PKG: Microsoft Software Installer (MSI) #231
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: 'PKG: Microsoft Software Installer (MSI)' | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| version: | |
| description: 'Package Version' | |
| required: true | |
| default: '0.0.1' | |
| name: | |
| description: 'Package Name' | |
| required: false | |
| default: 'mondoo' | |
| skip-publish: | |
| description: 'Skip publish?' | |
| required: false | |
| default: false | |
| type: boolean | |
| release: | |
| types: [published] | |
| jobs: | |
| setup: | |
| name: 'Setup' | |
| runs-on: ubuntu-latest | |
| outputs: | |
| version: ${{ steps.version.outputs.version }} | |
| trimmed-version: ${{ steps.version.outputs.trimmed_version }} | |
| name: ${{ steps.version.outputs.name }} | |
| steps: | |
| - name: Set Version (Workflow Dispatch) | |
| if: github.event_name == 'workflow_dispatch' | |
| run: | | |
| echo VERSION=${{ inputs.version }} >> $GITHUB_ENV | |
| - name: Set Version (Release Event) | |
| if: github.event_name == 'release' | |
| run: | | |
| echo VERSION=${{ github.event.release.tag_name }} >> $GITHUB_ENV | |
| - name: Unified Version | |
| id: version | |
| run: | | |
| INPUT_NAME=${{ inputs.name }} | |
| if [[ ${INPUT_NAME} == '' ]]; then | |
| echo "Name is empty, using default" | |
| echo "name=mondoo" >> $GITHUB_OUTPUT | |
| else | |
| echo "Name: ${INPUT_NAME}" | |
| echo "name=${INPUT_NAME}" >> $GITHUB_OUTPUT | |
| fi | |
| V=$(echo $VERSION | sed 's/v//') | |
| echo "Version: $V" | |
| echo "version=${V}" >> $GITHUB_OUTPUT | |
| echo "trimmed_version=$(echo ${V} | sed 's/-.*//')" >> $GITHUB_OUTPUT | |
| - name: Ensure version of cnquery and cnspec are available | |
| run: | | |
| curl -sL --head --fail https://github.com/mondoohq/cnquery/releases/download/v${{ steps.version.outputs.version }}/cnquery_${{ steps.version.outputs.version }}_windows_amd64.zip \ | |
| https://github.com/mondoohq/cnspec/releases/download/v${{ steps.version.outputs.version }}/cnspec_${{ steps.version.outputs.version }}_windows_amd64.zip \ | |
| https://github.com/mondoohq/cnquery/releases/download/v${{ steps.version.outputs.version }}/cnquery_${{ steps.version.outputs.version }}_windows_arm64.zip \ | |
| https://github.com/mondoohq/cnspec/releases/download/v${{ steps.version.outputs.version }}/cnspec_${{ steps.version.outputs.version }}_windows_arm64.zip | |
| dist-prepare: | |
| name: Prepare Distribution for Packaging | |
| strategy: | |
| matrix: | |
| arch: | |
| - amd64 | |
| - arm64 | |
| runs-on: ubuntu-latest | |
| needs: setup | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Download Binaries | |
| env: | |
| VERSION: ${{ needs.setup.outputs.version }} | |
| run: | | |
| # TODO: We should check the sums here | |
| mkdir -p dist/${{ matrix.arch }} && cd dist/${{ matrix.arch }} | |
| curl -sSL -O https://github.com/mondoohq/cnspec/releases/download/v${VERSION}/cnspec_${VERSION}_windows_${{ matrix.arch }}.zip | |
| unzip cnspec_${VERSION}_windows_${{ matrix.arch }}.zip | |
| rm cnspec_${VERSION}_windows_${{ matrix.arch }}.zip | |
| curl -sSL -O https://github.com/mondoohq/cnquery/releases/download/v${VERSION}/cnquery_${VERSION}_windows_${{ matrix.arch }}.zip | |
| unzip cnquery_${VERSION}_windows_${{ matrix.arch }}.zip | |
| rm cnquery_${VERSION}_windows_${{ matrix.arch }}.zip | |
| ls -lh | |
| - name: Upload Distribution | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: dist-${{ matrix.arch }} | |
| path: dist/${{ matrix.arch }} | |
| msi-build: | |
| name: 'Packaging: Windows MSI' | |
| runs-on: windows-latest | |
| strategy: | |
| matrix: | |
| arch: | |
| - amd64 | |
| - arm64 | |
| needs: | |
| - setup | |
| - dist-prepare | |
