CI - Fix package job (#4552)

bfops · web-flow · commit 0a70eb9ed763 · 2026-03-11T09:29:40.000Z
# Description of Changes We were unable to test #4473 because #githubworkflowthings, and it turns out we broke the job. Here I fixed the job and merge the two jobs into one. **Signing still doesn't work so I've disabled the signing part for now.** # API and ABI breaking changes None. CI only. # Expected complexity level and risk 1 # Testing I ran a test job: https://github.com/clockworklabs/SpacetimeDB/actions/runs/22691343426/job/65787327828 - [x] Package job succeeds for non-windows - [x] Package job succeeds on windows --------- Co-authored-by: Zeke Foppa <bfops@users.noreply.github.com>
diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml
@@ -11,7 +11,6 @@ permissions:
 
 jobs:
   build-cli:
-    if: ${{ !(startsWith(github.ref, 'refs/tags/') && matrix.target == 'x86_64-pc-windows-msvc') }}
     strategy:
       fail-fast: false
       matrix:
@@ -51,81 +50,45 @@ jobs:
       - name: Install rust target
         run: rustup target add ${{ matrix.target }}
 
-      - name: Compile
-        run: |
-          cargo build --release --target ${{ matrix.target }} -p spacetimedb-cli -p spacetimedb-standalone -p spacetimedb-update
-
-      - name: Package (unix)
-        if: ${{ runner.os != 'Windows' }}
-        shell: bash
-        run: |
-          mkdir build
-          cd target/${{matrix.target}}/release
-          cp spacetimedb-update ../../../build/spacetimedb-update-${{matrix.target}}
-          tar -czf ../../../build/spacetime-${{matrix.target}}.tar.gz spacetimedb-{cli,standalone}
-
-      - name: Package (windows)
+      - name: Add signtool.exe to PATH
         if: ${{ runner.os == 'Windows' }}
-        shell: bash
+        shell: pwsh
         run: |
-          mkdir build
-          cd target/${{matrix.target}}/release
-          cp spacetimedb-update.exe ../../../build/spacetimedb-update-${{matrix.target}}.exe
-          7z a ../../../build/spacetime-${{matrix.target}}.zip spacetimedb-cli.exe spacetimedb-standalone.exe
-
-      - name: Extract branch name
-        shell: bash
-        run: echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_OUTPUT
-        id: extract_branch
-
-      - name: Upload to DO Spaces
-        uses: shallwefootball/s3-upload-action@master
-        with:
-          aws_key_id: ${{ secrets.AWS_KEY_ID }}
-          aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY}}
-          aws_bucket: ${{ vars.AWS_BUCKET }}
-          source_dir: build
-          endpoint: https://nyc3.digitaloceanspaces.com
-          destination_dir: ${{ steps.extract_branch.outputs.branch }}
-
-  build-cli-windows-signed:
-    if: ${{ startsWith(github.ref, 'refs/tags/') }}
-    name: Build and sign CLI for x86_64 Windows
-    runs-on: [self-hosted, windows, signing]
-    environment: codesign
-    concurrency:
-      group: codesign-${{ github.ref }}
-      cancel-in-progress: false
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-
-      - name: Install Rust
-        uses: dsherret/rust-toolchain-file@v1
+          $root = "${env:ProgramFiles(x86)}\Windows Kits\10\bin"
+          $signtool = Get-ChildItem $root -Recurse -Filter signtool.exe -ErrorAction SilentlyContinue |
+            Where-Object { $_.FullName -match '\\x64\\signtool\.exe$' } |
+            Sort-Object FullName -Descending |
+            Select-Object -First 1
 
-      - name: Install rust target
-        run: rustup target add x86_64-pc-windows-msvc
+          if (-not $signtool) { throw "signtool.exe not found under $root" }
 
-      - name: Compile
-        run: |
-          cargo build --release --target x86_64-pc-windows-msvc -p spacetimedb-cli -p spacetimedb-standalone -p spacetimedb-update
+          "Found: $($signtool.FullName)"
+          $dir = Split-Path $signtool.FullName
+          Add-Content -Path $env:GITHUB_PATH -Value $dir
 
