| - name: Confirm signature | |
| uses: sillsdev/codesign/[email protected] | |
| with: | |
| path: BloomPub*.exe |