Rework instance config fetching (#301) #158
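# Release pipeline: builds wireguard-go for macOS, creates a draft GitHub
# release, then builds, signs and uploads the Linux, macOS and Windows
# bundles as release assets. Triggered by pushing a tag matching v*.*.*.
#
# NOTE(review): several `uses:` references below read "owner/[email protected]"
# on this page. That is a rendering artifact (the "name@vX.Y.Z" part was
# treated as an e-mail address); restore the real "owner/name@ref" from the
# repository before running. Prefer pinning third-party actions to a full
# commit SHA (tag in a trailing comment) so a moved tag cannot change what
# runs with access to the signing secrets.
name: 'Build app and create release'

# NOTE(review): there is no top-level `permissions:` block, so GITHUB_TOKEN
# receives the repository default. Creating the release and uploading assets
# needs only `contents: write`; declaring that here keeps the token
# least-privilege. Left as a suggestion because the repository default is not
# visible from this file.
on:
  push:
    tags:
      - 'v*.*.*'

jobs:
  build-wireguard-go:
    strategy:
      fail-fast: false
      matrix:
        architecture: [arm64, amd64]
    runs-on: [self-hosted, macOS]
    steps:
      # NOTE(review): `ref: master` compiles whatever upstream HEAD is at run
      # time into a shipped binary; pin to a wireguard-go tag or commit so a
      # release is reproducible and cannot change silently upstream.
      - uses: actions/checkout@v4
        with:
          repository: WireGuard/wireguard-go
          ref: master
          fetch-depth: 0
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.22'
      - name: Build wireguard-go binary
        run: make
        env:
          GOOS: darwin
          GOARCH: ${{ matrix.architecture }}
      # One upload step per architecture so the artifact name matches the
      # Rust target triple that build-macos downloads by.
      - name: Upload binary artifact arm64
        if: matrix.architecture == 'arm64'
        uses: actions/upload-artifact@v4
        with:
          name: wireguard-go-aarch64-apple-darwin
          path: wireguard-go
      - name: Upload binary artifact amd64
        if: matrix.architecture == 'amd64'
        uses: actions/upload-artifact@v4
        with:
          name: wireguard-go-x86_64-apple-darwin
          path: wireguard-go

  create-release:
    name: create-release
    runs-on: self-hosted
    outputs:
      # Consumed by every upload-release-asset step in the build jobs.
      upload_url: ${{ steps.release.outputs.upload_url }}
    steps:
      - name: Create GitHub release
        id: release
        uses: softprops/action-gh-release@v1
        with:
          draft: true
          generate_release_notes: true

  build-linux:
    needs:
      - create-release
    runs-on:
      - self-hosted
      - Linux
      - X64
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: 'recursive'
      - name: Write release version
        # Strip the leading "v" and any "-suffix" from the tag name.
        run: |
          VERSION=$(echo "${GITHUB_REF_NAME#v}" | cut -d '-' -f1)
          echo "Version: $VERSION"
          echo "VERSION=$VERSION" >> "$GITHUB_ENV"
      - uses: actions/setup-node@v3
        with:
          node-version: '20'
      - uses: pnpm/action-setup@v2
        with:
          version: 9
          run_install: false
      - name: Get pnpm store directory
        shell: bash
        run: |
          echo "STORE_PATH=$(pnpm store path --silent)" >> "$GITHUB_ENV"
      - uses: actions/cache@v3
        name: Setup pnpm cache
        with:
          path: ${{ env.STORE_PATH }}
          key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }}
          restore-keys: |
            ${{ runner.os }}-pnpm-build-store-
      - name: Install Node dependencies
        run: pnpm install --frozen-lockfile
      - uses: dtolnay/rust-toolchain@stable
      - name: Install Linux dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y libgtk-3-dev libwebkit2gtk-4.0-dev libappindicator3-dev librsvg2-dev patchelf libssl-dev unzip
      - name: Build packages
        uses: tauri-apps/tauri-action@v0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Upload DEB
        uses: actions/[email protected]
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ needs.create-release.outputs.upload_url }}
          asset_path: src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_amd64.deb
          asset_name: defguard-client_${{ env.VERSION }}_amd64.deb
          asset_content_type: application/octet-stream
      - name: Upload AppImage
        uses: actions/[email protected]
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ needs.create-release.outputs.upload_url }}
          asset_path: src-tauri/target/release/bundle/appimage/defguard-client_${{ env.VERSION }}_amd64.AppImage
          asset_name: defguard-client_${{ env.VERSION }}_amd64.AppImage
          asset_content_type: application/octet-stream
      # $GITHUB_REF_NAME carries the same value as ${{ github.ref_name }}.
      # Reading it from the environment keeps the tag text out of the
      # generated shell script: tag names may contain shell metacharacters,
      # and `${{ }}` is substituted before the shell parses the line.
      - name: Rename client binary
        run: mv src-tauri/target/release/defguard-client "defguard-client-linux-x86_64-$GITHUB_REF_NAME"
      - name: Tar client binary
        uses: a7ul/[email protected]
        with:
          command: c
          files: |
            defguard-client-linux-x86_64-${{ github.ref_name }}
          outPath: defguard-client-linux-x86_64-${{ github.ref_name }}.tar.gz
      - name: Upload client archive
        uses: actions/[email protected]
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ needs.create-release.outputs.upload_url }}
          asset_path: defguard-client-linux-x86_64-${{ github.ref_name }}.tar.gz
          asset_name: defguard-client-linux-x86_64-${{ github.ref_name }}.tar.gz
          asset_content_type: application/octet-stream
      - name: Rename daemon binary
        run: mv src-tauri/target/release/defguard-service "defguard-service-linux-x86_64-$GITHUB_REF_NAME"
      - name: Tar daemon binary
        uses: a7ul/[email protected]
        with:
          command: c
          files: |
            defguard-service-linux-x86_64-${{ github.ref_name }}
          outPath: defguard-service-linux-x86_64-${{ github.ref_name }}.tar.gz
      - name: Upload daemon archive
        uses: actions/[email protected]
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ needs.create-release.outputs.upload_url }}
          asset_path: defguard-service-linux-x86_64-${{ github.ref_name }}.tar.gz
          asset_name: defguard-service-linux-x86_64-${{ github.ref_name }}.tar.gz
          asset_content_type: application/octet-stream

  build-macos:
    needs:
      - create-release
      - build-wireguard-go
    strategy:
      fail-fast: false
      matrix:
        target: [aarch64-apple-darwin, x86_64-apple-darwin]
    runs-on:
      - self-hosted
      - macOS
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: 'recursive'
      - name: Write release version
        # Strip the leading "v" and any "-suffix" from the tag name.
        run: |
          VERSION=$(echo "${GITHUB_REF_NAME#v}" | cut -d '-' -f1)
          echo "Version: $VERSION"
          echo "VERSION=$VERSION" >> "$GITHUB_ENV"
      - uses: actions/setup-node@v3
        with:
          node-version: '20'
      - uses: pnpm/action-setup@v2
        with:
          version: 9
          run_install: false
      - name: Get pnpm store directory
        shell: bash
        run: echo "STORE_PATH=$(pnpm store path --silent)" >> "$GITHUB_ENV"
      - uses: actions/cache@v3
        name: Setup pnpm cache
        with:
          path: ${{ env.STORE_PATH }}
          key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }}
          restore-keys: |
            ${{ runner.os }}-pnpm-build-store-
      - name: Install deps
        run: pnpm install --frozen-lockfile
      - uses: dtolnay/rust-toolchain@stable
      - name: Install protobuf compiler
        run: brew install protobuf
      - name: Install ARM target
        run: rustup target add aarch64-apple-darwin
      # Artifact name matches what build-wireguard-go uploaded per target.
      - name: Download wireguard-go binary
        uses: actions/download-artifact@v4
        with:
          name: wireguard-go-${{ matrix.target }}
          path: src-tauri/resources-macos/binaries/wireguard-go-${{ matrix.target }}
      - name: Unlock keychain
        # The secret is handed to the step through `env:` and expanded by the
        # shell, instead of being interpolated into the script text. It still
        # appears in the process argument list on the shared self-hosted
        # runner; keep that in mind when other workloads run on the same host.
        env:
          KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
        run: security -v unlock-keychain -p "$KEYCHAIN_PASSWORD" /Users/admin/Library/Keychains/login.keychain
      - name: Build app
        uses: tauri-apps/tauri-action@v0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          APPLE_SIGNING_IDENTITY: 'Developer ID Application: TEONITE (6WD6W6WQNV)'
          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
          APPLE_ID: '[email protected]'
          APPLE_PASSWORD: ${{ secrets.NOTARYTOOL_APP_SPECIFIC_PASSWORD }}
          APPLE_TEAM_ID: '6WD6W6WQNV'
        with:
          args: --target ${{ matrix.target }} -v
      - name: Build installation package
        # Sign the .pkg with the Developer ID Installer identity, notarize it
        # and staple the ticket. The notary password comes from `env:` rather
        # than an inline `${{ }}` expansion; notarytool's stored keychain
        # profile would avoid passing it on the command line altogether.
        env:
          NOTARYTOOL_PASSWORD: ${{ secrets.NOTARYTOOL_APP_SPECIFIC_PASSWORD }}
        run: |
          bash build-macos-package.sh "src-tauri/target/${{ matrix.target }}" src-tauri/resources-macos/scripts "Developer ID Installer: TEONITE (6WD6W6WQNV)" /Users/admin/Library/Keychains/login.keychain
          xcrun notarytool submit --wait --apple-id [email protected] --password "$NOTARYTOOL_PASSWORD" --team-id 6WD6W6WQNV "src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg"
          xcrun stapler staple "src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg"
      - name: Upload installation package
        uses: actions/[email protected]
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ needs.create-release.outputs.upload_url }}
          asset_path: src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg
          asset_name: defguard-${{ matrix.target }}-${{ env.VERSION }}.pkg
          asset_content_type: application/octet-stream

  # Building signed windows bundle involves a few steps as described here:
  # https://wixtoolset.org/docs/tools/signing/#signing-bundles-at-the-command-line
  # 1. Build defguard & bundle the binaries (defguard & wireguard) using wix (windows)
  # 2. Detach the burn engine from the bundle so that it can be signed (also windows)
  # 3. Sign the burn engine (linux)
  # 4. Reattach the burn engine back to the bundle (windows again)
  # 5. Sign the whole bundle (linux)
  build-windows:
    needs:
      - create-release
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v4
        with:
          submodules: 'recursive'
      - name: Write release version
        # PowerShell equivalent of the Linux/macOS version step.
        run: |
          $env:VERSION=echo ($env:GITHUB_REF_NAME.Substring(1) -Split "-")[0]
          echo Version: $env:VERSION
          echo "VERSION=$env:VERSION" >> $env:GITHUB_ENV
      - uses: actions/setup-node@v3
        with:
          node-version: '20'
      - uses: pnpm/action-setup@v2
        with:
          version: 9
          run_install: false
      - name: Get pnpm store directory
        shell: bash
        # Under `shell: bash` the file is $GITHUB_ENV. The PowerShell form
        # `$env:GITHUB_ENV` expands to ":GITHUB_ENV" in bash, so the original
        # redirect wrote to a stray file and STORE_PATH was never exported,
        # leaving the cache `path:` below empty.
        run: echo "STORE_PATH=$(pnpm store path --silent)" >> "$GITHUB_ENV"
      - uses: actions/cache@v3
        name: Setup pnpm cache
        with:
          path: ${{ env.STORE_PATH }}
          key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }}
          restore-keys: |
            ${{ runner.os }}-pnpm-build-store-
      - name: Install deps
        run: pnpm install --frozen-lockfile
      - uses: dtolnay/rust-toolchain@stable
      - name: Install Protoc
        uses: arduino/setup-protoc@v2
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Remove "default-run" line from Cargo.toml
        run: |
          Set-Content -Path ".\src-tauri\Cargo.toml" -Value (get-content -Path ".\src-tauri\Cargo.toml" | Select-String -Pattern 'default-run =' -NotMatch)
      - name: Build packages
        uses: tauri-apps/tauri-action@v0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Bundle application
        run: |
          # prepare wix extension
          dotnet tool install --global wix --version 4.0.5
          wix extension add WixToolset.Bal.wixext/4
          # bundle defguard & wireguard binaries together
          wix build .\src-tauri\resources-windows\defguard-client.wxs -ext .\.wix\extensions\WixToolset.Bal.wixext\4\wixext4\WixToolset.Bal.wixext.dll
          # detach burn engine from the bundle to be signed
          wix burn detach .\src-tauri\resources-windows\defguard-client.exe -engine .\src-tauri\resources-windows\burnengine.exe
      - name: Upload unsigned bundle and burn-engine
        uses: actions/upload-artifact@v4
        with:
          name: unsigned-bundle-and-burnengine
          path: |
            src-tauri/resources-windows/defguard-client.exe
            src-tauri/resources-windows/burnengine.exe

  sign-burn-engine:
    needs:
      - build-windows
    runs-on:
      - self-hosted
      - Linux
      - X64
    steps:
      - name: Write release version
        run: |
          VERSION=$(echo "${GITHUB_REF_NAME#v}" | cut -d '-' -f1)
          echo "Version: $VERSION"
          echo "VERSION=$VERSION" >> "$GITHUB_ENV"
      - name: Download unsigned bundle & burn-engine
        uses: actions/download-artifact@v4
        with:
          name: unsigned-bundle-and-burnengine
      - name: Sign burn-engine
        # Key id and PIN are supplied through `env:` and expanded by the
        # shell rather than interpolated into the script. The PIN is still
        # passed as an argument; osslsigncode's `-readpass <file>` (where
        # the installed version supports it) would keep it out of argv.
        env:
          CODESIGN_KEYID: ${{ secrets.CODESIGN_KEYID }}
          CODESIGN_PIN: ${{ secrets.CODESIGN_PIN }}
        run: >-
          osslsigncode sign
          -pkcs11module /srv/codesign/certum/sc30pkcs11-3.0.6.68-MS.so
          -certs /srv/codesign/29ee7778ca5217107841bbbf6b3062e1.pem
          -key "$CODESIGN_KEYID" -pass "$CODESIGN_PIN"
          -h sha256 -t http://time.certum.pl/
          -in burnengine.exe -out burnengine-signed.exe
      - name: Upload bundle and burn-engine artifact
        uses: actions/upload-artifact@v4
        with:
          name: unsigned-bundle-and-signed-burnengine
          path: |
            defguard-client.exe
            burnengine-signed.exe

  reattach-burn-engine:
    needs:
      - sign-burn-engine
    runs-on: windows-latest
    steps:
      - name: Download unsigned bundle and signed burn-engine
        uses: actions/download-artifact@v4
        with:
          name: unsigned-bundle-and-signed-burnengine
      - name: Reattach burn-engine
        run: |
          # prepare wix extension
          dotnet tool install --global wix --version 4.0.5
          wix extension add WixToolset.Bal.wixext/4
          # reattach burn engine to the bundle
          wix burn reattach defguard-client.exe -engine burnengine-signed.exe -o defguard-client-reattached.exe
      - name: Upload bundle with reattached burn-engine
        uses: actions/upload-artifact@v4
        with:
          name: unsigned-bundle-with-reattached-signed-burn-engine
          path: defguard-client-reattached.exe

  sign-bundle:
    needs:
      - create-release
      - reattach-burn-engine
    runs-on:
      - self-hosted
      - Linux
      - X64
    steps:
      - name: Write release version
        run: |
          VERSION=$(echo "${GITHUB_REF_NAME#v}" | cut -d '-' -f1)
          echo "Version: $VERSION"
          echo "VERSION=$VERSION" >> "$GITHUB_ENV"
      - name: Download unsigned bundle & signed burn-engine
        uses: actions/download-artifact@v4
        with:
          name: unsigned-bundle-with-reattached-signed-burn-engine
      - name: Sign bundle
        # Same secret handling as the burn-engine signing step above.
        env:
          CODESIGN_KEYID: ${{ secrets.CODESIGN_KEYID }}
          CODESIGN_PIN: ${{ secrets.CODESIGN_PIN }}
        run: >-
          osslsigncode sign
          -pkcs11module /srv/codesign/certum/sc30pkcs11-3.0.6.68-MS.so
          -certs /srv/codesign/29ee7778ca5217107841bbbf6b3062e1.pem
          -key "$CODESIGN_KEYID" -pass "$CODESIGN_PIN"
          -h sha256 -t http://time.certum.pl/
          -in defguard-client-reattached.exe -out defguard-client-signed.exe
      - name: Upload installer asset
        uses: actions/[email protected]
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ needs.create-release.outputs.upload_url }}
          asset_path: defguard-client-signed.exe
          asset_name: defguard-client_${{ env.VERSION }}_x64_en-US.exe
          asset_content_type: application/octet-stream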