Linuxfabrik: Build Windows (x86_64) #58
# Manually dispatched workflow that builds the Windows (x86_64) flavour of the
# monitoring-plugins package.
name: 'Linuxfabrik: Build Windows (x86_64)'

on:
  workflow_dispatch:
    # Every input is a free-form string supplied by whoever dispatches the run.
    # Treat the values as untrusted text wherever they are consumed, in
    # particular in shell steps and when writing environment files.
    inputs:
      compile-plugins:
        description: >-
          Space-separated list of check plugins to compile and package,
          for example "cpu-usage feed scanrootkit".
          Leave empty to build all plugins.
        required: false
        default: ''
      # target-distros:
      #   description: 'Space-separated list of operating systems to compile on and build packages for. Supported: `windows`. Cannot be empty.'
      #   required: true
      #   default: 'windows'
      version:
        description: >-
          Release version of the monitoring-plugins package in the form
          `X.Y.Z` (e.g. `3.0.0`), without leading `v`.
          Mirrors the GitHub release tag (`vX.Y.Z`) without its `v` prefix.
        required: true
      package-iteration:
        description: >-
          Build iteration of this release version.
          Always `1` on the first build.
          Increment to `2`, `3`, ... only when re-building the same `X.Y.Z`,
          e.g. after fixing a packaging bug during the internal
          pre-release test.
        required: true
        default: '1'

# Modify the default permissions granted to the GITHUB_TOKEN: the job token is
# limited to reading the repository contents.
permissions:
  contents: 'read'
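jobs:
  # Compiles the check plugins, submits them for signing, packages them as an
  # MSI and submits the MSI for signing. Each stage is uploaded as an artifact.
  build-windows-x86_64:
    runs-on:
      # https://github.com/actions/runner-images/blob/main/images/windows/Windows2025-Readme.md
      - 'windows-2025'
    steps:
      # Every action below is referenced by a full commit SHA; the trailing
      # comment names the release tag that SHA is meant to correspond to.
      - name: 'Harden the runner (Audit all outbound calls)'
        uses: 'step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450'  # v2.19.1
        with:
          # NOTE(review): 'audit' only records outbound connections, it does
          # not stop them. Once the audit log shows which endpoints the build
          # needs, consider 'block' together with an allow-list.
          egress-policy: 'audit'

      - name: 'Set environment variables for the build scripts'
        shell: 'bash'
        # The dispatch inputs and the token reach the script as environment
        # variables rather than being expanded into the script text, so their
        # content is handled as data and never parsed as shell code.
        env:
          DISPATCH_COMPILE_PLUGINS: '${{ github.event.inputs.compile-plugins }}'
          DISPATCH_PACKAGE_ITERATION: '${{ github.event.inputs.package-iteration }}'
          DISPATCH_VERSION: '${{ github.event.inputs.version }}'
          JOB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
        run: |
          # accept either "a b c" or "a,b,c"
          PLUGS="${DISPATCH_COMPILE_PLUGINS//,/ }"

          # Each value becomes one line of the GITHUB_ENV file. Anything
          # outside the documented formats (line breaks included) is refused
          # so that an input cannot add or override other variables.
          re_plugins='^[A-Za-z0-9._ -]*$'
          re_version='^[0-9]+\.[0-9]+\.[0-9]+$'
          re_iteration='^[0-9]+$'
          if [[ ! "$PLUGS" =~ $re_plugins ]]; then
            echo "::error::compile-plugins may only contain plugin names separated by spaces or commas"
            exit 1
          fi
          if [[ ! "$DISPATCH_VERSION" =~ $re_version ]]; then
            echo "::error::version must have the form X.Y.Z"
            exit 1
          fi
          if [[ ! "$DISPATCH_PACKAGE_ITERATION" =~ $re_iteration ]]; then
            echo "::error::package-iteration must be a whole number"
            exit 1
          fi

          {
            echo "LFMP_ARCH=x86_64"
            echo "LFMP_COMPILE_PLUGINS=$PLUGS"
            echo "LFMP_PACKAGE_ITERATION=$DISPATCH_PACKAGE_ITERATION"
            echo "LFMP_VERSION=$DISPATCH_VERSION"
            # echo "LFMP_TARGET_DISTROS=$DISPATCH_TARGET_DISTROS"
            # NOTE(review): this makes the token visible to every later step
            # of the job, including the pip installs and third-party actions.
            # Which build script reads it is not visible from this file; if
            # only some do, set it with `env:` on those steps instead.
            echo "GITHUB_TOKEN=$JOB_TOKEN"
            echo "LFMP_DIR_REPOS=$GITHUB_WORKSPACE/repos"
            echo "LFMP_DIR_COMPILED=$RUNNER_TEMP/lfmp/compiled"
            echo "LFMP_DIR_PACKAGED=$RUNNER_TEMP/lfmp/packaged"
          } >> "$GITHUB_ENV"

      - name: 'Create working directories'
        shell: 'bash'
        run: |
          mkdir -p "$LFMP_DIR_REPOS"
          mkdir -p "$LFMP_DIR_COMPILED"
          mkdir -p "$LFMP_DIR_PACKAGED"/{in,out}

      # NOTE(review): the checkout keeps its default credential handling. If
      # none of the build scripts run authenticated git commands (not visible
      # from this file), consider `persist-credentials: false`.
      - name: 'git clone https://github.com/Linuxfabrik/THIS-REPO'
        uses: 'actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd'  # v6.0.2
        with:
          path: '${{ env.LFMP_DIR_REPOS }}/monitoring-plugins'

      # NOTE(review): debug.sh is not visible here. The job token is in the
      # environment at this point, so confirm the script does not write the
      # environment to the log or to files that are uploaded later.
      - name: 'Debug'
        shell: 'bash'
        run: '/bin/bash "$LFMP_DIR_REPOS/monitoring-plugins/build/debug.sh"'

      - name: 'Install python3.13'
        uses: 'actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405'  # v6.2.0
        with:
          python-version: '3.13'

      # NOTE(review): the next two installs take whatever versions the package
      # index serves at build time and are not hash-checked, unlike the
      # requirements file further down. Nuitka produces the binaries that are
      # submitted for signing in this job, so pin these tools (ideally with
      # hashes) as well.
      - name: 'python.exe -m pip install --upgrade pip wheel setuptools'
        run: 'python.exe -m pip install --upgrade pip wheel setuptools'

      # ordered-set is for nuitka: "Nuitka:WARNING: Using very slow fallback for ordered sets, please install 'ordered-set' or 'orderedset' PyPI packages for best Python compile time performance."
      - name: 'python.exe -m pip install --upgrade ordered-set Nuitka'
        run: 'python.exe -m pip install --upgrade ordered-set Nuitka'

      # install 3rd party libraries for all check plugins
      # (--require-hashes makes pip reject any package without a matching hash)
      - name: 'python.exe -m pip install --requirement ${{ github.workspace }}\repos\monitoring-plugins\requirements-windows.txt --require-hashes'
        run: 'python.exe -m pip install --requirement ${{ github.workspace }}\repos\monitoring-plugins\requirements-windows.txt --require-hashes'

      - name: 'Verify Python installation'
        run: 'python.exe -m pip list'

      - name: 'Compile the check plugins'
        shell: 'bash'
        run: '/bin/bash "$LFMP_DIR_REPOS/monitoring-plugins/build/compile-multiple.sh"'

      - name: 'Upload the unsigned compiled plugins'
        uses: 'actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a'  # v7.0.1
        id: 'upload-unsigned-compiled'
        with:
          path: '${{ env.LFMP_DIR_COMPILED }}/check-plugins/*'
          name: 'lfmp-${{ env.LFMP_VERSION }}-${{ env.LFMP_PACKAGE_ITERATION }}.unsigned-compiled.windows.${{ env.LFMP_ARCH }}'
          if-no-files-found: 'error'

      # https://github.com/SignPath/github-actions/tree/main/actions/submit-signing-request
      # https://about.signpath.io/documentation/trusted-build-systems/github
      # The request refers to the artifact uploaded by the previous step via
      # its artifact id, so what gets signed is exactly that upload.
      - name: 'Sign the compiled plugins'
        uses: 'signpath/github-action-submit-signing-request@b9d91eadd323de506c0c81cf0c7fe7438f3360fd'  # v2.2
        with:
          api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
          organization-id: '35067665-5434-42c5-9fa2-4c750069f161'
          project-slug: 'monitoring-plugins'
          signing-policy-slug: 'release-signing'
          artifact-configuration-slug: 'compiled'
          github-artifact-id: '${{ steps.upload-unsigned-compiled.outputs.artifact-id }}'
          wait-for-completion: true
          # note: the path is always relative to GITHUB_WORKSPACE (hardcoded in the signpath action)
          # and will be created if it does not exist
          output-artifact-directory: 'signed-compiled/'

      - name: 'Upload the signed compiled plugins'
        uses: 'actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a'  # v7.0.1
        with:
          path: '${{ github.workspace }}/signed-compiled/*'
          name: 'lfmp-${{ env.LFMP_VERSION }}-${{ env.LFMP_PACKAGE_ITERATION }}.signed-compiled.windows.${{ env.LFMP_ARCH }}'
          # A release build without signed output must fail, not just warn.
          if-no-files-found: 'error'

      - name: 'Configure MSBuild in the workflow PATH for building .NET Framework applications'
        uses: 'microsoft/setup-msbuild@30375c66a4eea26614e0d39710365f22f8b0af57'  # v3.0.0

      - name: 'Install WiX toolset, the packaging tool'
        # Pinned to 5.0.* because WiX 7 introduced the Open Source Maintenance Fee (OSMF)
        # EULA (https://wixtoolset.org/osmf/) that the build would otherwise have to accept.
        # 5.0.* matches the version used in the last successful release (v2.2.1).
        # NOTE(review): the wildcard still floats across 5.0 patch releases;
        # an exact version would make the packaging tool reproducible.
        run: 'dotnet tool install --global wix --version 5.0.*'

      - name: 'Verify WiX installation'
        run: 'wix --version'

      - name: 'Create the wxs file for WiX'
        shell: 'bash'
        run: '/bin/bash "$LFMP_DIR_REPOS/monitoring-plugins/build/create-wxs.sh"'

      - name: 'Create the package for Windows'
        run: >
          wix.exe build
          -arch x64
          -defaultcompressionlevel high
          ${{ env.LFMP_DIR_PACKAGED }}\in\lfmp.wxs
          -out ${{ env.LFMP_DIR_PACKAGED }}\out\linuxfabrik-monitoring-plugins.msi

      - name: 'Upload the unsigned package (msi)'
        uses: 'actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a'  # v7.0.1
        id: 'upload-unsigned-packaged'
        with:
          path: '${{ env.LFMP_DIR_PACKAGED }}/out/*'
          name: 'lfmp-${{ env.LFMP_VERSION }}-${{ env.LFMP_PACKAGE_ITERATION }}.unsigned-packaged.windows.${{ env.LFMP_ARCH }}'
          if-no-files-found: 'error'

      # Same signing flow as for the compiled plugins, applied to the MSI
      # uploaded by the previous step.
      - name: 'Sign the package'
        uses: 'signpath/github-action-submit-signing-request@b9d91eadd323de506c0c81cf0c7fe7438f3360fd'  # v2.2
        with:
          api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
          organization-id: '35067665-5434-42c5-9fa2-4c750069f161'
          project-slug: 'monitoring-plugins'
          signing-policy-slug: 'release-signing'
          artifact-configuration-slug: 'packaged'
          github-artifact-id: '${{ steps.upload-unsigned-packaged.outputs.artifact-id }}'
          wait-for-completion: true
          # note: the path is always relative to GITHUB_WORKSPACE (hardcoded in the signpath action)
          # and will be created if it does not exist
          output-artifact-directory: 'signed-packaged/'

      - name: 'Upload the signed package (msi)'
        uses: 'actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a'  # v7.0.1
        with:
          path: '${{ github.workspace }}/signed-packaged/*'
          name: 'lfmp-${{ env.LFMP_VERSION }}-${{ env.LFMP_PACKAGE_ITERATION }}.signed-packaged.windows.${{ env.LFMP_ARCH }}'
          # A release build without a signed MSI must fail, not just warn.
          if-no-files-found: 'error'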