ptarmiganlabs · mountaindude · Mar 19, 2024 · Mar 19, 2024 · Mar 19, 2024
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -0,0 +1,359 @@
+name: ci-pipeline
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+
+jobs:
+  release-please:
+    runs-on: ubuntu-latest
+    outputs:
+      releases_created: ${{ steps.release.outputs.releases_created }}
+      release_tag_name: ${{ steps.release.outputs.tag_name }}
+      release_upload_url: ${{ steps.release.outputs.upload_url }}
+    env:
+      GITHUB_REF: ${{ github.ref }}
+      GITHUB_TOKEN: ${{ secrets.PAT }}
+      DIST_FILE_NAME: qs-jwt
+    steps:
+      - name: Show github.ref
+        run: echo "$GITHUB_REF"
+
+      - uses: google-github-actions/release-please-action@v4
+        id: release
+        if: |
+          github.repository_owner == 'ptarmiganlabs' 
+        with:
+          token: ${{ secrets.RELEASE_PLEASE_PAT }}
+          # optional. customize path to release-please-config.json
+          config-file: release-please-config.json
+          # optional. customize path to .release-please-manifest.json
+          manifest-file: .release-please-manifest.json
+          target-branch: main
+
+
+      - name: Show output from Release-Please
+        if: always()
+        env:
+          RELEASE_PLEASE_OUTPUT: ${{ toJSON(steps.release.outputs) }}
+        run: echo "$RELEASE_PLEASE_OUTPUT"
+
+      - name: Show output from Release-Please
+        # if: ${{ steps.release.outputs.releases_created }}
+        run: |
+          echo "release_created : ${{ steps.release.outputs.release_created }}"
+          echo "releases_created: ${{ steps.release.outputs.releases_created }}"
+          echo "draft           : ${{ steps.release.outputs['draft'] }}"
+          echo "path            : ${{ steps.release.outputs['path'] }}"
+          echo "upload_url      : ${{ steps.release.outputs['upload_url'] }}"
+          echo "html_url        : ${{ steps.release.outputs['html_url'] }}"
+          echo "tag_name        : ${{ steps.release.outputs['tag_name'] }}"
+          echo "version         : ${{ steps.release.outputs['version'] }}"
+          echo "major           : ${{ steps.release.outputs['major'] }}"
+          echo "minor           : ${{ steps.release.outputs['minor'] }}"
+          echo "patch           : ${{ steps.release.outputs['patch'] }}"
+          echo "sha             : ${{ steps.release.outputs['sha'] }}"
+
+  release-macos:
+    needs: release-please
+    runs-on:
+      - self-hosted
+      - x64
+      - macos
+      - sp53
+    # timeout-minutes: 15
+
+    if: needs.release-please.outputs.releases_created == 'true'
+    env:
+      DIST_FILE_NAME: qs-jwt
+      GITHUB_TOKEN: ${{ secrets.PAT }}
+      MACOS_CERTIFICATE: ${{ secrets.PROD_MACOS_CERTIFICATE_BASE64_CODESIGN }}
+      MACOS_CERTIFICATE_PWD: ${{ secrets.PROD_MACOS_CERTIFICATE_CODESIGN_PWD }}
+      MACOS_CERTIFICATE_NAME: ${{ secrets.PROD_MACOS_CERTIFICATE_CODESIGN_NAME }}
+      MACOS_CI_KEYCHAIN_PWD: ${{ secrets.PROD_MACOS_CI_KEYCHAIN_PWD }}
+      PROD_MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_APPLE_ID }}
+      PROD_MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.PROD_MACOS_NOTARIZATION_TEAM_ID }}
+      PROD_MACOS_NOTARIZATION_PWD: ${{ secrets.PROD_MACOS_NOTARIZATION_PWD }}    
+    steps:
+      - name: Release tag and upload url from previous job
+        run: |
+          echo "tag_name   : ${{ needs.release-please.outputs.release_tag_name }}"
+          echo "upload_url : ${{ needs.release-please.outputs.release_upload_url }}"
+
