chore(ci): attach checksums and publish release with artifacts; add distribution README

David Imongirie · David Imongirie · commit 8a1a6943e89a · 2025-12-03T22:58:36.000+01:00
diff --git a/.github/workflows/windows_build.yml b/.github/workflows/windows_build.yml
@@ -11,8 +11,10 @@ jobs:
     runs-on: windows-latest
 
     steps:
-      - name: Checkout repository
+      - name: Checkout repository (full history)
         uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
 
       - name: Set up Python
         uses: actions/setup-python@v4
@@ -41,46 +43,73 @@ jobs:
           Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
           .\build_windows.ps1 -CompileNSIS
 
-      - name: Upload EXE artifact
-        if: always()
-        uses: actions/upload-artifact@v4
-        with:
-          name: TestBuddy-exe
-          path: dist/TestBuddy.exe
+      - name: Compute checksums for artifacts
+        shell: powershell
+        run: |
+          $files = @()
+          if (Test-Path .\dist\TestBuddy.exe) { $files += Get-Item .\dist\TestBuddy.exe }
+          if (Test-Path .\dist\TestBuddy-signed.exe) { $files += Get-Item .\dist\TestBuddy-signed.exe }
+          if (Test-Path .\TestBuddy-Setup.exe) { $files += Get-Item .\TestBuddy-Setup.exe }
+          if (Test-Path .\TestBuddy-Setup-signed.exe) { $files += Get-Item .\TestBuddy-Setup-signed.exe }
+          if ($files.Count -eq 0) { Write-Host 'No build artifacts found to checksum.'; exit 0 }
+          $out = "CHECKSUMS.txt"
+          Remove-Item $out -ErrorAction SilentlyContinue
+          foreach ($f in $files) {
+            $sha = Get-FileHash -Algorithm SHA256 $f.FullName | Select-Object -ExpandProperty Hash
+            "$sha  $($f.Name)" | Out-File -FilePath $out -Encoding ascii -Append
+          }
+          Get-Content CHECKSUMS.txt
 
-      - name: Upload Installer artifact
-        if: always()
+      - name: Upload build artifacts and checksums
         uses: actions/upload-artifact@v4
         with:
-          name: TestBuddy-installer
-          path: TestBuddy-Setup.exe
+          name: TestBuddy-artifacts
+          path: |
+            dist/TestBuddy*.exe
+            TestBuddy-Setup*.exe
+            CHECKSUMS.txt
 
       - name: Optional: Sign artifacts (if PFX secret provided)
-        if: ${{ secrets.SIGN_CERT_PFX != '' && secrets.SIGN_CERT_PASSWORD != '' }}
+        if: ${{ secrets.SIGN_CERT_PFX && secrets.SIGN_CERT_PASSWORD }}
         shell: powershell
+        env:
+          PFX_BASE64: ${{ secrets.SIGN_CERT_PFX }}
+          PFX_PASS: ${{ secrets.SIGN_CERT_PASSWORD }}
         run: |
-          Write-Host "Writing PFX to file and attempting to sign artifacts..."
-          $pfxBase64 = '${{ secrets.SIGN_CERT_PFX }}'
-          [IO.File]::WriteAllBytes('cert.pfx', [Convert]::FromBase64String($pfxBase64))
-          choco install osslsigncode -y || Write-Host 'osslsigncode install may have failed'
+          Write-Host "Decoding PFX and writing to cert.pfx"
+          [IO.File]::WriteAllBytes('cert.pfx', [Convert]::FromBase64String($env:PFX_BASE64))
+          choco install osslsigncode -y || Write-Host 'osslsigncode may already be installed or install failed'
           if (Test-Path .\dist\TestBuddy.exe) {
-            Write-Host 'Signing dist\\TestBuddy.exe'
-            osslsigncode sign -pkcs12 cert.pfx -pass '${{ secrets.SIGN_CERT_PASSWORD }}' -n 'TestBuddy' -i 'http://testbuddy.local' -t 'http://timestamp.digicert.com' -in .\dist\TestBuddy.exe -out .\dist\TestBuddy-signed.exe || Write-Host 'Signing EXE failed'
+            $in = Resolve-Path .\dist\TestBuddy.exe
+            $out = Resolve-Path .\dist\TestBuddy-signed.exe
+            Write-Host "Signing $in -> $out"
+            osslsigncode sign -pkcs12 cert.pfx -pass $env:PFX_PASS -n 'TestBuddy' -i 'https://testbuddy.app' -t 'http://timestamp.digicert.com' -in $in -out $out
           }
           if (Test-Path .\TestBuddy-Setup.exe) {
-            Write-Host 'Signing TestBuddy-Setup.exe'
-            osslsigncode sign -pkcs12 cert.pfx -pass '${{ secrets.SIGN_CERT_PASSWORD }}' -n 'TestBuddy' -i 'http://testbuddy.local' -t 'http://timestamp.digicert.com' -in .\TestBuddy-Setup.exe -out .\TestBuddy-Setup-signed.exe || Write-Host 'Signing installer failed'
+            $in = Resolve-Path .\TestBuddy-Setup.exe
+            $out = Resolve-Path .\TestBuddy-Setup-signed.exe
+            Write-Host "Signing $in -> $out"
+            osslsigncode sign -pkcs12 cert.pfx -pass $env:PFX_PASS -n 'TestBuddy' -i 'https://testbuddy.app' -t 'http://timestamp.digicert.com' -in $in -out $out
           }
 
