Build AppControl Manager MSIX Package.yml
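# Manually triggered workflow that builds the AppControl Manager MSIX package on
# a Windows runner, then publishes a build-provenance attestation and an SBOM
# attestation for the produced .msix file.
name: Build AppControl Manager MSIX Package

# Token scopes apply to the whole workflow (there is a single job).
#   id-token + attestations: used by the two actions/attest-* steps.
#   contents: write: presumably needed by the SBOM step's
#     `dependency-snapshot: true` upload - confirm before narrowing.
#   actions: read: presumably for the SBOM step's artifact handling - confirm.
permissions:
  id-token: write
  actions: read
  contents: write
  attestations: write

on:
  workflow_dispatch:

jobs:
  build:
    runs-on: windows-latest
    steps:
      # NOTE(review): every `uses:` in this job references a mutable tag
      # (@v4, @v1, @v0). Pinning each one to a full commit SHA
      # (`uses: owner/action@<full-commit-sha>  # vX.Y.Z`) keeps a retagged
      # release from silently changing what runs with the write-scoped token.
      - name: Check out the repository code
        uses: actions/checkout@v4
        with:
          # Later steps download and run installers and build tooling while the
          # job token has `contents: write`; do not leave that token stored in
          # the checked-out repository's git config. No later step runs git.
          persist-credentials: false

      - name: Setting up and downloading Winget
        shell: pwsh
        run: |
          # Set up URLs and retrieve Winget latest release information
          [string]$WingetRepoURL = 'https://api.github.com/repos/microsoft/winget-cli/releases'
          $WingetReleases = Invoke-RestMethod -Uri $WingetRepoURL
          $LatestRelease = $WingetReleases | Select-Object -First 1
          # NOTE(review): $WingetURL2 is assigned but never read. The bundle below is
          # fetched from the aka.ms redirect while the license URL comes from the first
          # entry of the releases list, so the two may not belong to the same release.
          [string]$WingetURL2 = $LatestRelease.assets.browser_download_url | Where-Object { $_.EndsWith('.msixbundle') } | Select-Object -First 1
          [string]$WingetLicense = $LatestRelease.assets.browser_download_url | Where-Object { $_.EndsWith('License1.xml') } | Select-Object -First 1
          # NOTE(review): none of these downloads is checked against a known hash, and
          # two of them go through aka.ms redirects whose target can change over time.
          # Everything fetched here is installed on the runner that later builds and
          # attests the package, so consider pinning exact release URLs and comparing
          # Get-FileHash output with recorded values before installing.
          [hashtable]$Downloads = @{
            'VCLibs.appx'            = 'https://aka.ms/Microsoft.VCLibs.x64.14.00.Desktop.appx'
            'Microsoft.UI.Xaml.appx' = 'https://github.com/microsoft/microsoft-ui-xaml/releases/download/v2.8.6/Microsoft.UI.Xaml.2.8.x64.appx'
            'Winget.msixbundle'      = 'https://aka.ms/getwinget'
            'License1.xml'           = $WingetLicense
          }
          # Download the four files concurrently into the working directory
          $Downloads.GetEnumerator() | ForEach-Object -Parallel {
            $FileName = $_.Key
            $URL = $_.Value
            Invoke-RestMethod -Uri $URL -OutFile $FileName
          }
          Add-AppxProvisionedPackage -Online -PackagePath 'Winget.msixbundle' -DependencyPackagePath 'Microsoft.UI.Xaml.appx', 'VCLibs.appx' -LicensePath 'License1.xml'

      - name: Finishing setting up Winget
        shell: powershell
        run: |
          # Add-AppPackage on Windows Server throws error so we use Windows PowerShell for this section.
          Add-AppPackage -Path 'Winget.msixbundle' -DependencyPath 'Microsoft.UI.Xaml.appx', 'VCLibs.appx' -ForceTargetApplicationShutdown -ForceUpdateFromAnyVersion

      # NOTE(review): no `--version` is given, so each run installs whatever
      # the winget source currently offers (including a preview .NET SDK).
      # The toolchain behind an attested artifact can therefore differ from
      # run to run; pin versions if the provenance should be reproducible.
      - name: Installing the necessary programs
        run: |
          winget install --id Microsoft.DotNet.SDK.Preview --exact --accept-package-agreements --accept-source-agreements --uninstall-previous --force
          winget install --id Microsoft.VisualStudio.2022.BuildTools --exact --accept-package-agreements --accept-source-agreements --uninstall-previous --force
          winget install --id Microsoft.WindowsSDK.10.0.26100 --exact --accept-package-agreements --accept-source-agreements --uninstall-previous --force
          winget install --id Microsoft.AppInstaller --exact --accept-package-agreements --accept-source-agreements --uninstall-previous --force
          winget install --id Microsoft.VCRedist.2015+.x64 --exact --accept-package-agreements --accept-source-agreements --uninstall-previous --force

      - name: Building the AppControl Manager
        run: dotnet build "AppControl Manager/AppControl Manager.sln" --configuration Release --verbosity minimal

      - name: Generating the MSIX Package
        run: dotnet msbuild "AppControl Manager/AppControl Manager.sln" /p:Configuration=Release /p:AppxPackageDir="MSIXOutput\" /p:GenerateAppxPackageOnBuild=true

      - name: Capturing the Generated MSIX file Path
        shell: pwsh
        run: |
          # Resolve the package produced by the previous step. The result is forced into
          # an array so that zero, one and several matches can be told apart: casting
          # several FullName values to [string] would join them with spaces and hand the
          # attestation steps a path that does not exist.
          $MSIXFiles = @(Get-ChildItem -Path '.\AppControl Manager\MSIXOutput\AppControl Manage*\AppControl Manager*.msix')
          if ($MSIXFiles.Count -eq 0) { throw "Couldn't find the generated MSIX package" }
          if ($MSIXFiles.Count -gt 1) { throw "Expected exactly one generated MSIX package but found $($MSIXFiles.Count)" }
          [string]$MSIXPath = $MSIXFiles[0].FullName
          # Write the MSIXPath to GITHUB_ENV to set it as an environment variable for the entire workflow
          Add-Content -Path $env:GITHUB_ENV -Value "MSIX_PATH=$MSIXPath"

      # Attests build provenance for the single .msix resolved above.
      - name: Generating Artifact Attestation
        uses: actions/attest-build-provenance@v1
        with:
          subject-path: ${{ env.MSIX_PATH }}

      # NOTE(review): no scan target is configured here, so the SBOM
      # presumably describes the checked-out workspace rather than the
      # contents of the .msix itself - confirm that this is the intended
      # subject, because the next step binds this SBOM to the package.
      - name: Generating SBOM
        uses: anchore/sbom-action@v0
        with:
          dependency-snapshot: true
          upload-release-assets: false
          upload-artifact: true
          output-file: ./HardenWindowsSecurityRepoSBOM.spdx
          artifact-name: HardenWindowsSecurityRepoSBOM.spdx

      # Attaches the SBOM file written by the previous step to the .msix.
      - name: Generating SBOM attestation
        uses: actions/attest-sbom@v1
        with:
          subject-path: ${{ env.MSIX_PATH }}
          sbom-path: ./HardenWindowsSecurityRepoSBOM.spdx
          show-summary: true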