added automated build process

2025-09-07 13:59:48 +00:00 · 2024-12-28 22:41:56 -06:00
parent 6e76de6884
commit 0b668eaeb7
5 changed files with 606 additions and 1 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -0,0 +1,453 @@
+name: Release
+
+on:
+  workflow_run:
+    workflows: ["Autotag"]
+    types:
+      - completed
+
+jobs:
+  build:
+    runs-on: windows-latest
+
+    permissions:
+      id-token: write
+      contents: write
+      attestations: write
+
+    env:
+      GO_VERSION: 1.23
+      QUIKGO_VERSION: 1.2.6
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      AUTHOR_BRIDGE_TOKEN: ${{ secrets.AUTHOR_BRIDGE_TOKEN }}
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Extract Tag from Event
+      id: extract_tag
+      shell: pwsh
+      run: |
+        Write-Host "Event payload:"
+        Get-Content $env:GITHUB_EVENT_PATH
+
+        # Extract the commit SHA from the event payload
+        $COMMIT_SHA = (Get-Content -Raw $env:GITHUB_EVENT_PATH | ConvertFrom-Json).workflow_run.head_commit.id
+
+        if (-not $COMMIT_SHA) {
+          Write-Host "Error: No commit SHA found in the event payload."
+          exit 1
+        }
+
+        Write-Host "Commit SHA: $COMMIT_SHA"
+
+        # Fetch tags and find the tag associated with the commit
+        git fetch --tags
+        $TAG_REF = git tag --contains $COMMIT_SHA | ForEach-Object { $_.Trim() } | Select-Object -First 1
+
+        if (-not $TAG_REF) {
+          Write-Host "Error: No tag found for this commit."
+          exit 1
+        }
+
+        Write-Host "Extracted tag reference: $TAG_REF"
+        echo "TAG=$TAG_REF" | Out-File -Append -FilePath $env:GITHUB_ENV
+
+    - name: Display Tag
+      shell: pwsh
+      run: |
+        Write-Host "Identified Tag: $env:TAG"
+
+    - name: Set up Go
+      uses: actions/setup-go@v4
+      with:
+        go-version: '${{ env.GO_VERSION }}'
+
+    - name: Cache Go Modules
+      uses: actions/cache@v3
+      with:
+        path: |
+          ~/.cache/go-build
+          ~/go/pkg/mod
+        key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+        restore-keys: |
+          ${{ runner.os }}-go-
+
+    - name: Cache QuikGo
+      uses: actions/cache@v3
+      with:
+        path: |
+          ~/go/bin
+        key: ${{ runner.os }}-qgo-v${{ env.QUIKGO_VERSION }}
+        restore-keys: |
+          ${{ runner.os }}-qgo-
+
+    - name: Install QuikGo
+      run: |
+        if (-not (go list -m github.com/quikdev/go/cmd/qgo@v${{ env.QUIKGO_VERSION }})) {
+          if (-not (go list -m github.com/quikdev/go/cmd/qgo@v${{ env.QUIKGO_VERSION }})) {
+            go install github.com/quikdev/go/cmd/qgo@v${{ env.QUIKGO_VERSION }}
+          } else {
+            echo "QuikGo version ${{ env.QUIKGO_VERSION }} already installed."
+          }
+        } else {
+          echo "QuikGo version ${{ env.QUIKGO_VERSION }} already installed."