+      - name: Compute release tag
+        id: tag
+        uses: actions/github-script@v6
+        with:
+          script: |
+            const date = new Date().toISOString().slice(0,10).replace(/-/g,'')
+            const tag = `v${date}-${process.env.GITHUB_RUN_NUMBER}`
+            return tag
+
       - name: Create GitHub release and attach artifacts
         uses: ncipollo/release-action@v1
         with:
-          tag: build-${{ github.run_number }}
-          name: TestBuddy build ${{ github.run_number }}
+          tag: ${{ steps.tag.outputs.result }}
+          name: TestBuddy ${{ steps.tag.outputs.result }}
           body: |
-            Automated build from commit ${{ github.sha }}
-            - Runner: ${{ runner.os }}
-            - Workflow: ${{ github.workflow }}
+            Automated build for commit ${{ github.sha }}
+            Artifacts include the executable(s) and installer. See attached CHECKSUMS.txt for SHA256 sums.
           files: |
             dist/TestBuddy*.exe
             TestBuddy-Setup*.exe
+            CHECKSUMS.txt
diff --git a/README_DISTRIBUTION.md b/README_DISTRIBUTION.md
@@ -0,0 +1,104 @@
+TestBuddy - Distribution & Signing Guide
+========================================
+
+Purpose
+-------
+This guide explains exactly how to produce signed, installable Windows artifacts for TestBuddy and how to configure the CI pipeline to produce release builds and signed installers.
+
+What we added for you
+---------------------
+- `build_windows.ps1` / `build_windows.bat` — build the EXE (PyInstaller) and compile NSIS installer (if `makensis` is available).
+- `testbuddy_installer.nsi` — NSIS installer script (references `dist/TestBuddy.exe`).
+- GitHub Actions workflow: `.github/workflows/windows_build.yml` that:
+  - Installs dependencies
+  - Runs tests
+  - Builds EXE and runs NSIS (on Windows runner)
+  - Generates `CHECKSUMS.txt` (SHA256)
+  - Uploads artifacts
+  - Optionally signs artifacts if signing secrets are present
+  - Creates a GitHub Release and attaches artifacts
+
+Requirements before distribution
+--------------------------------
+1. Windows code signing certificate (PFX) with private key.
+   - Obtain from a CA (DigiCert, Sectigo, GlobalSign). EV certificates are recommended for broad trust.
+2. GitHub repo-level secrets (to enable automatic signing):
+   - `SIGN_CERT_PFX` — base64-encoded contents of the PFX file
+   - `SIGN_CERT_PASSWORD` — password for the PFX
+
+How to create the base64 PFX secret (PowerShell)
+------------------------------------------------
+Run locally and copy the output into the `SIGN_CERT_PFX` secret value in GitHub:
+
+```powershell
+$bytes = [System.IO.File]::ReadAllBytes('C:\path\to\your-cert.pfx')
+$base64 = [Convert]::ToBase64String($bytes)
+# Save temporarily
+Set-Content -Path C:\tmp\cert.pfx.b64 -Value $base64
+# Open the file and copy-paste the single-line content into the repo secret
+notepad C:\tmp\cert.pfx.b64
+```
+
+Add the PFX password as `SIGN_CERT_PASSWORD` in GitHub Secrets.
+
+Signing options supported in the workflow
+----------------------------------------
+- `osslsigncode` (open-source): used on Windows runner (installed via Chocolatey). Works with PFX.
