fix: sign windows exe (#218) #717
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build | |
| on: | |
| workflow_dispatch: | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| release: | |
| types: | |
| - created | |
| jobs: | |
| build_ubuntu: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Check out Git repository | |
| uses: actions/checkout@v3 | |
| - name: Install Node.js, NPM and Yarn | |
| uses: actions/setup-node@v3 | |
| with: | |
| node-version: 18 | |
| - name: Install | |
| run: npm install | |
| - name: Test | |
| run: npm run test | |
| - name: Build Ubuntu (AppImage) | |
| if: ${{github.ref != 'refs/heads/main'}} | |
| env: | |
| MODE: production | |
| run: | | |
| npm run build:installer | |
| - name: Build and Release Ubuntu (AppImage) | |
| if: ${{github.ref == 'refs/heads/main'}} | |
| env: | |
| GITHUB_TOKEN: ${{secrets.github_token}} | |
| EP_PRE_RELEASE: true | |
| run: | | |
| npm run publish | |
| - name: Upload artifacts | |
| env: | |
| AWS_DEFAULT_REGION: us-east-1 | |
| AWS_ACCESS_KEY_ID: ${{secrets.AWS_ACCESS_KEY_ID}} | |
| AWS_SECRET_ACCESS_KEY: ${{secrets.AWS_SECRET_ACCESS_KEY}} | |
| AWS_BUCKET: ${{secrets.S3_BUCKET}} | |
| if: ${{env.AWS_BUCKET != ''}} | |
| run: | | |
| node scripts/prepare-artifacts.cjs AppImage | |
| npx @dcl/cdn-uploader@next --bucket ${{secrets.S3_BUCKET}} --local-folder output --bucket-folder "launcher-branch/${{github.ref_name}}" | |
| build_macos: | |
| runs-on: macos-latest | |
| steps: | |
| - name: Check out Git repository | |
| uses: actions/checkout@v3 | |
| - name: Install Node.js, NPM and Yarn | |
| uses: actions/setup-node@v3 | |
| with: | |
| node-version: 18 | |
| - name: Install | |
| run: npm install | |
| - name: Test | |
| run: npm run test | |
| - name: Build MacOS (dmg) | |
| if: ${{github.ref != 'refs/heads/main'}} | |
| env: | |
| MODE: production | |
| run: | | |
| npm run build:installer | |
| - name: Build and Release MacOS (dmg) | |
| if: ${{github.ref == 'refs/heads/main'}} | |
| env: | |
| GITHUB_TOKEN: ${{secrets.github_token}} | |
| CSC_LINK: ${{secrets.MACOS_CSC_LINK}} | |
| CSC_KEY_PASSWORD: ${{secrets.MACOS_CSC_KEY_PASSWORD}} | |
| EP_PRE_RELEASE: true | |
| run: | | |
| npm run publish | |
| - name: Notarize MacOS (dmg) | |
| if: ${{github.ref == 'refs/heads/main'}} | |
| env: | |
| MACOS_NOTARIZATION_APPLE_ID: ${{secrets.MACOS_NOTARIZATION_APPLE_ID}} | |
| MACOS_NOTARIZATION_TEAM_ID: ${{secrets.MACOS_NOTARIZATION_TEAM_ID}} | |
| MACOS_NOTARIZATION_PWD: ${{secrets.MACOS_NOTARIZATION_PWD}} | |
| run: | | |
| # Store the notarization credentials to prevent the UI password dialog for blocking the CI | |
| echo "Create keychain profile" | |
| xcrun notarytool store-credentials "notary-profile" --apple-id "$MACOS_NOTARIZATION_APPLE_ID" --team-id "$MACOS_NOTARIZATION_TEAM_ID" --password "$MACOS_NOTARIZATION_PWD" | |
| # Send the notarization request to the Apple's Notarization service and wait for the result. | |
| echo "Notarize app" | |
| xcrun notarytool submit "dist/Decentraland.dmg" --keychain-profile "notary-profile" --wait | |
| # Attach the staple to the executable, this allow the app to be validated by macOS | |
| # even when an internet connection is not available. | |
| echo "Attach staple" | |
| xcrun stapler staple "dist/Decentraland.dmg" | |
| # Validate the staple attached to the executable. | |
| echo "Validate staple" | |
| xcrun stapler validate "dist/Decentraland.dmg" | |
| - name: Upload artifacts | |
| env: | |
| AWS_DEFAULT_REGION: us-east-1 | |
| AWS_ACCESS_KEY_ID: ${{secrets.AWS_ACCESS_KEY_ID}} | |
| AWS_SECRET_ACCESS_KEY: ${{secrets.AWS_SECRET_ACCESS_KEY}} | |
| AWS_BUCKET: ${{secrets.S3_BUCKET}} | |
| if: ${{env.AWS_BUCKET != ''}} | |
| run: | | |
| node scripts/prepare-artifacts.cjs dmg | |
| npx @dcl/cdn-uploader@next --bucket ${{secrets.S3_BUCKET}} --local-folder output --bucket-folder "launcher-branch/${{github.ref_name}}" | |
| build_windows: | |
| runs-on: windows-latest | |
| steps: | |
| - name: Check out Git repository | |
| uses: actions/checkout@v3 | |
| - name: Install Node.js, NPM and Yarn | |
| uses: actions/setup-node@v3 | |
| with: | |
| node-version: 18 | |
| - name: Install | |
| run: npm install | |
| - name: Test | |
| run: npm run test | |
| - name: Build Windows (exe) | |
| run: npm run build | |
| env: | |
| MODE: production | |
| # Download 'SSLcom/esigner-codesign' to a folder called 'esigner-codesign' in the root of the project | |
