ci-build updated

stamepicmorg · stamepicmorg · commit 65031f3fdcc6 · 2025-07-16T17:17:27.000+03:00
+ added signing
+ migrated to windows-2025 runner
+ wmic deprecated and migrated to ps
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -5,16 +5,18 @@ on:
     branches: [master]
     paths-ignore:
       - '**.md'
+      - '.github/**'
 
   pull_request:
     types: [opened, reopened, synchronize]
   release:
     types: [published]
+  workflow_dispatch:
 
 jobs:
   windows:
     name: 'Windows'
-    runs-on: windows-2019
+    runs-on: windows-2025
 
     env:
       solution: 'msvc/reapi.sln'
@@ -32,12 +34,52 @@ jobs:
 
       - name: Setup MSBuild
         uses: microsoft/setup-msbuild@v2
-        with:
-          vs-version: '16'
 
+# TODO: add support of 141_xp toolchain at VS2022+
+#      - name: Install v140, v141 and v142 toolsets
+#        shell: cmd
+#        run: |
+#          "C:\Program Files (x86)\Microsoft Visual Studio\Installer\vs_installer.exe" modify ^
+#          --installPath "C:\Program Files\Microsoft Visual Studio\2022\Enterprise" ^
+#          --add Microsoft.VisualStudio.Component.WindowsXP ^
+#          --add Microsoft.VisualStudio.Component.VC.v140 ^
+#          --add Microsoft.VisualStudio.Component.VC.v140.x86.x64 ^
+#          --add Microsoft.VisualStudio.Component.VC.v140.xp ^
+#          --add Microsoft.VisualStudio.Component.VC.140.CRT ^
+#          --add Microsoft.VisualStudio.Component.VC.v141 ^
+#          --add Microsoft.VisualStudio.Component.VC.v141.x86.x64 ^
+#          --add Microsoft.VisualStudio.Component.VC.v141.xp ^
+#          --add Microsoft.VisualStudio.Component.VC.v142 ^
+#          --add Microsoft.VisualStudio.Component.VC.v142.x86.x64 ^
+#          --quiet --norestart
+
+      - name: Select PlatformToolset
+        id: select_toolset
+        shell: pwsh
+        run: |
+          $vswhere = "${env:ProgramFiles(x86)}\Microsoft Visual Studio\Installer\vswhere.exe"
+          $vs2019 = & $vswhere -products * -version "[16.0,17.0)" -property installationPath -latest
+          $vs2022 = & $vswhere -products * -version "[17.0,)" -property installationPath -latest
+          
+          if ($vs2019) {
+            "toolset=v140_xp" >> $env:GITHUB_OUTPUT
+            Write-Host "Selected v140_xp toolset"
+          } elseif ($vs2022) {
+            "toolset=v143" >> $env:GITHUB_OUTPUT
+            Write-Host "Selected v143 toolset"
+          } else {
+            Write-Error "No suitable Visual Studio installation found"
+            exit 1
+          }
       - name: Build
         run: |
-          msbuild ${{ env.solution }} -p:Configuration="${{ env.buildRelease }}" /t:Clean,Build /p:Platform=${{ env.buildPlatform }} /p:PlatformToolset=v140_xp /p:XPDeprecationWarning=false
+          $toolset = '${{ steps.select_toolset.outputs.toolset }}'
+          msbuild ${{ env.solution }} -p:Configuration="${{ env.buildRelease }}" /t:Clean,Build /p:Platform=${{ env.buildPlatform }} /p:PlatformToolset=$toolset /p:XPDeprecationWarning=false
+
+#      - name: Get rcedit from chocolatey
+#        shell: pwsh
+#        run: |
+#          choco install rcedit -y
 
       - name: Move files
         run: |
@@ -47,6 +89,44 @@ jobs:
           move msvc\${{ env.buildRelease }}\reapi_amxx.dll publish\addons\amxmodx\modules\reapi_amxx.dll
           move msvc\${{ env.buildRelease }}\reapi_amxx.pdb publish\debug\reapi_amxx.pdb
 
