
42 Commits

Author SHA1 Message Date
Brendan Allan
d9fdccbccb no but like actually 2026-02-14 15:18:00 +08:00
Brendan Allan
17d428abd3 try doing build on github runner 2026-02-14 15:14:44 +08:00
Brendan Allan
65fa8185f0 sign windows cli in separate job 2026-02-14 14:59:18 +08:00
Brendan Allan
4614929313 Merge branch 'dev' into brendan/desktop-signpath 2026-02-14 14:48:11 +08:00
Brendan Allan
9dca214331 Merge branch 'dev' into brendan/desktop-signpath 2026-02-14 14:40:29 +08:00
Brendan Allan
9db27ca32d Merge branch 'dev' into brendan/desktop-signpath 2026-02-14 14:39:47 +08:00
Brendan Allan
83a5a1a692 ci: test-signing signpath policy 2026-02-14 14:38:52 +08:00
Brendan Allan
1bf6328036 add blacksmith runners to allowed group 2026-02-14 14:38:26 +08:00
Brendan Allan
6aa4c12bdd remove adm-zip 2026-02-14 14:37:37 +08:00
Brendan Allan
2fe97672d2 remove unnecessary stuff 2026-02-14 14:36:25 +08:00
Brendan Allan
7869f9eff3 add cli code signing to beta publish 2026-02-14 14:31:50 +08:00
Brendan Allan
e6832c483c baseline 2026-02-14 14:23:46 +08:00
Brendan Allan
7a677dca13 fix workflow 2026-02-14 14:11:46 +08:00
Brendan Allan
a1fbea4c26 use signpath action again 2026-02-14 14:08:32 +08:00
Brendan Allan
70e564cabd dirname 2026-02-14 13:58:15 +08:00
Brendan Allan
dbaae8e426 relative 2026-02-13 15:01:01 +08:00
Brendan Allan
dae04b9b42 json 2026-02-13 14:58:02 +08:00
Brendan Allan
052da113dd copy artifacts after signing 2026-02-13 14:56:27 +08:00
Brendan Allan
c945dad5fe filter artifacts 2026-02-13 13:59:34 +08:00
Brendan Allan
1796eb5218 sign multiple artifacts 2026-02-13 13:56:36 +08:00
Brendan Allan
ac51387f10 try multiline again 2026-02-13 13:50:43 +08:00
Brendan Allan
b36cf8a096 fix executable 2026-02-13 13:50:28 +08:00
Brendan Allan
f2d3d25ca2 no multiline 2026-02-13 13:48:06 +08:00
Brendan Allan
2676cc0920 -_- 2026-02-13 13:45:13 +08:00
Brendan Allan
c4a314e534 print artifacts 2026-02-13 13:43:32 +08:00
Brendan Allan
c6219d3ce8 rewrite 2026-02-13 13:24:15 +08:00
Brendan Allan
aaf8bc7a30 more log 2026-02-13 13:07:35 +08:00
Brendan Allan
9efff51557 logs 2026-02-13 13:06:03 +08:00
Brendan Allan
73f15b4a30 -_- 2026-02-13 12:56:52 +08:00
Brendan Allan
ac8ceb58cc try using bun script 2026-02-13 12:55:28 +08:00
Brendan Allan
cf2ba0afea use vars instead of secrets for most things 2026-02-13 12:11:51 +08:00
Brendan Allan
9c5a0d9f0e Modify test-signing policy 2026-02-13 10:44:55 +08:00
Brendan Allan
660aeed351 update token perms 2026-02-13 10:28:59 +08:00
Brendan Allan
7ef54c3c96 fix runs-on 2026-02-12 19:22:36 +08:00
Brendan Allan
ac34194e7c remove branch_rulesets 2026-02-12 19:17:03 +08:00
Brendan Allan
376e357e0f only sticky disk on blacksmith runners 2026-02-12 19:16:22 +08:00
Brendan Allan
2ae4f387c0 pass through github token 2026-02-12 19:11:57 +08:00
Brendan Allan
4ee4d9ede0 use github actions runner 2026-02-12 19:09:32 +08:00
Brendan Allan
c9913ce72c signpath signing policy 2026-02-12 18:45:00 +08:00
Brendan Allan
4a410b3499 SIGNPATH_API_KEY 2026-02-12 18:39:07 +08:00
Brendan Allan
7a8d58cf42 push trigger 2026-02-12 18:37:24 +08:00
Brendan Allan
8841702b15 sign-cli workflow 2026-02-12 18:35:28 +08:00
3 changed files with 67 additions and 56 deletions


@@ -5,6 +5,7 @@ runs:
steps:
- name: Mount Bun Cache
uses: useblacksmith/stickydisk@v1
if: ${{ contains(runner.labels, 'blacksmith') }}
with:
key: ${{ github.repository }}-bun-cache-${{ runner.os }}
path: ~/.bun
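Review bot: The condition `if: ${{ contains(runner.labels, 'blacksmith') }}` on the Mount Bun Cache step reads a property that, as far as I know, the documented `runner` context does not expose (it lists `name`, `os`, `arch`, `temp`, `tool_cache`, `debug` and `environment`). A missing property evaluates to an empty value, so the expression would be false on every runner and the sticky disk would silently never mount, including on Blacksmith runners. Consider driving the step from something the caller controls, for example an action input checked as `if: ${{ inputs.use-stickydisk == 'true' }}` (the input name is a suggestion, not something in this file). A one-line comment above the step saying why it is conditional would also help. The steps list continues outside this hunk.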


@@ -32,7 +32,7 @@ permissions:
jobs:
version:
runs-on: blacksmith-4vcpu-ubuntu-2404
runs-on: ubuntu-latest # blacksmith-4vcpu-ubuntu-2404
if: github.repository == 'anomalyco/opencode'
steps:
- uses: actions/checkout@v3
@@ -60,7 +60,7 @@ jobs:
build-cli:
needs: version
runs-on: blacksmith-4vcpu-ubuntu-2404
runs-on: ubuntu-latest # blacksmith-4vcpu-ubuntu-2404
if: github.repository == 'anomalyco/opencode'
steps:
- uses: actions/checkout@v3
@@ -86,6 +86,70 @@ jobs:
outputs:
version: ${{ needs.version.outputs.version }}
sign-windows-cli:
needs: build-cli
runs-on: ubuntu-latest
if: ${{ github.repository == 'anomalyco/opencode' && github.ref_name == 'beta' }}
steps:
- uses: actions/download-artifact@v4
with:
name: opencode-cli
path: dist
- name: Upload unsigned Windows CLI
id: upload_unsigned_windows_cli
uses: actions/upload-artifact@v4
with:
name: unsigned-opencode-windows-cli
path: dist/opencode-windows-x64/bin/opencode.exe
if-no-files-found: error
- name: Submit SignPath signing request
uses: signpath/github-action-submit-signing-request@v1
with:
api-token: ${{ secrets.SIGNPATH_API_KEY }}
organization-id: ${{ secrets.SIGNPATH_ORGANIZATION_ID }}
project-slug: ${{ secrets.SIGNPATH_PROJECT_SLUG }}
signing-policy-slug: ${{ secrets.SIGNPATH_SIGNING_POLICY_SLUG }}
artifact-configuration-slug: ${{ secrets.SIGNPATH_ARTIFACT_CONFIGURATION_SLUG }}
github-artifact-id: ${{ steps.upload_unsigned_windows_cli.outputs.artifact-id }}
wait-for-completion: true
output-artifact-directory: signed-opencode-cli
- name: Upload signed Windows CLI
uses: actions/upload-artifact@v4
with:
name: signed-opencode-windows-cli
path: signed-opencode-cli/*.exe
if-no-files-found: error
- name: Upload unsigned Windows baseline CLI
id: upload_unsigned_windows_baseline_cli
uses: actions/upload-artifact@v4
with:
name: unsigned-opencode-windows-baseline-cli
path: dist/opencode-windows-x64-baseline/bin/opencode.exe
if-no-files-found: error
- name: Submit SignPath signing request
uses: signpath/github-action-submit-signing-request@v1
with:
api-token: ${{ secrets.SIGNPATH_API_KEY }}
organization-id: ${{ secrets.SIGNPATH_ORGANIZATION_ID }}
project-slug: ${{ secrets.SIGNPATH_PROJECT_SLUG }}
signing-policy-slug: ${{ secrets.SIGNPATH_SIGNING_POLICY_SLUG }}
artifact-configuration-slug: ${{ secrets.SIGNPATH_ARTIFACT_CONFIGURATION_SLUG }}
github-artifact-id: ${{ steps.upload_unsigned_windows_baseline_cli.outputs.artifact-id }}
wait-for-completion: true
output-artifact-directory: signed-opencode-baseline-cli
- name: Upload signed Windows baseline CLI
uses: actions/upload-artifact@v4
with:
name: signed-opencode-windows-baseline-cli
path: signed-opencode-baseline-cli/*.exe
if-no-files-found: error
build-tauri:
needs:
- build-cli
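Review bot: The new `sign-windows-cli` job declares no `permissions:` of its own, so it inherits the workflow-level block near the top of the file (outside these hunks), whereas the standalone sign-cli workflow removed in this comparison ran with only `contents: read` and `actions: read`. Because the job passes `secrets.SIGNPATH_API_KEY` to a third-party action, I would scope it at job level with `permissions:` / `contents: read` / `actions: read`. Both `signpath/github-action-submit-signing-request@v1` steps use a movable tag; pinning to a full commit SHA (`uses: signpath/github-action-submit-signing-request@<full-commit-sha>  # v1`) prevents a retagged release from running with the signing credentials. The gate `github.ref_name == 'beta'` would also match a tag named `beta`, so `github.ref == 'refs/heads/beta'` is the stricter check. The two submit steps share one name; renaming the second to something like `Submit SignPath signing request (baseline)` would keep run logs and audit trails unambiguous.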


@@ -1,54 +0,0 @@
name: sign-cli
on:
push:
branches:
- brendan/desktop-signpath
workflow_dispatch:
permissions:
contents: read
actions: read
jobs:
sign-cli:
runs-on: blacksmith-4vcpu-ubuntu-2404
if: github.repository == 'anomalyco/opencode'
steps:
- uses: actions/checkout@v3
with:
fetch-tags: true
- uses: ./.github/actions/setup-bun
- name: Build
run: |
./packages/opencode/script/build.ts
- name: Upload unsigned Windows CLI
id: upload_unsigned_windows_cli
uses: actions/upload-artifact@v4
with:
name: unsigned-opencode-windows-cli
path: packages/opencode/dist/opencode-windows-x64/bin/opencode.exe
if-no-files-found: error
- name: Submit SignPath signing request
id: submit_signpath_signing_request
uses: signpath/github-action-submit-signing-request@v1
with:
api-token: ${{ secrets.SIGNPATH_API_KEY }}
organization-id: ${{ secrets.SIGNPATH_ORGANIZATION_ID }}
project-slug: ${{ secrets.SIGNPATH_PROJECT_SLUG }}
signing-policy-slug: ${{ secrets.SIGNPATH_SIGNING_POLICY_SLUG }}
artifact-configuration-slug: ${{ secrets.SIGNPATH_ARTIFACT_CONFIGURATION_SLUG }}
github-artifact-id: ${{ steps.upload_unsigned_windows_cli.outputs.artifact-id }}
wait-for-completion: true
output-artifact-directory: signed-opencode-cli
- name: Upload signed Windows CLI
uses: actions/upload-artifact@v4
with:
name: signed-opencode-windows-cli
path: signed-opencode-cli/*.exe
if-no-files-found: error