Skip to content

Workflow file for this run

name: 'PKG: Microsoft Software Installer (MSI)'
on:
workflow_dispatch:
inputs:
version:
description: 'Package Version'
required: true
default: '0.0.1'
name:
description: 'Package Name'
required: false
default: 'mondoo'
skip-publish:
description: 'Skip publish?'
required: false
default: false
type: boolean
release:
types: [published]
jobs:
setup:
name: 'Setup'
runs-on: ubuntu-latest
outputs:
version: ${{ steps.version.outputs.version }}
trimmed-version: ${{ steps.version.outputs.trimmed_version }}
name: ${{ steps.version.outputs.name }}
steps:
- name: Set Version (Workflow Dispatch)
if: github.event_name == 'workflow_dispatch'
run: |
echo VERSION=${{ inputs.version }} >> $GITHUB_ENV
- name: Set Version (Release Event)
if: github.event_name == 'release'
run: |
echo VERSION=${{ github.event.release.tag_name }} >> $GITHUB_ENV
- name: Unified Version
id: version
run: |
INPUT_NAME=${{ inputs.name }}
if [[ ${INPUT_NAME} == '' ]]; then
echo "Name is empty, using default"
echo "name=mondoo" >> $GITHUB_OUTPUT
else
echo "Name: ${INPUT_NAME}"
echo "name=${INPUT_NAME}" >> $GITHUB_OUTPUT
fi
V=$(echo $VERSION | sed 's/v//')
echo "Version: $V"
echo "version=${V}" >> $GITHUB_OUTPUT
echo "trimmed_version=$(echo ${V} | sed 's/-.*//')" >> $GITHUB_OUTPUT
- name: Ensure version of cnquery and cnspec are available
run: |
curl -sL --head --fail https://github.com/mondoohq/cnquery/releases/download/v${{ steps.version.outputs.version }}/cnquery_${{ steps.version.outputs.version }}_windows_amd64.zip \
https://github.com/mondoohq/cnspec/releases/download/v${{ steps.version.outputs.version }}/cnspec_${{ steps.version.outputs.version }}_windows_amd64.zip \
https://github.com/mondoohq/cnquery/releases/download/v${{ steps.version.outputs.version }}/cnquery_${{ steps.version.outputs.version }}_windows_arm64.zip \
https://github.com/mondoohq/cnspec/releases/download/v${{ steps.version.outputs.version }}/cnspec_${{ steps.version.outputs.version }}_windows_arm64.zip
dist-prepare:
name: Prepare Distribution for Packaging
strategy:
matrix:
arch:
- amd64
- arm64
runs-on: ubuntu-latest
needs: setup
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Download Binaries
env:
VERSION: ${{ needs.setup.outputs.version }}
run: |
# TODO: We should check the sums here
mkdir -p dist/${{ matrix.arch }} && cd dist/${{ matrix.arch }}
curl -sSL -O https://github.com/mondoohq/cnspec/releases/download/v${VERSION}/cnspec_${VERSION}_windows_${{ matrix.arch }}.zip
unzip cnspec_${VERSION}_windows_${{ matrix.arch }}.zip
rm cnspec_${VERSION}_windows_${{ matrix.arch }}.zip
curl -sSL -O https://github.com/mondoohq/cnquery/releases/download/v${VERSION}/cnquery_${VERSION}_windows_${{ matrix.arch }}.zip
unzip cnquery_${VERSION}_windows_${{ matrix.arch }}.zip
rm cnquery_${VERSION}_windows_${{ matrix.arch }}.zip
ls -lh
- name: Upload Distribution
