From f8a8be4e528c0916471c885e2a15e13b34c1ab94 Mon Sep 17 00:00:00 2001 From: Mathew <77069472+Matte22@users.noreply.github.com> Date: Sun, 3 Mar 2024 17:19:48 -0500 Subject: [PATCH] CI/CD: Workflow to build and sign binary artifacts (#100) * Adds a build workflow, edited build script and the pub key * remove items from tesitng * squashing * removed testing options --- .github/workflows/build-binary-artifacts.yml | 74 ++++++++++++++++++++ build.sh | 25 +++++-- nuwcdivnpt-bot.gpg.asc | 38 ++++++++++ 3 files changed, 131 insertions(+), 6 deletions(-) create mode 100644 .github/workflows/build-binary-artifacts.yml create mode 100644 nuwcdivnpt-bot.gpg.asc diff --git a/.github/workflows/build-binary-artifacts.yml b/.github/workflows/build-binary-artifacts.yml new file mode 100644 index 0000000..3b5a1c0 --- /dev/null +++ b/.github/workflows/build-binary-artifacts.yml 
@@ -0,0 +1,74 @@ +name: Build and Sign Binary Artifacts +on: + release: + types: [published] + workflow_dispatch: + push: + branches: + - main + paths: + - "lib/**" + - "index.js" + - "build.sh" + - "nuwcdivnpt-bot.gpg.asc" + - ".github/workflows/build-binary-artifacts.yml" +jobs: + build-binary-artifacts-and-sign: + name: Build binary artifacts, sign, export + runs-on: ubuntu-latest + steps: + - name: Check out the repo + uses: actions/checkout@v3 + with: + ref: main + fetch-depth: 0 + + - name: run build script + id: run_build_script + run: ./build.sh + + - name: Import GPG Key + id: import_gpg + run: | + if ! echo "${{ secrets.WATCHER_PRIVATE_KEY }}" | gpg --import; then + echo "::warning ::Private key GPG Import failed" + exit 1 + fi + + - name: Get version from package.json + id: package_version + run: echo "PACKAGE_VERSION=$(jq -r '.version' package.json)" >> $GITHUB_ENV + + - name: Sign Artifacts + id: sign_artifacts + run: | + if ! gpg --default-key nuwcdivnpt-bot@users.noreply.github.com --armor --detach-sig ./dist/stigman-watcher-linux-${{ env.PACKAGE_VERSION }}.tar.gz; then + echo "::warning ::Linux Signing failed" + exit 1 + fi + if ! gpg --default-key nuwcdivnpt-bot@users.noreply.github.com --armor --detach-sig ./dist/stigman-watcher-win-${{ env.PACKAGE_VERSION }}.zip; then + echo "::warning ::Windows Signing failed" + exit 1 + fi + + - name: Verify Signatures + id: verify_signatures + working-directory: ./dist + run: | + if ! gpg --verify stigman-watcher-linux-${{ env.PACKAGE_VERSION }}.tar.gz.asc stigman-watcher-linux-${{ env.PACKAGE_VERSION }}.tar.gz; then + echo "::warning ::Signature verification for Linux failed" + exit 1 + fi + if ! 
gpg --verify stigman-watcher-win-${{ env.PACKAGE_VERSION }}.zip.asc stigman-watcher-win-${{ env.PACKAGE_VERSION }}.zip; then + echo "::warning ::Signature verification for Windows failed" + exit 1 + fi + + - name: Upload Artifacts + uses: actions/upload-artifact@v3 + if: always() + with: + name: binary-artifacts + path: | + ./dist/ + if-no-files-found: error \ No newline at end of file diff --git a/build.sh b/build.sh index 59a48a2..c51404b 100755 --- a/build.sh +++ b/build.sh @@ -6,10 +6,15 @@ # - jq # - zip # - tar -# - gpg, if you wish to produce detached signatures -keyring=stig-manager.gpg -signing_key="nuwcdivnpt-bot@users.noreply.github.com" +check_exit_status() { + if [[ $? -eq 0 ]]; then + echo "[BUILD_TASK] $1 succeeded" + else + echo "[BUILD_TASK] $1 failed" + exit $2 + fi +} bin_dir=./bin dist_dir=./dist 
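Review bot: The Verify Signatures step checks the `.asc` files against the same default keyring that the Import GPG Key step just loaded the private key into, so it can only fail if gpg itself is broken and it never proves that the committed `nuwcdivnpt-bot.gpg.asc` actually corresponds to `secrets.WATCHER_PRIVATE_KEY`; verify with an isolated keyring built only from the public key in the repo, as sketched below. The Upload Artifacts step runs with `if: always()`, so a failed sign or verify step still publishes the unsigned `dist/` contents under the same `binary-artifacts` name — change it to `if: success()` or drop the condition. `actions/checkout` is pinned to `ref: main` even on `release: published`, so a release event signs whatever is on main at that moment rather than the tagged commit; leave `ref` unset so the event's own commit is checked out. The private key is spliced into the shell script by expression interpolation; pass it through `env:` instead (`env: { GPG_PRIVATE_KEY: ${{ secrets.WATCHER_PRIVATE_KEY }} }` then `printf '%s\n' "$GPG_PRIVATE_KEY" | gpg --batch --import`) so it never lands in the generated script. For a signing workflow both actions should also be pinned to full commit SHAs rather than the mutable `@v3` tags, and a top-level `permissions: { contents: read }` would drop the default token scope to what the job needs.

```yaml
      # … unchanged: name/on/jobs header, checkout, build, import, version and sign steps …
      - name: Verify Signatures
        id: verify_signatures
        working-directory: ./dist
        run: |
          # Throwaway keyring holding only the committed public key, so the check
          # fails if the private key in secrets does not match the published key.
          gpg --no-default-keyring --keyring ./verify.kbx --import ../nuwcdivnpt-bot.gpg.asc
          for f in stigman-watcher-linux-${{ env.PACKAGE_VERSION }}.tar.gz stigman-watcher-win-${{ env.PACKAGE_VERSION }}.zip; do
            if ! gpg --no-default-keyring --keyring ./verify.kbx --verify "$f.asc" "$f"; then
              echo "::warning ::Signature verification for $f failed"
              exit 1
            fi
          done
      # … unchanged: Upload Artifacts step (with if: success()) …
```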
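Review bot: `check_exit_status` exits with `$2` verbatim, so a caller that omits the code (or passes an empty one) runs a bare `exit`, which returns the status of the last command — the preceding `echo`, i.e. 0 — and the build prints "failed" yet succeeds. Default the code instead: `exit "${2:-1}"`. The `[[ $? -eq 0 ]]` test is only correct because nothing runs between the checked command and the call, so a header comment such as `# Must be called immediately after the command it checks; $1 = task name, $2 = exit code on failure (default 1)` would keep future callers from inserting a statement in between.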
@@ -28,26 +33,34 @@ rm -rf $dist_dir/* printf "[BUILD_TASK] Fetching node_modules\n" rm -rf ./node_modules npm ci +npm install -g pkg -# bundle +# Bundle +printf "[BUILD_TASK] Bundling\n" npx esbuild index.js --bundle --platform=node --outfile=bundle.js +check_exit_status "Bundling" 1 # version=$(git describe --tags | sed 's/\(.*\)-.*/\1/') +#get version from package.json version=$(jq -r .version package.json) +check_exit_status "Getting Version" 5 printf "\n[BUILD_TASK] Using version string: $version\n" # Make binaries printf "\n[BUILD_TASK] Building binaries in $bin_dir\n" pkg -C gzip --public --public-packages=* --no-bytecode pkg.config.json +check_exit_status "Building Binaries" 2 + # Windows archive windows_archive=$dist_dir/stigman-watcher-win-$version.zip printf "\n[BUILD_TASK] Creating $windows_archive\n" zip --junk-paths $windows_archive ./dotenv-example $bin_dir/stigman-watcher-win.exe -[[ $1 == "--sign" ]] && gpg --keyring $keyring --default-key $signing_key --armor --detach-sig $windows_archive +check_exit_status "Zipping Windows Archive" 3 + # Linux archive linux_archive=$dist_dir/stigman-watcher-linux-$version.tar.gz printf "\n[BUILD_TASK] Creating $linux_archive\n" tar -czvf $linux_archive --xform='s|^|stigman-watcher/|S' -C . dotenv-example -C $bin_dir stigman-watcher-linuxstatic -[[ $1 == "--sign" ]] && gpg --keyring $keyring --default-key $signing_key --armor --detach-sig $linux_archive +check_exit_status "Tarring linux Archive" 4 printf "\n[BUILD_TASK] Done\n" diff --git a/nuwcdivnpt-bot.gpg.asc b/nuwcdivnpt-bot.gpg.asc new file mode 100644 index 0000000..7f52790 --- /dev/null +++ b/nuwcdivnpt-bot.gpg.asc 
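Review bot: `npm install -g pkg` pulls whatever version of the packager is current on the registry at run time, so the binaries this script produces — and that the workflow then signs — depend on an unpinned build tool; pin it (`npm install -g pkg@<version>`) or, better, add `pkg` as a devDependency so `npm ci` installs the lockfile-pinned version and the global install goes away. Neither `npm ci` nor the global install is followed by a `check_exit_status` call, unlike every later step, so a failed dependency install falls through to `npx esbuild`; add `check_exit_status "Fetching node_modules" 6` after `npm ci` and `check_exit_status "Installing pkg" 7` after the install. `jq -r .version package.json` prints `null` and exits 0 when the field is missing, so the "Getting Version" check will not catch it; a guard like `[[ $version != null && -n $version ]] || { echo "[BUILD_TASK] No version in package.json"; exit 5; }` closes that gap.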
@@ -0,0 +1,38 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQENBGXcsB0BCADIpexQoymA+0AGb9ojtisErQ5cp+xWv3SlPd5kOhuCpbhRhTnB +yQMBr50jqpPZeDtV80V9zyrGg+yLy4MdWM0sBIaW9ixDYeOShRei/GKHVrKxvJI7 +YQLZhkng4LqQLgI1AimEzBm5roqfrDQoEnvsj8PbD3iXj7kPrPoUeqZ/3DIVIvKw +DtwfiWb7ycWJjjWe9g9F6T4YLbAidNVwo8QAnGrr7YFKtqhKYpjkK8ZHIDArpzVU +kqTeFJpkC9MchTLmYMLdgjfJAV/NcA7NA+8pUC+jIoT7oLkMgw47iH6ifjarw2+w +HUGuOrhpBF9WCW9OUlJmknjUQEeJeUYn5bXjABEBAAG0Xm51d2NkaXZucHQtYm90 +QHVzZXJzLm5vcmVwbHkuZ2l0aHViLmNvbSAoU3RpZ21hbktleSkgPG51d2NkaXZu +cHQtYm90QHVzZXJzLm5vcmVwbHkuZ2l0aHViLmNvbT6JAVQEEwEKAD4WIQRR1CQf +lX8LfXypLo8UO6ovUu6kagUCZdywHQIbLwUJEswDAAULCQgHAgYVCgkICwIEFgID +AQIeAQIXgAAKCRAUO6ovUu6kagZXB/oDogvKYf5vDc8Cu2mrvtGbKO2VXDeLHQJ4 +N1X/ZK/Lr4RTZFYDqHJPiqJYlhg58sR+EDsy2HWI3Qxpk7C65SrEF0CwEfNbcHtH +71g7KwHrgDEJw46yCmrt61pjAXVCeokVDPpUozYFoZoCRUHPpWDKEhcR2sizhOeh +0HCOcV2yq308IZKzemAaJU9sAKcjHNB7RQkNbLl50/awINQY0F2kFCUItI8GQ9JA +1+belDh0x5r2dQWCT4O2IIJjUhnKdoMovtp2TlU/ynpKKt781CKF7L548r35eaSM +KRvO2kdsvFuvYe3372kkpkT8edEtxduJnqzZMWyINV43mtCk1GV/uQENBGXcsB0B +CADJtfxgwXWBt3XY0s5iBKPFZFkYEgBKrFJF5YHJV2o8P6+AWIg03KynoJg0yf0h +006tTegUYi53NJpUACUtkRRaDAy4g3xV4bLfK+aN50GWGqIdlIeFeaq93RYLgwL3 +GTB/msHoA6CTlQSrSIpjxeqifBPKcklq540AVR4aenntqEjHjpxEjkfzeB0nM1kA +u/4H9N8/B8FM4PqOzF5YlTaTK/UtCJU6TqMTTAg0VMlZjRRItjUUt3Oq+4bOakeX +F+JUiOaYaaYO2OJGiLm9HMuaRSiZGaothkZ/C5LgtkDqIGVcCMgYH0L4l+14IaVJ +iu60rX9Yhca0OOa9gqbR4VQLABEBAAGJAnIEGAEKACYWIQRR1CQflX8LfXypLo8U +O6ovUu6kagUCZdywHQIbLgUJEswDAAFACRAUO6ovUu6kasB0IAQZAQoAHRYhBHS9 +Eu1c1I822bsN1VTlnNMfBHn8BQJl3LAdAAoJEFTlnNMfBHn8fAgH/RBVKMde+uEt +18c9gYXLInBu1qvzFIbYpH2hUHXSZcvdaj5AH7i6OF2Ix0jQiaFrnY14FawQkofp +Kd2uYjgyqbdKqn+wTwQhFGgyy5PQBuoLyKmlLXJgIHdsjsmMckDG6R6cA7du4IZx +AUCYsJEoAcnQXuP/XRXDiu8ODpOkMtqnmUn74gDtTALQ5j9mMwVrm7TfT0lFsjj5 +W8I2SqZS4YQWKIfdbtUmqHWrzWwVYbzBBkK34YkaFdHd7YpLFSpGUJRgkQfPCu2U +cuO1Tn25VaYaw8xTstk5ul/3sPyuGvbaJnvFBtt+xQgQo6H0+aAbhDDxzxrhtUTg +0MPOw657viZijwf/Vgj1WfpXCxY6v3B4Qghg3dOgsQDAinrWM9xaYueT9bkBWjnD 
+fZ4Z3iNfUipLFDwJ2XeRBz5MQGwK3d5N11xDMXnYO6IH5m0+0vSLmh12hWQYdGAa +pedI3qbKsZ4/UQfG8ZfKyeBUunZDWNTbR61rFKi+ZNb4W4vF5pVX4kLIIzcJpqa7 +8+cUWuD5jUKJt9fZ0cEUlLmZqJ7jsseHE81L2sULIo74p2xgGX1kGpNw5/oyyHRf +/Rf7n9Wqs21lvHK4cqIpmTTUxkEOVomoB7LWlrqhUNMEPmnJes5oWkfN/t1euy8o +OJ/jXthJZVWrxBzZtOmsDMQmJNhTXhgTxlEzvQ== +=b4ti +-----END PGP PUBLIC KEY BLOCK-----