MarkdownPointer/.github/workflows/release.yml at master · yotsuda/MarkdownPointer · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
name: Release

on:
  push:
    tags:
      - 'v*.*.*'

jobs:
  release:
    runs-on: windows-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4

      - name: Setup .NET
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: '10.0.x'

      - name: Derive version from tag
        id: ver
        shell: pwsh
        run: |
          $tag = "${env:GITHUB_REF_NAME}"
          $v = $tag.TrimStart('v')
          "version=$v" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
          "tag=$tag"   | Out-File -FilePath $env:GITHUB_OUTPUT -Append

      - name: Verify version consistency across psd1 and csproj
        shell: pwsh
        run: |
          $expected = '${{ steps.ver.outputs.version }}'

          # psd1
          $data = Import-PowerShellDataFile Module/MarkdownPointer.psd1
          if ($data.ModuleVersion -ne $expected) {
            throw "Module/MarkdownPointer.psd1 ModuleVersion $($data.ModuleVersion) != tag v$expected"
          }

          # MarkdownPointer.App.csproj
          [xml]$appProj = Get-Content 'MarkdownPointer/MarkdownPointer.App.csproj'
          $appVer = $appProj.Project.PropertyGroup.Version | Where-Object { $_ } | Select-Object -First 1
          if ($appVer -ne $expected) {
            throw "MarkdownPointer.App.csproj Version $appVer != $expected"
          }

          # MarkdownPointer.Mcp.csproj
          [xml]$mcpProj = Get-Content 'MarkdownPointer.Mcp/MarkdownPointer.Mcp.csproj'
          $mcpVer = $mcpProj.Project.PropertyGroup.Version | Where-Object { $_ } | Select-Object -First 1
          if ($mcpVer -ne $expected) {
            throw "MarkdownPointer.Mcp.csproj Version $mcpVer != $expected"
          }

          Write-Host "All three version sources match: $expected"

      - name: Restore
        shell: pwsh
        run: |
          dotnet restore MarkdownPointer/MarkdownPointer.App.csproj --source https://api.nuget.org/v3/index.json --ignore-failed-sources
          dotnet restore MarkdownPointer.Mcp/MarkdownPointer.Mcp.csproj --source https://api.nuget.org/v3/index.json --ignore-failed-sources

      - name: Publish mdp.exe (App, single-file, framework-dependent)
        shell: pwsh
        run: |
          dotnet publish MarkdownPointer/MarkdownPointer.App.csproj `
            -c Release -r win-x64 --no-self-contained `
            -o "${env:RUNNER_TEMP}/publish-app"
          if ($LASTEXITCODE -ne 0) { throw "App publish failed" }

      - name: Publish mdp-mcp.exe (Mcp, single-file, framework-dependent)
        shell: pwsh
        run: |
          dotnet publish MarkdownPointer.Mcp/MarkdownPointer.Mcp.csproj `
            -c Release -r win-x64 --no-self-contained `
            -o "${env:RUNNER_TEMP}/publish-mcp"
          if ($LASTEXITCODE -ne 0) { throw "Mcp publish failed" }

      - name: Assemble module directory
        id: stage
        shell: pwsh
        run: |
          $stage = Join-Path $env:RUNNER_TEMP 'MarkdownPointer'
          $bin   = Join-Path $stage 'bin'
          New-Item -ItemType Directory -Path $stage -Force | Out-Null
          New-Item -ItemType Directory -Path $bin   -Force | Out-Null

          # Module files
          Copy-Item 'Module/MarkdownPointer.psd1' $stage
          Copy-Item 'Module/MarkdownPointer.psm1' $stage
          Copy-Item 'LICENSE' $stage

          # App and Mcp single-file exes
          Copy-Item "${env:RUNNER_TEMP}/publish-app/mdp.exe"     $bin
          Copy-Item "${env:RUNNER_TEMP}/publish-mcp/mdp-mcp.exe" $bin

          # SlideKit assets that flow to the Mcp publish output
          foreach ($asset in 'blank-template.pptx','Export-Slides.ps1') {
            $src = Join-Path "${env:RUNNER_TEMP}/publish-mcp" $asset
            if (Test-Path $src) { Copy-Item $src $bin }
            else { throw "Expected SlideKit asset not in Mcp publish output: $asset" }
          }

          "stage=$stage" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
          Write-Host "=== Staged module contents ==="
          Get-ChildItem $stage -Recurse | Select-Object FullName

      - name: Probe signing secret
        id: sign_probe
        shell: pwsh
        env:
          PFX_B64: ${{ secrets.CODE_SIGNING_PFX_BASE64 }}
        run: |
          $present = -not [string]::IsNullOrEmpty($env:PFX_B64)
          "present=$($present.ToString().ToLower())" | Out-File -FilePath $env:GITHUB_OUTPUT -Append