+- `signtool` (Microsoft): preferred for EV certs / MS recommended signing. If you prefer `signtool`, you can modify the workflow to call `signtool` instead; it requires the Windows SDK or a runner that has `signtool.exe` available.
+
+How to trigger a release build
+------------------------------
+- Option A: Push a commit to `main` branch (workflow runs automatically)
+- Option B: Run `Build Windows` workflow manually from the Actions UI (workflow_dispatch)
+
+How the workflow produces artifacts
+-----------------------------------
+1. `pyinstaller` creates `dist/TestBuddy.exe` (one-file, windowed).
+2. NSIS compiles `TestBuddy-Setup.exe` if `makensis` is available on the runner.
+3. `CHECKSUMS.txt` is produced with SHA256 lines for each artifact.
+4. Optional signing step (if secrets present) produces `*-signed.exe` variants.
+5. The release flow creates a tag like `vYYYYMMDD-<run_number>` and publishes a Release, attaching artifacts and `CHECKSUMS.txt`.
+
+Manual verification steps (recommended)
+--------------------------------------
+- Download artifacts from the workflow run or Release.
+- Verify SHA256 matches the values in `CHECKSUMS.txt`:
+  ```powershell
+  Get-FileHash .\TestBuddy-Setup.exe -Algorithm SHA256
+  Get-Content CHECKSUMS.txt
+  ```
+- Install on a clean VM (Windows 10/11) and verify:
+  - App launches
+  - Sessions load
+  - Export features work (PDF, DOCX, CSV, HTML, Markdown, JSON, TXT)
+  - Document Intelligence analyze works (with Tesseract installed)
+  - Uninstall removes program files
+
+If you want to use `signtool` instead of `osslsigncode`
+------------------------------------------------------
+- Upload PFX as repo secret as above.
+- Modify the workflow step `Optional: Sign artifacts` to call `signtool.exe sign /f cert.pfx /p <password> /tr http://timestamp.digicert.com /td sha256 /fd sha256 <file>`
+- On hosted runners, `signtool` may not be present. You'll need either to install Windows SDK in the runner (adds time), or use a self-hosted Windows runner that has `signtool` installed and your signing cert available.
+
+Recommended post-release steps
+------------------------------
+- Sign all binaries and installer before publishing to avoid "Unknown Publisher" warnings.
+- Consider using an official code-signing service or HSM for private key security.
+- Publish checksums on the website and in the release notes.
+- For automated distribution, consider pushing artifacts to a CDN or S3 bucket and use the installer to fetch updates.
+
+Support and troubleshooting
+-------------------------
+If a workflow fails:
+- Open the Actions run and expand logs for the failing step.
+- For signing issues, ensure the PFX is valid and not password-protected with non-ASCII characters that could break environment handling.
+- For NSIS errors, ensure makensis is available and the path to the EXE referenced in `testbuddy_installer.nsi` matches the build output.
+
+Contact
+-------
+If you'd like, I can:
+- Switch the workflow to use `signtool` and/or a self-hosted signing runner.
+- Add automatic changelog generation using Conventional Commits or `release-drafter`.
+- Add an auto-update server or mechanism.
+
+*** End of guide ***