+      - name: Get app version
+        id: get_version
+        shell: pwsh
+        run: |
+          $versionFile = "rehlds/version/appversion.h"
+          if (-not (Test-Path $versionFile)) {
+            Write-Error "Version file not found: $versionFile"
+            exit 1
+          }
+
+          $content = Get-Content $versionFile
+          foreach ($line in $content) {
+            if ($line -match '^\s*#define\s+APP_VERSION\s+"([^"]+)"') {
+              $version = $matches[1]
+              "version=$version" >> $env:GITHUB_OUTPUT
+              Write-Host "Found version: $version"
+              exit 0
+            }
+          }
+          Write-Error "APP_VERSION not found in file"
+          exit 1
+
+      - name: Show version
+        run: echo "Version is ${{ steps.get_version.outputs.version }}"
+
+      - name: Import PFX and sign
+        if: github.event_name != 'pull_request'
+        env:
+          KEY_PFX_PASS: ${{ secrets.KEY_PFX_PASS }}
+        # https://github.com/actions/runner-images/blob/main/images/windows/Windows2025-Readme.md
+        run: |
+               $pfxBase64 = "${{ secrets.KEY_PFX_B64 }}"
+               [IO.File]::WriteAllBytes("${{ github.workspace }}\signing-cert.pfx", [Convert]::FromBase64String($pfxBase64))
+               certutil -f -p "${{ secrets.KEY_PFX_PASS }}" -importPFX "${{ github.workspace }}\signing-cert.pfx"
+               & 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x86\signtool.exe' sign /a /f "${{ github.workspace }}\signing-cert.pfx"  /p $env:KEY_PFX_PASS /d "ReAPI - AMX Mod X module, using API regamedll & rehlds" /du "https://rehlds.dev/" /tr "http://timestamp.digicert.com" /td sha256 /fd sha256 /v ${{ github.workspace }}\publish\addons\amxmodx\modules\reapi_amxx.dll
+               Remove-Item -Recurse -Force "${{ github.workspace }}\signing-cert.pfx"
+        shell: "pwsh"
+
       - name: Deploy artifacts
         uses: actions/upload-artifact@v4
         with:
@@ -80,6 +160,49 @@ jobs:
         with:
           fetch-depth: 0
 
