Skip to content

Commit fadc07b

Browse files
committed
Test out Azure artifact signing
1 parent 690c04a commit fadc07b

2 files changed

Lines changed: 29 additions & 8 deletions

File tree

.github/workflows/ci.yml

Lines changed: 22 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -28,6 +28,12 @@ jobs:
2828
arch: arm64
2929
os: "macos-14"
3030
runs-on: ${{ matrix.os }}
31+
environment: ${{ (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')) && 'production' || null }}
32+
permissions:
33+
contents: read
34+
id-token: write # OIDC with Azure for Windows signing
35+
env:
36+
IS_RELEASE: ${{ github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v') }}
3137
steps:
3238
- uses: actions/checkout@v6
3339

@@ -50,14 +56,21 @@ jobs:
5056

5157
# The API key in APPLE_API_KEY is a PEM cert that must be read from disk:
5258
- name: Prepare Apple API key
59+
if: env.IS_RELEASE == 'true' && startsWith(matrix.os, 'macos-')
5360
run: echo "$APPLE_API_KEY" > ./apple-api-key.p8
54-
if: github.event_name == 'push' && startsWith(matrix.os, 'macos-')
5561
env:
5662
APPLE_API_KEY: ${{ secrets.APPLE_API_KEY }}
5763

58-
# On push we do signed builds, on PRs we do unsigned builds only (next step)
64+
- name: Azure login for Windows signing
65+
if: env.IS_RELEASE == 'true' && matrix.platform == 'windows'
66+
uses: azure/login@v2
67+
with:
68+
client-id: ${{ vars.AZURE_CLIENT_ID }}
69+
tenant-id: ${{ vars.AZURE_TENANT_ID }}
70+
allow-no-subscriptions: true
71+
5972
- name: Run signed build
60-
if: github.event_name == 'push'
73+
if: env.IS_RELEASE == 'true'
6174
run: npm run build
6275
env:
6376
ENABLE_SIGNING: true
@@ -69,14 +82,16 @@ jobs:
6982
# For Mac signing:
7083
CSC_LINK: ${{ secrets.CSC_LINK }}
7184
CSC_KEY_PASSWORD: ${{ secrets.CSC_KEY_PASSWORD }}
72-
# For Windows signing:
73-
WIN_CSC_LINK: ${{ secrets.WIN_CSC_LINK }}
74-
WIN_CSC_KEY_PASSWORD: ${{ secrets.WIN_CSC_KEY_PASSWORD }}
85+
# For Windows signing via Azure Artifact Signing:
86+
AZURE_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
87+
AZURE_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
88+
# Workaround for broken electron-builder Azure auth validation:
89+
AZURE_USERNAME: skip-preflight-use-workload-identity
7590
# Workaround - see FPM install step above
7691
USE_SYSTEM_FPM: ${{ matrix.platform == 'linux' && matrix.arch == 'arm64' }}
7792

7893
- name: Run unsigned build
79-
if: github.event_name != 'push'
94+
if: env.IS_RELEASE != 'true'
8095
run: npm run build
8196
env:
8297
ENABLE_SIGNING: false

package.json

Lines changed: 7 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -80,7 +80,13 @@
8080
],
8181
"artifactName": "HttpToolkit-${version}-${os}-${arch}.${ext}",
8282
"icon": "./src/icons/icon.ico",
83-
"forceCodeSigning": true
83+
"forceCodeSigning": true,
84+
"azureSignOptions": {
85+
"publisherName": "Toolshed Labs S.L.",
86+
"endpoint": "https://weu.codesigning.azure.net",
87+
"codeSigningAccountName": "tsl-code-signing",
88+
"certificateProfileName": "toolshed-labs"
89+
}
8490
},
8591
"nsis": {
8692
"installerIcon": "./src/icons/icon.ico",

0 commit comments

Comments
 (0)