Add Windows winget packaging and signing workflow #323

Merged: hoffmang9 merged 6 commits into main from feat/windows-winget-publish-signing, Feb 24, 2026

hoffmang9 (Member) commented Feb 24, 2026

Summary

  • add Windows bundle assembly and release artifact upload for chiavdf CLI binaries
  • add optional manual signing (workflow_dispatch.windows_sign) and enforce signing for release builds using DigiCert tooling
  • include windows_amd64 metadata in Glue trigger payload so downstream automation can publish winget assets

Test plan

  • Run workflow via workflow_dispatch with windows_sign=false and verify unsigned Windows bundle artifacts are created
  • Run workflow via workflow_dispatch with windows_sign=true and signing secrets present; verify signed executables and zipped artifact output
  • Run a release workflow and verify chiavdf-win64.zip and .sha256 are uploaded to GitHub release
  • Verify downstream Glue trigger receives release_version and windows_amd64

Made with Cursor


Note

Medium Risk
Changes release/CI packaging behavior for Windows, including optional/enforced code signing and new artifact upload paths, which could break releases if secrets/paths or signing tooling are misconfigured.

Overview
Adds Windows distribution packaging to the build-packages.yml workflow: assembles a dist/windows zip bundle (with bundled DLL dependencies), writes .sha256 files, and uploads the bundle as a CI artifact and as GitHub release assets.

Introduces optional Windows code-signing via workflow_dispatch.windows_sign (and enforced on releases), including a preflight check for required DigiCert SM_* secrets, signer tooling setup, and signtool signing/verification of bundled executables.

Updates the release metadata/Glue trigger payload to include a windows_amd64 asset name (chiavdf-win64.zip) for downstream automation.

Written by Cursor Bugbot for commit 95f792c.

hoffmang9 and others added 2 commits February 23, 2026 20:24

Publish a Windows release bundle with optional manual signing and release-enforced signing, upload release assets, and pass Windows artifact metadata to Glue for downstream winget publication.

Co-authored-by: Cursor <cursoragent@cursor.com>

Rely on the action default host to reduce redundant workflow configuration while preserving signing behavior.

Co-authored-by: Cursor <cursoragent@cursor.com>

Use the signer action default host consistently by removing SM_HOST from the workflow secret gate and required list.

Co-authored-by: Cursor <cursoragent@cursor.com>

hoffmang9 and others added 2 commits February 23, 2026 21:17

Build json_data with both release_version and windows_amd64 in brew_metadata and pass that output into the glue trigger step to avoid metadata drift.

Co-authored-by: Cursor <cursoragent@cursor.com>

The variable was scoped to the assemble step but never read there, while packaging keeps its own IS_RELEASE value for release-only winget asset output.

Co-authored-by: Cursor <cursoragent@cursor.com>

cursor (Bot) left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Define one shared executable list for Windows packaging/signing and consume it in both steps, with a fail-fast guard when the list is empty.

Co-authored-by: Cursor <cursoragent@cursor.com>

hoffmang9 merged commit 8754b42 into main Feb 24, 2026
83 of 85 checks passed
hoffmang9 deleted the feat/windows-winget-publish-signing branch February 24, 2026 06:00
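
A preflight gate of the kind the summary and commit messages describe (signing optional on manual runs, enforced on releases, secrets checked up front, fail-fast on an empty executable list), as an added example that is not the workflow code from this pull request. The function names, return codes and the list of required secret names are assumptions; the PR's actual list is not shown on the page.

```shell
#!/bin/sh
# Added example: preflight gate run before a Windows signing step.
# Not the workflow code from this pull request.

# Assumed required secret names. These are DigiCert client variables, but the
# PR's actual list is not shown on the page; SM_HOST is left to the action default.
REQUIRED_SECRETS="SM_API_KEY SM_CLIENT_CERT_FILE SM_CLIENT_CERT_PASSWORD"

# signing_required IS_RELEASE WINDOWS_SIGN
# Succeeds when the build must be signed: always for a release, and for a
# manual run only when the windows_sign input is true.
signing_required() {
  [ "$1" = "true" ] || [ "$2" = "true" ]
}

# missing_secrets: print the required variables that are unset or empty.
# eval is safe here because the names come from the fixed list above.
missing_secrets() {
  missing=""
  for name in $REQUIRED_SECRETS; do
    eval "value=\${$name:-}"
    [ -n "$value" ] || missing="$missing $name"
  done
  echo "${missing# }"
}

# preflight IS_RELEASE WINDOWS_SIGN EXE...
# Prints "sign" or "skip" and returns 0, or returns non-zero to fail the job:
#   2 = shared executable list is empty, 3 = signing required but secrets missing.
preflight() {
  is_release=$1
  windows_sign=$2
  shift 2
  if [ "$#" -eq 0 ]; then
    echo "error: executable list is empty, nothing to package or sign" >&2
    return 2
  fi
  if ! signing_required "$is_release" "$windows_sign"; then
    echo "skip"
    return 0
  fi
  absent=$(missing_secrets)
  if [ -n "$absent" ]; then
    echo "error: signing required but secrets are missing: $absent" >&2
    return 3
  fi
  echo "sign"
}
```

The point of return code 3 is that a release never falls back to publishing an unsigned bundle when a secret is absent; the job stops before any signing tool is set up.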