
CI: update workflows to use Azure Trusted Signing

Fixes #1778

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
Nicola Murino 8 månader sedan
förälder
incheckning
502e3658e0
3 ändrade filer med 280 tillägg och 161 borttagningar
  1. 139 53
      .github/workflows/development.yml
  2. 140 105
      .github/workflows/release.yml
  3. 1 3
      windows-installer/sftpgo.iss

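--- a/.github/workflows/development.yml
+++ b/.github/workflows/development.yml
@@ -5,6 +5,10 @@ on:
     branches: [main]
   pull_request:
 
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   test-deploy:
     name: Test and deploy
@@ -13,11 +17,6 @@ jobs:
       matrix:
         go: ['1.23']
         os: [ubuntu-latest, macos-latest]
-        upload-coverage: [true]
-        include:
-          - go: '1.23'
-            os: windows-latest
-            upload-coverage: false
 
     steps:
       - uses: actions/checkout@v4
@@ -30,7 +29,6 @@ jobs:
           go-version: ${{ matrix.go }}
 
       - name: Build for Linux/macOS x86_64
-        if: startsWith(matrix.os, 'windows-') != true
         run: |
           go build -trimpath -tags nopgxregisterdefaulttypes,disable_grpc_modules -ldflags "-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=`git describe --always --abbrev=8 --dirty` -X github.com/drakkan/sftpgo/v2/internal/version.date=`date -u +%FT%TZ`" -o sftpgo
           cd tests/eventsearcher
@@ -46,8 +44,83 @@ jobs:
         if: startsWith(matrix.os, 'macos-') == true
         run: CGO_ENABLED=1 GOOS=darwin GOARCH=arm64 SDKROOT=$(xcrun --sdk macosx --show-sdk-path) go build -trimpath -tags nopgxregisterdefaulttypes,disable_grpc_modules -ldflags "-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=`git describe --always --abbrev=8 --dirty` -X github.com/drakkan/sftpgo/v2/internal/version.date=`date -u +%FT%TZ`" -o sftpgo_arm64
 
-      - name: Build for Windows
-        if: startsWith(matrix.os, 'windows-')
+      - name: Run test cases using SQLite provider
+        run: go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 15m ./... -coverprofile=coverage.txt -covermode=atomic
+
+      - name: Upload coverage to Codecov
+        uses: codecov/codecov-action@v5
+        with:
+          file: ./coverage.txt
+          fail_ci_if_error: false
+          token: ${{ secrets.CODECOV_TOKEN }}
+
+      - name: Run test cases using bolt provider
+        run: |
+          go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 2m ./internal/config -covermode=atomic
+          go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 5m ./internal/common -covermode=atomic
+          go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 5m ./internal/httpd -covermode=atomic
+          go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 8m ./internal/sftpd -covermode=atomic
+          go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 5m ./internal/ftpd -covermode=atomic
+          go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 5m ./internal/webdavd -covermode=atomic
+          go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 2m ./internal/telemetry -covermode=atomic
+          go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 2m ./internal/mfa -covermode=atomic
+          go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 2m ./internal/command -covermode=atomic
+        env:
+          SFTPGO_DATA_PROVIDER__DRIVER: bolt
+          SFTPGO_DATA_PROVIDER__NAME: 'sftpgo_bolt.db'
+
+      - name: Run test cases using memory provider
+        run: go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 15m ./... -covermode=atomic
+        env:
+          SFTPGO_DATA_PROVIDER__DRIVER: memory
+          SFTPGO_DATA_PROVIDER__NAME: ''
+
+      - name: Prepare build artifact for macOS
+        if: startsWith(matrix.os, 'macos-') == true
+        run: |
+          mkdir -p output/{init,bash_completion,zsh_completion}
+          cp sftpgo output/sftpgo_x86_64
+          cp sftpgo_arm64 output/
+          cp sftpgo.json output/
+          cp -r templates output/
+          cp -r static output/
+          cp -r openapi output/
+          cp init/com.github.drakkan.sftpgo.plist output/init/
+          ./sftpgo gen completion bash > output/bash_completion/sftpgo
+          ./sftpgo gen completion zsh > output/zsh_completion/_sftpgo
+          ./sftpgo gen man -d output/man/man1
+          gzip output/man/man1/*
+
+      - name: Upload build artifact
+        if: startsWith(matrix.os, 'ubuntu-') != true
+        uses: actions/upload-artifact@v4
+        with:
+          name: sftpgo-${{ matrix.os }}-go-${{ matrix.go }}
+          path: output
+
+  test-deploy-windows:
+    name: Test and deploy Windows
+    environment: signing
+    runs-on: windows-latest
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Azure login
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.23'
+
+      - name: Build
         run: |
           $GIT_COMMIT = (git describe --always --abbrev=8 --dirty) | Out-String
           $DATE_TIME = ([datetime]::Now.ToUniversalTime().toString("yyyy-MM-ddTHH:mm:ssZ")) | Out-String
@@ -78,17 +151,31 @@ jobs:
           Remove-Item Env:\GOOS
           Remove-Item Env:\GOARCH
 
+      - name: Sign binaries
+        uses: azure/trusted-signing-action@v0.5.0
+        with:
+          endpoint: https://eus.codesigning.azure.net/
+          trusted-signing-account-name: nicola
+          certificate-profile-name: SFTPGo
+          files: ${{ github.workspace }}\sftpgo.exe,${{ github.workspace }}\arm64\sftpgo.exe,${{ github.workspace }}\x86\sftpgo.exe
+          files-folder-filter: exe,dll
+          file-digest: SHA256
+          timestamp-rfc3161: http://timestamp.acs.microsoft.com
+          timestamp-digest: SHA256
+          exclude-environment-credential: true
+          exclude-workload-identity-credential: true
+          exclude-managed-identity-credential: true
+          exclude-shared-token-cache-credential: true
+          exclude-visual-studio-credential: true
+          exclude-visual-studio-code-credential: true
+          exclude-azure-cli-credential: false
+          exclude-azure-powershell-credential: true
+          exclude-azure-developer-cli-credential: true
+          exclude-interactive-browser-credential: true
+
       - name: Run test cases using SQLite provider
         run: go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 15m ./... -coverprofile=coverage.txt -covermode=atomic
 
-      - name: Upload coverage to Codecov
-        if: ${{ matrix.upload-coverage }}
-        uses: codecov/codecov-action@v5
-        with:
-          file: ./coverage.txt
-          fail_ci_if_error: false
-          token: ${{ secrets.CODECOV_TOKEN }}
-
       - name: Run test cases using bolt provider
         run: |
           go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 2m ./internal/config -covermode=atomic
@@ -110,24 +197,14 @@ jobs:
           SFTPGO_DATA_PROVIDER__DRIVER: memory
           SFTPGO_DATA_PROVIDER__NAME: ''
 
-      - name: Prepare build artifact for macOS
-        if: startsWith(matrix.os, 'macos-') == true
+      - name: Initialize data provider
         run: |
-          mkdir -p output/{init,bash_completion,zsh_completion}
-          cp sftpgo output/sftpgo_x86_64
-          cp sftpgo_arm64 output/
-          cp sftpgo.json output/
-          cp -r templates output/
-          cp -r static output/
-          cp -r openapi output/
-          cp init/com.github.drakkan.sftpgo.plist output/init/
-          ./sftpgo gen completion bash > output/bash_completion/sftpgo
-          ./sftpgo gen completion zsh > output/zsh_completion/_sftpgo
-          ./sftpgo gen man -d output/man/man1
-          gzip output/man/man1/*
+          rm sftpgo.db
+          ./sftpgo initprovider
+        shell: bash
 
-      - name: Prepare Windows installer
-        if: ${{ startsWith(matrix.os, 'windows-') && github.event_name != 'pull_request' }}
+      - name: Prepare Windows installers
+        if: ${{ github.event_name != 'pull_request' }}
         run: |
           Remove-Item -LiteralPath "output" -Force -Recurse -ErrorAction Ignore
           mkdir output
@@ -146,15 +223,7 @@ jobs:
           $REV_LIST=$LATEST_TAG+"..HEAD"
           $COMMITS_FROM_TAG= ((git rev-list $REV_LIST --count) | Out-String).Trim()
           $Env:SFTPGO_ISS_DEV_VERSION = $LATEST_TAG  + "." + $COMMITS_FROM_TAG
-          $CERT_PATH=(Get-Location -PSProvider FileSystem).ProviderPath + "\cert.pfx"
-          [IO.File]::WriteAllBytes($CERT_PATH,[System.Convert]::FromBase64String($Env:CERT_DATA))
-          certutil -f -p "$Env:CERT_PASS" -importpfx MY "$CERT_PATH"
-          rm "$CERT_PATH"
-          & 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.20348.0/x86/signtool.exe' sign /sm /tr http://timestamp.sectigo.com /td sha256 /fd sha256 /n "Nicola Murino" /d "SFTPGo" .\sftpgo.exe
-          & 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.20348.0/x86/signtool.exe' sign /sm /tr http://timestamp.sectigo.com /td sha256 /fd sha256 /n "Nicola Murino" /d "SFTPGo" .\arm64\sftpgo.exe
-          & 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.20348.0/x86/signtool.exe' sign /sm /tr http://timestamp.sectigo.com /td sha256 /fd sha256 /n "Nicola Murino" /d "SFTPGo" .\x86\sftpgo.exe
-          $INNO_S='/Ssigntool=$qC:/Program Files (x86)/Windows Kits/10/bin/10.0.20348.0/x86/signtool.exe$q sign /sm /tr http://timestamp.sectigo.com /td sha256 /fd sha256 /n $qNicola Murino$q /d $qSFTPGo$q $f'
-          iscc "$INNO_S" .\windows-installer\sftpgo.iss
+          iscc .\windows-installer\sftpgo.iss
 
           rm .\output\sftpgo.exe
           rm .\output\sftpgo.db
@@ -166,40 +235,57 @@ jobs:
           Remove-Item Env:\SFTPGO_DATA_PROVIDER__DRIVER
           Remove-Item Env:\SFTPGO_DATA_PROVIDER__NAME
           $Env:SFTPGO_ISS_ARCH='arm64'
-          iscc "$INNO_S" .\windows-installer\sftpgo.iss
+          iscc .\windows-installer\sftpgo.iss
 
           rm .\output\sftpgo.exe
           copy .\x86\sftpgo.exe .\output
           $Env:SFTPGO_ISS_ARCH='x86'
-          iscc "$INNO_S" .\windows-installer\sftpgo.iss
-          certutil -delstore MY "Nicola Murino"
-        env:
-          CERT_DATA: ${{ secrets.CERT_DATA }}
-          CERT_PASS: ${{ secrets.CERT_PASS }}
+          iscc .\windows-installer\sftpgo.iss
+
+      - name: Sign installers
+        uses: azure/trusted-signing-action@v0.5.0
+        with:
+          endpoint: https://eus.codesigning.azure.net/
+          trusted-signing-account-name: nicola
+          certificate-profile-name: SFTPGo
+          files: ${{ github.workspace }}\sftpgo_windows_x86_64.exe,${{ github.workspace }}\sftpgo_windows_arm64.exe,${{ github.workspace }}\sftpgo_windows_x86.exe
+          files-folder-filter: exe,dll
+          file-digest: SHA256
+          timestamp-rfc3161: http://timestamp.acs.microsoft.com
+          timestamp-digest: SHA256
+          exclude-environment-credential: true
+          exclude-workload-identity-credential: true
+          exclude-managed-identity-credential: true
+          exclude-shared-token-cache-credential: true
+          exclude-visual-studio-credential: true
+          exclude-visual-studio-code-credential: true
+          exclude-azure-cli-credential: false
+          exclude-azure-powershell-credential: true
+          exclude-azure-developer-cli-credential: true
+          exclude-interactive-browser-credential: true
 
       - name: Upload Windows installer x86_64 artifact
-        if: ${{ startsWith(matrix.os, 'windows-') && github.event_name != 'pull_request' }}
+        if: ${{ github.event_name != 'pull_request' }}
         uses: actions/upload-artifact@v4
         with:
           name: sftpgo_windows_installer_x86_64
           path: ./sftpgo_windows_x86_64.exe
 
       - name: Upload Windows installer arm64 artifact
-        if: ${{ startsWith(matrix.os, 'windows-') && github.event_name != 'pull_request' }}
+        if: ${{ github.event_name != 'pull_request' }}
         uses: actions/upload-artifact@v4
         with:
           name: sftpgo_windows_installer_arm64
           path: ./sftpgo_windows_arm64.exe
 
       - name: Upload Windows installer x86 artifact
-        if: ${{ startsWith(matrix.os, 'windows-') && github.event_name != 'pull_request' }}
+        if: ${{ github.event_name != 'pull_request' }}
         uses: actions/upload-artifact@v4
         with:
           name: sftpgo_windows_installer_x86
           path: ./sftpgo_windows_x86.exe
 
       - name: Prepare build artifact for Windows
-        if: startsWith(matrix.os, 'windows-')
         run: |
           Remove-Item -LiteralPath "output" -Force -Recurse -ErrorAction Ignore
           mkdir output
@@ -218,10 +304,9 @@ jobs:
           xcopy .\openapi .\output\openapi\ /E
 
       - name: Upload build artifact
-        if: startsWith(matrix.os, 'ubuntu-') != true
         uses: actions/upload-artifact@v4
         with:
-          name: sftpgo-${{ matrix.os }}-go-${{ matrix.go }}
+          name: sftpgo-windows-portable
           path: output
 
   test-build-flags:
@@ -524,4 +609,5 @@ jobs:
       - name: Run golangci-lint
         uses: golangci/golangci-lint-action@v6
         with:
+          args: --timeout=10m
           version: latest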
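Review bot: The workflow-level `permissions` block grants `id-token: write` to every job in this file, and the new `test-deploy-windows` job runs `Azure login`, `Sign binaries` and `Sign installers` without the `pull_request` guard that `Prepare Windows installers` has. Because the workflow also triggers on `pull_request`, the `go test` steps that follow `Azure login` run in a job where the signing session is available, and `Sign installers` appears to be given installer paths that were not built on a pull request. Move `id-token: write` into a job-level `permissions:` under `test-deploy-windows` and add `if: ${{ github.event_name != 'pull_request' }}` to the login and both signing steps. Whether the `signing` environment already limits this through protection rules is not visible from the diff. release.yml sets `id-token: write` and `contents: write` workflow-wide in the same way, where only `prepare-windows` needs the former.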

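--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -4,8 +4,12 @@ on:
   push:
     tags: 'v*'
 
+permissions:
+  id-token: write
+  contents: write
+
 env:
-  GO_VERSION: 1.22.4
+  GO_VERSION: 1.23.3
 
 jobs:
   prepare-sources-with-deps:
@@ -38,12 +42,10 @@ jobs:
           path: ./sftpgo_${{ steps.get_version.outputs.VERSION }}_src_with_deps.tar.xz
           retention-days: 1
 
-  prepare-window-mac:
-    name: Prepare binaries
-    runs-on: ${{ matrix.os }}
-    strategy:
-      matrix:
-        os: [macos-12, windows-2022]
+  prepare-windows:
+    name: Prepare Windows binaries
+    environment: signing
+    runs-on: windows-2022
 
     steps:
       - uses: actions/checkout@v4
@@ -52,34 +54,19 @@ jobs:
         with:
           go-version: ${{ env.GO_VERSION }}
 
+      - name: Azure login
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
       - name: Get SFTPGo version
         id: get_version
         run: echo "VERSION=${GITHUB_REF/refs\/tags\//}" >> $GITHUB_OUTPUT
         shell: bash
 
-      - name: Get OS name
-        id: get_os_name
-        run: |
-          if [[ $MATRIX_OS =~ ^macos.* ]]
-          then
-            echo "OS=macOS" >> $GITHUB_OUTPUT
-          else
-            echo "OS=windows" >> $GITHUB_OUTPUT
-          fi
-        shell: bash
-        env:
-          MATRIX_OS: ${{ matrix.os }}
-
-      - name: Build for macOS x86_64
-        if: startsWith(matrix.os, 'windows-') != true
-        run: go build -trimpath -tags nopgxregisterdefaulttypes,disable_grpc_modules -ldflags "-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=`git describe --always --abbrev=8 --dirty` -X github.com/drakkan/sftpgo/v2/internal/version.date=`date -u +%FT%TZ`" -o sftpgo
-
-      - name: Build for macOS arm64
-        if: startsWith(matrix.os, 'macos-') == true
-        run: CGO_ENABLED=1 GOOS=darwin GOARCH=arm64 SDKROOT=$(xcrun --sdk macosx --show-sdk-path) go build -trimpath -tags nopgxregisterdefaulttypes,disable_grpc_modules -ldflags "-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=`git describe --always --abbrev=8 --dirty` -X github.com/drakkan/sftpgo/v2/internal/version.date=`date -u +%FT%TZ`" -o sftpgo_arm64
-
-      - name: Build for Windows
-        if: startsWith(matrix.os, 'windows-')
+      - name: Build
         run: |
           $GIT_COMMIT = (git describe --always --abbrev=8 --dirty) | Out-String
           $DATE_TIME = ([datetime]::Now.ToUniversalTime().toString("yyyy-MM-ddTHH:mm:ssZ")) | Out-String
@@ -103,43 +90,33 @@ jobs:
         env:
           SFTPGO_VERSION: ${{ steps.get_version.outputs.VERSION }}
 
+      - name: Sign binaries
+        uses: azure/trusted-signing-action@v0.5.0
+        with:
+          endpoint: https://eus.codesigning.azure.net/
+          trusted-signing-account-name: nicola
+          certificate-profile-name: SFTPGo
+          files: ${{ github.workspace }}\sftpgo.exe,${{ github.workspace }}\arm64\sftpgo.exe,${{ github.workspace }}\x86\sftpgo.exe
+          files-folder-filter: exe,dll
+          file-digest: SHA256
+          timestamp-rfc3161: http://timestamp.acs.microsoft.com
+          timestamp-digest: SHA256
+          exclude-environment-credential: true
+          exclude-workload-identity-credential: true
+          exclude-managed-identity-credential: true
+          exclude-shared-token-cache-credential: true
+          exclude-visual-studio-credential: true
+          exclude-visual-studio-code-credential: true
+          exclude-azure-cli-credential: false
+          exclude-azure-powershell-credential: true
+          exclude-azure-developer-cli-credential: true
+          exclude-interactive-browser-credential: true
+
       - name: Initialize data provider
         run: ./sftpgo initprovider
         shell: bash
 
-      - name: Prepare Release for macOS
-        if: startsWith(matrix.os, 'macos-')
-        run: |
-          mkdir -p output/{init,sqlite,bash_completion,zsh_completion}
-          echo "For documentation please take a look here:" > output/README.txt
-          echo "" >> output/README.txt
-          echo "https://docs.sftpgo.com" >> output/README.txt
-          cp LICENSE output/
-          cp NOTICE output/
-          cp sftpgo output/
-          cp sftpgo.json output/
-          cp sftpgo.db output/sqlite/
-          cp -r static output/
-          cp -r openapi output/
-          cp -r templates output/
-          cp init/com.github.drakkan.sftpgo.plist output/init/
-          ./sftpgo gen completion bash > output/bash_completion/sftpgo
-          ./sftpgo gen completion zsh > output/zsh_completion/_sftpgo
-          ./sftpgo gen man -d output/man/man1
-          gzip output/man/man1/*
-          cd output
-          tar cJvf ../sftpgo_${SFTPGO_VERSION}_${OS}_x86_64.tar.xz *
-          cd ..
-          cp sftpgo_arm64 output/sftpgo
-          cd output
-          tar cJvf ../sftpgo_${SFTPGO_VERSION}_${OS}_arm64.tar.xz *
-          cd ..
-        env:
-          SFTPGO_VERSION: ${{ steps.get_version.outputs.VERSION }}
-          OS: ${{ steps.get_os_name.outputs.OS }}
-
-      - name: Prepare Release for Windows
-        if: startsWith(matrix.os, 'windows-')
+      - name: Prepare Release
         run: |
           mkdir output
           copy .\sftpgo.exe .\output
@@ -153,16 +130,7 @@ jobs:
           xcopy .\static .\output\static\ /E
           mkdir output\openapi
           xcopy .\openapi .\output\openapi\ /E
-          $CERT_PATH=(Get-Location -PSProvider FileSystem).ProviderPath + "\cert.pfx"
-          [IO.File]::WriteAllBytes($CERT_PATH,[System.Convert]::FromBase64String($Env:CERT_DATA))
-          certutil -f -p "$Env:CERT_PASS" -importpfx MY "$CERT_PATH"
-          rm "$CERT_PATH"
-          & 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.20348.0/x86/signtool.exe' sign /sm /tr http://timestamp.sectigo.com /td sha256 /fd sha256 /n "Nicola Murino" /d "SFTPGo" .\sftpgo.exe
-          & 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.20348.0/x86/signtool.exe' sign /sm /tr http://timestamp.sectigo.com /td sha256 /fd sha256 /n "Nicola Murino" /d "SFTPGo" .\arm64\sftpgo.exe
-          & 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.20348.0/x86/signtool.exe' sign /sm /tr http://timestamp.sectigo.com /td sha256 /fd sha256 /n "Nicola Murino" /d "SFTPGo" .\x86\sftpgo.exe
-          $INNO_S='/Ssigntool=$qC:/Program Files (x86)/Windows Kits/10/bin/10.0.20348.0/x86/signtool.exe$q sign /sm /tr http://timestamp.sectigo.com /td sha256 /fd sha256 /n $qNicola Murino$q /d $qSFTPGo$q $f'
-          iscc "$INNO_S" .\windows-installer\sftpgo.iss
-
+          iscc .\windows-installer\sftpgo.iss
           rm .\output\sftpgo.exe
           rm .\output\sftpgo.db
           copy .\arm64\sftpgo.exe .\output
@@ -173,20 +141,38 @@ jobs:
           Remove-Item Env:\SFTPGO_DATA_PROVIDER__DRIVER
           Remove-Item Env:\SFTPGO_DATA_PROVIDER__NAME
           $Env:SFTPGO_ISS_ARCH='arm64'
-          iscc "$INNO_S" .\windows-installer\sftpgo.iss
+          iscc .\windows-installer\sftpgo.iss
 
           rm .\output\sftpgo.exe
           copy .\x86\sftpgo.exe .\output
           $Env:SFTPGO_ISS_ARCH='x86'
-          iscc "$INNO_S" .\windows-installer\sftpgo.iss
-          certutil -delstore MY "Nicola Murino"
+          iscc .\windows-installer\sftpgo.iss
         env:
           SFTPGO_ISS_VERSION: ${{ steps.get_version.outputs.VERSION }}
-          CERT_DATA: ${{ secrets.CERT_DATA }}
-          CERT_PASS: ${{ secrets.CERT_PASS }}
 
-      - name: Prepare Portable Release for Windows
-        if: startsWith(matrix.os, 'windows-')
+      - name: Sign installers
+        uses: azure/trusted-signing-action@v0.5.0
+        with:
+          endpoint: https://eus.codesigning.azure.net/
+          trusted-signing-account-name: nicola
+          certificate-profile-name: SFTPGo
+          files: ${{ github.workspace }}\sftpgo_windows_x86_64.exe,${{ github.workspace }}\sftpgo_windows_arm64.exe,${{ github.workspace }}\sftpgo_windows_x86.exe
+          files-folder-filter: exe,dll
+          file-digest: SHA256
+          timestamp-rfc3161: http://timestamp.acs.microsoft.com
+          timestamp-digest: SHA256
+          exclude-environment-credential: true
+          exclude-workload-identity-credential: true
+          exclude-managed-identity-credential: true
+          exclude-shared-token-cache-credential: true
+          exclude-visual-studio-credential: true
+          exclude-visual-studio-code-credential: true
+          exclude-azure-cli-credential: false
+          exclude-azure-powershell-credential: true
+          exclude-azure-developer-cli-credential: true
+          exclude-interactive-browser-credential: true
+
+      - name: Prepare Portable Release
         run: |
           mkdir win-portable
           copy .\sftpgo.exe .\win-portable
@@ -207,54 +193,103 @@ jobs:
           xcopy .\openapi .\win-portable\openapi\ /E
           Compress-Archive .\win-portable\* sftpgo_portable.zip
 
-      - name: Upload macOS x86_64 artifact
-        if: startsWith(matrix.os, 'macos-')
-        uses: actions/upload-artifact@v4
-        with:
-          name: sftpgo_${{ steps.get_version.outputs.VERSION }}_${{ steps.get_os_name.outputs.OS }}_x86_64.tar.xz
-          path: ./sftpgo_${{ steps.get_version.outputs.VERSION }}_${{ steps.get_os_name.outputs.OS }}_x86_64.tar.xz
-          retention-days: 1
-
-      - name: Upload macOS arm64 artifact
-        if: startsWith(matrix.os, 'macos-')
-        uses: actions/upload-artifact@v4
-        with:
-          name: sftpgo_${{ steps.get_version.outputs.VERSION }}_${{ steps.get_os_name.outputs.OS }}_arm64.tar.xz
-          path: ./sftpgo_${{ steps.get_version.outputs.VERSION }}_${{ steps.get_os_name.outputs.OS }}_arm64.tar.xz
-          retention-days: 1
-
       - name: Upload Windows installer x86_64 artifact
-        if: startsWith(matrix.os, 'windows-')
         uses: actions/upload-artifact@v4
         with:
-          name: sftpgo_${{ steps.get_version.outputs.VERSION }}_${{ steps.get_os_name.outputs.OS }}_x86_64.exe
+          name: sftpgo_${{ steps.get_version.outputs.VERSION }}_windows_x86_64.exe
           path: ./sftpgo_windows_x86_64.exe
           retention-days: 1
 
       - name: Upload Windows installer arm64 artifact
-        if: startsWith(matrix.os, 'windows-')
         uses: actions/upload-artifact@v4
         with:
-          name: sftpgo_${{ steps.get_version.outputs.VERSION }}_${{ steps.get_os_name.outputs.OS }}_arm64.exe
+          name: sftpgo_${{ steps.get_version.outputs.VERSION }}_windows_arm64.exe
           path: ./sftpgo_windows_arm64.exe
           retention-days: 1
 
       - name: Upload Windows installer x86 artifact
-        if: startsWith(matrix.os, 'windows-')
         uses: actions/upload-artifact@v4
         with:
-          name: sftpgo_${{ steps.get_version.outputs.VERSION }}_${{ steps.get_os_name.outputs.OS }}_x86.exe
+          name: sftpgo_${{ steps.get_version.outputs.VERSION }}_windows_x86.exe
           path: ./sftpgo_windows_x86.exe
           retention-days: 1
 
       - name: Upload Windows portable artifact
-        if: startsWith(matrix.os, 'windows-')
         uses: actions/upload-artifact@v4
         with:
-          name: sftpgo_${{ steps.get_version.outputs.VERSION }}_${{ steps.get_os_name.outputs.OS }}_portable.zip
+          name: sftpgo_${{ steps.get_version.outputs.VERSION }}_windows_portable.zip
           path: ./sftpgo_portable.zip
           retention-days: 1
 
+  prepare-mac:
+    name: Prepare macOS binaries
+    runs-on: macos-12
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - name: Get SFTPGo version
+        id: get_version
+        run: echo "VERSION=${GITHUB_REF/refs\/tags\//}" >> $GITHUB_OUTPUT
+        shell: bash
+
+      - name: Build for macOS x86_64
+        run: go build -trimpath -tags nopgxregisterdefaulttypes,disable_grpc_modules -ldflags "-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=`git describe --always --abbrev=8 --dirty` -X github.com/drakkan/sftpgo/v2/internal/version.date=`date -u +%FT%TZ`" -o sftpgo
+
+      - name: Build for macOS arm64
+        run: CGO_ENABLED=1 GOOS=darwin GOARCH=arm64 SDKROOT=$(xcrun --sdk macosx --show-sdk-path) go build -trimpath -tags nopgxregisterdefaulttypes,disable_grpc_modules -ldflags "-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=`git describe --always --abbrev=8 --dirty` -X github.com/drakkan/sftpgo/v2/internal/version.date=`date -u +%FT%TZ`" -o sftpgo_arm64
+
+      - name: Initialize data provider
+        run: ./sftpgo initprovider
+        shell: bash
+
+      - name: Prepare Release
+        run: |
+          mkdir -p output/{init,sqlite,bash_completion,zsh_completion}
+          echo "For documentation please take a look here:" > output/README.txt
+          echo "" >> output/README.txt
+          echo "https://docs.sftpgo.com" >> output/README.txt
+          cp LICENSE output/
+          cp NOTICE output/
+          cp sftpgo output/
+          cp sftpgo.json output/
+          cp sftpgo.db output/sqlite/
+          cp -r static output/
+          cp -r openapi output/
+          cp -r templates output/
+          cp init/com.github.drakkan.sftpgo.plist output/init/
+          ./sftpgo gen completion bash > output/bash_completion/sftpgo
+          ./sftpgo gen completion zsh > output/zsh_completion/_sftpgo
+          ./sftpgo gen man -d output/man/man1
+          gzip output/man/man1/*
+          cd output
+          tar cJvf ../sftpgo_${SFTPGO_VERSION}_macOS_x86_64.tar.xz *
+          cd ..
+          cp sftpgo_arm64 output/sftpgo
+          cd output
+          tar cJvf ../sftpgo_${SFTPGO_VERSION}_macOS_arm64.tar.xz *
+          cd ..
+        env:
+          SFTPGO_VERSION: ${{ steps.get_version.outputs.VERSION }}
+
+      - name: Upload macOS x86_64 artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: sftpgo_${{ steps.get_version.outputs.VERSION }}_macOS_x86_64.tar.xz
+          path: ./sftpgo_${{ steps.get_version.outputs.VERSION }}_macOS_x86_64.tar.xz
+          retention-days: 1
+
+      - name: Upload macOS arm64 artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: sftpgo_${{ steps.get_version.outputs.VERSION }}_macOS_arm64.tar.xz
+          path: ./sftpgo_${{ steps.get_version.outputs.VERSION }}_macOS_arm64.tar.xz
+          retention-days: 1
+
   prepare-linux:
     name: Prepare Linux binaries
     runs-on: ubuntu-latest
@@ -479,7 +514,7 @@ jobs:
 
   create-release:
     name: Release
-    needs: [prepare-linux-bundle, prepare-sources-with-deps, prepare-window-mac]
+    needs: [prepare-linux-bundle, prepare-sources-with-deps, prepare-mac, prepare-windows]
     runs-on: ubuntu-latest
 
     steps: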
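Review bot: `azure/login@v2` and `azure/trusted-signing-action@v0.5.0` are referenced by tag in `prepare-windows`, the job that holds the OIDC identity used to sign release binaries, and a tag can be re-pointed after review. Pin both to a full commit SHA and keep the version as a trailing comment, e.g. `uses: azure/trusted-signing-action@<full-commit-sha>  # v0.5.0`; the two uses in development.yml would need the same. The job also uploads the artifacts without checking them, so a `signtool verify /pa` pass over the three binaries and three installers after `Sign installers` would make a missing signature fail the release rather than ship.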

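--- a/windows-installer/sftpgo.iss
+++ b/windows-installer/sftpgo.iss
@@ -49,14 +49,12 @@ ArchitecturesAllowed={#MyAppArch}
 MinVersion=10.0.14393
 VersionInfoVersion={#MyVersionInfo}
 VersionInfoCopyright=AGPL-3.0 with additional terms
-SignTool=signtool
-SignedUninstaller=yes
 
 [Languages]
 Name: "english"; MessagesFile: "compiler:Default.isl"
 
 [Files]
-Source: "{#MyAppDir}\sftpgo.exe"; DestDir: "{app}"; Flags: ignoreversion signonce
+Source: "{#MyAppDir}\sftpgo.exe"; DestDir: "{app}"; Flags: ignoreversion
 Source: "{#MyAppDir}\sftpgo.db"; DestDir: "{commonappdata}\{#MyAppName}"; Flags: onlyifdoesntexist uninsneveruninstall
 Source: "{#MyAppDir}\LICENSE.txt"; DestDir: "{app}"; Flags: ignoreversion
 Source: "{#MyAppDir}\NOTICE.txt"; DestDir: "{app}"; Flags: ignoreversion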
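Review bot: With `SignTool=signtool` and `SignedUninstaller=yes` removed, nothing in the visible changes signs the uninstaller that Inno Setup generates. The workflows sign `sftpgo.exe` before `iscc` and the finished installer afterwards, and signing the outer installer does not sign the files packed inside it, so the installed uninstaller would presumably ship unsigned. If that trade-off is accepted, record it next to the remaining `[Setup]` keys, e.g. `; Signed in CI by Azure Trusted Signing after iscc; the uninstaller is left unsigned`. The `[Setup]` section starts above this hunk.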