Add GitHub Actions workflow to build, sign, and upload Windows EXE

[diskchord]

Motivation

• Provide an automated release workflow that builds a Windows executable, signs it with Azure Trusted Signing, and publishes the signed artifact to releases or as a downloadable artifact.
• Ensure distributed binaries are code-signed with a timestamped SHA256 signature for integrity and trust.

Description

• Add /.github/workflows/release-windows-signed.yml which is triggered by workflow_dispatch and release events and sets contents: write permissions.
• The job runs on windows-latest, checks out the repo, sets up Python 3.11, installs dependencies and pyinstaller, and builds APSMIDIPrepTool.exe from aps_midi_prep_tool.py using pyinstaller.
• Installs AzureSignTool via dotnet tool, signs the built EXE with azuresigntool sign using Azure credential secrets (AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TRUSTED_SIGNING_ACCOUNT, AZURE_TRUSTED_SIGNING_PROFILE, AZURE_TRUSTED_SIGNING_ENDPOINT), and verifies the signature with Get-AuthenticodeSignature.
• Uploads the signed binary as an artifact APSMIDIPrepTool-windows-signed with actions/upload-artifact@v4 and attaches the signed EXE to the GitHub release using softprops/action-gh-release@v2 when the event is a release.

Testing

• No automated unit or integration tests were added or run as part of this change.
• The workflow is intended to be exercised via workflow_dispatch or when publishing a GitHub release to perform build, sign, verify, and upload steps.

---

Codex Task

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: abc0c42755

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Use supported AzureSignTool signing parameters

This signing command mixes Trusted Signing signtool flags with azuresigntool: dotnet tool install --global AzureSignTool installs the AzureSignTool CLI, whose documented sign parameters are Key Vault options (including required -kvc) and do not include -dlib/-dmdf. In this form, the step will fail during argument parsing instead of signing, so every release/workflow_dispatch run will fail before upload.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Fail workflow on invalid Authenticode verification

The verification step only formats and prints the signature object, but never asserts Status == Valid; Get-AuthenticodeSignature can return successfully for unsigned/invalid files, so this workflow can continue to artifact upload even when signing is ineffective or broken. Add an explicit status check and throw on any non-Valid result to enforce signed-release guarantees.

Useful? React with 👍 / 👎.