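name: 'Azure Code Sign'
# Docs => https://docs.akeyless.io/docs/azure-ad-dynamic-secrets
# Using AzureSignTool https://learn.microsoft.com/en-us/windows/msix/desktop/cicd-keyvault
#
# Manually triggered job that (1) fetches an Azure AD dynamic secret from Akeyless
# through this repository's own action and (2) signs a test binary with
# AzureSignTool against Azure Key Vault.
#
# NOTE(review): the signing step still authenticates with the long-lived
# AZURE_CLIENT_SECRET repository secret; the dynamic secret fetched in the
# earlier step is only inspected, not yet wired into AzureSignTool.
on:
  workflow_dispatch:
jobs:
  code_sign:
    runs-on: windows-latest
    name: Code Signing
    # Least privilege: id-token for the OIDC token presented to Akeyless
    # (presumably JWT auth, since only access-id is supplied), contents:read
    # for checkout. No other scopes are granted.
    permissions:
      id-token: write
      contents: read
    steps:
      # NOTE(review): pin third-party actions to a full commit SHA rather than a
      # moving tag for supply-chain safety. fetch-depth: 0 pulls the full history,
      # which signing a prebuilt binary should not need — TODO confirm.
      - name: Checkout
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
      - name: Fetch dynamic secret from Akleyless
        id: fetch-secrets
        uses: ./
        with:
          access-id: ${{ secrets.AKEYLESS_ACCESS_ID }}
          dynamic-secrets: '{"/DevTools/live-azure-ad":"akelyess_payload"}'
      # Debug-only step. The payload reaches the shell through an environment
      # variable instead of being spliced into the script with ${{ }}, so quotes
      # or metacharacters in the JSON cannot break the command or inject into it.
      # The credential itself (.secret) is never printed: GitHub only masks values
      # it has registered as secrets, and a sub-field extracted by jq may not be
      # masked at all.
      - name: Verify Values (Temporary - only for debugging)
        env:
          AKEYLESS_PAYLOAD: ${{ steps.fetch-secrets.outputs.akelyess_payload }}
        run: |
          echo 'ID'
          $env:AKEYLESS_PAYLOAD | jq -r '.id'
          echo 'MSG'
          $env:AKEYLESS_PAYLOAD | jq -r '.msg'
          echo 'SECRET'
          # Presence check only — never echo the value into the job log.
          $env:AKEYLESS_PAYLOAD | jq -r 'if .secret != null then "<present>" else "<missing>" end'
          echo 'TTL_IN_MINUTES'
          $env:AKEYLESS_PAYLOAD | jq -r '.ttl_in_minutes'
      # Debug-only step for discovering the structure of the akelyess_payload_secret
      # environment variable (presumably exported by the fetch step). Only key
      # names (or the JSON type, if it is not an object) are listed; values stay
      # out of the log.
      - name: Learn keys
        run: |
          if ($env:akelyess_payload_secret) {
            $env:akelyess_payload_secret | jq -r 'if type == "object" then keys else type end'
          } else {
            echo 'akelyess_payload_secret is not set'
          }
      #### Option 1 ####
      # The easiest, just use AzureSignTool
      # NOTE(review): an unpinned install resolves to the latest NuGet release on
      # every run; pin with --version once a vetted release has been chosen.
      - name: Install AzureSignTool
        id: install-signtool
        run: dotnet tool install --global AzureSignTool
      # Nice walkthrough https://melatonin.dev/blog/how-to-code-sign-windows-installers-with-an-ev-cert-on-github-actions/
      # Secrets are passed as environment variables and quoted, so a value with
      # spaces or shell metacharacters cannot split or corrupt the argument list.
      # The previous invocation also lacked a space before -kvs, which glued
      # "-kvs" onto the tenant ID and shifted every following argument.
      # RFC 3161 timestamp responses are themselves signed, so plain http to the
      # TSA is the conventional transport.
      - name: Use AzureSignTool
        id: use-signtool
        env:
          AZURE_KEY_VAULT_URI: ${{ secrets.AZURE_KEY_VAULT_URI }}
          AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
          AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
          AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
          AZURE_CERT_NAME: ${{ secrets.AZURE_CERT_NAME }}
        run: |
          azuresigntool sign `
            -kvu "$env:AZURE_KEY_VAULT_URI" `
            -kvi "$env:AZURE_CLIENT_ID" `
            -kvt "$env:AZURE_TENANT_ID" `
            -kvs "$env:AZURE_CLIENT_SECRET" `
            -kvc "$env:AZURE_CERT_NAME" `
            -tr http://timestamp.digicert.com `
            -v '${{ github.workspace }}\.github\test_files\ConsoleApp1.exe'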