From c1e81f342c0f2b37c6422e8035b87d1898a2b5e4 Mon Sep 17 00:00:00 2001
From: Sean Boult <996134+Hacksore@users.noreply.github.com>
Date: Wed, 22 Nov 2023 16:20:18 -0600
Subject: [PATCH] Here we go?
---
 .github/workflows/release.yaml | 17 +++----
 scripts/actions/create-release.js | 6 +--
 .../download-draft-bins.js} | 42 ++++-----------
 scripts/sandbox/test.ts | 51 -------------------
 scripts/sign/constants.ts | 27 ----------
 scripts/sign/index.ts | 23 ---------
 scripts/sign/mac.ts | 39 --------------
 scripts/sign/windows.ts | 48 -----------------
 8 files changed, 20 insertions(+), 233 deletions(-)
 rename scripts/{download-draft-bins.ts => actions/download-draft-bins.js} (56%)
 delete mode 100644 scripts/sandbox/test.ts
 delete mode 100644 scripts/sign/constants.ts
 delete mode 100644 scripts/sign/index.ts
 delete mode 100644 scripts/sign/mac.ts
 delete mode 100644 scripts/sign/windows.ts
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index f0bf53c0..b1b11c52 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -86,13 +86,13 @@ jobs:
 - uses: pnpm/action-setup@v2
 with:
 version: 8
- - name: install frontend dependencies
- run: pnpm install --filter ./
- - name: Download bins
- # TODO: convert this to github script?
- run: npx tsx scripts/download-draft-bins.ts ${{ needs.create-release.outputs.release_id }}
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - name: Download draft binaries
+ uses: actions/github-script@v7
+ with:
+ script: |
+ const { script } = await import('${{ github.workspace }}/scripts/actions/download-draft-bins.js')
+ const id = "${{ needs.create-release.outputs.release_id }}";
+ await script({ github, context }, id);
 - name: Presign
 run: |
 ls -hal binaries
@@ -115,8 +115,7 @@ jobs:
 run: |
 ls -hal binaries/signed
 sha1sum binaries/signed/*
- - name: Create release or skip
- id: create-release
+ - name: Sign && upload windows binaries
 uses: actions/github-script@v7
 with:
 script: |
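Review bot: The `script:` body of the new "Download draft binaries" step splices `${{ needs.create-release.outputs.release_id }}` and `${{ github.workspace }}` directly into JavaScript source, so the expanded text is parsed as code instead of being handed over as data. The release id comes from an earlier job's output, which keeps the exposure small, but the pattern is the one GitHub's workflow-hardening guidance asks to avoid. Pass the value through the step environment instead: add `env:` with `RELEASE_ID: ${{ needs.create-release.outputs.release_id }}` and read it with `const id = process.env.RELEASE_ID;`. The import path can be built from `process.env.GITHUB_WORKSPACE` in the same way.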
diff --git a/scripts/actions/create-release.js b/scripts/actions/create-release.js
index a1443a59..45f03e77 100644
--- a/scripts/actions/create-release.js
+++ b/scripts/actions/create-release.js
@@ -1,10 +1,8 @@
-// TODO: can we type this?
-
 /** @param {import('@types/github-script').AsyncFunctionArguments} AsyncFunctionArguments */
 export const script = async ({ context, github }) => {
 const { data: listReleases } = await github.rest.repos.listReleases({
- owner: "Hacksore",
- repo: "overlayed",
+ owner: context.repo.owner,
+ repo: context.repo.repo,
 });
 const [release] = listReleases;
diff --git a/scripts/download-draft-bins.ts b/scripts/actions/download-draft-bins.js
similarity index 56%
rename from scripts/download-draft-bins.ts
rename to scripts/actions/download-draft-bins.js
index bd5a65fb..54089c7f 100644
--- a/scripts/download-draft-bins.ts
+++ b/scripts/actions/download-draft-bins.js
@@ -1,17 +1,6 @@
-// local testing:
-// op run --env-file .env -- npx tsx scripts/download-draft-bins.ts 131013514
-import fs from "node:fs";
+import fs from "fs";
-import { Readable } from "stream";
-import { finished } from "stream/promises";
-
-const { GITHUB_TOKEN } = process.env;
-
-if(!GITHUB_TOKEN) {
- throw new Error("GITHUB_TOKEN not set")
-}
-
-async function downloadFile(url: string, filepath = "./download") {
+async function downloadFile(url, filepath = "./download") {
 const response = await fetch(url, {
 headers: {
 Accept: "application/octet-stream",
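Review bot: `downloadFile` keeps its raw `fetch(url, { headers: … })` call, while the `GITHUB_TOKEN` binding and the `Readable` / `finished` imports it was written against are deleted just above it. The rest of its body is outside this hunk, so confirm those lines no longer reference any of the three names; if they do, the first download throws a ReferenceError. Draft-release assets are not publicly readable, so the request still needs credentials, and the workflow step no longer exports a token. Routing the download through the authenticated client already passed to `script`, for example `github.rest.repos.getReleaseAsset({ owner, repo, asset_id: asset.id, headers: { accept: "application/octet-stream" } })`, would keep token handling out of this file.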
@@ -25,27 +14,19 @@ async function downloadFile(url: string, filepath = "./download") {
 }
 const BINARIES_DIR = "binaries";
-const main = async () => {
- // get first param to script
- const id = process.argv[2];
- if (!id) {
- throw new Error("🚫 No release id provided");
- }
+/** @param {import('@types/github-script').AsyncFunctionArguments} AsyncFunctionArguments */
+/** @param id {String} */
+export const script = async ({ context, github }, id) => {
 console.log(`📦 downloading release artifacts for ${id}`);
 try {
- const draftData = await fetch(
- `https://api.github.com/repos/Hacksore/overlayed/releases/${id}`,
- {
- headers: {
- Accept: "application/vnd.github+json",
- Authorization: `token ${GITHUB_TOKEN}`,
- "X-GitHub-Api-Version": "2022-11-28",
- },
- },
- ).then((res) => res.json());
+ const { data: draftData } = await github.rest.repos.getRelease({
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ release_id: id,
+ });
 console.log(draftData);
@@ -58,7 +39,6 @@ const main = async () => {
 }
 for (const asset of assets) {
- const url = asset.browser_download_url;
 const filename = asset.name;
 // skip non windows bins
 if (![".msi", ".exe"].some((ext) => filename.endsWith(ext))) {
@@ -76,5 +56,3 @@ const main = async () => {
 console.log(err);
 }
 };
-
-main();
diff --git a/scripts/sandbox/test.ts b/scripts/sandbox/test.ts
deleted file mode 100644
index 0461f6d8..00000000
--- a/scripts/sandbox/test.ts
+++ /dev/null
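Review bot: A failure inside the exported `script` never reaches the workflow. The `try` opened in this hunk ends in a `catch` that only runs `console.log(err)` (visible as context in the last hunk of this file; the body between is outside the hunk), so the awaited call resolves and the "Download draft binaries" step passes even when `getRelease` or a download failed. Because the following steps sign and upload whatever is in `binaries`, this step should fail closed: add `throw err;` after the log, or drop the `try`/`catch` so the rejection propagates to github-script. Separately, the two stacked JSDoc blocks should be merged into one with `@param {string} id`, since only the comment directly above the declaration is attached to it.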
@@ -1,51 +0,0 @@
-import { getOctokit } from "@actions/github";
-import fs from "node:fs";
-
-const { GITHUB_TOKEN } = process.env;
-if (!GITHUB_TOKEN) {
- throw new Error("GITHUB_TOKEN not set");
-}
-
-const releaseId = 131045109;
-const github = getOctokit(GITHUB_TOKEN);
-
-// read all files from the binariees dir
-const files = fs.readdirSync("./binaries");
-
-const { data } = await github.rest.repos.listReleases({
- owner: "Hacksore",
- repo: "overlayed",
-});
-
-const [latestRelease] = data;
-
-for (const asset of latestRelease?.assets ?? []) {
- // skip if the asset doesnt end with msi or exe
- if (![".msi", ".exe"].some((ext) => asset.name.endsWith(ext))) {
- continue;
- }
-
- console.log("deleting asset", asset.name, asset.id);
- await github.rest.repos.deleteReleaseAsset({
- owner: "Hacksore",
- repo: "overlayed",
- release_id: releaseId,
- asset_id: asset.id,
- });
-}
-
-for (const file of files) {
- const filePath = `./binaries/${file}`;
- const fileData = fs.readFileSync(filePath);
-
- const { data: uploadResponse } = await github.rest.repos.uploadReleaseAsset({
- owner: "Hacksore",
- repo: "overlayed",
- release_id: releaseId,
- // @ts-ignore
- data: fileData,
- name: file,
- });
-
- console.log(uploadResponse);
-}
diff --git a/scripts/sign/constants.ts b/scripts/sign/constants.ts
deleted file mode 100644
index da82c690..00000000
--- a/scripts/sign/constants.ts
+++ /dev/null
@@ -1,27 +0,0 @@
-// the base path of the tauri build
-export const BASE_PATH = "apps/desktop/src-tauri";
-
-type BinType = {
- bin: string;
- bundle: string;
- target: string;
-};
-
-export type AllowedPlatforms = "darwin" | "win32" | "linux";
-export const BINS: Record = {
- darwin: {
- bin: "overlayed.app",
- bundle: "macos",
- target: "aarch64-apple-darwin",
- },
- win32: {
- bin: "overlayed_*.exe",
- bundle: "nsis",
- target: "x86_64-pc-windows-msvc",
- },
- linux: {
- bin: "overlayed",
- bundle: "deb",
- target: "x86_64-unknown-linux-gnu",
- },
-} as const;
diff --git a/scripts/sign/index.ts b/scripts/sign/index.ts
deleted file mode 100644
index d959e80e..00000000
--- a/scripts/sign/index.ts
+++ /dev/null
@@ -1,23 +0,0 @@
-import { notarizeMacBinary, signMacBinary, zipMacBinary } from "./mac";
-import { signWindowsBinary } from "./windows";
-
-const main = async () => {
- // we don't need to sign linux binaries
- if (process.platform === "linux") return;
-
- console.log("🚀 Begin signing binaries");
-
- if (process.platform === "win32") {
- await signWindowsBinary();
- }
-
- if (process.platform === "darwin") {
- signMacBinary();
- zipMacBinary();
- notarizeMacBinary();
- }
-
- console.log("✅ Signing completed");
-};
-
-main();
diff --git a/scripts/sign/mac.ts b/scripts/sign/mac.ts
deleted file mode 100644
index 9fac8e25..00000000
--- a/scripts/sign/mac.ts
+++ /dev/null
@@ -1,39 +0,0 @@
-import { execSync } from "node:child_process";
-import { BASE_PATH, BINS } from "./constants";
-
-const { APPLE_ID, APPLE_TEAM_ID, APPLE_PASSWORD, APPLE_SIGNING_IDENTITY } =
- process.env;
-
-const { bundle } = BINS.darwin;
-const appBasePath = `${BASE_PATH}/target/universal-apple-darwin/release/bundle/${bundle}`;
-const zipPath = `${appBasePath}/overlayed.zip`;
-const appPath = `${appBasePath}/overlayed.app`;
-
-export const signMacBinary = () => {
- console.log("Signing mac binary", appPath);
-
- execSync(
- `/usr/bin/codesign --force -s "${APPLE_SIGNING_IDENTITY}" --options=runtime --deep ${appPath} -v`,
- { stdio: "inherit" },
- );
-};
-
-export const zipMacBinary = () => {
- console.log("Zipping mac binary", zipPath);
-
- execSync(`zip -r ${zipPath} ${appBasePath}`, { stdio: "inherit" });
-};
-
-export const notarizeMacBinary = () => {
- console.log("Notarizing mac binary", zipPath);
- execSync(
- `xcrun notarytool store-credentials "notarytool-profile" --apple-id ${APPLE_ID} --team-id=${APPLE_TEAM_ID} --password ${APPLE_PASSWORD}`,
- { stdio: "inherit" },
- );
-
- // notarize
- execSync(
- `xcrun notarytool submit ${zipPath} --keychain-profile "notarytool-profile" --wait`,
- { stdio: "inherit" },
- );
-};
diff --git a/scripts/sign/windows.ts b/scripts/sign/windows.ts
deleted file mode 100644
index d8b1e143..00000000
--- a/scripts/sign/windows.ts
+++ /dev/null
@@ -1,48 +0,0 @@
-import { execSync } from "node:child_process";
-import path from "node:path";
-
-import { glob } from "glob";
-import { BASE_PATH, BINS } from "./constants";
-
-const { ES_TOTP_SECRET, ES_USERNAME, ES_PASSWORD, ES_CREDENTIAL_ID } =
- process.env;
-
-
-// sign the windows bin with the docker image
-export const signWindowsBinary = async () => {
- const { bundle, target } = BINS.win32;
- const binBasePath = `${BASE_PATH}/target/${target}/release/bundle/${bundle}`;
- const globPath = `${binBasePath}/*.exe`;
-
- const [foundBinary] = await glob(globPath);
-
- if (!foundBinary) {
- throw new Error(`No binary found at ${binBasePath}`);
- }
-
- console.log("found bin:", foundBinary);
- // exe name of last part of the path
- const exeName = foundBinary.split(path.sep).pop();
-
- console.log("found exe:", exeName);
-
- const commandArray = [
- "docker",
- "run",
- "-it",
- "--rm",
- "-v",
- `"${binBasePath}:/code"`,
- "ghcr.io/sslcom/codesigner:latest",
- "sign",
- `-username=${ES_USERNAME}`,
- `-password=${ES_PASSWORD}`,
- `-credential_id=${ES_CREDENTIAL_ID}`,
- `-totp_secret=${ES_TOTP_SECRET}`,
- `-input_file_path=/code/${exeName}`,
- "-override=true",
- "-malware_block=false",
- ];
-
- execSync(commandArray.join(" "), { stdio: "inherit" });
-};