clockworklabs
diff --git a/‎.github/workflows/check-merge-labels.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/check-merge-labels.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/package.yml‎
Lines changed: 41 additions & 79 deletions b/‎.github/workflows/package.yml‎
Lines changed: 41 additions & 79 deletions
diff --git a/‎.github/workflows/pr_approval_check.yml‎
Lines changed: 16 additions & 2 deletions b/‎.github/workflows/pr_approval_check.yml‎
Lines changed: 16 additions & 2 deletions
@@ -2,7 +2,7 @@ name: Check merge labels
 
 on:
   pull_request:
-    types: [opened, reopened, labeled, unlabeled]
+    types: [opened, reopened, synchronize, labeled, unlabeled]
   merge_group:
 
 permissions: read-all
 
@@ -11,7 +11,6 @@ permissions:
 
 jobs:
   build-cli:
-    if: ${{ !(startsWith(github.ref, 'refs/tags/') && matrix.target == 'x86_64-pc-windows-msvc') }}
     strategy:
       fail-fast: false
       matrix:
@@ -51,81 +50,45 @@ jobs:
       - name: Install rust target
         run: rustup target add ${{ matrix.target }}
 
-      - name: Compile
-        run: |
-          cargo build --release --target ${{ matrix.target }} -p spacetimedb-cli -p spacetimedb-standalone -p spacetimedb-update
-
-      - name: Package (unix)
-        if: ${{ runner.os != 'Windows' }}
-        shell: bash
-        run: |
-          mkdir build
-          cd target/${{matrix.target}}/release
-          cp spacetimedb-update ../../../build/spacetimedb-update-${{matrix.target}}
-          tar -czf ../../../build/spacetime-${{matrix.target}}.tar.gz spacetimedb-{cli,standalone}
-
-      - name: Package (windows)
+      - name: Add signtool.exe to PATH
         if: ${{ runner.os == 'Windows' }}
-        shell: bash
+        shell: pwsh
         run: |
-          mkdir build
-          cd target/${{matrix.target}}/release
-          cp spacetimedb-update.exe ../../../build/spacetimedb-update-${{matrix.target}}.exe
-          7z a ../../../build/spacetime-${{matrix.target}}.zip spacetimedb-cli.exe spacetimedb-standalone.exe
-
-      - name: Extract branch name
-        shell: bash
-        run: echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_OUTPUT
-        id: extract_branch
-
-      - name: Upload to DO Spaces
-        uses: shallwefootball/s3-upload-action@master
-        with:
-          aws_key_id: ${{ secrets.AWS_KEY_ID }}
-          aws_secret_access_key: ${{ secrets.AWS_SECRET_ACCESS_KEY}}
-          aws_bucket: ${{ vars.AWS_BUCKET }}
-          source_dir: build
-          endpoint: https://nyc3.digitaloceanspaces.com
-          destination_dir: ${{ steps.extract_branch.outputs.branch }}
-
-  build-cli-windows-signed:
-    if: ${{ startsWith(github.ref, 'refs/tags/') }}
-    name: Build and sign CLI for x86_64 Windows
-    runs-on: [self-hosted, windows, signing]
-    environment: codesign
-    concurrency:
-      group: codesign-${{ github.ref }}
-      cancel-in-progress: false
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-
-      - name: Install Rust
-        uses: dsherret/rust-toolchain-file@v1
+          $root = "${env:ProgramFiles(x86)}\Windows Kits\10\bin"
+          $signtool = Get-ChildItem $root -Recurse -Filter signtool.exe -ErrorAction SilentlyContinue |
+            Where-Object { $_.FullName -match '\\x64\\signtool\.exe$' } |
+            Sort-Object FullName -Descending |
+            Select-Object -First 1
 
-      - name: Install rust target
-        run: rustup target add x86_64-pc-windows-msvc
+          if (-not $signtool) { throw "signtool.exe not found under $root" }
 
-      - name: Compile
-        run: |
-          cargo build --release --target x86_64-pc-windows-msvc -p spacetimedb-cli -p spacetimedb-standalone -p spacetimedb-update
+          "Found: $($signtool.FullName)"
+          $dir = Split-Path $signtool.FullName
+          Add-Content -Path $env:GITHUB_PATH -Value $dir
 
-      - name: Write certificate file
+      - name: Write certificate file for signing
+        if: ${{ runner.os == 'Windows' }}
         shell: powershell
         env:
           DIGICERT_CERT_B64: ${{ secrets.DIGICERT_CERT_B64 }}
         run: |
-          [IO.File]::WriteAllBytes("digicert.crt", [Convert]::FromBase64String($env:DIGICERT_CERT_B64))
+          [IO.File]::WriteAllBytes("digicert.pfx", [Convert]::FromBase64String($env:DIGICERT_CERT_B64))
 
