
Commit 156b6f5

authored
Merge pull request #57 from microsoft/alzollin/esrp
Added ESRP task for signing releases.
2 parents 4c45653 + 9ab9865 commit 156b6f5


4 files changed

+171
-54
lines changed


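--- a/.github/workflows/build-package.yml
+++ b/.github/workflows/build-package.yml
@@ -76,54 +76,4 @@ jobs:
 # uses: actions/upload-artifact@v4
 # with:
 # name: msix-layout
-# path: artifacts/msix-layout/
-
-# Prepare release assets (only on push to main)
-- name: Prepare Release Assets
-if: github.event_name == 'push' && github.ref == 'refs/heads/main'
-run: |
-$version = "${{ steps.build.outputs.version }}"
-
-# # Create a zip of the MSIX bundle distribution folder
-# Compress-Archive -Path "artifacts\msix-bundle\*" -DestinationPath "artifacts\msix-$version.zip" -Force
-# Write-Host "Created msix-$version.zip"
-
-# Create a zip of the CLI binaries (both x64 and arm64)
-Compress-Archive -Path "artifacts\cli\*" -DestinationPath "artifacts\binaries-$version.zip" -Force
-Write-Host "Created binaries-$version.zip"
-
-# Create GitHub pre-release (only on push to main)
-- name: Create Pre-Release
-if: github.event_name == 'push' && github.ref == 'refs/heads/main'
-uses: softprops/action-gh-release@v2
-with:
-tag_name: v${{ steps.build.outputs.version }}
-name: Pre-release v${{ steps.build.outputs.version }}
-prerelease: true
-generate_release_notes: true
-body: |
-🚀 **Automated Pre-release Build**
-
-Version: `${{ steps.build.outputs.version }}`
-Base Version: `${{ steps.build.outputs.base_version }}`
-Build Number: `${{ steps.build.outputs.build_number }}`
-Commit: `${{ github.sha }}`
-
-## Installation Options
-
-### 📦 Standalone CLI Binaries
-1. Download `binaries-${{ steps.build.outputs.version }}.zip`
-2. Extract to your desired location
-3. Add to PATH or run directly: `win-x64\winapp.exe` or `win-arm64\winapp.exe`
-
-### 📚 NPM Package (for Electron or NodeJS)
-```bash
-npm install microsoft-winappcli-${{ steps.build.outputs.version }}.tgz
-```
-
-## What's Included
-- ✅ Standalone CLI binaries (x64 and ARM64)
-- ✅ NPM package for NodeJS/Electron integration
-files: |
-artifacts/binaries-*.zip
-artifacts/*.tgz
+# path: artifacts/msix-layout/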

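--- a/.pipelines/ci.yml
+++ b/.pipelines/ci.yml
@@ -44,4 +44,6 @@ extends:
 - task: NuGetAuthenticate@1
 - template: ./.pipelines/templates/build.yaml@self
 parameters:
-stable: 'false'
+stable: 'false'
+DoEsrp: false
+signingIdentity: {}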

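--- a/.pipelines/release.yml
+++ b/.pipelines/release.yml
@@ -1,4 +1,4 @@
-trigger:
+trigger:
 branches:
 include:
 - rel/v*
@@ -11,6 +11,20 @@ resources:
 name: 1ESPipelineTemplates/1ESPipelineTemplates
 ref: refs/tags/release
 
+parameters:
+- name: DoEsrp
+type: boolean
+default: true
+- name: signingIdentity
+type: object
+default:
+serviceName: $(SigningServiceName)
+appId: $(SigningAppId)
+tenantId: $(SigningTenantId)
+akvName: $(SigningAKVName)
+authCertName: $(SigningAuthCertName)
+signCertName: $(SigningSignCertName)
+
 extends:
 template: v1/1ES.Official.PipelineTemplate.yml@1esPipelines
 parameters:
@@ -34,6 +48,12 @@ extends:
 displayName: Setup .NET 9
 inputs:
 version: 9.0.x
+- ${{ if eq(parameters.DoEsrp, 'true') }}:
+- task: UseDotNet@2
+displayName: Setup .NET 6.0 (For ESRP Task)
+inputs:
+packageType: runtime
+version: 6.0.x
 - task: UseNode@1
 displayName: Setup Node.js 24
 inputs:
@@ -47,4 +67,102 @@ extends:
 filePath: '.pipelines/Unstub.ps1'
 - template: ./.pipelines/templates/build.yaml@self
 parameters:
-stable: 'true'
+stable: 'true'
+DoEsrp: ${{ parameters.DoEsrp }}
+signingIdentity: ${{ parameters.signingIdentity }}
+- task: PowerShell@2
+name: SetMeta
+displayName: Build + compute versions
+inputs:
+targetType: inline
+script: |
+# Get version info
+$versionJson = Get-Content "version.json" | ConvertFrom-Json
+$baseVersion = $versionJson.version
+$buildNumber = & ".\scripts\get-build-number.ps1"
+$fullVersion = "$baseVersion-prerelease.$buildNumber"
+
+Write-Host "BaseVersion: $baseVersion"
+Write-Host "BuildNumber: $buildNumber"
+Write-Host "FullVersion: $fullVersion"
+
+# Export as **output variables** for other stages/jobs
+Write-Host "##vso[task.setvariable variable=version;isOutput=true]$fullVersion"
+Write-Host "##vso[task.setvariable variable=base_version;isOutput=true]$baseVersion"
+Write-Host "##vso[task.setvariable variable=build_number;isOutput=true]$buildNumber"
+
+- stage: Release
+displayName: Create GitHub Pre-release
+dependsOn: Build
+variables:
+version: $[ stageDependencies.Build.Build.outputs['SetMeta.version'] ]
+base_version: $[ stageDependencies.Build.Build.outputs['SetMeta.base_version'] ]
+build_number: $[ stageDependencies.Build.Build.outputs['SetMeta.build_number'] ]
+jobs:
+- job: create_release
+displayName: GitHub Pre-release
+templateContext:
+type: releaseJob
+inputs:
+- input: pipelineArtifact
+artifactName: cli-binaries
+targetPath: $(Pipeline.Workspace)/cli-binaries
+- input: pipelineArtifact
+artifactName: npm-package
+targetPath: $(Pipeline.Workspace)/npm-package
+steps:
+- task: ArchiveFiles@2
+displayName: Archive CLI binaries - x64
+inputs:
+rootFolderOrFile: $(Pipeline.Workspace)/cli-binaries/win-x64
+includeRootFolder: false
+archiveFile: $(Pipeline.Workspace)/winappcli-x64.zip
+
+- task: ArchiveFiles@2
+displayName: Archive CLI binaries - arm64
+inputs:
+rootFolderOrFile: $(Pipeline.Workspace)/cli-binaries/arm64
+includeRootFolder: false
+archiveFile: $(Pipeline.Workspace)/winappcli-arm64.zip
+
+- task: GitHubRelease@1
+displayName: "Create GitHub Pre-release"
+inputs:
+gitHubConnection: 'github-service-connection'
+repositoryName: 'microsoft/winappcli'
+action: 'create'
+target: '$(Build.SourceVersion)'
+tagSource: 'manual'
+tag: 'v$(version)'
+title: 'Pre-release v$(version)'
+isPreRelease: true
+assets: |
+$(Pipeline.Workspace)/winappcli-x64.zip
+$(Pipeline.Workspace)/winappcli-arm64.zip
+$(Pipeline.Workspace)/npm-package/*.tgz
+assetUploadMode: 'delete'
+addChangeLog: false
+releaseNotesSource: 'inline'
+releaseNotesInline: |
+🚀 **Automated Pre-release Build**
+
+Version: `$(version)`
+Base Version: `$(base_version)`
+Build Number: `$(build_number)`
+Commit: `$(Build.SourceVersion)`
+
+## Installation Options
+
+### 📦 Standalone CLI Binaries
+1. Download `winappcli-x64.zip` for x64 or `winappcli-arm64.zip` for ARM64
+2. Extract to your desired location
+3. Add to PATH or run directly: `winapp.exe`
+
+### 📚 NPM Package (for Electron or NodeJS)
+```bash
+npm install microsoft-winappcli-$(version).tgz
+```
+
+## What's Included
+- ✅ Standalone CLI binaries (x64 and ARM64)
+- ✅ NPM package for NodeJS/Electron integration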
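Review bot: The new `Release` stage uploads the two zips and the npm `.tgz` to GitHub whether or not signing ran, because `DoEsrp` is a queue-time boolean and nothing in the stage depends on it; a run queued with `DoEsrp` set to false would publish unsigned binaries under a `v$(version)` tag. Wrapping the stage in `- ${{ if eq(parameters.DoEsrp, true) }}:` (or failing the run early when the parameter is false) would keep published assets tied to the signing step. Separately, the arm64 archive step reads `$(Pipeline.Workspace)/cli-binaries/arm64` while the x64 step reads `cli-binaries/win-x64` and the signing pattern in build.yaml names `win-arm64/winapp.exe`, so the folder is probably meant to be `cli-binaries/win-arm64`; the artifact layout is not visible on this page, so confirm it.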

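--- a/.pipelines/templates/build.yaml
+++ b/.pipelines/templates/build.yaml
@@ -1,5 +1,13 @@
 parameters:
 stable: 'false'
+DoEsrp: false
+signingIdentity:
+serviceName: ''
+appId: ''
+tenantId: ''
+akvName: ''
+authCertName: ''
+signCertName: ''
 
 steps:
 - task: PowerShell@2
@@ -8,6 +16,45 @@ steps:
 pwsh: true
 filePath: $(System.DefaultWorkingDirectory)\scripts\build-cli.ps1
 arguments: '-Stable ${{ parameters.stable }}'
+- ${{ if eq(parameters['DoEsrp'], 'true') }}:
+- task: EsrpCodeSigning@5
+displayName: Code Sign ESRP - CLI
+inputs:
+ConnectedServiceName: ${{ parameters.signingIdentity.serviceName }}
+AppRegistrationClientId: ${{ parameters.signingIdentity.appId }}
+AppRegistrationTenantId: ${{ parameters.signingIdentity.tenantId }}
+AuthAKVName: ${{ parameters.signingIdentity.akvName }}
+AuthCertName: ${{ parameters.signingIdentity.authCertName }}
+AuthSignCertName: ${{ parameters.signingIdentity.signCertName }}
+FolderPath: '$(System.DefaultWorkingDirectory)/artifacts/cli/'
+Pattern: |
+win-arm64/winapp.exe
+win-x64/winapp.exe
+UseMinimatch: true
+signConfigType: inlineSignParams
+inlineOperation: |
+[
+{
+"KeyCode": "CP-230012",
+"OperationCode": "SigntoolSign",
+"Parameters": {
+"OpusName": "Microsoft Windows Developer SDK CLI",
+"OpusInfo": "https://github.com/Microsoft/WinAppCli",
+"FileDigest": "/fd \"SHA256\"",
+"PageHash": "/PH",
+"TimeStamp": "/tr \"http://rfc3161.gtm.corp.microsoft.com/TSS/HttpTspServer\" /td sha256"
+},
+"ToolName": "sign",
+"ToolVersion": "1.0"
+},
+{
+"KeyCode": "CP-230012",
+"OperationCode": "SigntoolVerify",
+"Parameters": {},
+"ToolName": "sign",
+"ToolVersion": "1.0"
+}
+]
 - task: CopyFiles@2
 displayName: Copy Artifacts - Test Results
 inputs: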
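Review bot: The `EsrpCodeSigning@5` step's `Pattern` covers only `win-arm64/winapp.exe` and `win-x64/winapp.exe` under `artifacts/cli/`, so any other executable or DLL in that folder, and whatever the npm `.tgz` carries, gets no Authenticode signature from this step. Where the `.tgz` is packed is not visible in this hunk; if it happens inside `build-cli.ps1`, which runs before signing, the package published by release.yml would contain the unsigned copies, so the ordering is worth confirming. A comment above the step such as `# Signs only the two CLI executables; package anything derived from artifacts/cli after this step` would record that requirement. The steps list continues outside the hunk, so later packaging steps may already handle this.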
