120 changes: 41 additions & 79 deletions .github/workflows/package.yml
@@ -11,7 +11,6 @@ permissions:

jobs:
build-cli:
if: ${{ !(startsWith(github.ref, 'refs/tags/') && matrix.target == 'x86_64-pc-windows-msvc') }}
Collaborator Author

I merged the windows job into this one

strategy:
fail-fast: false
matrix:
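
Review bot: Dropping the `if:` guard on `build-cli` means tag builds for `x86_64-pc-windows-msvc` now come from this matrix job, and the only signing step in it is marked `if: false` further down, so a tagged release would package and upload unsigned Windows binaries. Until signing works again, consider making the tag path explicit, for example by failing the Windows leg on `refs/tags/` refs or by naming the artifact as unsigned, so that an unsigned release cannot ship silently.
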
@@ -51,81 +50,45 @@ jobs:
- name: Install rust target
run: rustup target add ${{ matrix.target }}

- name: Compile
run: |
cargo build --release --target ${{ matrix.target }} -p spacetimedb-cli -p spacetimedb-standalone -p spacetimedb-update

- name: Package (unix)
Collaborator Author

the diff here is garbage. tl;dr I just moved the two code-signing-related blocks into the main job and added the "if windows" condition

if: ${{ runner.os != 'Windows' }}
shell: bash
run: |
mkdir build
cd target/${{matrix.target}}/release
cp spacetimedb-update ../../../build/spacetimedb-update-${{matrix.target}}
tar -czf ../../../build/spacetime-${{matrix.target}}.tar.gz spacetimedb-{cli,standalone}

- name: Package (windows)
- name: Add signtool.exe to PATH
if: ${{ runner.os == 'Windows' }}
shell: bash
shell: pwsh
run: |
mkdir build
cd target/${{matrix.target}}/release
cp spacetimedb-update.exe ../../../build/spacetimedb-update-${{matrix.target}}.exe
7z a ../../../build/spacetime-${{matrix.target}}.zip spacetimedb-cli.exe spacetimedb-standalone.exe

- name: Extract branch name
shell: bash
run: echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_OUTPUT
id: extract_branch

- name: Upload to DO Spaces
uses: shallwefootball/s3-upload-action@master
with:
aws_key_id: ${{ secrets.AWS_KEY_ID }}
aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY}}
aws_bucket: ${{ vars.AWS_BUCKET }}
source_dir: build
endpoint: https://nyc3.digitaloceanspaces.com
destination_dir: ${{ steps.extract_branch.outputs.branch }}

build-cli-windows-signed:
if: ${{ startsWith(github.ref, 'refs/tags/') }}
name: Build and sign CLI for x86_64 Windows
runs-on: [self-hosted, windows, signing]
environment: codesign
concurrency:
group: codesign-${{ github.ref }}
cancel-in-progress: false

steps:
- name: Checkout
uses: actions/checkout@v3

- name: Install Rust
uses: dsherret/rust-toolchain-file@v1
$root = "${env:ProgramFiles(x86)}\Windows Kits\10\bin"
$signtool = Get-ChildItem $root -Recurse -Filter signtool.exe -ErrorAction SilentlyContinue |
Where-Object { $_.FullName -match '\\x64\\signtool\.exe$' } |
Sort-Object FullName -Descending |
Select-Object -First 1

- name: Install rust target
run: rustup target add x86_64-pc-windows-msvc
if (-not $signtool) { throw "signtool.exe not found under $root" }

- name: Compile
run: |
cargo build --release --target x86_64-pc-windows-msvc -p spacetimedb-cli -p spacetimedb-standalone -p spacetimedb-update
"Found: $($signtool.FullName)"
$dir = Split-Path $signtool.FullName
Add-Content -Path $env:GITHUB_PATH -Value $dir

- name: Write certificate file
- name: Write certificate file for signing
if: ${{ runner.os == 'Windows' }}
shell: powershell
env:
DIGICERT_CERT_B64: ${{ secrets.DIGICERT_CERT_B64 }}
run: |
[IO.File]::WriteAllBytes("digicert.crt", [Convert]::FromBase64String($env:DIGICERT_CERT_B64))
[IO.File]::WriteAllBytes("digicert.pfx", [Convert]::FromBase64String($env:DIGICERT_CERT_B64))

- name: Sign binaries
- name: Compile
run: |
cargo build --release --target ${{ matrix.target }} -p spacetimedb-cli -p spacetimedb-standalone -p spacetimedb-update

- name: Sign binaries for Windows
# Disabled for now since the current flow isn't working.
if: false
Collaborator Author

note that this step is disabled for now

#if: ${{ runner.os == 'Windows' }}
shell: powershell
env:
DIGICERT_KEYPAIR_ALIAS: ${{ secrets.DIGICERT_KEYPAIR_ALIAS }}
run: |
$ErrorActionPreference = 'Stop'
$targetDir = Join-Path $env:GITHUB_WORKSPACE 'target\x86_64-pc-windows-msvc\release'
$certFile = Join-Path $env:GITHUB_WORKSPACE 'digicert.crt'
$certFile = Join-Path $env:GITHUB_WORKSPACE 'digicert.pfx'

$signtool = Get-Command signtool.exe -ErrorAction Stop

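Review bot: `Write certificate file for signing` is gated only on `runner.os == 'Windows'`, so `secrets.DIGICERT_CERT_B64` is decoded to `digicert.pfx` in the workspace on every Windows run, including branch builds, while the step that would use it is `if: false`. The removed `build-cli-windows-signed` job limited this to tags and ran under `environment: codesign` on the `[self-hosted, windows, signing]` runner; none of that scoping carries over. The file is also written before `Compile`, so it sits on disk for the whole `cargo build`. Suggest giving this step the same condition as the signing step (and restricting both to `refs/tags/`), moving it to just before signing, writing it under `$env:RUNNER_TEMP` rather than the checkout, and deleting it once signing is done. Minor: `$targetDir` is still hard-coded to `target\x86_64-pc-windows-msvc\release` although the build now uses `${{ matrix.target }}`.
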
@@ -136,32 +99,31 @@ jobs:
)

foreach ($file in $files) {
& $signtool.Path sign /csp "DigiCert Signing Manager KSP" /kc $env:DIGICERT_KEYPAIR_ALIAS /f $certFile /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 $file
& $signtool.Path sign /f $certFile /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 $file
& $signtool.Path verify /v /pa $file
}

- name: Package (windows)
shell: powershell
- name: Package (unix)
if: ${{ runner.os != 'Windows' }}
shell: bash
run: |
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Force -Path build | Out-Null
$releaseDir = Join-Path $env:GITHUB_WORKSPACE 'target\x86_64-pc-windows-msvc\release'
mkdir build
cd target/${{matrix.target}}/release
cp spacetimedb-update ../../../build/spacetimedb-update-${{matrix.target}}
tar -czf ../../../build/spacetime-${{matrix.target}}.tar.gz spacetimedb-{cli,standalone}

Copy-Item (Join-Path $releaseDir 'spacetimedb-update.exe') (Join-Path $env:GITHUB_WORKSPACE 'build\spacetimedb-update-x86_64-pc-windows-msvc.exe')
Compress-Archive -Force -Path @(
(Join-Path $releaseDir 'spacetimedb-cli.exe'),
(Join-Path $releaseDir 'spacetimedb-standalone.exe')
) -DestinationPath (Join-Path $env:GITHUB_WORKSPACE 'build\spacetime-x86_64-pc-windows-msvc.zip')
- name: Package (windows)
if: ${{ runner.os == 'Windows' }}
shell: bash
run: |
mkdir build
cd target/${{matrix.target}}/release
cp spacetimedb-update.exe ../../../build/spacetimedb-update-${{matrix.target}}.exe
7z a ../../../build/spacetime-${{matrix.target}}.zip spacetimedb-cli.exe spacetimedb-standalone.exe

- name: Extract branch name
shell: powershell
run: |
$ErrorActionPreference = 'Stop'
$branch = $env:GITHUB_HEAD_REF
if ([string]::IsNullOrEmpty($branch)) {
$branch = $env:GITHUB_REF -replace '^refs/heads/', ''
}
"branch=$branch" | Out-File -FilePath $env:GITHUB_OUTPUT -Encoding utf8 -Append
shell: bash
run: echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_OUTPUT
id: extract_branch

- name: Upload to DO Spaces
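
Review bot: On the new `signtool.exe sign` line, `/csp "DigiCert Signing Manager KSP"` and `/kc $env:DIGICERT_KEYPAIR_ALIAS` are gone and only `/f $certFile` remains, so signing now depends on `digicert.pfx` carrying the private key itself, with no `/p` password. If `DIGICERT_CERT_B64` still holds only the certificate, this cannot sign; if it now holds a key-bearing PFX, that is a change in where the signing key lives and is worth stating in the PR description. `DIGICERT_KEYPAIR_ALIAS` in the step's `env:` is now unused and can be dropped. Separately, inside the `foreach`, `$ErrorActionPreference = 'Stop'` does not by itself stop on a non-zero exit from `signtool`, so check `$LASTEXITCODE` after both `sign` and `verify` before moving to the next file.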