+      - name: GPG Import
+        run: |
+          echo "${{ secrets.PUB_ASC }}" > "${{ secrets.PUB_ASC_FILE }}"
+          echo "${{ secrets.KEY_ASC }}" > "${{ secrets.KEY_ASC_FILE }}"
+
+          # Import the public key
+          gpg --batch --yes --import "${{ secrets.PUB_ASC_FILE }}"
+          if [[ $? -ne 0 ]]; then
+            echo "Error: Failed to import the public key"
+            exit 1
+          fi
+          
+          # Import the private key
+          gpg --batch --yes --import "${{ secrets.KEY_ASC_FILE }}"
+          if [[ $? -ne 0 ]]; then
+            echo "Error: Failed to import the private key"
+            exit 2
+          fi
+          
+          # Extract the fingerprint of the imported public key
+          GPG_LINUX_FINGERPRINT=$(gpg --list-keys --with-colons | grep '^fpr' | head -n 1 | cut -d: -f10)
+          
+          # Check if the fingerprint was extracted
+          if [[ -z "$GPG_LINUX_FINGERPRINT" ]]; then
+            echo "Error: Failed to extract the fingerprint of the key"
+            exit 3
+          fi
+          
+          # Set the trust level for the key
+          echo "$GPG_LINUX_FINGERPRINT:6:" | gpg --batch --import-ownertrust
+          if [ $? -ne 0 ]; then
+            echo "Error: Failed to set trust for the key $GPG_LINUX_FINGERPRINT"
+            exit 4
+          fi
+          
+          echo "Key $GPG_LINUX_FINGERPRINT successfully imported and trusted"
+          gpg --list-keys
+
+          #export for global use
+          echo "GPG_LINUX_FINGERPRINT=$GPG_LINUX_FINGERPRINT" >> $GITHUB_ENV
+        shell: bash
+        if: github.event_name != 'pull_request'
+
       - name: Build
         run: |
           rm -rf build && CC=gcc CXX=g++ cmake -B build && cmake --build build -j8
@@ -94,6 +217,7 @@ jobs:
             else
               # Remove quotes
               APP_VERSION=$(echo $APP_VERSION | xargs)
+              echo "APP_VERSION=${APP_VERSION}" >> $GITHUB_ENV
             fi
           fi
           echo "version=${APP_VERSION}" >> "$GITHUB_OUTPUT"
@@ -150,7 +274,29 @@ jobs:
           github.event.action == 'published' &&
           startsWith(github.ref, 'refs/tags/')
         run: |
+        
+          # new runner, niw signs
+          echo "${{ secrets.PUB_ASC }}" > "${{ secrets.PUB_ASC_FILE }}"
+          echo "${{ secrets.KEY_ASC }}" > "${{ secrets.KEY_ASC_FILE }}"
+          gpg --batch --yes --import "${{ secrets.PUB_ASC_FILE }}"
+          gpg --batch --yes --import "${{ secrets.KEY_ASC_FILE }}"
+          GPG_LINUX_FINGERPRINT=$(gpg --list-keys --with-colons | grep '^fpr' | head -n 1 | cut -d: -f10)
+          echo "$GPG_LINUX_FINGERPRINT:6:" | gpg --batch --import-ownertrust
+          echo "GPG_LINUX_FINGERPRINT=$GPG_LINUX_FINGERPRINT" >> $GITHUB_ENV
+
+          sign_file() {
+            local file=$1
+            gpg --batch --yes --detach-sign --armor -u "$GPG_LINUX_FINGERPRINT" "$file"
+            if [ $? -ne 0 ]; then
+              echo "Error: Failed to sign $file"
+              exit 2
+            fi
+            echo "$file signed successfully."
+          }
+          
+          # Pack and sign final archive
           7z a -tzip reapi-bin-${{ needs.linux.outputs.app-version }}.zip addons/
+          sign_file "reapi-bin-${{ env.APP_VERSION }}.zip"
 
       - name: Publish artifacts
         uses: softprops/action-gh-release@v2
diff --git a/reapi/version/appversion.bat b/reapi/version/appversion.bat
@@ -23,13 +23,32 @@ set commitURL=
 set commitCount=0
 set branch_name=master
 
-for /f "delims=" %%a in ('wmic OS Get localdatetime  ^| find "."') do set "dt=%%a"
-set "YYYY=%dt:~0,4%"
-set "MM=%dt:~4,2%"
-set "DD=%dt:~6,2%"
-set "hour=%dt:~8,2%"
-set "min=%dt:~10,2%"
-set "sec=%dt:~12,2%"
+for /f "tokens=*" %%i in ('powershell -NoProfile -Command ^
+    "$now = Get-Date; Write-Output ('{0:yyyy}|{0:MM}|{0:dd}|{0:HH}|{0:mm}|{0:ss}' -f $now)"') do (
+    for /f "tokens=1-6 delims=|" %%a in ("%%i") do (
+        set "YYYY=%%a"
+        set "MM=%%b"
+        set "DD=%%c"
+        set "hour=%%d"
+        set "min=%%e"
+        set "sec=%%f"
+    )
+)
+
+echo YYYY=%YYYY%
+echo MM=%MM%
+echo DD=%DD%
+echo hour=%hour%
+echo min=%min%
+echo sec=%sec%
+
+:: for /f "delims=" %%a in ('wmic OS Get localdatetime  ^| find "."') do set "dt=%%a"
+:: set "YYYY=%dt:~0,4%"
+:: set "MM=%dt:~4,2%"
+:: set "DD=%dt:~6,2%"
+:: set "hour=%dt:~8,2%"
+:: set "min=%dt:~10,2%"
+:: set "sec=%dt:~12,2%"
 
 ::
 :: Remove leading zero from MM (e.g 09 > 9)
