CI/CD: Workflow to build and sign binary artifacts (#100)
* Adds a build workflow, edited build script and the pub key

* remove items from testing

* squashing

* removed testing options
Matte22 authored Mar 3, 2024
1 parent f08e187 commit f8a8be4
Showing 3 changed files with 131 additions and 6 deletions.
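--- a/.github/workflows/build-binary-artifacts.yml
+++ b/.github/workflows/build-binary-artifacts.yml
@@ -0,0 +1,74 @@
+name: Build and Sign Binary Artifacts
+on:
+release:
+types: [published]
+workflow_dispatch:
+push:
+branches:
+- main
+paths:
+- "lib/**"
+- "index.js"
+- "build.sh"
+- "nuwcdivnpt-bot.gpg.asc"
+- ".github/workflows/build-binary-artifacts.yml"
+jobs:
+build-binary-artifacts-and-sign:
+name: Build binary artifacts, sign, export
+runs-on: ubuntu-latest
+steps:
+- name: Check out the repo
+uses: actions/checkout@v3
+with:
+ref: main
+fetch-depth: 0
+
+- name: run build script
+id: run_build_script
+run: ./build.sh
+
+- name: Import GPG Key
+id: import_gpg
+run: |
+if ! echo "${{ secrets.WATCHER_PRIVATE_KEY }}" | gpg --import; then
+echo "::warning ::Private key GPG Import failed"
+exit 1
+fi
+- name: Get version from package.json
+id: package_version
+run: echo "PACKAGE_VERSION=$(jq -r '.version' package.json)" >> $GITHUB_ENV
+
+- name: Sign Artifacts
+id: sign_artifacts
+run: |
+if ! gpg --default-key [email protected] --armor --detach-sig ./dist/stigman-watcher-linux-${{ env.PACKAGE_VERSION }}.tar.gz; then
+echo "::warning ::Linux Signing failed"
+exit 1
+fi
+if ! gpg --default-key [email protected] --armor --detach-sig ./dist/stigman-watcher-win-${{ env.PACKAGE_VERSION }}.zip; then
+echo "::warning ::Windows Signing failed"
+exit 1
+fi
+- name: Verify Signatures
+id: verify_signatures
+working-directory: ./dist
+run: |
+if ! gpg --verify stigman-watcher-linux-${{ env.PACKAGE_VERSION }}.tar.gz.asc stigman-watcher-linux-${{ env.PACKAGE_VERSION }}.tar.gz; then
+echo "::warning ::Signature verification for Linux failed"
+exit 1
+fi
+if ! gpg --verify stigman-watcher-win-${{ env.PACKAGE_VERSION }}.zip.asc stigman-watcher-win-${{ env.PACKAGE_VERSION }}.zip; then
+echo "::warning ::Signature verification for Windows failed"
+exit 1
+fi
+- name: Upload Artifacts
+uses: actions/upload-artifact@v3
+if: always()
+with:
+name: binary-artifacts
+path: |
+./dist/
+if-no-files-found: error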
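Review bot: The signing key is imported in the same job that has just run `./build.sh`, which (per the build.sh section of this commit) runs `npm ci` and `npm install -g pkg`, so any dependency install script executes on the runner that then holds the private key; a separate signing job that only downloads the built archives would keep third-party build code away from the key. In the Import GPG Key step the secret is expanded into the script text, whereas passing it through the step's `env:` and piping `"$WATCHER_PRIVATE_KEY"` into `gpg --batch --import` keeps it out of the generated script, and `${{ env.PACKAGE_VERSION }}` in the sign and verify steps is already a shell variable and can be written `"$PACKAGE_VERSION"`. `ref: main` on the checkout step means a `release` run builds the tip of main rather than the published tag, so the signed archive may not correspond to the release. `if: always()` on the upload step publishes `./dist/` even when signing or verification failed; removing it keeps unsigned archives out of `binary-artifacts`. Pinning `actions/checkout@v3` and `actions/upload-artifact@v3` to full commit SHAs would also suit a job that handles a signing key.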
25 changes: 19 additions & 6 deletions build.sh
Expand Up @@ -6,10 +6,15 @@
# - jq
# - zip
# - tar
# - gpg, if you wish to produce detached signatures

keyring=stig-manager.gpg
signing_key="[email protected]"
check_exit_status() {
if [[ $? -eq 0 ]]; then
echo "[BUILD_TASK] $1 succeeded"
else
echo "[BUILD_TASK] $1 failed"
exit $2
fi
}

bin_dir=./bin
dist_dir=./dist
Expand All @@ -28,26 +33,34 @@ rm -rf $dist_dir/*
printf "[BUILD_TASK] Fetching node_modules\n"
rm -rf ./node_modules
npm ci
npm install -g pkg

# bundle
# Bundle
printf "[BUILD_TASK] Bundling\n"
npx esbuild index.js --bundle --platform=node --outfile=bundle.js
check_exit_status "Bundling" 1

# version=$(git describe --tags | sed 's/\(.*\)-.*/\1/')
#get version from package.json
version=$(jq -r .version package.json)
check_exit_status "Getting Version" 5
printf "\n[BUILD_TASK] Using version string: $version\n"

# Make binaries
printf "\n[BUILD_TASK] Building binaries in $bin_dir\n"
pkg -C gzip --public --public-packages=* --no-bytecode pkg.config.json
check_exit_status "Building Binaries" 2

# Windows archive
windows_archive=$dist_dir/stigman-watcher-win-$version.zip
printf "\n[BUILD_TASK] Creating $windows_archive\n"
zip --junk-paths $windows_archive ./dotenv-example $bin_dir/stigman-watcher-win.exe
[[ $1 == "--sign" ]] && gpg --keyring $keyring --default-key $signing_key --armor --detach-sig $windows_archive
check_exit_status "Zipping Windows Archive" 3

# Linux archive
linux_archive=$dist_dir/stigman-watcher-linux-$version.tar.gz
printf "\n[BUILD_TASK] Creating $linux_archive\n"
tar -czvf $linux_archive --xform='s|^|stigman-watcher/|S' -C . dotenv-example -C $bin_dir stigman-watcher-linuxstatic
[[ $1 == "--sign" ]] && gpg --keyring $keyring --default-key $signing_key --armor --detach-sig $linux_archive
check_exit_status "Tarring linux Archive" 4

printf "\n[BUILD_TASK] Done\n"
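Review bot: `npm install -g pkg` in the second hunk fetches whatever version of the packager is current at build time, outside the lockfile that `npm ci` enforces, and the binaries it produces are then signed; pinning it (`npm install -g pkg@<PINNED_VERSION>`, placeholder) or adding it to devDependencies and calling `npx pkg` would keep the toolchain reproducible. Neither `npm ci` nor that install is followed by `check_exit_status`, so a failed install is only caught indirectly by a later step. `check_exit_status` reads `$?`, so it is only correct while it sits on the line directly after the command it checks; a comment on the function such as `# Must be called immediately after the command being checked: reads $?` would make that explicit. `jq -r .version` prints `null` and exits 0 when the field is missing, so the "Getting Version" check passes with a bogus archive name, whereas `version=$(jq -er .version package.json)` would fail instead. The top of the script lies outside both hunks.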
38 changes: 38 additions & 0 deletions nuwcdivnpt-bot.gpg.asc
@@ -0,0 +1,38 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
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=b4ti
-----END PGP PUBLIC KEY BLOCK-----
