ffmpeg_batch/.github/workflows/signpath.yml at master · andercard0/ffmpeg_batch · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
# see /README.md

name: sign-verify-origin
run-name: Signing exe files with SignPath
on:
  push:
  pull_request:
  #schedule:
  #  - cron:  '30 3 * * *' # every day at 3:30am UTC
  workflow_dispatch: # Allows you to run this workflow manually from the Actions tab

jobs:
  build_and_sign:
    runs-on: windows-latest
    steps:

    - name: checkout
      uses: actions/checkout@v3
      with:
        fetch-depth: 0

    - name: build
      run: ./src/Build.ps1

    - name: create SBOM
      run: ./sbom/Create-SBOM.ps1

    - name: upload-unsigned-artifact
      id: upload-unsigned-artifact
      uses: actions/upload-artifact@v4
      with:
        name: "demo-application"
        if-no-files-found: error
        path: |
          .\FFBatch_AV_Converter_64bit_unsigned.exe
          .\bom.xml

    - name: sign
      uses: signpath/github-action-submit-signing-request@v1.1
      env:
        # select release-signing policy for main and release branches
        SIGNPATH_SIGNING_POLICY_SLUG: |
          ${{ (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release/'))
            && 'release-signing'
            || 'test-signing' }}
      with:
        api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
        organization-id: '${{ vars.SIGNPATH_ORGANIZATION_ID }}'
        project-slug: 'ffmpeg_batch'
        signing-policy-slug:  '${{ env.SIGNPATH_SIGNING_POLICY_SLUG }}'
        github-artifact-id:  "${{steps.upload-unsigned-artifact.outputs.artifact-id}}"
        wait-for-completion: true
        output-artifact-directory: 'application-signed'

    - name: upload-signed-artifact
      uses: actions/upload-artifact@v4
      with:
        name: "FFBatch_AV_Converter_64bit_signed.exe"
        path: "application-signed"
        if-no-files-found: error