      - name: Sign Windows binaries (mdp.exe + mdp-mcp.exe only)
        if: steps.sign_probe.outputs.present == 'true'
        shell: pwsh
        env:
          PFX_B64: ${{ secrets.CODE_SIGNING_PFX_BASE64 }}
          PFX_PW:  ${{ secrets.CODE_SIGNING_PFX_PASSWORD }}
        run: |
          $pfx = Join-Path $env:RUNNER_TEMP 'codesign.pfx'
          [IO.File]::WriteAllBytes($pfx, [Convert]::FromBase64String($env:PFX_B64))
          $pw = ConvertTo-SecureString $env:PFX_PW -AsPlainText -Force
          $cert = Get-PfxCertificate -FilePath $pfx -Password $pw
          $stage = '${{ steps.stage.outputs.stage }}'

          # Sign ONLY native Windows binaries. psd1 / psm1 are left unsigned:
          # Install-Module verifies Authenticode on script files and would reject
          # a self-signed signature on any machine where the cert is not pre-trusted.
          $files = @(
            "$stage/bin/mdp.exe",
            "$stage/bin/mdp-mcp.exe"
          )
          Set-AuthenticodeSignature -FilePath $files -Certificate $cert `
              -HashAlgorithm SHA256 `
              -TimestampServer http://timestamp.digicert.com `
              -IncludeChain NotRoot

          # Self-signed certs yield Status=UnknownError on machines where the cert
          # is not in the trust store (GitHub runners don't trust it). The signature
          # itself is correct; only chain validation needs the cert installed on the
          # end-user machine. Verify thumbprint matches + reject tamper / missing.
          $expected = $cert.Thumbprint
          $bad = Get-AuthenticodeSignature $files | Where-Object {
            $_.SignerCertificate.Thumbprint -ne $expected -or
            $_.Status -notin @('Valid','UnknownError')
          }
          if ($bad) {
            $bad | Format-Table Status, StatusMessage, Path
            throw 'One or more Windows binary signatures are missing, tampered, or signed by the wrong cert.'
          }

      - name: Guard — Windows binaries must be signed for a tagged release
        if: steps.sign_probe.outputs.present != 'true'
        shell: pwsh
        run: |
          throw 'CODE_SIGNING_PFX_BASE64 is not configured. Tagged releases must be signed. Add the secret and re-run, or delete the tag.'

      - name: Assert signing distribution (only the two exes)
        shell: pwsh
        run: |
          $stage = '${{ steps.stage.outputs.stage }}'
          $shouldBeSigned = @(
            "$stage/bin/mdp.exe",
            "$stage/bin/mdp-mcp.exe"
          )
          $shouldBeUnsigned = @(
            "$stage/MarkdownPointer.psd1",
            "$stage/MarkdownPointer.psm1"
          )
          foreach ($f in $shouldBeSigned) {
            $s = Get-AuthenticodeSignature $f
            if ($s.Status -eq 'NotSigned') { throw "Expected signed but NotSigned: $f" }
          }
          foreach ($f in $shouldBeUnsigned) {
            $s = Get-AuthenticodeSignature $f
            if ($s.Status -ne 'NotSigned') { throw "Expected unsigned but $($s.Status): $f" }
          }
          Write-Host 'Signing distribution OK: mdp.exe + mdp-mcp.exe signed; psd1 / psm1 unsigned.'

      - name: Publish to PSGallery
        shell: pwsh
        env:
          PSGALLERY_API_KEY: ${{ secrets.PSGALLERY_API_KEY }}
        run: |
          Publish-Module -Path '${{ steps.stage.outputs.stage }}' -NuGetApiKey $env:PSGALLERY_API_KEY -Verbose

      - name: Extract release notes for this version
        id: notes
        shell: pwsh
        run: |
          $version = '${{ steps.ver.outputs.version }}'
          $data = Import-PowerShellDataFile Module/MarkdownPointer.psd1
          $allNotes = $data.PrivateData.PSData.ReleaseNotes
          $lines = $allNotes -split "`r?`n"
          $inSection = $false
          $section = New-Object System.Collections.Generic.List[string]
          foreach ($line in $lines) {
            # Section headers in this psd1 are bare "X.Y.Z" on their own line.
            if ($line -match '^\s*(\d+\.\d+\.\d+)\s*$') {
              if ($matches[1] -eq $version) { $inSection = $true; continue }
              elseif ($inSection)            { break }
            }
            if ($inSection) { $section.Add($line) }
          }
          $body = ($section -join "`n").Trim()
          if ([string]::IsNullOrWhiteSpace($body)) {
            throw "No release notes section found for version $version in Module/MarkdownPointer.psd1"
          }
          $notesPath = Join-Path $env:RUNNER_TEMP 'release-notes.md'
          Set-Content -Path $notesPath -Value $body -Encoding UTF8
          "notes_path=$notesPath" | Out-File -FilePath $env:GITHUB_OUTPUT -Append

      - name: Create GitHub Release
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: gh release create "${{ steps.ver.outputs.tag }}" --title "${{ steps.ver.outputs.tag }}" --notes-file "${{ steps.notes.outputs.notes_path }}"