Integrate SignPath binary signing for Windows

michaelherger · michaelherger · commit 9e17256f4fd3 · 2025-12-17T16:24:28.000+01:00
Signed-off-by: Michael Herger &lt;michael@herger.net&gt;
diff --git a/.github/actions/build/action.yaml b/.github/actions/build/action.yaml
@@ -13,6 +13,14 @@ inputs:
     description: The key ID to use to upload to S3
   AWS_SECRET_ACCESS_KEY:
     description: The secret to use to upload to S3
+  SIGNPATH_API_TOKEN:
+    description: The SignPath API token to use for code signing
+  SIGNPATH_ORG_ID:
+    description: The SignPath organization ID to use for code signing
+  SIGNPATH_PROJECT_SLUG:
+    description: The SignPath project slug to use for code signing
+  SIGNPATH_SIGNING_POLICY_SLUG:
+    description: The SignPath signing policy slug to use for code signing
 
 runs:
   using: composite
@@ -154,12 +162,28 @@ runs:
     - name: Archive artifacts
       if: ${{ !startsWith(inputs.build-params, 'docker') }}
       uses: actions/upload-artifact@v4
+      id: upload-artifact
       with:
         name: ${{ inputs.build-params }}
         path: publish
 
+    - name: Set up Windows environment
+      if: ${{ startsWith(inputs.build-params, 'win64') }}
+      uses: signpath/github-action-submit-signing-request@v2
+      with:
+        api-token: '${{ inputs.SIGNPATH_API_TOKEN }}'
+        organization-id: '${{ inputs.SIGNPATH_ORG_ID }}'
+        project-slug: '${{ inputs.SIGNPATH_PROJECT_SLUG }}'
+        signing-policy-slug: '${{ inputs.SIGNPATH_SIGNING_POLICY_SLUG }}'
+        github-artifact-id: '${{ steps.upload-artifact.outputs.artifact-id }}'
+        wait-for-completion: true
+        output-artifact-directory: publish
+        # parameters: |
+        #   version: ${{ toJSON(some.userinput) }}
+        #   myparam: "another param"
+
     - name: Upload artifacts to R2
-      if: ${{ !startsWith(inputs.build-params, 'docker') && github.repository_owner == 'LMS-Community' }}
+      if: false
       shell: bash
       env:
         AWS_ACCESS_KEY_ID: ${{ inputs.AWS_KEY_ID }}
diff --git a/.github/workflows/00_build.yaml b/.github/workflows/00_build.yaml
@@ -23,6 +23,7 @@ on:
 jobs:
   mac:
     name: Build LMS for Mac
+    if: false
     runs-on: macos-15
     env:
       BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }}
@@ -72,6 +73,7 @@ jobs:
 
   linux:
     name: Build LMS for Linux
+    if: false
     runs-on: ubuntu-22.04
     strategy:
       matrix:
@@ -110,6 +112,7 @@ jobs:
           AWS_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
 
   docker:
+    if: false
     name: Build LMS for Docker
     runs-on: ubuntu-22.04
 
@@ -161,10 +164,14 @@ jobs:
           build-type: ${{ inputs.build_type }}
           AWS_KEY_ID: ${{ secrets.R2_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.R2_SECRET_ACCESS_KEY }}
+          SIGNPATH_API_TOKEN: ${{ secrets.SIGNPATH_API_TOKEN }}
+          SIGNPATH_ORG_ID: ${{ vars.SIGNPATH_ORG_ID }}
+          SIGNPATH_PROJECT_SLUG: ${{ vars.SIGNPATH_PROJECT_SLUG }}
+          SIGNPATH_SIGNING_POLICY_SLUG: ${{ vars.SIGNPATH_SIGNING_POLICY_SLUG }}
 
   updateRepoFile:
     name: Trigger repository file update
-    if: ${{ success() && inputs.build_type == 'nightly' && github.repository_owner == 'LMS-Community' }}
+    if: false
     runs-on: ubuntu-latest
     timeout-minutes: 2
     needs:
