chore(ci): sign vsix file VSCODE-493 (#632)

* chore: sign vsix * only sign on linux * echo logout from artifactory * wip * list signatures
mongodb-js · Dec 28, 2023 · 9228ff0 · 9228ff0
1 parent ff5618c
commit 9228ff0
Show file tree

Hide file tree

Showing 2 changed files with 64 additions and 2 deletions.
diff --git a/.github/workflows/test-and-build.yaml b/.github/workflows/test-and-build.yaml
@@ -99,11 +99,26 @@ jobs:
         run: npm run check-vsix-size
         shell: bash
 
+      - name: Sign .vsix
+        if: runner.os == 'Linux'
+        env:
+          ARTIFACTORY_HOST: ${{ secrets.ARTIFACTORY_HOST }}
+          ARTIFACTORY_PASSWORD: ${{ secrets.ARTIFACTORY_PASSWORD }}
+          ARTIFACTORY_USERNAME: ${{ secrets.ARTIFACTORY_USERNAME }}
+          GARASIGN_PASSWORD: ${{ secrets.GARASIGN_PASSWORD }}
+          GARASIGN_USERNAME: ${{ secrets.GARASIGN_USERNAME }}
+        run: |
+          bash scripts/sign-vsix.sh
+          ls *.vsix.sig
+        shell: bash
+
       - name: Upload artifacts
         uses: actions/upload-artifact@v2
         with:
           name: VSIX built on ${{ runner.os }}
-          path: "*.vsix"
+          path: |
+            *.vsix
+            *.vsix.sig
 
       - name: Run Snyk Test
         if: runner.os == 'Linux'
@@ -149,7 +164,9 @@ jobs:
             --notes "Edit the release notes before publishing." \
             --target main \
             --draft \
-            *.vsix
+            *.vsix \
+            *.vsix.sig
+
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         if: ${{ startsWith(github.ref, 'refs/tags/') && runner.os == 'Linux' }}
diff --git a/scripts/sign-vsix.sh b/scripts/sign-vsix.sh
@@ -0,0 +1,45 @@
+#!/bin/bash
+
+FILE_TO_SIGN=$(find . -maxdepth 1 -name '*.vsix' -print -quit)
+
+if [ -z "$FILE_TO_SIGN" ]; then
+    echo "Error: No .vsix file found in the current directory." >&2
+    exit 1
+fi
+
+required_vars=("ARTIFACTORY_PASSWORD" "ARTIFACTORY_HOST" "ARTIFACTORY_USERNAME" "GARASIGN_USERNAME" "GARASIGN_PASSWORD")
+for var in "${required_vars[@]}"; do
+    if [ -z "${!var}" ]; then
+        echo "Error: Environment variable $var is not set." >&2
+        exit 1
+    fi
+done
+
+logout_artifactory() {
+    docker logout "${ARTIFACTORY_HOST}" > /dev/null 2>&1
+    echo "logged out from artifactory"
+}
+
+trap logout_artifactory EXIT
+
+
+echo "${ARTIFACTORY_PASSWORD}" | docker login "${ARTIFACTORY_HOST}" -u "${ARTIFACTORY_USERNAME}" --password-stdin > /dev/null 2>&1
+
+if [ $? -ne 0 ]; then
+    echo "Docker login failed" >&2
+    exit 1
+fi
+
+docker run \
+  --rm \
+  -e GRS_CONFIG_USER1_USERNAME="${GARASIGN_USERNAME}" \
+  -e GRS_CONFIG_USER1_PASSWORD="${GARASIGN_PASSWORD}" \
+  -v "$(pwd):/tmp/workdir" \
+  -w /tmp/workdir \
+  ${ARTIFACTORY_HOST}/release-tools-container-registry-local/garasign-gpg \
+  /bin/bash -c "gpgloader && gpg --yes -v --armor -o /tmp/workdir/${FILE_TO_SIGN}.sig --detach-sign /tmp/workdir/${FILE_TO_SIGN}"
+
+if [ $? -ne 0 ]; then
+    echo "Signing failed" >&2
+    exit 1
+fi