buildalon · StephenHodgson · May 2, 2025 · May 2, 2025 · May 2, 2025 · May 2, 2025
@@ -0,0 +1,45 @@
+{
+  "os": [
+    "windows-latest"
+  ],
+  "build-target": [
+    "WSAPlayer"
+  ],
+  "unity-version": [
+    "6000.0.49f1 (840e0a9776d9)"
+  ],
+  "uwp-arch": [
+    "x64",
+    "ARM64"
+  ],
+  "uwp-subtarget": [
+    "PC",
+    "HoloLens"
+  ],
+  "uwp-package-type": [
+    "sideload",
+    "upload"
+  ],
+  "certificate-type": [
+    "default",
+    "custom"
+  ],
+  "windows-sdk-version": [
+    "10.0.22621.0",
+    "10.0.26100.0"
+  ],
+  "exclude": [
+    {
+      "uwp-package-type": "upload",
+      "certificate-type": "custom"
+    },
+    {
+      "uwp-subtarget": "PC",
+      "uwp-arch": "ARM64"
+    },
+    {
+      "uwp-subtarget": "HoloLens",
+      "uwp-arch": "x64"
+    }
+  ]
+}
@@ -0,0 +1,204 @@
+name: build
+permissions:
+  contents: read
+on:
+  workflow_call:
+    inputs:
+      matrix:
+        required: true
+        type: string
+    secrets:
+      UNITY_USERNAME:
+        required: true
+      UNITY_PASSWORD:
+        required: true
+jobs:
+  build:
+    name: ${{ matrix.name }}
+    strategy:
+      matrix: ${{ fromJSON(inputs.matrix) }}
+      fail-fast: false
+    runs-on: ${{ matrix.os }}
+    permissions:
+      contents: read
+    env:
+      BUILD_OUTPUT_PATH: ${{ github.workspace }}/Builds/${{ matrix.build-target }}
+      TEMPLATE_PATH: ''
+      UNITY_PROJECT_PATH: '' # set by unity-setup action
+    steps:
+      - uses: actions/checkout@v4
+      - run: 'npm install -g openupm-cli'
+      - uses: buildalon/unity-setup@v1
+        with:
+          version-file: 'None'
+          build-targets: ${{ matrix.build-target }}
+          unity-version: ${{ matrix.unity-version }}
+      - name: Find Unity Template Path
+        run: |
+          $rootPath = $env:UNITY_EDITOR_PATH -replace "Editor.*", ""
+          Write-Host "ROOT_PATH=$rootPath"
+          $templatePath = Get-ChildItem -Recurse -Filter "com.unity.template.3d*.tgz" -Path $rootPath | Select-Object -First 1 | Select-Object -ExpandProperty FullName
+          Write-Host "TEMPLATE_PATH=$templatePath"
+          echo "TEMPLATE_PATH=$templatePath" >> $env:GITHUB_ENV
+          $projectPath = "${{ github.workspace }}/Test Project"
+          echo "UNITY_PROJECT_PATH=$projectPath" >> $env:GITHUB_ENV
+        shell: pwsh
+      - uses: buildalon/activate-unity-license@v1
+        with:
+          license: 'Personal'
+          username: ${{ secrets.UNITY_USERNAME }}
+          password: ${{ secrets.UNITY_PASSWORD }}
+      - uses: buildalon/unity-action@v1
+        name: Create Test Project
+        with:
+          log-name: 'create-test-project'
+          args: '-quit -nographics -batchmode -createProject "${{ env.UNITY_PROJECT_PATH }}" -cloneFromTemplate "${{ env.TEMPLATE_PATH }}"'
+      - run: 'openupm add com.virtualmaker.buildalon'
+        name: Add Build Pipeline Package
+        working-directory: ${{ env.UNITY_PROJECT_PATH }}
+      - uses: buildalon/unity-action@v1
+        name: '${{ matrix.build-target }}-Validate'
+        with:
+          build-target: ${{ matrix.build-target }}
+          log-name: '${{ matrix.build-target }}-Validate'
+          args: '-quit -nographics -batchmode -executeMethod Buildalon.Editor.BuildPipeline.UnityPlayerBuildTools.ValidateProject -importTMProEssentialsAsset'
+      - uses: buildalon/unity-action@v1
+        name: '${{ matrix.build-target }}-Build'
+        with:
+          build-target: ${{ matrix.build-target }}
+          log-name: '${{ matrix.build-target }}-Build'
+          args: '-quit -nographics -batchmode -executeMethod Buildalon.Editor.BuildPipeline.UnityPlayerBuildTools.StartCommandLineBuild -buildOutputDirectory ${{ env.BUILD_OUTPUT_PATH }} -sceneList Assets/Scenes/SampleScene.unity -arch ${{ matrix.uwp-arch }} -wsaSubtarget ${{ matrix.uwp-subtarget }} -wsaUWPSDK ${{ matrix.windows-sdk-version }}'
+      - name: Enumerate Build Directory
+        shell: bash
+        run: |
+          if [ -z "${{ env.BUILD_OUTPUT_PATH }}" ]; then
+            echo "::error::Failed to find build output path!"
