ci: build Windows agent natively on Pluto runner (drop mingw cross-compile)
Some checks failed
Build and Test / Build Agent (Windows) (push) Failing after 7m29s
Build and Test / Build Server (Linux) (push) Successful in 10m2s
Build and Test / Security Audit (push) Failing after 4m39s
Build and Test / Build Summary (push) Has been skipped
Run Tests / Test Server (push) Has started running
Run Tests / Test Agent (push) Has been cancelled
Run Tests / Code Coverage (push) Has been cancelled
Run Tests / Lint and Format Check (push) Has been cancelled

The build-agent job (build-and-test.yml) and a new build-agent-windows job (release.yml)
now run on the windows-msvc Gitea Actions runner on Pluto, building native
x86_64-pc-windows-msvc with crt-static. release.yml hands the unsigned guruconnect.exe to
the Linux job, which signs it with Azure Trusted Signing (jsign). Removes the fragile
mingw/GNU cross-compile. Reviewed by Code Review Agent (approve-with-nits).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-29 09:32:12 -07:00
parent cd88facaf0
commit 8a47332b39
2 changed files with 104 additions and 71 deletions

@@ -81,48 +81,45 @@ jobs:
build-agent: build-agent:
name: Build Agent (Windows) name: Build Agent (Windows)
runs-on: ubuntu-latest # Native build on the Pluto Gitea Actions runner (host-mode, Windows Server 2019).
# The MSVC toolchain (x86_64-pc-windows-msvc target + crt-static via .cargo/config.toml)
# is pre-installed under the Administrator profile; the runner itself runs as SYSTEM, so
# the job points CARGO_HOME/RUSTUP_HOME at the Administrator homes.
runs-on: windows-msvc
env:
CARGO_HOME: C:\Users\Administrator\.cargo
RUSTUP_HOME: C:\Users\Administrator\.rustup
steps: steps:
- name: Checkout code - name: Checkout code
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: Install Rust toolchain - name: Add cargo bin to PATH
uses: actions-rs/toolchain@v1 shell: pwsh
with:
toolchain: stable
# Single source of truth for the Windows target used by the build below.
target: x86_64-pc-windows-gnu
override: true
- name: Install cross-compilation tools
run: | run: |
sudo apt-get update # Make cargo/rustc from the Administrator toolchain visible to later steps.
sudo apt-get install -y mingw-w64 "C:\Users\Administrator\.cargo\bin" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
- name: Cache Cargo dependencies - name: Toolchain sanity check
uses: actions/cache@v3 shell: pwsh
with:
path: |
~/.cargo/bin/
~/.cargo/registry/index/
~/.cargo/registry/cache/
~/.cargo/git/db/
target/
key: ${{ runner.os }}-cargo-agent-${{ hashFiles('agent/Cargo.lock') }}
restore-keys: |
${{ runner.os }}-cargo-agent-
- name: Build agent (cross-compile for Windows)
run: | run: |
# Target is installed by the toolchain step above (single source of truth). # Fail early with a clear marker if the pre-installed toolchain is not reachable.
cd agent cargo --version
cargo build --release --target x86_64-pc-windows-gnu rustc --version
- name: Build agent (native x86_64-pc-windows-msvc)
shell: pwsh
run: |
# crt-static and the default target come from .cargo/config.toml; we pass --target
# explicitly so the artifact path is deterministic regardless of host defaults.
Set-Location agent
cargo build --release --target x86_64-pc-windows-msvc
Write-Host "[OK] Built agent for x86_64-pc-windows-msvc"
- name: Upload agent binary - name: Upload agent binary
uses: actions/upload-artifact@v3 uses: actions/upload-artifact@v3
with: with:
name: guruconnect-agent-windows name: guruconnect-agent-windows
path: agent/target/x86_64-pc-windows-gnu/release/guruconnect.exe path: agent/target/x86_64-pc-windows-msvc/release/guruconnect.exe
retention-days: 30 retention-days: 30
security-audit: security-audit:
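Review bot: The new `build-agent` job runs every push's build scripts and proc-macros as SYSTEM on a host-mode runner, with `CARGO_HOME`/`RUSTUP_HOME` pointing into the Administrator profile, so any crate in the dependency graph gets full control of the host and write access to the shared toolchain. Run the runner service under a dedicated low-privilege account and install the toolchain in a directory that account owns, rather than borrowing `C:\Users\Administrator`. Two smaller points in the same hunk: the PATH step hard-codes `C:\Users\Administrator\.cargo\bin` instead of deriving it from `$env:CARGO_HOME`, and in the build step `Write-Host "[OK] ..."` follows `cargo build` with no `$LASTEXITCODE` check, so the marker can be printed for a failed build.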

@@ -7,16 +7,19 @@ name: Release
# commit `chore: release vX.Y.Z [skip ci]`, and create + push tag vX.Y.Z. # commit `chore: release vX.Y.Z [skip ci]`, and create + push tag vX.Y.Z.
# 2. changelog — generate CHANGELOG.md + per-component changelogs with git-cliff (run inside # 2. changelog — generate CHANGELOG.md + per-component changelogs with git-cliff (run inside
# the version job so it is part of the release commit). # the version job so it is part of the release commit).
# 3. build — cross-compile the Windows agent (x86_64-pc-windows-gnu) to guruconnect.exe. # 3. build — natively build the Windows agent (x86_64-pc-windows-msvc) to guruconnect.exe
# 4. sign — sign guruconnect.exe with Azure Trusted Signing via jsign (fails the job if # on the Pluto Gitea Actions runner (windows-msvc), upload it as an artifact.
# signing fails — never publish unsigned). # 4. sign — on Linux, download the Windows artifact and sign guruconnect.exe with Azure
# Trusted Signing via jsign (fails the job if signing fails — never publish
# unsigned).
# 5. publish — upload signed exe + .sha256 + changelog artifacts; create a Gitea release. # 5. publish — upload signed exe + .sha256 + changelog artifacts; create a Gitea release.
# #
# Loop guard: the workflow skips entirely when the head commit is a release commit # Loop guard: the workflow skips entirely when the head commit is a release commit
# (`chore: release` / `[skip ci]`), and the release commit itself carries `[skip ci]`. # (`chore: release` / `[skip ci]`), and the release commit itself carries `[skip ci]`.
# #
# All jobs run on ubuntu-latest. GuruConnect ships a single .exe (no WiX/MSI); jsign is a Java # The agent is built NATIVELY on the windows-msvc runner (no mingw cross-compile). Signing and
# tool that signs PE binaries on Linux, so no Windows runner is required. # publishing run on ubuntu-latest: jsign is a Java tool that signs PE binaries on Linux, so the
# signed-binary handoff is Windows-build-job -> artifact -> Linux-sign-job.
on: on:
# Gated: releases are deliberate, NOT automatic on every push to main. # Gated: releases are deliberate, NOT automatic on every push to main.
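Review bot: The header still promises "never publish unsigned", but step 3 now uploads the not-yet-signed guruconnect.exe as an artifact, and the comment block does not say that this artifact is an intermediate that must not be distributed. Add a line to steps 3 and 4 stating that the artifact is only an input to the sign job, and that the release now depends on the integrity of the Pluto runner, so a reader of the header sees the new trust boundary.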
@@ -283,13 +286,20 @@ jobs:
retention-days: 90 retention-days: 90
# --------------------------------------------------------------------------- # ---------------------------------------------------------------------------
# §2 BUILD + SIGN + PUBLISH # §2 BUILD (native Windows on Pluto windows-msvc runner)
# --------------------------------------------------------------------------- # ---------------------------------------------------------------------------
build-sign-publish: build-agent-windows:
name: Build, Sign, Publish Agent name: Build Agent (Windows, native)
runs-on: ubuntu-latest # Native build on the Pluto Gitea Actions runner (host-mode, Windows Server 2019).
# The MSVC toolchain (x86_64-pc-windows-msvc target + crt-static via .cargo/config.toml)
# is pre-installed under the Administrator profile; the runner itself runs as SYSTEM, so
# the job points CARGO_HOME/RUSTUP_HOME at the Administrator homes.
runs-on: windows-msvc
needs: version needs: version
if: needs.version.outputs.released == 'true' if: needs.version.outputs.released == 'true'
env:
CARGO_HOME: C:\Users\Administrator\.cargo
RUSTUP_HOME: C:\Users\Administrator\.rustup
steps: steps:
- name: Checkout the release tag - name: Checkout the release tag
uses: actions/checkout@v4 uses: actions/checkout@v4
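Review bot: `build-agent-windows` builds the release binary on the same `windows-msvc` label, as SYSTEM, with the same Administrator-profile `CARGO_HOME`/`RUSTUP_HOME` that the push-triggered build job uses, so on a host-mode runner any state left behind by an earlier job (the toolchain, the cargo registry, the workspace) can reach the binary that later gets signed. Give release builds a runner label of their own, or reset the toolchain to a known-good state before the build, and keep the push job off that runner.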
@@ -298,45 +308,71 @@ jobs:
ref: v${{ needs.version.outputs.version }} ref: v${{ needs.version.outputs.version }}
fetch-depth: 0 fetch-depth: 0
- name: Install Rust toolchain - name: Add cargo bin to PATH
uses: actions-rs/toolchain@v1 shell: pwsh
with:
toolchain: stable
# Single source of truth for the Windows target used by the build below.
target: x86_64-pc-windows-gnu
override: true
- name: Install cross-compilation tools
run: | run: |
sudo apt-get update # Make cargo/rustc from the Administrator toolchain visible to later steps.
sudo apt-get install -y mingw-w64 "C:\Users\Administrator\.cargo\bin" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
- name: Cache Cargo dependencies - name: Toolchain sanity check
uses: actions/cache@v3 shell: pwsh
with:
path: |
~/.cargo/bin/
~/.cargo/registry/index/
~/.cargo/registry/cache/
~/.cargo/git/db/
target/
key: ${{ runner.os }}-cargo-agent-release-${{ hashFiles('agent/Cargo.lock') }}
restore-keys: |
${{ runner.os }}-cargo-agent-release-
${{ runner.os }}-cargo-agent-
- name: Build agent (cross-compile for Windows)
run: | run: |
set -euo pipefail # Fail early with a clear marker if the pre-installed toolchain is not reachable.
# Target is installed by the toolchain step above (single source of truth). cargo --version
cd agent rustc --version
cargo build --release --target x86_64-pc-windows-gnu
echo "[OK] Built agent for x86_64-pc-windows-gnu" - name: Build agent (native x86_64-pc-windows-msvc)
shell: pwsh
run: |
# crt-static and the default target come from .cargo/config.toml; we pass --target
# explicitly so the artifact path is deterministic regardless of host defaults.
Set-Location agent
cargo build --release --target x86_64-pc-windows-msvc
Write-Host "[OK] Built agent for x86_64-pc-windows-msvc"
- name: Stage unsigned binary - name: Stage unsigned binary
shell: pwsh
run: |
Copy-Item agent\target\x86_64-pc-windows-msvc\release\guruconnect.exe .\guruconnect.exe
Get-Item .\guruconnect.exe | Format-List Name, Length
- name: Upload unsigned agent binary
uses: actions/upload-artifact@v3
with:
name: guruconnect-agent-unsigned
path: guruconnect.exe
retention-days: 90
# ---------------------------------------------------------------------------
# §2 SIGN + §2/§4 PUBLISH (Linux: jsign + Gitea REST)
# ---------------------------------------------------------------------------
build-sign-publish:
name: Sign, Publish Agent
runs-on: ubuntu-latest
needs: [version, build-agent-windows]
if: needs.version.outputs.released == 'true'
steps:
- name: Checkout the release tag
uses: actions/checkout@v4
with:
# Checked out for the Gitea publish step (repo metadata); the binary itself comes
# from the windows artifact downloaded below, not from a Linux build.
ref: v${{ needs.version.outputs.version }}
fetch-depth: 0
- name: Download unsigned agent binary
uses: actions/download-artifact@v3
with:
name: guruconnect-agent-unsigned
path: .
- name: Verify unsigned binary present
run: | run: |
set -euo pipefail set -euo pipefail
cp agent/target/x86_64-pc-windows-gnu/release/guruconnect.exe ./guruconnect.exe if [ ! -f ./guruconnect.exe ]; then
echo "[ERROR] guruconnect.exe not found after artifact download"
exit 1
fi
ls -l ./guruconnect.exe ls -l ./guruconnect.exe
# --- §2 Azure Trusted Signing (port of sign-windows.sh) --- # --- §2 Azure Trusted Signing (port of sign-windows.sh) ---
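Review bot: Nothing ties the file the Linux job signs to the file the Windows job built: "Verify unsigned binary present" only tests `[ ! -f ./guruconnect.exe ]`, so any file with that name in the `guruconnect-agent-unsigned` artifact receives the Azure Trusted Signing signature. Compute a SHA-256 in "Stage unsigned binary" (for example with `Get-FileHash`), expose it as a job output of `build-agent-windows`, and compare it against `sha256sum ./guruconnect.exe` in the sign job before jsign runs. Also, the unsigned artifact is kept for `retention-days: 90`; a short retention is enough for a handoff between two jobs of one run.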