Skip to content

Commit cae4ffc

Browse files
committed
Sync workflowa with test-workflows branch
1 parent 632f5ea commit cae4ffc

4 files changed

Lines changed: 135 additions & 5 deletions

File tree

.github/workflows/build-release.yml

Lines changed: 94 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -202,11 +202,68 @@ jobs:
202202
/p:Configuration=Release `
203203
/p:Platform=x64
204204
205+
# -------------------------------------------------
206+
# Stage Windows PE files for signing
207+
# -------------------------------------------------
208+
- name: Stage Windows PE files for signing
209+
if: ${{ env.MODE != 'sanity' }}
210+
shell: pwsh
211+
run: |
212+
New-Item -ItemType Directory -Force to-sign | Out-Null
213+
# All signable DLLs are produced in dll/release, the shell EXEs in
214+
# lib/release (same paths package-windows collects from). Names are
215+
# unique across the variants, so a flat staging dir is collision-free.
216+
Copy-Item bin/vc17/dll/release/sqlite3mc*.dll to-sign/ -ErrorAction SilentlyContinue
217+
Copy-Item bin/vc17/lib/release/sqlite3mc_shell*.exe to-sign/ -ErrorAction SilentlyContinue
218+
Get-ChildItem to-sign
219+
220+
# -------------------------------------------------
221+
# Upload unsigned PE files
222+
# -------------------------------------------------
223+
- name: Upload unsigned PE files
224+
id: upload-unsigned-pe
225+
if: ${{ env.MODE != 'sanity' }}
226+
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
227+
with:
228+
name: unsigned-windows-pe # must NOT start with sqlite3mc- (intermediate)
229+
path: to-sign
230+
if-no-files-found: error
231+
232+
# -------------------------------------------------
233+
# Submit signing request (SignPath)
234+
# -------------------------------------------------
235+
- name: Submit signing request (SignPath)
236+
if: ${{ env.MODE != 'sanity' }}
237+
uses: signpath/github-action-submit-signing-request@b9d91eadd323de506c0c81cf0c7fe7438f3360fd # v2.2
238+
with:
239+
api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
240+
organization-id: '${{ vars.SIGNPATH_ORGANIZATION_ID }}'
241+
project-slug: 'SQLite3MultipleCiphers'
242+
artifact-configuration-slug: 'windows-binaries'
243+
signing-policy-slug: ${{ env.MODE == 'release' && 'release-signing' || 'test-signing' }}
244+
github-artifact-id: '${{ steps.upload-unsigned-pe.outputs.artifact-id }}'
245+
wait-for-completion: true
246+
# release-signing typically requires manual approval -> wait longer
247+
wait-for-completion-timeout-in-seconds: 1800
248+
output-artifact-directory: 'signed'
249+
250+
# -------------------------------------------------
251+
# Restore signed PE files
252+
# -------------------------------------------------
253+
- name: Restore signed PE files
254+
if: ${{ env.MODE != 'sanity' }}
255+
shell: pwsh
256+
run: |
257+
# SignPath returns the same file names; put the signed DLLs/EXEs back
258+
# exactly where package-windows picks them up.
259+
Copy-Item signed/sqlite3mc*.dll bin/vc17/dll/release/ -Force
260+
Copy-Item signed/sqlite3mc_shell*.exe bin/vc17/lib/release/ -Force
261+
205262
# -------------------------------------------------
206263
# Upload Win32 and Win64 binaries
207264
# -------------------------------------------------
208265
- name: Upload build output
209-
uses: actions/upload-artifact@v7
266+
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
210267
with:
211268
name: build-output
212269
path: |
@@ -402,18 +459,34 @@ jobs:
402459
sdkmanager "ndk;26.3.11579264"
403460
404461
# -------------------------------------------------
405-
# Install Fossil
462+
# Download and verify Fossil
463+
# --------------
464+
# SHA3-256 checksum (retrieved from https://www3.fossil-scm.org/home/uvlist on 2026-06-08)
465+
# fossil-linux-x64-2.28.tar.gz cbd89e653e1b797802f2ee5bb55d6ad4959291ec6d6eb192c79ff62d9a224c33
406466
# -------------------------------------------------
407-
- name: Install Fossil
467+
- name: Download and verify Fossil