+        }
+
+    - name: Confirm QuikGo Installation
+      run: qgo --version
+
+    - name: Build NVM for Windows
+      run: |
+        cd src
+        qgo build --profile=release
+        echo ${{ github.workspace }}\bin
+        dir ${{ github.workspace }}\bin
+        cd ..\
+
+    # - name: Compress Executables
+    #   uses: crazy-max/ghaction-upx@v3
+    #   with:
+    #     version: latest
+    #     files: |
+    #       ${{ github.workspace }}/bin/*.exe
+    #     args: --brute
+
+    - name: Download Resource Hacker
+      run: |
+        Invoke-WebRequest -Uri "https://www.angusj.com/resourcehacker/resource_hacker.zip" -OutFile "resource_hacker.zip"
+        Expand-Archive -Path "resource_hacker.zip" -DestinationPath "$env:USERPROFILE\resource_hacker"
+
+    - name: Apply icon to executable
+      run: |
+        $resourceHackerPath = "$env:USERPROFILE\resource_hacker\ResourceHacker.exe"
+        $exe = "${{ github.workspace }}\bin\nvm.exe"
+        $iconFile = "${{ github.workspace }}\assets\nvm.ico"
+        & $resourceHackerPath -open $exe -save $exe -action add -res $iconFile -mask ICONGROUP,MAINICON
+
+    - name: Sign Executables
+      uses: azure/trusted-signing-action@v0.5.0
+      with:
+        azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+        azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
+        azure-client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
+        endpoint: ${{ secrets.AZURE_ENDPOINT }}
+        trusted-signing-account-name: ${{ secrets.AZURE_CODE_SIGNING_NAME }}
+        certificate-profile-name: ${{ secrets.AZURE_CERT_PROFILE_NAME }}
+        files-folder: ${{ github.workspace }}\bin
+        files-folder-filter: exe,dll
+        file-digest: SHA256
+        timestamp-rfc3161: http://timestamp.acs.microsoft.com
+        timestamp-digest: SHA256
+
+    - name: Identify & Download Latest Author-NVM Bridge App (Using GitHub API)
+      id: get_release
+      run: |
+        $repoOwner = "author"
+        $repoName = "author-nvm"
+        $token = $env:AUTHOR_BRIDGE_TOKEN # Ensure the token is provided as a secret
+
+        # Fetch the latest release information
+        Write-Host "GET https://api.github.com/repos/$repoOwner/$repoName/releases"
+        $response = Invoke-RestMethod -Uri "https://api.github.com/repos/$repoOwner/$repoName/releases" `
+                                      -Headers @{ Authorization = "token $token"; Accept = "application/vnd.github.v3+json"; }
+
+        if ($response -and $response[0].tag_name) {
+            $releaseTag = $response[0].tag_name
+            Write-Host "Latest release tag identified: $releaseTag"
+
+            # Fetch the release details for the identified tag
+            Write-Host "GET https://api.github.com/repos/$repoOwner/$repoName/releases/tags/$releaseTag"
+            $releaseDetails = Invoke-RestMethod -Uri "https://api.github.com/repos/$repoOwner/$repoName/releases/tags/$releaseTag" `
+                                                -Headers @{ Authorization = "token $token"; Accept = "application/vnd.github.v3+json"; }
+
+            # Extract asset ID for author-nvm.exe
+            $asset = $releaseDetails.assets | Where-Object { $_.name -eq 'author-nvm.exe' } | Select-Object -First 1
+
+            if ($asset -and $asset.id) {
+                $assetId = $asset.id
+                Write-Host "Asset ID for author-nvm.exe: $assetId"
+                "ASSET_ID=$assetId" | Out-File -Append -FilePath $env:GITHUB_ENV
+
+                # Download asset
+                $assetDownloadUrl = "https://api.github.com/repos/$repoOwner/$repoName/releases/assets/$assetId"
+                Write-Host "GET $assetDownloadUrl"
+                Invoke-WebRequest -Uri $assetDownloadUrl `
+                                  -Headers @{ Authorization = "token $token"; Accept = "application/octet-stream"; } `
+                                  -OutFile "$env:GITHUB_WORKSPACE\bin\author-nvm.exe"
+            } else {
+                Write-Error "author-nvm.exe not found in the latest release."
+                exit 1
+            }
+        } else {
+            Write-Error "No release tags found in the repository."
