mirror/obs-studio
0
0
Fork 0
mirror of https://github.com/obsproject/obs-studio.git synced 2024-09-20 04:42:18 +02:00
Code

CI: Move Windows signing to reusable workflow

Browse Source
This commit is contained in:
derrod 2024-02-02 15:34:04 +01:00 committed by Ryan Foster
parent d3291eb983
commit ffd5879ec9
2 changed files with 90 additions and 83 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

87
.github/workflows/push.yaml vendored
View File

@ -205,94 +205,15 @@ jobs:
pattern: macos-sparkle-update-*
delete-merged: true
create-windows-update:
name: Create Windows Update 🥩
sign-windows-build:
name: Windows Signing ✍️
uses: ./.github/workflows/sign-windows.yaml
if: github.repository_owner == 'obsproject' && github.ref_type == 'tag'
runs-on: windows-2022
needs: build-project
permissions:
contents: 'read'
id-token: 'write'
defaults:
run:
shell: pwsh
environment:
name: bouf
steps:
- uses: actions/checkout@v4
with:
path: "repo"
fetch-depth: 0
ref: ${{ github.ref }}
- name: Set Up Environment 🔧
id: setup
env:
BOUF_ACTION_HASH: 'f9fdc601d0da8c3f18e0135d3f0ffbfba6544ff1742906ccfa9fdbe4bdea4bf9'
run: |
$channel = if ($env:GITHUB_REF_NAME -match "(beta|rc)") { "beta" } else { "stable" }
$shortHash = $env:GITHUB_SHA.Substring(0,9)
"channel=${channel}" >> $env:GITHUB_OUTPUT
"commitHash=${shortHash}" >> $env:GITHUB_OUTPUT
# Ensure files in action haven't been modified
$folderHash = ''
$files = Get-ChildItem "${{ github.workspace }}\repo\.github\actions\bouf"
foreach ($file in $files) {
$folderHash += (Get-FileHash $file -Algorithm SHA256).Hash
}
# This is stupid but so is powershell
$stream = [IO.MemoryStream]::new([byte[]][char[]]$folderHash)
if ((Get-FileHash -InputStream $stream -Algorithm SHA256).Hash -ne "$env:BOUF_ACTION_HASH") {
throw "bouf action folder hash does not match."
}
- name: Download Artifact 📥
uses: actions/download-artifact@v4
with:
name: obs-studio-windows-x64-${{ steps.setup.outputs.commitHash }}
path: ${{ github.workspace }}/build
- name: Run bouf 🥩
uses: ./repo/.github/actions/bouf
with:
gcpWorkloadIdentityProvider: ${{ secrets.GCP_IDENTITY_POOL }}
gcpServiceAccountName: ${{ secrets.GCP_SERVICE_ACCOUNT_NAME }}
version: ${{ github.ref_name }}
channel: ${{ steps.setup.outputs.channel }}
- name: Upload Signed Build
uses: actions/upload-artifact@v4
with:
name: obs-studio-windows-x64-${{ github.ref_name }}-signed
compression-level: 6
path: ${{ github.workspace }}/output/install
- name: Upload PDBs
uses: actions/upload-artifact@v4
with:
name: obs-studio-windows-x64-${{ github.ref_name }}-pdbs
compression-level: 9
path: ${{ github.workspace }}/output/pdbs
- name: Upload Installer
uses: actions/upload-artifact@v4
with:
name: obs-studio-windows-x64-${{ github.ref_name }}-installer
compression-level: 0
path: ${{ github.workspace }}/output/*.exe
- name: Upload Updater Files
uses: actions/upload-artifact@v4
with:
name: obs-studio-windows-x64-${{ github.ref_name }}-patches
compression-level: 0
path: |
${{ github.workspace }}/output/updater
${{ github.workspace }}/output/*.json
${{ github.workspace }}/output/*.sig
${{ github.workspace }}/output/*.txt
${{ github.workspace }}/output/*.rst
secrets: inherit
create-release:
name: Create Release 🛫

86
.github/workflows/sign-windows.yaml vendored Normal file
View File

@ -0,0 +1,86 @@
name: Sign Windows Project
on:
workflow_call:
jobs:
create-windows-update:
name: Create Windows Update 🥩
runs-on: windows-2022
environment:
name: bouf
defaults:
run:
shell: pwsh
steps:
- name: Parse JWT
id: jwt
run: |
$token = ConvertTo-SecureString -String ${env:ACTIONS_ID_TOKEN_REQUEST_TOKEN} -AsPlainText
$jwt = Invoke-WebRequest -Uri "${env:ACTIONS_ID_TOKEN_REQUEST_URL}&audience=ignore" -Authentication Bearer -Token $token
$claim_b64 = (($jwt.Content | ConvertFrom-Json -AsHashtable).value -split '\.')[1]
$mod = $claim_b64.Length % 4
if ($mod -gt 0) {$claim_b64 += '=' * (4 - $mod)}
$claim = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String($claim_b64)) | ConvertFrom-Json -AsHashtable
$sha = ${claim}.job_workflow_sha
Write-Output "Workflow SHA: ${sha}"
"workflow_sha=${sha}" >> $env:GITHUB_OUTPUT
- uses: actions/checkout@v4
with:
path: "repo"
fetch-depth: 0
ref: ${{ steps.jwt.outputs.workflow_sha }}
- name: Set Up Environment 🔧
id: setup
run: |
$channel = if ($env:GITHUB_REF_NAME -match "(beta|rc)") { "beta" } else { "stable" }
$shortHash = $env:GITHUB_SHA.Substring(0,9)
"channel=${channel}" >> $env:GITHUB_OUTPUT
"commitHash=${shortHash}" >> $env:GITHUB_OUTPUT
- name: Download Artifact 📥
uses: actions/download-artifact@v4
with:
name: obs-studio-windows-x64-${{ steps.setup.outputs.commitHash }}
path: ${{ github.workspace }}/build
- name: Run bouf 🥩
uses: ./repo/.github/actions/bouf
with:
gcpWorkloadIdentityProvider: ${{ secrets.GCP_IDENTITY_POOL }}
gcpServiceAccountName: ${{ secrets.GCP_SERVICE_ACCOUNT_NAME }}
version: ${{ github.ref_name }}
channel: ${{ steps.setup.outputs.channel }}
- name: Upload Signed Build
uses: actions/upload-artifact@v4
with:
name: obs-studio-windows-x64-${{ github.ref_name }}-signed
compression-level: 6
path: ${{ github.workspace }}/output/install
- name: Upload PDBs
uses: actions/upload-artifact@v4
with:
name: obs-studio-windows-x64-${{ github.ref_name }}-pdbs
compression-level: 9
path: ${{ github.workspace }}/output/pdbs
- name: Upload Installer
uses: actions/upload-artifact@v4
with:
name: obs-studio-windows-x64-${{ github.ref_name }}-installer
compression-level: 0
path: ${{ github.workspace }}/output/*.exe
- name: Upload Updater Files
uses: actions/upload-artifact@v4
with:
name: obs-studio-windows-x64-${{ github.ref_name }}-patches
compression-level: 0
path: |
${{ github.workspace }}/output/updater
${{ github.workspace }}/output/*.json
${{ github.workspace }}/output/*.sig
${{ github.workspace }}/output/*.txt
${{ github.workspace }}/output/*.rst