sign windows builds

Update cargo dist to use the new dist-workspace.toml file

---------

Co-authored-by: Cédric Halber <cedric@braintrustdata.com>

Author: ankrgyl

.github/workflows/release-canary.yml

@@ -48,7 +48,7 @@ jobs:
 
       - name: Install dist
         shell: bash
-        run: "curl --proto '=https' --tlsv1.2 -LsSf https://github.com/axodotdev/cargo-dist/releases/download/v0.30.3/cargo-dist-installer.sh | sh"
+        run: "curl --proto '=https' --tlsv1.2 -LsSf https://github.com/axodotdev/cargo-dist/releases/download/v0.31.0/cargo-dist-installer.sh | sh"
 
       - name: Cache dist
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
@@ -113,6 +113,7 @@ jobs:
     env:
       GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       BUILD_MANIFEST_NAME: target/distrib/${{ join(matrix.targets, '-') }}-dist-manifest.json
+      HAS_SSLDOTCOM_SIGNING: ${{ secrets.SSLDOTCOM_USERNAME != '' && secrets.SSLDOTCOM_PASSWORD != '' && secrets.SSLDOTCOM_CREDENTIAL_ID != '' && secrets.SSLDOTCOM_TOTP_SECRET != '' }}
     steps:
       - name: Enable windows longpaths
         run: git config --global core.longpaths true
@@ -152,6 +153,31 @@ jobs:
       - name: Install dependencies
         run: ${{ matrix.packages_install }}
 
+      - name: Configure SSL.com signing env
+        if: ${{ runner.os == 'Windows' && env.HAS_SSLDOTCOM_SIGNING == 'true' }}
+        shell: bash
+        env:
+          SSLDOTCOM_USERNAME: ${{ secrets.SSLDOTCOM_USERNAME }}
+          SSLDOTCOM_PASSWORD: ${{ secrets.SSLDOTCOM_PASSWORD }}
+          SSLDOTCOM_CREDENTIAL_ID: ${{ secrets.SSLDOTCOM_CREDENTIAL_ID }}
+          SSLDOTCOM_TOTP_SECRET: ${{ secrets.SSLDOTCOM_TOTP_SECRET }}
+        run: |
+          write_github_env() {
+            local key="$1"
+            local value="$2"
+            local delimiter="EOF_${key}_$$"
+            {
+              echo "${key}<<${delimiter}"
+              echo "${value}"
+              echo "${delimiter}"
+            } >> "$GITHUB_ENV"
+          }
+
+          write_github_env "SSLDOTCOM_USERNAME" "$SSLDOTCOM_USERNAME"
+          write_github_env "SSLDOTCOM_PASSWORD" "$SSLDOTCOM_PASSWORD"
+          write_github_env "SSLDOTCOM_CREDENTIAL_ID" "$SSLDOTCOM_CREDENTIAL_ID"
+          write_github_env "SSLDOTCOM_TOTP_SECRET" "$SSLDOTCOM_TOTP_SECRET"
+
       - name: Build artifacts
         shell: bash
         run: |

.github/workflows/release.yml

@@ -63,7 +63,7 @@ jobs:
 
       - name: Install dist
         shell: bash
-        run: "curl --proto '=https' --tlsv1.2 -LsSf https://github.com/axodotdev/cargo-dist/releases/download/v0.30.3/cargo-dist-installer.sh | sh"
+        run: "curl --proto '=https' --tlsv1.2 -LsSf https://github.com/axodotdev/cargo-dist/releases/download/v0.31.0/cargo-dist-installer.sh | sh"
 
       - name: Cache dist
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
@@ -98,6 +98,7 @@ jobs:
     env:
       GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       BUILD_MANIFEST_NAME: target/distrib/${{ join(matrix.targets, '-') }}-dist-manifest.json
+      HAS_SSLDOTCOM_SIGNING: ${{ secrets.SSLDOTCOM_USERNAME != '' && secrets.SSLDOTCOM_PASSWORD != '' && secrets.SSLDOTCOM_CREDENTIAL_ID != '' && secrets.SSLDOTCOM_TOTP_SECRET != '' }}
     steps:
       - name: Enable windows longpaths
         run: git config --global core.longpaths true
@@ -137,6 +138,31 @@ jobs:
       - name: Install dependencies
         run: ${{ matrix.packages_install }}
 