uses: actions/upload-artifact@v4
with:
name: dist-${{ matrix.arch }}
path: dist/${{ matrix.arch }}
msi-build:
name: 'Packaging: Windows MSI'
runs-on: windows-latest
strategy:
matrix:
arch:
- amd64
- arm64
needs:
- setup
- dist-prepare
# For Version: ${{ needs.setup.outputs.version }}
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Download Distribution
uses: actions/download-artifact@v4
with:
name: dist-${{ matrix.arch }}
path: dist/${{ matrix.arch }}
- name: Setup Certificate
shell: bash
run: |
echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/Certificate_pkcs12.p12
- name: Set signing variables
shell: bash
run: |
echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV"
echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV"
echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV"
echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV"
echo "SM_CODE_SIGNING_CERT_SHA1_HASH=${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }}" >> "$GITHUB_ENV"
echo "C:\Program Files (x86)\Windows Kits\10\App Certification Kit" >> $GITHUB_PATH
echo "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools" >> $GITHUB_PATH
echo "C:\Program Files\DigiCert\DigiCert One Signing Manager Tools" >> $GITHUB_PATH
- name: Setup SSM KSP on windows latest
shell: cmd
run: |
curl --retry 10 --retry-delay 60 -X GET https://one.digicert.com/signingmanager/api-ui/v1/releases/smtools-windows-x64.msi/download -H "x-api-key:%SM_API_KEY%" -o smtools-windows-x64.msi
msiexec /i smtools-windows-x64.msi /quiet /qn
smksp_registrar.exe list
smctl.exe keypair ls
C:\Windows\System32\certutil.exe -csp "DigiCert Signing Manager KSP" -key -user
smksp_cert_sync.exe
- name: Build and Sign MSI
env:
VERSION: ${{ needs.setup.outputs.trimmed-version }}
run: |
$mondooVersion = ${env:VERSION}
echo "Running build job for version ${mondooVersion}"
Copy-Item .\dist\${{ matrix.arch }}\cnquery.exe .\packages\msi\msi\
Copy-Item .\dist\${{ matrix.arch }}\cnspec.exe .\packages\msi\msi\
Copy-Item .\dist\${{ matrix.arch }}\cnquery.exe .\packages\msi\appx\
Copy-Item .\dist\${{ matrix.arch }}\cnspec.exe .\packages\msi\appx\
# build msi package
echo " - Packaging MSI..."
Set-Location -Path '.\packages\msi\'
./package.ps1 -version $mondooVersion -arch ${{ matrix.arch }}
# sign msi package
echo " - Signing MSI..."
Set-Location -Path '.\..\..'
signtool.exe sign /debug /sha1 ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 .\packages\msi\mondoo_${{ matrix.arch }}.msi
Copy-Item '.\packages\msi\mondoo_${{ matrix.arch }}.msi' '.\dist\${{ matrix.arch }}'
- name: Dump Signing Log on Failure
if: failure()
run: |
echo "Dumping signing logs..."
gc $home\AppData\Local\Temp\signtool.log
echo "Dumping signing manager logs..."
gc $home\.signingmanager\logs\smctl.log
echo "Dumping signing manager KSP logs..."
gc $home\.signinmanager\logs\smksp.log
echo "Dumping signing manager KSP cert sync logs..."
