12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879 |
- name: Sign Windows Project
- on:
- workflow_call:
- jobs:
- create-windows-update:
- name: Create Windows Update 🥩
- runs-on: windows-2022
- environment:
- name: bouf
- defaults:
- run:
- shell: pwsh
- steps:
- - name: Parse JWT
- id: jwt
- run: |
- $token = ConvertTo-SecureString -String ${env:ACTIONS_ID_TOKEN_REQUEST_TOKEN} -AsPlainText
- $jwt = Invoke-WebRequest -Uri "${env:ACTIONS_ID_TOKEN_REQUEST_URL}&audience=ignore" -Authentication Bearer -Token $token
- $claim_b64 = (($jwt.Content | ConvertFrom-Json -AsHashtable).value -split '\.')[1]
- $mod = $claim_b64.Length % 4
- if ($mod -gt 0) {$claim_b64 += '=' * (4 - $mod)}
- $claim = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String($claim_b64)) | ConvertFrom-Json -AsHashtable
- $sha = ${claim}.job_workflow_sha
- Write-Output "Workflow SHA: ${sha}"
- "workflow_sha=${sha}" >> $env:GITHUB_OUTPUT
- - uses: actions/checkout@v4
- with:
- path: "repo"
- fetch-depth: 0
- ref: ${{ steps.jwt.outputs.workflow_sha }}
- - name: Set Up Environment 🔧
- id: setup
- run: |
- $channel = if ($env:GITHUB_REF_NAME -match "(beta|rc)") { "beta" } else { "stable" }
- $shortHash = $env:GITHUB_SHA.Substring(0,9)
- "channel=${channel}" >> $env:GITHUB_OUTPUT
- "commitHash=${shortHash}" >> $env:GITHUB_OUTPUT
- - name: Download Artifact 📥
- uses: actions/download-artifact@v4
- with:
- name: obs-studio-windows-x64-${{ steps.setup.outputs.commitHash }}
- path: ${{ github.workspace }}/build
- - name: Run bouf 🥩
- uses: ./repo/.github/actions/windows-signing
- with:
- gcpWorkloadIdentityProvider: ${{ secrets.GCP_IDENTITY_POOL }}
- gcpServiceAccountName: ${{ secrets.GCP_SERVICE_ACCOUNT_NAME }}
- version: ${{ github.ref_name }}
- channel: ${{ steps.setup.outputs.channel }}
- - name: Generate artifact attestation
- uses: actions/attest-build-provenance@v1
- with:
- subject-path: ${{ github.workspace }}/output/*-x64.zip
- - name: Upload Signed Build
- uses: actions/upload-artifact@v4
- with:
- name: obs-studio-windows-x64-${{ github.ref_name }}-signed
- compression-level: 0
- path: ${{ github.workspace }}/output/*-x64.zip
- - name: Upload PDBs
- uses: actions/upload-artifact@v4
- with:
- name: obs-studio-windows-x64-${{ github.ref_name }}-pdbs
- compression-level: 0
- path: ${{ github.workspace }}/output/*-pdbs.zip
- - name: Upload Installer
- uses: actions/upload-artifact@v4
- with:
- name: obs-studio-windows-x64-${{ github.ref_name }}-installer
- compression-level: 0
- path: ${{ github.workspace }}/output/*.exe
|