NeoAnd/mcp-server-wazuh
1
0
Fork 0
mirror of https://github.com/gbrigandi/mcp-server-wazuh.git synced 2025-12-24 21:57:44 -06:00
Code Issues Actions Packages Projects Releases Wiki Activity
Files
50f2fc968d1097b9ccb5721731d932a45775caec
mcp-server-wazuh/.github/workflows/release.yml
Gianluca Brigandi 50f2fc968d debug: add certificate import diagnostics 
Rollback conditional signing and add debugging to identify why
"0 valid identities found" error occurs. This will help diagnose:
- Whether APPLE_CERTIFICATE_BASE64 is properly set
- Whether the .p12 file is valid
- What certificates/identities are imported
2025-12-05 17:55:55 -08:00

276 lines
11 KiB
YAML
Raw Blame History

name: Release Build
on:
push:
tags:
- 'v*' # Trigger on version tags like v0.1.0
permissions:
contents: write # Needed to create releases
packages: write # Needed to push to GitHub Container Registry
jobs:
validate_version:
name: Validate Version
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Validate tag format
run: |
if [[ ! "${GITHUB_REF}" =~ ^refs/tags/v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
echo "❌ Invalid tag format. Must be v#.#.#"
exit 1
fi
echo "✅ Tag format is valid"
- name: Check version in Cargo.toml
run: |
TAG_VERSION=${GITHUB_REF#refs/tags/v}
echo "Tag version: $TAG_VERSION"
CARGO_VERSION=$(grep '^version' Cargo.toml | head -1 | cut -d '"' -f 2)
echo "Cargo.toml version: $CARGO_VERSION"
if [ "$CARGO_VERSION" != "$TAG_VERSION" ]; then
echo "❌ Version mismatch"
echo " Tag version: $TAG_VERSION"
echo " Cargo.toml version: $CARGO_VERSION"
exit 1
fi
echo "✅ Version matches: $TAG_VERSION"
build_binaries:
name: Build Binaries for ${{ matrix.target }}
needs: validate_version
runs-on: ${{ matrix.os }}
strategy:
matrix:
include:
# Linux Intel (musl for static linking)
- os: ubuntu-latest
target: x86_64-unknown-linux-musl
asset_name_suffix: linux-amd64
output_name: mcp-server-wazuh
# Windows Intel
- os: windows-latest
target: x86_64-pc-windows-msvc
asset_name_suffix: windows-amd64.exe
output_name: mcp-server-wazuh.exe
# macOS Intel
- os: macos-latest
target: x86_64-apple-darwin
asset_name_suffix: macos-amd64
output_name: mcp-server-wazuh
# macOS Apple Silicon
- os: macos-14
target: aarch64-apple-darwin
asset_name_suffix: macos-arm64
output_name: mcp-server-wazuh
steps:
- uses: actions/checkout@v4
- name: Set up Rust for target ${{ matrix.target }}
uses: dtolnay/rust-toolchain@stable
with:
targets: ${{ matrix.target }}
- name: Install musl-tools (Linux MUSL target only)
if: matrix.os == 'ubuntu-latest' && contains(matrix.target, 'musl')
run: |
sudo apt-get update -y
sudo apt-get install -y musl-tools
- name: Build binary
run: cargo build --verbose --release --target ${{ matrix.target }}
- name: Check dynamic dependencies (macOS only)
if: matrix.os == 'macos-latest' || matrix.os == 'macos-14'
run: |
echo "=== Checking dynamic library dependencies ==="
otool -L ./target/${{ matrix.target }}/release/${{ matrix.output_name }} || true
echo ""
echo "=== Checking for problematic dependencies ==="
if otool -L ./target/${{ matrix.target }}/release/${{ matrix.output_name }} | grep -E "(liblzma|/opt/homebrew|/usr/local)"; then
echo "WARNING: Found dynamic dependencies that may cause issues with code signing"
fi
- name: Import Apple Certificate (macOS only)
if: matrix.os == 'macos-latest' || matrix.os == 'macos-14'
env:
APPLE_CERTIFICATE_BASE64: ${{ secrets.APPLE_CERTIFICATE_BASE64 }}
APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
run: |
# Debug: Check if secrets are set (without revealing them)
echo "=== Checking secrets ==="
if [ -z "$APPLE_CERTIFICATE_BASE64" ]; then
echo "ERROR: APPLE_CERTIFICATE_BASE64 is empty!"
exit 1
else
echo "APPLE_CERTIFICATE_BASE64: Set (length: ${#APPLE_CERTIFICATE_BASE64})"
fi
if [ -z "$APPLE_CERTIFICATE_PASSWORD" ]; then
echo "WARNING: APPLE_CERTIFICATE_PASSWORD is empty"
else
echo "APPLE_CERTIFICATE_PASSWORD: Set (length: ${#APPLE_CERTIFICATE_PASSWORD})"
fi
# Create temporary keychain with proper extension
security create-keychain -p temp-password build.keychain
security default-keychain -s build.keychain
security unlock-keychain -p temp-password build.keychain
security set-keychain-settings -lut 21600 build.keychain
# Add build keychain to search list
security list-keychains -d user -s build.keychain $(security list-keychains -d user | sed s/\"//g)
# Import certificate with -A flag to avoid access control issues
echo "$APPLE_CERTIFICATE_BASE64" | base64 --decode > certificate.p12
# Debug: Check p12 file
echo "=== Checking .p12 file ==="
ls -la certificate.p12
file certificate.p12
# Import certificate (should contain both cert and private key)
echo "=== Importing certificate ==="
security import certificate.p12 -k build.keychain -P "$APPLE_CERTIFICATE_PASSWORD" -A -T /usr/bin/codesign
IMPORT_RESULT=$?
