fix: unblock alpha release without windows cert
This commit is contained in:
41
.github/workflows/release-build-artifacts.yml
vendored
41
.github/workflows/release-build-artifacts.yml
vendored
@@ -13,6 +13,10 @@ on:
|
||||
upload_macos_dmg:
|
||||
required: true
|
||||
type: boolean
|
||||
require_windows_authenticode:
|
||||
required: false
|
||||
type: boolean
|
||||
default: true
|
||||
|
||||
env:
|
||||
# Bump this when Tauri/Rust target artifacts capture stale absolute paths.
|
||||
@@ -412,6 +416,7 @@ jobs:
|
||||
(Get-Content "src-tauri/Cargo.toml") -replace '^version = ".*"$', "version = `"$version`"" | Set-Content "src-tauri/Cargo.toml"
|
||||
|
||||
- name: Validate Windows release env
|
||||
id: windows-signing
|
||||
shell: bash
|
||||
env:
|
||||
TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
|
||||
@@ -420,6 +425,7 @@ jobs:
|
||||
WINDOWS_CODE_SIGNING_CERTIFICATE_PASSWORD: ${{ secrets.WINDOWS_CODE_SIGNING_CERTIFICATE_PASSWORD }}
|
||||
WINDOWS_CERTIFICATE: ${{ secrets.WINDOWS_CERTIFICATE }}
|
||||
WINDOWS_CERTIFICATE_PASSWORD: ${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }}
|
||||
REQUIRE_WINDOWS_AUTHENTICODE: ${{ inputs.require_windows_authenticode }}
|
||||
run: |
|
||||
for name in TAURI_SIGNING_PRIVATE_KEY TAURI_KEY_PASSWORD; do
|
||||
if [ -z "${!name}" ]; then
|
||||
@@ -427,16 +433,33 @@ jobs:
|
||||
exit 1
|
||||
fi
|
||||
done
|
||||
if [ -z "$WINDOWS_CODE_SIGNING_CERTIFICATE" ] && [ -z "$WINDOWS_CERTIFICATE" ]; then
|
||||
echo "::error::WINDOWS_CODE_SIGNING_CERTIFICATE or WINDOWS_CERTIFICATE is required to Authenticode-sign Windows installers."
|
||||
exit 1
|
||||
|
||||
has_certificate=false
|
||||
has_password=false
|
||||
if [ -n "$WINDOWS_CODE_SIGNING_CERTIFICATE" ] || [ -n "$WINDOWS_CERTIFICATE" ]; then
|
||||
has_certificate=true
|
||||
fi
|
||||
if [ -z "$WINDOWS_CODE_SIGNING_CERTIFICATE_PASSWORD" ] && [ -z "$WINDOWS_CERTIFICATE_PASSWORD" ]; then
|
||||
echo "::error::WINDOWS_CODE_SIGNING_CERTIFICATE_PASSWORD or WINDOWS_CERTIFICATE_PASSWORD is required to import the Windows signing certificate."
|
||||
if [ -n "$WINDOWS_CODE_SIGNING_CERTIFICATE_PASSWORD" ] || [ -n "$WINDOWS_CERTIFICATE_PASSWORD" ]; then
|
||||
has_password=true
|
||||
fi
|
||||
|
||||
if [ "$has_certificate" != "$has_password" ]; then
|
||||
echo "::error::Windows Authenticode signing is partially configured. Set both certificate and password secrets, or remove both for unsigned alpha Windows artifacts."
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ "$has_certificate" = "true" ]; then
|
||||
echo "authenticode_available=true" >> "$GITHUB_OUTPUT"
|
||||
elif [ "$REQUIRE_WINDOWS_AUTHENTICODE" = "true" ]; then
|
||||
echo "::error::WINDOWS_CODE_SIGNING_CERTIFICATE or WINDOWS_CERTIFICATE is required to Authenticode-sign Windows installers."
|
||||
exit 1
|
||||
else
|
||||
echo "::warning::Windows Authenticode certificate secrets are not configured. Building alpha Windows artifacts without Authenticode signatures; Tauri updater signatures are still required."
|
||||
echo "authenticode_available=false" >> "$GITHUB_OUTPUT"
|
||||
fi
|
||||
|
||||
- name: Prepare Windows Authenticode signing
|
||||
if: ${{ steps.windows-signing.outputs.authenticode_available == 'true' }}
|
||||
shell: pwsh
|
||||
env:
|
||||
WINDOWS_CODE_SIGNING_CERTIFICATE: ${{ secrets.WINDOWS_CODE_SIGNING_CERTIFICATE }}
|
||||
@@ -450,6 +473,7 @@ jobs:
|
||||
run: ./.github/scripts/configure-windows-authenticode.ps1
|
||||
|
||||
- name: Build Tauri app (Windows bundles)
|
||||
shell: pwsh
|
||||
env:
|
||||
TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
|
||||
TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_KEY_PASSWORD }}
|
||||
@@ -459,9 +483,14 @@ jobs:
|
||||
VITE_POSTHOG_KEY: ${{ secrets.VITE_POSTHOG_KEY }}
|
||||
VITE_POSTHOG_HOST: ${{ secrets.VITE_POSTHOG_HOST }}
|
||||
run: |
|
||||
pnpm tauri build --target x86_64-pc-windows-msvc --bundles nsis --config src-tauri/tauri.windows-signing.conf.json
|
||||
if ("${{ steps.windows-signing.outputs.authenticode_available }}" -eq "true") {
|
||||
pnpm tauri build --target x86_64-pc-windows-msvc --bundles nsis --config src-tauri/tauri.windows-signing.conf.json
|
||||
} else {
|
||||
pnpm tauri build --target x86_64-pc-windows-msvc --bundles nsis
|
||||
}
|
||||
|
||||
- name: Validate Windows Authenticode signatures
|
||||
if: ${{ steps.windows-signing.outputs.authenticode_available == 'true' }}
|
||||
shell: pwsh
|
||||
run: |
|
||||
$expectedThumbprint = $env:WINDOWS_CODE_SIGNING_CERTIFICATE_THUMBPRINT
|
||||
|
||||
1
.github/workflows/release-stable.yml
vendored
1
.github/workflows/release-stable.yml
vendored
@@ -67,6 +67,7 @@ jobs:
|
||||
version: ${{ needs.version.outputs.version }}
|
||||
macos_bundles: ""
|
||||
upload_macos_dmg: true
|
||||
require_windows_authenticode: true
|
||||
secrets: inherit
|
||||
|
||||
# ─────────────────────────────────────────────────────────────
|
||||
|
||||
2
.github/workflows/release.yml
vendored
2
.github/workflows/release.yml
vendored
@@ -8,7 +8,6 @@ on:
|
||||
- ".husky/**"
|
||||
- ".github/workflows/deploy-docs.yml"
|
||||
- ".github/workflows/release.yml"
|
||||
- ".github/workflows/release-build-artifacts.yml"
|
||||
- "site/**"
|
||||
|
||||
concurrency:
|
||||
@@ -128,6 +127,7 @@ jobs:
|
||||
version: ${{ needs.version.outputs.version }}
|
||||
macos_bundles: app
|
||||
upload_macos_dmg: false
|
||||
require_windows_authenticode: false
|
||||
secrets: inherit
|
||||
|
||||
# ─────────────────────────────────────────────────────────────
|
||||
|
||||
Reference in New Issue
Block a user