Conversation

mjcheetham
There are several issues that have been uncovered with the changes made in #738. Let's fix them!

  • Check out akv-secret action before it is used.
  • Log in to Azure before accessing the Key Vault.
  • Don't mask empty lines.
  • Use a buffer to fix encoding issues when writing binary data.
  • Correctly mask multi-line secret values.
  • Add missing require('path') statement.
dscho and others added 6 commits April 8, 2025 08:37
This fixes "Error: path is not defined" issues in the workflow run. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Use a buffer rather than a string when handling the output from the `az` command. Handling of binary data (that was base64 encoded) requires that we use a buffer and not a string, or else we will end up writing invalid data to files/output variables. Introduce several new helper functions for working with buffers, including trimming the EOL bytes (CR, LF), and fix up some of the output functions to correctly validate the value passed - it must be something printable (UTF-8-ish). Finally ensure that we correctly mask multi-line secret values by emitting a `::add-mask` command for each line. Co-authored-by: Johannes Schindelin <johannes.schindelin@gmx.de> Signed-off-by: Matthew John Cheetham <mjcheetham@outlook.com>
Don't mask empty lines since this isn't possible! Signed-off-by: Matthew John Cheetham <mjcheetham@outlook.com>
Since the Azure Portal supports only single-line secrets (but those lines can be _very_ long), the convention is to store GPG keys (which _are_ multi-line) as base64-encoded values. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
We need to log into Azure, and check out the custom Action, before we can download secrets from the KeyVault via `akv-secret`. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Ensure that we don't clobber an existing directory with the checkout, which in this instance contains downloaded artifacts! Signed-off-by: Matthew John Cheetham <mjcheetham@outlook.com>
mjcheetham and others added 11 commits April 8, 2025 16:14
Use the global `DO_WIN_CODESIGN` environment variable rather than re-compute this for the verification of codesigning step. Signed-off-by: Matthew John Cheetham <mjcheetham@outlook.com>
Replace Bash script (using `signtool`) for validating executables are code-signed correctly with a PowerShell script (which instead uses the `Get-AuthenticodeSignature` cmdlet). The `signtool` is only available in the Windows SDK, which isn't always installed on self-hosted runners (e.g., for ARM64), but PowerShell is always available on our images. Signed-off-by: Matthew John Cheetham <mjcheetham@outlook.com>
The custom Action is checked out at a different location than `.github/`... Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
We need to log into Azure before we can access the KeyVault. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
We also need to quote the Apple App identity (because it contains a parenthesis). Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
We're not using quotes around simple string values like 'git' in other places... let's be consistent. Signed-off-by: Matthew John Cheetham <mjcheetham@outlook.com>
The `akv-secret` Action must be checked out before it can be used. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Ensure that we don't clobber an existing directory with the checkout, which in this instance contains downloaded artifacts! Signed-off-by: Matthew John Cheetham <mjcheetham@outlook.com>
The `akv-secret` Action must be checked out before it can be used. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Ensure that we don't clobber an existing directory with the checkout, which in this instance contains downloaded artifacts! Signed-off-by: Matthew John Cheetham <mjcheetham@outlook.com>
Add semi-colon to the `require('buffer')` line to stay consistent with the rest of the index.js file. Signed-off-by: Matthew John Cheetham <mjcheetham@outlook.com>
@dscho dscho left a comment

The changes all look good to me!

@mjcheetham mjcheetham merged commit e92e23d into microsoft:vfs-2.49.0 Apr 9, 2025
63 checks passed