signPathTest #93
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build for Windows | ||
| on: workflow_dispatch | ||
| # SignPath needs access to artifacts; set minimal permissions. | ||
| permissions: | ||
| contents: read | ||
| actions: read | ||
| jobs: | ||
| build-x86: | ||
| runs-on: windows-latest | ||
| env: | ||
| WOLFRAM_SYSTEM_ID: Windows-x86-64-v7 | ||
| WOLFRAMENGINE_INSTALL_MSI_DOWNLOAD_URL: https://files.wolframcdn.com/packages/winget/14.0.0.0/WolframEngine_14.0.0_WIN.msi | ||
| WOLFRAMENGINE_CACHE_KEY: WolframEngine-B | ||
| WOLFRAMENGINE_INSTALLATION_SUBDIRECTORY: WolframEngine | ||
| # Adjust this if your build outputs to a different pattern/name. | ||
| # Common electron-builder outputs: dist/*.exe, dist/*.msi | ||
| unsigned_glob: dist/*.exe | ||
| # Where the SignPath action will drop the signed artifact(s) | ||
| SIGNED_OUT_DIR: '${{ runner.temp }}\signed-artifacts' | ||
| steps: | ||
| - name: Check out repository | ||
| uses: actions/checkout@v2 | ||
| with: | ||
| token: ${{ secrets.GH_TOKEN }} | ||
| - name: Patch specific dependencies from package.json | ||
| shell: pwsh | ||
| run: | | ||
| $pkgPath = "package.json" | ||
| $json = Get-Content $pkgPath -Raw | ConvertFrom-Json | ||
| $dependenciesToRemove = @( | ||
| "dmg-license", | ||
| "electron-trackpad-utils" | ||
| ) | ||
| foreach ($dep in $dependenciesToRemove) { | ||
| if ($json.dependencies.$dep) { | ||
| $json.dependencies.PSObject.Properties.Remove($dep) | ||
| } | ||
| if ($json.devDependencies.$dep) { | ||
| $json.devDependencies.PSObject.Properties.Remove($dep) | ||
| } | ||
| } | ||
| $json | ConvertTo-Json -Depth 10 | Out-File -Encoding UTF8 $pkgPath | ||
| - name: Install Node.js manually | ||
| run: | | ||
| Invoke-WebRequest https://nodejs.org/dist/v23.9.0/node-v23.9.0-x64.msi -OutFile nodejs.msi | ||
| Start-Process msiexec.exe -Wait -ArgumentList '/quiet', '/i', 'nodejs.msi' | ||
| shell: powershell | ||
| - name: Check Node version | ||
| run: | | ||
| node -v | ||
| npm -v | ||
| shell: powershell | ||
| - name: Install Node.js dependencies | ||
| run: | | ||
| npm install | ||
| - name: Cache/restore Wolfram Engine install | ||
| id: cache-restore | ||
| uses: actions/cache@v4 | ||
| env: | ||
| WOLFRAMENGINE_INSTALLATION_DIRECTORY: '${{ runner.temp }}\${{ env.WOLFRAMENGINE_INSTALLATION_SUBDIRECTORY }}' | ||
| with: | ||
| path: ${{ env.WOLFRAMENGINE_INSTALLATION_DIRECTORY }} | ||
| key: wolframengine-${{ env.WOLFRAM_SYSTEM_ID }}-${{ env.WOLFRAMENGINE_CACHE_KEY }} | ||
| - name: Download and install Wolfram Engine | ||
| if: steps.cache-restore.outputs.cache-hit != 'true' | ||
| env: | ||
| WOLFRAMENGINE_INSTALLATION_DIRECTORY: '${{ runner.temp }}\${{ env.WOLFRAMENGINE_INSTALLATION_SUBDIRECTORY }}' | ||
| WOLFRAMENGINE_INSTALL_MSI_PATH: '${{ runner.temp }}\WolframEngine-Install.msi' | ||
| WOLFRAMENGINE_INSTALL_LOG_PATH: '${{ runner.temp }}\WolframEngine-Install.log' | ||