+            exit 1
+          fi
+          if [ ! -d "${{ env.BUILD_OUTPUT_PATH }}" ]; then
+            echo "::error::Build output directory does not exist: ${{ env.BUILD_OUTPUT_PATH }}"
+            exit 1
+          fi
+          echo "::group::Build Artifacts"
+          ls -R "${{ env.BUILD_OUTPUT_PATH }}"
+          echo "::endgroup::"
+      - uses: microsoft/setup-msbuild@v2
+        with:
+          vs-version: '[15.0, )'
+      - name: Create Test Certificate
+        if: matrix.certificate-type == 'custom'
+        shell: pwsh
+        run: |
+          $certPath = "${{ github.workspace }}/TestCert.pfx"
+          $certPassword = "TestPassword123"
+
+          # Create a self-signed certificate for testing
+          $cert = New-SelfSignedCertificate -Type Custom -Subject "CN=TestPublisher" -KeyUsage DigitalSignature -FriendlyName "Test UWP Certificate" -CertStoreLocation "Cert:\CurrentUser\My" -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.3", "2.5.29.19={text}")
+
+          # Export the certificate to a PFX file
+          $pwd = ConvertTo-SecureString -String $certPassword -Force -AsPlainText
+          Export-PfxCertificate -cert "Cert:\CurrentUser\My\$($cert.Thumbprint)" -FilePath $certPath -Password $pwd
+
+          # Import the certificate into Trusted Root Certification Authorities so it is trusted for validation
+          Import-PfxCertificate -FilePath $certPath -CertStoreLocation "Cert:\LocalMachine\Root" -Password $pwd | Out-Null
+          Write-Host "Test certificate imported to Trusted Root Certification Authorities."
+
+          Write-Host "Test certificate created at: $certPath"
+      - uses: ./ # buildalon/unity-uwp-builder
+        id: uwp-build
+        with:
+          platform: ${{ matrix.uwp-arch }}
+          project-path: ${{ env.BUILD_OUTPUT_PATH }}
+          package-type: ${{ matrix.uwp-package-type }}
+          certificate-path: ${{ matrix.certificate-type == 'custom' && format('{0}/TestCert.pfx', github.workspace) || '' }}
+          certificate-password: ${{ matrix.certificate-type == 'custom' && 'TestPassword123' || '' }}
+          windows-sdk-version: ${{ matrix.windows-sdk-version }}
+      - name: Validate Outputs
+        shell: bash
+        run: |
+          set -e
+          OUTPUT_DIR="${{ steps.uwp-build.outputs.output-directory }}"
+          if [ -z "${OUTPUT_DIR}" ]; then
+            echo "❌ No output directory found at ${OUTPUT_DIR}"
+          else
+            echo "✅ Output Directory: ${OUTPUT_DIR}"
+          fi
+
+          ls -R "${OUTPUT_DIR}"
+      - name: Validate Certificate Usage
+        if: matrix.certificate-type == 'custom' && matrix.uwp-package-type == 'sideload'
+        shell: pwsh
+        run: |
+          $output_dir="${{ steps.uwp-build.outputs.output-directory }}"
+
+          if (-not (Test-Path $output_dir)) {
+            Write-Host "❌ Output directory does not exist: $output_dir"
+            exit 1
+          }
+
+          # get .appx, .appxbundle, .appxupload, .msix, .msixbundle, .msixupload files
+          $bundles = Get-ChildItem -Path $output_dir -Recurse -Include *.appx, *.appxbundle, *.appxupload, *.msix, *.msixbundle, *.msixupload | Select-Object -ExpandProperty FullName
+          if ($bundles.Count -eq 0) {
+            Write-Host "❌ No bundles found in output directory: $output_dir"
+            exit 1
+          }
+
+          $allValid = $true
+
+          foreach ($bundle in $bundles) {
+            # Skip Microsoft dependency packages
+            if ($bundle -match "Microsoft\.VCLibs\..*\.appx$") {
+              Write-Host "⏭️ Skipping Microsoft dependency package: $bundle"
+              continue
+            }
+