+            exit 1
+        }
+
+    - name: Generate Core Assets
+      run: |
+        $bin = "${{ github.workspace }}\bin"
+        $license = "${{ github.workspace }}\LICENSE"
+        $source = "${{ github.workspace }}\assets"
+        $target = "${{ github.workspace }}\.tmp"
+        $distros = "${{ github.workspace }}\.dist"
+
+        if (!(Test-Path -Path $target)) {
+          New-Item -ItemType Directory -Path $target
+        }
+
+        # Copy binaries to distribution
+        Get-ChildItem -Path $bin -File | ForEach-Object {
+          Copy-Item -Path $_.FullName -Destination $target
+        }
+
+        # Copy assets to distribution
+        Get-ChildItem -Path $source -File | ForEach-Object {
+          Copy-Item -Path $_.FullName -Destination $target
+        }
+
+        # Copy license to distribution
+        Copy-Item -Path $license -Destination $target
+      shell: pwsh
+
+    - name: Generate Asset Distribution
+      run: |
+        $source = "${{ github.workspace }}\.tmp"
+        $manual = "${{ github.workspace }}\.dist\nvm-noinstall.zip"
+        $checksum = "${{ github.workspace }}\.dist\nvm-noinstall.zip.checksum.txt"
+
+        if (Test-Path -Path $manual) {
+          Remove-Item -Path $manual -Force
+        }
+
+        & "C:\Program Files\7-Zip\7z.exe" a -tzip $manual "$source\*" -mx=9
+
+        $hash = Get-FileHash -Path $manual -Algorithm MD5
+        $hash.Hash | Out-File -FilePath $checksum -Encoding utf8
+      shell: pwsh
+
+    # - name: Install Inno Setup
+    #   run: |
+    #     choco install innosetup -y
+
+    #     # Verify installation
+    #     if (!(Test-Path "C:\Program Files (x86)\Inno Setup 6\ISCC.exe")) {
+    #       Write-Error "Inno Setup installation failed."
+    #       exit 1
+    #     }
+
+    - name: Generate Installer
+      run: |
+        $iss = "${{ github.workspace }}\nvm.iss"
+        $distros = "${{ github.workspace }}\.dist"
+
+        if (!(Test-Path -Path $iss)) {
+          Write-Error "Inno Setup Script file not found: $iss"
+          exit 1
+        }
+
+        # Replace version placeholder in the .iss file
+        $version = $env:TAG -replace "^v", ""
+        (Get-Content -Path $iss) -replace "{{VERSION}}", $version | Set-Content -Path $iss
+
+        # Output the file to assure replacements worked
+        Get-Content $iss
+
+        # Get the files and directories in the source directory
+        $items = Get-ChildItem -Path $source -Recurse
+        $source = "${{ github.workspace }}\.tmp"
+        $destination = "${{ github.workspace }}\bin"
+
+        foreach ($item in $items) {
+            # Construct the target path
+            $target = $item.FullName -replace [regex]::Escape($source), [regex]::Escape($destination)
+
+            if ($item.PSIsContainer) {
+                # Create directories if they don't exist
+                if (-not (Test-Path -Path $target)) {
+                    New-Item -ItemType Directory -Path $target
+                }
+            } else {
+                # Copy files if they don't already exist
+                if (-not (Test-Path -Path $target)) {
+                    Copy-Item -Path $item.FullName -Destination $target
+                }
+            }
+        }
+
+        Write-Host "Available assets in bin directory:"
+        dir ${{ github.workspace }}\bin
+
+        Write-Host "Available assets in .tmp directory:"
+        dir ${{ github.workspace }}\.tmp
+
+        Write-Host "Available build tools:"
+        dir ${{ github.workspace }}\assets\buildtools
+
+        ${{ github.workspace }}\assets\buildtools\iscc.exe "$iss" "/o$distros"
+        # iscc "$iss" "/o$distros"
+      shell: pwsh
+
+    - name: Sign Installer
+      uses: azure/trusted-signing-action@v0.5.0
+      with:
+        azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+        azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
+        azure-client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
+        endpoint: ${{ secrets.AZURE_ENDPOINT }}
+        trusted-signing-account-name: ${{ secrets.AZURE_CODE_SIGNING_NAME }}
+        certificate-profile-name: ${{ secrets.AZURE_CERT_PROFILE_NAME }}
+        files-folder: ${{ github.workspace }}\.dist
+        files-folder-filter: exe,dll
+        file-digest: SHA256
+        timestamp-rfc3161: http://timestamp.acs.microsoft.com
+        timestamp-digest: SHA256
+
+    - name: Generate Official Distribution
+      run: |
+        $source = "${{ github.workspace }}\.dist\nvm-setup.exe"
+        $distro = "${{ github.workspace }}\.dist\nvm-setup.zip"
+        $checksum = "${{ github.workspace }}\.dist\nvm-setup.zip.checksum.txt"
+
+        if (!(Test-Path -Path $source)) {
+          Write-Error "Source file for ZIP not found: $source"
+          exit 1
+        }
+
+        & "C:\Program Files\7-Zip\7z.exe" a -tzip $distro "$source" -mx=9
+
+        if (!(Test-Path -Path $distro)) {
+          Write-Error "ZIP file generation failed."