echo "Import exit code: $IMPORT_RESULT"
# Debug: List all items in keychain
echo "=== All certificates in build.keychain ==="
security find-certificate -a build.keychain || true
echo "=== All identities (including non-codesigning) ==="
security find-identity -v build.keychain || true
# Import Apple intermediate certificate (DER format)
curl -o DeveloperIDG2CA.cer https://www.apple.com/certificateauthority/DeveloperIDG2CA.cer
security import DeveloperIDG2CA.cer -k build.keychain -A -T /usr/bin/codesign
# Import Apple Worldwide Developer Relations CA G3 (DER format)
curl -o AppleWWDRCAG3.cer https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer
security import AppleWWDRCAG3.cer -k build.keychain -A -T /usr/bin/codesign
# Set partition list to avoid password prompts
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k temp-password build.keychain
# Clean up certificate files
rm certificate.p12 DeveloperIDG2CA.cer AppleWWDRCAG3.cer
- name: Code Sign Binary (macOS only)
if: matrix.os == 'macos-latest' || matrix.os == 'macos-14'
env:
APPLE_SIGNING_IDENTITY: ${{ secrets.APPLE_SIGNING_IDENTITY }}
run: |
# Check identities in build keychain
echo "=== Code signing identities in build.keychain ==="
security find-identity -v -p codesigning build.keychain || true
# Extract signing identity hash from build keychain
SIGNING_HASH=$(security find-identity -v -p codesigning build.keychain | grep "$APPLE_SIGNING_IDENTITY" | grep -oE "[0-9A-F]{40}" | head -n 1)
echo "Using signing hash: $SIGNING_HASH"
# Sign the binary using the SHA-1 hash
/usr/bin/codesign --force --sign "$SIGNING_HASH" --timestamp --options runtime ./target/${{ matrix.target }}/release/${{ matrix.output_name }} -v
# Verify signature
/usr/bin/codesign --verify --verbose ./target/${{ matrix.target }}/release/${{ matrix.output_name }}
- name: Notarize Binary (macOS only)
if: matrix.os == 'macos-latest' || matrix.os == 'macos-14'
env:
APPLE_API_KEY_BASE64: ${{ secrets.APPLE_API_KEY_BASE64 }}
APPLE_API_KEY_ID: ${{ secrets.APPLE_API_KEY_ID }}
APPLE_API_ISSUER_ID: ${{ secrets.APPLE_API_ISSUER_ID }}
run: |
# Create API key file
echo "=== Creating API key file ==="
API_KEY_FILE="AuthKey_${APPLE_API_KEY_ID}.p8"
echo "$APPLE_API_KEY_BASE64" | base64 --decode > "$API_KEY_FILE"
echo "Created: $API_KEY_FILE"
# Create zip file for notarization using ditto (preserves metadata better)
echo "=== Creating zip file for notarization ==="
ZIP_FILE="mcp-server-wazuh-${{ matrix.asset_name_suffix }}-notarization.zip"
ditto -c -k --sequesterRsrc --keepParent ./target/${{ matrix.target }}/release/${{ matrix.output_name }} "$ZIP_FILE"
echo "Created: $ZIP_FILE"
# Submit for notarization
echo "=== Submitting for notarization ==="
echo "This may take several minutes..."
xcrun notarytool submit "$ZIP_FILE" \
--key "$API_KEY_FILE" \
--key-id "$APPLE_API_KEY_ID" \
--issuer "$APPLE_API_ISSUER_ID" \
--wait
# Attempt to staple the notarization (will fail for command-line tools - this is expected)
echo "=== Attempting to staple notarization ==="
echo "Note: Stapling fails for command-line tools - this is normal"
xcrun stapler staple ./target/${{ matrix.target }}/release/${{ matrix.output_name }} || echo "Stapling failed (expected for command-line tools)"
# Final verification
echo "=== Final signature and notarization verification ==="
codesign --verify --verbose ./target/${{ matrix.target }}/release/${{ matrix.output_name }}
spctl --assess --type execute --verbose ./target/${{ matrix.target }}/release/${{ matrix.output_name }} || echo "spctl assessment completed"
# Clean up files
rm -f "$ZIP_FILE" "$API_KEY_FILE"
echo "=== Notarization completed successfully ==="
- name: Rename binary for upload
shell: bash
run: |
cp ./target/${{ matrix.target }}/release/${{ matrix.output_name }} mcp-server-wazuh-${{ matrix.asset_name_suffix }}
- name: Upload Release Asset
uses: softprops/action-gh-release@v2
with:
files: mcp-server-wazuh-${{ matrix.asset_name_suffix }}
build_docker:
name: Build and Push Docker Image
needs: validate_version
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata
id: meta
uses: docker/metadata-action@v5
with:
images: ghcr.io/gbrigandi/mcp-server-wazuh
tags: |
type=ref,event=tag
type=raw,value=latest
- name: Build and push Docker image
uses: docker/build-push-action@v5
with:
context: .
platforms: linux/amd64,linux/arm64
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
Reference in New Issue View Git Blame Copy Permalink