rehlds
diff --git a/‎.github/workflows/build.yml‎
Lines changed: 186 additions & 19 deletions b/‎.github/workflows/build.yml‎
Lines changed: 186 additions & 19 deletions
@@ -5,36 +5,81 @@ on:
     branches: [master]
     paths-ignore:
       - '**.md'
+      - '.github/**'
 
   pull_request:
     types: [opened, reopened, synchronize]
   release:
     types: [published]
+  workflow_dispatch:
 
 jobs:
   windows:
     name: 'Windows'
-    runs-on: windows-2019
+    runs-on: windows-2025
 
     env:
       solution: 'msvc/reapi.sln'
       buildPlatform: 'Win32'
       buildRelease: 'Release'
 
     steps:
+      - name: Configure
+        run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
+
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
       - name: Setup MSBuild
-        uses: microsoft/setup-msbuild@v1.1.3
-        with:
-          vs-version: '16.8'
+        uses: microsoft/setup-msbuild@v2
+
+# TODO: add support of 141_xp toolchain at VS2022+
+#      - name: Install v140, v141 and v142 toolsets
+#        shell: cmd
+#        run: |
+#          "C:\Program Files (x86)\Microsoft Visual Studio\Installer\vs_installer.exe" modify ^
+#          --installPath "C:\Program Files\Microsoft Visual Studio\2022\Enterprise" ^
+#          --add Microsoft.VisualStudio.Component.WindowsXP ^
+#          --add Microsoft.VisualStudio.Component.VC.v140 ^
+#          --add Microsoft.VisualStudio.Component.VC.v140.x86.x64 ^
+#          --add Microsoft.VisualStudio.Component.VC.v140.xp ^
+#          --add Microsoft.VisualStudio.Component.VC.140.CRT ^
+#          --add Microsoft.VisualStudio.Component.VC.v141 ^
+#          --add Microsoft.VisualStudio.Component.VC.v141.x86.x64 ^
+#          --add Microsoft.VisualStudio.Component.VC.v141.xp ^
+#          --add Microsoft.VisualStudio.Component.VC.v142 ^
+#          --add Microsoft.VisualStudio.Component.VC.v142.x86.x64 ^
+#          --quiet --norestart
 
+      - name: Select PlatformToolset
+        id: select_toolset
+        shell: pwsh
+        run: |
+          $vswhere = "${env:ProgramFiles(x86)}\Microsoft Visual Studio\Installer\vswhere.exe"
+          $vs2019 = & $vswhere -products * -version "[16.0,17.0)" -property installationPath -latest
+          $vs2022 = & $vswhere -products * -version "[17.0,)" -property installationPath -latest
+          
+          if ($vs2019) {
+            "toolset=v140_xp" >> $env:GITHUB_OUTPUT
+            Write-Host "Selected v140_xp toolset"
+          } elseif ($vs2022) {
+            "toolset=v143" >> $env:GITHUB_OUTPUT
+            Write-Host "Selected v143 toolset"
+          } else {
+            Write-Error "No suitable Visual Studio installation found"
+            exit 1
+          }
       - name: Build
         run: |
-          msbuild ${{ env.solution }} -p:Configuration="${{ env.buildRelease }}" /t:Clean,Build /p:Platform=${{ env.buildPlatform }} /p:PlatformToolset=v140_xp /p:XPDeprecationWarning=false
+          $toolset = '${{ steps.select_toolset.outputs.toolset }}'
+          msbuild ${{ env.solution }} -p:Configuration="${{ env.buildRelease }}" /t:Clean,Build /p:Platform=${{ env.buildPlatform }} /p:PlatformToolset=$toolset /p:XPDeprecationWarning=false
+
+      - name: Get rcedit from chocolatey
+        shell: pwsh
+        run: |
+          choco install rcedit -y
 
       - name: Move files
         run: |
@@ -44,31 +89,128 @@ jobs:
           move msvc\${{ env.buildRelease }}\reapi_amxx.dll publish\addons\amxmodx\modules\reapi_amxx.dll
           move msvc\${{ env.buildRelease }}\reapi_amxx.pdb publish\debug\reapi_amxx.pdb
 
