Add Code signing and initial release worflow (#4)

* move to workflow folder

* uncomment signing cert

* debug

* more debug

* debug 3

* rm debug

* clean up code

* rename ported functions to their actual name

* more cleaning

* rename for testing

* debug rogue property

* create 2 separate release assets for M365 and GWS

* include the forgotten v

* final clean up

* remove invalid comment

Author: buidav

.github/workflows/release.yaml

@@ -0,0 +1,71 @@
+# Purpose:  Build, sign and draft release. This workflow is a port of ScubaGear's release workflow
+# This workflow's current main purpose is to sign specific PowerShell code for GearConnect
+# Then create release assets
+
+name: Build, Sign, and Draft Release
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: "Release Version (e.g. semver, 1.2.4)"
+        required: true
+        type: string
+
+permissions: read-all
+
+jobs:
+  build-and-draft:
+    name: Build and Draft Release
+    runs-on: windows-latest
+    environment: Development
+    permissions:
+      id-token: write
+      contents: write
+    defaults:
+      run:
+        shell: powershell
+    # This condition prevents duplicate runs.
+    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          path: repo
+      - name: Install Azure Signing Tool
+        run: |
+          # Source the function
+          . repo/utils/workflow/Install-AzureSignTool.ps1
+          Install-AzureSignTool
+      # OpenID Connect (OIDC) login to Azure Public Cloud with AzPowershell
+      - name: Login to Azure
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          enable-AzPSSession: true
+      # Hardcoded to sign specifically named scripts in Build-SignRelease.ps1
+      # We don't need to sign every script
+      - name: Sign Scripts and Bundle Release Asset(s)
+        run: |
+          # Source the function.
+          . repo/utils/workflow/Build-SignRelease.ps1
+          New-ScubaReleaseAsset `
+            -AzureKeyVaultUrl ${{ secrets.AZURE_KEY_VAULT_URL }} `
+            -CertificateName ${{ secrets.AZURE_CERTIFICATE_NAME }} `
+            -ReleaseVersion ${{ inputs.version }} `
+            -RootFolderName "repo"
+        # Creates release assets
+      - name: Create Release
+        uses: softprops/action-gh-release@v1
+        id: create-release
+        with:
+          draft: true
+          prerelease: false
+          name: v${{ inputs.version }}
+          tag_name: v${{ inputs.version }}
+          files: |
+            GearConnect-${{ inputs.version }}.zip
+          generate_release_notes: true
+          fail_on_unmatched_files: true

.github/workflows/sign.yaml

@@ -1,22 +1,25 @@
 function Use-AzureSignTool {
   <#
     .SYNOPSIS
-      AzureSignTool is a utility for signing code that is used to secure ScubaGear.
+      AzureSignTool is a utility for signing code.
       https://github.com/vcsjones/AzureSignTool
-      Throws an error if there was an error signing the files.
+      Throws an error, if there was an error signing the files.
   #>
   param (
     [Parameter(Mandatory = $true)]
     [ValidateScript({ [uri]::IsWellFormedUriString($_, 'Absolute') -and ([uri] $_).Scheme -in 'https' })]
     [System.Uri]
     $AzureKeyVaultUrl,
+
     [Parameter(Mandatory = $true)]
     [ValidateNotNullOrEmpty()]
     [string]
     $CertificateName,
+
     [Parameter(Mandatory = $false)]
     [ValidateScript({ [uri]::IsWellFormedUriString($_, 'Absolute') -and ([uri] $_).Scheme -in 'http', 'https' })]
     $TimeStampServer = 'http://timestamp.digicert.com',
+
     [Parameter(Mandatory = $true)]
     [ValidateScript({ Test-Path -Path $_ -PathType Leaf })]
     $FileList
@@ -44,7 +47,9 @@ function Use-AzureSignTool {
     Write-Error = $ErrorMessage
     throw $ErrorMessage
   }
+
   $ToolPath = (Get-Command AzureSignTool).Path
+
   Write-Warning "The path to AzureSignTool is $ToolPath"
   # & is the call operator that executes a command, script, or function.
   $Results = & $ToolPath $SignArguments
@@ -55,11 +60,11 @@ function Use-AzureSignTool {
   $SuccessPattern = 'Failed operations: 0'
   $FoundNoFailures = $Results | Select-String -Pattern $SuccessPattern -Quiet
   if ($FoundNoFailures -eq $true) {
-    Write-Warning "Signed the filelist without errors."
+    Write-Warning "Signed the file list without errors."
   }
   else {
-    $ErrorMessage = "Failed to sign the filelist without errors."
-    Write-Error = $ErrorMessage
+    $ErrorMessage = "Failed to sign the file list without errors."
+    Write-Error $ErrorMessage
     throw $ErrorMessage
   }
 }
@@ -81,10 +86,14 @@ function New-ArrayOfFilePaths {
   $ArrayOfFilePaths = @()
   $ArrayOfFilePaths = Get-ChildItem -Recurse -Path $ModuleDestinationPath -Include $FileExtensions
 