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: lts/*
+
+      - name: Install tool for creating stand-alone executables
+        run: |
+          npm install pkg --location=global
+          npm install --save-exact esbuild
+
+      - name: Install dependencies
+        run: |
+          pwd 
+          npm ci --include=prod
+
+      - name: Build binaries
+        run: |
+          pwd
+          ./node_modules/.bin/esbuild ./qs-jwt.js --bundle --outfile=qs-jwt.cjs --format=cjs --platform=node --target=node18 --minify
+          pkg --output "./${DIST_FILE_NAME}" -t node18-macos-x64 ./qs-jwt.cjs --config package.json --compress GZip
+
+          chmod +x "${DIST_FILE_NAME}"
+          security delete-keychain build.keychain || true
+
+          # Turn our base64-encoded certificate back to a regular .p12 file
+          echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
+
+          # We need to create a new keychain, otherwise using the certificate will prompt
+          # with a UI dialog asking for the certificate password, which we can't
+          # use in a headless CI environment
+
+          security create-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
+          security list-keychains -d user -s build.keychain
+          security default-keychain -d user -s build.keychain
+          security unlock-keychain -p "$MACOS_CI_KEYCHAIN_PWD" build.keychain
+          security import certificate.p12 -k build.keychain -P "$MACOS_CERTIFICATE_PWD" -T /usr/bin/codesign
+          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$MACOS_CI_KEYCHAIN_PWD" build.keychain
+
+          codesign --force -s "$MACOS_CERTIFICATE_NAME" -v "./${DIST_FILE_NAME}" --deep --strict --options=runtime --timestamp --entitlements ./release-config/${DIST_FILE_NAME}.entitlements
+
+          # We can't notarize an app bundle directly, but we need to compress it as an archive.
+          # Therefore, we create a zip file containing our app bundle, so that we can send it to the
+          # notarization service
+
+          # Notarize release binary
+          echo "Creating temp notarization archive for release binary"
+          zip -r "./${DIST_FILE_NAME}-${{ needs.release-please.outputs.release_tag_name }}-macos.zip" "./${DIST_FILE_NAME}" -x "*.DS_Store"
+
+          # Add additional files to the zip file, if any
+
+          # Here we send the notarization request to the Apple's Notarization service, waiting for the result.
+          # This typically takes a few seconds inside a CI environment, but it might take more depending on the App
+          # characteristics. Visit the Notarization docs for more information and strategies on how to optimize it if
+          # you're curious
+          echo "Notarize release app"
+          xcrun notarytool submit "./${DIST_FILE_NAME}-${{ needs.release-please.outputs.release_tag_name }}-macos.zip" --keychain-profile "notarytool-profile" --wait
+
+          # Delete build keychain
+          security delete-keychain build.keychain
+
+      - name: Upload to existing release
+        uses: ncipollo/release-action@v1
+        with:
+          allowUpdates: true
+          omitBodyDuringUpdate: true
+          omitNameDuringUpdate: true
+          artifactContentType: raw
+          # artifactContentType: application/zip
+          draft: true
+          tag: ${{ needs.release-please.outputs.release_tag_name }}
+          artifacts: ./qs-jwt-${{ needs.release-please.outputs.release_tag_name }}-macos.zip
+          token: ${{ github.token }}
+