+      - name: Configure SSL.com signing env
+        if: ${{ runner.os == 'Windows' && env.HAS_SSLDOTCOM_SIGNING == 'true' }}
+        shell: bash
+        env:
+          SSLDOTCOM_USERNAME: ${{ secrets.SSLDOTCOM_USERNAME }}
+          SSLDOTCOM_PASSWORD: ${{ secrets.SSLDOTCOM_PASSWORD }}
+          SSLDOTCOM_CREDENTIAL_ID: ${{ secrets.SSLDOTCOM_CREDENTIAL_ID }}
+          SSLDOTCOM_TOTP_SECRET: ${{ secrets.SSLDOTCOM_TOTP_SECRET }}
+        run: |
+          write_github_env() {
+            local key="$1"
+            local value="$2"
+            local delimiter="EOF_${key}_$$"
+            {
+              echo "${key}<<${delimiter}"
+              echo "${value}"
+              echo "${delimiter}"
+            } >> "$GITHUB_ENV"
+          }
+
+          write_github_env "SSLDOTCOM_USERNAME" "$SSLDOTCOM_USERNAME"
+          write_github_env "SSLDOTCOM_PASSWORD" "$SSLDOTCOM_PASSWORD"
+          write_github_env "SSLDOTCOM_CREDENTIAL_ID" "$SSLDOTCOM_CREDENTIAL_ID"
+          write_github_env "SSLDOTCOM_TOTP_SECRET" "$SSLDOTCOM_TOTP_SECRET"
+
       - name: Build artifacts
         shell: bash
         run: |

CONTRIBUTING.md

@@ -123,3 +123,14 @@ Notes:
 
 - The workflow publishes an immutable tag: `canary-<branch-slug>-<short-sha>`.
 - It also updates a moving branch tag: `canary-<branch-slug>` when the run is for the latest commit on that branch.
+
+## Windows Release Signing
+
+Release and canary workflows can Authenticode-sign Windows artifacts when these GitHub Actions repository secrets are configured:
+
+- `SSLDOTCOM_USERNAME`
+- `SSLDOTCOM_PASSWORD`
+- `SSLDOTCOM_CREDENTIAL_ID`
+- `SSLDOTCOM_TOTP_SECRET`
+
+If those secrets are absent, `cargo-dist` skips Windows signing and the published `bt.exe` remains unsigned.

Cargo.toml

@@ -8,6 +8,12 @@ description = "The Braintrust command line interface"
 license = "Apache-2.0"
 repository = "https://github.com/braintrustdata/bt"
 
+[package.metadata.wix]
+upgrade-guid = "5B558F98-EEBD-4F5E-A0C8-E7A039445139"
+path-guid = "7CD3044D-A62A-469C-8552-0E5C3A00FFF1"
+license = false
+eula = false
+
 [dependencies]
 actix-web = "4.11.0"
 anyhow = "1.0.89"
@@ -49,30 +55,6 @@ lto = "thin"
 [workspace]
 members = ["."]
 
-[workspace.metadata.dist]
-cargo-dist-version = "0.30.3"
-ci = "github"
-create-release = true
-pr-run-mode = "plan"
-allow-dirty = ["ci"]
-
-[package.metadata.dist]
-installers = ["shell", "powershell"]
-targets = [
-  "aarch64-apple-darwin",
-  "x86_64-apple-darwin",
-  "aarch64-unknown-linux-gnu",
-  "x86_64-unknown-linux-gnu",
-  "aarch64-unknown-linux-musl",
-  "x86_64-unknown-linux-musl",
-  "x86_64-pc-windows-msvc",
-]
-unix-archive = ".tar.gz"
-windows-archive = ".zip"
-install-path = ["$XDG_BIN_HOME/", "$XDG_DATA_HOME/../bin", "~/.local/bin"]
-install-updater = true
-install-success-msg = ""
-
 [dev-dependencies]
 tempfile = "3"
 assert_cmd = "2.2.0"

dist-workspace.toml

@@ -0,0 +1,31 @@
+[workspace]
+members = ["cargo:."]
+
+# Config for 'dist'
+[dist]
+# The preferred dist version to use in CI (Cargo.toml SemVer syntax)
+cargo-dist-version = "0.31.0"
+# CI backends to support
+ci = "github"
+# Whether dist should create a Github Release or use an existing draft
+create-release = true
+# Which actions to run on pull requests
+pr-run-mode = "plan"
+# Skip checking whether the specified configuration files are up to date
+allow-dirty = ["ci"]
+ssldotcom-windows-sign = "test"
+# The installers to generate for each app
+installers = ["shell", "powershell", "homebrew"]
+homepage = "https://github.com/braintrustdata/bt"
+# Target platforms to build apps for (Rust target-triple syntax)
+targets = ["aarch64-apple-darwin", "aarch64-unknown-linux-gnu", "x86_64-apple-darwin", "x86_64-unknown-linux-gnu", "x86_64-unknown-linux-musl", "x86_64-pc-windows-msvc"]
+# The archive format to use for non-windows builds (defaults .tar.xz)
+unix-archive = ".tar.gz"
+# The archive format to use for windows builds (defaults .zip)
+windows-archive = ".zip"
+# Path that installers should place binaries in
+install-path = ["$XDG_BIN_HOME/", "$XDG_DATA_HOME/../bin", "~/.local/bin"]
+# Whether to install an updater program
+install-updater = true
+# Custom message to display on successful install
+install-success-msg = ""