github-personal/firezone
1
0
Fork 0
mirror of https://github.com/outbackdingo/firezone.git synced 2026-01-27 10:18:54 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
d26df944c07513673231bf52593e1a870aeadda8
firezone/.github/workflows/_tauri.yml
Thomas Eizinger d26df944c0 ci: reference GitHub actions by hash (#7724) 
To improve supply-chain security, reference all GitHub actions using the
hash of the released tag. GitHub recommends to do this for third-party
actions
(https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions).
In order to make our CI more deterministic, I opted to do it for all our
actions. This means any change to our workflow configuration requires a
source code change and thus passing CI on our end.

Dependabot will automatically issue PRs for these actions and update the
comment with the new version next to them.

Resolves: #2497.
2025-01-12 17:35:52 +00:00

134 lines
5.2 KiB
YAML
Raw Blame History

name: Tauri
on:
workflow_call:
inputs:
release_tag:
required: false
type: string
workflow_dispatch:
permissions:
# For saving to release
contents: write
id-token: write
defaults:
run:
working-directory: ./rust/gui-client
# Never tolerate warnings. Source of truth is `_rust.yml`
env:
RUSTFLAGS: "-Dwarnings"
RUSTDOCFLAGS: "-D warnings"
jobs:
build-gui:
name: build-gui-${{ matrix.runs-on }}
runs-on: ${{ matrix.runs-on }}
strategy:
fail-fast: false
matrix:
include:
- runs-on: ubuntu-22.04
arch: x86_64
os: linux
pkg-extension: deb
- runs-on: ubuntu-22.04-arm
arch: aarch64
os: linux
pkg-extension: deb
- runs-on: windows-2019
arch: x86_64
os: windows
pkg-extension: msi
env:
# mark:next-gui-version
ARTIFACT_SRC: ./rust/gui-client/firezone-client-gui-${{ matrix.os }}_1.4.1_${{ matrix.arch }}
# mark:next-gui-version
ARTIFACT_DST: firezone-client-gui-${{ matrix.os }}_1.4.1_${{ matrix.arch }}
AZURE_KEY_VAULT_URI: ${{ secrets.AZURE_KEY_VAULT_URI }}
AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
AZURE_CERT_NAME: ${{ secrets.AZURE_CERT_NAME }}
# mark:next-gui-version
BINARY_DEST_PATH: firezone-client-gui-${{ matrix.os }}_1.4.1_${{ matrix.arch }}
# Seems like there's no way to de-dupe env vars that depend on each other
# mark:next-gui-version
FIREZONE_GUI_VERSION: 1.4.1
RENAME_SCRIPT: ../../scripts/build/tauri-rename-${{ matrix.os }}.sh
TARGET_DIR: ../target
UPLOAD_SCRIPT: ../../scripts/build/tauri-upload-${{ matrix.os }}.sh
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-tags: true # Otherwise we cannot embed the correct version into the build.
- uses: ./.github/actions/setup-node
- uses: ./.github/actions/setup-rust
- uses: ./.github/actions/setup-tauri-v2
# Installing new packages can take time
timeout-minutes: 10
- uses: matbour/setup-sentry-cli@3e938c54b3018bdd019973689ef984e033b0454b #v2.0.0
with:
token: ${{ secrets.SENTRY_AUTH_TOKEN }}
organization: firezone-inc
- name: Install pnpm deps
run: pnpm install
- name: Install AzureSignTool
if: ${{ runner.os == 'Windows' }}
shell: bash
# AzureSignTool >= 5 needs .NET 8. windows-2019 runner only has .NET 7.
run: dotnet tool install --global AzureSignTool --version 4.0.1
- name: Check if swap needed
if: ${{ runner.os == 'Linux' }}
run: free -m
- name: Enable swap
if: ${{ runner.os == 'Linux' }}
run: sudo fallocate -l 8G /swapfile && sudo chmod 600 /swapfile && sudo mkswap /swapfile && sudo swapon /swapfile && free -m
- name: Build release exe and MSI / deb
env:
CARGO_PROFILE_RELEASE_LTO: thin # Fat LTO is getting too slow / RAM-hungry on Tauri builds
# Signs the exe before bundling it into the MSI
run: pnpm build
- name: Ensure unmodified Git workspace
run: git diff --exit-code
# We need to sign the exe inside the MSI. Currently
# we do this in a "beforeBundleCommand" hook in tauri.windows.conf.json.
# But this will soon be natively supported in Tauri.
# TODO: Use Tauri's native MSI signing with support for EV certs
# See https://github.com/tauri-apps/tauri/pull/8718
- name: Sign the MSI
if: ${{ runner.os == 'Windows' }}
shell: bash
run: ../../scripts/build/sign.sh ../target/release/bundle/msi/Firezone_${{ env.FIREZONE_GUI_VERSION }}_x64_en-US.msi
- name: Rename artifacts and compute SHA256
shell: bash
run: ${{ env.RENAME_SCRIPT }}
- name: Upload debug symbols to Sentry
if: ${{ github.ref_name == 'main' }}
run: |
sentry-cli debug-files upload --log-level info --project gui-client-gui --include-sources ../target
sentry-cli debug-files upload --log-level info --project gui-client-ipc-service --include-sources ../target
- name: Upload package
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: ${{ env.ARTIFACT_DST }}-pkg
path: ${{ env.ARTIFACT_SRC }}.${{ matrix.pkg-extension }}
if-no-files-found: error
- name: Upload rpm package
if: ${{ runner.os == 'Linux' }}
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: ${{ env.ARTIFACT_DST }}-rpm
path: ${{ env.ARTIFACT_SRC }}.rpm
if-no-files-found: error
- name: Upload Release Assets
# Only upload the GUI Client build to the drafted release on main builds
if: ${{ github.ref_name == 'main' }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
REPOSITORY: ${{ github.repository }}
TAG_NAME: gui-client-${{ env.FIREZONE_GUI_VERSION }}
shell: bash
run: ${{ env.UPLOAD_SCRIPT }}
Reference in New Issue View Git Blame Copy Permalink