+      - name: Tidy up before existing
+        run: |
+          pwd
+          ls -la 
+          rm qs-jwt.cjs
+          rm "./${DIST_FILE_NAME}"
+          rm "./${DIST_FILE_NAME}-${{ needs.release-please.outputs.release_tag_name }}-macos.zip"
+
+  release-win64:
+    needs: release-please
+    runs-on:
+      - self-hosted
+      - x64
+      - windows
+      - sp53
+      - win-code-sign
+    # timeout-minutes: 15
+    if: needs.release-please.outputs.releases_created == 'true'
+    env:
+      DIST_FILE_NAME: qs-jwt
+      GITHUB_TOKEN: ${{ secrets.PAT }}
+      CODESIGN_WIN_THUMBPRINT: ${{ secrets.WIN_CODESIGN_THUMBPRINT}}
+    steps:
+      - name: Release tag and upload url from previous job
+        run: |
+          Write-Output 'tag_name        : ${{ needs.release-please.outputs.release_tag_name }}'
+          Write-Output 'upload_url      : ${{ needs.release-please.outputs.release_upload_url }}'
+
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: lts/*
+
+      - name: Install tool for creating stand-alone executables
+        run: |
+          npm install pkg --location=global
+          npm install --save-exact esbuild
+
+      - name: Install dependencies
+        run: |
+          pwd 
+          npm ci --include=prod
+
+      - name: Build binaries
+        run: |
+          ./node_modules/.bin/esbuild ./qs-jwt.js --bundle --external:axios --external:xdg-open --external:enigma.js --outfile=qs-jwt.cjs --format=cjs --platform=node --target=node18 --minify
+          pkg --output "./${env:DIST_FILE_NAME}.exe" -t node18-win-x64 ./qs-jwt.cjs --config package.json --compress GZip
+
+          # # Extract signing certificate to files on disk
+          # New-Item -ItemType directory -Path certificate
+          # Set-Content -Path certificate\certificate.txt -Value $env:CODESIGN_BASE64
+          # certutil -decode certificate\certificate.txt certificate\certificate.pfx
+          # Set-Content -Path certificate\intermediate.txt -Value $env:CODESIGN_INTERMEDIATE_BASE64
+          # certutil -decode certificate\intermediate.txt certificate\intermediate.crt
+
+          # $processOptions = @{
+          #   FilePath = "C:\Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x64/signtool.exe"
+          #   Wait = $true
+          #   ArgumentList = "sign", "/fd", "SHA256", "/p", "$env:CODESIGN_PWD", "/ac", "certificate\intermediate.crt", "/f", "certificate\certificate.pfx", "/tr", "http://timestamp.sectigo.com/rfc3161", "/td", "sha256", "./${env:DIST_FILE_NAME}.exe"
+          #   WorkingDirectory = "."
+          #   NoNewWindow = $true
+          # }
+          # Start-Process @processOptions
+
+          # Sign the executable
+          # 1st signing
+          $processOptions1 = @{
+            FilePath = "C:\Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x64/signtool.exe"
+            Wait = $true
+            ArgumentList = "sign", "/sha1", "$env:CODESIGN_WIN_THUMBPRINT", "/tr", "http://time.certum.pl", "/td", "sha256", "/fd", "sha1", "/v", "./${env:DIST_FILE_NAME}.exe"
+            WorkingDirectory = "."
+            NoNewWindow = $true
+          }
+          Start-Process @processOptions1
+
+          # 2nd signing
+          $processOptions2 = @{
+            FilePath = "C:\Program Files (x86)/Windows Kits/10/bin/10.0.22621.0/x64/signtool.exe"
+            Wait = $true
+            ArgumentList = "sign", "/sha1", "$env:CODESIGN_WIN_THUMBPRINT", "/tr", "http://time.certum.pl", "/td", "sha256", "/fd", "sha256", "/v", "./${env:DIST_FILE_NAME}.exe"
+            WorkingDirectory = "."