gc $home\.signingmanager\logs\smksp_cert_sync.log
- name: Cleanup dist before upload
run: |
Remove-Item -Path .\dist\${{ matrix.arch }}\cnquery.exe -Force
Remove-Item -Path .\dist\${{ matrix.arch }}\cnspec.exe -Force
- name: Upload Distribution
uses: actions/upload-artifact@v4
with:
name: msi-${{ matrix.arch }}
path: dist/${{ matrix.arch }}
test-msi-install:
name: Test Signed Package
strategy:
matrix:
arch:
- amd64
# - arm64 # we currently don't have windows arm64 runners to test arm against
needs:
- setup
- msi-build
runs-on: windows-latest
steps:
- name: Download MSI Package
uses: actions/download-artifact@v4
with:
name: msi-${{ matrix.arch }}
path: dist
- name: Verify digital signature is valid
run: |
cd dist
Get-AuthenticodeSignature -FilePath .\\mondoo_${{ matrix.arch }}.msi
- name: Install artifact
run: |
cd dist
msiexec /qn /i mondoo_${{ matrix.arch }}.msi
- name: Verify the correct cnquery version is installed
run: |
$version=& 'C:\Program Files\Mondoo\cnquery.exe' version
$match=$version -like "*${{ needs.setup.outputs.version }}*"
if (-not $match) {
exit 1
}
- name: Run a basic cnquery sanity check
run: |
& 'C:\Program Files\Mondoo\cnquery.exe' run -c "os.base.packages.where(name == 'Mondoo') { name }"
- name: Verify the correct cnspec version is installed
run: |
$version=& 'C:\Program Files\Mondoo\cnspec.exe' version
$match=$version -like "*${{ needs.setup.outputs.version }}*"
if (-not $match) {
exit 1
}
- name: Run a basic cnspec sanity check
run: |
& 'C:\Program Files\Mondoo\cnspec.exe' run -c "os.base.packages.where(name == 'Mondoo') { name }"
- name: Login to edge with cnspec
run: |
& 'C:\Program Files\Mondoo\cnspec.exe' login -t "${{ secrets.INSTALL_TEST_MONDOO_REGISTRATION_TOKEN }}" --config C:\ProgramData\Mondoo\mondoo.yml
- name: Run a basic cnspec sanity check
run: |
& 'C:\Program Files\Mondoo\cnspec.exe' policy download mondoo-windows-installer -f mondoo-windows-installer.mql.yaml
& 'C:\Program Files\Mondoo\cnspec.exe' scan local --detect-cicd --score-threshold 100 -o full --policy-bundle mondoo-windows-installer.mql.yaml
- name: Logout from edge with cnspec
run: |
& 'C:\Program Files\Mondoo\cnspec.exe' logout --config C:\ProgramData\Mondoo\mondoo.yml --force
publish:
name: 'Publish: Releases'
strategy:
matrix:
arch:
- amd64
- arm64
needs:
- setup
- msi-build
- test-msi-install
if: ${{ ! inputs.skip-publish }}
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Download MSI Package
uses: actions/download-artifact@v4
with:
name: msi-${{ matrix.arch }}
path: dist
- name: Authenticate with Google Cloud
id: gauth
uses: google-github-actions/auth@v2
with:
credentials_json: ${{secrets.GCP_CREDENTIALS}}
- name: Set up Cloud SDK
uses: google-github-actions/setup-gcloud@v2
- name: Verify access to release bucket
env:
VERSION: ${{ needs.setup.outputs.version }}
run: |
gsutil ls gs://releases-us.mondoo.io/mondoo
- name: Upload static content to buckets
env:
VERSION: ${{ needs.setup.outputs.version }}
run: |
cd dist
mv mondoo_${{ matrix.arch }}.msi mondoo_${VERSION}_windows_${{ matrix.arch }}.msi
sha256sum mondoo_${VERSION}_windows_${{ matrix.arch }}.msi >> checksums.windows_${{ matrix.arch }}.txt
gsutil cp checksums.windows_${{ matrix.arch }}.txt gs://releases-us.mondoo.io/mondoo/${VERSION}/checksums.windows_${{ matrix.arch }}.txt
gsutil cp mondoo_${VERSION}_windows_${{ matrix.arch }}.msi gs://releases-us.mondoo.io/mondoo/${VERSION}/mondoo_${VERSION}_windows_${{ matrix.arch }}.msi
- name: Reindex folder on releaser.mondoo.com
uses: peter-evans/repository-dispatch@v3
env:
VERSION: ${{ needs.setup.outputs.version }}
with:
token: ${{ secrets.RELEASR_ACTION_TOKEN }}
repository: "mondoohq/releasr"
event-type: reindex
client-payload: '{
"reindex-path": "mondoo/${{ env.VERSION }}",
"bucket": "releases-us.mondoo.io"
}'
- name: Cleanup
run: |
rm -f "${{ steps.gauth.outputs.credentials_file_path }}"