+            Write-Host "::group::🔍 Validating certificate for bundle: $bundle"
+
+            if (-not (Test-Path $bundle)) {
+              Write-Host "❌ Bundle not found: $bundle"
+              Write-Host "::endgroup::"
+              $allValid = $false
+              continue
+            }
+
+            $signature = Get-AuthenticodeSignature -FilePath $bundle
+            if ($signature.Status -eq "Valid") {
+              Write-Host "✅ Bundle is properly signed"
+              Write-Host "📜 Certificate Subject: $($signature.SignerCertificate.Subject)"
+              Write-Host "👤 Certificate Issuer: $($signature.SignerCertificate.Issuer)"
+              Write-Host "📅 Certificate Valid From: $($signature.SignerCertificate.NotBefore)"
+              Write-Host "📅 Certificate Valid To: $($signature.SignerCertificate.NotAfter)"
+              Write-Host "🔑 Certificate Thumbprint: $($signature.SignerCertificate.Thumbprint)"
+
+              if ($signature.SignerCertificate.Subject -like "*TestPublisher*") {
+                Write-Host "✅✅ Confirmed: Custom test certificate was used successfully!"
+              } else {
+                Write-Host "❌  Warning: Certificate subject doesn't match expected test certificate"
+                $allValid = $false
+              }
+            } elseif ($signature.Status -eq "NotSigned") {
+              Write-Host "❌ Bundle is not signed"
+              $allValid = $false
+            } else {
+              Write-Host "❌ Bundle signature status: $($signature.Status)"
+              $allValid = $false
+            }
+
+            Write-Host "📝 Signature details: $($signature.StatusMessage)"
+            Write-Host "::endgroup::"
+          }
+          if (-not $allValid) {
+            Write-Host "❌ One or more bundles failed certificate validation."
+            exit 1
+          } else {
+            Write-Host "✅ All bundles passed certificate validation."
+          }
+      - uses: actions/upload-artifact@v4
+        if: always() || cancelled()
+        with:
+          retention-days: 1
+          overwrite: true
+          name: ${{ matrix.unity-version }} ${{ matrix.name }}
+          path: |
+            ${{ github.workspace }}/**/*.log
+            ${{ env.BUILD_OUTPUT_PATH }}
@@ -0,0 +1,15 @@
+name: Update Release Tags
+on:
+  push:
+    tags: ['*']
+  workflow_dispatch:
+jobs:
+  update-release-tags:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: RageAgainstThePixel/update-action-release-tags@v1
@@ -1,97 +1,38 @@
 name: validate
 on:
   push:
-    branches:
-      - 'main'
+    branches: ['main']
   pull_request:
-    branches:
-      - '*'
-  # Allows you to run this workflow manually from the Actions tab
+    branches: ['*']
   workflow_dispatch:
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 jobs:
-  unity-build:
-    name: '(${{ matrix.unity-version }}) ${{ matrix.build-target }} - ${{ matrix.uwp-package-type }}'
-    env:
-      TEMPLATE_PATH: ''
-      UNITY_PROJECT_PATH: '' # set by unity-setup action
-    runs-on: ${{ matrix.os }}
-    strategy:
-      fail-fast: false
-      matrix:
-        os: [windows-latest]
-        build-target: [WSAPlayer]
-        unity-version: [2021.x, 2022.x, 6000.x]
-        uwp-package-type: [sideload, upload]
+  setup:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v4
-      - run: 'npm install -g openupm-cli'
-        # Installs the Unity Editor based on your project version text file
-        # sets -> env.UNITY_EDITOR_PATH
-        # sets -> env.UNITY_PROJECT_PATH
-      - uses: buildalon/unity-setup@v1
-        with:
-          version-file: 'None'
-          build-targets: ${{ matrix.build-target }}
-          unity-version: ${{ matrix.unity-version }}
