
Commit fedae8e

committed
CI: update workflows to use Azure Trusted Signing
Signed-off-by: Nicola Murino <[email protected]>
1 parent 3795faa commit fedae8e


3 files changed

+134
-36
lines changed


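--- a/.github/workflows/development.yml
+++ b/.github/workflows/development.yml
@@ -5,6 +5,10 @@ on:
 branches: [main]
 pull_request:
 
+permissions:
+id-token: write
+contents: read
+
 env:
 GO_VERSION: '1.23'
 
@@ -25,10 +29,7 @@ jobs:
 
 - name: Build
 run: |
-sudo apt-get update -q -y
-sudo apt-get install -q -y osslsigncode
 go install github.com/tc-hib/go-winres@latest
-
 GIT_COMMIT=`git describe --always --dirty`
 LATEST_TAG=$(git describe --tags $(git rev-list --tags --max-count=1))
 NUM_COMMITS_FROM_TAG=$(git rev-list ${LATEST_TAG}.. --count)
@@ -37,36 +38,73 @@ jobs:
 
 mkdir bin
 go-winres simply --arch amd64 --product-version $VERSION-$GIT_COMMIT --file-version $FILE_VERSION --file-description "SFTPGo plugin pubsub" --product-name "SFTPGo plugin pubsub" --copyright "AGPL-3.0" --original-filename sftpgo-plugin-pubsub-windows-x86_64.exe --icon res/icon.ico
-CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -trimpath -ldflags "-s -w -X main.commitHash=`git describe --always --dirty` -X main.date=`date -u +%FT%TZ`" -o sftpgo-plugin-pubsub-windows-x86_64.exe
+CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -trimpath -ldflags "-s -w -X main.commitHash=`git describe --always --dirty` -X main.date=`date -u +%FT%TZ`" -o bin/sftpgo-plugin-pubsub-windows-x86_64.exe
 go-winres simply --arch arm64 --product-version $VERSION-$GIT_COMMIT --file-version $FILE_VERSION --file-description "SFTPGo plugin pubsub" --product-name "SFTPGo plugin pubsub" --copyright "AGPL-3.0" --original-filename sftpgo-plugin-pubsub-windows-arm64.exe --icon res/icon.ico
-CGO_ENABLED=0 GOOS=windows GOARCH=arm64 go build -trimpath -ldflags "-s -w -X main.commitHash=`git describe --always --dirty` -X main.date=`date -u +%FT%TZ`" -o sftpgo-plugin-pubsub-windows-arm64.exe
+CGO_ENABLED=0 GOOS=windows GOARCH=arm64 go build -trimpath -ldflags "-s -w -X main.commitHash=`git describe --always --dirty` -X main.date=`date -u +%FT%TZ`" -o bin/sftpgo-plugin-pubsub-windows-arm64.exe
 go-winres simply --arch 386 --product-version $VERSION-$GIT_COMMIT --file-version $FILE_VERSION --file-description "SFTPGo plugin pubsub" --product-name "SFTPGo plugin pubsub" --copyright "AGPL-3.0" --original-filename sftpgo-plugin-pubsub-windows-x86.exe --icon res/icon.ico
-CGO_ENABLED=0 GOOS=windows GOARCH=386 go build -trimpath -ldflags "-s -w -X main.commitHash=`git describe --always --dirty` -X main.date=`date -u +%FT%TZ`" -o sftpgo-plugin-pubsub-windows-x86.exe
-if [ "${{ github.event_name }}" = "pull_request" ]; then
-mv sftpgo-plugin-pubsub-windows-x86_64.exe bin/
-mv sftpgo-plugin-pubsub-windows-arm64.exe bin/
-mv sftpgo-plugin-pubsub-windows-x86.exe bin/
-else
-echo $CERT_DATA | base64 --decode > cert.pfx
-osslsigncode sign -pkcs12 cert.pfx -pass $CERT_PASS -n "SFTPGo plugin pubsub" -i "https://github.com/sftpgo/sftpgo-plugin-pubsub" -ts "http://timestamp.sectigo.com" -h sha2 -in sftpgo-plugin-pubsub-windows-x86_64.exe -out bin/sftpgo-plugin-pubsub-windows-x86_64.exe
-osslsigncode sign -pkcs12 cert.pfx -pass $CERT_PASS -n "SFTPGo plugin pubsub" -i "https://github.com/sftpgo/sftpgo-plugin-pubsub" -ts "http://timestamp.sectigo.com" -h sha2 -in sftpgo-plugin-pubsub-windows-arm64.exe -out bin/sftpgo-plugin-pubsub-windows-arm64.exe
-osslsigncode sign -pkcs12 cert.pfx -pass $CERT_PASS -n "SFTPGo plugin pubsub" -i "https://github.com/sftpgo/sftpgo-plugin-pubsub" -ts "http://timestamp.sectigo.com" -h sha2 -in sftpgo-plugin-pubsub-windows-x86.exe -out bin/sftpgo-plugin-pubsub-windows-x86.exe
-rm -f cert.pfx
-fi
-
+CGO_ENABLED=0 GOOS=windows GOARCH=386 go build -trimpath -ldflags "-s -w -X main.commitHash=`git describe --always --dirty` -X main.date=`date -u +%FT%TZ`" -o bin/sftpgo-plugin-pubsub-windows-x86.exe
 CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -trimpath -ldflags "-s -w -X main.commitHash=`git describe --always --dirty` -X main.date=`date -u +%FT%TZ`" -o bin/sftpgo-plugin-pubsub-linux-amd64
 CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -trimpath -ldflags "-s -w -X main.commitHash=`git describe --always --dirty` -X main.date=`date -u +%FT%TZ`" -o bin/sftpgo-plugin-pubsub-linux-arm64
 CGO_ENABLED=0 GOOS=linux GOARCH=arm GOARM=7 go build -trimpath -ldflags "-s -w -X main.commitHash=`git describe --always --dirty` -X main.date=`date -u +%FT%TZ`" -o bin/sftpgo-plugin-pubsub-linux-armv7
 CGO_ENABLED=0 GOOS=linux GOARCH=ppc64le go build -trimpath -ldflags "-s -w -X main.commitHash=`git describe --always --dirty` -X main.date=`date -u +%FT%TZ`" -o bin/sftpgo-plugin-pubsub-linux-ppc64le
 CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -trimpath -ldflags "-s -w -X main.commitHash=`git describe --always --dirty` -X main.date=`date -u +%FT%TZ`" -o bin/sftpgo-plugin-pubsub-darwin-amd64
 CGO_ENABLED=0 GOOS=darwin GOARCH=arm64 go build -trimpath -ldflags "-s -w -X main.commitHash=`git describe --always --dirty` -X main.date=`date -u +%FT%TZ`" -o bin/sftpgo-plugin-pubsub-darwin-arm64
 shell: bash
-env:
-CERT_DATA: ${{ secrets.CERT_DATA }}
-CERT_PASS: ${{ secrets.CERT_PASS }}
 
 - name: Upload build artifact
 uses: actions/upload-artifact@v4
 with:
 name: sftpgo-plugin-pubsub
 path: bin
+
+sign-windows-binaries:
+name: Sign Windows binaries
+if: ${{ github.event_name != 'pull_request' }}
+environment: signing
+needs: [build]
+runs-on: windows-latest
+
+steps:
+- name: Download artifact
+uses: actions/download-artifact@v4
+with:
+name: sftpgo-plugin-pubsub
+path: ${{ github.workspace }}/bin
+
+- name: Azure login
+uses: azure/login@v2
+with:
+client-id: ${{ secrets.AZURE_CLIENT_ID }}
+tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+- name: Sign
+uses: azure/[email protected]
+with:
+endpoint: https://eus.codesigning.azure.net/
+trusted-signing-account-name: nicola
+certificate-profile-name: SFTPGo
+files: |
+${{ github.workspace }}\bin\sftpgo-plugin-pubsub-windows-x86_64.exe
+${{ github.workspace }}\bin\sftpgo-plugin-pubsub-windows-arm64.exe
+${{ github.workspace }}\bin\sftpgo-plugin-pubsub-windows-x86.exe
+file-digest: SHA256
+timestamp-rfc3161: http://timestamp.acs.microsoft.com
+timestamp-digest: SHA256
+exclude-environment-credential: true
+exclude-workload-identity-credential: true
+exclude-managed-identity-credential: true
+exclude-shared-token-cache-credential: true
+exclude-visual-studio-credential: true
+exclude-visual-studio-code-credential: true
+exclude-azure-cli-credential: false
+exclude-azure-powershell-credential: true
+exclude-azure-developer-cli-credential: true
+exclude-interactive-browser-credential: true
+
+- name: Upload build artifact
+uses: actions/upload-artifact@v4
+with:
+name: sftpgo-plugin-pubsub
+path: bin
+overwrite: true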
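Review bot: The new top-level `permissions` block grants `id-token: write` to every job in the workflow, including `build`, which also runs on `pull_request` and executes `go install github.com/tc-hib/go-winres@latest`; only `sign-windows-binaries` performs the Azure login. Scope the OIDC permission to that job: keep only `contents: read` at workflow level and add a job-level `permissions:` with `id-token: write` and `contents: read` under `sign-windows-binaries`. The same applies to `release.yml`, where `build` appears to need only `contents: write` and `release-windows-binaries` needs both. Whether the Azure federated credential is restricted to the `signing` environment is not visible on this page, so the workflow should not depend on that to keep the build job from obtaining a token.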

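--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -4,6 +4,10 @@ on:
 push:
 tags: 'v*'
 
+permissions:
+id-token: write
+contents: write
+
 env:
 GO_VERSION: 1.23.3
 
@@ -24,26 +28,20 @@ jobs:
 
 - name: Build
 run: |
-sudo apt-get update -q -y
-sudo apt-get install -q -y osslsigncode
 go install github.com/tc-hib/go-winres@latest
 
 VERSION=${GITHUB_REF/refs\/tags\//}
 GIT_COMMIT=`git describe --always --dirty`
 FILE_VERSION=${VERSION:1}.0
 
 mkdir bin
+mkdir win
 go-winres simply --arch amd64 --product-version $VERSION-$GIT_COMMIT --file-version $FILE_VERSION --file-description "SFTPGo plugin pubsub" --product-name "SFTPGo plugin pubsub" --copyright "AGPL-3.0" --original-filename sftpgo-plugin-pubsub-windows-x86_64.exe --icon res/icon.ico
-CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -trimpath -ldflags "-s -w -X main.commitHash=`git describe --always --dirty` -X main.date=`date -u +%FT%TZ`" -o sftpgo-plugin-pubsub-windows-x86_64.exe
+CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -trimpath -ldflags "-s -w -X main.commitHash=`git describe --always --dirty` -X main.date=`date -u +%FT%TZ`" -o win/sftpgo-plugin-pubsub-windows-x86_64.exe
 go-winres simply --arch arm64 --product-version $VERSION-$GIT_COMMIT --file-version $FILE_VERSION --file-description "SFTPGo plugin pubsub" --product-name "SFTPGo plugin pubsub" --copyright "AGPL-3.0" --original-filename sftpgo-plugin-pubsub-windows-arm64.exe --icon res/icon.ico
-CGO_ENABLED=0 GOOS=windows GOARCH=arm64 go build -trimpath -ldflags "-s -w -X main.commitHash=`git describe --always --dirty` -X main.date=`date -u +%FT%TZ`" -o sftpgo-plugin-pubsub-windows-arm64.exe
+CGO_ENABLED=0 GOOS=windows GOARCH=arm64 go build -trimpath -ldflags "-s -w -X main.commitHash=`git describe --always --dirty` -X main.date=`date -u +%FT%TZ`" -o win/sftpgo-plugin-pubsub-windows-arm64.exe
 go-winres simply --arch 386 --product-version $VERSION-$GIT_COMMIT --file-version $FILE_VERSION --file-description "SFTPGo plugin pubsub" --product-name "SFTPGo plugin pubsub" --copyright "AGPL-3.0" --original-filename sftpgo-plugin-pubsub-windows-x86.exe --icon res/icon.ico
-CGO_ENABLED=0 GOOS=windows GOARCH=386 go build -trimpath -ldflags "-s -w -X main.commitHash=`git describe --always --dirty` -X main.date=`date -u +%FT%TZ`" -o sftpgo-plugin-pubsub-windows-x86.exe
-echo $CERT_DATA | base64 --decode > cert.pfx
-osslsigncode sign -pkcs12 cert.pfx -pass $CERT_PASS -n "SFTPGo plugin pubsub" -i "https://github.com/sftpgo/sftpgo-plugin-pubsub" -ts "http://timestamp.sectigo.com" -h sha2 -in sftpgo-plugin-pubsub-windows-x86_64.exe -out bin/sftpgo-plugin-pubsub-windows-x86_64.exe
-osslsigncode sign -pkcs12 cert.pfx -pass $CERT_PASS -n "SFTPGo plugin pubsub" -i "https://github.com/sftpgo/sftpgo-plugin-pubsub" -ts "http://timestamp.sectigo.com" -h sha2 -in sftpgo-plugin-pubsub-windows-arm64.exe -out bin/sftpgo-plugin-pubsub-windows-arm64.exe
-osslsigncode sign -pkcs12 cert.pfx -pass $CERT_PASS -n "SFTPGo plugin pubsub" -i "https://github.com/sftpgo/sftpgo-plugin-pubsub" -ts "http://timestamp.sectigo.com" -h sha2 -in sftpgo-plugin-pubsub-windows-x86.exe -out bin/sftpgo-plugin-pubsub-windows-x86.exe
-rm -f cert.pfx *.exe *.syso
+CGO_ENABLED=0 GOOS=windows GOARCH=386 go build -trimpath -ldflags "-s -w -X main.commitHash=`git describe --always --dirty` -X main.date=`date -u +%FT%TZ`" -o win/sftpgo-plugin-pubsub-windows-x86.exe
 
 CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -trimpath -ldflags "-s -w -X main.commitHash=`git describe --always --dirty` -X main.date=`date -u +%FT%TZ`" -o bin/sftpgo-plugin-pubsub-linux-amd64
 CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -trimpath -ldflags "-s -w -X main.commitHash=`git describe --always --dirty` -X main.date=`date -u +%FT%TZ`" -o bin/sftpgo-plugin-pubsub-linux-arm64
@@ -52,16 +50,20 @@ jobs:
 CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -trimpath -ldflags "-s -w -X main.commitHash=`git describe --always --dirty` -X main.date=`date -u +%FT%TZ`" -o bin/sftpgo-plugin-pubsub-darwin-amd64
 CGO_ENABLED=0 GOOS=darwin GOARCH=arm64 go build -trimpath -ldflags "-s -w -X main.commitHash=`git describe --always --dirty` -X main.date=`date -u +%FT%TZ`" -o bin/sftpgo-plugin-pubsub-darwin-arm64
 shell: bash
-env:
-CERT_DATA: ${{ secrets.CERT_DATA }}
-CERT_PASS: ${{ secrets.CERT_PASS }}
+
+- name: Upload Windows artifact
+uses: actions/upload-artifact@v4
+with:
+name: win
+path: win
+retention-days: 1
 
 - name: Prepare vendored sources
 run: |
 VERSION=${GITHUB_REF/refs\/tags\//}
 go mod vendor
 echo "${VERSION}" > VERSION.txt
-tar --exclude=bin -cJvf sftpgo-plugin-pubsub_${VERSION}_src_with_deps.tar.xz *
+tar --exclude=bin --exclude=win -cJvf sftpgo-plugin-pubsub_${VERSION}_src_with_deps.tar.xz *
 
 - name: Create release
 run: |
@@ -72,3 +74,61 @@ jobs:
 gh release view "${VERSION}"
 env:
 GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+
+release-windows-binaries:
+name: Release Windows binaries
+environment: signing
+needs: [build]
+runs-on: windows-latest
+
+steps:
+- uses: actions/checkout@v4
+with:
+fetch-depth: 0
+
+- name: Download artifact
+uses: actions/download-artifact@v4
+with:
+name: win
+
+- name: Azure login
+uses: azure/login@v2
+with:
+client-id: ${{ secrets.AZURE_CLIENT_ID }}
+tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+- name: Sign
+uses: azure/[email protected]
+with:
+endpoint: https://eus.codesigning.azure.net/
+trusted-signing-account-name: nicola
+certificate-profile-name: SFTPGo
+files: |
+${{ github.workspace }}\sftpgo-plugin-pubsub-windows-x86_64.exe
+${{ github.workspace }}\sftpgo-plugin-pubsub-windows-arm64.exe
+${{ github.workspace }}\sftpgo-plugin-pubsub-windows-x86.exe
+file-digest: SHA256
+timestamp-rfc3161: http://timestamp.acs.microsoft.com
+timestamp-digest: SHA256
+exclude-environment-credential: true
+exclude-workload-identity-credential: true
+exclude-managed-identity-credential: true
+exclude-shared-token-cache-credential: true
+exclude-visual-studio-credential: true
+exclude-visual-studio-code-credential: true
+exclude-azure-cli-credential: false
+exclude-azure-powershell-credential: true
+exclude-azure-developer-cli-credential: true
+exclude-interactive-browser-credential: true
+
+- name: Upload to release
+run: |
+VERSION=${GITHUB_REF/refs\/tags\//}
+gh release upload "${VERSION}" sftpgo-plugin-pubsub-windows-x86_64.exe
+gh release upload "${VERSION}" sftpgo-plugin-pubsub-windows-arm64.exe
+gh release upload "${VERSION}" sftpgo-plugin-pubsub-windows-x86.exe
+gh release view "${VERSION}"
+shell: bash
+env:
+GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}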
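Review bot: `release-windows-binaries` starts with `actions/checkout@v4` and `fetch-depth: 0`, but its remaining steps only download the `win` artifact, sign it and call `gh release upload`; nothing visible in the job reads the source tree or its history. By default checkout leaves the job token in the local git config, and with the workflow-level `contents: write` that token stays on disk while the third-party login and signing actions run. Either drop the checkout and add `GH_REPO: ${{ github.repository }}` next to `GITHUB_TOKEN` on the upload step, or keep it with `persist-credentials: false` and without `fetch-depth: 0`. The actions in this job are also referenced by mutable tags (`azure/login@v2`, `actions/download-artifact@v4`); pinning them to a full commit SHA, e.g. `uses: azure/login@<full-commit-sha> # v2`, would match the care taken in gating the job behind the `signing` environment.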

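--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 # SFTPGo Pub/Sub plugin
 
-![Build](https://github.com/sftpgo/sftpgo-plugin-pubsub/workflows/Build/badge.svg?branch=main&event=push)
+![Build](https://github.com/sftpgo/sftpgo-plugin-pubsub/workflows/Build/badge.svg)
 [![License: AGPL v3](https://img.shields.io/badge/License-AGPLv3-blue.svg)](https://www.gnu.org/licenses/agpl-3.0)
 
 This plugin allows to send [SFTPGo](https://github.com/drakkan/sftpgo/) filesystem and provider events to publish/subscribe systems. It is not meant to react to `pre-*` events. It simply forwards the configured events to an external pub/sub system.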
