name: publish-nym-wallet-win11 on: workflow_dispatch: inputs: sign: description: "Sign this build using SSL.com. Signing is billed per signature so be careful" required: false type: boolean default: true release: types: [created] defaults: run: working-directory: nym-wallet jobs: publish-tauri: if: ${{ (startsWith(github.ref, 'refs/tags/nym-wallet-') && github.event_name == 'release') || github.event_name == 'workflow_dispatch' }} strategy: fail-fast: false matrix: platform: [custom-windows-11] runs-on: ${{ matrix.platform }} outputs: release_tag: ${{ github.ref_name }} env: SIGN_WINDOWS: ${{ github.event_name == 'release' || inputs.sign }} steps: - uses: actions/checkout@v6 - name: Install Rust toolchain uses: dtolnay/rust-toolchain@stable with: toolchain: ${{ vars.REQUIRED_RUSTC_VERSION }} - name: Setup MSBuild.exe uses: microsoft/setup-msbuild@v3 - name: Setup pnpm uses: pnpm/action-setup@v5.0.0 with: version: 11.1.2 - uses: actions/setup-node@v4 with: node-version: 24 - name: Strip Authenticode thumbprint (avoid signtool on runner) working-directory: nym-wallet/src-tauri if: ${{ env.SIGN_WINDOWS == 'true' || (github.event_name == 'workflow_dispatch' && !inputs.sign) }} shell: bash run: | set -euo pipefail if ! command -v yq >/dev/null 2>&1; then echo "yq is required on this runner to edit tauri.conf.json" exit 1 fi yq eval --inplace ' del(.bundle.windows.certificateThumbprint) | del(.bundle.windows.digestAlgorithm) | del(.bundle.windows.timestampUrl) ' tauri.conf.json - name: Download EV CodeSignTool from ssl.com working-directory: nym-wallet/src-tauri if: env.SIGN_WINDOWS == 'true' shell: bash run: | curl -L0 https://www.ssl.com/download/codesigntool-for-linux-and-macos/ -o codesigntool.zip unzip codesigntool.zip - name: Get EV certificate credential id working-directory: nym-wallet/src-tauri if: env.SIGN_WINDOWS == 'true' id: get_credential_ids shell: bash run: | echo "SSL_COM_CREDENTIAL_ID=$(./CodeSignTool.sh get_credential_ids -username=${{ secrets.SSL_COM_USERNAME }} -password=${{ secrets.SSL_COM_PASSWORD }} | sed -n '1!p' | sed 's/- //')" >> "$GITHUB_OUTPUT" - name: Add custom sign command to tauri.conf.json working-directory: nym-wallet/src-tauri if: env.SIGN_WINDOWS == 'true' shell: bash env: SSL_SIGN_USER: ${{ secrets.SSL_COM_USERNAME }} SSL_SIGN_PASS: ${{ secrets.SSL_COM_PASSWORD }} SSL_SIGN_CRED: ${{ steps.get_credential_ids.outputs.SSL_COM_CREDENTIAL_ID }} SSL_SIGN_TOTP: ${{ secrets.SSL_COM_TOTP_SECRET }} run: | set -euo pipefail if ! command -v cygpath >/dev/null 2>&1; then echo "cygpath not found; install Git for Windows or use bash from Git SDK" exit 1 fi export SCRIPT_UNIX="$(cygpath -u "$GITHUB_WORKSPACE/nym-wallet/src-tauri/CodeSignTool.sh")" yq eval --inplace ' .bundle.windows += { "signCommand": { "cmd": "C:/Program Files/Git/bin/bash.exe", "args": [ strenv(SCRIPT_UNIX), "sign", ("-username " + strenv(SSL_SIGN_USER)), ("-password " + strenv(SSL_SIGN_PASS)), ("-credential_id " + strenv(SSL_SIGN_CRED)), ("-totp_secret " + strenv(SSL_SIGN_TOTP)), "-program_name NymWallet", "-input_file_path", "%1", "-override" ] } } ' tauri.conf.json - name: Install project dependencies shell: bash run: cd .. && pnpm i - name: Install app dependencies shell: bash run: pnpm i - name: Build and sign it shell: bash env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_PRIVATE_KEY }} TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_KEY_PASSWORD }} SSL_COM_USERNAME: ${{ env.SIGN_WINDOWS == 'true' && secrets.SSL_COM_USERNAME }} SSL_COM_PASSWORD: ${{ env.SIGN_WINDOWS == 'true' && secrets.SSL_COM_PASSWORD }} SSL_COM_CREDENTIAL_ID: ${{ env.SIGN_WINDOWS == 'true' && steps.get_credential_ids.outputs.SSL_COM_CREDENTIAL_ID }} SSL_COM_TOTP_SECRET: ${{ env.SIGN_WINDOWS == 'true' && secrets.SSL_COM_TOTP_SECRET }} run: | echo "Starting build process..." pnpm build - name: Check bundle directory shell: bash run: | echo "Checking bundle directory structure" # Check standard location if [ -d "target/release/bundle" ]; then echo "Found bundle directory at standard location" ls -la target/release/bundle || echo "Failed to list bundle directory" fi # Check src-tauri location if [ -d "src-tauri/target/release/bundle" ]; then echo "Found bundle directory in src-tauri" ls -la src-tauri/target/release/bundle || echo "Failed to list src-tauri bundle directory" # Use this path for future steps echo "BUNDLE_PATH=src-tauri/target/release/bundle" >> $GITHUB_ENV else echo "Using standard bundle path" echo "BUNDLE_PATH=target/release/bundle" >> $GITHUB_ENV fi # Check for MSI files in any location find . -name "*.msi" -type f - name: Upload Artifact uses: actions/upload-artifact@v7 with: name: nym-wallet.msi path: | nym-wallet/${{ env.BUNDLE_PATH }}/msi/*.msi nym-wallet/${{ env.BUNDLE_PATH }}/*/nym-wallet*.msi nym-wallet/src-tauri/target/release/bundle/msi/*.msi retention-days: 30 - id: create-release name: Upload to release based on tag name uses: softprops/action-gh-release@v2 if: github.event_name == 'release' with: files: | nym-wallet/${{ env.BUNDLE_PATH }}/msi/*.msi nym-wallet/${{ env.BUNDLE_PATH }}/msi/*.msi.zip* nym-wallet/${{ env.BUNDLE_PATH }}/*/nym-wallet*.msi nym-wallet/src-tauri/target/release/bundle/msi/*.msi - name: Find MSI path for deployment id: find-msi shell: bash run: | MSI_FILE=$(find . -name "*.msi" -type f | head -n 1) if [ -n "$MSI_FILE" ]; then echo "Found MSI file: $MSI_FILE" echo "msi_path=$MSI_FILE" >> $GITHUB_OUTPUT else echo "WARNING: No MSI file found for deployment!" echo "msi_path=${{ env.BUNDLE_PATH }}/msi/nym-wallet*.msi" >> $GITHUB_OUTPUT fi push-release-data: if: ${{ (startsWith(github.ref, 'refs/tags/nym-wallet-') && github.event_name == 'release') || github.event_name == 'workflow_dispatch' }} uses: ./.github/workflows/release-calculate-hash.yml needs: publish-tauri with: release_tag: ${{ needs.publish-tauri.outputs.release_tag || github.ref_name }} secrets: inherit