From c99a543030148ff7d0647007971ca4271730f46f Mon Sep 17 00:00:00 2001 
From: Joseph Flinn <58369717+joseph-flinn@users.noreply.github.com> Date: Thu, 16 Sep 2021 10:15:05 -0700 Subject: [PATCH] Pinning ast version (#1080) * Pinning version of AST instead of using latest * adding the pinned version of the commit * adding an array join * pinning version of dotnet * trying the AST pin of the version we started using * disabling jobs and adding test step to window job * adding dotnet 2.1.x to see if that fixes the issue * removing the test code and testing the addition of .net 2.1.x * repinning to last successful sign * trying the newest version of AST * disabling the non-windows jobs again * disabling the windows build job and added a test job * removing stray comma * changing the multiline delimiter * pivoting away from our EV cert and testing with a test one * switching back to the EV cert and adding a verbose flag * disabling some steps that are breaking * swithing back to the test cert * testing new format for the ast command * removing the node portions of the test since they are not needed * trying AST without the tenat-id * rolling back to original commit * switching to custom AST for better troubleshooting * removing the ast commit logic and forcing latest * fixing up the pwsh sign command * fixing the AST verison * making sure that the secrets are not blank * trying the EV cert for signing * Using pinned commit from AST instead of custom code * fixing env * building the actually pinned commit instead of whatever the other thing was... 
* testing the windows job * removing the dotnet 2.1.x dependency since the older AST version shouldn't need it * reenabling the test ast job since something is failing * moving the git switch command * testing new gh-action * fixing the gh-action path * updating the hash of the new action * enabling the build jobs again * updating the hash for the new Install AST action * fixing linter issues --- .github/workflows/build.yml | 40 +++++++++-------------------------- .github/workflows/deploy.yml | 13 ++++++------ .github/workflows/release.yml | 36 ++++++------------------------- sign.js | 2 +- 4 files changed, 25 insertions(+), 66 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 19f523c2..d4754aaa 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -10,7 +10,7 @@ on: jobs: cloc: name: CLOC - runs-on: ubuntu-latest + runs-on: ubuntu-20.04 steps: - name: Checkout repo uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4 @@ -23,9 +23,10 @@ jobs: - name: Print lines of code run: cloc --include-lang TypeScript,JavaScript,HTML,Sass,CSS --vcs git + linux: name: Linux Build - runs-on: ubuntu-latest + runs-on: ubuntu-20.04 steps: - name: Checkout repo uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4 @@ -115,18 +116,14 @@ jobs: path: ./dist/Bitwarden-${{ env.PACKAGE_VERSION }}-x86_64.AppImage if-no-files-found: error + windows: name: Windows Build - runs-on: windows-latest + runs-on: windows-2019 steps: - name: Checkout repo uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4 - - name: Set up dotnet - uses: actions/setup-dotnet@a71d1eb2c86af85faa8c772c03fb365e377e45ea # v1.8.0 - with: - dotnet-version: "3.1.x" - - name: Set up Node uses: actions/setup-node@46071b5c7a2e0c34e49c3cb8a0e792e86e18d5ea # v2.1.5 with: 
@@ -150,24 +147,7 @@ jobs: node-gyp install $(node -v) - name: Install AST - shell: pwsh - run: | - cd $HOME - - git clone https://github.com/vcsjones/AzureSignTool.git - cd AzureSignTool - $latest_head = $(git rev-parse HEAD)[0..9] -join "" - $latest_version = "0.0.0-g$latest_head" - - Write-Host "--------" - Write-Host "git commit - $(git rev-parse HEAD)" - Write-Host "latest_head - $latest_head" - Write-Host "PACKAGE VERSION TO BUILD - $latest_version" - Write-Host "--------" - - dotnet restore - dotnet pack --output ./nupkg - dotnet tool install --global --ignore-failed-sources --add-source ./nupkg --version $latest_version azuresigntool + uses: bitwarden/gh-actions/install-ast@f135c42c8596cb535c5bcb7523c0b2eef89709ac - name: Set up environment shell: pwsh @@ -267,7 +247,7 @@ jobs: macos-build: name: MacOS Build - runs-on: macos-latest + runs-on: macos-11 steps: - name: Checkout repo uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4 @@ -368,7 +348,7 @@ jobs: macos-package-github: name: MacOS Package GitHub Release Assets - runs-on: macos-latest + runs-on: macos-11 needs: macos-build if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc' steps: @@ -498,7 +478,7 @@ jobs: macos-package-mas: name: MacOS Package Prod Release Asset - runs-on: macos-latest + runs-on: macos-11 needs: macos-build if: github.ref == 'refs/heads/master' || github.ref == 'refs/heads/rc' steps: @@ -624,7 +604,7 @@ jobs: macos-package-dev: name: MacOS Package Dev Release Asset if: false # We need to look into how code signing works for dev - runs-on: macos-latest + runs-on: macos-11 needs: macos-build steps: - name: Checkout repo diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 2d166027..9febedad 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml 
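Review bot: The new `uses: bitwarden/gh-actions/install-ast@f135c42c8596cb535c5bcb7523c0b2eef89709ac` line in the Install AST step has no trailing comment, unlike the other SHA-pinned actions in this workflow (`actions/checkout@… # v2.3.4`), and the AzureSignTool revision it installs can no longer be read from this file. This tool handles the code-signing credentials, so the pin on the tool itself should be auditable here; I would add a comment such as `# installs AzureSignTool at <pinned-AST-commit>` (placeholder, to be filled in from the action's source). The preceding hunk also removes the `Set up dotnet` step, so the job presumably relies on the .NET SDK shipped in the `windows-2019` image or set up inside the action, which is worth stating in the same comment. All of this applies equally to the matching Install AST hunk in `.github/workflows/release.yml`.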
@@ -11,7 +11,7 @@ on: jobs: setup: name: Setup - runs-on: ubuntu-latest + runs-on: ubuntu-20.04 outputs: package_version: ${{ steps.create_tags.outputs.package_version }} tag_version: ${{ steps.create_tags.outputs.tag_version }} @@ -45,7 +45,7 @@ jobs: snap: name: Deploy Snap - runs-on: ubuntu-latest + runs-on: ubuntu-20.04 needs: setup env: _PKG_VERSION: ${{ needs.setup.outputs.package_version }} @@ -81,7 +81,7 @@ jobs: choco: name: Deploy Choco - runs-on: windows-latest + runs-on: windows-2019 needs: setup env: _PKG_VERSION: ${{ needs.setup.outputs.package_version }} @@ -124,7 +124,7 @@ jobs: macos: name: Deploy MacOS - runs-on: macos-latest + runs-on: macos-11 needs: setup env: _PKG_VERSION: ${{ needs.setup.outputs.package_version }} @@ -153,7 +153,7 @@ jobs: auto-updater-deploy: name: Release auto-updater files - runs-on: ubuntu-latest + runs-on: ubuntu-20.04 needs: - setup - snap @@ -178,7 +178,8 @@ jobs: #cat release.json RELEASE_UPLOAD_URL=$(cat release.json | jq -r ' .upload_url ' | cut -d { -f 1) - cat release.json | jq -rc ' .assets[] | select( .name | test("prerelease-latest.*[yml|json]")) | {name: .name, url: .url, content_type: .content_type}' > release_assets.jsonl + cat release.json \ + | jq -rc ' .assets[] | select( .name | test("prerelease-latest.*[yml|json]")) | {name: .name, url: .url, content_type: .content_type}' > release_assets.jsonl echo "=====ASSETS=====" echo Release Upload URL: $RELEASE_UPLOAD_URL diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 78874f2a..1ddff1cd 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -14,7 +14,7 @@ on: jobs: setup: name: Setup - runs-on: ubuntu-latest + runs-on: ubuntu-20.04 outputs: release_upload_url: ${{ steps.create_release.outputs.upload_url }} steps: @@ -62,7 +62,7 @@ jobs: linux: name: Linux - runs-on: ubuntu-latest + runs-on: ubuntu-20.04 needs: setup steps: - name: Checkout repo 
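Review bot: In the re-wrapped `jq` filter of the auto-updater job in deploy.yml, `test("prerelease-latest.*[yml|json]")` uses a bracket expression, which matches any single one of the characters `y`, `m`, `l`, `|`, `j`, `s`, `o`, `n` rather than the extensions `yml` or `json`. The commit only splits the line, so the over-broad match carries over and decides which assets are written to `release_assets.jsonl`. I would anchor it on the extension: `test("prerelease-latest.*\\.(yml|json)$")`. `$RELEASE_UPLOAD_URL` in the `echo` that follows is also unquoted and should be `"$RELEASE_UPLOAD_URL"`. The `run:` script starts and ends outside the hunk.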
@@ -117,17 +117,12 @@ jobs: windows-signed: name: Windows Signed - runs-on: windows-latest + runs-on: windows-2019 needs: setup steps: - name: Checkout repo uses: actions/checkout@5a4ac9002d0be2fb38bd78e4b4dbde5606d7042f # v2.3.4 - - name: Set up dotnet - uses: actions/setup-dotnet@a71d1eb2c86af85faa8c772c03fb365e377e45ea # v1.8.0 - with: - dotnet-version: "3.1.x" - - name: Set up Node uses: actions/setup-node@46071b5c7a2e0c34e49c3cb8a0e792e86e18d5ea # v2.1.5 with: @@ -151,24 +146,7 @@ jobs: node-gyp install $(node -v) - name: Install AST - shell: pwsh - run: | - cd $HOME - - git clone https://github.com/vcsjones/AzureSignTool.git - cd AzureSignTool - $latest_head = $(git rev-parse HEAD)[0..9] -join "" - $latest_version = "0.0.0-g$latest_head" - - Write-Host "--------" - Write-Host "git commit - $(git rev-parse HEAD)" - Write-Host "latest_head - $latest_head" - Write-Host "PACKAGE VERSION TO BUILD - $latest_version" - Write-Host "--------" - - dotnet restore - dotnet pack --output ./nupkg - dotnet tool install --global --ignore-failed-sources --add-source ./nupkg --version $latest_version azuresigntool + uses: bitwarden/gh-actions/install-ast@f135c42c8596cb535c5bcb7523c0b2eef89709ac - name: Set up environment shell: pwsh @@ -231,7 +209,7 @@ jobs: windows-store: name: Windows Store - runs-on: windows-latest + runs-on: windows-2019 needs: setup steps: - name: Checkout repo @@ -316,7 +294,7 @@ jobs: macos: name: MacOS - runs-on: macos-latest + runs-on: macos-11 needs: setup steps: - name: Checkout repo @@ -437,7 +415,7 @@ jobs: update-release-assets: name: Update Release Assets - runs-on: ubuntu-latest + runs-on: ubuntu-20.04 needs: - setup - linux diff --git a/sign.js b/sign.js index 9f8277c0..448ff705 100644 --- a/sign.js +++ b/sign.js 
@@ -5,7 +5,7 @@ exports.default = async function(configuration) { ) { console.log(`[*] Signing file: ${configuration.path}`) require("child_process").execSync( - `azuresigntool sign ` + + `azuresigntool sign -v ` + `-kvu ${process.env.SIGNING_VAULT_URL} ` + `-kvi ${process.env.SIGNING_CLIENT_ID} ` + `-kvt ${process.env.SIGNING_TENANT_ID} ` +
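Review bot: The added `-v` on `azuresigntool sign` reads like a troubleshooting leftover, since the commit message lists "adding a verbose flag" among the debugging steps, and it now makes every signing run write verbose tool output to the CI log. Whether that output echoes any of the Key Vault arguments is not visible from this hunk, and log masking only covers exact secret values. I would make it opt-in, for example ``"azuresigntool sign " + (process.env.SIGNING_VERBOSE ? "-v " : "") +`` (the variable name is illustrative). Separately, the command is still one interpolated string run through a shell by `execSync`, so `configuration.path` and the environment values are shell-parsed; passing an argument array to `execFileSync` would avoid that. The call continues past the end of the hunk, so the remaining arguments are not shown.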