Skip to content

Create Release (Windows) #108

Create Release (Windows)

Create Release (Windows) #108

Workflow file for this run

name: Create Release
on:
workflow_dispatch:
permissions:
contents: read
actions: read # Required by SignPath action to read job details
id-token: write # Optional: For OIDC authentication (future enhancement)
attestations: write # Optional: For build provenance attestations (future enhancement)
jobs:
build:
runs-on: windows-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup .NET
uses: actions/setup-dotnet@v4
with:
dotnet-version: '9.0.x'
- name: Extract Version
run: |
$content = Get-Content "CHANGELOG.md" -Raw
if ($content -match "#### Version\s+([\d.]+)") {
$version = $matches[1]
Write-Host "Version: $version"
echo "VERSION=$version" >> $env:GITHUB_ENV
} else {
Write-Error "Could not find version in CHANGELOG.md"
exit 1
}
- name: Clean
run: dotnet clean
- name: Publish WPF App
run: |
dotnet publish Wabbajack.App.Wpf\Wabbajack.App.Wpf.csproj `
--framework "net9.0-windows" `
--runtime win-x64 `
--configuration Release `
/p:Platform=x64 `
-o publish\app `
/p:IncludeNativeLibrariesForSelfExtract=true `
--self-contained `
/p:DebugType=embedded
- name: Publish Launcher
run: |
dotnet publish Wabbajack.Launcher\Wabbajack.Launcher.csproj `
--framework "net9.0-windows" `
--runtime win-x64 `
--configuration Release `
/p:Platform=x64 `
-o publish\launcher `
/p:PublishSingleFile=true `
/p:IncludeNativeLibrariesForSelfExtract=true `
--self-contained `
/p:DebugType=embedded
- name: Publish CLI
run: |
dotnet publish Wabbajack.CLI\Wabbajack.CLI.csproj `
--framework "net9.0" `
--runtime win-x64 `
--configuration Release `
/p:Platform=x64 `
-o publish\app\cli `
/p:IncludeNativeLibrariesForSelfExtract=true `
--self-contained `
/p:DebugType=embedded
# Sign the executables using SignPath GitHub Action
# Main App Signing: Upload → Sign → Verify
- name: Upload Unsigned Main App for Signing
id: upload-main-app
uses: actions/upload-artifact@v4
with:
name: unsigned-main-app
path: publish\app\Wabbajack.exe
retention-days: 1
- name: Sign Main App with SignPath
id: sign-main-app
uses: signpath/github-action-submit-signing-request@v2
with:
api-token: ${{ secrets.SIGNPATH_API_KEY }}
organization-id: ${{ secrets.SIGNPATH_ORG_ID }}
project-slug: wabbajack
signing-policy-slug: test-signing
artifact-configuration-slug: wabbajack-app
github-artifact-id: ${{ steps.upload-main-app.outputs.artifact-id }}
wait-for-completion: true
wait-for-completion-timeout-in-seconds: 1800
output-artifact-directory: publish\app
- name: Verify Main App Signature
shell: pwsh
run: |
Write-Host "Verifying Main App signature..."
$sig = Get-AuthenticodeSignature "publish\app\Wabbajack.exe"
if ($sig.Status -ne 'Valid') {
Write-Error "Main App signature verification failed: $($sig.Status)"
exit 1
}
$sig | Format-List
# CLI Signing: Upload → Sign → Verify
- name: Upload Unsigned CLI for Signing
id: upload-cli
uses: actions/upload-artifact@v4
with:
name: unsigned-cli
path: publish\app\cli\wabbajack-cli.exe
retention-days: 1
- name: Sign CLI with SignPath
id: sign-cli
uses: signpath/github-action-submit-signing-request@v2
with:
api-token: ${{ secrets.SIGNPATH_API_KEY }}
organization-id: ${{ secrets.SIGNPATH_ORG_ID }}
project-slug: wabbajack
signing-policy-slug: test-signing
artifact-configuration-slug: wabbajack-cli
github-artifact-id: ${{ steps.upload-cli.outputs.artifact-id }}
wait-for-completion: true
wait-for-completion-timeout-in-seconds: 1800
output-artifact-directory: publish\app\cli
- name: Verify CLI Signature
shell: pwsh
run: |
Write-Host "Verifying CLI signature..."
$sig = Get-AuthenticodeSignature "publish\app\cli\wabbajack-cli.exe"
if ($sig.Status -ne 'Valid') {
Write-Error "CLI signature verification failed: $($sig.Status)"
exit 1
}
$sig | Format-List
# Launcher Signing: Upload → Sign → Verify
- name: Upload Unsigned Launcher for Signing
id: upload-launcher
uses: actions/upload-artifact@v4
with:
name: unsigned-launcher
path: publish\launcher\Wabbajack.exe
retention-days: 1
- name: Sign Launcher with SignPath
id: sign-launcher
uses: signpath/github-action-submit-signing-request@v2
with:
api-token: ${{ secrets.SIGNPATH_API_KEY }}
organization-id: ${{ secrets.SIGNPATH_ORG_ID }}
project-slug: wabbajack
signing-policy-slug: test-signing
artifact-configuration-slug: wabbajack-launcher
github-artifact-id: ${{ steps.upload-launcher.outputs.artifact-id }}
wait-for-completion: true
wait-for-completion-timeout-in-seconds: 1800
output-artifact-directory: publish\launcher
- name: Verify Launcher Signature
shell: pwsh
run: |
Write-Host "Verifying Launcher signature..."
$sig = Get-AuthenticodeSignature "publish\launcher\Wabbajack.exe"
if ($sig.Status -ne 'Valid') {
Write-Error "Launcher signature verification failed: $($sig.Status)"
exit 1
}
$sig | Format-List
- name: Create App ZIP
run: |
& "C:\Program Files\7-Zip\7z.exe" a publish\wabbajack-${{ env.VERSION }}.zip publish\app\*
- name: Create Launcher ZIP
run: |
& "C:\Program Files\7-Zip\7z.exe" a publish\wabbajack-launcher-${{ env.VERSION }}.zip publish\launcher\*
- name: Upload App Artifact
uses: actions/upload-artifact@v4
with:
name: wabbajack-app
path: publish\wabbajack-${{ env.VERSION }}.zip
retention-days: 30
- name: Upload Launcher Artifact
uses: actions/upload-artifact@v4
with:
name: wabbajack-launcher
path: publish\wabbajack-launcher-${{ env.VERSION }}.zip
retention-days: 30