name: ci on: push: branches: [ main, release-* ] tags: 'v*' pull_request: branches: [ main ] env: QT_VERSION: 6.5.2 jobs: # This is a super hacky way to get this into a place that can actually be # used by downstream jobs because YAML values don't allow shell # interpolation, only github expression interpolation run-info: name: Gather Run Info runs-on: ubuntu-latest outputs: sha8: ${{ steps.calc-info.outputs.sha8 }} isRelease: ${{ steps.calc-info.outputs.isRelease }} signMacRelease: ${{ steps.calc-info.outputs.signMacRelease }} signWinRelease: ${{ steps.calc-info.outputs.signWinRelease }} steps: - name: CheckRun Info env: MCERT: ${{secrets.MACOS_CERT}} WCERT: ${{ secrets.WINDOWS_CERT }} id: calc-info run: | MSIGN="false" WSIGN="false" RELEASE="false" if [[ "$GITHUB_REF" == *"tags/v"* || "$GITHUB_REF" == *"refs/heads/release" ]]; then RELEASE="true" NAME="$GITHUB_REF_NAME" fi if [[ "$MCERT" != "" ]]; then MSIGN="true" fi if [[ "$WCERT" != "" ]]; then WSIGN="true" fi if [[ "$NAME" == "" ]]; then NAME="continuous" fi echo "signMacRelease=$MSIGN" >> $GITHUB_OUTPUT echo "signWinRelease=$WSIGN" >> $GITHUB_OUTPUT echo "sha8=$NAME" >> $GITHUB_OUTPUT echo "isRelease=$RELEASE" >> $GITHUB_OUTPUT build: name: ${{ matrix.config.name }} runs-on: ${{ matrix.config.os }} needs: run-info strategy: fail-fast: false matrix: config: - { name: "Linux" , os: ubuntu-20.04 , QT_INST_DIR: /opt , extraCMakeConfig: "-DCMAKE_INSTALL_PREFIX=/usr" } - { name: "Mac" , os: macos-latest , QT_INST_DIR: /Users/runner , extraCMakeConfig: "-DCMAKE_OSX_ARCHITECTURES=\"arm64;x86_64\"" , cmakeSigning: "-DNOTARIZE_AS=\"John Kennedy\"" , buildTarget: "--target package" } - { name: "Windows", WIN_ARCH: "x64" , os: windows-2019 , QT_INST_DIR: "C:/", QT_ARCH: win64_msvc2019_64 , extraCMakeConfig: "-G Ninja" , buildTarget: "--target package" } steps: - name: Setup env shell: bash run: | echo "name=ashirt-${{ needs.run-info.outputs.sha8 }}" >> $GITHUB_ENV echo "githash=${{ needs.run-info.outputs.sha8 }}" >> $GITHUB_ENV echo "signMacRelease=${{ needs.run-info.outputs.signMacRelease }}" >> $GITHUB_ENV echo "signWinRelease=${{ needs.run-info.outputs.signWinRelease }}" >> $GITHUB_ENV - name: Check out code uses: actions/checkout@v4 with: submodules: true fetch-depth: 0 - run: git fetch --tags --force - name: Env Script (windows) uses: ilammy/msvc-dev-cmd@v1 if: runner.os == 'Windows' with: arch: ${{matrix.config.WIN_ARCH}} - name: Import Signing Certificate ( windows ) if: runner.os == 'Windows' && env.signWinRelease == 'true' run: | New-Item -ItemType directory -Path build\certificate Set-Content -Path build\certificate\certificate.txt -Value '${{ secrets.WINDOWS_CERT }}' certutil -decode build\certificate\certificate.txt build\certificate\certificate.pfx - name: Import Signing Certificate ( macos ) if: runner.os == 'macOS' && env.signMacRelease == 'true' uses: Apple-Actions/import-codesign-certs@v2 with: p12-file-base64: ${{ secrets.MACOS_CERT }} p12-password: ${{ secrets.MACOS_PASS }} - name: Install Qt uses: jurplel/install-qt-action@v3.3.0 with: aqtversion: ==2.0.0 py7zrversion: ==0.16.2 dir: ${{matrix.config.QT_INST_DIR}} arch: ${{ matrix.config.QT_ARCH }} version: ${{ env.QT_VERSION }} - name: Install Dependencies shell: bash run: | if [ "$RUNNER_OS" == "Linux" ]; then sudo apt-get update > /dev/null && sudo apt-get install -qqq libxcb-keysyms1-dev libxkbcommon-dev libxkbcommon-x11-dev libxcb-cursor0 > /dev/null elif [ "$RUNNER_OS" == "Windows" ]; then choco install ninja --ignore-checksums fi - name: Build shell: bash run: | if [[ "${{ env.signMacRelease }}" == "true" ]]; then cmake -S. -Bbuild -DCMAKE_BUILD_TYPE=Release -DCPACK_PACKAGE_VERSION="${{env.githash}}" ${{matrix.config.extraCMakeConfig}} ${{matrix.config.cmakeSigning}} else cmake -S. -Bbuild -DCMAKE_BUILD_TYPE=Release -DCPACK_PACKAGE_VERSION="${{env.githash}}" ${{matrix.config.extraCMakeConfig}} fi cmake --build build ${{ matrix.config.buildTarget }} cd build mkdir -p dist if [ "$RUNNER_OS" == "Linux" ]; then wget -qc "https://github.com/linuxdeploy/linuxdeploy/releases/download/continuous/linuxdeploy-x86_64.AppImage" wget -qc "https://github.com/linuxdeploy/linuxdeploy-plugin-qt/releases/download/continuous/linuxdeploy-plugin-qt-x86_64.AppImage" chmod a+x linuxdeploy*.AppImage export VERSION=${{ env.githash }} export PATH=$PATH:/opt/Qt/${{env.QT_VERSION}}/gcc_64/libexec ./linuxdeploy-x86_64.AppImage --appdir=appdir --output appimage \ -e src/ashirt \ -d ../deploy/ashirt.desktop \ -i ../deploy/hicolor/128x128/apps/ashirt.png \ --plugin=qt elif [[ "$RUNNER_OS" == "macOS" && "${{ env.signMacRelease }}" == "true" ]]; then brew tap mitchellh/gon brew install mitchellh/gon/gon jq export ID=${{ env.name }}.dmg echo "${{ secrets.GON_CONF }}" | base64 -D -i - | jq '.notarize[0].path = env.ID' > notarize.json gon notarize.json elif [[ "$RUNNER_OS" == "Windows" && "${{ env.signWinRelease }}" == "true" ]]; then signtool sign -f certificate\\certificate.pfx -fd certHash -p '${{ secrets.WIN_CERT_PASS }}' -t http://timestamp.digicert.com ${{env.name}}.exe fi mv ashirt*.* dist/ - name: Archive production artifacts uses: actions/upload-artifact@v3 with: name: ${{env.name}} path: build/dist/ashirt*.* release: name: Release needs: [run-info, build] runs-on: ubuntu-latest steps: - name: Download Files uses: actions/download-artifact@v3 - name: Deploy Continuous if: github.ref == 'refs/heads/main' uses: "marvinpinto/action-automatic-releases@latest" with: repo_token: "${{ secrets.GITHUB_TOKEN }}" automatic_release_tag: "continuous" prerelease: false title: "Continuous Build" files: ashirt-*/ashirt-*.* - name: Deploy Tag if: contains(github.ref, 'tags/v') || github.ref == 'refs/heads/release' uses: "marvinpinto/action-automatic-releases@latest" with: repo_token: "${{ secrets.GITHUB_TOKEN }}" automatic_release_tag: ${{ github.ref_name }} prerelease: false title: ${{ github.ref }} files: ashirt-*/ashirt-*.*