From ffd5879ec95f09e4e551b839f5fe6738058231c1 Mon Sep 17 00:00:00 2001
From: derrod
Date: Fri, 2 Feb 2024 15:34:04 +0100
Subject: [PATCH] CI: Move Windows signing to reusable workflow
---
 .github/workflows/push.yaml | 87 ++---------------------------
 .github/workflows/sign-windows.yaml | 86 ++++++++++++++++++++++++++++
 2 files changed, 90 insertions(+), 83 deletions(-)
 create mode 100644 .github/workflows/sign-windows.yaml
diff --git a/.github/workflows/push.yaml b/.github/workflows/push.yaml
index 4b502a96b..44fb3f4db 100644
--- a/.github/workflows/push.yaml
+++ b/.github/workflows/push.yaml
@@ -205,94 +205,15 @@ jobs: pattern: macos-sparkle-update-* delete-merged: true - create-windows-update: - name: Create Windows Update 🥩 + sign-windows-build: + name: Windows Signing ✍️ + uses: ./.github/workflows/sign-windows.yaml if: github.repository_owner == 'obsproject' && github.ref_type == 'tag' - runs-on: windows-2022 needs: build-project permissions: contents: 'read' id-token: 'write' - defaults: - run: - shell: pwsh - environment: - name: bouf - steps: - - uses: actions/checkout@v4 - with: - path: "repo" - fetch-depth: 0 - ref: ${{ github.ref }} - - - name: Set Up Environment 🔧 - id: setup - env: - BOUF_ACTION_HASH: 'f9fdc601d0da8c3f18e0135d3f0ffbfba6544ff1742906ccfa9fdbe4bdea4bf9' - run: | - $channel = if ($env:GITHUB_REF_NAME -match "(beta|rc)") { "beta" } else { "stable" } - $shortHash = $env:GITHUB_SHA.Substring(0,9) - "channel=${channel}" >> $env:GITHUB_OUTPUT - "commitHash=${shortHash}" >> $env:GITHUB_OUTPUT - - # Ensure files in action haven't been modified - $folderHash = '' - $files = Get-ChildItem "${{ github.workspace }}\repo\.github\actions\bouf" - foreach ($file in $files) { - $folderHash += (Get-FileHash $file -Algorithm SHA256).Hash - } - # This is stupid but so is powershell - $stream = [IO.MemoryStream]::new([byte[]][char[]]$folderHash) - if ((Get-FileHash -InputStream $stream -Algorithm SHA256).Hash -ne "$env:BOUF_ACTION_HASH") { - throw "bouf action folder hash does not match." 
- } - - - name: Download Artifact 📥 - uses: actions/download-artifact@v4 - with: - name: obs-studio-windows-x64-${{ steps.setup.outputs.commitHash }} - path: ${{ github.workspace }}/build - - - name: Run bouf 🥩 - uses: ./repo/.github/actions/bouf - with: - gcpWorkloadIdentityProvider: ${{ secrets.GCP_IDENTITY_POOL }} - gcpServiceAccountName: ${{ secrets.GCP_SERVICE_ACCOUNT_NAME }} - version: ${{ github.ref_name }} - channel: ${{ steps.setup.outputs.channel }} - - - name: Upload Signed Build - uses: actions/upload-artifact@v4 - with: - name: obs-studio-windows-x64-${{ github.ref_name }}-signed - compression-level: 6 - path: ${{ github.workspace }}/output/install - - - name: Upload PDBs - uses: actions/upload-artifact@v4 - with: - name: obs-studio-windows-x64-${{ github.ref_name }}-pdbs - compression-level: 9 - path: ${{ github.workspace }}/output/pdbs - - - name: Upload Installer - uses: actions/upload-artifact@v4 - with: - name: obs-studio-windows-x64-${{ github.ref_name }}-installer - compression-level: 0 - path: ${{ github.workspace }}/output/*.exe - - - name: Upload Updater Files - uses: actions/upload-artifact@v4 - with: - name: obs-studio-windows-x64-${{ github.ref_name }}-patches - compression-level: 0 - path: | - ${{ github.workspace }}/output/updater - ${{ github.workspace }}/output/*.json - ${{ github.workspace }}/output/*.sig - ${{ github.workspace }}/output/*.txt - ${{ github.workspace }}/output/*.rst + secrets: inherit create-release: name: Create Release 🛫 diff --git a/.github/workflows/sign-windows.yaml b/.github/workflows/sign-windows.yaml new file mode 100644 index 000000000..5ce98091b --- /dev/null +++ b/.github/workflows/sign-windows.yaml 
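Review bot: `secrets: inherit` on the new sign-windows-build job hands every repository and organization secret to the called workflow, although sign-windows.yaml only reads GCP_IDENTITY_POOL and GCP_SERVICE_ACCOUNT_NAME. If those two are repository or organization secrets rather than secrets scoped to the bouf environment, pass them explicitly so the reusable workflow sees exactly two values: `secrets:` / `GCP_IDENTITY_POOL: ${{ secrets.GCP_IDENTITY_POOL }}` / `GCP_SERVICE_ACCOUNT_NAME: ${{ secrets.GCP_SERVICE_ACCOUNT_NAME }}`. The matching change belongs in the second hunk: have the `workflow_call` trigger of sign-windows.yaml declare both names under `secrets:` with `required: true`, so a caller that omits one fails at workflow validation instead of at the bouf step. The `jobs:` mapping this hunk edits starts before the hunk.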
@@ -0,0 +1,86 @@ +name: Sign Windows Project +on: + workflow_call: +jobs: + create-windows-update: + name: Create Windows Update 🥩 + runs-on: windows-2022 + environment: + name: bouf + defaults: + run: + shell: pwsh + steps: + - name: Parse JWT + id: jwt + run: | + $token = ConvertTo-SecureString -String ${env:ACTIONS_ID_TOKEN_REQUEST_TOKEN} -AsPlainText + $jwt = Invoke-WebRequest -Uri "${env:ACTIONS_ID_TOKEN_REQUEST_URL}&audience=ignore" -Authentication Bearer -Token $token + $claim_b64 = (($jwt.Content | ConvertFrom-Json -AsHashtable).value -split '\.')[1] + $mod = $claim_b64.Length % 4 + if ($mod -gt 0) {$claim_b64 += '=' * (4 - $mod)} + $claim = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String($claim_b64)) | ConvertFrom-Json -AsHashtable + $sha = ${claim}.job_workflow_sha + Write-Output "Workflow SHA: ${sha}" + "workflow_sha=${sha}" >> $env:GITHUB_OUTPUT + + - uses: actions/checkout@v4 + with: + path: "repo" + fetch-depth: 0 + ref: ${{ steps.jwt.outputs.workflow_sha }} + + - name: Set Up Environment 🔧 + id: setup + run: | + $channel = if ($env:GITHUB_REF_NAME -match "(beta|rc)") { "beta" } else { "stable" } + $shortHash = $env:GITHUB_SHA.Substring(0,9) + "channel=${channel}" >> $env:GITHUB_OUTPUT + "commitHash=${shortHash}" >> $env:GITHUB_OUTPUT + + - name: Download Artifact 📥 + uses: actions/download-artifact@v4 + with: + name: obs-studio-windows-x64-${{ steps.setup.outputs.commitHash }} + path: ${{ github.workspace }}/build + + - name: Run bouf 🥩 + uses: ./repo/.github/actions/bouf + with: + gcpWorkloadIdentityProvider: ${{ secrets.GCP_IDENTITY_POOL }} + gcpServiceAccountName: ${{ secrets.GCP_SERVICE_ACCOUNT_NAME }} + version: ${{ github.ref_name }} + channel: ${{ steps.setup.outputs.channel }} + + - name: Upload Signed Build + uses: actions/upload-artifact@v4 + with: + name: obs-studio-windows-x64-${{ github.ref_name }}-signed + compression-level: 6 + path: ${{ github.workspace }}/output/install + + - name: Upload PDBs + uses: 
actions/upload-artifact@v4 + with: + name: obs-studio-windows-x64-${{ github.ref_name }}-pdbs + compression-level: 9 + path: ${{ github.workspace }}/output/pdbs + + - name: Upload Installer + uses: actions/upload-artifact@v4 + with: + name: obs-studio-windows-x64-${{ github.ref_name }}-installer + compression-level: 0 + path: ${{ github.workspace }}/output/*.exe + + - name: Upload Updater Files + uses: actions/upload-artifact@v4 + with: + name: obs-studio-windows-x64-${{ github.ref_name }}-patches + compression-level: 0 + path: | + ${{ github.workspace }}/output/updater + ${{ github.workspace }}/output/*.json + ${{ github.workspace }}/output/*.sig + ${{ github.workspace }}/output/*.txt + ${{ github.workspace }}/output/*.rst
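Review bot: The Parse JWT step writes `$sha` to `workflow_sha` without checking it, so if the `job_workflow_sha` claim is missing from the decoded payload the checkout step receives an empty `ref:` and presumably falls back to the default ref rather than the commit that defines this workflow. Add `if (-not $sha) { throw "job_workflow_sha claim missing from ID token" }` before the `Write-Output` line; a throw in the pwsh shell fails the step. The step also deserves a comment explaining why it exists, since it stands in for the BOUF_ACTION_HASH folder check removed from push.yaml: something like `# Pin the checkout to the commit this reusable workflow was loaded from (job_workflow_sha claim), so ./repo/.github/actions/bouf cannot differ from the workflow invoking it`. The called workflow declares no `permissions:` of its own and so relies on the caller granting `id-token: write` for the token request; stating that in the same comment would save the next maintainer a surprise.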