| # For Version: ${{ needs.setup.outputs.version }} | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Download Distribution | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: dist-${{ matrix.arch }} | |
| path: dist/${{ matrix.arch }} | |
| - name: Setup Certificate | |
| shell: bash | |
| run: | | |
| echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/Certificate_pkcs12.p12 | |
| - name: Set signing variables | |
| shell: bash | |
| run: | | |
| echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV" | |
| echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV" | |
| echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV" | |
| echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV" | |
| echo "SM_CODE_SIGNING_CERT_SHA1_HASH=${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }}" >> "$GITHUB_ENV" | |
| echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH | |
| echo "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools" >> $GITHUB_PATH | |
| echo "C:\Program Files\DigiCert\DigiCert One Signing Manager Tools" >> $GITHUB_PATH | |
| - name: Setup SSM KSP on windows latest | |
| shell: cmd | |
| run: | | |
| curl --retry 10 --retry-delay 60 -X GET https://one.digicert.com/signingmanager/api-ui/v1/releases/smtools-windows-x64.msi/download -H "x-api-key:%SM_API_KEY%" -o smtools-windows-x64.msi | |
| msiexec /i smtools-windows-x64.msi /quiet /qn | |
| smksp_registrar.exe list | |
| smctl.exe keypair ls | |
| C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user | |
| smksp_cert_sync.exe | |
| - name: Build and Sign MSI | |
| env: | |
| VERSION: ${{ needs.setup.outputs.trimmed-version }} | |
| run: | | |
| $mondooVersion = ${env:VERSION} | |
| echo "Running build job for version ${mondooVersion}" | |
| Copy-Item .\dist\${{ matrix.arch }}\cnquery.exe .\packages\msi\msi\ | |
| Copy-Item .\dist\${{ matrix.arch }}\cnspec.exe .\packages\msi\msi\ | |
| Copy-Item .\dist\${{ matrix.arch }}\cnquery.exe .\packages\msi\appx\ | |
| Copy-Item .\dist\${{ matrix.arch }}\cnspec.exe .\packages\msi\appx\ | |
| # build msi package | |
| echo " - Packaging MSI..." | |
| Set-Location -Path '.\packages\msi\' | |
| ./package.ps1 -version $mondooVersion -arch ${{ matrix.arch }} | |
| # sign msi package | |
| echo " - Signing MSI..." | |
| Set-Location -Path '.\..\..' | |
| signtool.exe sign /debug /sha1 ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 .\packages\msi\mondoo_${{ matrix.arch }}.msi | |
| Copy-Item '.\packages\msi\mondoo_${{ matrix.arch }}.msi' '.\dist\${{ matrix.arch }}' | |
| - name: Dump Signing Log on Failure | |
| if: failure() | |
| run: | | |
| echo "Dumping signing logs..." | |
| gc $home\AppData\Local\Temp\signtool.log | |
| echo "Dumping signing manager logs..." | |
| gc $home\.signingmanager\logs\smctl.log | |
| echo "Dumping signing manager KSP logs..." | |
| gc $home\.signinmanager\logs\smksp.log | |
| echo "Dumping signing manager KSP cert sync logs..." | |
| gc $home\.signingmanager\logs\smksp_cert_sync.log | |
| - name: Cleanup dist before upload | |
| run: | | |
| Remove-Item -Path .\dist\${{ matrix.arch }}\cnquery.exe -Force | |
| Remove-Item -Path .\dist\${{ matrix.arch }}\cnspec.exe -Force | |
| - name: Upload Distribution | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: msi-${{ matrix.arch }} | |
| path: dist/${{ matrix.arch }} | |
| test-msi-install: | |
| name: Test Signed Package | |
| strategy: | |
| matrix: | |
| arch: | |
| - amd64 | |
| # - arm64 # we currently don't have windows arm64 runners to test arm against | |
| needs: | |
| - setup | |
| - msi-build | |
| runs-on: windows-latest | |
| steps: | |
| - name: Download MSI Package | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: msi-${{ matrix.arch }} | |
| path: dist | |
