ci: integrate signpath #421

Workflow file for this run

	name: ci/gh-actions/guix

	on: [push, pull_request]

	jobs:
	cache-sources:
	runs-on: ubuntu-24.04
	steps:
	- uses: actions/checkout@v4
	with:
	fetch-depth: 0
	- name: depends sources cache
	id: cache
	uses: actions/cache@v4
	with:
	path: contrib/depends/sources
	key: sources-${{ hashFiles('contrib/depends/packages/*') }}
	- name: download depends sources
	if: steps.cache.outputs.cache-hit != 'true'
	run: make -C contrib/depends download

	build-guix:
	runs-on: ubuntu-24.04
	needs: [cache-sources]
	strategy:
	fail-fast: false
	matrix:
	toolchain:
	- target: "x86_64-linux-gnu"
	- target: "x86_64-linux-gnu.no-tor-bundle"
	- target: "x86_64-linux-gnu.pack"
	- target: "aarch64-linux-gnu"
	- target: "arm-linux-gnueabihf"
	- target: "riscv64-linux-gnu"
	- target: "x86_64-w64-mingw32"
	- target: "x86_64-w64-mingw32.installer"
	- target: "x86_64-apple-darwin"
	- target: "arm64-apple-darwin"
	outputs:
	WIN_INSTALLER_ARTIFACT_ID: ${{ steps.win-installer.outputs.WIN_INSTALLER_ARTIFACT_ID }}
	WIN_EXECUTABLE_ARTIFACT_ID: ${{ steps.win-executable.outputs.WIN_EXECUTABLE_ARTIFACT_ID }}
	name: ${{ matrix.toolchain.target }}
	steps:
	- uses: actions/checkout@v4
	with:
	fetch-depth: 0
	ref: ${{ github.ref }}
	submodules: recursive
	# https://github.com/actions/checkout/issues/1467
	- name: git fetch tags
	run: git fetch --tags
	- name: remove bundled packages
	run: sudo rm -rf /usr/local
	- name: depends sources cache
	uses: actions/cache/restore@v4
	with:
	path: contrib/depends/sources
	key: sources-${{ hashFiles('contrib/depends/packages/*') }}
	- name: install dependencies
	run: sudo apt update; sudo apt -y install guix git ca-certificates apparmor-utils osslsigncode
	- name: fix apparmor
	run: sudo cp .github/workflows/guix /etc/apparmor.d/guix; sudo /etc/init.d/apparmor reload; sudo aa-enforce guix \|\| echo "failed"
	- name: purge apparmor
	run: sudo apt purge apparmor
	- name: build
	run: SUBSTITUTE_URLS='http://bordeaux.guix.gnu.org' HOSTS="${{ matrix.toolchain.target }}" ./contrib/guix/guix-build
	- name: virustotal scan
	env:
	VT_API_KEY: ${{ secrets.VT_API_KEY }}
	if: ${{ matrix.toolchain.target == 'x86_64-w64-mingw32' && env.VT_API_KEY != '' }}
	uses: crazy-max/ghaction-virustotal@v4
	with:
	vt_api_key: ${{ secrets.VT_API_KEY }}
	files: \|
	guix/guix-build-/build/distsrc-/build/bin/feather.exe
	- uses: actions/upload-artifact@v4
	id: upload-artifact
	with:
	name: ${{ matrix.toolchain.target }}
	path: \|
	guix/guix-build-/output/${{ matrix.toolchain.target }}/
	guix/guix-build-/logs/${{ matrix.toolchain.target }}/
	- if: ${{ matrix.toolchain.target == 'x86_64-w64-mingw32.installer' }}
	id: win-installer
	run: echo "WIN_INSTALLER_ARTIFACT_ID=${{ steps.upload-artifact.outputs.artifact-id }}" >> "$GITHUB_OUTPUT"
	- if: ${{ matrix.toolchain.target == 'x86_64-w64-mingw32' }}
	id: win-executable
	run: echo "WIN_EXECUTABLE_ARTIFACT_ID=${{ steps.upload-artifact.outputs.artifact-id }}" >> "$GITHUB_OUTPUT"

	bundle-logs:
	runs-on: ubuntu-24.04
	needs: [build-guix]
	steps:
	- uses: actions/download-artifact@v4
	with:
	merge-multiple: true
	- name: print hashes
	run: \|
	echo '```' >> $GITHUB_STEP_SUMMARY
	uname --machine && find **/output/ -type f -print0 \| env LC_ALL=C sort -z \| xargs -r0 sha256sum >> $GITHUB_STEP_SUMMARY
	echo '```' >> $GITHUB_STEP_SUMMARY
	- uses: actions/upload-artifact@v4
	with:
	name: "logs"
	path: '/logs/'
	- uses: ncipollo/release-action@v1
	if: startsWith(github.ref, 'refs/tags/')
	with:
	artifacts: "*/.AppImage,*/-linux-arm.zip,*/-linux-arm64.zip,*/-linux-riscv64.zip,*/-linux.zip,*/-mac-arm64.zip,*/-mac.zip,*/-win.zip,*/FeatherWalletSetup-.exe,**/feather-${{github.ref_name}}.tar.gz"
	draft: true
	name: v${{github.ref_name}}

	codesigning:
	runs-on: ubuntu-24.04
	needs: [build-guix, bundle-logs]
	if: startsWith(github.ref, 'refs/tags/')
	strategy:
	fail-fast: false
	matrix:
	toolchain:
	- target: "x86_64-w64-mingw32"
	- target: "x86_64-w64-mingw32.installer"
	steps:
	- name: install dependencies
	run: sudo apt update; sudo apt -y install osslsigncode
	- name: "set artifact id"
	run: \|
	if [ "${{ matrix.toolchain.target }}" == "x86_64-w64-mingw32" ]; then
	echo "ARTIFACT_ID=${{ needs.build-guix.outputs.WIN_EXECUTABLE_ARTIFACT_ID }}" >> $GITHUB_ENV
	echo "ARTIFACT_SLUG=executable" >> $GITHUB_ENV
	elif [ "${{ matrix.toolchain.target }}" == "x86_64-w64-mingw32.installer" ]; then
	echo "ARTIFACT_ID=${{ needs.build-guix.outputs.WIN_INSTALLER_ARTIFACT_ID }}" >> $GITHUB_ENV
	echo "ARTIFACT_SLUG=installer" >> $GITHUB_ENV
	fi
	- uses: signpath/github-action-submit-signing-request@v1
	name: "request signature"
	with:
	api-token: '${{ secrets.SIGNPATH_API_KEY }}'
	organization-id: 'd3e94749-9c69-44e9-82de-c65cb3832869'
	project-slug: 'feather'
	signing-policy-slug: 'test-signing'
	artifact-configuration-slug: ${{ env.ARTIFACT_SLUG }}
	github-artifact-id: ${{ env.ARTIFACT_ID }}
	wait-for-completion: true
	output-artifact-directory: codesigning/
	- name: "extract signature"
	run: osslsigncode extract-signature -in codesigning/guix-build-/output/${{ matrix.toolchain.target }}/-unsigned.exe -out codesigning/${{ matrix.toolchain.target }}-${{github.ref_name}}.pem
	- uses: actions/upload-artifact@v4
	name: "upload signature"
	with:
	name: ${{ matrix.toolchain.target }}.pem
	path: \|
	codesigning/${{ matrix.toolchain.target }}-${{github.ref_name}}.pem

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ci: integrate signpath #421

Workflow file

ci: integrate signpath #421

Jobs

Run details

Workflow file for this run