From 8d7e679c2c6a3b815f96285439ffad67b9ab240c Mon Sep 17 00:00:00 2001 From: Kamil Chudy Date: Tue, 10 Jun 2025 10:28:27 +0200 Subject: [PATCH 01/12] Refactor GitHub Actions workflow: remove Linux build job and streamline macOS build steps --- .github/workflows/release.yaml | 320 ++------------------------------- 1 file changed, 13 insertions(+), 307 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 6c7cb7cd..bed4b10a 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -3,6 +3,8 @@ on: push: tags: - v*.*.* + branches: + - '*' jobs: build-wireguard-go: 
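Review bot: The added `branches: - '*'` entry under `on.push` makes the whole release pipeline run on any branch push, not only on `v*.*.*` tags, and PATCH 02/12 widens it to `'**'` and drops the tag filter. The macOS job in this series runs on a self-hosted runner, unlocks the login keychain and reads the signing and notarization secrets, so a workflow edit pushed to any branch would execute with that access. The `create-release` job (only its `draft: true` tail is visible here) would presumably also open a draft release for every push. To test the signing path, a manual `workflow_dispatch:` trigger alongside the existing tag filter is narrower. PATCH 12/12 restores the tag filter, so the intermediate commits should not land on a shared branch on their own.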
@@ -52,167 +54,6 @@ jobs: draft: true generate_release_notes: true - build-linux: - needs: - - create-release - runs-on: - - self-hosted - - Linux - - ${{ matrix.architecture }} - strategy: - fail-fast: false - matrix: - architecture: [ARM64, X64] - include: - - architecture: ARM64 - deb_arch: arm64 - binary_arch: aarch64 - - architecture: X64 - deb_arch: amd64 - binary_arch: x86_64 - steps: - - uses: actions/checkout@v4 - with: - submodules: 'recursive' - - name: Write release version - run: | - VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1) - echo Version: $VERSION - echo "VERSION=$VERSION" >> $GITHUB_ENV - - uses: actions/setup-node@v3 - with: - node-version: '20' - - uses: pnpm/action-setup@v2 - with: - version: 9 - run_install: false - - name: Get pnpm store directory - shell: bash - run: | - echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV - - uses: actions/cache@v3 - name: Setup pnpm cache - with: - path: ${{ env.STORE_PATH }} - key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }} - restore-keys: | - ${{ runner.os }}-pnpm-build-store- - - name: Install Node dependencies - run: pnpm install --frozen-lockfile - - uses: dtolnay/rust-toolchain@stable - - name: Install Linux dependencies - run: | - sudo apt-get update - sudo apt-get install -y libgtk-3-dev libwebkit2gtk-4.0-dev libappindicator3-dev librsvg2-dev patchelf libssl-dev unzip protobuf-compiler libprotobuf-dev rpm - - name: Build packages - uses: tauri-apps/tauri-action@v0 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Create RPM - run: | - rpmbuild --build-in-place --define "_topdir $(pwd)" --define "version ${{ env.VERSION }}" -bb resources-linux/defguard-client.spec - - name: Upload RPM - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: RPMS/${{ matrix.binary_arch }}/defguard-client-${{ env.VERSION }}-1.${{ 
matrix.binary_arch }}.rpm - asset_name: defguard-client-${{ env.VERSION }}-1.${{ matrix.binary_arch }}.rpm - asset_content_type: application/octet-stream - - name: Upload DEB - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb - asset_name: defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb - asset_content_type: application/octet-stream - - name: Rename client binary - run: mv src-tauri/target/release/defguard-client defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} - - name: Tar client binary - uses: a7ul/tar-action@v1.2.0 - with: - command: c - files: | - defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} - outPath: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz - - name: Upload client archive - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz - asset_name: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz - asset_content_type: application/octet-stream - - name: Rename daemon binary - run: mv src-tauri/target/release/defguard-service defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} - - name: Tar daemon binary - uses: a7ul/tar-action@v1.2.0 - with: - command: c - files: | - defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} - outPath: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz - - name: Upload daemon archive - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ needs.create-release.outputs.upload_url 
}} - asset_path: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz - asset_name: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz - asset_content_type: application/octet-stream - - - name: Rename dg binary - run: mv src-tauri/target/release/dg dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} - - name: Tar dg binary - uses: a7ul/tar-action@v1.2.0 - with: - command: c - files: | - dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} - outPath: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz - - name: Upload dg archive - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz - asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz - asset_content_type: application/octet-stream - - name: Build dg deb - uses: defGuard/fpm-action@main - with: - fpm_args: 'dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}=/usr/sbin/dg dg.service=/usr/lib/systemd/system/dg.service src-tauri/cli/.env=/etc/defguard/dg.conf' - fpm_opts: '--architecture ${{ matrix.binary_arch }} --debug --output-type deb --version ${{ env.VERSION }} --package dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb' - - name: Upload DEB - uses: actions/upload-release-asset@v1.0.2 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb - asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb - asset_content_type: application/octet-stream - - name: Build dg rpm - uses: defGuard/fpm-action@main - with: - fpm_args: 'dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}=/usr/sbin/dg dg.service=/usr/lib/systemd/system/dg.service 
src-tauri/cli/.env=/etc/defguard/dg.conf' - fpm_opts: '--architecture ${{ matrix.binary_arch }} --debug --output-type rpm --version ${{ env.VERSION }} --package dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm' - - name: Upload RPM - uses: actions/upload-release-asset@v1.0.2 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm - asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm - asset_content_type: application/octet-stream - build-macos: needs: - create-release @@ -224,6 +65,10 @@ jobs: runs-on: - self-hosted - macOS + env: + APPLE_SIGNING_IDENTITY: 'Developer ID Application: defguard sp. z o.o. (82GZ7KN29J)' + APPLE_ID: 'kamil@defguard.net' + APPLE_TEAM_ID: '82GZ7KN29J' steps: - uses: actions/checkout@v4 with: 
@@ -262,24 +107,24 @@ jobs: with: name: wireguard-go-${{ matrix.target }} path: src-tauri/resources-macos/binaries/wireguard-go-${{ matrix.target }} - - name: Unlock keychain - run: security -v unlock-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" /Users/admin/Library/Keychains/login.keychain + # - name: Unlock keychain + # run: security -v unlock-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" /Users/admin/Library/Keychains/login.keychain - name: Build app uses: tauri-apps/tauri-action@v0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - APPLE_SIGNING_IDENTITY: 'Developer ID Application: defguard sp. z o.o. (82GZ7KN29J)' + APPLE_SIGNING_IDENTITY: ${{ env.APPLE_SIGNING_IDENTITY }} APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }} APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} - APPLE_ID: 'kamil@defguard.net' + APPLE_ID: ${{ env.APPLE_ID }} APPLE_PASSWORD: ${{ secrets.NOTARYTOOL_APP_SPECIFIC_PASSWORD }} - APPLE_TEAM_ID: '82GZ7KN29J' + APPLE_TEAM_ID: ${{ env.APPLE_TEAM_ID }} with: args: --target ${{ matrix.target }} -v - name: Build installation package run: | - bash build-macos-package.sh src-tauri/target/${{ matrix.target }} src-tauri/resources-macos/scripts "Developer ID Installer: TEONITE (6WD6W6WQNV)" /Users/admin/Library/Keychains/login.keychain - xcrun notarytool submit --wait --apple-id admin@teonite.com --password ${{ secrets.NOTARYTOOL_APP_SPECIFIC_PASSWORD }} --team-id 6WD6W6WQNV src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg + bash build-macos-package.sh src-tauri/target/${{ matrix.target }} src-tauri/resources-macos/scripts ${{ env.APPLE_SIGNING_IDENTITY }} /Users/admin/Library/Keychains/login.keychain + xcrun notarytool submit --wait --apple-id ${{ env.APPLE_ID }} --password ${{ secrets.NOTARYTOOL_APP_SPECIFIC_PASSWORD }} --team-id ${{ env.APPLE_TEAM_ID }} src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg xcrun stapler staple src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg - 
name: Upload installation package uses: actions/upload-release-asset@v1 
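Review bot: In the `Build installation package` step, `${{ env.APPLE_SIGNING_IDENTITY }}` is pasted into the bash line unquoted, and the value set in the job `env:` contains spaces and parentheses, so bash rejects the line with a syntax error. It is also a `Developer ID Application` identity where the replaced argument was a `Developer ID Installer` one; PATCH 10/12 and 11/12 later address both points. What the series never changes is that `${{ secrets.NOTARYTOOL_APP_SPECIFIC_PASSWORD }}` is substituted into the script text before the shell runs, so shell metacharacters in the value get re-interpreted and the secret lands in the generated script on the self-hosted runner. The same applies to `-p "${{ secrets.KEYCHAIN_PASSWORD }}"` in the `Unlock keychain` step restored by PATCH 04/12. Passing these values through `env:` and expanding them as quoted shell variables avoids both problems, and the commented-out `Unlock keychain` step should be deleted or restored rather than left as a comment.

```yaml
- name: Build installation package
  env:
    NOTARY_PASSWORD: ${{ secrets.NOTARYTOOL_APP_SPECIFIC_PASSWORD }}
  run: |
    bash build-macos-package.sh "src-tauri/target/${{ matrix.target }}" src-tauri/resources-macos/scripts "$APPLE_SIGNING_IDENTITY" /Users/admin/Library/Keychains/login.keychain
    xcrun notarytool submit --wait --apple-id "$APPLE_ID" --password "$NOTARY_PASSWORD" --team-id "$APPLE_TEAM_ID" "src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg"
    # … unchanged: xcrun stapler staple …
```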
@@ -290,142 +135,3 @@ jobs: asset_path: src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg asset_name: defguard-${{ matrix.target }}-${{ env.VERSION }}.pkg asset_content_type: application/octet-stream - - # Building signed Windows bundle involves a few steps as described here: - # https://wixtoolset.org/docs/tools/signing/#signing-bundles-at-the-command-line - # 1. Build Defguard and bundle the binaries (Defguard and WireGuard) using Wix (Windows) - # 2. Detach the burn engine from the bundle so that it can be signed (also Windows) - # 3. Sign the burn engine (Linux) - # 4. Reattach the burn engine back to the bundle (Windows again) - # 5. Sign the whole bundle (Linux) - build-windows: - needs: - - create-release - runs-on: windows-latest - steps: - - uses: actions/checkout@v4 - with: - submodules: 'recursive' - - name: Write release version - run: | - $env:VERSION=echo ($env:GITHUB_REF_NAME.Substring(1) -Split "-")[0] - echo Version: $env:VERSION - echo "VERSION=$env:VERSION" >> $env:GITHUB_ENV - - uses: actions/setup-node@v3 - with: - node-version: '20' - - uses: pnpm/action-setup@v2 - with: - version: 9 - run_install: false - - name: Get pnpm store directory - shell: bash - run: echo "STORE_PATH=$(pnpm store path --silent)" >> $env:GITHUB_ENV - - uses: actions/cache@v3 - name: Setup pnpm cache - with: - path: ${{ env.STORE_PATH }} - key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }} - restore-keys: | - ${{ runner.os }}-pnpm-build-store- - - name: Install deps - run: pnpm install --frozen-lockfile - - uses: dtolnay/rust-toolchain@stable - - name: Install Protoc - uses: arduino/setup-protoc@v2 - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - - name: Remove "default-run" line from Cargo.toml - run: | - Set-Content -Path ".\src-tauri\Cargo.toml" -Value (get-content -Path ".\src-tauri\Cargo.toml" | Select-String -Pattern 'default-run =' -NotMatch) - - name: Build packages - uses: tauri-apps/tauri-action@v0 - env: - 
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - name: Bundle application - run: | - dotnet tool install --global wix --version 4.0.5 - wix extension add WixToolset.Bal.wixext/4 - wix build .\src-tauri\resources-windows\defguard-client.wxs -ext .\.wix\extensions\WixToolset.Bal.wixext\4\wixext4\WixToolset.Bal.wixext.dll - wix burn detach .\src-tauri\resources-windows\defguard-client.exe -engine .\src-tauri\resources-windows\burnengine.exe - - name: Upload unsigned bundle and burn-engine - uses: actions/upload-artifact@v4 - with: - name: unsigned-bundle-and-burnengine - path: | - src-tauri/resources-windows/defguard-client.exe - src-tauri/resources-windows/burnengine.exe - sign-burn-engine: - needs: - - build-windows - runs-on: - - self-hosted - - Linux - - X64 - steps: - - name: Write release version - run: | - VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1) - echo Version: $VERSION - echo "VERSION=$VERSION" >> $GITHUB_ENV - - name: Download unsigned bundle & burn-engine - uses: actions/download-artifact@v4 - with: - name: unsigned-bundle-and-burnengine - - name: Sign burn-engine - run: osslsigncode sign -pkcs11module /srv/codesign/certum/sc30pkcs11-3.0.6.68-MS.so -certs /srv/codesign/29ee7778ca5217107841bbbf6b3062e1.pem -key ${{ secrets.CODESIGN_KEYID }} -pass ${{ secrets.CODESIGN_PIN }} -h sha256 -t http://time.certum.pl/ -in burnengine.exe -out burnengine-signed.exe - - name: Upload bundle and burn-engine artifact - uses: actions/upload-artifact@v4 - with: - name: unsigned-bundle-and-signed-burnengine - path: | - defguard-client.exe - burnengine-signed.exe - reattach-burn-engine: - needs: - - sign-burn-engine - runs-on: windows-latest - steps: - - name: Download unsigned bundle and signed burn-engine - uses: actions/download-artifact@v4 - with: - name: unsigned-bundle-and-signed-burnengine - - name: Reattach burn-engine - run: | - dotnet tool install --global wix --version 4.0.5 - wix extension add WixToolset.Bal.wixext/4 - wix burn reattach 
defguard-client.exe -engine burnengine-signed.exe -o defguard-client-reattached.exe - - name: Upload bundle with reattached burn-engine - uses: actions/upload-artifact@v4 - with: - name: unsigned-bundle-with-reattached-signed-burn-engine - path: defguard-client-reattached.exe - sign-bundle: - needs: - - create-release - - reattach-burn-engine - runs-on: - - self-hosted - - Linux - - X64 - steps: - - name: Write release version - run: | - VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1) - echo Version: $VERSION - echo "VERSION=$VERSION" >> $GITHUB_ENV - - name: Download unsigned bundle & signed burn-engine - uses: actions/download-artifact@v4 - with: - name: unsigned-bundle-with-reattached-signed-burn-engine - - name: Sign bundle - run: osslsigncode sign -pkcs11module /srv/codesign/certum/sc30pkcs11-3.0.6.68-MS.so -certs /srv/codesign/29ee7778ca5217107841bbbf6b3062e1.pem -key ${{ secrets.CODESIGN_KEYID }} -pass ${{ secrets.CODESIGN_PIN }} -h sha256 -t http://time.certum.pl/ -in defguard-client-reattached.exe -out defguard-client-signed.exe - - name: Upload installer asset - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ needs.create-release.outputs.upload_url }} - asset_path: defguard-client-signed.exe - asset_name: defguard-client_${{ env.VERSION }}_x64_en-US.exe - asset_content_type: application/octet-stream From e0a815c28e2b3ee993c3b351be997361eafb6f84 Mon Sep 17 00:00:00 2001 From: Kamil Chudy Date: Tue, 10 Jun 2025 10:30:39 +0200 Subject: [PATCH 02/12] Update release workflow: allow all branches and remove tag trigger --- .github/workflows/release.yaml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index bed4b10a..d2c1b9d2 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
@@ -1,10 +1,8 @@ name: 'Build app and create release' on: push: - tags: - - v*.*.* branches: - - '*' + - '**' jobs: build-wireguard-go: From b75803b98dee112d347e03b141cc8dc56e953ac5 Mon Sep 17 00:00:00 2001 From: Kamil Chudy Date: Tue, 10 Jun 2025 11:12:57 +0200 Subject: [PATCH 03/12] Add keychain unlock step and use environment variable for password in release workflow --- .github/workflows/release.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index d2c1b9d2..8d1ac7e8 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -67,6 +67,7 @@ jobs: APPLE_SIGNING_IDENTITY: 'Developer ID Application: defguard sp. z o.o. (82GZ7KN29J)' APPLE_ID: 'kamil@defguard.net' APPLE_TEAM_ID: '82GZ7KN29J' + TAURI_BUILD_KEYCHAIN_PASSWORD: 'tauri-build' steps: - uses: actions/checkout@v4 with: @@ -105,8 +106,8 @@ jobs: with: name: wireguard-go-${{ matrix.target }} path: src-tauri/resources-macos/binaries/wireguard-go-${{ matrix.target }} - # - name: Unlock keychain - # run: security -v unlock-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" /Users/admin/Library/Keychains/login.keychain + - name: Unlock keychain + run: security -v unlock-keychain -p "${{ env.TAURI_BUILD_KEYCHAIN_PASSWORD }}" /Users/admin/Library/Keychains/tauri-build.keychain - name: Build app uses: tauri-apps/tauri-action@v0 env: From f8e12ec15053f7dab8e45d2d905961fc835e0e88 Mon Sep 17 00:00:00 2001 From: Kamil Chudy Date: Tue, 10 Jun 2025 11:28:43 +0200 Subject: [PATCH 04/12] Update keychain unlock step to use secret for password and correct keychain path --- .github/workflows/release.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 8d1ac7e8..3c72ca85 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
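Review bot: `TAURI_BUILD_KEYCHAIN_PASSWORD: 'tauri-build'` in the job-level `env:` of PATCH 03/12 commits a keychain password in plaintext, and the `Unlock keychain` step in the following hunk passes it with `-p` to `security -v unlock-keychain`. Values defined under `env:` are not masked in logs the way `secrets.*` values are, and the string stays in the repository history even though PATCH 04/12 removes the line. If `tauri-build.keychain` exists on the runner with this password, the password should be changed and supplied from a repository secret, for example a step-level `env:` entry `KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}` with `-p "$KEYCHAIN_PASSWORD"` in the command.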
@@ -67,7 +67,6 @@ jobs: APPLE_SIGNING_IDENTITY: 'Developer ID Application: defguard sp. z o.o. (82GZ7KN29J)' APPLE_ID: 'kamil@defguard.net' APPLE_TEAM_ID: '82GZ7KN29J' - TAURI_BUILD_KEYCHAIN_PASSWORD: 'tauri-build' steps: - uses: actions/checkout@v4 with: @@ -107,7 +106,7 @@ jobs: name: wireguard-go-${{ matrix.target }} path: src-tauri/resources-macos/binaries/wireguard-go-${{ matrix.target }} - name: Unlock keychain - run: security -v unlock-keychain -p "${{ env.TAURI_BUILD_KEYCHAIN_PASSWORD }}" /Users/admin/Library/Keychains/tauri-build.keychain + run: security -v unlock-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" /Users/admin/Library/Keychains/login.keychain - name: Build app uses: tauri-apps/tauri-action@v0 env: From 5c8e57b54ee71d4692cca146d5cec31b755c32bb Mon Sep 17 00:00:00 2001 From: Kamil Chudy Date: Tue, 10 Jun 2025 11:35:31 +0200 Subject: [PATCH 05/12] Add certificate import step to keychain unlock process in release workflow --- .github/workflows/release.yaml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 3c72ca85..046031e3 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
@@ -107,13 +107,20 @@ jobs: path: src-tauri/resources-macos/binaries/wireguard-go-${{ matrix.target }} - name: Unlock keychain run: security -v unlock-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" /Users/admin/Library/Keychains/login.keychain + - name: Import certificate to login keychain + run: | + echo "${{ secrets.APPLE_CERTIFICATE }}" | base64 --decode > certificate.p12 + security import certificate.p12 -k /Users/admin/Library/Keychains/login.keychain -P "${{ secrets.APPLE_CERTIFICATE_PASSWORD }}" -T /usr/bin/codesign -T /usr/bin/pkgbuild -T /usr/bin/productbuild + security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${{ secrets.KEYCHAIN_PASSWORD }}" /Users/admin/Library/Keychains/login.keychain + rm certificate.p12 - name: Build app uses: tauri-apps/tauri-action@v0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} APPLE_SIGNING_IDENTITY: ${{ env.APPLE_SIGNING_IDENTITY }} - APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }} - APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} + # Remove these certificate environment variables to prevent Tauri from creating its own keychain + # APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }} + # APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} APPLE_ID: ${{ env.APPLE_ID }} APPLE_PASSWORD: ${{ secrets.NOTARYTOOL_APP_SPECIFIC_PASSWORD }} APPLE_TEAM_ID: ${{ env.APPLE_TEAM_ID }} From 017ab22039a7b29f7e54f6f7f860b5c90eca4972 Mon Sep 17 00:00:00 2001 From: Kamil Chudy Date: Tue, 10 Jun 2025 11:59:01 +0200 Subject: [PATCH 06/12] Revert "Add certificate import step to keychain unlock process in release workflow" This reverts commit 5c8e57b54ee71d4692cca146d5cec31b755c32bb. --- .github/workflows/release.yaml | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 046031e3..3c72ca85 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
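Review bot: The `Import certificate to login keychain` step decodes the signing certificate to `certificate.p12` in the checkout directory and removes it only as the last command. If `security import` or `security set-key-partition-list` fails, the script stops first (assuming the default `bash -e` shell) and the private key stays on the self-hosted runner's disk. The three secrets are also expanded into the script text through `${{ secrets.* }}` instead of being passed as environment variables, and the identity is imported into the persistent login keychain, so it remains installed on the runner after the job ends. Writing the file under `$RUNNER_TEMP`, removing it from a `trap … EXIT`, and reading the secrets from `env:` closes the first two gaps. The commented-out `APPLE_CERTIFICATE` lines in the `Build app` step should be deleted rather than kept as comments; PATCH 06/12 reverts this hunk, so the note applies only if the step is reintroduced.

```yaml
- name: Import certificate to login keychain
  env:
    APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
    APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
    KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
  run: |
    CERT_PATH="$RUNNER_TEMP/certificate.p12"
    trap 'rm -f "$CERT_PATH"' EXIT
    printf '%s' "$APPLE_CERTIFICATE" | base64 --decode > "$CERT_PATH"
    security import "$CERT_PATH" -k /Users/admin/Library/Keychains/login.keychain -P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign -T /usr/bin/pkgbuild -T /usr/bin/productbuild
    security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" /Users/admin/Library/Keychains/login.keychain
```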
@@ -107,20 +107,13 @@ jobs: path: src-tauri/resources-macos/binaries/wireguard-go-${{ matrix.target }} - name: Unlock keychain run: security -v unlock-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" /Users/admin/Library/Keychains/login.keychain - - name: Import certificate to login keychain - run: | - echo "${{ secrets.APPLE_CERTIFICATE }}" | base64 --decode > certificate.p12 - security import certificate.p12 -k /Users/admin/Library/Keychains/login.keychain -P "${{ secrets.APPLE_CERTIFICATE_PASSWORD }}" -T /usr/bin/codesign -T /usr/bin/pkgbuild -T /usr/bin/productbuild - security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "${{ secrets.KEYCHAIN_PASSWORD }}" /Users/admin/Library/Keychains/login.keychain - rm certificate.p12 - name: Build app uses: tauri-apps/tauri-action@v0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} APPLE_SIGNING_IDENTITY: ${{ env.APPLE_SIGNING_IDENTITY }} - # Remove these certificate environment variables to prevent Tauri from creating its own keychain - # APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }} - # APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} + APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }} + APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} APPLE_ID: ${{ env.APPLE_ID }} APPLE_PASSWORD: ${{ secrets.NOTARYTOOL_APP_SPECIFIC_PASSWORD }} APPLE_TEAM_ID: ${{ env.APPLE_TEAM_ID }} From ae6027a786dd5e401e6de3e0413505ce2284fb4f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adam=20Ciarcin=CC=81ski?= Date: Tue, 10 Jun 2025 12:36:51 +0200 Subject: [PATCH 07/12] Update go version --- .github/workflows/release.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 3c72ca85..b09ef4ce 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
@@ -8,8 +8,8 @@ jobs: build-wireguard-go: strategy: fail-fast: false - matrix: - architecture: [arm64, amd64] + matrix: + architecture: [arm64, amd64] runs-on: [self-hosted, macOS] steps: - uses: actions/checkout@v4 @@ -20,7 +20,7 @@ jobs: - name: Set up Go uses: actions/setup-go@v5 with: - go-version: '1.22' + go-version: '1.24' - name: Build wireguard-go binary run: make env: From 4098a738535d88c8505c554852b7bd104fa6f21a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adam=20Ciarcin=CC=81ski?= Date: Tue, 10 Jun 2025 12:37:22 +0200 Subject: [PATCH 08/12] Update go version --- .github/workflows/release.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index b09ef4ce..3687a44a 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -8,8 +8,8 @@ jobs: build-wireguard-go: strategy: fail-fast: false - matrix: - architecture: [arm64, amd64] + matrix: + architecture: [arm64, amd64] runs-on: [self-hosted, macOS] steps: - uses: actions/checkout@v4 From ac35c5a3e2fb4bc2e7b1e2ab1afe0c6cc6d31b5f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Adam=20Ciarcin=CC=81ski?= Date: Tue, 10 Jun 2025 13:01:37 +0200 Subject: [PATCH 09/12] Try to fix binary name --- .github/workflows/release.yaml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 3687a44a..d18f64b0 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
@@ -104,7 +104,11 @@ jobs: uses: actions/download-artifact@v4 with: name: wireguard-go-${{ matrix.target }} - path: src-tauri/resources-macos/binaries/wireguard-go-${{ matrix.target }} + path: src-tauri/resources-macos/binaries + - name: Rename wireguard-go binary + run: | + ls -l src-tauri/resources-macos/binaries + mv src-tauri/resources-macos/binaries/wireguard-go src-tauri/resources-macos/binaries/wireguard-go-${{ matrix.target }} - name: Unlock keychain run: security -v unlock-keychain -p "${{ secrets.KEYCHAIN_PASSWORD }}" /Users/admin/Library/Keychains/login.keychain - name: Build app From 7aba4bd53f652fbc79fda8d2565b40ec09a0d0f1 Mon Sep 17 00:00:00 2001 From: Kamil Chudy Date: Wed, 11 Jun 2025 08:49:42 +0200 Subject: [PATCH 10/12] Fix quoting for APPLE_SIGNING_IDENTITY in build-macos-package script --- .github/workflows/release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index d18f64b0..9f40efdf 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -125,7 +125,7 @@ jobs: args: --target ${{ matrix.target }} -v - name: Build installation package run: | - bash build-macos-package.sh src-tauri/target/${{ matrix.target }} src-tauri/resources-macos/scripts ${{ env.APPLE_SIGNING_IDENTITY }} /Users/admin/Library/Keychains/login.keychain + bash build-macos-package.sh src-tauri/target/${{ matrix.target }} src-tauri/resources-macos/scripts '${{ env.APPLE_SIGNING_IDENTITY }}' /Users/admin/Library/Keychains/login.keychain xcrun notarytool submit --wait --apple-id ${{ env.APPLE_ID }} --password ${{ secrets.NOTARYTOOL_APP_SPECIFIC_PASSWORD }} --team-id ${{ env.APPLE_TEAM_ID }} src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg xcrun stapler staple src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg - name: Upload installation package From 0ead0a67c473364bbc2e7b03c037180a7b6110b6 Mon Sep 17 00:00:00 2001 
From: Kamil Chudy Date: Wed, 11 Jun 2025 10:19:25 +0200 Subject: [PATCH 11/12] Refactor signing identity variables in release workflow --- .github/workflows/release.yaml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 9f40efdf..7cc1b42f 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -64,7 +64,8 @@ jobs: - self-hosted - macOS env: - APPLE_SIGNING_IDENTITY: 'Developer ID Application: defguard sp. z o.o. (82GZ7KN29J)' + APPLE_SIGNING_IDENTITY_APPLICATION: 'Developer ID Application: defguard sp. z o.o. (82GZ7KN29J)' + APPLE_SIGNING_IDENTITY_INSTALLER: 'Developer ID Installer: defguard sp. z o.o. (82GZ7KN29J)' APPLE_ID: 'kamil@defguard.net' APPLE_TEAM_ID: '82GZ7KN29J' steps: @@ -115,7 +116,7 @@ jobs: uses: tauri-apps/tauri-action@v0 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - APPLE_SIGNING_IDENTITY: ${{ env.APPLE_SIGNING_IDENTITY }} + APPLE_SIGNING_IDENTITY: ${{ env.APPLE_SIGNING_IDENTITY_APPLICATION }} APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }} APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }} APPLE_ID: ${{ env.APPLE_ID }} 
@@ -125,7 +126,7 @@ jobs: args: --target ${{ matrix.target }} -v - name: Build installation package run: | - bash build-macos-package.sh src-tauri/target/${{ matrix.target }} src-tauri/resources-macos/scripts '${{ env.APPLE_SIGNING_IDENTITY }}' /Users/admin/Library/Keychains/login.keychain + bash build-macos-package.sh src-tauri/target/${{ matrix.target }} src-tauri/resources-macos/scripts '${{ env.APPLE_SIGNING_IDENTITY_INSTALLER }}' /Users/admin/Library/Keychains/login.keychain xcrun notarytool submit --wait --apple-id ${{ env.APPLE_ID }} --password ${{ secrets.NOTARYTOOL_APP_SPECIFIC_PASSWORD }} --team-id ${{ env.APPLE_TEAM_ID }} src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg xcrun stapler staple src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg - name: Upload installation package From 25d75336c8d3be69e8d471d4fa3085a6512bf805 Mon Sep 17 00:00:00 2001 From: Kamil Chudy Date: Wed, 11 Jun 2025 11:29:58 +0200 Subject: [PATCH 12/12] Enabled Linux and Windows builds --- .github/workflows/release.yaml | 304 ++++++++++++++++++++++++++++++++- 1 file changed, 302 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 7cc1b42f..53d62a5c 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -1,8 +1,8 @@ name: 'Build app and create release' on: push: - branches: - - '**' + tags: + - v*.*.* jobs: build-wireguard-go: 
@@ -52,6 +52,167 @@ jobs: draft: true generate_release_notes: true + build-linux: + needs: + - create-release + runs-on: + - self-hosted + - Linux + - ${{ matrix.architecture }} + strategy: + fail-fast: false + matrix: + architecture: [ARM64, X64] + include: + - architecture: ARM64 + deb_arch: arm64 + binary_arch: aarch64 + - architecture: X64 + deb_arch: amd64 + binary_arch: x86_64 + steps: + - uses: actions/checkout@v4 + with: + submodules: 'recursive' + - name: Write release version + run: | + VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1) + echo Version: $VERSION + echo "VERSION=$VERSION" >> $GITHUB_ENV + - uses: actions/setup-node@v3 + with: + node-version: '20' + - uses: pnpm/action-setup@v2 + with: + version: 9 + run_install: false + - name: Get pnpm store directory + shell: bash + run: | + echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV + - uses: actions/cache@v3 + name: Setup pnpm cache + with: + path: ${{ env.STORE_PATH }} + key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }} + restore-keys: | + ${{ runner.os }}-pnpm-build-store- + - name: Install Node dependencies + run: pnpm install --frozen-lockfile + - uses: dtolnay/rust-toolchain@stable + - name: Install Linux dependencies + run: | + sudo apt-get update + sudo apt-get install -y libgtk-3-dev libwebkit2gtk-4.0-dev libappindicator3-dev librsvg2-dev patchelf libssl-dev unzip protobuf-compiler libprotobuf-dev rpm + - name: Build packages + uses: tauri-apps/tauri-action@v0 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Create RPM + run: | + rpmbuild --build-in-place --define "_topdir $(pwd)" --define "version ${{ env.VERSION }}" -bb resources-linux/defguard-client.spec + - name: Upload RPM + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ needs.create-release.outputs.upload_url }} + asset_path: RPMS/${{ matrix.binary_arch }}/defguard-client-${{ env.VERSION }}-1.${{ 
matrix.binary_arch }}.rpm + asset_name: defguard-client-${{ env.VERSION }}-1.${{ matrix.binary_arch }}.rpm + asset_content_type: application/octet-stream + - name: Upload DEB + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ needs.create-release.outputs.upload_url }} + asset_path: src-tauri/target/release/bundle/deb/defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb + asset_name: defguard-client_${{ env.VERSION }}_${{ matrix.deb_arch }}.deb + asset_content_type: application/octet-stream + - name: Rename client binary + run: mv src-tauri/target/release/defguard-client defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} + - name: Tar client binary + uses: a7ul/tar-action@v1.2.0 + with: + command: c + files: | + defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} + outPath: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz + - name: Upload client archive + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ needs.create-release.outputs.upload_url }} + asset_path: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz + asset_name: defguard-client-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz + asset_content_type: application/octet-stream + - name: Rename daemon binary + run: mv src-tauri/target/release/defguard-service defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} + - name: Tar daemon binary + uses: a7ul/tar-action@v1.2.0 + with: + command: c + files: | + defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} + outPath: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz + - name: Upload daemon archive + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ needs.create-release.outputs.upload_url 
}} + asset_path: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz + asset_name: defguard-service-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz + asset_content_type: application/octet-stream + + - name: Rename dg binary + run: mv src-tauri/target/release/dg dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} + - name: Tar dg binary + uses: a7ul/tar-action@v1.2.0 + with: + command: c + files: | + dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }} + outPath: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz + - name: Upload dg archive + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ needs.create-release.outputs.upload_url }} + asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz + asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.tar.gz + asset_content_type: application/octet-stream + - name: Build dg deb + uses: defGuard/fpm-action@main + with: + fpm_args: 'dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}=/usr/sbin/dg dg.service=/usr/lib/systemd/system/dg.service src-tauri/cli/.env=/etc/defguard/dg.conf' + fpm_opts: '--architecture ${{ matrix.binary_arch }} --debug --output-type deb --version ${{ env.VERSION }} --package dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb' + - name: Upload DEB + uses: actions/upload-release-asset@v1.0.2 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ needs.create-release.outputs.upload_url }} + asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb + asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.deb + asset_content_type: application/octet-stream + - name: Build dg rpm + uses: defGuard/fpm-action@main + with: + fpm_args: 'dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}=/usr/sbin/dg dg.service=/usr/lib/systemd/system/dg.service 
src-tauri/cli/.env=/etc/defguard/dg.conf' + fpm_opts: '--architecture ${{ matrix.binary_arch }} --debug --output-type rpm --version ${{ env.VERSION }} --package dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm' + - name: Upload RPM + uses: actions/upload-release-asset@v1.0.2 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ needs.create-release.outputs.upload_url }} + asset_path: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm + asset_name: dg-linux-${{ matrix.binary_arch }}-${{ github.ref_name }}.rpm + asset_content_type: application/octet-stream + build-macos: needs: - create-release 
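Review bot: `uses: defGuard/fpm-action@main` in the `Build dg deb` and `Build dg rpm` steps tracks a moving branch, so the code that assembles the shipped .deb/.rpm can change between releases without any change in this repository. The other third-party actions in this job (`a7ul/tar-action@v1.2.0`, `tauri-apps/tauri-action@v0`, `dtolnay/rust-toolchain@stable`) are likewise referenced by tags or branches that can be moved. This release job runs on self-hosted runners and passes `GITHUB_TOKEN` to the asset-upload steps, so pin each action to a full commit SHA and keep the ref as a comment, e.g. `uses: defGuard/fpm-action@<full-commit-sha>  # main`. Separately, the `Rename … binary` steps expand `${{ github.ref_name }}` directly into the `run:` script text, and the tag name is chosen by whoever pushes the tag. Using the runner-provided variable in quotes avoids that: `mv src-tauri/target/release/dg "dg-linux-${{ matrix.binary_arch }}-${GITHUB_REF_NAME}"`.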
@@ -138,3 +299,142 @@ jobs: asset_path: src-tauri/target/${{ matrix.target }}/product-signed/defguard.pkg asset_name: defguard-${{ matrix.target }}-${{ env.VERSION }}.pkg asset_content_type: application/octet-stream + + # Building signed Windows bundle involves a few steps as described here: + # https://wixtoolset.org/docs/tools/signing/#signing-bundles-at-the-command-line + # 1. Build Defguard and bundle the binaries (Defguard and WireGuard) using Wix (Windows) + # 2. Detach the burn engine from the bundle so that it can be signed (also Windows) + # 3. Sign the burn engine (Linux) + # 4. Reattach the burn engine back to the bundle (Windows again) + # 5. Sign the whole bundle (Linux) + build-windows: + needs: + - create-release + runs-on: windows-latest + steps: + - uses: actions/checkout@v4 + with: + submodules: 'recursive' + - name: Write release version + run: | + $env:VERSION=echo ($env:GITHUB_REF_NAME.Substring(1) -Split "-")[0] + echo Version: $env:VERSION + echo "VERSION=$env:VERSION" >> $env:GITHUB_ENV + - uses: actions/setup-node@v3 + with: + node-version: '20' + - uses: pnpm/action-setup@v2 + with: + version: 9 + run_install: false + - name: Get pnpm store directory + shell: bash + run: echo "STORE_PATH=$(pnpm store path --silent)" >> $env:GITHUB_ENV + - uses: actions/cache@v3 + name: Setup pnpm cache + with: + path: ${{ env.STORE_PATH }} + key: ${{ runner.os }}-pnpm-build-store-${{ hashFiles('**/pnpm-lock.yaml') }} + restore-keys: | + ${{ runner.os }}-pnpm-build-store- + - name: Install deps + run: pnpm install --frozen-lockfile + - uses: dtolnay/rust-toolchain@stable + - name: Install Protoc + uses: arduino/setup-protoc@v2 + with: + repo-token: ${{ secrets.GITHUB_TOKEN }} + - name: Remove "default-run" line from Cargo.toml + run: | + Set-Content -Path ".\src-tauri\Cargo.toml" -Value (get-content -Path ".\src-tauri\Cargo.toml" | Select-String -Pattern 'default-run =' -NotMatch) + - name: Build packages + uses: tauri-apps/tauri-action@v0 + env: + 
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Bundle application + run: | + dotnet tool install --global wix --version 4.0.5 + wix extension add WixToolset.Bal.wixext/4 + wix build .\src-tauri\resources-windows\defguard-client.wxs -ext .\.wix\extensions\WixToolset.Bal.wixext\4\wixext4\WixToolset.Bal.wixext.dll + wix burn detach .\src-tauri\resources-windows\defguard-client.exe -engine .\src-tauri\resources-windows\burnengine.exe + - name: Upload unsigned bundle and burn-engine + uses: actions/upload-artifact@v4 + with: + name: unsigned-bundle-and-burnengine + path: | + src-tauri/resources-windows/defguard-client.exe + src-tauri/resources-windows/burnengine.exe + sign-burn-engine: + needs: + - build-windows + runs-on: + - self-hosted + - Linux + - X64 + steps: + - name: Write release version + run: | + VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1) + echo Version: $VERSION + echo "VERSION=$VERSION" >> $GITHUB_ENV + - name: Download unsigned bundle & burn-engine + uses: actions/download-artifact@v4 + with: + name: unsigned-bundle-and-burnengine + - name: Sign burn-engine + run: osslsigncode sign -pkcs11module /srv/codesign/certum/sc30pkcs11-3.0.6.68-MS.so -certs /srv/codesign/29ee7778ca5217107841bbbf6b3062e1.pem -key ${{ secrets.CODESIGN_KEYID }} -pass ${{ secrets.CODESIGN_PIN }} -h sha256 -t http://time.certum.pl/ -in burnengine.exe -out burnengine-signed.exe + - name: Upload bundle and burn-engine artifact + uses: actions/upload-artifact@v4 + with: + name: unsigned-bundle-and-signed-burnengine + path: | + defguard-client.exe + burnengine-signed.exe + reattach-burn-engine: + needs: + - sign-burn-engine + runs-on: windows-latest + steps: + - name: Download unsigned bundle and signed burn-engine + uses: actions/download-artifact@v4 + with: + name: unsigned-bundle-and-signed-burnengine + - name: Reattach burn-engine + run: | + dotnet tool install --global wix --version 4.0.5 + wix extension add WixToolset.Bal.wixext/4 + wix burn reattach 
defguard-client.exe -engine burnengine-signed.exe -o defguard-client-reattached.exe + - name: Upload bundle with reattached burn-engine + uses: actions/upload-artifact@v4 + with: + name: unsigned-bundle-with-reattached-signed-burn-engine + path: defguard-client-reattached.exe + sign-bundle: + needs: + - create-release + - reattach-burn-engine + runs-on: + - self-hosted + - Linux + - X64 + steps: + - name: Write release version + run: | + VERSION=$(echo ${GITHUB_REF_NAME#v} | cut -d '-' -f1) + echo Version: $VERSION + echo "VERSION=$VERSION" >> $GITHUB_ENV + - name: Download unsigned bundle & signed burn-engine + uses: actions/download-artifact@v4 + with: + name: unsigned-bundle-with-reattached-signed-burn-engine + - name: Sign bundle + run: osslsigncode sign -pkcs11module /srv/codesign/certum/sc30pkcs11-3.0.6.68-MS.so -certs /srv/codesign/29ee7778ca5217107841bbbf6b3062e1.pem -key ${{ secrets.CODESIGN_KEYID }} -pass ${{ secrets.CODESIGN_PIN }} -h sha256 -t http://time.certum.pl/ -in defguard-client-reattached.exe -out defguard-client-signed.exe + - name: Upload installer asset + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ needs.create-release.outputs.upload_url }} + asset_path: defguard-client-signed.exe + asset_name: defguard-client_${{ env.VERSION }}_x64_en-US.exe + asset_content_type: application/octet-stream
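Review bot: In `build-windows`, the `Get pnpm store directory` step sets `shell: bash` but redirects to `$env:GITHUB_ENV`, which is PowerShell syntax. Under bash `$env` is an unset variable, so the redirect target becomes `:GITHUB_ENV` rather than the runner's environment file, and `STORE_PATH` presumably never reaches the `Setup pnpm cache` step that reads `${{ env.STORE_PATH }}`. Use the bash form, as the Linux job does: `run: echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV`, or drop `shell: bash` and keep the PowerShell redirect. As a smaller point, `sign-burn-engine` has a `Write release version` step but nothing in that job reads `VERSION`, so the step can be removed.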