-      - name: Sign binaries
+      - name: Compile
+        run: |
+          cargo build --release --target ${{ matrix.target }} -p spacetimedb-cli -p spacetimedb-standalone -p spacetimedb-update
+
+      - name: Sign binaries for Windows
+        # Disabled for now since the current flow isn't working.
+        if: false
+        #if: ${{ runner.os == 'Windows' }}
         shell: powershell
         env:
           DIGICERT_KEYPAIR_ALIAS: ${{ secrets.DIGICERT_KEYPAIR_ALIAS }}
         run: |
           $ErrorActionPreference = 'Stop'
           $targetDir = Join-Path $env:GITHUB_WORKSPACE 'target\x86_64-pc-windows-msvc\release'
-          $certFile = Join-Path $env:GITHUB_WORKSPACE 'digicert.crt'
+          $certFile = Join-Path $env:GITHUB_WORKSPACE 'digicert.pfx'
 
           $signtool = Get-Command signtool.exe -ErrorAction Stop
 
@@ -136,32 +99,31 @@ jobs:
           )
 
           foreach ($file in $files) {
-            & $signtool.Path sign /csp "DigiCert Signing Manager KSP" /kc $env:DIGICERT_KEYPAIR_ALIAS /f $certFile /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 $file
+            & $signtool.Path sign /f $certFile /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 $file
             & $signtool.Path verify /v /pa $file
           }
 
-      - name: Package (windows)
-        shell: powershell
+      - name: Package (unix)
+        if: ${{ runner.os != 'Windows' }}
+        shell: bash
         run: |
-          $ErrorActionPreference = 'Stop'
-          New-Item -ItemType Directory -Force -Path build | Out-Null
-          $releaseDir = Join-Path $env:GITHUB_WORKSPACE 'target\x86_64-pc-windows-msvc\release'
+          mkdir build
+          cd target/${{matrix.target}}/release
+          cp spacetimedb-update ../../../build/spacetimedb-update-${{matrix.target}}
+          tar -czf ../../../build/spacetime-${{matrix.target}}.tar.gz spacetimedb-{cli,standalone}
 
-          Copy-Item (Join-Path $releaseDir 'spacetimedb-update.exe') (Join-Path $env:GITHUB_WORKSPACE 'build\spacetimedb-update-x86_64-pc-windows-msvc.exe')
-          Compress-Archive -Force -Path @(
-            (Join-Path $releaseDir 'spacetimedb-cli.exe'),
-            (Join-Path $releaseDir 'spacetimedb-standalone.exe')
-          ) -DestinationPath (Join-Path $env:GITHUB_WORKSPACE 'build\spacetime-x86_64-pc-windows-msvc.zip')
+      - name: Package (windows)
+        if: ${{ runner.os == 'Windows' }}
+        shell: bash
+        run: |
+          mkdir build
+          cd target/${{matrix.target}}/release
+          cp spacetimedb-update.exe ../../../build/spacetimedb-update-${{matrix.target}}.exe
+          7z a ../../../build/spacetime-${{matrix.target}}.zip spacetimedb-cli.exe spacetimedb-standalone.exe
 
       - name: Extract branch name
-        shell: powershell
-        run: |
-          $ErrorActionPreference = 'Stop'
-          $branch = $env:GITHUB_HEAD_REF
-          if ([string]::IsNullOrEmpty($branch)) {
-            $branch = $env:GITHUB_REF -replace '^refs/heads/', ''
-          }
-          "branch=$branch" | Out-File -FilePath $env:GITHUB_OUTPUT -Encoding utf8 -Append
+        shell: bash
+        run: echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_OUTPUT
         id: extract_branch
 
       - name: Upload to DO Spaces
 
@@ -1,7 +1,17 @@
 name: Review Checks
 
+# SECURITY: This workflow uses pull_request_target so that it has write access to
+# set commit statuses on external (fork) PRs. pull_request_target runs in the
+# context of the base branch, which grants the GITHUB_TOKEN write permissions
+# that a regular pull_request event on a fork would not have.
+#
+# IMPORTANT: This workflow must NEVER check out, build, or execute code from the
+# PR branch. Doing so would allow a malicious fork to run arbitrary code with
+# write access to the repository. This workflow only reads PR metadata via the
+# GitHub API, which is safe.
+
 on:
-  pull_request:
+  pull_request_target:
     types: [opened, synchronize, reopened]
   pull_request_review:
     types: [submitted, dismissed]
@@ -21,6 +31,7 @@ jobs:
     name: Set approval status
     runs-on: ubuntu-latest
 
+    # SECURITY: Do not add a checkout step to this job. See comment at the top of this file.
     steps:
       - name: Evaluate and publish approval status
         uses: actions/github-script@v7
@@ -41,7 +52,10 @@ jobs:
               const pr = context.payload.pull_request;
               targetSha = pr.head.sha;
 
-              if (pr.user.login !== "clockwork-labs-bot") {
+              if (pr.head.repo.fork) {
+                state = "success";
+                description = "Skipped for external PR";
+              } else if (pr.user.login !== "clockwork-labs-bot") {
                 state = "success";
                 description = "PR author is not clockwork-labs-bot";
               } else {