-      - name: Write certificate file
+      - name: Write certificate file for signing
+        if: ${{ runner.os == 'Windows' }}
         shell: powershell
         env:
           DIGICERT_CERT_B64: ${{ secrets.DIGICERT_CERT_B64 }}
         run: |
-          [IO.File]::WriteAllBytes("digicert.crt", [Convert]::FromBase64String($env:DIGICERT_CERT_B64))
+          [IO.File]::WriteAllBytes("digicert.pfx", [Convert]::FromBase64String($env:DIGICERT_CERT_B64))
 
-      - name: Sign binaries
+      - name: Compile
+        run: |
+          cargo build --release --target ${{ matrix.target }} -p spacetimedb-cli -p spacetimedb-standalone -p spacetimedb-update
+
+      - name: Sign binaries for Windows
+        # Disabled for now since the current flow isn't working.
+        if: false
+        #if: ${{ runner.os == 'Windows' }}
         shell: powershell
         env:
           DIGICERT_KEYPAIR_ALIAS: ${{ secrets.DIGICERT_KEYPAIR_ALIAS }}
         run: |
           $ErrorActionPreference = 'Stop'
           $targetDir = Join-Path $env:GITHUB_WORKSPACE 'target\x86_64-pc-windows-msvc\release'
-          $certFile = Join-Path $env:GITHUB_WORKSPACE 'digicert.crt'
+          $certFile = Join-Path $env:GITHUB_WORKSPACE 'digicert.pfx'
 
           $signtool = Get-Command signtool.exe -ErrorAction Stop
 
@@ -136,32 +99,31 @@ jobs:
           )
 
           foreach ($file in $files) {
-            & $signtool.Path sign /csp "DigiCert Signing Manager KSP" /kc $env:DIGICERT_KEYPAIR_ALIAS /f $certFile /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 $file
+            & $signtool.Path sign /f $certFile /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 $file
             & $signtool.Path verify /v /pa $file
           }
 
-      - name: Package (windows)
-        shell: powershell
+      - name: Package (unix)
+        if: ${{ runner.os != 'Windows' }}
+        shell: bash
         run: |
-          $ErrorActionPreference = 'Stop'
-          New-Item -ItemType Directory -Force -Path build | Out-Null
-          $releaseDir = Join-Path $env:GITHUB_WORKSPACE 'target\x86_64-pc-windows-msvc\release'
+          mkdir build
+          cd target/${{matrix.target}}/release
+          cp spacetimedb-update ../../../build/spacetimedb-update-${{matrix.target}}
+          tar -czf ../../../build/spacetime-${{matrix.target}}.tar.gz spacetimedb-{cli,standalone}
 
-          Copy-Item (Join-Path $releaseDir 'spacetimedb-update.exe') (Join-Path $env:GITHUB_WORKSPACE 'build\spacetimedb-update-x86_64-pc-windows-msvc.exe')
-          Compress-Archive -Force -Path @(
-            (Join-Path $releaseDir 'spacetimedb-cli.exe'),
-            (Join-Path $releaseDir 'spacetimedb-standalone.exe')
-          ) -DestinationPath (Join-Path $env:GITHUB_WORKSPACE 'build\spacetime-x86_64-pc-windows-msvc.zip')
+      - name: Package (windows)
+        if: ${{ runner.os == 'Windows' }}
+        shell: bash
+        run: |
+          mkdir build
+          cd target/${{matrix.target}}/release
+          cp spacetimedb-update.exe ../../../build/spacetimedb-update-${{matrix.target}}.exe
+          7z a ../../../build/spacetime-${{matrix.target}}.zip spacetimedb-cli.exe spacetimedb-standalone.exe
 
       - name: Extract branch name
-        shell: powershell
-        run: |
-          $ErrorActionPreference = 'Stop'
-          $branch = $env:GITHUB_HEAD_REF
-          if ([string]::IsNullOrEmpty($branch)) {
-            $branch = $env:GITHUB_REF -replace '^refs/heads/', ''
-          }
-          "branch=$branch" | Out-File -FilePath $env:GITHUB_OUTPUT -Encoding utf8 -Append
+        shell: bash
+        run: echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_OUTPUT
         id: extract_branch
 
       - name: Upload to DO Spaces
