
PKG: Microsoft Software Installer (MSI) #14


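name: 'PKG: Microsoft Software Installer (MSI)'

# Builds, signs and publishes the Windows MSI package.
#
# Hardening conventions used throughout this file:
#   * Workflow inputs, event fields and secrets reach `run:` scripts through
#     `env:` rather than inline `${{ }}` interpolation. Inline expressions are
#     substituted into the script text before the shell parses it, so a value
#     containing shell metacharacters would be executed as code.
#   * The version and package name are validated against a conservative
#     character set before they are written to $GITHUB_ENV / $GITHUB_OUTPUT or
#     used to build URLs and bucket paths.
#   * Third-party actions are referenced by mutable tags (@v1, @v2, @v3).
#     NOTE(review): pin each `uses:` to a full commit SHA so a retagged release
#     cannot change what runs in this signing and publishing pipeline.

on:
  workflow_dispatch:
    inputs:
      version:
        description: 'Package Version'
        required: true
        default: '0.0.1'
      name:
        description: 'Package Name'
        required: false
        default: 'mondoo'
      skip-publish:
        description: 'Skip publish?'
        required: false
        default: false
        type: boolean
  # release:
  #   types: [published]

# Least privilege for the automatic GITHUB_TOKEN: the jobs only check out the
# repository. The cross-repository dispatch uses its own token secret.
permissions:
  contents: read

jobs:
  setup:
    name: 'Setup'
    runs-on: ubuntu-latest
    outputs:
      version: ${{ steps.version.outputs.version }}
      name: ${{ steps.version.outputs.name }}
    steps:
      - name: Set Version (Workflow Dispatch)
        if: github.event_name == 'workflow_dispatch'
        env:
          INPUT_VERSION: ${{ inputs.version }}
        run: |
          # Reject anything that could break out of a path, URL or env-file line.
          pattern='^[0-9A-Za-z._+-]+$'
          if [[ ! "${INPUT_VERSION}" =~ $pattern ]]; then
            echo "::error::Invalid version value"
            exit 1
          fi
          echo "VERSION=${INPUT_VERSION}" >> "$GITHUB_ENV"
      - name: Set Version (Release Event)
        if: github.event_name == 'release'
        env:
          RELEASE_TAG: ${{ github.event.release.tag_name }}
        run: |
          # The tag name is attacker-influenced text; validate before use.
          pattern='^[0-9A-Za-z._+-]+$'
          if [[ ! "${RELEASE_TAG}" =~ $pattern ]]; then
            echo "::error::Invalid release tag"
            exit 1
          fi
          echo "VERSION=${RELEASE_TAG}" >> "$GITHUB_ENV"
      - name: Unified Version
        id: version
        env:
          INPUT_NAME: ${{ inputs.name }}
        run: |
          if [[ "${INPUT_NAME}" == '' ]]; then
            echo "Name is empty, using default"
            echo "name=mondoo" >> "$GITHUB_OUTPUT"
          else
            pattern='^[0-9A-Za-z._+-]+$'
            if [[ ! "${INPUT_NAME}" =~ $pattern ]]; then
              echo "::error::Invalid package name"
              exit 1
            fi
            echo "Name: ${INPUT_NAME}"
            echo "name=${INPUT_NAME}" >> "$GITHUB_OUTPUT"
          fi
          echo "Version: $VERSION"
          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"

  dist-prepare:
    name: 'Prepare Distribution for Packaging'
    runs-on: ubuntu-latest
    needs: setup
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
      - name: Download Binaries
        env:
          VERSION: ${{ needs.setup.outputs.version }}
        run: |
          # TODO: We should check the sums here.
          # These binaries are packaged into the MSI and code-signed further
          # down, so whatever is downloaded here ends up carrying the signing
          # certificate's trust. Verify each archive against a published
          # SHA-256 checksum (ideally a signed checksum file) before unzipping.
          mkdir -p dist && cd dist
          # -f makes curl fail on an HTTP error instead of saving the error page.
          curl -fsSL -O "https://releases.mondoo.com/cnspec/${VERSION}/cnspec_${VERSION}_windows_amd64.zip"
          unzip "cnspec_${VERSION}_windows_amd64.zip"
          rm "cnspec_${VERSION}_windows_amd64.zip"
          curl -fsSL -O "https://releases.mondoo.com/cnquery/${VERSION}/cnquery_${VERSION}_windows_amd64.zip"
          unzip "cnquery_${VERSION}_windows_amd64.zip"
          rm "cnquery_${VERSION}_windows_amd64.zip"
          ls -lh
      - name: Upload Distribution
        # NOTE(review): the v3 artifact actions are deprecated upstream; plan
        # the move to a supported major version.
        uses: actions/upload-artifact@v3
        with:
          name: dist
          path: dist

  msi-build:
    name: 'Packaging: Windows MSI'
    runs-on: windows-latest
    needs: [setup, dist-prepare]
    # For Version: ${{ needs.setup.outputs.version }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
      - name: Download Distribution
        uses: actions/download-artifact@v3
        with:
          name: dist
          path: dist
      - name: Setup Certificate
        shell: bash
        env:
          SM_CLIENT_CERT_FILE_B64: ${{ secrets.SM_CLIENT_CERT_FILE_B64 }}
        run: |
          # Decode the client-auth PKCS#12 bundle to disk; it is deleted again
          # by the final step of this job.
          echo "${SM_CLIENT_CERT_FILE_B64}" | base64 --decode > /d/Certificate_pkcs12.p12
      - name: Set signing variables
        shell: bash
        env:
          SM_HOST: ${{ secrets.SM_HOST }}
          SM_API_KEY: ${{ secrets.SM_API_KEY }}
          SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
          SM_CODE_SIGNING_CERT_SHA1_HASH: ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }}
        run: |
          # NOTE(review): values written to $GITHUB_ENV are visible to every
          # later step in this job, including third-party actions. Consider
          # step-level `env:` on just the steps that sign.
          echo "SM_HOST=${SM_HOST}" >> "$GITHUB_ENV"
          echo "SM_API_KEY=${SM_API_KEY}" >> "$GITHUB_ENV"
          echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV"
          echo "SM_CLIENT_CERT_PASSWORD=${SM_CLIENT_CERT_PASSWORD}" >> "$GITHUB_ENV"
          echo "SM_CODE_SIGNING_CERT_SHA1_HASH=${SM_CODE_SIGNING_CERT_SHA1_HASH}" >> "$GITHUB_ENV"
          echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH
          echo "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools" >> $GITHUB_PATH
          echo "C:\Program Files\DigiCert\DigiCert One Signing Manager Tools" >> $GITHUB_PATH
      - name: Setup SSM KSP on windows latest
        shell: cmd
        # NOTE(review): the downloaded installer runs with no integrity check.
        # Verifying its Authenticode signature before msiexec would close that
        # gap.
        run: |
          curl -X GET https://one.digicert.com/signingmanager/api-ui/v1/releases/smtools-windows-x64.msi/download -H "x-api-key:%SM_API_KEY%" -o smtools-windows-x64.msi
          msiexec /i smtools-windows-x64.msi /quiet /qn
          smksp_registrar.exe list
          smctl.exe keypair ls
          C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user
          smksp_cert_sync.exe
      - name: Build and Sign MSI
        env:
          VERSION: ${{ needs.setup.outputs.version }}
        run: |
          $mondooVersion = ${env:VERSION}
          echo "Running build job for version ${mondooVersion}"
          Copy-Item .\dist\cnquery.exe .\packages\msi\msi\
          Copy-Item .\dist\cnspec.exe .\packages\msi\msi\
          Copy-Item .\dist\cnquery.exe .\packages\msi\appx\
          Copy-Item .\dist\cnspec.exe .\packages\msi\appx\
          # build msi package
          echo " - Packaging MSI..."
          Set-Location -Path '.\packages\msi\'
          ./package.ps1 -version $mondooVersion
          # sign msi package
          echo " - Signing MSI..."
          Set-Location -Path '.\..'
          # The thumbprint comes from the environment (exported by the
          # "Set signing variables" step) instead of being templated into the
          # script text.
          signtool.exe sign /sha1 ${env:SM_CODE_SIGNING_CERT_SHA1_HASH} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 .\packages\msi\mondoo.msi
          Copy-Item '.\packages\msi\mondoo.msi' '.\dist\'
      - name: Cleanup dist before upload
        run: |
          Remove-Item -Path .\dist\cnquery.exe -Force
          Remove-Item -Path .\dist\cnspec.exe -Force
      - name: Upload Distribution
        uses: actions/upload-artifact@v3
        with:
          name: msi
          path: dist/
      - name: Remove signing certificate
        # Runs even when an earlier step failed so the key material does not
        # outlive the job on the runner's disk.
        if: always()
        shell: bash
        run: |
          rm -f /d/Certificate_pkcs12.p12

  publish:
    name: 'Publish: Releases'
    needs: [setup, msi-build]
    if: ${{ ! inputs.skip-publish }}
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
      - name: Download MSI Package
        uses: actions/download-artifact@v3
        with:
          name: msi
          path: dist
      - name: Authenticate with Google Cloud
        id: gauth
        # NOTE(review): credentials_json is a long-lived service-account key.
        # Workload Identity Federation would avoid storing one, if available.
        uses: 'google-github-actions/auth@v1'
        with:
          credentials_json: '${{secrets.GCP_CREDENTIALS}}'
      - name: 'Set up Cloud SDK'
        uses: 'google-github-actions/setup-gcloud@v1'
      - name: Verify access to release bucket
        env:
          VERSION: ${{ needs.setup.outputs.version }}
        run: |
          gsutil ls "gs://releases-us.mondoo.io/mondoo/${VERSION}/checksums.windows.txt"
      - name: Upload static content to buckets
        env:
          VERSION: ${{ needs.setup.outputs.version }}
        run: |
          cd dist
          # Download and re-write the checksum file
          gsutil cp "gs://releases-us.mondoo.io/mondoo/${VERSION}/checksums.windows.txt" checksums.windows.txt
          # NOTE(review): no step visible in this workflow creates
          # dist/mondoo.zip explicitly; confirm where it comes from.
          mv mondoo.zip "mondoo_${VERSION}_windows_amd64.zip"
          mv mondoo.msi "mondoo_${VERSION}_windows_amd64.msi"
          sha256sum "mondoo_${VERSION}_windows_amd64.zip" >> checksums.windows.txt
          sha256sum "mondoo_${VERSION}_windows_amd64.msi" >> checksums.windows.txt
          gsutil cp checksums.windows.txt "gs://releases-us.mondoo.io/mondoo/${VERSION}/checksums.windows.txt"
          gsutil cp "mondoo_${VERSION}_windows_amd64.zip" "gs://releases-us.mondoo.io/mondoo/${VERSION}/mondoo_${VERSION}_windows_amd64.zip"
          gsutil cp "mondoo_${VERSION}_windows_amd64.msi" "gs://releases-us.mondoo.io/mondoo/${VERSION}/mondoo_${VERSION}_windows_amd64.msi"
      - name: Reindex folder on releaser.mondoo.com
        uses: peter-evans/repository-dispatch@v2
        env:
          VERSION: ${{ needs.setup.outputs.version }}
        with:
          token: ${{ secrets.RELEASR_ACTION_TOKEN }}
          repository: "mondoohq/releasr"
          event-type: reindex
          client-payload: '{
            "reindex-path": "mondoo/${{ env.VERSION }}",
            "bucket": "releases-us.mondoo.io"
            }'
      - name: Cleanup
        # Remove the credentials file even if an upload step failed.
        if: always()
        env:
          CREDENTIALS_FILE: ${{ steps.gauth.outputs.credentials_file_path }}
        run: |
          if [ -n "${CREDENTIALS_FILE}" ]; then
            rm -f "${CREDENTIALS_FILE}"
          fi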