-      - name: Find Unity Template Path
-        run: |
-          $rootPath = $env:UNITY_EDITOR_PATH -replace "Editor.*", ""
-          Write-Host "ROOT_PATH=$rootPath"
-          $templatePath = Get-ChildItem -Recurse -Filter "com.unity.template.3d*.tgz" -Path $rootPath | Select-Object -First 1 | Select-Object -ExpandProperty FullName
-          Write-Host "TEMPLATE_PATH=$templatePath"
-          echo "TEMPLATE_PATH=$templatePath" >> $env:GITHUB_ENV
-          $projectPath = "${{ github.workspace }}/Test Project"
-          echo "UNITY_PROJECT_PATH=$projectPath" >> $env:GITHUB_ENV
-        shell: pwsh
-        # Activates the installation with the provided credentials
-      - uses: buildalon/activate-unity-license@v1
-        with:
-          license: 'Personal'
-          username: ${{ secrets.UNITY_USERNAME }}
-          password: ${{ secrets.UNITY_PASSWORD }}
-      - uses: buildalon/unity-action@v1
-        name: Create Test Project
-        with:
-          log-name: 'create-test-project'
-          args: '-quit -nographics -batchmode -createProject "${{ env.UNITY_PROJECT_PATH }}" -cloneFromTemplate "${{ env.TEMPLATE_PATH }}"'
-      - run: 'openupm add com.virtualmaker.buildalon'
-        name: Add Build Pipeline Package
-        working-directory: ${{ env.UNITY_PROJECT_PATH }}
-      - uses: buildalon/unity-action@v1
-        name: '${{ matrix.build-target }}-Validate'
         with:
-          build-target: ${{ matrix.build-target }}
-          log-name: '${{ matrix.build-target }}-Validate'
-          args: '-quit -nographics -batchmode -executeMethod Buildalon.Editor.BuildPipeline.UnityPlayerBuildTools.ValidateProject -importTMProEssentialsAsset'
-      - uses: buildalon/unity-action@v1
-        name: '${{ matrix.build-target }}-Build'
+          sparse-checkout: .github/
+      - uses: RageAgainstThePixel/job-builder@v1
+        id: setup-jobs
         with:
-          build-target: ${{ matrix.build-target }}
-          log-name: '${{ matrix.build-target }}-Build'
-          args: '-quit -nographics -batchmode -executeMethod Buildalon.Editor.BuildPipeline.UnityPlayerBuildTools.StartCommandLineBuild -sceneList Assets/Scenes/SampleScene.unity -arch ARM64'
-      - uses: microsoft/setup-msbuild@v2
-
-        # builds visual studio project for UWP and packages it as an appx
-      - uses: ./ # buildalon/unity-uwp-builder
-        id: uwp-build
-        with:
-          project-path: ${{ env.UNITY_PROJECT_PATH }}/Builds/WSAPlayer
-          package-type: ${{ matrix.uwp-package-type }}
-
-      - name: print outputs
-        shell: bash
-        run: |
-          echo "Executable: ${{ steps.uwp-build.outputs.executable }}"
-          echo "Output Directory: ${{ steps.uwp-build.outputs.output-directory }}"
-          ls -R "${{ steps.uwp-build.outputs.output-directory }}"
-
-      - uses: actions/upload-artifact@v4
-        with:
-          retention-days: 1
-          name: ${{ github.run_number }}.${{ github.run_attempt }} ${{ matrix.unity-version }}-${{ matrix.build-target }}-${{ matrix.uwp-package-type }}
-          path: |
-            ${{ github.workspace }}/**/*.log
-            ${{ steps.uwp-build.outputs.output-directory }}
+          build-options: ./.github/workflows/build-options.json
+          group-by: 'unity-version'
+    outputs:
+      jobs: ${{ steps.setup-jobs.outputs.jobs }}
+  validate:
+    if: ${{ needs.setup.outputs.jobs }}
+    needs: setup
+    name: ${{ matrix.jobs.name }}
+    permissions:
+      contents: read
+    strategy:
+      matrix: ${{ fromJSON(needs.setup.outputs.jobs) }}
+    secrets: inherit
+    uses: ./.github/workflows/build.yml
+    with:
+      matrix: ${{ toJSON(matrix.jobs.matrix) }}