| run: | | ||
| echo 'Downloading Wolfram Engine installer...' | ||
| $msiFile = '${{ env.WOLFRAMENGINE_INSTALL_MSI_PATH }}' | ||
| $logFile = '${{ env.WOLFRAMENGINE_INSTALL_LOG_PATH }}' | ||
| Import-Module BitsTransfer | ||
| Start-BitsTransfer '${{ env.WOLFRAMENGINE_INSTALL_MSI_DOWNLOAD_URL }}' $msiFile | ||
| echo 'Downloaded Wolfram Engine installer.' | ||
| $DataStamp = get-date -Format yyyyMMddTHHmmss | ||
| $MSIArguments = @( | ||
| "/i" | ||
| ('"{0}"' -f $msiFile) | ||
| 'INSTALLLOCATION="${{ env.WOLFRAMENGINE_INSTALLATION_DIRECTORY }}"' | ||
| "/qn" | ||
| "/norestart" | ||
| "/L*v" | ||
| $logFile | ||
| ) | ||
| echo 'Installing Wolfram Engine...' | ||
| Start-Process "msiexec.exe" -ArgumentList $MSIArguments -Wait -NoNewWindow | ||
| echo 'Installed Wolfram Engine.' | ||
| - name: Bundle files | ||
| env: | ||
| WOLFRAMENGINE_INSTALLATION_DIRECTORY: '${{ runner.temp }}\${{ env.WOLFRAMENGINE_INSTALLATION_SUBDIRECTORY }}' | ||
| WOLFRAMINIT: "-pwfile !cloudlm.wolfram.com -entitlement ${{ secrets.WOLFRAM_LICENSE_ENTITLEMENT_ID }}" | ||
| run: | | ||
| $env:Path += ';${{ env.WOLFRAMENGINE_INSTALLATION_DIRECTORY }}\' | ||
| wolfram -script ./Scripts/bundle.wls | ||
| - name: Build Electron (no publish) | ||
| env: | ||
| GH_TOKEN: ${{ secrets.GH_TOKEN }} | ||
| run: | | ||
| npx electron-builder --win --x64 --publish never | ||
| # ───────────────────────────── | ||
| # SignPath integration starts | ||
| # ───────────────────────────── | ||
| - name: Upload unsigned artifact (for SignPath) | ||
| id: upload-unsigned-artifact | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: unsigned-windows-artifact | ||
| # Adjust if needed to match your build output | ||
| path: ${{ env.unsigned_glob }} | ||
| if-no-files-found: error | ||
| compression-level: 0 | ||
| - name: Submit signing request to SignPath | ||
| id: sign-with-signpath | ||
| uses: signpath/github-action-submit-signing-request@v1 | ||
| with: | ||
| api-token: '${{ secrets.SIGNPATH_API_TOKEN }}' | ||
| organization-id: 'a11e9ec9-516b-42a1-97d7-8a62e7508a48' | ||
| github-artifact-id: '${{ steps.upload-unsigned-artifact.outputs.artifact-id }}' | ||
| wait-for-completion: true | ||
| output-artifact-directory: '${{ env.SIGNED_OUT_DIR }}' | ||
| # Optional: grab version from package.json for a nice tag | ||
| - name: Read app version | ||
| id: appver | ||
| shell: bash | ||
| run: echo "version=$(node -p \"require('./package.json').version\")" >> $GITHUB_OUTPUT | ||
| # Create/Update a GitHub release and upload the SIGNED files | ||
| - name: Publish signed artifacts to GitHub Release | ||
| uses: softprops/action-gh-release@v2 | ||
| with: | ||
| tag_name: v${{ steps.appver.outputs.version }} | ||
| name: v${{ steps.appver.outputs.version }} | ||
| draft: false | ||
| prerelease: false | ||
| files: | | ||
| ${{ env.SIGNED_OUT_DIR }}\*.exe | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} | ||
