From 1db7beed67db01748c02970f150ed458d6f8cece Mon Sep 17 00:00:00 2001 From: Hiroshiba Date: Tue, 5 Jul 2022 01:45:59 +0900 Subject: [PATCH 01/11] =?UTF-8?q?=E3=82=B3=E3=83=BC=E3=83=89=E7=BD=B2?= =?UTF-8?q?=E5=90=8D?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/build.yml | 25 +++++++++++++++++-- build_util/codesign.bash | 49 +++++++++++++++++++++++++++++++++++++ 2 files changed, 72 insertions(+), 2 deletions(-) create mode 100644 build_util/codesign.bash diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 923f14940..ae00e62eb 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -7,6 +7,17 @@ on: types: - created workflow_dispatch: + inputs: + version: + description: "バージョン情報(A.BB.C / A.BB.C-preview.D)" + required: true + prerelease: + description: "プレリリースかどうか" + type: boolean + default: true + code_signing: + description: "コード署名する" + type: boolean env: IMAGE_NAME: ${{ secrets.DOCKERHUB_USERNAME }}/voicevox_engine @@ -14,8 +25,8 @@ env: VOICEVOX_RESOURCE_VERSION: "0.13.0-preview.2" VOICEVOX_CORE_VERSION: "0.12.2" VOICEVOX_ENGINE_VERSION: - |- # releaseのときはタグが、それ以外はlatestがバージョン名に - ${{ github.event.release.tag_name != '' && github.event.release.tag_name || 'latest' }} + |- # releaseタグ名か、workflow_dispatchでのバージョン名か、latestが入る + ${{ github.event.release.tag_name || github.event.inputs.version || 'latest' }} jobs: # Build Mac binary (x64 arch only) @@ -798,6 +809,15 @@ jobs: # pysoundfile ln -sf "${{ env.PYTHON_SITE_PACKAGES_DIR }}/_soundfile_data" artifact/ + - name: Code signing + if: github.event.inputs.code_signing + shell: bash + run: | + bash build_util/codesign.bash "artifact/run.exe" + env: + CERT_BASE64: ${{ secrets.CERT_BASE64 }} + CERT_PASSWORD: ${{ secrets.CERT_PASSWORD }} + # FIXME: versioned name may be useful; but # actions/download-artifact and dawidd6/download-artifact do not support # wildcard / forward-matching yet. 
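Review bot: The new `version` input is accepted as free text although its description fixes a format (A.BB.C / A.BB.C-preview.D), and the env hunk that follows copies it into `VOICEVOX_ENGINE_VERSION` unchecked; later patches in this series also use it as the release tag. If that variable is expanded with `${{ }}` inside a `run:` script elsewhere in the workflow (not visible here), the text would be spliced into shell source. A validation step at the start of the jobs would reject malformed values: pass the input through `env:` as `VERSION: ${{ github.event.inputs.version }}` and run a check such as `[[ -z "$VERSION" || "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-preview\.[0-9]+)?$ ]] || exit 1` (a constructed pattern, to be adjusted to the real scheme).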
@@ -855,6 +875,7 @@ jobs: with: repo_token: ${{ secrets.GITHUB_TOKEN }} tag: ${{ github.ref }} # == github.event.release.tag_name + prelease: ${{ github.event.inputs.prerelease }} file_glob: true file: ${{ matrix.artifact_name }}.7z.* diff --git a/build_util/codesign.bash b/build_util/codesign.bash new file mode 100644 index 000000000..72ea0f5b5 --- /dev/null +++ b/build_util/codesign.bash @@ -0,0 +1,49 @@ +# !!! コードサイニング証明書を取り扱うので取り扱い注意 !!! + +set -eu + +if [ -v "${CERT_BASE64}" ]; then + echo "CERT_BASE64が未定義です" + exit 1 +fi +if [ -v "${CERT_PASSWORD}" ]; then + echo "CERT_PASSWORDが未定義です" + exit 1 +fi + +if [ $# -ne 1 ]; then + echo "引数の数が一致しません" + exit 1 +fi +target_file_glob="$1" + +# 証明書 +CERT_PATH=cert.pfx +echo -n "$CERT_BASE64" | base64 -d - > $CERT_PATH + +# 指定ファイルに署名する +function codesign() { + TARGET="$1" + SIGNTOOL=$(find "C:/Program Files (x86)/Windows Kits/10/App Certification Kit" -name "signtool.exe" | sort -V | tail -n 1) + powershell "& '$SIGNTOOL' sign /fd SHA256 /td SHA256 /tr http://timestamp.digicert.com /f $CERT_PATH /p $CERT_PASSWORD '$TARGET'" +} + +# 指定ファイルが署名されているか +function is_signed() { + TARGET="$1" + SIGNTOOL=$(find "C:/Program Files (x86)/Windows Kits/10/App Certification Kit" -name "signtool.exe" | sort -V | tail -n 1) + powershell "& '$SIGNTOOL' verify /pa '$TARGET'" || return 1 +} + +# 署名されていなければ署名 +ls $target_file_glob | while read target_file; do + if is_signed "$target_file"; then + echo "署名済み: $target_file" + else + echo "署名: $target_file" + codesign "$target_file" + fi +done + +# 証明書を消去 +rm $CERT_PATH From 15d5963ba28a3cb9bd659b3bc4a77e901c54b15b Mon Sep 17 00:00:00 2001 From: Hiroshiba Date: Tue, 5 Jul 2022 01:47:29 +0900 Subject: [PATCH 02/11] add environment --- .github/workflows/build.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ae00e62eb..ead18a1e5 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
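Review bot: The key `prelease:` added under `with:` on the upload step looks like a misspelling of `prerelease`, the input name that svenstaro/upload-release-action defines. An unrecognised input is not passed on as the intended option, so the `prerelease` choice made at dispatch would not reach the action and a preview build would be published as an ordinary release. Patch 08 in this series corrects the spelling, but the `@@ -876,7 +876,7 @@` hunk of patch 10 changes it back, so the series ends with the typo in place. The line should read `prerelease: ${{ github.event.inputs.prerelease }}`.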
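Review bot: The two guards at the top of codesign.bash cannot fire: `[ -v "${CERT_BASE64}" ]` hands `-v` the secret's value where it expects a variable name, and the sense of the test is inverted as well, so an empty secret (what Actions supplies when the secret is not configured) falls through and an empty cert.pfx is written. The certificate file is removed only by the last line, and under `set -e` a failing signtool call aborts the script before that `rm`, leaving the key material in the working directory. In `codesign`, `$CERT_PASSWORD` is spliced unquoted into the PowerShell command string, so any metacharacter in the password is parsed by PowerShell instead of being passed through. The excerpt below uses `-z` checks, an EXIT trap for cleanup, and lets PowerShell read the password from the inherited environment.

```bash
if [ -z "${CERT_BASE64:-}" ]; then
    echo "CERT_BASE64が未定義です"
    exit 1
fi
if [ -z "${CERT_PASSWORD:-}" ]; then
    echo "CERT_PASSWORDが未定義です"
    exit 1
fi

# … unchanged: argument count check, target_file_glob …

CERT_PATH=cert.pfx
# Remove the certificate on every exit path, including set -e aborts.
trap 'rm -f "$CERT_PATH"' EXIT
echo -n "$CERT_BASE64" | base64 -d - > "$CERT_PATH"

function codesign() {
    TARGET="$1"
    # … unchanged: SIGNTOOL lookup …
    # \$env:CERT_PASSWORD is expanded by PowerShell, not by bash.
    powershell "& '$SIGNTOOL' sign /fd SHA256 /td SHA256 /tr http://timestamp.digicert.com /f '$CERT_PATH' /p \$env:CERT_PASSWORD '$TARGET'"
}

# … unchanged: is_signed, signing loop …
```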
@@ -400,6 +400,7 @@ jobs: path: build/run.dist/ build-windows: + environment: ${{ github.event.inputs.code_signing && 'code_signing' }} # コード署名用のenvironment strategy: matrix: include: From f8f9fb821635d58ad6a03785c9ed19aeeb5142eb Mon Sep 17 00:00:00 2001 From: Hiroshiba Date: Tue, 5 Jul 2022 23:07:02 +0900 Subject: [PATCH 03/11] =?UTF-8?q?release=E3=81=AE=E3=83=AD=E3=82=B8?= =?UTF-8?q?=E3=83=83=E3=82=AF=E3=82=92=E5=A4=89=E6=9B=B4?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/build.yml | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index ead18a1e5..f0c3e67ec 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -250,7 +250,7 @@ jobs: - uses: actions/upload-artifact@v2 # env: # VERSIONED_ARTIFACT_NAME: | - # ${{ format('{0}-{1}', matrix.artifact_name, (github.event.release.tag_name != '' && github.event.release.tag_name) || github.sha) }} + # ${{ format('{0}-{1}', matrix.artifact_name, (env.VOICEVOX_ENGINE_VERSION != 'latest' && env.VOICEVOX_ENGINE_VERSION) || github.sha) }} with: name: ${{ matrix.artifact_name }} path: build/run.dist/ @@ -394,7 +394,7 @@ jobs: - uses: actions/upload-artifact@v2 # env: # VERSIONED_ARTIFACT_NAME: | - # ${{ format('{0}-{1}', matrix.artifact_name, (github.event.release.tag_name != '' && github.event.release.tag_name) || github.sha) }} + # ${{ format('{0}-{1}', matrix.artifact_name, (env.VOICEVOX_ENGINE_VERSION != 'latest' && env.VOICEVOX_ENGINE_VERSION) || github.sha) }} with: name: ${{ matrix.artifact_name }} path: build/run.dist/ 
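Review bot: The `environment:` expression on build-windows protects the certificate only if `CERT_BASE64` and `CERT_PASSWORD` are stored as secrets of the `code_signing` environment. If they are repository secrets, the signing step from patch 01 can read them whether or not this environment is selected; the page does not show which is the case. A comment on this line would record the requirement, for example `# CERT_BASE64 / CERT_PASSWORD must be secrets of the code_signing environment, not repository secrets`. Required reviewers on that environment would also put an approval in front of every signing run. The build-windows job continues outside the hunk.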
@@ -819,6 +819,13 @@ jobs: CERT_BASE64: ${{ secrets.CERT_BASE64 }} CERT_PASSWORD: ${{ secrets.CERT_PASSWORD }} + # ブランチのデフォルト戻した??? + # ブランチのデフォルト戻した??? + # ブランチのデフォルト戻した??? + # ブランチのデフォルト戻した??? + # ブランチのデフォルト戻した??? + # ブランチのデフォルト戻した??? + # FIXME: versioned name may be useful; but # actions/download-artifact and dawidd6/download-artifact do not support # wildcard / forward-matching yet. @@ -828,14 +835,14 @@ jobs: - uses: actions/upload-artifact@v2 # env: # VERSIONED_ARTIFACT_NAME: | - # ${{ format('{0}-{1}', matrix.artifact_name, (github.event.release.tag_name != '' && github.event.release.tag_name) || github.sha) }} + # ${{ format('{0}-{1}', matrix.artifact_name, (env.VOICEVOX_ENGINE_VERSION != 'latest' && env.VOICEVOX_ENGINE_VERSION) || github.sha) }} with: name: ${{ matrix.artifact_name }} path: | artifact/ upload-to-release: - if: github.event.release.tag_name != '' + if: env.VOICEVOX_ENGINE_VERSION != 'latest' needs: [build-mac, build-linux, build-windows] runs-on: ubuntu-latest strategy: @@ -875,15 +882,15 @@ jobs: uses: svenstaro/upload-release-action@v2 with: repo_token: ${{ secrets.GITHUB_TOKEN }} - tag: ${{ github.ref }} # == github.event.release.tag_name + tag: ${{ env.VOICEVOX_ENGINE_VERSION }} prelease: ${{ github.event.inputs.prerelease }} file_glob: true file: ${{ matrix.artifact_name }}.7z.* run-release-test-workflow: - if: github.event.release.tag_name != '' + if: env.VOICEVOX_ENGINE_VERSION != 'latest' needs: [upload-to-release] uses: ./.github/workflows/release-test.yml with: - version: ${{ github.event.release.tag_name }} + version: ${{ env.VOICEVOX_ENGINE_VERSION }} repo_url: ${{ format('{0}/{1}', github.server_url, github.repository) }} # このリポジトリのURL From cf4adbae266c112d0198cc2b31b52968e1b0bb70 Mon Sep 17 00:00:00 2001 
From: Hiroshiba Date: Tue, 5 Jul 2022 23:16:41 +0900 Subject: [PATCH 04/11] =?UTF-8?q?env.VOICEVOX=5FENGINE=5FVERSION=E3=81=8C?= =?UTF-8?q?=E4=BD=BF=E3=81=88=E3=81=AA=E3=81=84?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index f0c3e67ec..18984c1a9 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -842,7 +842,7 @@ jobs: artifact/ upload-to-release: - if: env.VOICEVOX_ENGINE_VERSION != 'latest' + if: (github.event.release.tag_name || github.event.inputs.version) != '' needs: [build-mac, build-linux, build-windows] runs-on: ubuntu-latest strategy: @@ -888,7 +888,7 @@ jobs: file: ${{ matrix.artifact_name }}.7z.* run-release-test-workflow: - if: env.VOICEVOX_ENGINE_VERSION != 'latest' + if: (github.event.release.tag_name || github.event.inputs.version) != '' needs: [upload-to-release] uses: ./.github/workflows/release-test.yml with: From 0ad70d294e9e51822df4d265270388fe0e05d9bf Mon Sep 17 00:00:00 2001 From: Hiroshiba Date: Tue, 5 Jul 2022 23:18:05 +0900 Subject: [PATCH 05/11] github.event.release.tag_name || github.event.inputs.version --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 18984c1a9..4ab136a0c 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -892,5 +892,5 @@ jobs: needs: [upload-to-release] uses: ./.github/workflows/release-test.yml with: - version: ${{ env.VOICEVOX_ENGINE_VERSION }} + version: ${{ github.event.release.tag_name || github.event.inputs.version }} repo_url: ${{ format('{0}/{1}', github.server_url, github.repository) }} # このリポジトリのURL From 73a76eec4a5ee3791e70a368f5d5af3a57fc7786 Mon Sep 17 00:00:00 2001 
From: Hiroshiba Date: Tue, 5 Jul 2022 23:19:26 +0900 Subject: [PATCH 06/11] =?UTF-8?q?=E3=82=B3=E3=83=A1=E3=83=B3=E3=83=88?= =?UTF-8?q?=E3=82=92=E6=B6=88=E3=81=99?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/build.yml | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 4ab136a0c..129541232 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -819,13 +819,6 @@ jobs: CERT_BASE64: ${{ secrets.CERT_BASE64 }} CERT_PASSWORD: ${{ secrets.CERT_PASSWORD }} - # ブランチのデフォルト戻した??? - # ブランチのデフォルト戻した??? - # ブランチのデフォルト戻した??? - # ブランチのデフォルト戻した??? - # ブランチのデフォルト戻した??? - # ブランチのデフォルト戻した??? - # FIXME: versioned name may be useful; but # actions/download-artifact and dawidd6/download-artifact do not support # wildcard / forward-matching yet. @@ -892,5 +885,5 @@ jobs: needs: [upload-to-release] uses: ./.github/workflows/release-test.yml with: - version: ${{ github.event.release.tag_name || github.event.inputs.version }} + version: ${{ github.event.release.tag_name || github.event.inputs.version }} # env.VOICEVOX_ENGINE_VERSIONが使えない repo_url: ${{ format('{0}/{1}', github.server_url, github.repository) }} # このリポジトリのURL From a922fd3a99d33ab84985e3d31b3e218a3ae64644 Mon Sep 17 00:00:00 2001 From: Hiroshiba Date: Thu, 7 Jul 2022 06:33:37 +0900 Subject: [PATCH 07/11] github.event.inputs.code_signing == 'true' --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 129541232..8993ed20b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -400,7 +400,7 @@ jobs: path: build/run.dist/ build-windows: - environment: ${{ github.event.inputs.code_signing && 'code_signing' }} # コード署名用のenvironment + environment: ${{ github.event.inputs.code_signing == 'true' && 'code_signing' }} # コード署名用のenvironment strategy: matrix: include: From b291abee2d7eaeb7f9749c78add44be1acd17dcb Mon Sep 17 00:00:00 2001 From: Hiroshiba Date: Sun, 10 Jul 2022 18:15:53 +0900 Subject: [PATCH 08/11] Update .github/workflows/build.yml Co-authored-by: Gray Suitcase <41382894+PickledChair@users.noreply.github.com> --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8993ed20b..cccdf0cb0 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -876,7 +876,7 @@ jobs: with: repo_token: ${{ secrets.GITHUB_TOKEN }} tag: ${{ env.VOICEVOX_ENGINE_VERSION }} - prelease: ${{ github.event.inputs.prerelease }} + prerelease: ${{ github.event.inputs.prerelease }} file_glob: true file: ${{ matrix.artifact_name }}.7z.* From 9a9558378dc1710c624173d5d3fc726f21d42b62 Mon Sep 17 00:00:00 2001 From: Hiroshiba Date: Sun, 10 Jul 2022 19:02:13 +0900 Subject: [PATCH 09/11] Update .github/workflows/build.yml --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index cccdf0cb0..47be56176 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -400,7 +400,7 @@ jobs: path: build/run.dist/ build-windows: - environment: ${{ github.event.inputs.code_signing == 'true' && 'code_signing' }} # コード署名用のenvironment + environment: ${{ github.event.inputs.code_signing == 'true' && 'code_signing' }} # コード署名用のenvironment(false時の挙動は2022年7月10日時点で未定義動作) strategy: matrix: include: From 22c1015c540256bf2e25a8a35bb0e96248b4065e Mon Sep 17 00:00:00 2001 
From: Hiroshiba Date: Sun, 10 Jul 2022 19:08:07 +0900 Subject: [PATCH 10/11] =?UTF-8?q?false=E6=99=82=E3=81=AE=E6=8C=99=E5=8B=95?= =?UTF-8?q?=E3=81=AF2022=E5=B9=B47=E6=9C=8810=E6=97=A5=E6=99=82=E7=82=B9?= =?UTF-8?q?=E3=81=A7=E6=9C=AA=E5=AE=9A=E7=BE=A9=E5=8B=95=E4=BD=9C?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/build.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 47be56176..8993ed20b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -400,7 +400,7 @@ jobs: path: build/run.dist/ build-windows: - environment: ${{ github.event.inputs.code_signing == 'true' && 'code_signing' }} # コード署名用のenvironment(false時の挙動は2022年7月10日時点で未定義動作) + environment: ${{ github.event.inputs.code_signing == 'true' && 'code_signing' }} # コード署名用のenvironment strategy: matrix: include: @@ -876,7 +876,7 @@ jobs: with: repo_token: ${{ secrets.GITHUB_TOKEN }} tag: ${{ env.VOICEVOX_ENGINE_VERSION }} - prerelease: ${{ github.event.inputs.prerelease }} + prelease: ${{ github.event.inputs.prerelease }} file_glob: true file: ${{ matrix.artifact_name }}.7z.* From 5c33ebe71c1dd5055eb4f371d0f5818be9b6a079 Mon Sep 17 00:00:00 2001 From: Hiroshiba Date: Sun, 10 Jul 2022 19:08:47 +0900 Subject: [PATCH 11/11] Update .github/workflows/build.yml Co-authored-by: Gray Suitcase <41382894+PickledChair@users.noreply.github.com> --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 8993ed20b..65d4b7f95 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -811,7 +811,7 @@ jobs: ln -sf "${{ env.PYTHON_SITE_PACKAGES_DIR }}/_soundfile_data" artifact/ - name: Code signing - if: github.event.inputs.code_signing + if: github.event.inputs.code_signing == 'true' shell: bash run: | bash build_util/codesign.bash "artifact/run.exe"