Skip to content

V3

V3 #105

Workflow file for this run

name: PR Tests
on:
pull_request:
jobs:
default-signtool-tests:
runs-on: ${{ matrix.os }}
env:
term: xterm
strategy:
fail-fast: false
matrix:
include:
- os: macos-14
file: dist/@lando/code-sign-action
node-version: '20'
- os: windows-2022
file: dist/@lando/code-sign-action.exe
node-version: '20'
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install node ${{ matrix.node-version }}
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
cache: npm
- name: Install dependencies
shell: bash
run: npm clean-install --prefer-offline --frozen-lockfile
- name: Package node binary
shell: bash
run: npm run build
- name: Trust test certs
if: runner.os == 'macOS'
shell: bash
run: |
# dump
echo "${{ secrets.DEFAULT_CERT_DATA }}" | base64 --decode > /tmp/LandoCodeSigningTest.p12
# extract
openssl pkcs12 -in /tmp/LandoCodeSigningTest.p12 -clcerts -nokeys -out /tmp/LandoCodeSigningTest.pem -password pass:${{ secrets.DEFAULT_CERT_PASSWORD }}
# trust
sudo security authorizationdb write com.apple.trust-settings.user allow
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /tmp/LandoCodeSigningTest.pem
sudo security find-certificate -a -c "Lando System Code Signing Test Certificate" -p /Library/Keychains/System.keychain
- name: Trust test certs
if: runner.os == 'Windows'
shell: powershell
run: |
# vars
$temp_dir = "$env:TMP"
$cert_data = "${{ secrets.DEFAULT_CERT_DATA }}"
$cert_path = "$temp_dir\LandoCodeSigningTest.p12"
$cert_password = "${{ secrets.DEFAULT_CERT_PASSWORD }}"
$cert_secure_password = ConvertTo-SecureString -String $cert_password -Force -AsPlainText
$cert_store = "Cert:\LocalMachine\Root"
# dump
If (!(Test-Path $cert_path)) {
Write-Output "Dumping cert to $cert_path..."
$bytes = [Convert]::FromBase64String($cert_data)
[IO.File]::WriteAllBytes($cert_path, $bytes)
}
# trust
Import-PfxCertificate -FilePath $cert_path -CertStoreLocation $cert_store -Password $cert_secure_password
- name: Codesign
id: code-sign-action
uses: ./
with:
file: ${{ matrix.file }}
certificate-data: ${{ secrets.DEFAULT_CERT_DATA }}
certificate-id: LSL337X6
certificate-password: ${{ secrets.DEFAULT_CERT_PASSWORD }}
- name: Test output
shell: bash
run: |
echo "${{ steps.code-sign-action.outputs.file }}"
stat "${{ steps.code-sign-action.outputs.file }}"
- name: Execute file
shell: bash
run: chmod +x "${{ steps.code-sign-action.outputs.file }}" && "${{ steps.code-sign-action.outputs.file }}"
keylocker-tests:
runs-on: windows-2022
env:
term: xterm
strategy:
fail-fast: false
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install node ${{ matrix.node-version }}
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
cache: npm
- name: Install dependencies
shell: bash
run: npm clean-install --prefer-offline --frozen-lockfile
- name: Package node binary
shell: bash
run: npm run build
- name: Codesign
id: code-sign-action
uses: ./
with:
file: dist/@lando/code-sign-action.exe
certificate-data: ${{ secrets.KEYLOCKER_CLIENT_CERT }}
certificate-password: ${{ secrets.KEYLOCKER_CLIENT_CERT_PASSWORD }}
keylocker-host: https://clientauth.one.digicert.com
keylocker-api-key: ${{ secrets.KEYLOCKER_API_KEY }}
keylocker-cert-sha1-hash: ${{ secrets.KEYLOCKER_CERT_SHA1_HASH }}
keylocker-keypair-alias: ${{ secrets.KEYLOCKER_KEYPAIR_ALIAS }}
- name: Test output
shell: bash
run: |
echo "${{ steps.code-sign-action.outputs.file }}"
stat "${{ steps.code-sign-action.outputs.file }}"
- name: Execute file
shell: bash
run: chmod +x "${{ steps.code-sign-action.outputs.file }}" && "${{ steps.code-sign-action.outputs.file }}"
notarize-tests:
runs-on: macos-14
env:
term: xterm
strategy:
fail-fast: false
matrix:
node-version:
- '20'
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install node ${{ matrix.node-version }}
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
cache: npm
- name: Install dependencies
shell: bash
run: npm clean-install --prefer-offline --frozen-lockfile
- name: Package node binary
shell: bash
run: npm run build
- name: Codesign
id: code-sign-action
uses: ./
with:
file: dist/@lando/code-sign-action
certificate-data: ${{ secrets.APPLE_CERT_DATA }}
certificate-password: ${{ secrets.APPLE_CERT_PASSWORD }}
apple-notary-user: ${{ secrets.APPLE_NOTARY_USER }}
apple-notary-password: ${{ secrets.APPLE_NOTARY_PASSWORD }}
apple-team-id: FY8GAUX282
apple-product-id: dev.lando.code-sign-action
options: --options runtime --entitlements entitlements.xml
- name: Test output
shell: bash
run: |
echo "${{ steps.code-sign-action.outputs.file }}"
stat "${{ steps.code-sign-action.outputs.file }}"
- name: Execute file
shell: bash
run: chmod +x "${{ steps.code-sign-action.outputs.file }}" && "${{ steps.code-sign-action.outputs.file }}"