+      - name: Get app version
+        id: get_version
+        shell: pwsh
+        run: |
+          $versionFile = "reapi/version/appversion.h"
+          if (-not (Test-Path $versionFile)) {
+            Write-Error "Version file not found: $versionFile"
+            exit 1
+          }
+
+          $content = Get-Content $versionFile
+          foreach ($line in $content) {
+            if ($line -match '^\s*#define\s+APP_VERSION\s+"([^"]+)"') {
+              $version = $matches[1]
+              "version=$version" >> $env:GITHUB_OUTPUT
+              Write-Host "Found version: $version"
+              exit 0
+            }
+          }
+          Write-Error "APP_VERSION not found in file"
+          exit 1
+
+      - name: Show version
+        run: echo "Version is ${{ steps.get_version.outputs.version }}"
+
+      - name: Edit resources at windows binaries
+        run: |
+         rcedit ${{ github.workspace }}\publish\addons\amxmodx\modules\reapi_amxx.dll --set-version-string CompanyName "ReHLDS Dev Team" --set-version-string LegalCopyright "Copyright 2025 ReHLDS DevTeam" --set-icon reapi/msvc/icon.ico
+        shell: "pwsh"
+
+      - name: Import PFX and sign
+        if: github.event_name != 'pull_request'
+        env:
+          KEY_PFX_PASS: ${{ secrets.KEY_PFX_PASS }}
+        # https://github.com/actions/runner-images/blob/main/images/windows/Windows2025-Readme.md
+        run: |
+               $pfxBase64 = "${{ secrets.KEY_PFX_B64 }}"
+               [IO.File]::WriteAllBytes("${{ github.workspace }}\signing-cert.pfx", [Convert]::FromBase64String($pfxBase64))
+               certutil -f -p "${{ secrets.KEY_PFX_PASS }}" -importPFX "${{ github.workspace }}\signing-cert.pfx"
+               & 'C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x86\signtool.exe' sign /a /f "${{ github.workspace }}\signing-cert.pfx"  /p $env:KEY_PFX_PASS /d "ReAPI - AMX Mod X module, using API regamedll & rehlds" /du "https://rehlds.dev/" /tr "http://timestamp.digicert.com" /td sha256 /fd sha256 /v ${{ github.workspace }}\publish\addons\amxmodx\modules\reapi_amxx.dll
+               Remove-Item -Recurse -Force "${{ github.workspace }}\signing-cert.pfx"
+        shell: "pwsh"
+
       - name: Deploy artifacts
-        uses: actions/upload-artifact@v3.1.1
+        uses: actions/upload-artifact@v4
         with:
           name: win32
           path: publish/*
 
   linux:
     name: 'Linux'
-    runs-on: ubuntu-latest
-    container: s1lentq/linux86buildtools:latest
+    runs-on: ubuntu-24.04
+    container: debian:11-slim
     outputs:
       app-version: ${{ steps.app-version.outputs.version }}
 
