From ba66f8d3f8256181fc107317e20d75bd563138b2 Mon Sep 17 00:00:00 2001 From: Chen Yu Date: Mon, 30 Oct 2023 10:20:30 +0900 Subject: [PATCH 1/3] ci: use key locker to sign neuron for windows (#2913) --- .github/workflows/package.yml | 35 ++++++++++++++- .github/workflows/package_for_test.yml | 47 ++++++++++++++------ packages/neuron-wallet/electron-builder.yml | 3 ++ packages/neuron-wallet/scripts/customSign.js | 16 +++++++ 4 files changed, 86 insertions(+), 15 deletions(-) create mode 100644 packages/neuron-wallet/scripts/customSign.js diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml index 04fdd175e4..b10ba13461 100644 --- a/.github/workflows/package.yml +++ b/.github/workflows/package.yml 
@@ -51,6 +51,39 @@ jobs: env: ACTIONS_ALLOW_UNSECURE_COMMANDS: "true" + - name: Setup Certificate + if: matrix.os == 'windows-2019' + run: | + echo "${{ secrets.SM_CLIENT_CERT_FILE_BASE64 }}" | base64 --decode > /d/Certificate_pkcs12.p12 + shell: bash + + - name: Set variables + if: matrix.os == 'windows-2019' + run: | + echo "SM_KEYPAIR_NAME=${{ secrets.SM_KEYPAIR_ALIAS }}" >> "$GITHUB_ENV" + echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV" + echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV" + echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV" + echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV" + echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH + echo "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools" >> $GITHUB_PATH + echo "C:\Program Files\DigiCert\DigiCert One Signing Manager Tools" >> $GITHUB_PATH + shell: bash + + - name: Setting up the client tools + if: ${{ matrix.os == 'windows-2019' && env.SM_API_KEY != '' }} + run: | + curl -X GET https://one.digicert.com/signingmanager/api-ui/v1/releases/smtools-windows-x64.msi/download -H "x-api-key:%SM_API_KEY%" -o smtools-windows-x64.msi + msiexec /i smtools-windows-x64.msi /quiet /qn + C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user + shell: cmd + + - name: Certificates Sync + if: ${{ matrix.os == 'windows-2019' && env.SM_API_KEY != '' }} + run: | + smctl windows certsync + shell: cmd + - name: Install libudev if: matrix.os == 'ubuntu-20.04' run: | @@ -88,8 +121,6 @@ jobs: bash ./scripts/release.sh win env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - CSC_LINK: ${{ secrets.WIN_CERTIFICATE_BASE64 }} - CSC_KEY_PASSWORD: ${{ secrets.WIN_CERTIFICATE_PASSWORD }} - name: Package for Linux if: matrix.os == 'ubuntu-20.04' diff --git a/.github/workflows/package_for_test.yml b/.github/workflows/package_for_test.yml index 1a014d36c8..4b446bbf54 100644 
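Review bot: The `Set variables` step appends `SM_API_KEY` and `SM_CLIENT_CERT_PASSWORD` to `$GITHUB_ENV`, which makes them environment variables of every later step in the job rather than only of the steps that sign. The packaging step that follows runs project and dependency build scripts, so those processes would inherit the signing credentials. Passing the secrets through a step-level `env:` on the client-tools, cert-sync and packaging steps, and keeping only a non-secret flag for the `if:` guards, would narrow that. The decoded client certificate at `/d/Certificate_pkcs12.p12` is also never deleted in the visible steps, so a final `if: always()` step that removes it seems worth adding. The same steps are added to `.github/workflows/package_for_test.yml`.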
--- a/.github/workflows/package_for_test.yml +++ b/.github/workflows/package_for_test.yml @@ -62,6 +62,39 @@ jobs: env: ACTIONS_ALLOW_UNSECURE_COMMANDS: "true" + - name: Setup Certificate + if: matrix.os == 'windows-2019' + run: | + echo "${{ secrets.SM_CLIENT_CERT_FILE_BASE64 }}" | base64 --decode > /d/Certificate_pkcs12.p12 + shell: bash + + - name: Set variables + if: matrix.os == 'windows-2019' + run: | + echo "SM_KEYPAIR_NAME=${{ secrets.SM_KEYPAIR_ALIAS }}" >> "$GITHUB_ENV" + echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV" + echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV" + echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV" + echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV" + echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH + echo "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools" >> $GITHUB_PATH + echo "C:\Program Files\DigiCert\DigiCert One Signing Manager Tools" >> $GITHUB_PATH + shell: bash + + - name: Setting up the client tools + if: ${{ matrix.os == 'windows-2019' && env.SM_API_KEY != '' }} + run: | + curl -X GET https://one.digicert.com/signingmanager/api-ui/v1/releases/smtools-windows-x64.msi/download -H "x-api-key:%SM_API_KEY%" -o smtools-windows-x64.msi + msiexec /i smtools-windows-x64.msi /quiet /qn + C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user + shell: cmd + + - name: Certificates Sync + if: ${{ matrix.os == 'windows-2019' && env.SM_API_KEY != '' }} + run: | + smctl windows certsync + shell: cmd + - name: Install libudev if: matrix.os == 'ubuntu-20.04' run: | 
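Review bot: The `Setting up the client tools` step installs `smtools-windows-x64.msi` with `msiexec /quiet` straight after download, without checking what was downloaded. Since this installer ends up handling the release signing key, it would be safer to verify it first, for example by comparing its SHA-256 against a value pinned in the workflow or checking its Authenticode signature, and to fail the job on a mismatch. `curl` is also called without `--fail`, so an HTTP error body would presumably be saved as the `.msi` and handed to `msiexec`. The identical step in `.github/workflows/package.yml` has the same gap.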
@@ -101,19 +134,7 @@ jobs: SKIP_NOTARIZE: true - name: Package for Windows - if: ${{ matrix.os == 'windows-2019' && env.WIN_CERTIFICATE_BASE64 != '' }} - run: | - bash ./scripts/download-ckb.sh win - yarn build - bash ./scripts/copy-ui-files.sh - bash ./scripts/package-for-test.sh win - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - CSC_LINK: ${{ secrets.WIN_CERTIFICATE_BASE64 }} - CSC_KEY_PASSWORD: ${{ secrets.WIN_CERTIFICATE_PASSWORD }} - - - name: Package for Windows for skip code sign - if: ${{ matrix.os == 'windows-2019' && env.WIN_CERTIFICATE_BASE64 == '' }} + if: matrix.os == 'windows-2019' run: | bash ./scripts/download-ckb.sh win yarn build diff --git a/packages/neuron-wallet/electron-builder.yml b/packages/neuron-wallet/electron-builder.yml index 6318166a0c..629d6abcb4 100644 --- a/packages/neuron-wallet/electron-builder.yml +++ b/packages/neuron-wallet/electron-builder.yml @@ -49,6 +49,9 @@ win: - target: nsis arch: - x64 + sign: scripts/customSign.js + signingHashAlgorithms: + - sha256 mac: artifactName: "${productName}-v${version}-${os}-${arch}.${ext}" diff --git a/packages/neuron-wallet/scripts/customSign.js b/packages/neuron-wallet/scripts/customSign.js new file mode 100644 index 0000000000..e2288b578e --- /dev/null +++ b/packages/neuron-wallet/scripts/customSign.js @@ -0,0 +1,16 @@ +const { execSync } = require('node:child_process') + +exports.default = async configuration => { + if (!process.env.SM_API_KEY) { + console.info(`Skip signing because SM_API_KEY and not configured`) + return + } + + if (!configuration.path) { + throw new Error(`Path of application is not found`) + } + + execSync(`smctl sign --keypair-alias="${process.env.SM_KEYPAIR_NAME}" --input "${String(configuration.path)}"`, { + stdio: 'inherit', + }) +} From a89b06f49e0997ffa820e99cc9cbae324d6af76e Mon Sep 17 00:00:00 2001 
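Review bot: `customSign.js` builds the `smctl sign` command as one shell string, so `configuration.path` and `SM_KEYPAIR_NAME` are parsed by the shell; a double quote or other metacharacter in the artifact path or alias would break the command or be interpreted. Passing an argument vector with `execFileSync` avoids the shell altogether. `SM_KEYPAIR_NAME` is also never checked, so an unset alias is sent as the literal string `undefined`. Separately, the early return when `SM_API_KEY` is missing means a release build with an absent secret still succeeds and produces an unsigned installer; failing in the release workflow, rather than logging and returning, may be preferable.

```javascript
const { execFileSync } = require('node:child_process')

exports.default = async configuration => {
  // … unchanged: SM_API_KEY and configuration.path checks …

  const alias = process.env.SM_KEYPAIR_NAME
  if (!alias) {
    throw new Error(`SM_KEYPAIR_NAME is not configured`)
  }

  // Argument vector, no shell: the alias and the path reach smctl verbatim.
  execFileSync('smctl', ['sign', `--keypair-alias=${alias}`, '--input', String(configuration.path)], {
    stdio: 'inherit',
  })
}
```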
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 30 Oct 2023 14:49:34 +0900 Subject: [PATCH 2/3] chore(deps): bump undici from 5.22.1 to 5.26.2 (#2879) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Keith --- packages/neuron-wallet/package.json | 2 +- packages/neuron-wallet/src/utils/ckb-rpc.ts | 4 ++ .../neuron-wallet/src/utils/rpc-request.ts | 12 +++-- yarn.lock | 52 +++++++------------ 4 files changed, 32 insertions(+), 38 deletions(-) diff --git a/packages/neuron-wallet/package.json b/packages/neuron-wallet/package.json index 0038035ff3..d6aa6252de 100644 --- a/packages/neuron-wallet/package.json +++ b/packages/neuron-wallet/package.json @@ -71,7 +71,7 @@ "sqlite3": "5.1.6", "subleveldown": "4.1.4", "typeorm": "0.2.45", - "undici": "5.22.1", + "undici": "5.26.2", "uuid": "8.3.2" }, "devDependencies": { diff --git a/packages/neuron-wallet/src/utils/ckb-rpc.ts b/packages/neuron-wallet/src/utils/ckb-rpc.ts index f23e2bebda..a1abfb8eb8 100644 --- a/packages/neuron-wallet/src/utils/ckb-rpc.ts +++ b/packages/neuron-wallet/src/utils/ckb-rpc.ts @@ -335,6 +335,10 @@ export class LightRPC extends Base { }) const batchRes = await res.body.json() + if (!Array.isArray(batchRes)) { + return [] + } + return batchRes.map((res: any, i: number) => { if (res.id !== payload[i].id) { return new IdNotMatchedInBatchException(i, payload[i].id, res.id) diff --git a/packages/neuron-wallet/src/utils/rpc-request.ts b/packages/neuron-wallet/src/utils/rpc-request.ts index 2ed650a0e5..56bbd7babc 100644 --- a/packages/neuron-wallet/src/utils/rpc-request.ts +++ b/packages/neuron-wallet/src/utils/rpc-request.ts 
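Review bot: Returning `[]` when `batchRes` is not an array makes a malformed or error response indistinguishable from a batch with no results, so callers carry on as if the node had answered. A JSON-RPC error object or any unexpected body from the endpoint is dropped here without a log or exception; throwing, e.g. `throw new Error('batch response is not an array')`, would keep the failure visible. The `map` below also indexes `payload[i]` without checking that the response is no longer than the request, so an over-long array would hit `payload[i].id` on `undefined`. The new fallbacks in `rpcRequest` and `rpcBatchRequest` in `src/utils/rpc-request.ts` swallow bad responses the same way. The enclosing method starts and ends outside this hunk.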
@@ -23,7 +23,10 @@ export const rpcRequest = async ( throw new Error(`indexer request failed with HTTP code ${res.statusCode}`) } const body = await res.body.json() - return body?.result as T + if (body !== null && typeof body === 'object' && 'result' in body) { + return body?.result as T + } + return [] as T } export const rpcBatchRequest = async ( @@ -50,8 +53,11 @@ export const rpcBatchRequest = async ( if (res.statusCode !== 200) { throw new Error(`indexer request failed with HTTP code ${res.statusCode}`) } - const responseBody: { id: number; error?: any; result: any }[] = await res.body.json() - return responseBody.sort((a, b) => a.id - b.id) + const responseBody = await res.body.json() + if (Array.isArray(responseBody) && responseBody.every(i => 'id' in i)) { + return responseBody.sort((a, b) => a.id - b.id) + } + return [] } export default { diff --git a/yarn.lock b/yarn.lock index 97b1acf864..e2a6d28b10 100644 --- a/yarn.lock +++ b/yarn.lock @@ -1373,7 +1373,7 @@ dependencies: regenerator-runtime "^0.13.11" -"@babel/runtime@^7.20.6": +"@babel/runtime@^7.22.5": version "7.23.2" resolved "https://registry.yarnpkg.com/@babel/runtime/-/runtime-7.23.2.tgz#062b0ac103261d68a966c4c7baf2ae3e62ec3885" integrity sha512-mM8eg4yl5D6i3lu2QKPuPH4FArvJ8KhTofbE7jwMUv9KX5mBvwPAqnV3MlyBNqdp9RyRKP6Yck8TrfYrPvX3bg== 
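Review bot: In `rpcBatchRequest`, `responseBody.every(i => 'id' in i)` throws a `TypeError` when any element is `null` or a primitive, because the `in` operator requires an object on its right-hand side. The guard meant to tolerate a malformed response therefore fails on exactly that input; `responseBody.every(i => i !== null && typeof i === 'object' && 'id' in i)` mirrors the check `rpcRequest` uses above. `a.id - b.id` additionally assumes numeric ids, which the runtime check does not establish now that the type annotation is gone. Both functions begin outside their hunks.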
@@ -1875,6 +1875,11 @@ resolved "https://registry.yarnpkg.com/@fal-works/esbuild-plugin-global-externals/-/esbuild-plugin-global-externals-2.1.2.tgz#c05ed35ad82df8e6ac616c68b92c2282bd083ba4" integrity sha512-cEee/Z+I12mZcFJshKcCqC8tuX5hG3s+d+9nZ3LabqKF1vKdF41B92pJVCBggjAGORAeOzyyDDKrZwIkLffeOQ== +"@fastify/busboy@^2.0.0": + version "2.0.0" + resolved "https://registry.yarnpkg.com/@fastify/busboy/-/busboy-2.0.0.tgz#f22824caff3ae506b18207bad4126dbc6ccdb6b8" + integrity sha512-JUFJad5lv7jxj926GPgymrWQxxjPYuJNiNjNMzqT+HiuP6Vl3dk5xzG+8sTX96np0ZAluvaMzPsjhHZ5rNuNQQ== + "@fluentui/date-time-utilities@^7.9.1": version "7.9.1" resolved "https://registry.yarnpkg.com/@fluentui/date-time-utilities/-/date-time-utilities-7.9.1.tgz#bb486dc0a0fff33ef5803adabbf95e2cbf4be7be" @@ -4567,7 +4572,7 @@ "@types/history" "^4.7.11" "@types/react" "*" -"@types/react@*", "@types/react@17.0.62", "@types/react@>=16", "@types/react@^17": +"@types/react@*", "@types/react@17.0.62", "@types/react@>=16", "@types/react@^16", "@types/react@^17": version "17.0.62" resolved "https://registry.yarnpkg.com/@types/react/-/react-17.0.62.tgz#2efe8ddf8533500ec44b1334dd1a97caa2f860e3" integrity sha512-eANCyz9DG8p/Vdhr0ZKST8JV12PhH2ACCDYlFw6DIO+D+ca+uP4jtEDEpVqXZrh/uZdXQGwk7whJa3ah5DtyLw== @@ -4576,15 +4581,6 @@ "@types/scheduler" "*" csstype "^3.0.2" -"@types/react@^16": - version "16.14.49" - resolved "https://registry.yarnpkg.com/@types/react/-/react-16.14.49.tgz#79347898927bf72b758237b2da1c11efce50894d" - integrity sha512-WHKMS4fIlDpeLVKCGDs5k1MTCyqh1tyFhGqouSFgpPsCsWNDTtiMpTYUcJnHg66kp03ubqb4BFjd5+7gS3MyHw== - dependencies: - "@types/prop-types" "*" - "@types/scheduler" "*" - csstype "^3.0.2" - "@types/resolve@1.17.1": version "1.17.1" resolved "https://registry.yarnpkg.com/@types/resolve/-/resolve-1.17.1.tgz#3afd6ad8967c77e4376c598a82ddd58f46ec45d6" 
@@ -6383,13 +6379,6 @@ builtins@^5.0.0: dependencies: semver "^7.0.0" -busboy@^1.6.0: - version "1.6.0" - resolved "https://registry.yarnpkg.com/busboy/-/busboy-1.6.0.tgz#966ea36a9502e43cdb9146962523b92f531f6893" - integrity sha512-8SFQbg/0hQ9xy3UNTB0YEnsNBbWfhf7RtnzpL7TkBiTBRfrQ9Fxcnz7VJsleJpyp6rVLvXiuORqjlHi5q+PYuA== - dependencies: - streamsearch "^1.1.0" - byte-size@8.1.1: version "8.1.1" resolved "https://registry.yarnpkg.com/byte-size/-/byte-size-8.1.1.tgz#3424608c62d59de5bfda05d31e0313c6174842ae" @@ -15275,12 +15264,12 @@ react-error-overlay@^6.0.11: resolved "https://registry.yarnpkg.com/react-error-overlay/-/react-error-overlay-6.0.11.tgz#92835de5841c5cf08ba00ddd2d677b6d17ff9adb" integrity sha512-/6UZ2qgEyH2aqzYZgQPxEnz33NJ2gNsnHA2o5+o4wW9bLM/JYQitNP9xPhsXwC08hMMovfGe/8retsdDsczPRg== -react-i18next@12.1.5: - version "12.1.5" - resolved "https://registry.yarnpkg.com/react-i18next/-/react-i18next-12.1.5.tgz#b65f5733dd2f96188a9359c009b7dbe27443f009" - integrity sha512-7PQAv6DA0TcStG96fle+8RfTwxVbHVlZZJPoEszwUNvDuWpGldJmNWa3ZPesEsZQZGF6GkzwvEh6p57qpFD2gQ== +react-i18next@12.1.5, react-i18next@>=11.16.4: + version "13.3.1" + resolved "https://registry.yarnpkg.com/react-i18next/-/react-i18next-13.3.1.tgz#9b072bf4dd4cafb028e92315a8a1415f8034bdca" + integrity sha512-JAtYREK879JXaN9GdzfBI4yJeo/XyLeXWUsRABvYXiFUakhZJ40l+kaTo+i+A/3cKIED41kS/HAbZ5BzFtq/Og== dependencies: - "@babel/runtime" "^7.20.6" + "@babel/runtime" "^7.22.5" html-parse-stringify "^3.0.1" react-inspector@^6.0.0, react-inspector@^6.0.1: 
@@ -16751,11 +16740,6 @@ stream-shift@^1.0.0: resolved "https://registry.yarnpkg.com/stream-shift/-/stream-shift-1.0.1.tgz#d7088281559ab2778424279b0877da3c392d5a3d" integrity sha512-AiisoFqQ0vbGcZgQPY1cdP2I76glaVA/RauYR4G4thNFgkTqr90yXTo4LYX60Jl+sIlPNHHdGSwo01AvbKUSVQ== -streamsearch@^1.1.0: - version "1.1.0" - resolved "https://registry.yarnpkg.com/streamsearch/-/streamsearch-1.1.0.tgz#404dd1e2247ca94af554e841a8ef0eaa238da764" - integrity sha512-Mcc5wHehp9aXz1ax6bZUyY5afg9u2rv5cqQI3mRrYkGC8rW2hM02jWuwjtL++LS5qinSyhj2QfLyNsuc+VsExg== - string-argv@^0.3.1: version "0.3.2" resolved "https://registry.yarnpkg.com/string-argv/-/string-argv-0.3.2.tgz#2b6d0ef24b656274d957d54e0a4bbf6153dc02b6" @@ -17628,12 +17612,12 @@ unbox-primitive@^1.0.2: has-symbols "^1.0.3" which-boxed-primitive "^1.0.2" -undici@5.22.1: - version "5.22.1" - resolved "https://registry.yarnpkg.com/undici/-/undici-5.22.1.tgz#877d512effef2ac8be65e695f3586922e1a57d7b" - integrity sha512-Ji2IJhFXZY0x/0tVBXeQwgPlLWw13GVzpsWPQ3rV50IFMMof2I55PZZxtm4P6iNq+L5znYN9nSTAq0ZyE6lSJw== +undici@5.26.2: + version "5.26.2" + resolved "https://registry.yarnpkg.com/undici/-/undici-5.26.2.tgz#fa61bfe40f732540d15e58b0c1271872d8e3c995" + integrity sha512-a4PDLQgLTPHVzOK+x3F79/M4GtyYPl+aX9AAK7aQxpwxDwCqkeZCScy7Gk5kWT3JtdFq1uhO3uZJdLtHI4dK9A== dependencies: - busboy "^1.6.0" + "@fastify/busboy" "^2.0.0" unfetch@^4.2.0: version "4.2.0" @@ -17830,7 +17814,7 @@ url-parse@^1.5.3: querystringify "^2.1.1" requires-port "^1.0.0" -usb@^1.7.0: +usb@1.8.8, usb@^1.7.0: version "1.8.8" resolved "https://registry.yarnpkg.com/usb/-/usb-1.8.8.tgz#54de33f9e57dc4efc1b5b5f72b6624a275775e80" integrity sha512-xpRAoek268RE3ATqK8l6LjrF4ADHn/A3V3cXEFbYo3/D83ZCLSO0A5tFKO093F4w5IbDfBVlB9VsYzoGz6EJGw== From f31c4057b053c84168bbf5515fdd7a7dcf954db4 Mon Sep 17 00:00:00 2001 
From: devchenyan Date: Mon, 30 Oct 2023 13:49:51 +0800 Subject: [PATCH 3/3] feat: upgrade "Compare checksums" action (#2917) --- .github/workflows/check_checksums.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/check_checksums.yml b/.github/workflows/check_checksums.yml index 3a8558ffd7..a0ab07480c 100644 --- a/.github/workflows/check_checksums.yml +++ b/.github/workflows/check_checksums.yml @@ -31,7 +31,7 @@ jobs: body="${body//'%'/'%25'}" body="${body//$'\n'/'%0A'}" body="${body//$'\r'/'%0D'}" - echo ::set-output name=body::$body + echo "body=$body" >> $GITHUB_OUTPUT - uses: peter-evans/commit-comment@v2 with:
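Review bot: Writing `body=$body` to `$GITHUB_OUTPUT` keeps the `%25`/`%0A`/`%0D` escaping from the context lines above, but that escaping was for the `::set-output` command; as far as I know the output file is read verbatim, so the comment posted by `peter-evans/commit-comment` would likely show literal `%0A` instead of line breaks. For a multi-line value the file format uses a delimiter block, roughly `{ echo "body<<$delim"; echo "$body"; echo "$delim"; } >> "$GITHUB_OUTPUT"`, with the unescaped text and a delimiter that cannot occur in it (ideally random). `$GITHUB_OUTPUT` should be quoted either way. The step begins outside the hunk, so where `body` comes from is not visible here.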