chore: use vault for windows certificates

.github/workflows/BUILD_ON_DEMAND.yml

@@ -59,6 +59,22 @@ jobs:
         CSC_KEY_PASSWORD: "${{ secrets.CSC_KEY_PASSWORD }}"
       run: npm run build -- --mac --publish --on-demand
 
+    - name: Import Secrets (Windows)
+      id: windows-secrets
+      uses: hashicorp/[email protected]
+      if: ${{ runner.os == 'Windows' }}
+      with:
+        url: ${{ secrets.VAULT_ADDR }}
+        method: approle
+        roleId: ${{ secrets.VAULT_ROLE_ID }}
+        secretId: ${{ secrets.VAULT_SECRET_ID }}
+        exportEnv: false
+        secrets: |
+          secret/data/products/desktop-modeler/ci/certificates CSC_CERT_WIN;
+    - name: Decode Secret
+      if: ${{ runner.os == 'Windows' }}
+      with:
+      run: echo ${{ steps.windows-secrets.outputs.CSC_CERT_WIN }} | base64 --decode > ./cert.pfx
     - name: Build distro (Windows)
       if: ${{ runner.os == 'Windows' }}
       env:
@@ -67,6 +83,5 @@ jobs:
         AWS_SECRET_ACCESS_KEY: "${{ secrets.AWS_ON_DEMAND_SECRET_ACCESS_KEY }}"
         AWS_REGION: "${{ secrets.AWS_ON_DEMAND_REGION }}"
         AWS_BUCKET: "${{ secrets.AWS_ON_DEMAND_BUCKET }}"
-        CSC_LINK: "${{ secrets.WIN_CSC_LINK }}"
-        CSC_KEY_PASSWORD: "${{ secrets.WIN_CSC_KEY_PASSWORD }}"
+        CSC_LINK: "file://./cert.pfx"
       run: npm run build -- --win --publish --on-demand

.github/workflows/NIGHTLY.yml

@@ -66,11 +66,26 @@ jobs:
         UPDATES_SERVER_PRODUCT_NAME: "${{ secrets.UPDATES_SERVER_PRODUCT_NAME }}"
       run: npm run build -- --mac
 
+    - name: Import Secrets (Windows)
+      id: windows-secrets
+      uses: hashicorp/[email protected]
+      if: ${{ runner.os == 'Windows' }}
+      with:
+        url: ${{ secrets.VAULT_ADDR }}
+        method: approle
+        roleId: ${{ secrets.VAULT_ROLE_ID }}
+        secretId: ${{ secrets.VAULT_SECRET_ID }}
+        exportEnv: false
+        secrets: |
+          secret/data/products/desktop-modeler/ci/certificates CSC_CERT_WIN;
+    - name: Decode Secret
+      if: ${{ runner.os == 'Windows' }}
+      with:
+      run: echo ${{ steps.windows-secrets.outputs.CSC_CERT_WIN }} | base64 --decode > ./cert.pfx
     - name: Build nightly (Windows)
       if: ${{ runner.os == 'Windows' }}
       env:
-        CSC_LINK: "${{ secrets.WIN_CSC_LINK }}"
-        CSC_KEY_PASSWORD: "${{ secrets.WIN_CSC_KEY_PASSWORD }}"
+        CSC_LINK: "file://./cert.pfx"
         MIXPANEL_TOKEN: "${{ secrets.MIXPANEL_PROJECT_TOKEN }}"
         MIXPANEL_STAGE: "int"
         NIGHTLY: 1

.github/workflows/RELEASE.yml

@@ -56,6 +56,7 @@ jobs:
         GH_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
         NODE_ENV: "production"
       run: npm run build -- --linux --publish
+
     - name: Build release (MacOS)
       if: ${{ runner.os == 'macOS' }}
       env:
@@ -74,11 +75,27 @@ jobs:
         GH_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
         NODE_ENV: "production"
       run: npm run build -- --mac --publish
+
+    - name: Import Secrets (Windows)
+      id: windows-secrets
+      uses: hashicorp/[email protected]
+      if: ${{ runner.os == 'Windows' }}
+      with:
+        url: ${{ secrets.VAULT_ADDR }}
+        method: approle
+        roleId: ${{ secrets.VAULT_ROLE_ID }}
+        secretId: ${{ secrets.VAULT_SECRET_ID }}
+        exportEnv: false
+        secrets: |
+          secret/data/products/desktop-modeler/ci/certificates CSC_CERT_WIN;
+    - name: Decode Secret
+      if: ${{ runner.os == 'Windows' }}
+      with:
+      run: echo ${{ steps.windows-secrets.outputs.CSC_CERT_WIN }} | base64 --decode > ./cert.pfx
     - name: Build release (Windows)
       if: ${{ runner.os == 'Windows' }}
       env:
-        CSC_LINK: "${{ secrets.WIN_CSC_LINK }}"
-        CSC_KEY_PASSWORD: "${{ secrets.WIN_CSC_KEY_PASSWORD }}"
+        CSC_LINK: "file://./cert.pfx"
         MIXPANEL_TOKEN: "${{ secrets.MIXPANEL_PROJECT_TOKEN }}"
         MIXPANEL_STAGE: "prod"
         SENTRY_AUTH_TOKEN: "${{ secrets.SENTRY_AUTH_TOKEN }}"