Release v0.4.10 — Windows builds code-signed via Azure Trusted Signing #21
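# Builds the Windows portable bundle and the Inno Setup installer, signs both
# with Azure Trusted Signing (GitHub OIDC -> Azure federated credential), and
# attaches the results to the tagged release.
name: Windows

on:
  push:
    tags: ['v*']
  # NOTE(review): a manual dispatch can be started from any ref by anyone with
  # write access. The only gate between such a run and the signing identity is
  # the 'release' environment, so that environment should restrict deployment
  # branches/tags and ideally require a reviewer.
  workflow_dispatch:

# Workflow-wide default. The 'build' job declares its own permissions block,
# which replaces this default for that job.
# NOTE(review): if no other job needs it, lower this to `contents: read`.
permissions:
  contents: write

jobs:
  build:
    name: Build Windows .exe installer + zip
    runs-on: windows-latest
    # The 'release' environment binds this job's OIDC token subject to
    # `repo:VonHoltenCodes/EasyAmp:environment:release`, which is what the
    # Azure Trusted Signing federated credential is configured to trust.
    environment: release
    # NOTE(review): dependency installation, the build, signing and the release
    # upload all share this one job, so every tool installed below runs on a
    # runner that is allowed to request the signing OIDC token and holds a
    # contents:write token. Splitting into build -> sign -> publish jobs, with
    # id-token: write only on the signing job, would narrow that exposure.
    permissions:
      contents: write
      id-token: write  # required for federated OIDC → Azure login
    defaults:
      run:
        shell: msys2 {0}
    # NOTE(review): every `uses:` below references a mutable tag (@v4, @v2,
    # @v0.5.1). Because this job can sign binaries, pin each action to a full
    # commit SHA, e.g. `uses: owner/action@<full-commit-sha>  # vX.Y.Z`.
    steps:
      - uses: actions/checkout@v4
        with:
          # Do not leave the GITHUB_TOKEN in .git/config: nothing below pushes
          # with git, and the later pip/PyInstaller/choco steps execute
          # third-party code in this checkout.
          persist-credentials: false

      - name: Set up MSYS2 (MINGW64 GTK4 + GStreamer)
        uses: msys2/setup-msys2@v2
        with:
          msystem: MINGW64
          update: true
          install: >-
            mingw-w64-x86_64-gtk4
            mingw-w64-x86_64-python-gobject
            mingw-w64-x86_64-python-cairo
            mingw-w64-x86_64-gstreamer
            mingw-w64-x86_64-gst-plugins-base
            mingw-w64-x86_64-gst-plugins-good
            mingw-w64-x86_64-gst-plugins-bad
            mingw-w64-x86_64-soundtouch
            mingw-w64-x86_64-adwaita-icon-theme
            mingw-w64-x86_64-hicolor-icon-theme
            mingw-w64-x86_64-librsvg
            mingw-w64-x86_64-python-numpy
            mingw-w64-x86_64-python-pillow
            mingw-w64-x86_64-python-pip

      - name: Install EasyAmp + PyInstaller
        run: |
          python -c "import gi; gi.require_version('Gtk','4.0'); from gi.repository import Gtk, Gst; print('gi OK')"
          # NOTE(review): pip, pyinstaller and pyinstaller-hooks-contrib are
          # unpinned, so whatever PyPI serves at build time ends up inside the
          # signed executable. Prefer pinned versions with hash checking
          # (a requirements file installed with --require-hashes).
          pip install --upgrade pip
          pip install pyinstaller pyinstaller-hooks-contrib
          pip install --no-deps .

      - name: Build the .ico from the logo
        run: |
          python -c "from PIL import Image; Image.open('assets/icons/easyamp-256.png').save('packaging/windows/easyamp.ico', sizes=[(16,16),(32,32),(48,48),(64,64),(128,128),(256,256)])"

      - name: Build the .exe (PyInstaller)
        run: |
          cd packaging/windows
          pyinstaller --noconfirm --clean EasyAmp.spec

      - name: Harden the bundle (GTK schemas, icon themes)
        run: |
          # PyInstaller 6 onedir keeps everything in _internal/, which is what
          # sys._MEIPASS points to at runtime.
          DEST=packaging/windows/dist/EasyAmp/_internal
          mkdir -p "$DEST/share/glib-2.0/schemas" "$DEST/share/icons"
          glib-compile-schemas /mingw64/share/glib-2.0/schemas --targetdir "$DEST/share/glib-2.0/schemas" || \
            cp -f /mingw64/share/glib-2.0/schemas/gschemas.compiled "$DEST/share/glib-2.0/schemas/"
          # Icon themes are best-effort: a failed copy does not fail the build.
          cp -rf /mingw64/share/icons/Adwaita "$DEST/share/icons/" || true
          cp -rf /mingw64/share/icons/hicolor "$DEST/share/icons/" || true
          echo "schemas: $(ls -1 "$DEST/share/glib-2.0/schemas/")"
          echo "Gtk typelib present in bundle: $(ls packaging/windows/dist/EasyAmp/_internal/gi_typelibs/ | grep -i gtk || echo MISSING)"
          # `find | head -1` exits 0 even with no match, so MISSING was never
          # printed. `-print -quit` stops at the first hit and `grep .` turns
          # empty output into a non-zero status.
          echo "libgtk dll present: $(find packaging/windows/dist/EasyAmp -iname 'libgtk-4*' -print -quit | grep . || echo MISSING)"
          echo "soundtouch (pitch) plugin: $(find packaging/windows/dist/EasyAmp -iname '*soundtouch*' -print -quit | grep . || echo MISSING)"

      # Sign EasyAmp.exe BEFORE zipping so the portable archive contains the
      # signed binary. Azure login uses GitHub OIDC; no client secret stored.
      - name: Azure login (OIDC for Trusted Signing)
        uses: azure/login@v2
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: Sign portable EasyAmp.exe (Trusted Signing)
        uses: azure/trusted-signing-action@v0.5.1
        with:
          endpoint: https://cus.codesigning.azure.net/
          trusted-signing-account-name: easyamp-signing
          certificate-profile-name: easyamp-public-trust
          # Only *.exe files in this folder are selected; the DLLs under
          # _internal/ are shipped unsigned.
          files-folder: ${{ github.workspace }}/packaging/windows/dist/EasyAmp
          files-folder-filter: exe
          file-digest: SHA256
          # RFC 3161 responses are signed tokens, so the plain-HTTP timestamp
          # URL does not weaken the signature.
          timestamp-rfc3161: http://timestamp.acs.microsoft.com/
          timestamp-digest: SHA256

      - name: Package the portable .zip
        shell: pwsh
        run: |
          Compress-Archive -Path packaging/windows/dist/EasyAmp/* -DestinationPath EasyAmp-windows-x64.zip -Force

      - name: Build the installer (Inno Setup)
        shell: pwsh
        run: |
          $ver = (Select-String -Path easyamp/__init__.py -Pattern '__version__ = "(.+)"').Matches.Groups[1].Value
          Write-Host "Version: $ver"
          $iscc = "C:\Program Files (x86)\Inno Setup 6\ISCC.exe"
          # NOTE(review): the fallback installs an unpinned innosetup package
          # while the Azure session from the login step is still active.
          if (-not (Test-Path $iscc)) { choco install innosetup -y --no-progress; $iscc = "C:\Program Files (x86)\Inno Setup 6\ISCC.exe" }
          & $iscc "/DAppVersion=$ver" packaging\windows\EasyAmp.iss
          Copy-Item packaging\windows\EasyAmp-Setup-x64.exe .\EasyAmp-Setup-x64.exe

      - name: Sign installer EasyAmp-Setup-x64.exe (Trusted Signing)
        uses: azure/trusted-signing-action@v0.5.1
        with:
          endpoint: https://cus.codesigning.azure.net/
          trusted-signing-account-name: easyamp-signing
          certificate-profile-name: easyamp-public-trust
          # The filter selects every *.exe in the workspace root, not just the
          # installer; keep the repository root free of other executables.
          # NOTE(review): the uninstaller that Inno Setup embeds is presumably
          # not covered here unless EasyAmp.iss configures signing — confirm.
          files-folder: ${{ github.workspace }}
          files-folder-filter: exe
          file-digest: SHA256
          timestamp-rfc3161: http://timestamp.acs.microsoft.com/
          timestamp-digest: SHA256

      # Fail the run before anything is published if a signing step selected
      # no file or produced a signature that does not validate.
      - name: Verify Authenticode signatures before publishing
        shell: pwsh
        run: |
          $portable = @(Get-ChildItem packaging/windows/dist/EasyAmp -Filter *.exe -File)
          if ($portable.Count -eq 0) { throw "No .exe found in the portable bundle" }
          $targets = $portable + (Get-Item .\EasyAmp-Setup-x64.exe)
          foreach ($t in $targets) {
            $sig = Get-AuthenticodeSignature -FilePath $t.FullName
            Write-Host "$($t.Name): $($sig.Status) / $($sig.SignerCertificate.Subject)"
            if ($sig.Status -ne 'Valid') { throw "Signature check failed for $($t.FullName): $($sig.Status)" }
          }

      - name: Upload artifacts
        uses: actions/upload-artifact@v4
        with:
          name: EasyAmp-windows-x64
          path: |
            EasyAmp-windows-x64.zip
            EasyAmp-Setup-x64.exe

      # Only tag pushes publish; a manual dispatch stops at the artifact upload.
      - name: Attach to release
        if: startsWith(github.ref, 'refs/tags/v')
        uses: softprops/action-gh-release@v2
        with:
          files: |
            EasyAmp-windows-x64.zip
            EasyAmp-Setup-x64.exe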