fix: test repackaging with shell prompt #10
Workflow file for this run
---
# Test workflow for the Windows certificate / code-signing setup.
name: Test Windows certificate setup

# Runs only for pushes to the feature branch listed below.
on:
  push:
    branches:
      - SRE-1219/windows
# Workflow-level environment: exported to every step of every job.
env:
  # Toolchain and base-image versions. Quoted so YAML keeps them as strings
  # (e.g. '1.82' must not be read as a float).
  UBUNTU_VERSION: '24.04'
  STATIC_LIBRARIES_IMAGE_TAG: 'rust-1.82_ghc-9.6.6-0'
  RUST_VERSION: '1.82'
  STACK_VERSION: '3.1.1'
  FLATBUFFERS_VERSION: '23.5.26'
  GHC_VERSION: '9.6.6'
  PROTOC_VERSION: '28.3'
  STATIC_NODE_BINARY_IMAGE_NAME: 'static-node-binaries'
  DOCKER_ARTIFACT_NAME: 'image'
  # IAM role ARN intended for role assumption from this repository's workflows.
  AWS_ROLE_TO_ASSUME: 'arn:aws:iam::192549843005:role/github_concordium-node'
  # JSON templates, one entry per service. The \" escapes and the ${VERSION}
  # placeholders are left for bash to resolve in the "Templates rendering"
  # step; YAML single quotes keep both literal here.
  S3_ARN_TEMPLATES: '{
    \"database-exporter\": {\"bucket\": \"distribution.concordium.software\", \"dir\": \"tools/linux\", \"name\": \"database-exporter_${VERSION}.deb\"},
    \"p2p-bootstrapper\": {\"bucket\": \"distribution.concordium.software\", \"dir\": \"tools/linux\", \"name\": \"p2p-bootstrapper_${VERSION}.deb\"},
    \"node-stagenet-linux\": {\"bucket\": \"distribution.stagenet.concordium.com\", \"dir\": \"deb\", \"name\": \"concordium-stagenet-node_${VERSION}_amd64.deb\"},
    \"node-flynet-linux\": {\"bucket\": \"distribution.flynet.concordium.com\", \"dir\": \"deb\", \"name\": \"concordium-flynet-node_${VERSION}_amd64.deb\"},
    \"node-testnet-linux\": {\"bucket\": \"distribution.testnet.concordium.com\", \"dir\": \"deb\", \"name\": \"concordium-testnet-node_${VERSION}_amd64.deb\"},
    \"node-mainnet-linux\": {\"bucket\": \"distribution.mainnet.concordium.software\", \"dir\": \"deb\", \"name\": \"concordium-mainnet-node_${VERSION}_amd64.deb\"},
    \"node-macos\": {\"bucket\": \"distribution.concordium.software\", \"dir\": \"macos\", \"name\": \"concordium-node-${VERSION}.pkg\"},
    \"node-windows\": {\"bucket\": \"distribution.concordium.software\", \"dir\": \"windows\", \"name\": \"Node-${VERSION}.msi\"}
    }'
  DOCKER_TAGS_TEMPLATES: '{
    \"docker-stagenet\": \"concordium/stagenet-node:${VERSION}\",
    \"docker-testnet\": \"concordium/testnet-node:${VERSION}\",
    \"docker-mainnet\": \"concordium/mainnet-node:${VERSION}\",
    \"docker-bootstrapper\": \"concordium/bootstrapper:${VERSION}\"
    }'
  REGISTRY: 'docker.io'
  # Non-empty SERVICE makes "Validate version" skip the tag parsing and use
  # this value as the release type.
  SERVICE: 'node-windows'
# Token permissions granted to every job in this workflow.
permissions:
  # Read-only repository access, enough for actions/checkout.
  contents: read
  # Lets a job request a GitHub OIDC token (used for cloud role assumption).
  # A workflow-level grant reaches every job; prefer granting it only on the
  # job that actually exchanges the token.
  id-token: write
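jobs:
  # Derives the release type and version strings consumed by the later job.
  validate-preconditions:
    runs-on: ubuntu-latest
    # This job only checks out the repository, so it does not need the
    # workflow-level OIDC token grant.
    permissions:
      contents: read
    outputs:
      s3_arns: ${{ steps.render.outputs.s3_arns }}
      docker_tags: ${{ steps.render.outputs.docker_tags }}
      release_type: ${{ steps.versions_derivation.outputs.release_type }}
      base_version: ${{ steps.versions_derivation.outputs.base_version }}
      version: ${{ steps.versions_derivation.outputs.version }}
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4
      - name: Validate version
        id: versions_derivation
        # The ref name is handed over through the environment instead of being
        # expanded into the script text, so a ref containing shell
        # metacharacters is treated as data, not as code.
        env:
          REF_NAME: ${{ github.ref_name }}
        run: |
          CARGO_VERSION=$(yq .package.version concordium-node/Cargo.toml)
          # SERVICE is exported from the workflow-level env block.
          if [ -z "${SERVICE}" ]; then
            IFS='-' read -r VERSION BUILD RELEASE_TYPE <<< "${REF_NAME}"
            if [ ! "$VERSION" = "$CARGO_VERSION" ]; then
              echo "::error::${CARGO_VERSION} does not match ${VERSION}."
              exit 1
            fi
          else
            RELEASE_TYPE="${SERVICE}"
            BUILD=4 # this needs to be an integer or wix build fails. should be $(git rev-parse --short HEAD)
          fi
          echo "::notice::RELEASE_TYPE=${RELEASE_TYPE}"
          echo "release_type=${RELEASE_TYPE}" >> "$GITHUB_OUTPUT"
          echo "version=${CARGO_VERSION}-${BUILD}" >> "$GITHUB_OUTPUT"
          echo "base_version=${CARGO_VERSION}" >> "$GITHUB_OUTPUT"
      - name: Templates rendering
        id: render
        # VERSION is read from Cargo.toml upstream; pass it as an environment
        # variable rather than pasting it into the script.
        env:
          VERSION: ${{ steps.versions_derivation.outputs.version }}
        run: |
          # The two templates are expanded into the script on purpose: bash has
          # to see their \" escapes and ${VERSION} placeholders to render them.
          echo "s3_arns=${{ env.S3_ARN_TEMPLATES }}" >> "$GITHUB_OUTPUT"
          echo "docker_tags=${{ env.DOCKER_TAGS_TEMPLATES }}" >> "$GITHUB_OUTPUT"

  # Downloads an existing Windows installer, unpacks its cabinet, and repacks
  # it, exercising the flow around the (currently disabled) signing steps.
  node-windows:
    runs-on: windows-latest
    # environment: release # This step needs to use the release context to access credentials for code signing.
    needs: [validate-preconditions]
    if: contains(fromJSON('["rc", "alpha", "node-windows"]'), needs.validate-preconditions.outputs.release_type)
    # id-token is needed here only for the AWS role assumption below.
    permissions:
      id-token: write
      contents: read
    defaults:
      run:
        shell: pwsh
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4
        with:
          submodules: recursive
      - name: Extrapolate artifact name
        # Job outputs are passed as environment variables and the key is given
        # to jq with --arg, so neither value is spliced into shell or jq source.
        env:
          S3_ARNS: ${{ needs.validate-preconditions.outputs.s3_arns }}
          JOB_ID: ${{ github.job }}
        run: |
          ARTIFACT_NAME=$(printf '%s' "$S3_ARNS" | jq -r --arg job "$JOB_ID" '.[$job].name')
          echo "ARTIFACT_NAME=${ARTIFACT_NAME}" >> "$GITHUB_ENV"
        shell: bash
      # NOTE(review): before re-enabling the steps below, pin third-party
      # actions to a full commit SHA and verify a checksum for every archive
      # fetched with curl; none of the downloads is integrity-checked today.
      # - name: Install DigiCert Client tools (Windows only)
      #   id: digicert_client
      #   uses: digicert/ssm-code-signing@v1.0.0
      # # - name: Import Windows certificate (Windows only)
      # #   id: windows_certificate
      # #   env:
      # #     # Base64 encoding of the pfx/p12 certificate for Windows code signing.
      # #     SM_CLIENT_CERT_FILE_B64: ${{ secrets.WINDOWS_SM_CLIENT_CERT_FILE_B64 }}
      # #   run: |
      # #     $CERTIFICATE_PATH_BASE64="$env:RUNNER_TEMP\cert-b64.txt"
      # #     $CERTIFICATE_PATH="$env:RUNNER_TEMP\cert.pfx"
      # #     Set-Content -Path $CERTIFICATE_PATH_BASE64 -Value $env:SM_CLIENT_CERT_FILE_B64
      # #     certutil -decode $CERTIFICATE_PATH_BASE64 $CERTIFICATE_PATH
      # #     echo "CERTIFICATE_PATH=$CERTIFICATE_PATH" >> $env:GITHUB_OUTPUT
      # - name: Run smctl healthcheck to confirm if the tool is configured properly.
      #   working-directory: ${{steps.build.outputs.bin_dir}}
      #   env:
      #     WINDOWS_PKCS11_CONFIG: ${{ steps.digicert_client.outputs.PKCS11_CONFIG }}
      #     WINDOWS_SM_KEYPAIR_ALIAS: ${{ secrets.WINDOWS_SM_KEYPAIR_ALIAS }}
      #     SM_HOST: ${{ vars.WINDOWS_SM_HOST }}
      #     SM_API_KEY: ${{ secrets.WINDOWS_SM_API_KEY }}
      #     SM_CLIENT_CERT_FILE: ${{ steps.windows_certificate.outputs.CERTIFICATE_PATH }}
      #     SM_CLIENT_CERT_PASSWORD: ${{ secrets.WINDOWS_SM_CLIENT_CERT_PASSWORD }}
      #   run: |
      #     smctl healthcheck --all
      #   shell: cmd
      # - name: Install dependencies
      #   run: |
      #     choco install yq jq -y
      #   shell: bash
      # - name: Install Rust
      #   uses: actions-rust-lang/setup-rust-toolchain@v1
      #   with:
      #     toolchain: ${{ env.RUST_VERSION }}-x86_64-pc-windows-msvc
      # - name: Install Rust
      #   uses: actions-rust-lang/setup-rust-toolchain@v1
      #   with:
      #     toolchain: ${{ env.RUST_VERSION }}-x86_64-pc-windows-gnu
      # - name: Setup node folder
      #   run: |
      #     mkdir -p "C:/Program Files/node/include"
      #     Add-Content -Path $env:GITHUB_PATH -Value "C:/Program Files/node"
      # - name: Install flatbuffers
      #   run: |
      #     curl -L -O https://github.com/google/flatbuffers/releases/download/v${{ env.FLATBUFFERS_VERSION }}/Windows.flatc.binary.zip
      #     unzip Windows.flatc.binary.zip
      #     mv flatc.exe "C:/Program Files/node/"
      # - name: Install protobuf (protoc)
      #   run: |
      #     curl -L -O https://github.com/protocolbuffers/protobuf/releases/download/v${{ env.PROTOC_VERSION }}/protoc-${{ env.PROTOC_VERSION }}-win64.zip
      #     unzip protoc-${{ env.PROTOC_VERSION }}-win64.zip
      #     mv bin/protoc.exe "C:/Program Files/node/"
      #     mv include/* "C:/Program Files/node/include"
      # - name: Setup Haskell
      #   uses: haskell-actions/setup@v2
      #   with:
      #     ghc-version: ${{ env.GHC_VERSION }}
      #     enable-stack: true
      #     stack-version: ${{ env.STACK_VERSION }}
      # - uses: milliewalky/setup-7-zip@v1
      # - name: Install GCC
      #   run: |
      #     curl -L -O https://github.com/brechtsanders/winlibs_mingw/releases/download/14.2.0posix-19.1.1-12.0.0-msvcrt-r2/winlibs-x86_64-posix-seh-gcc-14.2.0-llvm-19.1.1-mingw-w64msvcrt-12.0.0-r2.7z
      #     7z x winlibs-x86_64-posix-seh-gcc-14.2.0-llvm-19.1.1-mingw-w64msvcrt-12.0.0-r2.7z -oC:/gcc
      #     Add-Content -Path $env:GITHUB_PATH -Value "C:/gcc/mingw64/bin"
      # - name: Install LMDB
      #   run: stack exec -- pacman -S --noconfirm mingw-w64-x86_64-lmdb
      # - name: Build Windows Node
      #   run: |
      #     ./scripts/distribution/windows/build-all.ps1 -nodeVersion ${{ needs.validate-preconditions.outputs.version }} -rustVersion ${{ env.RUST_VERSION }}

      # This step previously fetched the installer with a pre-signed S3 URL
      # committed in this file. That URL embedded an STS session token and
      # request signature, which put a bearer credential into git history and
      # stopped working once its two-hour validity ended. Credentials are now
      # obtained at run time through OIDC role assumption instead.
      # NOTE(review): confirm the role's trust policy accepts this branch and
      # that it may read the object below; check whether the committed token
      # was used elsewhere while it was valid.
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ env.AWS_ROLE_TO_ASSUME }}
          aws-region: eu-west-1
      - name: Download existing Windows build
        run: |
          aws s3 cp "s3://distribution.concordium.software/windows/Node-9.0.5-0.msi" ./service/windows/installer/Node.msi
          # pwsh does not stop on a failing native command; fail explicitly so
          # a missing or partial download is never repackaged.
          if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
          # Record the input digest in the log; compare it against the
          # published release digest before trusting the repackaged output.
          Get-FileHash -Algorithm SHA256 ./service/windows/installer/Node.msi
      - name: Extract files to prepare for signing
        # Under cmd only the last command's exit code decides the step result,
        # so an earlier failure in this script does not stop the job.
        run: |
          dir
          MsiDb.exe -d ./service/windows/installer/Node.msi -x Node.cab
          mkdir Node
          dir
          expand -d Node.cab
          expand -F:* Node.cab ./Node
          dir Node
        shell: cmd
      - name: Rename files to prepare for signing
        run: |
          mv ./Node/ConcordiumConsensusDLL ./Node/ConcordiumConsensusDLL.dll
          mv ./Node/ConcordiumBaseDLL ./Node/ConcordiumBaseDLL.dll
          mv ./Node/ConcordiumSmartContractEngineDLL ./Node/ConcordiumSmartContractEngineDLL.dll
          mv ./Node/Sha2DLL ./Node/Sha2DLL.dll
          mv ./Node/NodeRunnerService ./Node/NodeRunnerService.exe
          mv ./Node/NodeCollector ./Node/NodeCollector.exe
          mv ./Node/ConcordiumNode ./Node/ConcordiumNode.exe
      # - name: Sign files with smctl
      #   working-directory: ${{steps.build.outputs.bin_dir}}
      #   env:
      #     WINDOWS_PKCS11_CONFIG: ${{ steps.digicert_client.outputs.PKCS11_CONFIG }}
      #     WINDOWS_SM_KEYPAIR_ALIAS: ${{ secrets.WINDOWS_SM_KEYPAIR_ALIAS }}
      #     SM_HOST: ${{ vars.WINDOWS_SM_HOST }}
      #     SM_API_KEY: ${{ secrets.WINDOWS_SM_API_KEY }}
      #     SM_CLIENT_CERT_FILE: ${{ steps.windows_certificate.outputs.CERTIFICATE_PATH }}
      #     SM_CLIENT_CERT_PASSWORD: ${{ secrets.WINDOWS_SM_CLIENT_CERT_PASSWORD }}
      #     SM_ARGS: "--verbose --exit-non-zero-on-fail --failfast"
      #   run: |
      #     smctl sign --keypair-alias ${{ env.WINDOWS_SM_KEYPAIR_ALIAS }} --input ./Node/ConcordiumConsensusDLL.dll --config-file ${{ env.WINDOWS_PKCS11_CONFIG }} ${{ env.SM_ARGS }}
      #     smctl sign --keypair-alias ${{ env.WINDOWS_SM_KEYPAIR_ALIAS }} --input ./Node/ConcordiumBaseDLL.dll --config-file ${{ env.WINDOWS_PKCS11_CONFIG }} ${{ env.SM_ARGS }}
      #     smctl sign --keypair-alias ${{ env.WINDOWS_SM_KEYPAIR_ALIAS }} --input ./Node/ConcordiumSmartContractEngineDLL.dll --config-file ${{ env.WINDOWS_PKCS11_CONFIG }} ${{ env.SM_ARGS }}
      #     smctl sign --keypair-alias ${{ env.WINDOWS_SM_KEYPAIR_ALIAS }} --input ./Node/Sha2DLL.dll --config-file ${{ env.WINDOWS_PKCS11_CONFIG }} ${{ env.SM_ARGS }}
      #     smctl sign --keypair-alias ${{ env.WINDOWS_SM_KEYPAIR_ALIAS }} --input ./Node/NodeRunnerService.exe --config-file ${{ env.WINDOWS_PKCS11_CONFIG }} ${{ env.SM_ARGS }}
      #     smctl sign --keypair-alias ${{ env.WINDOWS_SM_KEYPAIR_ALIAS }} --input ./Node/NodeCollector.exe --config-file ${{ env.WINDOWS_PKCS11_CONFIG }} ${{ env.SM_ARGS }}
      #     smctl sign --keypair-alias ${{ env.WINDOWS_SM_KEYPAIR_ALIAS }} --input ./Node/ConcordiumNode.exe --config-file ${{ env.WINDOWS_PKCS11_CONFIG }} ${{ env.SM_ARGS }}
      #   shell: cmd
      - name: Rename files back to their original form without extension.
        run: |
          mv ./Node/ConcordiumConsensusDLL.dll ./Node/ConcordiumConsensusDLL
          mv ./Node/ConcordiumBaseDLL.dll ./Node/ConcordiumBaseDLL
          mv ./Node/ConcordiumSmartContractEngineDLL.dll ./Node/ConcordiumSmartContractEngineDLL
          mv ./Node/Sha2DLL.dll ./Node/Sha2DLL
          mv ./Node/NodeRunnerService.exe ./Node/NodeRunnerService
          mv ./Node/NodeCollector.exe ./Node/NodeCollector
          mv ./Node/ConcordiumNode.exe ./Node/ConcordiumNode
      - name: Recreate the cabinet file.
        run: |
          dir Node /b /a-d > cabfiles.txt
          makecab.exe /D MaxDiskSize=0 /D Cabinet=ON /D Compress=ON /D CabinetName1=Node.cab /D SourceDir=Node /f cabfiles.txt
        shell: cmd
      - name: Repackage the cabinet file.
        run: |
          del Node.cab
          move disk1\Node.cab .
          expand -d Node.cab
          MsiDb.exe -d service/windows/installer/Node.msi -k Node.cab
          MsiDb.exe -d service/windows/installer/Node.msi -a Node.cab
        shell: cmd
      # - name: Sign files with smctl
      #   working-directory: ${{steps.build.outputs.bin_dir}}
      #   env:
      #     WINDOWS_PKCS11_CONFIG: ${{ steps.digicert_client.outputs.PKCS11_CONFIG }}
      #     WINDOWS_SM_KEYPAIR_ALIAS: ${{ secrets.WINDOWS_SM_KEYPAIR_ALIAS }}
      #     SM_HOST: ${{ vars.WINDOWS_SM_HOST }}
      #     SM_API_KEY: ${{ secrets.WINDOWS_SM_API_KEY }}
      #     SM_CLIENT_CERT_FILE: ${{ steps.windows_certificate.outputs.CERTIFICATE_PATH }}
      #     SM_CLIENT_CERT_PASSWORD: ${{ secrets.WINDOWS_SM_CLIENT_CERT_PASSWORD }}
      #     SM_ARGS: "--verbose --exit-non-zero-on-fail --failfast"
      #   run: |
      #     smctl sign --keypair-alias ${{ env.WINDOWS_SM_KEYPAIR_ALIAS }} --input ./service/windows/installer/Node.msi --config-file ${{ env.WINDOWS_PKCS11_CONFIG }} ${{ env.SM_ARGS }}
      #   shell: cmd
      - name: Rename the package to target filename.
        # Read the name from the process environment instead of expanding it
        # into the script text.
        run: |
          cp ./service/windows/installer/Node.msi "./$env:ARTIFACT_NAME"
      # With both signing steps disabled, the uploaded MSI is repackaged but
      # unsigned while carrying the release artifact's file name; keep it out
      # of any distribution path.
      - name: Upload artifact
        uses: actions/upload-artifact@v4
        with:
          name: ${{ github.job }}
          path: ${{ env.ARTIFACT_NAME }}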