+            NoNewWindow = $true
+          }
+          Start-Process @processOptions2
+
+          # Create release binary zip
+          $compress = @{
+            Path = "./${env:DIST_FILE_NAME}.exe"
+            CompressionLevel = "Fastest"
+            DestinationPath = "${env:DIST_FILE_NAME}-${{ needs.release-please.outputs.release_tag_name }}-win.zip"
+          }
+          Compress-Archive @compress
+
+          # Add additional directories & files to the created zip file, if any
+
+          Compress-Archive -Path "./config" -Update -DestinationPath "./${env:DIST_FILE_NAME}-${{ needs.release-please.outputs.release_tag_name }}-win.zip"
+
+      - name: Upload to existing release
+        uses: ncipollo/release-action@v1
+        with:
+          allowUpdates: true
+          omitBodyDuringUpdate: true
+          omitNameDuringUpdate: true
+          artifactContentType: raw
+          # artifactContentType: application/zip
+          draft: true
+          tag: ${{ needs.release-please.outputs.release_tag_name }}
+          artifacts: ./qs-jwt-${{ needs.release-please.outputs.release_tag_name }}-win.zip
+          token: ${{ github.token }}
+
+      - name: Tidy up before existing
+        run: |
+          dir
+          del qs-jwt.cjs
+          del "./${env:DIST_FILE_NAME}.exe"
+          del "./${env:DIST_FILE_NAME}-${{ needs.release-please.outputs.release_tag_name }}-win.zip"
+
+  release-linux:
+    needs: release-please
+    runs-on: ubuntu-latest
+    # timeout-minutes: 15
+
+    if: needs.release-please.outputs.releases_created == 'true'
+    env:
+      DIST_FILE_NAME: qs-jwt
+      GITHUB_TOKEN: ${{ secrets.PAT }}
+    steps:
+      - name: Release tag and upload url from previous job
+        run: |
+          echo "tag_name   : ${{ needs.release-please.outputs.release_tag_name }}"
+          echo "upload_url : ${{ needs.release-please.outputs.release_upload_url }}"
+
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: lts/*
+
+      - name: Install tool for creating stand-alone executables
+        run: |
+          npm install pkg --location=global
+          npm install --save-exact esbuild
+
+      - name: Install dependencies
+        run: |
+          pwd 
+          npm ci --include=prod
+
+      - name: Build binaries
+        run: |
+          ./node_modules/.bin/esbuild ./qs-jwt.js --bundle --external:axios --external:xdg-open --external:enigma.js --outfile=qs-jwt.cjs --format=cjs --platform=node --target=node18 --minify
+          pkg --output "./${DIST_FILE_NAME}" -t node18-linux-x64 ./qs-jwt.cjs --config package.json --compress GZip
+
+          chmod +x ${DIST_FILE_NAME}
+
+      - name: Make binary executable
+        run: |
+          chmod +x ./${DIST_FILE_NAME}
+
+      - name: Compress release binary
+        run: |
+          # Compress insider's build
+          # Include following directories & files in the created archive file.
+          # - ./src/config/log_appender_xml
+          # - ./src/config⁄production_template.yaml
+
+          ls -la
+          zip -9 -r ./${DIST_FILE_NAME}-${{ needs.release-please.outputs.release_tag_name }}-linux.zip ${DIST_FILE_NAME}
+
+
+      - name: Debug
+        run: |
+          ls -la
+
+      - name: Upload to existing release
+        uses: ncipollo/release-action@v1
+        with:
+          allowUpdates: true
+          omitBodyDuringUpdate: true
+          omitNameDuringUpdate: true
+          artifactContentType: raw
+          # artifactContentType: application/zip
+          draft: true
+          tag: ${{ needs.release-please.outputs.release_tag_name }}
+          artifacts: ./qs-jwt-${{ needs.release-please.outputs.release_tag_name }}-linux.zip
+          token: ${{ github.token }}
+
+      - name: Tidy up before existing
+        run: |
+          pwd
+          ls -la
+          rm qs-jwt.cjs
+          rm "./${DIST_FILE_NAME}"
+          rm "./${DIST_FILE_NAME}-${{ needs.release-please.outputs.release_tag_name }}-linux.zip"
diff --git a/.github/workflows/codeql-analysis.yml → .github/workflows/codeql-analysis.yaml b/.github/workflows/codeql-analysis.yml → .github/workflows/codeql-analysis.yaml