-  # Write-Warning "Verifying array of file paths..."
-  # ForEach ($FilePath in $ArrayOfFilePaths) {
-  #     Write-Warning ">>> File path is $FilePath"
-  # }
+  #
+  # Files to sign. Hardcoded as the number of files to sign is 1 to few.
+  # Since we don't need to sign every PowerShell file.
+  #
+  $FilesToSign = @("Install-GearConnect.ps1")
+
+  # Filter files to the scripts we want to sign
+  $ArrayOfFilePaths = $ArrayOfFilePaths | Where-Object { $FilesToSign -contains $_.name }
 
   if ($ArrayOfFilePaths.Length -gt 0) {
     Write-Warning "Found $($ArrayOfFilePaths.Count) files to sign"
@@ -127,7 +136,7 @@ function New-FileList {
   return $FileListFileName
 }
 
-function New-ModuleSignature {
+function New-ScubaReleaseAsset {
   <#
   .SYNOPSIS
   Sign the module.
@@ -148,12 +157,15 @@ function New-ModuleSignature {
     [Parameter(Mandatory = $true)]
     [string]
     $AzureKeyVaultUrl,
+
     [Parameter(Mandatory = $true)]
     [string]
     $CertificateName,
+
     [Parameter(Mandatory = $true)]
     [string]
     $ReleaseVersion,
+
     [Parameter(Mandatory = $true)]
     [string]
     $RootFolderName
@@ -186,7 +198,18 @@ function New-ModuleSignature {
     -AzureKeyVaultUrl $AzureKeyVaultUrl `
     -CertificateName $CertificateName `
     -FileList $FileListFileName
-  $ReleaseName = "ScubaConnect"
-  Move-Item -Path $RootFolderName -Destination "$ReleaseName-$ReleaseVersion" -Force
-  Compress-Archive -Path "$ReleaseName-$ReleaseVersion" -DestinationPath "$ReleaseName-$ReleaseVersion.zip"
+
+  # create the M365 GearConnect zip asset
+  $GearConnectAsset = "GearConnect-$ReleaseVersion"
+  Move-Item -Path "$RootFolderName/m365" -Destination $GearConnectAsset -Force
+  Compress-Archive -Path $GearConnectAsset -DestinationPath "$GearConnectAsset.zip"
+
+  # Commented out block below until GogglesConnect is release ready
+  # Remember to also add: GogglesConnect-${{ inputs.version }}.zip
+  # under `files` in the release action
+
+  # create the GWS GogglesConnect zip asset
+  # $GogglesConnectAsset = "GogglesConnect-$ReleaseVersion"
+  # Move-Item -Path "$RootFolderName/gws" -Destination $GogglesConnectAsset -Force
+  # Compress-Archive -Path $GogglesConnectAsset -DestinationPath "$GogglesConnectAsset.zip"
 }