Upload Windows Installer #165
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Upload Windows Installer | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| version: | |
| description: 'Release version to build and upload (e.g. "v9.8.7")' | |
| required: true | |
| dryrun: | |
| description: 'Perform all the steps except uploading to the release page' | |
| required: true | |
| default: "true" # 'choice' type requires string value | |
| type: choice | |
| options: | |
| - "true" # Must be quoted string, boolean value not supported. | |
| - "false" | |
| permissions: | |
| contents: write | |
| jobs: | |
| build: | |
| runs-on: windows-latest | |
| env: | |
| FETCH_BASE_URL: ${{ github.server_url }}/${{ github.repository }} | |
| steps: | |
| - name: Consolidate dryrun setting to always be true or false | |
| id: actual_dryrun | |
| run: | | |
| # The 'release' trigger will not have a 'dryrun' input set. Handle | |
| # this case in a readable/maintainable way. | |
| $inputs_dryrun = "${{ inputs.dryrun }}" | |
| if ($inputs_dryrun.Length -lt 1) { | |
| Write-Output "dryrun=false" | Out-File -FilePath $env:GITHUB_OUTPUT -Append | |
| } else { | |
| Write-Output "dryrun=${{ inputs.dryrun }}" | Out-File -FilePath $env:GITHUB_OUTPUT -Append | |
| } | |
| - name: Dry Run Status | |
| run: | | |
| Write-Output "::notice::This workflow execution will be a dry-run: ${{ steps.actual_dryrun.outputs.dryrun }}" | |
| - name: Determine version | |
| id: getversion | |
| run: | | |
| $version = "${{ inputs.version }}" | |
| if ($version.Length -lt 1) { | |
| $version = "${{ github.event.release.tag_name }}" | |
| if ($version.Length -lt 1) { | |
| Write-Host "::error::Could not determine version!" | |
| Exit 1 | |
| } | |
| } | |
| Write-Output "version=$version" | Out-File -FilePath $env:GITHUB_OUTPUT -Append | |
| # Note this purposefully checks out the same branch the action runs in, as the | |
| # installer build script is designed to support older releases (uses the archives | |
| # on the release tag). | |
| - uses: actions/checkout@v4 | |
| # This step is super-duper critical for the built/signed windows installer .exe file. | |
| # It ensures the referenced $version github release page does NOT already contain | |
| # this file. Windows assigns a UUID to the installer at build time, it's assumed | |
| # by windows that one release version == one UUID (always). Breaking this assumption | |
| # has some rather nasty side-effects in windows, such as possibly breaking 'uninstall' | |
| # functionality. For dry-runs, the .exe is saved in the workflow artifacts for a human | |
| # to judge w/n (i.e. in some extreme case) it should be uploaded to the release page. | |
| - name: Check | |
| id: check | |
| run: | | |
| Push-Location contrib\win-installer | |
| .\check.ps1 ${{steps.getversion.outputs.version}} | |
| $code = $LASTEXITCODE | |
| if ($code -eq 2) { | |
| Write-Output "already-exists=true" | Out-File -FilePath $env:GITHUB_OUTPUT -Append | |
| Pop-Location | |
| Exit 0 | |
| } | |
| Write-Output "upload_asset_name=$env:UPLOAD_ASSET_NAME" | Out-File -FilePath $env:GITHUB_OUTPUT -Append | |
| Pop-Location | |
| Exit $code | |
| # The podman release process requires a cross-compile of the windows binaries be uploaded to | |
| # the release page as a hard-coded filename. If non-existent, this workflow will fail in | |
| # non-obvious ways with a non-obvious error message. Address that here. | |
| - name: Confirm upload_asset_name is non-empty | |
| if: steps.check.outputs.upload_asset_name == '' | |
| run: | | |
| Write-Output "::error::check.ps1 script failed to find manually uploaded podman-remote-release-windows_amd64.zip github release asset for version ${{steps.getversion.outputs.version}}." | |
| Exit 1 | |
| - name: Set up Go | |
| uses: actions/setup-go@v5 | |
| # N/B: already-exists may be an empty-string or "false", handle both cases. | |
| if: steps.check.outputs.already-exists != 'true' || steps.actual_dryrun.outputs.dryrun == 'true' | |
| with: | |
| go-version: stable | |
| - name: Set up WiX | |
| run: dotnet tool install --global wix | |
| - name: Setup Signature Tooling | |
| if: steps.Check.outputs.already-exists != 'true' || steps.actual_dryrun.outputs.dryrun == 'true' | |
| run: | | |
| dotnet tool install --global AzureSignTool --version 3.0.0 | |
| echo "CERT_NAME=${{secrets.AZ_CERT_NAME}}" | Out-File -FilePath $env:GITHUB_ENV -Append | |
| echo "VAULT_ID=${{secrets.AZ_VAULT_ID}}" | Out-File -FilePath $env:GITHUB_ENV -Append | |
| echo "APP_ID=${{secrets.AZ_APP_ID}}" | Out-File -FilePath $env:GITHUB_ENV -Append | |
| echo "TENANT_ID=${{secrets.AZ_TENANT_ID}}" | Out-File -FilePath $env:GITHUB_ENV -Append | |
| echo "CLIENT_SECRET=${{secrets.AZ_CLIENT_SECRET}}" | Out-File -FilePath $env:GITHUB_ENV -Append | |
| - name: Pandoc Setup | |
| uses: r-lib/actions/setup-pandoc@v2 | |
| with: | |
| pandoc-version: '3.1.11' | |
| - name: Build | |
| id: build | |
| if: steps.check.outputs.already-exists != 'true' || steps.actual_dryrun.outputs.dryrun == 'true' | |
| run: | | |
| Push-Location contrib\win-installer | |
| .\build.ps1 ${{steps.getversion.outputs.version}} prod | |
| $code = $LASTEXITCODE | |
| if ($code -eq 2) { | |
| Write-Output "artifact-missing=true" | Out-File -FilePath $env:GITHUB_OUTPUT -Append | |
| Pop-Location | |
| Exit 0 | |
| } | |
| Pop-Location | |
| Exit $code | |
| - name: Artifact | |
| if: steps.check.outputs.already-exists != 'true' || steps.actual_dryrun.outputs.dryrun == 'true' | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: installer | |
| path: | | |
| ${{ steps.check.outputs.upload_asset_name }} | |
| .\contrib\win-installer\shasums | |
| - name: Upload | |
| if: >- | |
| steps.actual_dryrun.outputs.dryrun == 'false' && | |
| steps.check.outputs.already-exists != 'true' && | |
| steps.build.outputs.artifact-missing != 'true' | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| Push-Location contrib\win-installer | |
| $version = "${{ steps.getversion.outputs.version }}" | |
| if ($version[0] -ne "v") { | |
| $version = "v$version" | |
| } | |
| gh release upload $version ${{ steps.check.outputs.upload_asset_name }} | |
| if ($LASTEXITCODE -ne 0) { | |
| .\check.ps1 $version | |
| if ($LASTEXITCODE -eq 2) { | |
| Write-Host "Another job uploaded before us, skipping" | |
| Pop-Location | |
| Exit 0 | |
| } | |
| Pop-Location | |
| Exit 1 | |
| } | |
| if (Test-Path -Path shasums) { | |
| gh release upload --clobber $version shasums | |
| } | |
| Pop-Location |