81 changes: 76 additions & 5 deletions .github/workflows/push-master.yml
Expand Up @@ -2,7 +2,6 @@ name: HyperHDR CI Build

on:
push:
pull_request:

env:
USE_CACHE: ${{ vars.USE_CACHE && vars.USE_CACHE || true }}
Expand Down Expand Up @@ -238,19 +237,91 @@ jobs:
env:
GH_TOKEN: ${{ github.token }}

- name: Upload unsigned artifacts
uses: actions/upload-artifact@v7.0.0
with:
name: unsigned-windows-installer
path: build/Hyper*
retention-days: 1

################################
###### Sign Windows ############
################################

sign-windows:
name: Sign Windows Installer
needs: [windows]
runs-on: ubuntu-24.04
env:
USE_SIGNPATH: ${{ vars.USE_SIGNPATH || 'false' }}
steps:
- name: Download unsigned artifact
uses: actions/download-artifact@v8.0.0
with:
name: unsigned-windows-installer
path: to_sign

- name: Check SignPath Secrets
if: env.USE_SIGNPATH == 'true' && github.event_name != 'pull_request'
env:
SIGNPATH_TOKEN: ${{ secrets.SIGNPATH_API_TOKEN }}
SIGNPATH_ORGANIZATION_ID: ${{ secrets.SIGNPATH_ORGANIZATION_ID }}
run: |
if [ -z "$SIGNPATH_TOKEN" ] || [ -z "$SIGNPATH_ORGANIZATION_ID" ]; then
echo "USE_SIGNPATH=false" >> $GITHUB_ENV
echo "SignPath secrets not found. Skipping signing process."
fi

- name: Upload unsigned ZIP to GitHub (SignPath V2 requirement)
if: ${{ env.USE_SIGNPATH == 'true' }}
id: upload-unsigned-artifact
uses: actions/upload-artifact@v7.0.0
with:
name: signpath_upload
path: to_sign/
retention-days: 1

- name: Sign artifact with SignPath
if: env.USE_SIGNPATH == 'true'
id: signpath_step
uses: signpath/github-action-submit-signing-request@v2
with:
api-token: ${{ secrets.SIGNPATH_API_TOKEN }}
organization-id: ${{ secrets.SIGNPATH_ORGANIZATION_ID }}
project-slug: 'hyperhdr'
signing-policy-slug: ${{ startsWith(github.ref, 'refs/tags/') && 'release-signing' || 'test-signing' }}
github-artifact-id: ${{ steps.upload-unsigned-artifact.outputs.artifact-id }}
wait-for-completion: true
output-artifact-directory: signed_artifact

- name: Check SignPath result & fail if needed
if: always() && env.USE_SIGNPATH == 'true'
run: |
if [ "${{ steps.signpath_step.outcome }}" != "success" ]; then
echo "::error::SignPath action failed technically (check logs for timeout/network issues)."
exit 1
fi

if [ ! -d "signed_artifact" ] || [ -z "$(ls -A signed_artifact 2>/dev/null)" ]; then
echo "::error::SignPath reported success, but NO signed artifacts were downloaded!"
echo "This usually means the signing request was REJECTED or failed silently."
exit 1
fi
echo "Signing successful. Artifacts found in 'signed_artifact'."

- name: Upload artifacts (release)
if: startsWith(github.event.ref, 'refs/tags') && github.event_name != 'pull_request'
uses: actions/upload-artifact@v7.0.0
with:
name: release-artifact-windows
path: build/Hyper*
path: ${{ env.USE_SIGNPATH == 'true' && 'signed_artifact' || 'to_sign' }}/Hyper*.exe

- name: Upload artifacts from commit
if: startsWith(github.event.ref, 'refs/tags') == false && github.event_name != 'pull_request'
uses: actions/upload-artifact@v7.0.0
with:
name: Windows_x64_setup
path: build/Hyper*.exe
name: Windows_x64_setup_${{ env.USE_SIGNPATH == 'true' && 'signed' || 'unsigned' }}
path: ${{ env.USE_SIGNPATH == 'true' && 'signed_artifact' || 'to_sign' }}/Hyper*.exe

################################
####### CodeQL support #########
Expand Down Expand Up @@ -360,7 +431,7 @@ jobs:
publish:
name: Publish Releases
if: startsWith(github.event.ref, 'refs/tags') && github.event_name != 'pull_request'
needs: [Linux, windows, macOS]
needs: [Linux, sign-windows, macOS]
runs-on: ubuntu-24.04
permissions:
contents: write
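Review bot: The `github.event_name != 'pull_request'` guard on the "Check SignPath Secrets" step is not mirrored on the three steps that follow it (`Upload unsigned ZIP`, `Sign artifact with SignPath`, `Check SignPath result`), so on a pull_request run where USE_SIGNPATH resolves to 'true' the check is skipped but the signing steps still execute — a same-repo PR would submit a real signing request, and a fork PR (if it ever sees the variable) would run the SignPath action with empty `api-token`/`organization-id` and fail. Keeping one gate is simpler: change the step condition to `if: env.USE_SIGNPATH == 'true'` and the script test to `if [ "$GITHUB_EVENT_NAME" = "pull_request" ] || [ -z "$SIGNPATH_TOKEN" ] || [ -z "$SIGNPATH_ORGANIZATION_ID" ]; then`, so USE_SIGNPATH is forced to false for PRs before any later step reads it. Separately, `signpath/github-action-submit-signing-request@v2` is the one action in this job that receives `SIGNPATH_API_TOKEN`, yet it is the only one pinned to a mutable major tag while the artifact actions use full versions; pin it to a full release or commit SHA so a tag move cannot swap in different code that sees the token. Also, when the secrets are missing on a tag build the script only echoes "Skipping signing process" and the `Upload artifacts (release)` step then ships `to_sign/Hyper*.exe` unsigned into the release; at minimum emit `echo "::warning::SignPath secrets not found; release installer will be unsigned."` or exit non-zero when `github.ref` is a tag.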