408468
shell: bash
409469
run: |
410470
set -euo pipefail
411471
412472
FOSSIL_VERSION="2.28"
473+
FOSSIL_SHA3="cbd89e653e1b797802f2ee5bb55d6ad4959291ec6d6eb192c79ff62d9a224c33"
413474
414475
curl -fL --retry 3 --retry-delay 5 -o fossil.tar.gz \
415476
https://www.fossil-scm.org/home/uv/fossil-linux-x64-$FOSSIL_VERSION.tar.gz
416477
478+
python3 scripts/verify_sha3.py \
479+
fossil.tar.gz \
480+
"${FOSSIL_SHA3}"
481+
482+
# -------------------------------------------------
483+
# Install Fossil
484+
# -------------------------------------------------
485+
- name: Install Fossil
486+
shell: bash
487+
run: |
488+
set -euo pipefail
489+
417490
tar -xzf fossil.tar.gz
418491
sudo mv fossil /usr/local/bin/
419492
fossil version
@@ -778,18 +851,34 @@ jobs:
778851
python scripts/build_context.py
779852
780853
# -------------------------------------------------
781-
# Install Fossil
854+
# Download and verify Fossil
855+
# --------------
856+
# SHA3-256 checksum (retrieved from https://www3.fossil-scm.org/home/uvlist on 2026-06-08)
857+
# fossil-linux-x64-2.28.tar.gz cbd89e653e1b797802f2ee5bb55d6ad4959291ec6d6eb192c79ff62d9a224c33
782858
# -------------------------------------------------
783-
- name: Install Fossil
859+
- name: Download and verify Fossil
784860
shell: bash
785861
run: |
786862
set -euo pipefail
787863
788864
FOSSIL_VERSION="2.28"
865+
FOSSIL_SHA3="cbd89e653e1b797802f2ee5bb55d6ad4959291ec6d6eb192c79ff62d9a224c33"
789866
790867
curl -fL --retry 3 --retry-delay 5 -o fossil.tar.gz \
791868
https://www.fossil-scm.org/home/uv/fossil-linux-x64-$FOSSIL_VERSION.tar.gz
792869
870+
python3 scripts/verify_sha3.py \
871+
fossil.tar.gz \
872+
"${FOSSIL_SHA3}"
873+
874+
# -------------------------------------------------
875+
# Install Fossil
876+
# -------------------------------------------------
877+
- name: Install Fossil
878+
shell: bash
879+
run: |
880+
set -euo pipefail
881+
793882
tar -xzf fossil.tar.gz
794883
sudo mv fossil /usr/local/bin/
795884
fossil version
Lines changed: 25 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,25 @@
1+
<?xml version="1.0" encoding="utf-8"?>
2+
<!--
3+
SignPath Artifact Configuration for the SQLite3MultipleCiphers repo.
4+
Register in the SignPath portal under project "SQLite3MultipleCiphers" with the
5+
configuration slug "windows-binaries". The portal copy is authoritative.
6+
7+
The workflow stages the signable PE files into a FLAT directory ("to-sign/")
8+
and uploads it with actions/upload-artifact, which wraps it in a ZIP -> root
9+
element <zip-file>. The DLLs/EXEs therefore sit directly at the ZIP root by
10+
file name (single level), so no recursive "**" is needed here.
11+
12+
min-matches="1" on the DLL pattern fails the request loudly if nothing was
13+
staged (at least sqlite3mc.dll is always built); the shell EXE stays optional.
14+
-->
15+
<artifact-configuration xmlns="http://signpath.io/artifact-configuration/v1">
16+
<zip-file>
17+
<pe-file-set>
18+
<include path="sqlite3mc*.dll" min-matches="1" max-matches="unbounded" />
19+
<include path="sqlite3mc_shell*.exe" min-matches="0" max-matches="unbounded" />
20+
<for-each>
21+
<authenticode-sign />
22+
</for-each>
23+
</pe-file-set>
24+
</zip-file>
25+
</artifact-configuration>

packaging/autoconf/VERSION.in

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
{SQLITE3MC_VERSION}

packaging/autoconf/sqlite3rc.h.in

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,15 @@
1+
#ifndef SQLITE3MC_VERSION_MAJOR
2+
#define SQLITE3MC_VERSION_MAJOR {SQLITE3MC_VERSION_MAJOR}
3+
#endif
4+
5+
#ifndef SQLITE3MC_VERSION_MINOR
6+
#define SQLITE3MC_VERSION_MINOR {SQLITE3MC_VERSION_MINOR}
7+
#endif
8+
9+
#ifndef SQLITE3MC_VERSION_RELEASE
10+
#define SQLITE3MC_VERSION_RELEASE {SQLITE3MC_VERSION_RELEASE}
11+
#endif
12+
13+
#ifndef SQLITE3MC_VERSION_SUBRELEASE
14+
#define SQLITE3MC_VERSION_SUBRELEASE {SQLITE3MC_VERSION_SUBRELEASE}
15+
#endif

0 commit comments

Comments
 (0)