diff --git a/.gitea/workflows/build-and-test.yml b/.gitea/workflows/build-and-test.yml
index 8fd738d..7f04e16 100644
--- a/.gitea/workflows/build-and-test.yml
+++ b/.gitea/workflows/build-and-test.yml
@@ -81,48 +81,45 @@ jobs: build-agent: name: Build Agent (Windows) - runs-on: ubuntu-latest + # Native build on the Pluto Gitea Actions runner (host-mode, Windows Server 2019). + # The MSVC toolchain (x86_64-pc-windows-msvc target + crt-static via .cargo/config.toml) + # is pre-installed under the Administrator profile; the runner itself runs as SYSTEM, so + # the job points CARGO_HOME/RUSTUP_HOME at the Administrator homes. + runs-on: windows-msvc + env: + CARGO_HOME: C:\Users\Administrator\.cargo + RUSTUP_HOME: C:\Users\Administrator\.rustup steps: - name: Checkout code uses: actions/checkout@v4 - - name: Install Rust toolchain - uses: actions-rs/toolchain@v1 - with: - toolchain: stable - # Single source of truth for the Windows target used by the build below. - target: x86_64-pc-windows-gnu - override: true - - - name: Install cross-compilation tools + - name: Add cargo bin to PATH + shell: pwsh run: | - sudo apt-get update - sudo apt-get install -y mingw-w64 + # Make cargo/rustc from the Administrator toolchain visible to later steps. + "C:\Users\Administrator\.cargo\bin" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append - - name: Cache Cargo dependencies - uses: actions/cache@v3 - with: - path: | - ~/.cargo/bin/ - ~/.cargo/registry/index/ - ~/.cargo/registry/cache/ - ~/.cargo/git/db/ - target/ - key: ${{ runner.os }}-cargo-agent-${{ hashFiles('agent/Cargo.lock') }} - restore-keys: | - ${{ runner.os }}-cargo-agent- - - - name: Build agent (cross-compile for Windows) + - name: Toolchain sanity check + shell: pwsh run: | - # Target is installed by the toolchain step above (single source of truth). - cd agent - cargo build --release --target x86_64-pc-windows-gnu + # Fail early with a clear marker if the pre-installed toolchain is not reachable. 
+ cargo --version + rustc --version + + - name: Build agent (native x86_64-pc-windows-msvc) + shell: pwsh + run: | + # crt-static and the default target come from .cargo/config.toml; we pass --target + # explicitly so the artifact path is deterministic regardless of host defaults. + Set-Location agent + cargo build --release --target x86_64-pc-windows-msvc + Write-Host "[OK] Built agent for x86_64-pc-windows-msvc" - name: Upload agent binary uses: actions/upload-artifact@v3 with: name: guruconnect-agent-windows - path: agent/target/x86_64-pc-windows-gnu/release/guruconnect.exe + path: agent/target/x86_64-pc-windows-msvc/release/guruconnect.exe retention-days: 30 security-audit: diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml index 824bfc4..715bcea 100644 --- a/.gitea/workflows/release.yml +++ b/.gitea/workflows/release.yml 
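Review bot: In the "Build agent" step of build-and-test.yml, `Write-Host "[OK] Built agent for x86_64-pc-windows-msvc"` runs even when `cargo build` exits non-zero, because PowerShell does not abort a script on a native command's exit code by default. Whether the step still fails then depends on the runner's pwsh wrapper checking `$LASTEXITCODE` at the end, which is not visible here. Adding `if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }` directly after the `cargo build` line makes the failure explicit and keeps the success marker honest. The same applies after `cargo --version` in the sanity-check step, and to the identical steps added to release.yml. Passing `--locked` to `cargo build` would also keep the build tied to the committed `agent/Cargo.lock`, now that the cache keyed on it is gone.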
@@ -7,16 +7,19 @@ name: Release # commit `chore: release vX.Y.Z [skip ci]`, and create + push tag vX.Y.Z. # 2. changelog — generate CHANGELOG.md + per-component changelogs with git-cliff (run inside # the version job so it is part of the release commit). -# 3. build — cross-compile the Windows agent (x86_64-pc-windows-gnu) to guruconnect.exe. -# 4. sign — sign guruconnect.exe with Azure Trusted Signing via jsign (fails the job if -# signing fails — never publish unsigned). +# 3. build — natively build the Windows agent (x86_64-pc-windows-msvc) to guruconnect.exe +# on the Pluto Gitea Actions runner (windows-msvc), upload it as an artifact. +# 4. sign — on Linux, download the Windows artifact and sign guruconnect.exe with Azure +# Trusted Signing via jsign (fails the job if signing fails — never publish +# unsigned). # 5. publish — upload signed exe + .sha256 + changelog artifacts; create a Gitea release. # # Loop guard: the workflow skips entirely when the head commit is a release commit # (`chore: release` / `[skip ci]`), and the release commit itself carries `[skip ci]`. # -# All jobs run on ubuntu-latest. GuruConnect ships a single .exe (no WiX/MSI); jsign is a Java -# tool that signs PE binaries on Linux, so no Windows runner is required. +# The agent is built NATIVELY on the windows-msvc runner (no mingw cross-compile). Signing and +# publishing run on ubuntu-latest: jsign is a Java tool that signs PE binaries on Linux, so the +# signed-binary handoff is Windows-build-job -> artifact -> Linux-sign-job. on: # Gated: releases are deliberate, NOT automatic on every push to main. 
@@ -283,13 +286,20 @@ jobs: retention-days: 90 # --------------------------------------------------------------------------- - # §2 BUILD + SIGN + PUBLISH + # §2 BUILD (native Windows on Pluto windows-msvc runner) # --------------------------------------------------------------------------- - build-sign-publish: - name: Build, Sign, Publish Agent - runs-on: ubuntu-latest + build-agent-windows: + name: Build Agent (Windows, native) + # Native build on the Pluto Gitea Actions runner (host-mode, Windows Server 2019). + # The MSVC toolchain (x86_64-pc-windows-msvc target + crt-static via .cargo/config.toml) + # is pre-installed under the Administrator profile; the runner itself runs as SYSTEM, so + # the job points CARGO_HOME/RUSTUP_HOME at the Administrator homes. + runs-on: windows-msvc needs: version if: needs.version.outputs.released == 'true' + env: + CARGO_HOME: C:\Users\Administrator\.cargo + RUSTUP_HOME: C:\Users\Administrator\.rustup steps: - name: Checkout the release tag uses: actions/checkout@v4 
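Review bot: The release build in `build-agent-windows` now runs as SYSTEM on a persistent host-mode runner and reuses the `CARGO_HOME`/`RUSTUP_HOME` under `C:\Users\Administrator`, the same label and directories that build-and-test.yml uses in this commit. Anything an earlier job leaves behind there (registry cache, `.cargo\bin`, `config.toml`) carries into the build whose output is later signed, and every dependency's build script executes with SYSTEM rights on that host. If build-and-test.yml can run for branches or pull requests from less trusted contributors (its triggers are not visible here), consider a separate runner label for release builds. At minimum, record the constraint next to `runs-on`, e.g. `# Release builds share this host with CI; only trusted refs may run on windows-msvc.` The job's steps continue past this hunk.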
@@ -298,45 +308,71 @@ jobs: ref: v${{ needs.version.outputs.version }} fetch-depth: 0 - - name: Install Rust toolchain - uses: actions-rs/toolchain@v1 - with: - toolchain: stable - # Single source of truth for the Windows target used by the build below. - target: x86_64-pc-windows-gnu - override: true - - - name: Install cross-compilation tools + - name: Add cargo bin to PATH + shell: pwsh run: | - sudo apt-get update - sudo apt-get install -y mingw-w64 + # Make cargo/rustc from the Administrator toolchain visible to later steps. + "C:\Users\Administrator\.cargo\bin" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append - - name: Cache Cargo dependencies - uses: actions/cache@v3 - with: - path: | - ~/.cargo/bin/ - ~/.cargo/registry/index/ - ~/.cargo/registry/cache/ - ~/.cargo/git/db/ - target/ - key: ${{ runner.os }}-cargo-agent-release-${{ hashFiles('agent/Cargo.lock') }} - restore-keys: | - ${{ runner.os }}-cargo-agent-release- - ${{ runner.os }}-cargo-agent- - - - name: Build agent (cross-compile for Windows) + - name: Toolchain sanity check + shell: pwsh run: | - set -euo pipefail - # Target is installed by the toolchain step above (single source of truth). - cd agent - cargo build --release --target x86_64-pc-windows-gnu - echo "[OK] Built agent for x86_64-pc-windows-gnu" + # Fail early with a clear marker if the pre-installed toolchain is not reachable. + cargo --version + rustc --version + + - name: Build agent (native x86_64-pc-windows-msvc) + shell: pwsh + run: | + # crt-static and the default target come from .cargo/config.toml; we pass --target + # explicitly so the artifact path is deterministic regardless of host defaults. 
+ Set-Location agent + cargo build --release --target x86_64-pc-windows-msvc + Write-Host "[OK] Built agent for x86_64-pc-windows-msvc" - name: Stage unsigned binary + shell: pwsh + run: | + Copy-Item agent\target\x86_64-pc-windows-msvc\release\guruconnect.exe .\guruconnect.exe + Get-Item .\guruconnect.exe | Format-List Name, Length + + - name: Upload unsigned agent binary + uses: actions/upload-artifact@v3 + with: + name: guruconnect-agent-unsigned + path: guruconnect.exe + retention-days: 90 + + # --------------------------------------------------------------------------- + # §2 SIGN + §2/§4 PUBLISH (Linux: jsign + Gitea REST) + # --------------------------------------------------------------------------- + build-sign-publish: + name: Sign, Publish Agent + runs-on: ubuntu-latest + needs: [version, build-agent-windows] + if: needs.version.outputs.released == 'true' + steps: + - name: Checkout the release tag + uses: actions/checkout@v4 + with: + # Checked out for the Gitea publish step (repo metadata); the binary itself comes + # from the windows artifact downloaded below, not from a Linux build. + ref: v${{ needs.version.outputs.version }} + fetch-depth: 0 + + - name: Download unsigned agent binary + uses: actions/download-artifact@v3 + with: + name: guruconnect-agent-unsigned + path: . + + - name: Verify unsigned binary present run: | set -euo pipefail - cp agent/target/x86_64-pc-windows-gnu/release/guruconnect.exe ./guruconnect.exe + if [ ! -f ./guruconnect.exe ]; then + echo "[ERROR] guruconnect.exe not found after artifact download" + exit 1 + fi ls -l ./guruconnect.exe # --- §2 Azure Trusted Signing (port of sign-windows.sh) ---
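Review bot: The "Verify unsigned binary present" step only checks that `guruconnect.exe` exists, so the sign job will sign whatever file the artifact download yields without tying it to what `build-agent-windows` produced. Computing the SHA-256 in "Stage unsigned binary", exposing it as a job output and checking it before signing closes that gap and leaves the hash in both job logs. This also needs `outputs: sha256: ${{ steps.stage.outputs.sha256 }}` on `build-agent-windows`, whose header sits in the previous hunk. It assumes the runner handles `GITHUB_OUTPUT` the same way it handles the `GITHUB_PATH` file used above.

```yaml
      - name: Stage unsigned binary
        id: stage
        shell: pwsh
        run: |
          # … unchanged: Copy-Item / Get-Item …
          $hash = (Get-FileHash .\guruconnect.exe -Algorithm SHA256).Hash.ToLower()
          "sha256=$hash" | Out-File -FilePath $env:GITHUB_OUTPUT -Encoding utf8 -Append

      # … unchanged: upload artifact, sign job header, checkout, download artifact …

      - name: Verify unsigned binary present
        env:
          EXPECTED_SHA256: ${{ needs.build-agent-windows.outputs.sha256 }}
        run: |
          set -euo pipefail
          # … unchanged: existence check …
          # Refuse to sign anything that is not byte-identical to the build job's output.
          echo "${EXPECTED_SHA256}  ./guruconnect.exe" | sha256sum -c -
```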