-    env:
-      ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true
-
     steps:
+      - name: Check dependencies
+        run: |
+          dpkg --add-architecture i386
+          apt-get update
+          apt-get install -y \
+            gcc-multilib g++-multilib \
+            build-essential \
+            libc6-dev libc6-dev-i386 \
+            git cmake rsync \
+            g++ gcc
+
+      - name: Configure
+        run: git config --global --add safe.directory "$GITHUB_WORKSPACE"
+
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
-      - name: Build using Intel C++ Compiler 19.0
+      - name: GPG Import
+        run: |
+          echo "${{ secrets.PUB_ASC }}" > "${{ secrets.PUB_ASC_FILE }}"
+          echo "${{ secrets.KEY_ASC }}" > "${{ secrets.KEY_ASC_FILE }}"
+
+          # Import the public key
+          gpg --batch --yes --import "${{ secrets.PUB_ASC_FILE }}"
+          if [[ $? -ne 0 ]]; then
+            echo "Error: Failed to import the public key"
+            exit 1
+          fi
+          
+          # Import the private key
+          gpg --batch --yes --import "${{ secrets.KEY_ASC_FILE }}"
+          if [[ $? -ne 0 ]]; then
+            echo "Error: Failed to import the private key"
+            exit 2
+          fi
+          
+          # Extract the fingerprint of the imported public key
+          GPG_LINUX_FINGERPRINT=$(gpg --list-keys --with-colons | grep '^fpr' | head -n 1 | cut -d: -f10)
+          
+          # Check if the fingerprint was extracted
+          if [[ -z "$GPG_LINUX_FINGERPRINT" ]]; then
+            echo "Error: Failed to extract the fingerprint of the key"
+            exit 3
+          fi
+          
+          # Set the trust level for the key
+          echo "$GPG_LINUX_FINGERPRINT:6:" | gpg --batch --import-ownertrust
+          if [ $? -ne 0 ]; then
+            echo "Error: Failed to set trust for the key $GPG_LINUX_FINGERPRINT"
+            exit 4
+          fi
+          
+          echo "Key $GPG_LINUX_FINGERPRINT successfully imported and trusted"
+          gpg --list-keys
+
+          #export for global use
+          echo "GPG_LINUX_FINGERPRINT=$GPG_LINUX_FINGERPRINT" >> $GITHUB_ENV
+        shell: bash
+        if: github.event_name != 'pull_request'
+
+      - name: Build
         run: |
-          rm -rf build && CC=icc CXX=icpc cmake -B build && cmake --build build -j8
+          rm -rf build && CC=gcc CXX=g++ cmake -B build && cmake --build build -j8
 
       - name: Reading appversion.h
         id: app-version
@@ -80,6 +222,7 @@ jobs:
             else
               # Remove quotes
               APP_VERSION=$(echo $APP_VERSION | xargs)
+              echo "APP_VERSION=${APP_VERSION}" >> $GITHUB_ENV
             fi
           fi
           echo "version=${APP_VERSION}" >> "$GITHUB_OUTPUT"
@@ -107,7 +250,7 @@ jobs:
         shell: bash
 
       - name: Deploy artifacts
-        uses: actions/upload-artifact@v3.1.1
+        uses: actions/upload-artifact@v4
         id: upload-job
         with:
           name: linux32
@@ -120,12 +263,12 @@ jobs:
 
     steps:
       - name: Deploying linux artifacts
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: linux32
 
       - name: Deploying windows artifacts
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: win32
 
@@ -136,16 +279,40 @@ jobs:
           github.event.action == 'published' &&
           startsWith(github.ref, 'refs/tags/')
         run: |
+        
+          # new runner, niw signs
+          echo "${{ secrets.PUB_ASC }}" > "${{ secrets.PUB_ASC_FILE }}"
+          echo "${{ secrets.KEY_ASC }}" > "${{ secrets.KEY_ASC_FILE }}"
+          gpg --batch --yes --import "${{ secrets.PUB_ASC_FILE }}"
+          gpg --batch --yes --import "${{ secrets.KEY_ASC_FILE }}"
+          GPG_LINUX_FINGERPRINT=$(gpg --list-keys --with-colons | grep '^fpr' | head -n 1 | cut -d: -f10)
+          echo "$GPG_LINUX_FINGERPRINT:6:" | gpg --batch --import-ownertrust
+          echo "GPG_LINUX_FINGERPRINT=$GPG_LINUX_FINGERPRINT" >> $GITHUB_ENV
+
+          sign_file() {
+            local file=$1
+            gpg --batch --yes --detach-sign --armor -u "$GPG_LINUX_FINGERPRINT" "$file"
+            if [ $? -ne 0 ]; then
+              echo "Error: Failed to sign $file"
+              exit 2
+            fi
+            echo "$file signed successfully."
+          }
+          
+          # Pack and sign final archive
           7z a -tzip reapi-bin-${{ needs.linux.outputs.app-version }}.zip addons/
+          sign_file "reapi-bin-${{ env.APP_VERSION }}.zip"
 
       - name: Publish artifacts
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v2
         id: publish-job
         if: |
           startsWith(github.ref, 'refs/tags/') &&
           steps.packaging-job.outcome == 'success'
         with:
           files: |
             *.zip
+            *.7z
+            *.asc
         env:
           GITHUB_TOKEN: ${{ secrets.API_TOKEN }}