diff --git a/.github/workflows/development.yml b/.github/workflows/development.yml
index 53c393e..f301121 100644
--- a/.github/workflows/development.yml
+++ b/.github/workflows/development.yml
@@ -5,6 +5,10 @@ on:
 branches: [main]
 pull_request:
+permissions:
+ id-token: write
+ contents: read
+
 env:
 GO_VERSION: '1.23'
@@ -25,10 +29,7 @@ jobs:
 - name: Build
 run: |
- sudo apt-get update -q -y
- sudo apt-get install -q -y osslsigncode
 go install github.com/tc-hib/go-winres@latest
-
 GIT_COMMIT=`git describe --always --dirty`
 LATEST_TAG=$(git describe --tags $(git rev-list --tags --max-count=1))
 NUM_COMMITS_FROM_TAG=$(git rev-list ${LATEST_TAG}.. --count)
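Review bot: `id-token: write` is declared at the workflow level in the first hunk, so every job — including the build job, which also runs on `pull_request` — may request an OIDC token, while only the job that calls azure/login (`sign-windows-binaries`) needs it. Least privilege is to keep the workflow-level block at `permissions:` / `contents: read` and add a job-level `permissions:` / `id-token: write` / `contents: read` to the signing job. The workflow-level `contents: read` still correctly drops the default token scopes for the other jobs.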
@@ -37,23 +38,11 @@ jobs:
 mkdir bin
 go-winres simply --arch amd64 --product-version $VERSION-$GIT_COMMIT --file-version $FILE_VERSION --file-description "SFTPGo plugin KMS" --product-name "SFTPGo plugin KMS" --copyright "AGPL-3.0" --original-filename sftpgo-plugin-kms-windows-x86_64.exe --icon res/icon.ico
- CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -trimpath -ldflags "-s -w -X main.commitHash=`git describe --always --dirty` -X main.date=`date -u +%FT%TZ`" -o sftpgo-plugin-kms-windows-x86_64.exe
+ CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build -trimpath -ldflags "-s -w -X main.commitHash=`git describe --always --dirty` -X main.date=`date -u +%FT%TZ`" -o bin/sftpgo-plugin-kms-windows-x86_64.exe
 go-winres simply --arch arm64 --product-version $VERSION-$GIT_COMMIT --file-version $FILE_VERSION --file-description "SFTPGo plugin KMS" --product-name "SFTPGo plugin KMS" --copyright "AGPL-3.0" --original-filename sftpgo-plugin-kms-windows-arm64.exe --icon res/icon.ico
- CGO_ENABLED=0 GOOS=windows GOARCH=arm64 go build -trimpath -ldflags "-s -w -X main.commitHash=`git describe --always --dirty` -X main.date=`date -u +%FT%TZ`" -o sftpgo-plugin-kms-windows-arm64.exe
+ CGO_ENABLED=0 GOOS=windows GOARCH=arm64 go build -trimpath -ldflags "-s -w -X main.commitHash=`git describe --always --dirty` -X main.date=`date -u +%FT%TZ`" -o bin/sftpgo-plugin-kms-windows-arm64.exe
 go-winres simply --arch 386 --product-version $VERSION-$GIT_COMMIT --file-version $FILE_VERSION --file-description "SFTPGo plugin KMS" --product-name "SFTPGo plugin KMS" --copyright "AGPL-3.0" --original-filename sftpgo-plugin-kms-windows-x86.exe --icon res/icon.ico
 CGO_ENABLED=0 GOOS=windows GOARCH=386 go build -trimpath -ldflags "-s -w -X main.commitHash=`git describe --always --dirty` -X main.date=`date -u +%FT%TZ`" -o sftpgo-plugin-kms-windows-x86.exe
- if [ "${{ github.event_name }}" = "pull_request" ]; then
- mv sftpgo-plugin-kms-windows-x86_64.exe bin/
- mv sftpgo-plugin-kms-windows-arm64.exe bin/
- mv sftpgo-plugin-kms-windows-x86.exe bin/
- else
- echo $CERT_DATA | base64 --decode > cert.pfx
- osslsigncode sign -pkcs12 cert.pfx -pass $CERT_PASS -n "SFTPGo plugin kms" -i "https://github.com/sftpgo/sftpgo-plugin-kms" -ts "http://timestamp.sectigo.com" -h sha2 -in sftpgo-plugin-kms-windows-x86_64.exe -out bin/sftpgo-plugin-kms-windows-x86_64.exe
- osslsigncode sign -pkcs12 cert.pfx -pass $CERT_PASS -n "SFTPGo plugin kms" -i "https://github.com/sftpgo/sftpgo-plugin-kms" -ts "http://timestamp.sectigo.com" -h sha2 -in sftpgo-plugin-kms-windows-arm64.exe -out bin/sftpgo-plugin-kms-windows-arm64.exe
- osslsigncode sign -pkcs12 cert.pfx -pass $CERT_PASS -n "SFTPGo plugin kms" -i "https://github.com/sftpgo/sftpgo-plugin-kms" -ts "http://timestamp.sectigo.com" -h sha2 -in sftpgo-plugin-kms-windows-x86.exe -out bin/sftpgo-plugin-kms-windows-x86.exe
- rm -f cert.pfx
- fi
-
 CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -trimpath -ldflags "-s -w -X main.commitHash=`git describe --always --dirty` -X main.date=`date -u +%FT%TZ`" -o bin/sftpgo-plugin-kms-linux-amd64
 CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build -trimpath -ldflags "-s -w -X main.commitHash=`git describe --always --dirty` -X main.date=`date -u +%FT%TZ`" -o bin/sftpgo-plugin-kms-linux-arm64
 CGO_ENABLED=0 GOOS=linux GOARCH=arm GOARM=7 go build -trimpath -ldflags "-s -w -X main.commitHash=`git describe --always --dirty` -X main.date=`date -u +%FT%TZ`" -o bin/sftpgo-plugin-kms-linux-armv7
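Review bot: The 386 build is left out of the output-path change: the amd64 and arm64 Windows builds now write to `bin/`, but the unchanged context line `CGO_ENABLED=0 GOOS=windows GOARCH=386 go build ... -o sftpgo-plugin-kms-windows-x86.exe` still writes to the workspace root, and the `mv sftpgo-plugin-kms-windows-x86.exe bin/` that used to relocate it is removed in this hunk. The x86 binary is therefore neither included in the `path: bin` artifact upload nor present where the signing job's `files:` list expects it (`\bin\sftpgo-plugin-kms-windows-x86.exe`), so the Sign step will fail on a missing file. Change the output flag to `-o bin/sftpgo-plugin-kms-windows-x86.exe`. The `run: |` block this belongs to starts in the previous hunk and continues past this one.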
@@ -61,9 +50,58 @@ jobs:
 CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build -trimpath -ldflags "-s -w -X main.commitHash=`git describe --always --dirty` -X main.date=`date -u +%FT%TZ`" -o bin/sftpgo-plugin-kms-darwin-amd64
 CGO_ENABLED=0 GOOS=darwin GOARCH=arm64 go build -trimpath -ldflags "-s -w -X main.commitHash=`git describe --always --dirty` -X main.date=`date -u +%FT%TZ`" -o bin/sftpgo-plugin-kms-darwin-arm64
 shell: bash
- env:
- CERT_DATA: ${{ secrets.CERT_DATA }}
- CERT_PASS: ${{ secrets.CERT_PASS }}
+
+ - name: Upload build artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: sftpgo-plugin-kms
+ path: bin
+
+ sign-windows-binaries:
+ name: Sign Windows binaries
+ if: ${{ github.event_name != 'pull_request' }}
+ environment: signing
+ needs: [build]
+ runs-on: windows-latest
+
+ steps:
+ - name: Download artifact
+ uses: actions/download-artifact@v4
+ with:
+ name: sftpgo-plugin-kms
+ path: ${{ github.workspace }}/bin
+
+ - name: Azure login
+ uses: azure/login@v2
+ with:
+ client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+ - name: Sign
+ uses: azure/trusted-signing-action@v0.5.0
+ with:
+ endpoint: https://eus.codesigning.azure.net/
+ trusted-signing-account-name: nicola
+ certificate-profile-name: SFTPGo
+ files: |
+ ${{ github.workspace }}\bin\sftpgo-plugin-kms-windows-x86_64.exe
+ ${{ github.workspace }}\bin\sftpgo-plugin-kms-windows-arm64.exe
+ ${{ github.workspace }}\bin\sftpgo-plugin-kms-windows-x86.exe
+ files-folder-filter: exe,dll
+ file-digest: SHA256
+ timestamp-rfc3161: http://timestamp.acs.microsoft.com
+ timestamp-digest: SHA256
+ exclude-environment-credential: true
+ exclude-workload-identity-credential: true
+ exclude-managed-identity-credential: true
+ exclude-shared-token-cache-credential: true
+ exclude-visual-studio-credential: true
+ exclude-visual-studio-code-credential: true
+ exclude-azure-cli-credential: false
+ exclude-azure-powershell-credential: true
+ exclude-azure-developer-cli-credential: true
+ exclude-interactive-browser-credential: true
 - name: Upload build artifact
 uses: actions/upload-artifact@v4
diff --git a/README.md b/README.md
index 3ace2e7..63a4a4a 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 # SFTPGo KMS plugin
-![Build](https://github.com/sftpgo/sftpgo-plugin-kms/workflows/Build/badge.svg?branch=main&event=push)
+![Build](https://github.com/sftpgo/sftpgo-plugin-kms/workflows/Build/badge.svg)
 [![License: AGPL v3](https://img.shields.io/badge/License-AGPLv3-blue.svg)](https://www.gnu.org/licenses/agpl-3.0)
 This plugin adds support for additional KMS secret providers to [SFTPGo](https://github.com/drakkan/sftpgo/).
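Review bot: The new `sign-windows-binaries` job pins its third-party actions by mutable tag (`actions/download-artifact@v4`, `azure/login@v2`, `azure/trusted-signing-action@v0.5.0`), yet this is the job that holds the OIDC token for the Trusted Signing account and produces the binaries users install; a tag can be re-pointed to different code without any change in this repository. Pin each to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: azure/trusted-signing-action@<commit-sha> # v0.5.0`. The `if: ${{ github.event_name != 'pull_request' }}` and `environment: signing` gating, and the explicit `exclude-*-credential` list leaving only the CLI credential from azure/login enabled, are the right shape. Separately, the pre-existing `Upload build artifact` step that now closes this job (its `with:` block is past the end of the hunk) runs after the build job has already uploaded an artifact named `sftpgo-plugin-kms`; if it reuses that name, upload-artifact@v4 rejects the duplicate unless `overwrite: true` is set, so that is worth confirming.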