From aab2356c439b3a341ad7259c179d6cb369d3fcf9 Mon Sep 17 00:00:00 2001
From: David Sanders
Date: Tue, 5 Nov 2024 16:19:16 -0800
Subject: [PATCH] ci: switch to GHA (#39)
Will publish with provenance enabled. `main` currently is blocked from releasing due to an uncaught linting error which is fixed in this PR, so merging this PR will trigger a new release. Also adds Node.js v22 to the test matrix.
---
 .circleci/config.yml | 43 -----------------------------------
 .github/workflows/release.yml | 28 +++++++++++++++++++++++
 .github/workflows/test.yml | 42 ++++++++++++++++++++++++++++++++++
 package.json | 3 +++
 src/sign-with-signtool.ts | 2 +-
 5 files changed, 74 insertions(+), 44 deletions(-)
 delete mode 100644 .circleci/config.yml
 create mode 100644 .github/workflows/release.yml
 create mode 100644 .github/workflows/test.yml
diff --git a/.circleci/config.yml b/.circleci/config.yml
deleted file mode 100644
index f65129e..0000000
--- a/.circleci/config.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-version: 2.1
-
-orbs:
- cfa: continuousauth/npm@2.1.1
- node: electronjs/node@2.3.1
-
-workflows:
- test_and_release:
- # Run the test jobs first, then the release only when all the test jobs are successful
- jobs:
- - node/test:
- name: test-<< matrix.executor >>-<< matrix.node-version >>
- test-steps:
- - run: yarn lint
- - when:
- condition:
- equal: [ '20.9', << matrix.node-version >> ]
- steps:
- - run: yarn test
- - when:
- condition:
- not:
- equal: [ '20.9', << matrix.node-version >> ]
- steps:
- - run: yarn test:loader
- use-test-steps: true
- matrix:
- alias: test
- parameters:
- executor:
- - node/windows
- node-version:
- - '20.9'
- - '18.17'
- - '16.20'
- - cfa/release:
- requires:
- - test
- filters:
- branches:
- only:
- - main
- context: cfa-release
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..dafdfc7
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,28 @@
+name: Release
+
+on:
+ push:
+ branches:
+ - main
+
+jobs:
+ test:
+ uses: ./.github/workflows/test.yml
+
+ release:
+ name: Release
+ runs-on: ubuntu-latest
+ needs: test
+ environment: npm
+ permissions:
+ id-token: write # for CFA and npm provenance
+ steps:
+ - name: Checkout
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ with:
+ persist-credentials: false
+ - uses: continuousauth/action@c32f05c950d4e6f4abd8d1d8a46269525e2dbf55 # v1.0.3
+ with:
+ project-id: ${{ secrets.CFA_PROJECT_ID }}
+ secret: ${{ secrets.CFA_SECRET }}
+ npm-token: ${{ secrets.NPM_TOKEN }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
new file mode 100644
index 0000000..1e69765
--- /dev/null
+++ b/.github/workflows/test.yml
@@ -0,0 +1,42 @@
+name: Test
+
+on:
+ pull_request:
+ branches:
+ - main
+ schedule:
+ - cron: '0 22 * * 3'
+ workflow_call:
+
+permissions:
+ contents: read
+
+jobs:
+ test:
+ name: Test
+ strategy:
+ matrix:
+ node-version:
+ - '22.11'
+ - '20.9'
+ - '18.17'
+ - '16.20'
+ runs-on: windows-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - name: Setup Node.js
+ uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+ with:
+ node-version: "${{ matrix.node-version }}"
+ cache: 'yarn'
+ - name: Install
+ run: yarn install --frozen-lockfile
+ - name: Lint
+ run: yarn lint
+ - name: Test (Node.js v20+)
+ if: ${{ matrix.node-version == '20.9' || matrix.node-version == '22.11' }}
+ run: yarn test
+ - name: Test (Node.js < v20)
+ if: ${{ matrix.node-version != '20.9' && matrix.node-version != '22.11' }}
+ run: yarn test:loader
diff --git a/package.json b/package.json
index 04e1d67..ee05a61 100644
--- a/package.json
+++ b/package.json
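Review bot: release.yml has no workflow-level `permissions` block, so only the `release` job is pinned (to `id-token: write`); the `test` caller job, and any job added later without its own block, starts from the repository's default GITHUB_TOKEN scope. Declaring `permissions:` with `contents: read` at the top of the file, as test.yml does, makes least privilege explicit and independent of repository settings; an empty `{}` would likely be too tight, because the called test workflow requests `contents: read`. If `NPM_TOKEN` and `CFA_SECRET` are scoped to the `npm` environment, a short comment next to `environment: npm` saying that its protection rules are what gate the publish credentials would help the next maintainer, since those rules are not visible in the file.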
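Review bot: The Checkout step in test.yml leaves `persist-credentials` at its default, so the job token stays in the workspace's git config while `yarn install`, `yarn lint` and the test scripts execute code taken from the pull request; the checkout in release.yml already turns this off. The token is read-only here because of `permissions: contents: read`, so the exposure is small, but adding `with:` and `persist-credentials: false` to this step keeps the two workflows consistent and leaves no credential on disk for PR-supplied scripts to read. Separately, the two `if:` expressions repeat the `'20.9'` and `'22.11'` literals from the matrix, so a version added only to the matrix falls into the `yarn test:loader` branch; a comment on the matrix such as `# keep in sync with the "Test" step conditions below` would make that coupling visible.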
@@ -28,6 +28,9 @@
 "url": "https://github.com/electron/windows-sign/issues"
 },
 "homepage": "https://github.com/electron/windows-sign",
+ "publishConfig": {
+ "provenance": true
+ },
 "dependencies": {
 "cross-dirname": "^0.1.0",
 "debug": "^4.3.4",
diff --git a/src/sign-with-signtool.ts b/src/sign-with-signtool.ts
index 89edc6a..1e2c0af 100644
--- a/src/sign-with-signtool.ts
+++ b/src/sign-with-signtool.ts
@@ -128,7 +128,7 @@ export async function signWithSignTool(options: InternalSignOptions) {
 if (hashes.includes(HASHES.sha1)) {
 await execute({ ...internalOptions, hash: HASHES.sha1 });
 // If we signed with SHA1, we need to append the SHA256 signature:
- internalOptions.appendSignature = true
+ internalOptions.appendSignature = true;
 }
 if (hashes.includes(HASHES.sha256)) {
 await execute({ ...internalOptions, hash: HASHES.sha256 });