+          exit 1
+        }
+
+        $hash = Get-FileHash -Path $distro -Algorithm MD5
+        $hash.Hash | Out-File -FilePath $checksum -Encoding utf8
+      shell: pwsh
+
+    - name: Attestation
+      uses: actions/attest-build-provenance@v2
+      id: attest
+      with:
+        subject-path: |
+          ${{ github.workspace }}/bin/*.exe
+          ${{ github.workspace }}/.dist/*.exe
+          ${{ github.workspace }}/.dist/*.zip
+          ${{ github.workspace }}/.dist/*.checksum.txt
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Release
+      uses: softprops/action-gh-release@v2
+      if: success()
+      with:
+        tag_name: ${{ env.TAG }}
+        files: |
+          ${{ github.workspace }}/.dist/*
+        fail_on_unmatched_files: true
+        generate_release_notes: true
+        prerelease: false
+        draft: false
+        make_latest: true
+
+    - name: Add Attestation Report to Release Notes
+      if: success()
+      uses: softprops/action-gh-release@v2
+      with:
+        tag_name: ${{ env.TAG }}
+        body: |
+          <br/>:office: **[Attestation Report](${{ steps.attest.outputs.attestation-url }})**
+        append_body: true
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  rollback:
+    runs-on: ubuntu-latest
+    needs: build
+    if: failure()
+
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 0  # Ensures that all references, including tags, are fetched
+        ref: ${{ github.event.workflow_run.head_sha }}
+
+    - name: Show current commit
+      run: |
+        git log -1 --decorate
+        git tag --contains HEAD
+
+    - name: Get the commit associated with the trigger
+      id: get_commit
+      run: |
+        if [ -f "$GITHUB_EVENT_PATH" ]; then
+          # Try to get the head SHA from workflow_run
+          COMMIT_SHA=$(jq -r '.head_commit.id' < "$GITHUB_EVENT_PATH")
+          if [ "$COMMIT_SHA" = "null" ]; then
+            COMMIT_SHA=$(jq -r '.workflow_run.head_commit.id' < "$GITHUB_EVENT_PATH")
+          fi
+          if [ -z "$COMMIT_SHA" ] || [ "$COMMIT_SHA" = "null" ]; then
+            echo "Error: Unable to retrieve commit SHA from GITHUB_EVENT_PATH"
+            cat "$GITHUB_EVENT_PATH"
+            echo "HEAD: $(git rev-parse HEAD)"
+            exit 1
+          fi
+          echo "Commit SHA: $COMMIT_SHA"
+          echo "COMMIT_SHA=$COMMIT_SHA" >> $GITHUB_ENV
+        else
+          echo "Error: GITHUB_EVENT_PATH not found"
+          exit 1
+        fi
+
+    - name: Fetch the tag associated with the commit using git
+      id: fetch_tag
+      run: |
+        # Debugging: print all tags in the repository
+        git tag
+
+        # Get the tag associated with the commit
+        echo "Finding tag associated with the commit..."
+        TAG=$(git tag --contains "$COMMIT_SHA" | head -n 1)
+        echo "Tag associated with the commit is: $TAG"
+
+        # Debugging: Check if the tag is found
+        if [ -z "$TAG" ]; then
+          echo "No tag found for this commit."
+        else
+          echo "Found tag: $TAG"
+        fi
+
+        echo "TAG=$TAG" >> $GITHUB_ENV
+
+    - name: Delete release
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+        # Use the TAG from the environment variable
+        if [ -z "$TAG" ]; then
+          echo "No tag to delete."
+          exit 1
+        fi
+
+        RELEASE_ID=$(gh release view "$TAG" --json id --jq '.id' || echo "")
+        if [ -n "$RELEASE_ID" ]; then
+          gh release delete "$TAG" --yes
+          echo "Release $TAG deleted successfully."
+        else
+          echo "Release $TAG not found."
+        fi
+
+    - name: Delete tag associated with release
+      run: |
+        # Use the TAG from the environment variable
+        if [ -z "$TAG" ]; then
+          echo "No tag to delete."
+          exit 1
+        fi
+
+        git tag -d "$TAG"
+        git push --delete origin "$TAG"
+
+    - name: Notify Rollback
+      run: echo "Rollback completed for release $TAG"