From 7ae669e5a5b58ed2402c07856f25a2446e11b416 Mon Sep 17 00:00:00 2001 From: Ryan Zander Date: Wed, 11 Sep 2024 17:00:00 -0700 Subject: [PATCH 01/43] Build step to sign Windows binaries; expects a GH Secret called 'CERTIFICATE_PFX'. --- .github/workflows/ci.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 8fbc76b..c7e80b4 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -133,6 +133,14 @@ jobs: BINARY_SUFFIX: ${{ matrix.os == 'windows' && '.exe' || '' }} run: make build + - name: Sign the Windows binary + if: matrix.os == 'windows' + run: | + choco install signtool + echo "${{ secrets.CERTIFICATE_PFX }}" | base64 --decode > certificate.pfx + signtool sign /fd sha256 /a /tr http://timestamp.digicert.com /td sha256 /f certificate.pfx bin/hathora-windows-${{ matrix.arch }}.exe + del certificate.pfx + - name: Upload artifacts uses: actions/upload-artifact@v4 with: From 8d00f4f8ad5f35168962f6e93f126a0e6177232f Mon Sep 17 00:00:00 2001 From: Ryan Zander Date: Thu, 19 Sep 2024 12:31:50 -0700 Subject: [PATCH 02/43] Added code signing certificate automatic renewal. --- .github/workflows/cert-renewal.yaml | 36 +++++++++++++++++++++++++++++ terraform/acme.tf | 18 +++++++++++++++ terraform/github.tf | 5 ++++ terraform/main.tf | 34 +++++++++++++++++++++++++++ terraform/versions.tf | 13 +++++++++++ 5 files changed, 106 insertions(+) create mode 100644 .github/workflows/cert-renewal.yaml create mode 100644 terraform/acme.tf create mode 100644 terraform/github.tf create mode 100644 terraform/main.tf create mode 100644 terraform/versions.tf diff --git a/.github/workflows/cert-renewal.yaml b/.github/workflows/cert-renewal.yaml new file mode 100644 index 0000000..83a4242 --- /dev/null +++ b/.github/workflows/cert-renewal.yaml 
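Review bot: The new step inlines the secret into the script body with `echo "${{ secrets.CERTIFICATE_PFX }}"`, so the PFX blob is substituted into the generated shell file instead of being read from the environment; pass it as a step-level `env:` entry `CERTIFICATE_PFX: ${{ secrets.CERTIFICATE_PFX }}` and decode with `echo "$CERTIFICATE_PFX" | base64 --decode > certificate.pfx`. `del certificate.pfx` runs only if signtool exits 0, so a failed signing leaves the decoded private key in the runner's workspace; a separate cleanup step with `if: always()` (or a shell `trap`) removes it regardless of outcome. The job's `runs-on` is outside the hunk, so whether `choco` and `signtool` are available to this step cannot be confirmed from here.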
@@ -0,0 +1,36 @@ +name: CI + +on: + schedule: + # Run at 10am PST / 5pm UTC weekdays + - cron: '0 17 * * 1-5' + +env: + AWS_ACCOUNT_ID: REPLACE_ME + TERRAFORM_PATH: terraform + +jobs: + + renewal: + name: Certificate Renewal + runs-on: ubuntu-latest + steps: + + - name: Setup Terraform + uses: hashicorp/setup-terraform@v3 + with: + terraform_version: "1.9.4" + + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@v4 + with: + role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/ci-runner + aws-region: us-west-2 + + - name: Terraform Init + run: terraform init + working-directory: ${{ env.TERRAFORM_PATH }} + + - name: Terraform Apply + run: terraform apply -auto-approve + working-directory: ${{ env.TERRAFORM_PATH }} diff --git a/terraform/acme.tf b/terraform/acme.tf new file mode 100644 index 0000000..8887915 --- /dev/null +++ b/terraform/acme.tf @@ -0,0 +1,18 @@ +data "aws_region" "current" {} + +resource "acme_registration" "this" { + email_address = "info@geode.io" +} + +resource "acme_certificate" "certificate" { + account_key_pem = acme_registration.this.account_key_pem + common_name = "hathora.dev" + + dns_challenge { + provider = "route53" + config = { + AWS_REGION = "**REPLACE**" + AWS_HOSTED_ZONE_ID = "**REPLACE**" + } + } +} diff --git a/terraform/github.tf b/terraform/github.tf new file mode 100644 index 0000000..1cf1370 --- /dev/null +++ b/terraform/github.tf @@ -0,0 +1,5 @@ +resource "github_actions_secret" "certificate_pfx" { + repository = "hathora/ci" + secret_name = "CERTIFICATE_PFX" + encrypted_value = acme_certificate.certificate.certificate_p12 +} diff --git a/terraform/main.tf b/terraform/main.tf new file mode 100644 index 0000000..564e28a --- /dev/null +++ b/terraform/main.tf 
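Review bot: `role-to-assume` without static keys makes configure-aws-credentials use GitHub OIDC, which needs the job to grant `id-token: write`; as written the workflow declares no `permissions:` block, so the credential step would fail before `terraform init` runs. Add a job-level `permissions:` with `id-token: write` and `contents: read`. The cron comment says 10am PST, but `0 17 * * 1-5` is 10am PDT (PST would be `0 18`); pick one and say which. `terraform apply -auto-approve` on a schedule leaves no plan in the log to audit; `terraform plan -out=tfplan` followed by `terraform apply tfplan` records what changed.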
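Review bot: As far as I know Let's Encrypt (the `server_url` set in main.tf) issues only TLS server certificates without the Code Signing EKU, so the `certificate_p12` produced here is unlikely to be accepted by signtool/Authenticode in ci.yaml; confirm the CA before wiring this up, and if another ACME CA is intended the `server_url` and this resource change together. With `certificate_p12_password` unset, the PKCS#12 stored in the repository secret is unprotected; setting it and passing `/p` to signtool means the secret alone is not enough to sign. `data "aws_region" "current" {}` is declared but never referenced, while `AWS_REGION` in the `dns_challenge` config is a `**REPLACE**` placeholder; `AWS_REGION = data.aws_region.current.name` would use it.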
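Review bot: `encrypted_value` expects a value already sealed with the repository's public key, but `certificate_p12` from the acme provider is the plain base64-encoded PKCS#12; use `plaintext_value = acme_certificate.certificate.certificate_p12` and let the provider encrypt it (the `base64 --decode` in ci.yaml then matches). `provider "github" {}` in main.tf has no token and the renewal workflow exports none, so the write to `hathora/ci` would fail at apply; it needs a `GITHUB_TOKEN` with repository-secret write access, and whether the default Actions token is sufficient for that should be checked.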
@@ -0,0 +1,34 @@ +terraform { + + backend "s3" { + bucket = "**REPLACE**" + key = "**REPLACE**" + region = "**REPLACE**" + dynamodb_table = "**REPLACE**" + } + + required_providers { + acme = { + source = "vancluever/acme" + version = "~> 2.0" + } + aws = { + source = "hashicorp/aws" + version = "~> 5.0" + } + github = { + source = "integrations/github" + version = "~> 6.0" + } + } +} + +provider "acme" { + server_url = "https://acme-v02.api.letsencrypt.org/directory" +} + +provider "aws" { + region = "us-east-1" +} + +provider "github" {} diff --git a/terraform/versions.tf b/terraform/versions.tf new file mode 100644 index 0000000..4c5eba0 --- /dev/null +++ b/terraform/versions.tf @@ -0,0 +1,13 @@ +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + } + acme = { + source = "vancluever/acme" + } + google = { + source = "hashicorp/google" + } + } +} From 3f42907f810824c6a2aa300226fe22ed0bfe7abd Mon Sep 17 00:00:00 2001 From: Ryan Zander Date: Thu, 19 Sep 2024 12:40:01 -0700 Subject: [PATCH 03/43] Removed a vestigial Terraform config. --- terraform/versions.tf | 13 ------------- 1 file changed, 13 deletions(-) delete mode 100644 terraform/versions.tf diff --git a/terraform/versions.tf b/terraform/versions.tf deleted file mode 100644 index 4c5eba0..0000000 --- a/terraform/versions.tf +++ /dev/null @@ -1,13 +0,0 @@ -terraform { - required_providers { - aws = { - source = "hashicorp/aws" - } - acme = { - source = "vancluever/acme" - } - google = { - source = "hashicorp/google" - } - } -} From 61d9d60f2954c763a63b46208fa62d6aba5d5618 Mon Sep 17 00:00:00 2001 From: Ryan Zander Date: Thu, 19 Sep 2024 17:21:20 -0700 Subject: [PATCH 04/43] Moved signtool installation to its own step. --- .github/workflows/ci.yaml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index c7e80b4..62a33f3 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
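Review bot: The acme account key and the certificate's private key and PKCS#12 are written to Terraform state in plain text, so this backend block is the control that protects them: besides filling the `**REPLACE**` placeholders, set `encrypt = true` on the S3 backend and restrict the bucket and DynamoDB table to the `ci-runner` role the workflow assumes. `provider "aws"` pins `us-east-1` while the workflow's `aws-region` is `us-west-2` and the `dns_challenge` in acme.tf carries its own `AWS_REGION`; a comment stating which resources this provider region is meant for would avoid confusion.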
@@ -133,10 +133,15 @@ jobs: BINARY_SUFFIX: ${{ matrix.os == 'windows' && '.exe' || '' }} run: make build + - name: Install signtool + if: matrix.os == 'windows' + uses: crazy-max/ghaction-chocolatey@v3 + with: + args: install signtool + - name: Sign the Windows binary if: matrix.os == 'windows' run: | - choco install signtool echo "${{ secrets.CERTIFICATE_PFX }}" | base64 --decode > certificate.pfx signtool sign /fd sha256 /a /tr http://timestamp.digicert.com /td sha256 /f certificate.pfx bin/hathora-windows-${{ matrix.arch }}.exe del certificate.pfx From 13925ab094df2ec0a0d3205e8523a1061c1aa3ce Mon Sep 17 00:00:00 2001 From: Ryan Zander Date: Thu, 19 Sep 2024 18:04:43 -0700 Subject: [PATCH 05/43] I'm reading that signtool is included in recent windows runners. --- .github/workflows/ci.yaml | 6 ------ 1 file changed, 6 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 62a33f3..114147b 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -133,12 +133,6 @@ jobs: BINARY_SUFFIX: ${{ matrix.os == 'windows' && '.exe' || '' }} run: make build - - name: Install signtool - if: matrix.os == 'windows' - uses: crazy-max/ghaction-chocolatey@v3 - with: - args: install signtool - - name: Sign the Windows binary if: matrix.os == 'windows' run: | From 80aba0cf20ba48cf4519d57be3fb3bd7ebf653bf Mon Sep 17 00:00:00 2001 From: Ryan Zander Date: Thu, 19 Sep 2024 18:08:23 -0700 Subject: [PATCH 06/43] Provide a manual trigger. --- .github/workflows/cert-renewal.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/cert-renewal.yaml b/.github/workflows/cert-renewal.yaml index 83a4242..0316337 100644 --- a/.github/workflows/cert-renewal.yaml +++ b/.github/workflows/cert-renewal.yaml @@ -4,6 +4,7 @@ on: schedule: # Run at 10am PST / 5pm UTC weekdays - cron: '0 17 * * 1-5' + workflow_dispatch: env: AWS_ACCOUNT_ID: REPLACE_ME From 89a01a3126997db39a396f9f316a3f855f2e9689 Mon Sep 17 00:00:00 2001 
From: Ryan Zander Date: Thu, 19 Sep 2024 18:24:07 -0700 Subject: [PATCH 07/43] Find signtool and add it to the PATH --- .github/workflows/ci.yaml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 114147b..59d1f0e 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -133,6 +133,17 @@ jobs: BINARY_SUFFIX: ${{ matrix.os == 'windows' && '.exe' || '' }} run: make build + - name: Add signtool to the PATH + if: matrix.os == 'windows' + run: | + $signtoolPath = Get-ChildItem -Path C:\ -Recurse -Filter signtool.exe -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName + if ($signtoolPath) { + Write-Output "::set-output name=path::$signtoolPath" + } else { + Write-Output "::error::signtool.exe not found!" + } + echo "${{ steps.find-signtool.outputs.path }}" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append + - name: Sign the Windows binary if: matrix.os == 'windows' run: | From 623e0bb367e3d7cd7692a2b0a45af45d4c524dc8 Mon Sep 17 00:00:00 2001 From: Ryan Zander Date: Thu, 19 Sep 2024 18:25:44 -0700 Subject: [PATCH 08/43] Temporarily allow during PRs. --- .github/workflows/cert-renewal.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/cert-renewal.yaml b/.github/workflows/cert-renewal.yaml index 0316337..782ebb8 100644 --- a/.github/workflows/cert-renewal.yaml +++ b/.github/workflows/cert-renewal.yaml @@ -5,6 +5,9 @@ on: # Run at 10am PST / 5pm UTC weekdays - cron: '0 17 * * 1-5' workflow_dispatch: + pull_request: + branches: + - main env: AWS_ACCOUNT_ID: REPLACE_ME From d979047b28952a6c8ae6545620c0f022d81b70a9 Mon Sep 17 00:00:00 2001 From: Ryan Zander Date: Thu, 19 Sep 2024 18:26:57 -0700 Subject: [PATCH 09/43] Fixed the workflow name. --- .github/workflows/cert-renewal.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
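Review bot: `${{ steps.find-signtool.outputs.path }}` on the last line is evaluated when the step is rendered, before the script runs, and the step has no `id: find-signtool` anyway, so an empty string is appended to `GITHUB_PATH`; the value also needs to be the directory, not the exe path, and `::set-output` is deprecated. Writing `Split-Path -Parent $signtoolPath` to `$env:GITHUB_PATH` directly inside the script removes the output round-trip, and the `::error::` branch should `exit 1` so a missing tool fails the step instead of only printing. `Select-Object -ExpandProperty FullName` can return several paths when more than one SDK is installed; `-First 1` keeps it a single string, and narrowing the search to the Windows Kits directory as patch 16 does keeps the recursive scan fast. The same step returns (with a narrower path) in patch 16's second hunk and as commented-out lines in patch 19, so the fix applies there too; the job's `runs-on` is outside the hunk.
```yaml
      - name: Add signtool to the PATH
        if: matrix.os == 'windows'
        shell: pwsh
        run: |
          $signtoolPath = Get-ChildItem -Path C:\ -Recurse -Filter signtool.exe -ErrorAction SilentlyContinue |
            Select-Object -First 1 -ExpandProperty FullName
          if (-not $signtoolPath) {
            Write-Output "::error::signtool.exe not found!"
            exit 1
          }
          Split-Path -Parent $signtoolPath | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
```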
diff --git a/.github/workflows/cert-renewal.yaml b/.github/workflows/cert-renewal.yaml index 782ebb8..be3f840 100644 --- a/.github/workflows/cert-renewal.yaml +++ b/.github/workflows/cert-renewal.yaml @@ -1,4 +1,4 @@ -name: CI +name: Certificate Renewal on: schedule: From 5e4a1d7c3b6237a54d137dd8fbeeae6084b791b8 Mon Sep 17 00:00:00 2001 From: Ryan Zander Date: Thu, 19 Sep 2024 18:42:34 -0700 Subject: [PATCH 10/43] Explicity specify PowerShell --- .github/workflows/ci.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 59d1f0e..3301faf 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -135,6 +135,7 @@ jobs: - name: Add signtool to the PATH if: matrix.os == 'windows' + shell: pwsh run: | $signtoolPath = Get-ChildItem -Path C:\ -Recurse -Filter signtool.exe -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName if ($signtoolPath) { From 78d0bfb33df6dc436d23afa74b29e73d632a0089 Mon Sep 17 00:00:00 2001 From: Ryan Zander Date: Thu, 19 Sep 2024 18:45:29 -0700 Subject: [PATCH 11/43] Removed temporary trigger. --- .github/workflows/cert-renewal.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/cert-renewal.yaml b/.github/workflows/cert-renewal.yaml index be3f840..449f6fa 100644 --- a/.github/workflows/cert-renewal.yaml +++ b/.github/workflows/cert-renewal.yaml @@ -5,9 +5,6 @@ on: # Run at 10am PST / 5pm UTC weekdays - cron: '0 17 * * 1-5' workflow_dispatch: - pull_request: - branches: - - main env: AWS_ACCOUNT_ID: REPLACE_ME From 58d28787650c9255f06bc81bdd100261e1f525dd Mon Sep 17 00:00:00 2001 From: Ryan Zander Date: Thu, 19 Sep 2024 18:54:24 -0700 Subject: [PATCH 12/43] Try using a marketplace Action to find signtool.exe --- .github/workflows/ci.yaml | 30 +++++++++++++++++++----------- 1 file changed, 19 insertions(+), 11 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 3301faf..7df8b21 100644 
--- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -133,23 +133,31 @@ jobs: BINARY_SUFFIX: ${{ matrix.os == 'windows' && '.exe' || '' }} run: make build - - name: Add signtool to the PATH - if: matrix.os == 'windows' +# - name: Add signtool to the PATH +# if: matrix.os == 'windows' +# shell: pwsh +# run: | +# $signtoolPath = Get-ChildItem -Path C:\ -Recurse -Filter signtool.exe -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName +# if ($signtoolPath) { +# Write-Output "::set-output name=path::$signtoolPath" +# } else { +# Write-Output "::error::signtool.exe not found!" +# } +# echo "${{ steps.find-signtool.outputs.path }}" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append + + - uses: KamaranL/add-signtool-action@v1 + id: signtool + + - run: Write-Output "$env:SIGNTOOL_DIR" shell: pwsh - run: | - $signtoolPath = Get-ChildItem -Path C:\ -Recurse -Filter signtool.exe -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName - if ($signtoolPath) { - Write-Output "::set-output name=path::$signtoolPath" - } else { - Write-Output "::error::signtool.exe not found!" - } - echo "${{ steps.find-signtool.outputs.path }}" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append + env: + SIGNTOOL_DIR: ${{ steps.signtool.outputs.signtool-x64 }} - name: Sign the Windows binary if: matrix.os == 'windows' run: | echo "${{ secrets.CERTIFICATE_PFX }}" | base64 --decode > certificate.pfx - signtool sign /fd sha256 /a /tr http://timestamp.digicert.com /td sha256 /f certificate.pfx bin/hathora-windows-${{ matrix.arch }}.exe + "${{ env.SIGNTOOL_DIR }}\signtool.exe" sign /fd sha256 /a /tr http://timestamp.digicert.com /td sha256 /f certificate.pfx bin/hathora-windows-${{ matrix.arch }}.exe del certificate.pfx - name: Upload artifacts From 034674aff3477df230e4191d45045c71080e40aa Mon Sep 17 00:00:00 2001 
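Review bot: `SIGNTOOL_DIR` is set as a step-level `env` on the `Write-Output` step, so in the signing step `${{ env.SIGNTOOL_DIR }}` expands to an empty string and the command becomes `"\signtool.exe" sign …`; reference the output directly, `& "${{ steps.signtool.outputs.signtool-x64 }}\signtool.exe" sign …` (the `&` is needed under pwsh, where a leading quoted string is an expression rather than a command). `KamaranL/add-signtool-action@v1` is a third-party action pinned to a mutable tag, running in a job that holds the signing certificate; pin it to a full commit SHA. The same env-scoping pattern returns in patches 13 and 19, and the missing `&` applies equally when the path is inlined in patch 23; the job's `runs-on` is outside the hunk, so whether these steps run on Windows at all cannot be confirmed here.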
From: Ryan Zander Date: Thu, 19 Sep 2024 19:06:41 -0700 Subject: [PATCH 13/43] Added some names and isolated new steps to Windows only. --- .github/workflows/ci.yaml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 7df8b21..577f168 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -145,10 +145,14 @@ jobs: # } # echo "${{ steps.find-signtool.outputs.path }}" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append - - uses: KamaranL/add-signtool-action@v1 + - name: Add signtool.exe + if: matrix.os == 'windows' + uses: KamaranL/add-signtool-action@v1 id: signtool - - run: Write-Output "$env:SIGNTOOL_DIR" + - name: Set SIGNTOOL_DIR to signtool.exe path + if: matrix.os == 'windows' + run: Write-Output "$env:SIGNTOOL_DIR" shell: pwsh env: SIGNTOOL_DIR: ${{ steps.signtool.outputs.signtool-x64 }} From 4e369b5f0af31b862c191e4c49fa0d1e21d47f52 Mon Sep 17 00:00:00 2001 From: Ryan Zander Date: Thu, 19 Sep 2024 19:18:57 -0700 Subject: [PATCH 14/43] Select runs-on based on matrix.os --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 577f168..7beb64f 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -110,12 +110,12 @@ jobs: publish-binaries: name: Publish binary for ${{ matrix.os }} ${{ matrix.arch }} - runs-on: ubuntu-latest needs: [prepare, test] strategy: matrix: os: [linux, darwin, windows] arch: [amd64, arm64] + runs-on: ${{ matrix.os }} steps: - name: Checkout uses: actions/checkout@v4 From a2272f487f5563090d7d69fdcccf6ba849422230 Mon Sep 17 00:00:00 2001 From: Ryan Zander Date: Thu, 19 Sep 2024 19:29:07 -0700 Subject: [PATCH 15/43] Need a version along with the OS to find a valid runner. --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 7beb64f..3782559 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -115,7 +115,7 @@ jobs: matrix: os: [linux, darwin, windows] arch: [amd64, arm64] - runs-on: ${{ matrix.os }} + runs-on: ${{ matrix.os }}-latest steps: - name: Checkout uses: actions/checkout@v4 From add83fb6008d38067dedc1f34e8e63ba85b7b59f Mon Sep 17 00:00:00 2001 From: Ryan Zander Date: Thu, 19 Sep 2024 20:38:43 -0700 Subject: [PATCH 16/43] Fixed the matrix to provide Go OS and GHA runner OS. --- .github/workflows/ci.yaml | 61 ++++++++++++++++++++------------------- 1 file changed, 32 insertions(+), 29 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 3782559..4905512 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -109,13 +109,17 @@ jobs: default.args.BUILD_VERSION=${{ needs.prepare.outputs.version }} publish-binaries: - name: Publish binary for ${{ matrix.os }} ${{ matrix.arch }} + name: Publish binary for ${{ matrix.platform.os }} ${{ matrix.arch }} needs: [prepare, test] strategy: matrix: - os: [linux, darwin, windows] + platform: [ + { os: 'linux', runner: 'ubuntu-latest' }, + { os: 'darwin', runner: 'macos-latest' }, + { os: 'windows', runner: 'windows-latest' } + ] arch: [amd64, arm64] - runs-on: ${{ matrix.os }}-latest + runs-on: ${{ matrix.platform.runner }} steps: - name: Checkout uses: actions/checkout@v4 
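Review bot: The `platform:` list is a multi-line flow collection of mappings, the form the rest of this file (block sequences under `steps:`) avoids and one that is easy to misindent; the same data reads better as a block sequence. The quotes on `'linux'` and friends are unnecessary for plain scalars, while `arch: [amd64, arm64]` is short enough to stay in flow style. Since `make build` cross-compiles from `TARGETOS`/`TARGETARCH` (set in the next hunk), only the Windows leg appears to need a matching runner; keeping linux and darwin on `ubuntu-latest` would avoid three runner images, though that is an inference from the build step.
```yaml
      matrix:
        platform:
          - os: linux
            runner: ubuntu-latest
          - os: darwin
            runner: macos-latest
          - os: windows
            runner: windows-latest
        arch: [amd64, arm64]
```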
@@ -127,47 +131,46 @@ jobs: - name: Build binaries env: - TARGETOS: ${{ matrix.os }} + TARGETOS: ${{ matrix.platform.os }} TARGETARCH: ${{ matrix.arch }} BUILD_VERSION: ${{ needs.prepare.outputs.version }} - BINARY_SUFFIX: ${{ matrix.os == 'windows' && '.exe' || '' }} + BINARY_SUFFIX: ${{ matrix.platform.os == 'windows' && '.exe' || '' }} run: make build -# - name: Add signtool to the PATH + - name: Add signtool to the PATH + if: matrix.platform.os == 'windows' + run: | + $signtoolPath = Get-ChildItem -Path "C:\Program Files (x86)\Windows Kits" -Recurse -Filter signtool.exe -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName + if ($signtoolPath) { + Write-Output "::set-output name=path::$signtoolPath" + } else { + Write-Output "::error::signtool.exe not found!" + } + echo "${{ steps.find-signtool.outputs.path }}" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append + +# - name: Add signtool.exe +# if: matrix.os == 'windows' +# uses: KamaranL/add-signtool-action@v1 +# id: signtool + +# - name: Set SIGNTOOL_DIR to signtool.exe path # if: matrix.os == 'windows' +# run: Write-Output "$env:SIGNTOOL_DIR" # shell: pwsh -# run: | -# $signtoolPath = Get-ChildItem -Path C:\ -Recurse -Filter signtool.exe -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName -# if ($signtoolPath) { -# Write-Output "::set-output name=path::$signtoolPath" -# } else { -# Write-Output "::error::signtool.exe not found!" 
-# } -# echo "${{ steps.find-signtool.outputs.path }}" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append - - - name: Add signtool.exe - if: matrix.os == 'windows' - uses: KamaranL/add-signtool-action@v1 - id: signtool - - - name: Set SIGNTOOL_DIR to signtool.exe path - if: matrix.os == 'windows' - run: Write-Output "$env:SIGNTOOL_DIR" - shell: pwsh - env: - SIGNTOOL_DIR: ${{ steps.signtool.outputs.signtool-x64 }} +# env: +# SIGNTOOL_DIR: ${{ steps.signtool.outputs.signtool-x64 }} - name: Sign the Windows binary - if: matrix.os == 'windows' + if: matrix.platform.os == 'windows' run: | echo "${{ secrets.CERTIFICATE_PFX }}" | base64 --decode > certificate.pfx - "${{ env.SIGNTOOL_DIR }}\signtool.exe" sign /fd sha256 /a /tr http://timestamp.digicert.com /td sha256 /f certificate.pfx bin/hathora-windows-${{ matrix.arch }}.exe + signtool.exe" sign /fd sha256 /a /tr http://timestamp.digicert.com /td sha256 /f certificate.pfx bin/hathora-windows-${{ matrix.arch }}.exe del certificate.pfx - name: Upload artifacts uses: actions/upload-artifact@v4 with: - name: hathora-${{ matrix.os }}-${{ matrix.arch }}${{ matrix.os == 'windows' && '.exe' || '' }} + name: hathora-${{ matrix.platform.os }}-${{ matrix.arch }}${{ matrix.platform.os == 'windows' && '.exe' || '' }} path: bin/hathora-* release: From b4586a1607369510672e07f57609a54e4e618dd5 Mon Sep 17 00:00:00 2001 From: Ryan Zander Date: Thu, 19 Sep 2024 20:49:56 -0700 Subject: [PATCH 17/43] Removed an errant double quote. --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 4905512..2f02234 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
@@ -164,7 +164,7 @@ jobs: if: matrix.platform.os == 'windows' run: | echo "${{ secrets.CERTIFICATE_PFX }}" | base64 --decode > certificate.pfx - signtool.exe" sign /fd sha256 /a /tr http://timestamp.digicert.com /td sha256 /f certificate.pfx bin/hathora-windows-${{ matrix.arch }}.exe + signtool.exe sign /fd sha256 /a /tr http://timestamp.digicert.com /td sha256 /f certificate.pfx bin/hathora-windows-${{ matrix.arch }}.exe del certificate.pfx - name: Upload artifacts From fb4a8af10d74dd8b510ab9c6dc38129932b43273 Mon Sep 17 00:00:00 2001 From: Ryan Zander Date: Thu, 19 Sep 2024 21:00:18 -0700 Subject: [PATCH 18/43] Is signtool.exe even on this Windows runner? --- .github/workflows/ci.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 2f02234..dc8fd45 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -124,6 +124,10 @@ jobs: - name: Checkout uses: actions/checkout@v4 + - name: Check signtool + if: matrix.platform.os == 'windows' + run: where signtool.exe + - name: Set up Go uses: actions/setup-go@v5 with: From 413eaa59b53a626740d2c3546c224573351e71f0 Mon Sep 17 00:00:00 2001 From: Ryan Zander Date: Thu, 19 Sep 2024 21:18:38 -0700 Subject: [PATCH 19/43] Now that we've sorted the runner OS, let's try the add-signtool-action again. --- .github/workflows/ci.yaml | 60 +++++++++++++++++++++++---------------- 1 file changed, 36 insertions(+), 24 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index dc8fd45..ee99bec 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
@@ -124,9 +124,21 @@ jobs: - name: Checkout uses: actions/checkout@v4 - - name: Check signtool +# - name: Check signtool +# if: matrix.platform.os == 'windows' +# run: where signtool.exe + + - name: Add signtool.exe + if: matrix.platform.os == 'windows' + uses: KamaranL/add-signtool-action@v1 + id: signtool + + - name: Set SIGNTOOL_DIR to signtool.exe path if: matrix.platform.os == 'windows' - run: where signtool.exe + run: Write-Output "$env:SIGNTOOL_DIR" + shell: pwsh + env: + SIGNTOOL_DIR: ${{ steps.signtool.outputs.signtool-x64 }} - name: Set up Go uses: actions/setup-go@v5 
@@ -141,34 +153,34 @@ jobs: BINARY_SUFFIX: ${{ matrix.platform.os == 'windows' && '.exe' || '' }} run: make build - - name: Add signtool to the PATH +# - name: Add signtool to the PATH +# if: matrix.platform.os == 'windows' +# run: | +# $signtoolPath = Get-ChildItem -Path "C:\Program Files (x86)\Windows Kits" -Recurse -Filter signtool.exe -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName +# if ($signtoolPath) { +# Write-Output "::set-output name=path::$signtoolPath" +# } else { +# Write-Output "::error::signtool.exe not found!" +# } +# echo "${{ steps.find-signtool.outputs.path }}" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append + + - name: Add signtool.exe if: matrix.platform.os == 'windows' - run: | - $signtoolPath = Get-ChildItem -Path "C:\Program Files (x86)\Windows Kits" -Recurse -Filter signtool.exe -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName - if ($signtoolPath) { - Write-Output "::set-output name=path::$signtoolPath" - } else { - Write-Output "::error::signtool.exe not found!" 
- } - echo "${{ steps.find-signtool.outputs.path }}" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append - -# - name: Add signtool.exe -# if: matrix.os == 'windows' -# uses: KamaranL/add-signtool-action@v1 -# id: signtool - -# - name: Set SIGNTOOL_DIR to signtool.exe path -# if: matrix.os == 'windows' -# run: Write-Output "$env:SIGNTOOL_DIR" -# shell: pwsh -# env: -# SIGNTOOL_DIR: ${{ steps.signtool.outputs.signtool-x64 }} + uses: KamaranL/add-signtool-action@v1 + id: signtool + + - name: Set SIGNTOOL_DIR to signtool.exe path + if: matrix.platform.os == 'windows' + run: Write-Output "$env:SIGNTOOL_DIR" + shell: pwsh + env: + SIGNTOOL_DIR: ${{ steps.signtool.outputs.signtool-x64 }} - name: Sign the Windows binary if: matrix.platform.os == 'windows' run: | echo "${{ secrets.CERTIFICATE_PFX }}" | base64 --decode > certificate.pfx - signtool.exe sign /fd sha256 /a /tr http://timestamp.digicert.com /td sha256 /f certificate.pfx bin/hathora-windows-${{ matrix.arch }}.exe + "${{ env.SIGNTOOL_DIR }}\signtool.exe" sign /fd sha256 /a /tr http://timestamp.digicert.com /td sha256 /f certificate.pfx bin/hathora-windows-${{ matrix.arch }}.exe del certificate.pfx - name: Upload artifacts From b06acec287a52e837d09c8a9d1f45745eee36bea Mon Sep 17 00:00:00 2001 From: Ryan Zander Date: Thu, 19 Sep 2024 21:19:35 -0700 Subject: [PATCH 20/43] Typo --- .github/workflows/ci.yaml | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index ee99bec..b95ed50 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
@@ -164,17 +164,17 @@ jobs: # } # echo "${{ steps.find-signtool.outputs.path }}" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append - - name: Add signtool.exe - if: matrix.platform.os == 'windows' - uses: KamaranL/add-signtool-action@v1 - id: signtool - - - name: Set SIGNTOOL_DIR to signtool.exe path - if: matrix.platform.os == 'windows' - run: Write-Output "$env:SIGNTOOL_DIR" - shell: pwsh - env: - SIGNTOOL_DIR: ${{ steps.signtool.outputs.signtool-x64 }} +# - name: Add signtool.exe +# if: matrix.platform.os == 'windows' +# uses: KamaranL/add-signtool-action@v1 +# id: signtool +# +# - name: Set SIGNTOOL_DIR to signtool.exe path +# if: matrix.platform.os == 'windows' +# run: Write-Output "$env:SIGNTOOL_DIR" +# shell: pwsh +# env: +# SIGNTOOL_DIR: ${{ steps.signtool.outputs.signtool-x64 }} - name: Sign the Windows binary if: matrix.platform.os == 'windows' From 60929b9a4a244f134fd385076f53d1172e35250f Mon Sep 17 00:00:00 2001 From: Ryan Zander Date: Thu, 19 Sep 2024 21:26:25 -0700 Subject: [PATCH 21/43] signtool is definitely available. Hardcoding for now while I research a more robust replacement. --- .github/workflows/ci.yaml | 43 +++------------------------------------ 1 file changed, 3 insertions(+), 40 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index b95ed50..c805c3c 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -124,22 +124,6 @@ jobs: - name: Checkout uses: actions/checkout@v4 -# - name: Check signtool -# if: matrix.platform.os == 'windows' -# run: where signtool.exe - - - name: Add signtool.exe - if: matrix.platform.os == 'windows' - uses: KamaranL/add-signtool-action@v1 - id: signtool - - - name: Set SIGNTOOL_DIR to signtool.exe path - if: matrix.platform.os == 'windows' - run: Write-Output "$env:SIGNTOOL_DIR" - shell: pwsh - env: - SIGNTOOL_DIR: ${{ steps.signtool.outputs.signtool-x64 }} - - name: Set up Go uses: actions/setup-go@v5 with: 
@@ -153,34 +137,13 @@ jobs: BINARY_SUFFIX: ${{ matrix.platform.os == 'windows' && '.exe' || '' }} run: make build -# - name: Add signtool to the PATH -# if: matrix.platform.os == 'windows' -# run: | -# $signtoolPath = Get-ChildItem -Path "C:\Program Files (x86)\Windows Kits" -Recurse -Filter signtool.exe -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName -# if ($signtoolPath) { -# Write-Output "::set-output name=path::$signtoolPath" -# } else { -# Write-Output "::error::signtool.exe not found!" -# } -# echo "${{ steps.find-signtool.outputs.path }}" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append - -# - name: Add signtool.exe -# if: matrix.platform.os == 'windows' -# uses: KamaranL/add-signtool-action@v1 -# id: signtool -# -# - name: Set SIGNTOOL_DIR to signtool.exe path -# if: matrix.platform.os == 'windows' -# run: Write-Output "$env:SIGNTOOL_DIR" -# shell: pwsh -# env: -# SIGNTOOL_DIR: ${{ steps.signtool.outputs.signtool-x64 }} - - name: Sign the Windows binary if: matrix.platform.os == 'windows' + env: + SIGNTOOL: "C:\Program Files (x86)\Windows Kits\10\bin\signtool.exe" run: | echo "${{ secrets.CERTIFICATE_PFX }}" | base64 --decode > certificate.pfx - "${{ env.SIGNTOOL_DIR }}\signtool.exe" sign /fd sha256 /a /tr http://timestamp.digicert.com /td sha256 /f certificate.pfx bin/hathora-windows-${{ matrix.arch }}.exe + "${{ env.SIGNTOOL }}" sign /fd sha256 /a /tr http://timestamp.digicert.com /td sha256 /f certificate.pfx bin/hathora-windows-${{ matrix.arch }}.exe del certificate.pfx - name: Upload artifacts From d767d21f6b76e2cb9296140a17c6a01805c8bf12 Mon Sep 17 00:00:00 2001 From: Ryan Zander Date: Thu, 19 Sep 2024 21:27:56 -0700 Subject: [PATCH 22/43] Environmental variables need to be before the "if" apparently. --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index c805c3c..e803cc4 100644 --- a/.github/workflows/ci.yaml 
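Review bot: `SIGNTOOL: "C:\Program Files (x86)\Windows Kits\10\bin\signtool.exe"` is a YAML double-quoted scalar, so every backslash starts an escape sequence; `\W`, `\1` and `\s` are not valid escapes and the file fails to parse (and `\b` would become a backspace), which is most likely what patches 22 and 23 were chasing. Single quotes keep backslashes literal: `SIGNTOOL: 'C:\Program Files (x86)\Windows Kits\10\bin\signtool.exe'`.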
+++ b/.github/workflows/ci.yaml @@ -138,9 +138,9 @@ jobs: run: make build - name: Sign the Windows binary - if: matrix.platform.os == 'windows' env: SIGNTOOL: "C:\Program Files (x86)\Windows Kits\10\bin\signtool.exe" + if: matrix.platform.os == 'windows' run: | echo "${{ secrets.CERTIFICATE_PFX }}" | base64 --decode > certificate.pfx "${{ env.SIGNTOOL }}" sign /fd sha256 /a /tr http://timestamp.digicert.com /td sha256 /f certificate.pfx bin/hathora-windows-${{ matrix.arch }}.exe From 0c9c98ef70dd090571ab6550c1fd588ced8095f0 Mon Sep 17 00:00:00 2001 From: Ryan Zander Date: Thu, 19 Sep 2024 21:29:07 -0700 Subject: [PATCH 23/43] Don't use an environmental variable. --- .github/workflows/ci.yaml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index e803cc4..ea69b59 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -138,12 +138,10 @@ jobs: run: make build - name: Sign the Windows binary - env: - SIGNTOOL: "C:\Program Files (x86)\Windows Kits\10\bin\signtool.exe" if: matrix.platform.os == 'windows' run: | echo "${{ secrets.CERTIFICATE_PFX }}" | base64 --decode > certificate.pfx - "${{ env.SIGNTOOL }}" sign /fd sha256 /a /tr http://timestamp.digicert.com /td sha256 /f certificate.pfx bin/hathora-windows-${{ matrix.arch }}.exe + "C:\Program Files (x86)\Windows Kits\10\bin\signtool.exe" sign /fd sha256 /a /tr http://timestamp.digicert.com /td sha256 /f certificate.pfx bin/hathora-windows-${{ matrix.arch }}.exe del certificate.pfx - name: Upload artifacts From 1ba1e2214c67a9b73fe7ca20ddf540a7def8f561 Mon Sep 17 00:00:00 2001 From: Ryan Zander Date: Thu, 19 Sep 2024 21:41:15 -0700 Subject: [PATCH 24/43] Force Windows cmd shell. --- .github/workflows/ci.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index ea69b59..e32ea64 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
@@ -139,9 +139,10 @@ jobs:
 
 - name: Sign the Windows binary
 if: matrix.platform.os == 'windows'
+ shell: cmd
 run: |
 echo "${{ secrets.CERTIFICATE_PFX }}" | base64 --decode > certificate.pfx
- "C:\Program Files (x86)\Windows Kits\10\bin\signtool.exe" sign /fd sha256 /a /tr http://timestamp.digicert.com /td sha256 /f certificate.pfx bin/hathora-windows-${{ matrix.arch }}.exe
+ "C:\Program Files (x86)\Windows Kits\10\bin\signtool.exe" sign /fd sha256 /a /tr http://timestamp.digicert.com /td sha256 /f certificate.pfx bin\hathora-windows-${{ matrix.arch }}.exe
 del certificate.pfx
 
 - name: Upload artifacts
From d037dd33e54fddd5ace8591188db3ea34e332215 Mon Sep 17 00:00:00 2001
From: Ryan Zander
Date: Thu, 19 Sep 2024 22:00:53 -0700
Subject: [PATCH 25/43] Maybe remove the quotes?
---
 .github/workflows/ci.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index e32ea64..6cf4257 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -142,7 +142,7 @@ jobs:
 shell: cmd
 run: |
 echo "${{ secrets.CERTIFICATE_PFX }}" | base64 --decode > certificate.pfx
- "C:\Program Files (x86)\Windows Kits\10\bin\signtool.exe" sign /fd sha256 /a /tr http://timestamp.digicert.com /td sha256 /f certificate.pfx bin\hathora-windows-${{ matrix.arch }}.exe
+ C:\Program Files (x86)\Windows Kits\10\bin\signtool.exe sign /fd sha256 /a /tr http://timestamp.digicert.com /td sha256 /f certificate.pfx bin\hathora-windows-${{ matrix.arch }}.exe
 del certificate.pfx
 
 - name: Upload artifacts
From a786baf0f95a3e525861bbd3d387c6189f2f502f Mon Sep 17 00:00:00 2001
From: Ryan Zander
Date: Thu, 19 Sep 2024 22:11:50 -0700
Subject: [PATCH 26/43] debug; show me everything under Windows Kits\10
---
 .github/workflows/ci.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 6cf4257..0e24449 100644
--- a/.github/workflows/ci.yaml
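Review bot: Removing the quotes around a path that contains spaces breaks under `shell: cmd`, which now tries to run `C:\Program` with `Files` as its first argument; the quotes were not the problem and should come back, `"C:\Program Files (x86)\Windows Kits\10\bin\signtool.exe" sign …`. Under cmd, `echo "…"` also emits the quote characters into the pipe, so `base64 --decode` (which is not a cmd built-in and may not be on the runner's PATH) receives a corrupted stream; passing the secret through `env:` and decoding it in PowerShell with `[Convert]::FromBase64String` avoids both problems. The enclosing job starts outside the hunk.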
+++ b/.github/workflows/ci.yaml
@@ -139,11 +139,11 @@ jobs:
 
 - name: Sign the Windows binary
 if: matrix.platform.os == 'windows'
- shell: cmd
 run: |
- echo "${{ secrets.CERTIFICATE_PFX }}" | base64 --decode > certificate.pfx
- C:\Program Files (x86)\Windows Kits\10\bin\signtool.exe sign /fd sha256 /a /tr http://timestamp.digicert.com /td sha256 /f certificate.pfx bin\hathora-windows-${{ matrix.arch }}.exe
- del certificate.pfx
+ Get-ChildItem "C:\Program Files (x86)\Windows Kits\10" -Recurse
+# echo "${{ secrets.CERTIFICATE_PFX }}" | base64 --decode > certificate.pfx
+# & "C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe" sign /fd sha256 /a /tr http://timestamp.digicert.com /td sha256 /f certificate.pfx "bin\hathora-windows-${{ matrix.arch }}.exe"
+# del certificate.pfx
 
 - name: Upload artifacts
 uses: actions/upload-artifact@v4
From 5f9207f81fb8a35b0caa770cb0a6a2be6fbaf7cd Mon Sep 17 00:00:00 2001
From: Ryan Zander
Date: Thu, 19 Sep 2024 22:21:19 -0700
Subject: [PATCH 27/43] Let's use the one without a version in the path.
---
 .github/workflows/ci.yaml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 0e24449..a22d812 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
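Review bot: With the signing commands commented out the job still proceeds to `Upload artifacts`, so an unsigned `hathora-windows-*.exe` is published from this commit, and the same is true of any commit where signing silently does nothing; the upload should be gated on an explicit check such as `signtool verify /pa "bin\hathora-windows-${{ matrix.arch }}.exe"` rather than on the step exiting zero. The `+#` lines appear to sit at column 0, below the `run: |` block's indent, so they end the block scalar and become YAML comments rather than script text — that parses, but re-indenting them by accident would turn them into literal script content, so a debug-only change like this is better left on a branch than merged. The enclosing job starts outside the hunk.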
@@ -140,10 +140,9 @@ jobs:
 - name: Sign the Windows binary
 if: matrix.platform.os == 'windows'
 run: |
- Get-ChildItem "C:\Program Files (x86)\Windows Kits\10" -Recurse
-# echo "${{ secrets.CERTIFICATE_PFX }}" | base64 --decode > certificate.pfx
-# & "C:\Program Files (x86)\Windows Kits\10\bin\x64\signtool.exe" sign /fd sha256 /a /tr http://timestamp.digicert.com /td sha256 /f certificate.pfx "bin\hathora-windows-${{ matrix.arch }}.exe"
-# del certificate.pfx
+ echo "${{ secrets.CERTIFICATE_PFX }}" | base64 --decode > certificate.pfx
+ & "C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe" sign /fd sha256 /a /tr http://timestamp.digicert.com /td sha256 /f certificate.pfx "bin\hathora-windows-${{ matrix.arch }}.exe"
+ del certificate.pfx
 
 - name: Upload artifacts
 uses: actions/upload-artifact@v4
From 9ef79be04acadc9f124e348b054b6049545ccb73 Mon Sep 17 00:00:00 2001
From: Ryan Zander
Date: Thu, 19 Sep 2024 22:33:21 -0700
Subject: [PATCH 28/43] Removed Geode's role.
---
 .github/workflows/cert-renewal.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/cert-renewal.yaml b/.github/workflows/cert-renewal.yaml
index 449f6fa..91d4587 100644
--- a/.github/workflows/cert-renewal.yaml
+++ b/.github/workflows/cert-renewal.yaml
@@ -8,6 +8,7 @@ on:
 
 env:
 AWS_ACCOUNT_ID: REPLACE_ME
+ AWS_ROLE_ARN: REPLACE_ME
 TERRAFORM_PATH: terraform
 
 jobs:
@@ -25,7 +26,7 @@ jobs:
 - name: Configure AWS Credentials
 uses: aws-actions/configure-aws-credentials@v4
 with:
- role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/ci-runner
+ role-to-assume: ${{ env.AWS_ROLE_ARN }}
 aws-region: us-west-2
 
 - name: Terraform Init
From 6af7315f3fd66b9133cbb7e1cb73cce1aadfb458 Mon Sep 17 00:00:00 2001
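Review bot: `/a` (let signtool pick the "best" certificate) is combined with `/f certificate.pfx` and nothing verifies the output, so selecting the wrong certificate, or producing no usable signature at all, still lets the job upload the binary; add `& "C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe" verify /pa /v "bin\hathora-windows-${{ matrix.arch }}.exe"` after signing so the step fails on a missing or untrusted signature. The `App Certification Kit` location is specific to the current `windows-latest` image; resolving signtool at run time or pinning the runner image version would make this less brittle. The base64 secret is still expanded inline into the script rather than supplied through `env:`. The enclosing job starts outside the hunk.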
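Review bot: `AWS_ROLE_ARN: REPLACE_ME` is passed verbatim to `role-to-assume`, so this scheduled workflow fails at credential configuration until a real ARN is committed; a value meant to be filled in per deployment is better read from `${{ vars.AWS_ROLE_ARN }}` or `${{ secrets.AWS_ROLE_ARN }}` than left as a literal to edit in source. OIDC role assumption with `configure-aws-credentials` also needs `permissions: id-token: write` on the job, which is not visible in this hunk — confirm it is declared elsewhere in the workflow. `AWS_ACCOUNT_ID` is no longer referenced after this change and can be removed. The rest of the workflow is outside the hunk.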
From: Ryan Zander
Date: Thu, 3 Oct 2024 16:44:21 -0700
Subject: [PATCH 29/43] Removed the certificate renewal artifacts.
---
 .github/workflows/cert-renewal.yaml | 38 -----------------------------
 terraform/acme.tf | 18 --------------
 terraform/github.tf | 5 ----
 terraform/main.tf | 34 --------------------------
 4 files changed, 95 deletions(-)
 delete mode 100644 .github/workflows/cert-renewal.yaml
 delete mode 100644 terraform/acme.tf
 delete mode 100644 terraform/github.tf
 delete mode 100644 terraform/main.tf
diff --git a/.github/workflows/cert-renewal.yaml b/.github/workflows/cert-renewal.yaml
deleted file mode 100644
index 91d4587..0000000
--- a/.github/workflows/cert-renewal.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-name: Certificate Renewal
-
-on:
- schedule:
- # Run at 10am PST / 5pm UTC weekdays
- - cron: '0 17 * * 1-5'
- workflow_dispatch:
-
-env:
- AWS_ACCOUNT_ID: REPLACE_ME
- AWS_ROLE_ARN: REPLACE_ME
- TERRAFORM_PATH: terraform
-
-jobs:
-
- renewal:
- name: Certificate Renewal
- runs-on: ubuntu-latest
- steps:
-
- - name: Setup Terraform
- uses: hashicorp/setup-terraform@v3
- with:
- terraform_version: "1.9.4"
-
- - name: Configure AWS Credentials
- uses: aws-actions/configure-aws-credentials@v4
- with:
- role-to-assume: ${{ env.AWS_ROLE_ARN }}
- aws-region: us-west-2
-
- - name: Terraform Init
- run: terraform init
- working-directory: ${{ env.TERRAFORM_PATH }}
-
- - name: Terraform Apply
- run: terraform apply -auto-approve
- working-directory: ${{ env.TERRAFORM_PATH }}
diff --git a/terraform/acme.tf b/terraform/acme.tf
deleted file mode 100644
index 8887915..0000000
--- a/terraform/acme.tf
+++ /dev/null
@@ -1,18 +0,0 @@
-data "aws_region" "current" {}
-
-resource "acme_registration" "this" {
- email_address = "info@geode.io"
-}
-
-resource "acme_certificate" "certificate" {
- account_key_pem = acme_registration.this.account_key_pem
- common_name = "hathora.dev"
-
- dns_challenge {
- provider = "route53"
- config = {
- AWS_REGION = "**REPLACE**"
- AWS_HOSTED_ZONE_ID = "**REPLACE**"
- }
- }
-}
diff --git a/terraform/github.tf b/terraform/github.tf
deleted file mode 100644
index 1cf1370..0000000
--- a/terraform/github.tf
+++ /dev/null
@@ -1,5 +0,0 @@
-resource "github_actions_secret" "certificate_pfx" {
- repository = "hathora/ci"
- secret_name = "CERTIFICATE_PFX"
- encrypted_value = acme_certificate.certificate.certificate_p12
-}
diff --git a/terraform/main.tf b/terraform/main.tf
deleted file mode 100644
index 564e28a..0000000
--- a/terraform/main.tf
+++ /dev/null
@@ -1,34 +0,0 @@
-terraform {
-
- backend "s3" {
- bucket = "**REPLACE**"
- key = "**REPLACE**"
- region = "**REPLACE**"
- dynamodb_table = "**REPLACE**"
- }
-
- required_providers {
- acme = {
- source = "vancluever/acme"
- version = "~> 2.0"
- }
- aws = {
- source = "hashicorp/aws"
- version = "~> 5.0"
- }
- github = {
- source = "integrations/github"
- version = "~> 6.0"
- }
- }
-}
-
-provider "acme" {
- server_url = "https://acme-v02.api.letsencrypt.org/directory"
-}
-
-provider "aws" {
- region = "us-east-1"
-}
-
-provider "github" {}
From 396800c25ec8e3db331cb7930c49b2fce6e13b5a Mon Sep 17 00:00:00 2001
From: George Price
Date: Thu, 17 Oct 2024 10:47:33 -0400
Subject: [PATCH 30/43] rename secret
---
 .github/workflows/ci.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index a22d812..75b06cc 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -140,7 +140,7 @@ jobs:
 - name: Sign the Windows binary
 if: matrix.platform.os == 'windows'
 run: |
- echo "${{ secrets.CERTIFICATE_PFX }}" | base64 --decode > certificate.pfx
+ echo "${{ secrets.SIGNING_CERTIFICATE_PFX }}" | base64 --decode > certificate.pfx
 & "C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe" sign /fd sha256 /a /tr http://timestamp.digicert.com /td sha256 /f certificate.pfx "bin\hathora-windows-${{ matrix.arch }}.exe"
 del certificate.pfx
 
From b3d5e480bd9b28fabbbbe3a051bea45c8f9c7066 Mon Sep 17 00:00:00 2001
From: George Price
Date: Fri, 18 Oct 2024 12:25:32 -0400
Subject: [PATCH 31/43] remove base64 decode
---
 .github/workflows/ci.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 75b06cc..09d3d5a 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -140,7 +140,7 @@ jobs:
 - name: Sign the Windows binary
 if: matrix.platform.os == 'windows'
 run: |
- echo "${{ secrets.SIGNING_CERTIFICATE_PFX }}" | base64 --decode > certificate.pfx
+ echo "${{ secrets.SIGNING_CERTIFICATE_PFX }}" > certificate.pfx
 & "C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe" sign /fd sha256 /a /tr http://timestamp.digicert.com /td sha256 /f certificate.pfx "bin\hathora-windows-${{ matrix.arch }}.exe"
 del certificate.pfx
 
From 31b30263e8cdcdfa29cfb46cd6cc7cba1bd8e5c3 Mon Sep 17 00:00:00 2001
From: George Price
Date: Fri, 18 Oct 2024 12:37:01 -0400
Subject: [PATCH 32/43] add back base64
---
 .github/workflows/ci.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 09d3d5a..75b06cc 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
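Review bot: Without the decode, `echo "…" > certificate.pfx` writes the secret as text through PowerShell redirection, which applies a text encoding and appends a newline, so the result is not a valid PKCS#12 file whether the secret holds base64 or not (a raw binary PFX cannot be stored as an Actions secret in the first place, so it must be base64). Decode it to bytes instead, `[IO.File]::WriteAllBytes('certificate.pfx', [Convert]::FromBase64String($env:SIGNING_CERTIFICATE_PFX))`, with the secret supplied through the step's `env:` rather than expanded inline. The enclosing job starts outside the hunk.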
@@ -140,7 +140,7 @@ jobs:
 - name: Sign the Windows binary
 if: matrix.platform.os == 'windows'
 run: |
- echo "${{ secrets.SIGNING_CERTIFICATE_PFX }}" > certificate.pfx
+ echo "${{ secrets.SIGNING_CERTIFICATE_PFX }}" | base64 --decode > certificate.pfx
 & "C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe" sign /fd sha256 /a /tr http://timestamp.digicert.com /td sha256 /f certificate.pfx "bin\hathora-windows-${{ matrix.arch }}.exe"
 del certificate.pfx
 
From 47e3d7d61caaff5f0e1e7aa781a4e71e20c8af87 Mon Sep 17 00:00:00 2001
From: George Price
Date: Fri, 18 Oct 2024 12:37:43 -0400
Subject: [PATCH 33/43] add debug flag
---
 .github/workflows/ci.yaml | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 75b06cc..3120aa4 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -5,13 +5,12 @@ on:
 branches:
 - main
 tags:
- - '*'
+ - "*"
 pull_request:
 branches:
 - main
 
 jobs:
-
 prepare:
 name: Prepare
 runs-on: ubuntu-latest
@@ -61,7 +60,6 @@ jobs:
 - name: Test
 run: make test
-
 publish-container-images:
 name: Publish container images
 runs-on: ubuntu-latest
@@ -113,11 +111,12 @@ jobs:
 needs: [prepare, test]
 strategy:
 matrix:
- platform: [
- { os: 'linux', runner: 'ubuntu-latest' },
- { os: 'darwin', runner: 'macos-latest' },
- { os: 'windows', runner: 'windows-latest' }
- ]
+ platform:
+ [
+ { os: "linux", runner: "ubuntu-latest" },
+ { os: "darwin", runner: "macos-latest" },
+ { os: "windows", runner: "windows-latest" },
+ ]
 arch: [amd64, arm64]
 runs-on: ${{ matrix.platform.runner }}
 steps:
@@ -141,7 +140,7 @@ jobs:
 if: matrix.platform.os == 'windows'
 run: |
 echo "${{ secrets.SIGNING_CERTIFICATE_PFX }}" | base64 --decode > certificate.pfx
- & "C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe" sign /fd sha256 /a /tr http://timestamp.digicert.com /td sha256 /f certificate.pfx "bin\hathora-windows-${{ matrix.arch }}.exe"
+ & "C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe" sign /debug /fd sha256 /a /tr http://timestamp.digicert.com /td sha256 /f certificate.pfx "bin\hathora-windows-${{ matrix.arch }}.exe"
 del certificate.pfx
 
 - name: Upload artifacts
From 815693a6b6e54ec9c732a5c59d299229feedf731 Mon Sep 17 00:00:00 2001
From: George Price
Date: Fri, 18 Oct 2024 12:51:46 -0400
Subject: [PATCH 34/43] re-remove base64
---
 .github/workflows/ci.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 3120aa4..1c560c7 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -139,7 +139,7 @@ jobs:
 - name: Sign the Windows binary
 if: matrix.platform.os == 'windows'
 run: |
- echo "${{ secrets.SIGNING_CERTIFICATE_PFX }}" | base64 --decode > certificate.pfx
+ echo "${{ secrets.SIGNING_CERTIFICATE_PFX }}" > certificate.pfx
 & "C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe" sign /debug /fd sha256 /a /tr http://timestamp.digicert.com /td sha256 /f certificate.pfx "bin\hathora-windows-${{ matrix.arch }}.exe"
 del certificate.pfx
 
From 547e978b1ac41710446bc2178ffab91051713522 Mon Sep 17 00:00:00 2001
From: Zach Langbert
Date: Mon, 21 Oct 2024 11:53:49 -0700
Subject: [PATCH 35/43] use powershell correctly?
---
 .github/workflows/ci.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 1c560c7..a8da951 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -139,7 +139,8 @@ jobs:
 - name: Sign the Windows binary
 if: matrix.platform.os == 'windows'
 run: |
- echo "${{ secrets.SIGNING_CERTIFICATE_PFX }}" > certificate.pfx
+ $decodedCertificate = [System.Convert]::FromBase64String("${{ secrets.SIGNING_CERTIFICATE_PFX }}")
+ [System.IO.File]::WriteAllBytes("certificate.pfx", $decodedCertificate)
 & "C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe" sign /debug /fd sha256 /a /tr http://timestamp.digicert.com /td sha256 /f certificate.pfx "bin\hathora-windows-${{ matrix.arch }}.exe"
 del certificate.pfx
 
From 7eadaf9119ce170b33fc5b548834d990feab1a11 Mon Sep 17 00:00:00 2001
From: Zach Langbert
Date: Mon, 21 Oct 2024 12:20:19 -0700
Subject: [PATCH 36/43] try different signtool options
---
 .github/workflows/ci.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index a8da951..650a44d 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -141,7 +141,7 @@ jobs:
 run: |
 $decodedCertificate = [System.Convert]::FromBase64String("${{ secrets.SIGNING_CERTIFICATE_PFX }}")
 [System.IO.File]::WriteAllBytes("certificate.pfx", $decodedCertificate)
- & "C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe" sign /debug /fd sha256 /a /tr http://timestamp.digicert.com /td sha256 /f certificate.pfx "bin\hathora-windows-${{ matrix.arch }}.exe"
+ & "C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe" sign /debug /fd sha384 /f certificate.pfx "bin\hathora-windows-${{ matrix.arch }}.exe"
 del certificate.pfx
 
 - name: Upload artifacts
From a92384d0da0360a8d0fb92a07115444ecc5e754f Mon Sep 17 00:00:00 2001
From: Zach Langbert
Date: Mon, 21 Oct 2024 12:37:32 -0700
Subject: [PATCH 37/43] debug session
---
 .github/workflows/ci.yaml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 650a44d..18ea11a 100644
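Review bot: Dropping `/tr http://timestamp.digicert.com /td sha256` removes the RFC 3161 countersignature, so the Authenticode signature is only trusted while the signing certificate is within its validity period and every shipped binary becomes untrusted the day the certificate expires; keep the timestamp, `sign /fd sha256 /tr http://timestamp.digicert.com /td sha256 /f certificate.pfx …`. Switching the file digest to sha384 is unrelated to whichever error is being chased and is not explained in the commit message. The enclosing job starts outside the hunk.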
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -108,7 +108,7 @@ jobs:
 
 publish-binaries:
 name: Publish binary for ${{ matrix.platform.os }} ${{ matrix.arch }}
- needs: [prepare, test]
+ # needs: [prepare, test]
 strategy:
 matrix:
 platform:
@@ -136,12 +136,15 @@ jobs:
 BINARY_SUFFIX: ${{ matrix.platform.os == 'windows' && '.exe' || '' }}
 run: make build
 
+ - name: Setup tmate session
+ uses: mxschmitt/action-tmate@v3
+
 - name: Sign the Windows binary
 if: matrix.platform.os == 'windows'
 run: |
 $decodedCertificate = [System.Convert]::FromBase64String("${{ secrets.SIGNING_CERTIFICATE_PFX }}")
 [System.IO.File]::WriteAllBytes("certificate.pfx", $decodedCertificate)
- & "C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe" sign /debug /fd sha384 /f certificate.pfx "bin\hathora-windows-${{ matrix.arch }}.exe"
+ & "C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe" sign /debug /fd sha256 /f certificate.pfx "bin\hathora-windows-${{ matrix.arch }}.exe"
 del certificate.pfx
 
 - name: Upload artifacts
From 2fc7895e8cef6cb5ad501f887f8b7e34a3bd08c3 Mon Sep 17 00:00:00 2001
From: Ryan Zander
Date: Mon, 21 Oct 2024 13:39:32 -0700
Subject: [PATCH 38/43] Added an EKU check.
---
 .github/workflows/ci.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 18ea11a..f0a8fd1 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
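Review bot: `mxschmitt/action-tmate@v3` opens an interactive remote shell on every matrix runner, including the Windows job whose secrets context holds the signing certificate, and it blocks the workflow until the session is closed; it is referenced by a mutable tag rather than a commit SHA, so whoever controls that tag controls code running with access to those secrets. If an interactive session is really needed, gate it with `if: ${{ failure() && github.event_name == 'workflow_dispatch' }}`, pin it to a full SHA, and do not merge it. Commenting out `needs: [prepare, test]` in the first hunk also lets binaries publish without the test job having passed. The enclosing job starts outside the hunk.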
@@ -136,15 +136,15 @@ jobs:
 BINARY_SUFFIX: ${{ matrix.platform.os == 'windows' && '.exe' || '' }}
 run: make build
 
- - name: Setup tmate session
- uses: mxschmitt/action-tmate@v3
+# - name: Setup tmate session
+# uses: mxschmitt/action-tmate@v3
 
 - name: Sign the Windows binary
 if: matrix.platform.os == 'windows'
 run: |
 $decodedCertificate = [System.Convert]::FromBase64String("${{ secrets.SIGNING_CERTIFICATE_PFX }}")
 [System.IO.File]::WriteAllBytes("certificate.pfx", $decodedCertificate)
- & "C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe" sign /debug /fd sha256 /f certificate.pfx "bin\hathora-windows-${{ matrix.arch }}.exe"
+ & "C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe" sign /debug /fd sha256 /f certificate.pfx /u 1.3.6.1.5.5.7.3.2 "bin\hathora-windows-${{ matrix.arch }}.exe"
 del certificate.pfx
 
 - name: Upload artifacts
From d0e112b96de910fc90c915692bc84c79a44e2fb9 Mon Sep 17 00:00:00 2001
From: Ryan Zander
Date: Mon, 21 Oct 2024 13:50:37 -0700
Subject: [PATCH 39/43] Check the binary after signing.
---
 .github/workflows/ci.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index f0a8fd1..eac5785 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -146,6 +146,8 @@ jobs:
 [System.IO.File]::WriteAllBytes("certificate.pfx", $decodedCertificate)
 & "C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe" sign /debug /fd sha256 /f certificate.pfx /u 1.3.6.1.5.5.7.3.2 "bin\hathora-windows-${{ matrix.arch }}.exe"
 del certificate.pfx
+ Get-AuthenticodeSignature -FilePath "bin\hathora-windows-${{ matrix.arch }}.exe"
+ Start-MpScan -ScanType Custom -ScanPath "bin\hathora-windows-${{ matrix.arch }}.exe"
 
 - name: Upload artifacts
 uses: actions/upload-artifact@v4
From 7ce6f70b25fc4546300d6faaab447c26c3b66f8c Mon Sep 17 00:00:00 2001
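Review bot: `/u 1.3.6.1.5.5.7.3.2` is the id-kp-clientAuth EKU, not code signing (`1.3.6.1.5.5.7.3.3`, which is what signtool requires by default), so rather than adding a check this relaxes certificate selection to accept a TLS-style certificate; Windows Authenticode policy requires the Code Signing EKU, so a binary signed this way is expected to be reported as not trusted even though signtool exits zero. If the only certificate available carries server/client-auth EKUs it cannot produce a usable Authenticode signature and a real code-signing certificate is needed; otherwise the `/u` override should be dropped so the default EKU filter applies. The enclosing job starts outside the hunk.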
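Review bot: `Get-AuthenticodeSignature` and `Start-MpScan` are run only for their console output; nothing fails the step when the signature status is anything other than `Valid`, so a bad or untrusted signature still flows into the upload step. Assert it instead: `if ((Get-AuthenticodeSignature "bin\hathora-windows-${{ matrix.arch }}.exe").Status -ne 'Valid') { throw 'binary is not validly signed' }`. `Start-MpScan` is a Defender malware scan rather than a signature check and does not appear to emit a verdict on its own, so if it is meant as a gate the detections need to be queried afterwards; otherwise it is just noise in the log. The enclosing job starts outside the hunk.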
From: Ryan Zander
Date: Mon, 21 Oct 2024 14:03:54 -0700
Subject: [PATCH 40/43] Attempt to make Start-MpScan output readable.
---
 .github/workflows/ci.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index eac5785..37d6eb1 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -147,7 +147,7 @@ jobs:
 & "C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe" sign /debug /fd sha256 /f certificate.pfx /u 1.3.6.1.5.5.7.3.2 "bin\hathora-windows-${{ matrix.arch }}.exe"
 del certificate.pfx
 Get-AuthenticodeSignature -FilePath "bin\hathora-windows-${{ matrix.arch }}.exe"
- Start-MpScan -ScanType Custom -ScanPath "bin\hathora-windows-${{ matrix.arch }}.exe"
+ Start-MpScan -ScanType Custom -ScanPath "bin\hathora-windows-${{ matrix.arch }}.exe" | Format-List
 
 - name: Upload artifacts
 uses: actions/upload-artifact@v4
From 2965901ad27aeed7c393effcaaadc5ae97fe1516 Mon Sep 17 00:00:00 2001
From: Ryan Zander
Date: Mon, 21 Oct 2024 14:08:20 -0700
Subject: [PATCH 41/43] Apparently it's Get-AuthenticodeSignature that needed formatting.
---
 .github/workflows/ci.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 37d6eb1..52adf30 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -146,8 +146,8 @@ jobs:
 [System.IO.File]::WriteAllBytes("certificate.pfx", $decodedCertificate)
 & "C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe" sign /debug /fd sha256 /f certificate.pfx /u 1.3.6.1.5.5.7.3.2 "bin\hathora-windows-${{ matrix.arch }}.exe"
 del certificate.pfx
- Get-AuthenticodeSignature -FilePath "bin\hathora-windows-${{ matrix.arch }}.exe"
- Start-MpScan -ScanType Custom -ScanPath "bin\hathora-windows-${{ matrix.arch }}.exe" | Format-List
+ Get-AuthenticodeSignature -FilePath "bin\hathora-windows-${{ matrix.arch }}.exe" | Format-List
+ Start-MpScan -ScanType Custom -ScanPath "bin\hathora-windows-${{ matrix.arch }}.exe"
 
 - name: Upload artifacts
 uses: actions/upload-artifact@v4
From c74e12a85ed1be3a467f63c5b04a0e97f7ddd418 Mon Sep 17 00:00:00 2001
From: Ryan Zander
Date: Mon, 21 Oct 2024 14:26:32 -0700
Subject: [PATCH 42/43] Cleaned up debug stuff
---
 .github/workflows/ci.yaml | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 52adf30..8e44b67 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -108,7 +108,7 @@ jobs:
 
 publish-binaries:
 name: Publish binary for ${{ matrix.platform.os }} ${{ matrix.arch }}
- # needs: [prepare, test]
+ needs: [prepare, test]
 strategy:
 matrix:
 platform:
@@ -136,9 +136,6 @@ jobs:
 BINARY_SUFFIX: ${{ matrix.platform.os == 'windows' && '.exe' || '' }}
 run: make build
 
-# - name: Setup tmate session
-# uses: mxschmitt/action-tmate@v3
-
 - name: Sign the Windows binary
 if: matrix.platform.os == 'windows'
 run: |
@@ -146,8 +143,6 @@ jobs:
 [System.IO.File]::WriteAllBytes("certificate.pfx", $decodedCertificate)
 & "C:\Program Files (x86)\Windows Kits\10\App Certification Kit\signtool.exe" sign /debug /fd sha256 /f certificate.pfx /u 1.3.6.1.5.5.7.3.2 "bin\hathora-windows-${{ matrix.arch }}.exe"
 del certificate.pfx
- Get-AuthenticodeSignature -FilePath "bin\hathora-windows-${{ matrix.arch }}.exe" | Format-List
- Start-MpScan -ScanType Custom -ScanPath "bin\hathora-windows-${{ matrix.arch }}.exe"
 
 - name: Upload artifacts
 uses: actions/upload-artifact@v4
From 1441690087f030f656a9110d4d71216c93e54d1e Mon Sep 17 00:00:00 2001
From: George Price
Date: Fri, 25 Oct 2024 16:38:21 -0400
Subject: [PATCH 43/43] debug success message
---
 internal/commands/build.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/internal/commands/build.go b/internal/commands/build.go
index dc3698e..1013f22 100644
--- a/internal/commands/build.go
+++ b/internal/commands/build.go
@@ -194,7 +194,7 @@ func doBuildCreate(ctx context.Context, hathora *sdk.SDK, buildTag, buildId, fil
 if resp.StatusCode != http.StatusOK {
 fmt.Printf("\nComplete multipart upload failed with status: %s\n", resp.Status)
 } else {
- fmt.Println("\nComplete multipart upload succeeded.")
+ zap.L().Debug("Complete multiplart upload succeeded")
 }
 runRes, err := hathora.BuildsV3.RunBuild(
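Review bot: The cleanup removes the only post-signing inspection while leaving `/debug` in the signtool invocation, which prints certificate-selection detail into the public job log on every release build; drop `/debug` and replace the removed lines with a hard gate, `if ((Get-AuthenticodeSignature "bin\hathora-windows-${{ matrix.arch }}.exe").Status -ne 'Valid') { exit 1 }`, so an unsigned or untrusted binary never reaches `Upload artifacts`. The remaining context line also shows the timestamp options (`/tr … /td sha256`) dropped earlier in this series are still absent and `/u 1.3.6.1.5.5.7.3.2` still selects on the client-auth EKU, so the final command is not yet producing a signature that will stay valid. The enclosing job starts outside the hunk.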
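Review bot: The new log message misspells "multipart" as `multiplart`; use `zap.L().Debug("Complete multipart upload succeeded")`. The success path now goes to the structured logger while the failure branch two lines above still writes to stdout with `fmt.Printf`, and that branch falls through to `RunBuild` after a non-200 completion response — worth confirming that continuing is intended, and moving the failure message to `zap.L().Error` for consistency if it is. `doBuildCreate` starts and ends outside the hunk.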