MGough/tauri_ev.yaml

## tauri_ev.yaml
name: Build Tauri App

on:
  push:
    branches:
      - main

jobs:
  publish-artifacts:
    strategy:
      fail-fast: false
      matrix:
        runs_on: [windows-latest]
    runs-on: ${{ matrix.runs_on }}
    steps:
      - uses: actions/checkout@v3

      - name: setup node
        uses: actions/setup-node@v3
        with:
          node-version: 16

      - name: install Rust stable
        uses: actions-rs/toolchain@v1
        with:
          toolchain: stable

      - name: Install Yarn dependencies
        # Shell set to bash, to support MacOS & Windows simultaneously
        shell: bash
        run: yarn

      - name: Build App
        # Or whatever your build command is!
        run: yarn build
        # Shell set to bash, to support MacOS & Windows simultaneously
        shell: bash
        env:
          TAURI_PRIVATE_KEY: ${{ secrets.TAURI_PRIVATE_KEY }}
          TAURI_KEY_PASSWORD: ${{ secrets.TAURI_KEY_PASSWORD }}

      - name: Sign Windows App (EV)
        if: ${{ matrix.platform == 'windows' }}
        run: |
          dotnet tool install --global AzureSignTool
          # You'll probably want to template in your app version number here somehow
          AzureSignTool sign -kvu "${{ secrets.AZURE_KEY_VAULT_URI }}" -kvi "${{ secrets.AZURE_CLIENT_ID }}" -kvt "${{ secrets.AZURE_TENANT_ID }}"-kvs "${{ secrets.AZURE_CLIENT_SECRET }}" -kvc ${{ secrets.AZURE_CERT_NAME }} -tr http://timestamp.digicert.com -v src-tauri\target\release\bundle\msi\Your_App_Name_And_Version_0.0.1_x64_en-US.msi -d "Your Company Name"

      - name: Sign Windows Update Bundle
        if: ${{ matrix.platform == 'windows' }}
        run: |
          # These files were generated by the build, but contain a non code signed (EV) version of our app
          # So we need to scrap them, and sign our own
          rm src-tauri\target\release\bundle\msi\Your_App_Name_And_Version_0.0.1_x64_en-US.msi.zip
          rm src-tauri\target\release\bundle\msi\Your_App_Name_And_Version_0.0.1_x64_en-US.msi.zip.sig
          # Zip the MSI we signed using AzureSignTool
          # Tauri currently zips, but doesn't compress. So we use `-mx=0` which enables copy/store mode
          7z a -mx=0 src-tauri\target\release\bundle\msi\Your_App_Name_And_Version_0.0.1_x64_en-US.msi.zip .\src-tauri\target\release\bundle\msi\Your_App_Name_And_Version_0.0.1_x64_en-US.msi
          # Generate the `msi.sig` file for the updater!
          yarn tauri signer sign src-tauri\target\release\bundle\msi\Your_App_Name_And_Version_0.0.1_x64_en-US.msi.zip --private-key ${{ secrets.TAURI_PRIVATE_KEY }} --password ${{ secrets.TAURI_KEY_PASSWORD }}
	name: Build Tauri App

	on:
	push:
	branches:
	- main

	jobs:
	publish-artifacts:
	strategy:
	fail-fast: false
	matrix:
	runs_on: [windows-latest]
	runs-on: ${{ matrix.runs_on }}
	steps:
	- uses: actions/checkout@v3

	- name: setup node
	uses: actions/setup-node@v3
	with:
	node-version: 16

	- name: install Rust stable
	uses: actions-rs/toolchain@v1
	with:
	toolchain: stable

	- name: Install Yarn dependencies
	# Shell set to bash, to support MacOS & Windows simultaneously
	shell: bash
	run: yarn

	- name: Build App
	# Or whatever your build command is!
	run: yarn build
	# Shell set to bash, to support MacOS & Windows simultaneously
	shell: bash
	env:
	TAURI_PRIVATE_KEY: ${{ secrets.TAURI_PRIVATE_KEY }}
	TAURI_KEY_PASSWORD: ${{ secrets.TAURI_KEY_PASSWORD }}

	- name: Sign Windows App (EV)
	if: ${{ matrix.platform == 'windows' }}
	run: \|
	dotnet tool install --global AzureSignTool
	# You'll probably want to template in your app version number here somehow
	AzureSignTool sign -kvu "${{ secrets.AZURE_KEY_VAULT_URI }}" -kvi "${{ secrets.AZURE_CLIENT_ID }}" -kvt "${{ secrets.AZURE_TENANT_ID }}"-kvs "${{ secrets.AZURE_CLIENT_SECRET }}" -kvc ${{ secrets.AZURE_CERT_NAME }} -tr http://timestamp.digicert.com -v src-tauri\target\release\bundle\msi\Your_App_Name_And_Version_0.0.1_x64_en-US.msi -d "Your Company Name"

	- name: Sign Windows Update Bundle
	if: ${{ matrix.platform == 'windows' }}
	run: \|
	# These files were generated by the build, but contain a non code signed (EV) version of our app
	# So we need to scrap them, and sign our own
	rm src-tauri\target\release\bundle\msi\Your_App_Name_And_Version_0.0.1_x64_en-US.msi.zip
	rm src-tauri\target\release\bundle\msi\Your_App_Name_And_Version_0.0.1_x64_en-US.msi.zip.sig
	# Zip the MSI we signed using AzureSignTool
	# Tauri currently zips, but doesn't compress. So we use `-mx=0` which enables copy/store mode
	7z a -mx=0 src-tauri\target\release\bundle\msi\Your_App_Name_And_Version_0.0.1_x64_en-US.msi.zip .\src-tauri\target\release\bundle\msi\Your_App_Name_And_Version_0.0.1_x64_en-US.msi
	# Generate the `msi.sig` file for the updater!
	yarn tauri signer sign src-tauri\target\release\bundle\msi\Your_App_Name_And_Version_0.0.1_x64_en-US.msi.zip --private-key ${{ secrets.TAURI_PRIVATE_KEY }} --password ${{ secrets.TAURI_KEY_PASSWORD }}