| - name: Verify digital signature is valid | |
| run: | | |
| cd dist | |
| Get-AuthenticodeSignature -FilePath .\\mondoo_${{ matrix.arch }}.msi | |
| - name: Install artifact | |
| run: | | |
| cd dist | |
| msiexec /qn /i mondoo_${{ matrix.arch }}.msi | |
| - name: Verify the correct cnquery version is installed | |
| run: | | |
| $version=& 'C:\Program Files\Mondoo\cnquery.exe' version | |
| $match=$version -like "*${{ needs.setup.outputs.version }}*" | |
| if (-not $match) { | |
| exit 1 | |
| } | |
| - name: Run a basic cnquery sanity check | |
| run: | | |
| & 'C:\Program Files\Mondoo\cnquery.exe' run -c "os.base.packages.where(name == 'Mondoo') { name }" | |
| - name: Verify the correct cnspec version is installed | |
| run: | | |
| $version=& 'C:\Program Files\Mondoo\cnspec.exe' version | |
| $match=$version -like "*${{ needs.setup.outputs.version }}*" | |
| if (-not $match) { | |
| exit 1 | |
| } | |
| - name: Run a basic cnspec sanity check | |
| run: | | |
| & 'C:\Program Files\Mondoo\cnspec.exe' run -c "os.base.packages.where(name == 'Mondoo') { name }" | |
| - name: Login to edge with cnspec | |
| run: | | |
| & 'C:\Program Files\Mondoo\cnspec.exe' login -t "${{ secrets.INSTALL_TEST_MONDOO_REGISTRATION_TOKEN }}" --config C:\ProgramData\Mondoo\mondoo.yml | |
| - name: Run a basic cnspec sanity check | |
| run: | | |
| & 'C:\Program Files\Mondoo\cnspec.exe' policy download mondoo-windows-installer -f mondoo-windows-installer.mql.yaml | |
| & 'C:\Program Files\Mondoo\cnspec.exe' scan local --detect-cicd --score-threshold 100 -o full --policy-bundle mondoo-windows-installer.mql.yaml | |
| - name: Logout from edge with cnspec | |
| run: | | |
| & 'C:\Program Files\Mondoo\cnspec.exe' logout --config C:\ProgramData\Mondoo\mondoo.yml --force | |
| publish: | |
| name: 'Publish: Releases' | |
| strategy: | |
| matrix: | |
| arch: | |
| - amd64 | |
| - arm64 | |
| needs: | |
| - setup | |
| - msi-build | |
| - test-msi-install | |
| if: ${{ ! inputs.skip-publish }} | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Download MSI Package | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: msi-${{ matrix.arch }} | |
| path: dist | |
| - name: Authenticate with Google Cloud | |
| id: gauth | |
| uses: google-github-actions/auth@v2 | |
| with: | |
| credentials_json: ${{secrets.GCP_CREDENTIALS}} | |
| - name: Set up Cloud SDK | |
| uses: google-github-actions/setup-gcloud@v2 | |
| - name: Verify access to release bucket | |
| env: | |
| VERSION: ${{ needs.setup.outputs.version }} | |
| run: | | |
| gsutil ls gs://releases-us.mondoo.io/mondoo | |
| - name: Upload static content to buckets | |
| env: | |
| VERSION: ${{ needs.setup.outputs.version }} | |
| run: | | |
| cd dist | |
| mv mondoo_${{ matrix.arch }}.msi mondoo_${VERSION}_windows_${{ matrix.arch }}.msi | |
| sha256sum mondoo_${VERSION}_windows_${{ matrix.arch }}.msi >> checksums.windows_${{ matrix.arch }}.txt | |
| gsutil cp checksums.windows_${{ matrix.arch }}.txt gs://releases-us.mondoo.io/mondoo/${VERSION}/checksums.windows_${{ matrix.arch }}.txt | |
| gsutil cp mondoo_${VERSION}_windows_${{ matrix.arch }}.msi gs://releases-us.mondoo.io/mondoo/${VERSION}/mondoo_${VERSION}_windows_${{ matrix.arch }}.msi | |
| - name: Reindex folder on releaser.mondoo.com | |
| uses: peter-evans/repository-dispatch@v3 | |
| env: | |
| VERSION: ${{ needs.setup.outputs.version }} | |
| with: | |
| token: ${{ secrets.RELEASR_ACTION_TOKEN }} | |
| repository: "mondoohq/releasr" | |
| event-type: reindex | |
| client-payload: '{ | |
| "reindex-path": "mondoo/${{ env.VERSION }}", | |
| "bucket": "releases-us.mondoo.io" | |
| }' | |
| - name: Cleanup | |
| run: | | |
| rm -f "${{ steps.gauth.outputs.credentials_file_path }}" |