-
-
Notifications
You must be signed in to change notification settings - Fork 66
175 lines (149 loc) · 7.77 KB
/
lf-build-windows-x86_64.yml
File metadata and controls
175 lines (149 loc) · 7.77 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
name: 'Linuxfabrik: Build Windows (x86_64)'
on:
workflow_dispatch:
inputs:
compile-plugins:
description: 'Space-separated list of check plugins to compile and package, for example "cpu-usage feed scanrootkit". Leave empty to build all plugins.'
required: false
default: ''
# target-distros:
# description: 'Space-separated list of operating systems to compile on and build packages for. Supported: `windows`. Cannot be empty.'
# required: true
# default: 'windows'
version:
description: 'Package Version'
required: true
package-iteration:
description: 'The iteration number for the package (usually "1").'
required: true
default: '1'
# modify the default permissions granted to the GITHUB_TOKEN
permissions:
contents: 'read'
jobs:
build-windows-x86_64:
runs-on:
- 'windows-2025' # https://github.com/actions/runner-images/blob/main/images/windows/Windows2025-Readme.md
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
with:
egress-policy: audit
- name: 'Set environment variables for the build scripts'
shell: 'bash'
run: |
echo "LFMP_ARCH=x86_64" >> $GITHUB_ENV
PLUGS="${{ github.event.inputs.compile-plugins }}"
# accept either "a b c" or "a,b,c"
PLUGS="${PLUGS//,/ }"
echo "LFMP_COMPILE_PLUGINS=$PLUGS" >> $GITHUB_ENV
echo "LFMP_PACKAGE_ITERATION=${{ github.event.inputs.package-iteration }}" >> $GITHUB_ENV
echo "LFMP_VERSION=${{ github.event.inputs.version }}" >> $GITHUB_ENV
# echo "LFMP_TARGET_DISTROS=${{ github.event.inputs.target-distros }}" >> $GITHUB_ENV
echo "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_ENV
echo "LFMP_DIR_REPOS=$GITHUB_WORKSPACE/repos" >> $GITHUB_ENV
echo "LFMP_DIR_COMPILED=$RUNNER_TEMP/lfmp/compiled" >> $GITHUB_ENV
echo "LFMP_DIR_PACKAGED=$RUNNER_TEMP/lfmp/packaged" >> $GITHUB_ENV
- name: 'Create working directories'
shell: 'bash'
run: |
mkdir -p $LFMP_DIR_REPOS
mkdir -p $LFMP_DIR_COMPILED
mkdir -p $LFMP_DIR_PACKAGED/{in,out}
- name: 'git clone https://github.com/Linuxfabrik/THIS-REPO'
uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # v5.0.0
with:
path: '${{ env.LFMP_DIR_REPOS }}/monitoring-plugins'
- name: 'Debug'
shell: 'bash'
run: >
/bin/bash
$LFMP_DIR_REPOS/monitoring-plugins/build/debug.sh
- name: 'Install python3.13'
uses: 'actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c' # v6.0.0
with:
python-version: '3.13'
- name: 'python.exe -m pip install --upgrade pip wheel setuptools'
run: 'python.exe -m pip install --upgrade pip wheel setuptools'
# ordered-set is for nuitka: "Nuitka:WARNING: Using very slow fallback for ordered sets, please install 'ordered-set' or 'orderedset' PyPI packages for best Python compile time performance."
