ci(signpath): delete unsigned windows artifact after signing

rainxchzed · rainxchzed · commit d3eda73f81d5 · 2026-05-12T07:48:54.000+05:00
diff --git a/.github/workflows/build-desktop-platforms.yml b/.github/workflows/build-desktop-platforms.yml
@@ -95,6 +95,7 @@ jobs:
     permissions:
       id-token: write
       contents: read
+      actions: write
 
     steps:
       # Fail loudly if any SignPath config is missing instead of letting the
@@ -147,6 +148,21 @@ jobs:
           retention-days: 30
           compression-level: 0
 
+      # Remove the unsigned upload so only the SignPath-signed installers are
+      # downloadable from the run page and end up in the draft release.
+      # Without this, both windows-installers (unsigned) and
+      # windows-installers-signed coexist as 30-day artifacts.
+      - name: Delete unsigned Windows artifact
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          ARTIFACT_ID: ${{ needs.build-windows.outputs.windows-artifact-id }}
+          REPO: ${{ github.repository }}
+        run: |
+          set -euo pipefail
+          gh api -X DELETE "repos/${REPO}/actions/artifacts/${ARTIFACT_ID}"
+          echo "Deleted unsigned artifact id=${ARTIFACT_ID}"
+        shell: bash
+
   build-macos:
     strategy:
       matrix:
