Add build and signing (#1)

.github/workflows/build.yml

@@ -0,0 +1,32 @@
+name: build
+on:
+  workflow_dispatch:
+  pull_request:
+    types: [opened, synchronize, reopened]
+  push:
+    branches:
+      - trunk
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          submodules: recursive
+
+      - name: Install Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: 3.13
+
+      - name: Make Package
+        run: |
+          make package
+
+      - name: Upload Artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: spice.unsigned.taco
+          path: spice.taco

.github/workflows/release.yml

@@ -1,36 +1,67 @@
 name: release
 on:
   workflow_dispatch:
+    inputs:
+      workflow_run_id:
+        description: 'ID of the workflow run to fetch artifacts from'
+        required: true
+        type: string
+      signed_binary_name:
+        description: 'Name of the signed binary'
+        required: false
+        default: 'spiceai.taco'
+        type: string
   release:
     types: [created]
+
 jobs:
-  build:
-    runs-on: macos-latest
+  release:
+    runs-on: code-signing
+    environment: signed_release
     steps:
       - name: Checkout
         uses: actions/checkout@v4
         with:
           submodules: recursive
 
-      - name: Install Python
-        uses: actions/setup-python@v4
+      - name: Download Artifact
+        uses: actions/download-artifact@v4
         with:
-          python-version: 3.13
+          name: spice.unsigned.taco
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          run-id: ${{ inputs.workflow_run_id }}
 
-      - name: Install Make
+      - name: Copy unsigned taco
         run: |
-          brew install make
+          cp spice.taco ${{ inputs.signed_binary_name }}
+          echo "Signed binary name: ${{ inputs.signed_binary_name }}"
 
-      - name: Package (unsigned)
-        run: |
-          make package
-          mv spice.taco spice_unsigned.taco
+      - name: Set up Java for signing
+        uses: actions/setup-java@v4
+        with:
+          java-version: '11'
+          distribution: 'zulu'
+
+      - name: Sign ${{ inputs.signed_binary_name }}
+        shell: powershell
+        env:
+          DIGICERT_TOKEN_PASSWORD: ${{ secrets.DIGICERT_TOKEN_PASSWORD }}
+          DIGICERT_KEY_ALIAS: ${{ secrets.DIGICERT_KEY_ALIAS }}
+          DIGICERT_TOKEN_CFG_PATH: ${{ secrets.DIGICERT_TOKEN_CFG_PATH }}
+          SIGNED_BINARY_NAME: ${{ inputs.signed_binary_name }}
+        run: .\sign.ps1
+
+      - name: Upload ${{ inputs.signed_binary_name }}
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ inputs.signed_binary_name }}
+          path: ${{ inputs.signed_binary_name }}
 
-      - name: Upload
+      - name: Upload to release
         uses: softprops/action-gh-release@v2
         if: startsWith(github.ref, 'refs/tags/')
         with:
           draft: true
           prerelease: true
           fail_on_unmatched_files: true
-          files: spice_unsigned.taco
+          files: ${{ inputs.signed_binary_name }}

sign.ps1

@@ -0,0 +1,31 @@
+echo "Signing with Digicert Token"
+
+# Check if the required environment variables are set
+if (-not $env:DIGICERT_TOKEN_PASSWORD) {
+    Write-Host "Error: DIGICERT_TOKEN_PASSWORD environment variable is not set."
+    exit 1
+}
+if (-not $env:DIGICERT_TOKEN_CFG_PATH) {
+    Write-Host "Error: DIGICERT_TOKEN_CFG_PATH environment variable is not set."
+    exit 1
+}
+if (-not $env:DIGICERT_KEY_ALIAS) {
+    Write-Host "Error: DIGICERT_KEY_ALIAS environment variable is not set."
+    exit 1
+}
+if (-not $env:SIGNED_BINARY_NAME) {
+    Write-Host "Error: SIGNED_BINARY_NAME environment variable is not set."
+    exit 1
+}
+
+jarsigner -verbose `
+    -tsa http://timestamp.digicert.com `
+    -keystore NONE `
+    -storetype PKCS11 `
+    -storepass $env:DIGICERT_TOKEN_PASSWORD `
+    -providerClass sun.security.pkcs11.SunPKCS11 `
+    -providerArg "$env:DIGICERT_TOKEN_CFG_PATH" `
+    -sigalg SHA256withRSA `
+    -signedjar $env:SIGNED_BINARY_NAME `
+    spice.taco `
+    "$env:DIGICERT_KEY_ALIAS"