Skip to content

Commit 469f06b

Browse files
okohlbacherclaude
andcommitted
ci(999.68): align SignPath slugs to real console (ball/initial) + selectable signing policy (WINSIGN-01)
Actual SignPath slugs (org 'Bioichemical Algorithms Library'): project=ball, artifact-configuration=initial, test policy=test-signing (VALID test cert), release policy=release-signing (HSM cert still CSR-pending). Changes: - project-slug 'ballview' -> 'ball' - artifact-configuration-slug 'installer' -> 'initial' - signing-policy-slug -> workflow_dispatch input (default release-signing), so a dispatch can pass test-signing to validate the pipeline against the test cert now, and tag-triggered releases use release-signing once the HSM cert goes VALID. Runbook updated with the verified slugs. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent b6b0b57 commit 469f06b

2 files changed

Lines changed: 18 additions & 3 deletions

File tree

.github/workflows/release.yml

Lines changed: 8 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -31,6 +31,11 @@ on:
3131
required: false
3232
type: boolean
3333
default: true
34+
signing_policy:
35+
description: "SignPath signing-policy slug (test-signing to validate the pipeline; release-signing to ship)"
36+
required: false
37+
type: string
38+
default: "release-signing"
3439
push:
3540
tags:
3641
- "v*.*.*"
@@ -1378,9 +1383,9 @@ jobs:
13781383
with:
13791384
api-token: ${{ secrets.SIGNPATH_API_TOKEN }}
13801385
organization-id: ${{ secrets.SIGNPATH_ORG_ID }}
1381-
project-slug: 'ballview'
1382-
signing-policy-slug: 'release-signing'
1383-
artifact-configuration-slug: 'installer'
1386+
project-slug: 'ball'
1387+
signing-policy-slug: ${{ inputs.signing_policy || 'release-signing' }}
1388+
artifact-configuration-slug: 'initial'
13841389
github-artifact-id: ${{ steps.upload-unsigned-installer.outputs.artifact-id }}
13851390
wait-for-completion: true
13861391
output-artifact-directory: 'signed-installer'

.planning/phases/999.68-packaging-signing-license/SIGNPATH-SECRETS-RUNBOOK.md

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -66,6 +66,16 @@ signing.
6666

6767
## 2. Create the project, artifact configuration, and signing policy
6868

69+
> **ACTUAL SLUGS (verified 2026-06-02, org "Bioichemical Algorithms Library"):**
70+
> project = **`ball`**, artifact-configuration = **`initial`**, test policy =
71+
> **`test-signing`** (bound to "Test certificate 2026", software keystore, VALID),
72+
> release policy = **`release-signing`** (bound to "Release certificate 2026", HSM —
73+
> **CSR PENDING**, not usable until VALID). release.yml is aligned to these:
74+
> `project-slug: 'ball'`, `artifact-configuration-slug: 'initial'`, and
75+
> `signing-policy-slug` is a `workflow_dispatch` input defaulting to `release-signing`
76+
> (pass `test-signing` to validate the pipeline against the test cert). The section
77+
> below is the original generic guidance.
78+
6979
Once the SignPath organization exists, in the SignPath web console:
7080

7181
1. **Create a project** with slug **`ballview`**.

0 commit comments

Comments
 (0)