| - name: Checkout esigner-codesign repository (Windows) | |
| uses: actions/checkout@v3 | |
| with: | |
| repository: 'SSLcom/esigner-codesign' | |
| path: esigner-codesign | |
| - name: Publish | |
| # I use this action because it is capable of retrying multiple times if there are any issues with the distribution server | |
| uses: nick-fields/retry@v3 | |
| with: | |
| timeout_minutes: 15 | |
| max_attempts: 6 | |
| retry_wait_seconds: 15 | |
| retry_on: error | |
| shell: 'bash' | |
| command: npx electron-builder --config electron-builder.cjs --publish always | |
| env: | |
| # Code Signing params | |
| # See https://www.electron.build/code-signing | |
| CSC_LINK: ${{ secrets.MACOS_CSC_LINK }} | |
| CSC_KEY_PASSWORD: ${{ secrets.MACOS_CSC_KEY_PASSWORD }} | |
| # Publishing artifacts | |
| GH_TOKEN: ${{ secrets.github_token }} # GitHub token, automatically provided (No need to define this secret in the repo settings) | |
| EP_PRE_RELEASE: true # Publish as pre-release | |
| # The following are the parameters required by the esigner-codesign action to work, we must explicitly pass in even the optional ones since we're not using the action directly, but from the checked out repo | |
| CODE_SIGN_SCRIPT_PATH: "${{ github.workspace }}\\esigner-codesign\\dist\\index.js" | |
| INPUT_COMMAND: 'sign' | |
| INPUT_FILE_PATH: "${{ github.workspace }}\\dist\\Decentraland Launcher-win-x64.exe" | |
| INPUT_OVERRIDE: 'true' | |
| INPUT_MALWARE_BLOCK: 'false' | |
| INPUT_CLEAN_LOGS: 'false' | |
| INPUT_JVM_MAX_MEMORY: '1024M' | |
| INPUT_ENVIRONMENT_NAME: 'PROD' | |
| INPUT_USERNAME: ${{ secrets.ES_USERNAME }} | |
| INPUT_PASSWORD: ${{ secrets.ES_PASSWORD }} | |
| INPUT_TOTP_SECRET: ${{ secrets.ES_TOTP_SECRET }} | |
| INPUT_CREDENTIAL_ID: ${{ secrets.WINDOWS_CREDENTIAL_ID_SIGNER }} | |
| - name: Upload artifacts exe | |
| env: | |
| AWS_DEFAULT_REGION: us-east-1 | |
| AWS_ACCESS_KEY_ID: ${{secrets.AWS_ACCESS_KEY_ID}} | |
| AWS_SECRET_ACCESS_KEY: ${{secrets.AWS_SECRET_ACCESS_KEY}} | |
| AWS_BUCKET: ${{secrets.S3_BUCKET}} | |
| if: ${{env.AWS_BUCKET != ''}} | |
| run: | | |
| node scripts/prepare-artifacts.cjs exe | |
| npx @dcl/cdn-uploader@next --bucket ${{secrets.S3_BUCKET}} --local-folder output --bucket-folder "launcher-branch/${{github.ref_name}}" | |
| - name: Build Windows (appx) | |
| if: ${{github.ref != 'refs/heads/main'}} | |
| env: | |
| MODE: production | |
| run: | | |
| npm run build:appx | |
| - name: Build and Publish Windows (appx) | |
| if: ${{github.ref == 'refs/heads/main'}} | |
| env: | |
| GITHUB_TOKEN: ${{secrets.github_token}} | |
| EP_PRE_RELEASE: true | |
| run: | | |
| npm run publish:appx | |
| - name: Upload artifacts appx | |
| env: | |
| AWS_DEFAULT_REGION: us-east-1 | |
| AWS_ACCESS_KEY_ID: ${{secrets.AWS_ACCESS_KEY_ID}} | |
| AWS_SECRET_ACCESS_KEY: ${{secrets.AWS_SECRET_ACCESS_KEY}} | |
| AWS_BUCKET: ${{secrets.S3_BUCKET}} | |
| if: ${{env.AWS_BUCKET != ''}} | |
| run: | | |
| node scripts/prepare-artifacts.cjs appx | |
| npx @dcl/cdn-uploader@next --bucket ${{secrets.S3_BUCKET}} --local-folder output --bucket-folder "launcher-branch/${{github.ref_name}}" | |
| deployment_notification: | |
| runs-on: ubuntu-latest | |
| name: Decentraland Unity-Renderer Deployment Notification | |
| needs: | |
| - build_macos | |
| - build_windows | |
| - build_ubuntu | |
| steps: | |
| - name: Comment PR | |
| env: | |
| AWS_BUCKET: ${{secrets.S3_BUCKET}} | |
| if: ${{env.AWS_BUCKET != '' && github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == 'decentraland/explorer-desktop-launcher'}} # Not a fork | |
| uses: thollander/actions-comment-pull-request@main | |
| with: | |
| message: | | |
| This branch can be downloaded with the following links: | |
| - [Windows](https://renderer-artifacts.decentraland.org/launcher-branch/${{github.ref_name}}/Install-Decentraland.exe) | |
| - [Windows AppX](https://renderer-artifacts.decentraland.org/launcher-branch/${{github.ref_name}}/Decentraland.appx) | |
| - [Linux](https://renderer-artifacts.decentraland.org/launcher-branch/${{github.ref_name}}/Decentraland.AppImage) | |
| - [Mac](https://renderer-artifacts.decentraland.org/launcher-branch/${{github.ref_name}}/Decentraland.dmg) | |
| > Mac: After installing the app, run the following command in your console: `sudo xattr -c /Applications/Decentraland.app` | |
| GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} |