- name: 'python.exe -m pip install --upgrade ordered-set Nuitka'
run: 'python.exe -m pip install --upgrade ordered-set Nuitka'
# install 3rd party libraries for all check plugins
- name: 'python.exe -m pip install --requirement ${{ github.workspace }}\repos\monitoring-plugins\requirements-windows.txt --require-hashes'
run: 'python.exe -m pip install --requirement ${{ github.workspace }}\repos\monitoring-plugins\requirements-windows.txt --require-hashes'
- name: 'Verify Python installation'
run: 'python.exe -m pip list'
- name: 'Compile the check plugins'
shell: 'bash'
run: >
/bin/bash
$LFMP_DIR_REPOS/monitoring-plugins/build/compile-multiple.sh
- name: 'Upload the unsigned compiled plugins'
uses: 'actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02' # v4.6.2
id: 'upload-unsigned-compiled'
with:
path: '${{ env.LFMP_DIR_COMPILED }}/check-plugins/*'
name: "lfmp-${{ env.LFMP_VERSION }}-${{ env.LFMP_PACKAGE_ITERATION }}.unsigned-compiled.windows.${{ env.LFMP_ARCH }}"
if-no-files-found: 'error'
# https://github.com/SignPath/github-actions/tree/main/actions/submit-signing-request
# https://about.signpath.io/documentation/trusted-build-systems/github
- name: 'Sign the compiled plugins'
uses: 'signpath/github-action-submit-signing-request@ced31329c0317e779dad2eec2a7c3bb46ea1343e' # v1.3
with:
api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
organization-id: '35067665-5434-42c5-9fa2-4c750069f161'
project-slug: 'monitoring-plugins'
signing-policy-slug: 'release-signing'
artifact-configuration-slug: 'compiled'
github-artifact-id: '${{ steps.upload-unsigned-compiled.outputs.artifact-id }}'
wait-for-completion: true
# note: the path is always relative to GITHUB_WORKSPACE (hardcoded in the signpath action)
# and will be created if it does not exist
output-artifact-directory: 'signed-compiled/'
- name: 'Upload the signed compiled plugins'
uses: 'actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02' # v4.6.2
with:
path: '${{ github.workspace }}/signed-compiled/*'
name: "lfmp-${{ env.LFMP_VERSION }}-${{ env.LFMP_PACKAGE_ITERATION }}.signed-compiled.windows.${{ env.LFMP_ARCH }}"
- name: 'Configure MSBuild in the workflow PATH for building .NET Framework applications'
uses: 'microsoft/setup-msbuild@6fb02220983dee41ce7ae257b6f4d8f9bf5ed4ce' # v2.0.0
- name: 'Install WiX toolset, the packaging tool'
run: 'dotnet tool install --global wix'
- name: 'Verify WiX installation'
run: 'wix --version'
- name: 'Create the wxs file for WiX'
shell: 'bash'
run: >
/bin/bash
$LFMP_DIR_REPOS/monitoring-plugins/build/create-wxs.sh
- name: 'Create the package for Windows'
run: >
wix.exe build
-arch x64
-defaultcompressionlevel high
${{ env.LFMP_DIR_PACKAGED }}\in\lfmp.wxs
-out ${{ env.LFMP_DIR_PACKAGED }}\out\linuxfabrik-monitoring-plugins.msi
- name: 'Upload the unsigned package (msi)'
uses: 'actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02' # v4.6.2
id: 'upload-unsigned-packaged'
with:
path: '${{ env.LFMP_DIR_PACKAGED }}/out/*'
name: "lfmp-${{ env.LFMP_VERSION }}-${{ env.LFMP_PACKAGE_ITERATION }}.unsigned-packaged.windows.${{ env.LFMP_ARCH }}"
- name: 'Sign the package'
uses: 'signpath/github-action-submit-signing-request@ced31329c0317e779dad2eec2a7c3bb46ea1343e' # v1.3
with:
api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
organization-id: '35067665-5434-42c5-9fa2-4c750069f161'
project-slug: 'monitoring-plugins'
signing-policy-slug: 'release-signing'
artifact-configuration-slug: 'packaged'
github-artifact-id: '${{ steps.upload-unsigned-packaged.outputs.artifact-id }}'
wait-for-completion: true
# note: the path is always relative to GITHUB_WORKSPACE (hardcoded in the signpath action)
# and will be created if it does not exist
output-artifact-directory: 'signed-packaged/'
- name: 'Upload the signed package (msi)'
uses: 'actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02' # v4.6.2
with:
path: '${{ github.workspace }}/signed-packaged/*'
name: "lfmp-${{ env.LFMP_VERSION }}-${{ env.LFMP_PACKAGE_ITERATION }}.signed-packaged.windows.${{ env.LFMP_ARCH }}"