admin/DeskClaw
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore(ci): update SignPath configuration for Windows signing (#516)

Browse Source
This commit is contained in:
DigHuang
2026-03-16 13:33:35 +08:00
committed by GitHub
Unverified
parent 9ec23174c0
commit 75789b9947
4 changed files with 138 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

78
.github/workflows/release.yml vendored
View File

@@ -15,6 +15,7 @@ on:
permissions:
contents: write
actions: read
jobs:
release:
@@ -32,30 +33,18 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@v6
with:
fetch-depth: 0
- name: Setup pnpm
uses: pnpm/action-setup@v4
- name: Setup Node.js
uses: actions/setup-node@v6
with:
node-version: '24'
- name: Setup pnpm
uses: pnpm/action-setup@v4
- name: Get pnpm store directory
shell: bash
run: |
echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
- name: Setup pnpm cache
uses: actions/cache@v4
with:
path: ${{ env.STORE_PATH }}
key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
restore-keys: |
${{ runner.os }}-pnpm-store-
cache: 'pnpm'
- name: Install dependencies
run: pnpm install
@@ -87,21 +76,52 @@ jobs:
run: |
ulimit -n 65536
echo "File descriptor limit: $(ulimit -n)"
pnpm run build:vite && pnpm exec zx scripts/bundle-openclaw.mjs && pnpm exec electron-builder --mac --publish never
pnpm run package:mac
# Windows specific steps
- name: Build Windows
if: matrix.platform == 'win'
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: pnpm run build:vite && pnpm exec zx scripts/bundle-openclaw.mjs && pnpm exec electron-builder --win --publish never
run: pnpm run package:win
- name: Upload unsigned Windows artifacts for SignPath
if: matrix.platform == 'win'
id: upload-unsigned-windows-artifact
uses: actions/upload-artifact@v4
with:
name: unsigned-win-exe-${{ github.run_id }}-${{ github.run_attempt }}
path: release/*.exe
retention-days: 1
- name: Sign Windows artifacts via SignPath
if: matrix.platform == 'win'
id: signpath-sign-windows
uses: signpath/github-action-submit-signing-request@v2
with:
api-token: ${{ secrets.SIGNPATH_API_TOKEN }}
organization-id: "78e37079-23df-4800-b41c-33312ad7c1e3"
project-slug: "ValueCell"
signing-policy-slug: "ValueCell-sign"
github-artifact-id: ${{ steps.upload-unsigned-windows-artifact.outputs.artifact-id }}
wait-for-completion: true
output-artifact-directory: release/signed
- name: Replace unsigned executables with signed ones
if: matrix.platform == 'win'
shell: pwsh
run: |
$signedExeFiles = Get-ChildItem -Path "release/signed" -Filter *.exe -File -Recurse
if (-not $signedExeFiles) {
throw "No signed .exe files found in release/signed"
}
foreach ($file in $signedExeFiles) {
Copy-Item -Path $file.FullName -Destination "release/$($file.Name)" -Force
}
Write-Host "Signed executables copied to release/"
# Linux specific steps
- name: Build Linux
if: matrix.platform == 'linux'
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: pnpm run build:vite && pnpm exec zx scripts/bundle-openclaw.mjs && pnpm exec electron-builder --linux --publish never
run: pnpm run package:linux
- name: Upload artifacts
uses: actions/upload-artifact@v4
@@ -127,10 +147,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Download all artifacts
- name: Download release artifacts only
uses: actions/download-artifact@v4
with:
path: release-artifacts
@@ -222,10 +239,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Download all artifacts
- name: Download release artifacts only
uses: actions/download-artifact@v4
with:
path: release-artifacts

83
.github/workflows/win-build-test.yml vendored Normal file
View File

@@ -0,0 +1,83 @@
name: Windows Build Test
on:
workflow_dispatch:
inputs:
version:
description: "Version for SignPath parameter (e.g., 1.0.0-test.1)"
required: false
default: "dev"
permissions:
contents: read
actions: read
jobs:
windows-build-sign:
runs-on: windows-latest
steps:
- name: Checkout code
uses: actions/checkout@v6
with:
fetch-depth: 0
- name: Setup pnpm
uses: pnpm/action-setup@v4
- name: Setup Node.js
uses: actions/setup-node@v6
with:
node-version: "24"
cache: "pnpm"
- name: Install dependencies
run: pnpm install
- name: Download uv binaries for Windows
run: pnpm run uv:download:win
- name: Build Windows
run: pnpm run package:win
# Required by SignPath Trusted Build: artifact must exist on GitHub first.
- name: Upload unsigned Windows artifacts for SignPath
id: upload-unsigned-windows-artifact
uses: actions/upload-artifact@v4
with:
name: unsigned-win-exe-${{ github.run_id }}-${{ github.run_attempt }}
path: release/*.exe
retention-days: 1
- name: Sign Windows artifacts via SignPath
id: signpath-sign-windows
uses: signpath/github-action-submit-signing-request@v2
with:
api-token: ${{ secrets.SIGNPATH_API_TOKEN }}
organization-id: "78e37079-23df-4800-b41c-33312ad7c1e3"
project-slug: "ValueCell"
signing-policy-slug: "ValueCell-sign"
github-artifact-id: ${{ steps.upload-unsigned-windows-artifact.outputs.artifact-id }}
wait-for-completion: true
output-artifact-directory: release/signed
- name: Replace unsigned executables with signed ones
shell: pwsh
run: |
$signedExeFiles = Get-ChildItem -Path "release/signed" -Filter *.exe -File -Recurse
if (-not $signedExeFiles) {
throw "No signed .exe files found in release/signed"
}
foreach ($file in $signedExeFiles) {
Copy-Item -Path $file.FullName -Destination "release/$($file.Name)" -Force
}
Write-Host "Signed executables copied to release/"
- name: Upload signed Windows artifacts
uses: actions/upload-artifact@v4
with:
name: signed-win-exe-${{ github.run_id }}-${{ github.run_attempt }}
path: |
release/*.exe
release/latest*.yml
retention-days: 7