From d7bf65a80b40bec6446dcb4a2f03629fb74cc3f9 Mon Sep 17 00:00:00 2001
From: derrod
Date: Sun, 28 Apr 2024 06:20:05 +0200
Subject: [PATCH] CI: Rename and update windows-signing action
---
.../Ensure-Location.ps1 | 0
.../Invoke-External.ps1 | 0
.../{bouf => windows-signing}/Logger.ps1 | 0
.../{bouf => windows-signing}/action.yaml | 71 +++++++++----------
.../cng-release-signing-key.pem | 0
.../{bouf => windows-signing}/config.toml | 7 +-
.../{bouf => windows-signing}/prod.crt | 0
.../{bouf => windows-signing}/test.crt | 0
.github/workflows/sign-windows.yaml | 22 ++----
9 files changed, 43 insertions(+), 57 deletions(-)
rename .github/actions/{bouf => windows-signing}/Ensure-Location.ps1 (100%)
rename .github/actions/{bouf => windows-signing}/Invoke-External.ps1 (100%)
rename .github/actions/{bouf => windows-signing}/Logger.ps1 (100%)
rename .github/actions/{bouf => windows-signing}/action.yaml (67%)
rename .github/actions/{bouf => windows-signing}/cng-release-signing-key.pem (100%)
rename .github/actions/{bouf => windows-signing}/config.toml (87%)
rename .github/actions/{bouf => windows-signing}/prod.crt (100%)
rename .github/actions/{bouf => windows-signing}/test.crt (100%)
diff --git a/.github/actions/bouf/Ensure-Location.ps1 b/.github/actions/windows-signing/Ensure-Location.ps1
similarity index 100%
rename from .github/actions/bouf/Ensure-Location.ps1
rename to .github/actions/windows-signing/Ensure-Location.ps1
diff --git a/.github/actions/bouf/Invoke-External.ps1 b/.github/actions/windows-signing/Invoke-External.ps1
similarity index 100%
rename from .github/actions/bouf/Invoke-External.ps1
rename to .github/actions/windows-signing/Invoke-External.ps1
diff --git a/.github/actions/bouf/Logger.ps1 b/.github/actions/windows-signing/Logger.ps1
similarity index 100%
rename from .github/actions/bouf/Logger.ps1
rename to .github/actions/windows-signing/Logger.ps1
diff --git a/.github/actions/bouf/action.yaml b/.github/actions/windows-signing/action.yaml similarity index 67% rename from .github/actions/bouf/action.yaml rename to .github/actions/windows-signing/action.yaml index 2183152c3..e7b175c99 100644 --- a/.github/actions/bouf/action.yaml +++ b/.github/actions/windows-signing/action.yaml @@ -1,5 +1,5 @@ -name: Run bouf -description: Generates signed OBS install files and updater files +name: Run bouf Packaging +description: Generates signed OBS install files inputs: gcpWorkloadIdentityProvider: description: GCP Identity Provider Pool ID @@ -7,9 +7,6 @@ inputs: gcpServiceAccountName: description: Google service account name required: true - gcpManifestSigningKeyName: - description: Name of the manifest signing key in GCP KMS - required: false version: description: Version string (e.g., 30.0.0-rc1) required: true @@ -30,9 +27,9 @@ runs: - name: Setup bouf shell: pwsh env: - BOUF_TAG: 'v0.6.2' - BOUF_HASH: '40ca34457a8ac60b9710a41b4cde2a0fc36d8740ab21b01d702069be2e1c5fb9' - BOUF_NSIS_HASH: '88958a9e4e0f3cb6f78e8359fdfa3343d050d5c2158e3ee77cb2cc4a8785ac61' + BOUF_TAG: 'v0.6.3' + BOUF_HASH: '7f1d266467620aa553a705391ee06128e8ee14af66129a0e64a282997fb6fd83' + BOUF_NSIS_HASH: 'a234126de89f122b6a552df3416de3eabcb4195217626c7f4eaec71b20fe36eb' GH_TOKEN: ${{ github.token }} run: | # Download bouf release @@ -53,10 +50,10 @@ runs: Expand-Archive -Path $windows_zip -DestinationPath bin Expand-Archive -Path $nsis_zip -DestinationPath nsis - - name: Download Google CNG Provider + - name: Setup Google CNG Provider shell: pwsh env: - CNG_TAG: 'cng-v1.0' + CNG_TAG: 'cng-v1.1' GH_TOKEN: ${{ github.token }} run: | # Download Google CNG provider release from github 
@@ -73,18 +70,10 @@ runs: # Finally, install the CNG provider Invoke-External msiexec /i $msiPath /qn /norestart - - name: Install pandoc and rclone + - name: Install rclone shell: pwsh run: | choco install rclone --version=1.64.2 -y --no-progress - choco install pandoc --version=3.1.9 -y --no-progress - - - name: Prepare Release Notes - shell: pwsh - run: | - # Release notes are just the tag body on Windows - Set-Location repo - git tag -l --format='%(contents:body)' ${{ inputs.version }} > "${{ github.workspace }}/notes.rst" - name: 'Authenticate to Google Cloud' uses: 'google-github-actions/auth@5a50e581162a13f4baa8916d01180d2acbc04363' @@ -92,15 +81,21 @@ runs: workload_identity_provider: ${{ inputs.gcpWorkloadIdentityProvider }} service_account: ${{ inputs.gcpServiceAccountName }} - - name: 'Set up Cloud SDK' - uses: 'google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200' - - - name: Download Old Builds + - name: Download Previous Build shell: pwsh env: RCLONE_GCS_ENV_AUTH: 'true' run: | - rclone copy --transfers 100 :gcs:obs-builds "${{ github.workspace }}/old_builds" + . ${env:GITHUB_ACTION_PATH}\Ensure-Location.ps1 + Ensure-Location "${{ github.workspace }}/old_builds" + rclone copy --transfers 100 ":gcs:obs-latest/${{ inputs.channel }}" . + + - name: Download Presigned Game Capture Files (REMOVE AFTER 30.2!!) + shell: pwsh + env: + RCLONE_GCS_ENV_AUTH: 'true' + run: | + rclone copy :gcs:obs-game-capture "${{ github.workspace }}/build/data/obs-plugins/win-capture" - name: Run bouf shell: pwsh 
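Review bot: The new "Download Presigned Game Capture Files" step copies binaries from `:gcs:obs-game-capture` straight into `build/data/obs-plugins/win-capture` with no integrity check visible in the hunk, so whatever that bucket holds at run time ends up inside the package this action signs and publishes. The bouf download earlier in the action carries a `BOUF_HASH` pin; these files deserve an equivalent gate before "Run bouf" executes, for example comparing `Get-FileHash -Algorithm SHA256` output against a pinned list kept in the action directory, or requiring `Get-AuthenticodeSignature` to report `Valid` with the expected signer for each file. Failing the step on any mismatch keeps bucket write access from being sufficient to alter a signed release. Since the step is marked for removal after 30.2, the check can be removed together with it.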
@@ -110,24 +105,26 @@ runs: "--config", "${env:GITHUB_ACTION_PATH}/config.toml", "--version", "${{ inputs.version }}" "--branch", "${{ inputs.channel }}" - "--notes-file", "${{ github.workspace }}/notes.rst" "-i", "${{ github.workspace }}/build" "-p", "${{ github.workspace }}/old_builds" "-o", "${{ github.workspace }}/output" + "--packaging-only" ) Invoke-External "${{ github.workspace }}\bouf\bin\bouf.exe" @boufArgs - - name: Sign Updater Manifest + - name: Sync Latest Build shell: pwsh - if: inputs.gcpManifestSigningKeyName != '' + env: + RCLONE_INCLUDE: '**/${{ inputs.version }}/**' + RCLONE_GCS_ENV_AUTH: 'true' + RCLONE_GCS_BUCKET_POLICY_ONLY: 'true' run: | - $gcloudArgs = @( - "--input-file", "${{ github.workspace }}/output/manifest.json" - "--signature-file", "${{ github.workspace }}/output/manifest.json.sig" - "--digest-algorithm", "sha512" - "--location", "global" - "--keyring", "production" - "--key", "${{ inputs.gcpManifestSigningKeyName }}" - "--version", "1" - ) - gcloud kms asymmetric-sign @gcloudArgs + rclone sync --delete-excluded --transfers 100 "${{ github.workspace }}/old_builds" ":gcs:obs-latest/${{ inputs.channel }}" + + - name: Upload Build to Archive + shell: pwsh + env: + RCLONE_GCS_ENV_AUTH: 'true' + RCLONE_GCS_BUCKET_POLICY_ONLY: 'true' + run: | + rclone copy --transfers 100 "${{ github.workspace }}/old_builds" ":gcs:obs-builds" diff --git a/.github/actions/bouf/cng-release-signing-key.pem b/.github/actions/windows-signing/cng-release-signing-key.pem similarity index 100% rename from .github/actions/bouf/cng-release-signing-key.pem rename to .github/actions/windows-signing/cng-release-signing-key.pem diff --git a/.github/actions/bouf/config.toml b/.github/actions/windows-signing/config.toml similarity index 87% rename from .github/actions/bouf/config.toml rename to .github/actions/windows-signing/config.toml index 80da49a99..06b89ae65 100644 --- a/.github/actions/bouf/config.toml +++ b/.github/actions/windows-signing/config.toml 
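Review bot: `${{ inputs.channel }}` is substituted into the PowerShell text of the new "Sync Latest Build" `rclone sync` line, and of the `rclone copy` line in "Download Previous Build" in the preceding hunk, before the script is parsed, so a value containing quote or subexpression characters would be read as script rather than data. This action authenticates to Google Cloud and signs with the KMS release key named in config.toml, so the value is better passed through the environment: add `CHANNEL: ${{ inputs.channel }}` under `env:` and write the destination as `":gcs:obs-latest/${env:CHANNEL}"`. `RCLONE_INCLUDE` in the same step already takes `inputs.version` through `env:`, which is the pattern to follow. Where the channel value originates is not visible in this patch; the unchanged `boufArgs` lines in this hunk interpolate `inputs.version` and `inputs.channel` into the script the same way.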
@@ -19,11 +19,13 @@ never_copy = [ ] [prepare.codesign] -sign_cert_file = "repo/.github/actions/bouf/prod.crt" +sign_cert_file = "repo/.github/actions/windows-signing/prod.crt" sign_kms_key_id = "projects/ci-signing/locations/global/keyRings/production/cryptoKeys/release-sign-hsm/cryptoKeyVersions/1" sign_digest = "sha384" sign_ts_serv = "http://timestamp.digicert.com" sign_exts = ['exe', 'dll', 'pyd'] +sign_append = true +sign_ts_algo = "sha256" [prepare.strip_pdbs] # PDBs to not strip @@ -47,8 +49,7 @@ exclude_from_parallel = [ nsis_script = "bouf/nsis/mp-installer.nsi" [package.zip] -skip = true -name = "OBS-Studio-{version}.zip" +name = "OBS-Studio-{version}-x64.zip" pdb_name = "OBS-Studio-{version}-pdbs.zip" [package.updater] diff --git a/.github/actions/bouf/prod.crt b/.github/actions/windows-signing/prod.crt similarity index 100% rename from .github/actions/bouf/prod.crt rename to .github/actions/windows-signing/prod.crt diff --git a/.github/actions/bouf/test.crt b/.github/actions/windows-signing/test.crt similarity index 100% rename from .github/actions/bouf/test.crt rename to .github/actions/windows-signing/test.crt diff --git a/.github/workflows/sign-windows.yaml b/.github/workflows/sign-windows.yaml index 5ce98091b..5003819c2 100644 --- a/.github/workflows/sign-windows.yaml +++ b/.github/workflows/sign-windows.yaml @@ -45,7 +45,7 @@ jobs: path: ${{ github.workspace }}/build - name: Run bouf 🥩 - uses: ./repo/.github/actions/bouf + uses: ./repo/.github/actions/windows-signing with: gcpWorkloadIdentityProvider: ${{ secrets.GCP_IDENTITY_POOL }} gcpServiceAccountName: ${{ secrets.GCP_SERVICE_ACCOUNT_NAME }} 
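Review bot: `sign_append = true` and `sign_ts_algo = "sha256"` are added to `[prepare.codesign]` without a comment, and the reason for appending signatures cannot be recovered from the file itself. If appending exists so that the presigned game-capture files downloaded by action.yaml keep their original signature (an inference from the same commit, not stated here), the setting should carry the same expiry marker as that step, e.g. `# Append to existing signatures instead of replacing them; revisit when the presigned game capture step is removed after 30.2`. A short comment on `sign_ts_algo`, which presumably sets the timestamp digest independently of `sign_digest = "sha384"`, would also help the next reader confirm the mismatch is intended.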
@@ -56,15 +56,15 @@ jobs: uses: actions/upload-artifact@v4 with: name: obs-studio-windows-x64-${{ github.ref_name }}-signed - compression-level: 6 - path: ${{ github.workspace }}/output/install + compression-level: 0 + path: ${{ github.workspace }}/output/*-x64.zip - name: Upload PDBs uses: actions/upload-artifact@v4 with: name: obs-studio-windows-x64-${{ github.ref_name }}-pdbs - compression-level: 9 - path: ${{ github.workspace }}/output/pdbs + compression-level: 0 + path: ${{ github.workspace }}/output/*-pdbs.zip - name: Upload Installer uses: actions/upload-artifact@v4 @@ -72,15 +72,3 @@ jobs: name: obs-studio-windows-x64-${{ github.ref_name }}-installer compression-level: 0 path: ${{ github.workspace }}/output/*.exe - - - name: Upload Updater Files - uses: actions/upload-artifact@v4 - with: - name: obs-studio-windows-x64-${{ github.ref_name }}-patches - compression-level: 0 - path: | - ${{ github.workspace }}/output/updater - ${{ github.workspace }}/output/*.json - ${{ github.workspace }}/output/*.sig - ${{ github.workspace }}/output/*.txt - ${{ github.workspace }}/output/*.rst
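Review bot: The signed-build and PDB uploads now use globs, `output/*-x64.zip` and `output/*-pdbs.zip`, and `actions/upload-artifact` only emits a warning by default when a pattern matches nothing, so a run in which bouf produced no zip, or named it differently, would still finish green with the artifact missing. Adding `if-no-files-found: error` under `with:` in both steps makes that failure visible at signing time rather than at release time. The unchanged "Upload Installer" step uses `output/*.exe` and would benefit from the same line.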