@@ -129,23 +129,22 @@ jobs:
129129 runs-on : ubuntu-latest
130130
131131 steps :
132- - name : Download unsigned Windows artifacts
133- uses : actions/download-artifact@v4
134- with :
135- name : unsigned-windows
136- path : ./unsigned/windows/
137-
138- - name : Download unsigned macOS artifacts
139- uses : actions/download-artifact@v4
140- with :
141- name : unsigned-macos
142- path : ./unsigned/macos/
143-
144- - name : Download unsigned Linux artifacts
145- uses : actions/download-artifact@v4
146- with :
147- name : unsigned-linux
148- path : ./unsigned/linux/
132+ # SignPath requires a GitHub artifact ID (not a local path). Resolve each
133+ # artifact's numeric ID by name from the current workflow run.
134+ - name : Resolve artifact IDs
135+ id : artifact-ids
136+ env :
137+ GH_TOKEN : ${{ secrets.GITHUB_TOKEN }}
138+ run : |
139+ WIN_ID=$(gh api repos/${{ github.repository }}/actions/runs/${{ github.run_id }}/artifacts \
140+ --jq '.artifacts[] | select(.name == "unsigned-windows") | .id')
141+ MAC_ID=$(gh api repos/${{ github.repository }}/actions/runs/${{ github.run_id }}/artifacts \
142+ --jq '.artifacts[] | select(.name == "unsigned-macos") | .id')
143+ LNX_ID=$(gh api repos/${{ github.repository }}/actions/runs/${{ github.run_id }}/artifacts \
144+ --jq '.artifacts[] | select(.name == "unsigned-linux") | .id')
145+ echo "windows=$WIN_ID" >> $GITHUB_OUTPUT
146+ echo "macos=$MAC_ID" >> $GITHUB_OUTPUT
147+ echo "linux=$LNX_ID" >> $GITHUB_OUTPUT
149148
150149# ── Windows (Authenticode) ───────────────────────────────────────────────
151150 - name : Sign Windows installer
@@ -156,7 +155,8 @@ jobs:
156155 project-slug : ${{ vars.SIGNPATH_PROJECT_SLUG }}
157156 signing-policy-slug : release-signing
158157 artifact-configuration-slug : windows-installer
159- input-artifact-path : ./unsigned/windows/
158+ github-artifact-id : ${{ steps.artifact-ids.outputs.windows }}
159+ github-token : ${{ secrets.GITHUB_TOKEN }}
160160 wait-for-completion : true
161161 output-artifact-directory : ./signed/windows/
162162
@@ -170,14 +170,13 @@ jobs:
170170 project-slug : ${{ vars.SIGNPATH_PROJECT_SLUG }}
171171 signing-policy-slug : release-signing
172172 artifact-configuration-slug : macos-dmg
173- input-artifact-path : ./unsigned/macos/
173+ github-artifact-id : ${{ steps.artifact-ids.outputs.macos }}
174+ github-token : ${{ secrets.GITHUB_TOKEN }}
174175 wait-for-completion : true
175176 output-artifact-directory : ./signed/macos/
176177
177178 # ── Linux (GPG) ──────────────────────────────────────────────────────────
178179 # Requires a GPG key configured in SignPath.
179- # To sign .deb and .AppImage separately, duplicate this step with a
180- # different artifact-configuration-slug for each format.
181180 - name : Sign Linux packages
182181 uses : SignPath/github-action-submit-signing-request@v1
183182 with :
@@ -186,7 +185,8 @@ jobs:
186185 project-slug : ${{ vars.SIGNPATH_PROJECT_SLUG }}
187186 signing-policy-slug : release-signing
188187 artifact-configuration-slug : linux-packages
189- input-artifact-path : ./unsigned/linux/
188+ github-artifact-id : ${{ steps.artifact-ids.outputs.linux }}
189+ github-token : ${{ secrets.GITHUB_TOKEN }}
190190 wait-for-completion : true
191191 output-artifact-directory : ./signed/linux/
192192
0 commit comments