From 75789b99479e6955a9e4e5a55a82d805b7adde65 Mon Sep 17 00:00:00 2001
From: DigHuang <114602213+DigHuang@users.noreply.github.com>
Date: Mon, 16 Mar 2026 13:33:35 +0800
Subject: [PATCH] chore(ci): update SignPath configuration for Windows signing (#516)
---
.github/workflows/release.yml | 78 +++++++++++++++-----------
.github/workflows/win-build-test.yml | 83 ++++++++++++++++++++++++++++
electron-builder.yml | 6 +-
package.json | 12 ++--
4 files changed, 138 insertions(+), 41 deletions(-)
create mode 100644 .github/workflows/win-build-test.yml
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 5984fd843..f04c3af0d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -15,6 +15,7 @@ on: permissions: contents: write + actions: read jobs: release:
@@ -32,30 +33,18 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@v6 with: fetch-depth: 0 + - name: Setup pnpm + uses: pnpm/action-setup@v4 + - name: Setup Node.js uses: actions/setup-node@v6 with: node-version: '24' - - - name: Setup pnpm - uses: pnpm/action-setup@v4 - - - name: Get pnpm store directory - shell: bash - run: | - echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV - - - name: Setup pnpm cache - uses: actions/cache@v4 - with: - path: ${{ env.STORE_PATH }} - key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }} - restore-keys: | - ${{ runner.os }}-pnpm-store- + cache: 'pnpm' - name: Install dependencies run: pnpm install
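Review bot: `actions: read` is added to the workflow-level `permissions:` block alongside `contents: write`, so every job in this workflow — including the matrix job that builds and signs the installers — runs with a token able to push to the repository, while the build itself only needs `contents: read`. Presumably `actions: read` is what lets the SignPath action fetch the uploaded artifact; if so, set the workflow default to `contents: read` and grant `contents: write` (and `actions: read`) per job via a job-level `permissions:` block. That way a compromised dependency or action in the build step cannot use the release token while producing the binaries that get code-signed.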
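Review bot: `actions/checkout@v6`, `pnpm/action-setup@v4` and `actions/setup-node@v6` are referenced by mutable major-version tags, and this job's output is what SignPath code-signs, so a retagged or compromised action version would yield a validly signed installer. Pin each action to a full-length commit SHA with the tag in a trailing comment, e.g. `uses: actions/checkout@<commit-sha> # v6`, and let Dependabot or Renovate bump the pins; the same applies to the `actions/upload-artifact@v4` and `signpath/github-action-submit-signing-request@v2` steps later in this file. The `steps:` list continues beyond the hunk.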
@@ -87,21 +76,52 @@ jobs: run: | ulimit -n 65536 echo "File descriptor limit: $(ulimit -n)" - pnpm run build:vite && pnpm exec zx scripts/bundle-openclaw.mjs && pnpm exec electron-builder --mac --publish never + pnpm run package:mac # Windows specific steps - name: Build Windows if: matrix.platform == 'win' - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: pnpm run build:vite && pnpm exec zx scripts/bundle-openclaw.mjs && pnpm exec electron-builder --win --publish never + run: pnpm run package:win + + - name: Upload unsigned Windows artifacts for SignPath + if: matrix.platform == 'win' + id: upload-unsigned-windows-artifact + uses: actions/upload-artifact@v4 + with: + name: unsigned-win-exe-${{ github.run_id }}-${{ github.run_attempt }} + path: release/*.exe + retention-days: 1 + + - name: Sign Windows artifacts via SignPath + if: matrix.platform == 'win' + id: signpath-sign-windows + uses: signpath/github-action-submit-signing-request@v2 + with: + api-token: ${{ secrets.SIGNPATH_API_TOKEN }} + organization-id: "78e37079-23df-4800-b41c-33312ad7c1e3" + project-slug: "ValueCell" + signing-policy-slug: "ValueCell-sign" + github-artifact-id: ${{ steps.upload-unsigned-windows-artifact.outputs.artifact-id }} + wait-for-completion: true + output-artifact-directory: release/signed + + - name: Replace unsigned executables with signed ones + if: matrix.platform == 'win' + shell: pwsh + run: | + $signedExeFiles = Get-ChildItem -Path "release/signed" -Filter *.exe -File -Recurse + if (-not $signedExeFiles) { + throw "No signed .exe files found in release/signed" + } + foreach ($file in $signedExeFiles) { + Copy-Item -Path $file.FullName -Destination "release/$($file.Name)" -Force + } + Write-Host "Signed executables copied to release/" # Linux specific steps - name: Build Linux if: matrix.platform == 'linux' - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: pnpm run build:vite && pnpm exec zx scripts/bundle-openclaw.mjs && pnpm exec electron-builder --linux --publish 
never + run: pnpm run package:linux - name: Upload artifacts uses: actions/upload-artifact@v4
@@ -127,10 +147,7 @@ jobs: runs-on: ubuntu-latest steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Download all artifacts + - name: Download release artifacts only uses: actions/download-artifact@v4 with: path: release-artifacts
@@ -222,10 +239,7 @@ jobs: runs-on: ubuntu-latest steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Download all artifacts + - name: Download release artifacts only uses: actions/download-artifact@v4 with: path: release-artifacts
diff --git a/.github/workflows/win-build-test.yml b/.github/workflows/win-build-test.yml
new file mode 100644
index 000000000..eaf2437bd
--- /dev/null
+++ b/.github/workflows/win-build-test.yml
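Review bot: The `Replace unsigned executables with signed ones` step only throws when `release/signed` contains no `.exe` at all, so if SignPath returns fewer files than were uploaded (the x64 and arm64 NSIS installers are now separate outputs per the `electron-builder.yml` change in this patch) the remaining unsigned installer is left in `release/` and silently published by the following `Upload artifacts` step. Nothing checks the returned signature either, so an unexpected certificate or policy would go unnoticed. Enumerate `release/*.exe` first, require a signed counterpart for each, and reject any whose `Get-AuthenticodeSignature` status is not `Valid` before overwriting, as below. Separately, if the `latest*.yml` electron-builder emits is shipped for electron-updater, its `sha512` and `size` entries were computed before signing and now describe the unsigned binary, so they need regenerating after the copy (the `Upload artifacts` path list is outside this hunk).
```yaml
      - name: Replace unsigned executables with signed ones
        if: matrix.platform == 'win'
        shell: pwsh
        run: |
          $unsignedExeFiles = Get-ChildItem -Path "release" -Filter *.exe -File
          if (-not $unsignedExeFiles) { throw "No installers found in release/" }
          foreach ($file in $unsignedExeFiles) {
            $signed = Get-ChildItem -Path "release/signed" -Filter $file.Name -File -Recurse | Select-Object -First 1
            if (-not $signed) { throw "No signed counterpart for $($file.Name) in release/signed" }
            $sig = Get-AuthenticodeSignature -FilePath $signed.FullName
            if ($sig.Status -ne 'Valid') { throw "Signature on $($file.Name) is $($sig.Status)" }
            Copy-Item -Path $signed.FullName -Destination $file.FullName -Force
          }
          # … unchanged: Write-Host summary …
```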
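Review bot: The step is renamed `Download release artifacts only`, but the `with:` block visible in the hunk contains just `path: release-artifacts` — no `name:` or `pattern:` — and `actions/download-artifact@v4` without a filter fetches every artifact of the run, including the one-day `unsigned-win-exe-<run_id>-<attempt>` artifact that holds the pre-signing installer under the same file name as the signed one. If no filter follows just past the hunk, add a `pattern:` (or `name:`) that selects only the release artifact names so the unsigned installer can never be picked up by whatever globbing follows. The identical hunk for the second job at line 222 needs the same check.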
@@ -0,0 +1,83 @@
+name: Windows Build Test
+
+on:
+ workflow_dispatch:
+ inputs:
+ version:
+ description: "Version for SignPath parameter (e.g., 1.0.0-test.1)"
+ required: false
+ default: "dev"
+
+permissions:
+ contents: read
+ actions: read
+
+jobs:
+ windows-build-sign:
+ runs-on: windows-latest
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v6
+ with:
+ fetch-depth: 0
+
+ - name: Setup pnpm
+ uses: pnpm/action-setup@v4
+
+ - name: Setup Node.js
+ uses: actions/setup-node@v6
+ with:
+ node-version: "24"
+ cache: "pnpm"
+
+ - name: Install dependencies
+ run: pnpm install
+
+ - name: Download uv binaries for Windows
+ run: pnpm run uv:download:win
+
+ - name: Build Windows
+ run: pnpm run package:win
+
+ # Required by SignPath Trusted Build: artifact must exist on GitHub first.
+ - name: Upload unsigned Windows artifacts for SignPath
+ id: upload-unsigned-windows-artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: unsigned-win-exe-${{ github.run_id }}-${{ github.run_attempt }}
+ path: release/*.exe
+ retention-days: 1
+
+ - name: Sign Windows artifacts via SignPath
+ id: signpath-sign-windows
+ uses: signpath/github-action-submit-signing-request@v2
+ with:
+ api-token: ${{ secrets.SIGNPATH_API_TOKEN }}
+ organization-id: "78e37079-23df-4800-b41c-33312ad7c1e3"
+ project-slug: "ValueCell"
+ signing-policy-slug: "ValueCell-sign"
+ github-artifact-id: ${{ steps.upload-unsigned-windows-artifact.outputs.artifact-id }}
+ wait-for-completion: true
+ output-artifact-directory: release/signed
+
+ - name: Replace unsigned executables with signed ones
+ shell: pwsh
+ run: |
+ $signedExeFiles = Get-ChildItem -Path "release/signed" -Filter *.exe -File -Recurse
+ if (-not $signedExeFiles) {
+ throw "No signed .exe files found in release/signed"
+ }
+ foreach ($file in $signedExeFiles) {
+ Copy-Item -Path $file.FullName -Destination "release/$($file.Name)" -Force
+ }
+ Write-Host "Signed executables copied to release/"
+
+ - name: Upload signed Windows
artifacts
+ uses: actions/upload-artifact@v4
+ with:
+ name: signed-win-exe-${{ github.run_id }}-${{ github.run_attempt }}
+ path: |
+ release/*.exe
+ release/latest*.yml
+ retention-days: 7
diff --git a/electron-builder.yml b/electron-builder.yml
index 24c6ad368..a034c9bc0 100644
--- a/electron-builder.yml
+++ b/electron-builder.yml
@@ -114,9 +114,9 @@ win: icon: resources/icons/icon.ico target: - target: nsis - arch: - - x64 - - arm64 + arch: x64 + - target: nsis + arch: arm64 nsis: oneClick: false
diff --git a/package.json b/package.json
index 4a6131fef..93b6a50dc 100644
--- a/package.json
+++ b/package.json
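Review bot: This `workflow_dispatch` job signs whatever ref it is dispatched on with the same `ValueCell-sign` policy the release workflow uses, so anyone with write access can obtain a production-signed installer built from an arbitrary branch and download it from the seven-day `signed-win-exe-*` artifact; unless the SignPath policy itself restricts origin branches, point this workflow at a separate test signing policy (test certificate) or gate the job on `github.ref == 'refs/heads/main'`. The `version` input (`description: "Version for SignPath parameter"`) is never read by any step, so either wire it into the signing request (the action's `parameters:` input, if the version in use supports it) or drop it. The organization id, project slug and policy slug are duplicated verbatim from `release.yml`; keep them in repository variables (`vars.SIGNPATH_ORGANIZATION_ID` and friends) so a policy change lands in one place. The unsigned-to-signed copy step also carries the same missing per-file and signature checks as its twin in `release.yml`.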
@@ -40,11 +40,11 @@
"uv:download:linux": "zx scripts/download-bundled-uv.mjs --platform=linux",
"uv:download:all": "zx scripts/download-bundled-uv.mjs --all",
"icons": "zx scripts/generate-icons.mjs",
- "package": "vite build && zx scripts/bundle-openclaw.mjs && zx scripts/bundle-openclaw-plugins.mjs && zx scripts/bundle-preinstalled-skills.mjs && electron-builder",
- "package:mac": "vite build && zx scripts/bundle-openclaw.mjs && zx scripts/bundle-openclaw-plugins.mjs && zx scripts/bundle-preinstalled-skills.mjs && electron-builder --mac",
- "package:win": "vite build && zx scripts/bundle-openclaw.mjs && zx scripts/bundle-openclaw-plugins.mjs && zx scripts/bundle-preinstalled-skills.mjs && electron-builder --win",
- "package:linux": "vite build && zx scripts/bundle-openclaw.mjs && zx scripts/bundle-openclaw-plugins.mjs && zx scripts/bundle-preinstalled-skills.mjs && electron-builder --linux",
- "release": "pnpm run uv:download && vite build && zx scripts/bundle-openclaw.mjs && zx scripts/bundle-openclaw-plugins.mjs && zx scripts/bundle-preinstalled-skills.mjs && electron-builder --publish always",
+ "package": "vite build && zx scripts/bundle-openclaw.mjs && zx scripts/bundle-openclaw-plugins.mjs",
+ "package:mac": "pnpm run package && electron-builder --mac --publish never",
+ "package:win": "pnpm run package && electron-builder --win --publish never",
+ "package:linux": "pnpm run package && electron-builder --linux --publish never",
+ "release": "pnpm run uv:download && pnpm run package && electron-builder --publish always",
"version:patch": "pnpm version patch",
"version:minor": "pnpm version minor",
"version:major": "pnpm version major",
@@ -123,4 +123,4 @@
"zx": "^8.8.5"
},
"packageManager": "pnpm@10.31.0+sha512.e3927388bfaa8078ceb79b748ffc1e8274e84d75163e67bc22e06c0d3aed43dd153151cbf11d7f8301ff4acb98c68bdc5cadf6989532801ffafe3b3e4a63c268"
-}
+}
\ No newline at end of file
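Review bot: The rewritten `package` script drops `zx scripts/bundle-preinstalled-skills.mjs`, which the old `package`, `package:*` and `release` scripts all ran, so every packaged build now skips that bundling step — a functional change the commit message (`chore(ci): update SignPath configuration`) does not mention. If intentional, say so in the commit message; if not, restore it: `"package": "vite build && zx scripts/bundle-openclaw.mjs && zx scripts/bundle-openclaw-plugins.mjs && zx scripts/bundle-preinstalled-skills.mjs"`. The second hunk also removes the trailing newline from `package.json` (`\ No newline at end of file`), which the next formatter run will revert; worth putting back.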