Migrate Windows codesigning to SignPath.io with unified build-sign-release pipeline#275
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
…job, then create release and upload Agent-Logs-Url: https://github.com/overlayeddev/overlayed/sessions/604fd443-df2e-4ac5-a0e7-aba11888316b Co-authored-by: Hacksore <996134+Hacksore@users.noreply.github.com>
…fe file path construction Agent-Logs-Url: https://github.com/overlayeddev/overlayed/sessions/604fd443-df2e-4ac5-a0e7-aba11888316b Co-authored-by: Hacksore <996134+Hacksore@users.noreply.github.com>
|
@copilot none of the CI actually ran it just has a ✅ and ran for less than 10s. please make sure to only run the windows build for now so we can test singing e2e then after that's good we can expand the matrix back. |
Agent-Logs-Url: https://github.com/overlayeddev/overlayed/sessions/d78c6bd7-9817-4fce-bcde-64e5ce7a0e2e Co-authored-by: Hacksore <996134+Hacksore@users.noreply.github.com>
Done in b659a7b — macOS and Linux are commented out in the matrix with a |
|
Oh we have another issue we have the paths filter logic making sure there are app changes but since we are only working on CI it wont run, maybe disable that as well so we can observe a build without app changes. |
… changes Agent-Logs-Url: https://github.com/overlayeddev/overlayed/sessions/0904acca-f47e-4e3a-99d6-ee205f9d5ec7 Co-authored-by: Hacksore <996134+Hacksore@users.noreply.github.com>
Done in c2b670c — removed |
|
@copilot TBH we don't even want the CI job running we wanna test release.yaml workflow for e2e codesign flow. disable the CI jobs for this PR and focus on getting release.yaml to run the build ONLY for windows so we can test the full workflow for signing and release upload. |
…e signing test Agent-Logs-Url: https://github.com/overlayeddev/overlayed/sessions/3c7804c9-5b2f-4354-b1d8-4d8c818620fb Co-authored-by: Hacksore <996134+Hacksore@users.noreply.github.com>
Done in 65ffcfd:
|
|
@copilot here is the output from the release job. |
…(fix already_exists) Agent-Logs-Url: https://github.com/overlayeddev/overlayed/sessions/d474a418-4d3d-465f-90c5-f44d7da1e4c3 Co-authored-by: Hacksore <996134+Hacksore@users.noreply.github.com>
... Fixed in 9b12ecd. The
|
|
@copilot this is great and all but is there a way to make the code in release.yaml reusable cross-platform so there is only one source of truth? also i don't see the |
…t.json inclusion Agent-Logs-Url: https://github.com/overlayeddev/overlayed/sessions/6658cacb-6f3b-4925-87df-486df6c4be0d Co-authored-by: Hacksore <996134+Hacksore@users.noreply.github.com>
Done in 13d5313. Both addressed: Cross-platform reusability: The per-platform duplication is gone. There are now exactly two shared steps — "Collect release artifacts" and "Upload {os} release artifacts" — that run identically on Windows, macOS, and Linux. Between them, the Windows-only signing steps (extract → SignPath → replace) are sandwiched in. No more separate The collect step uses - name: Collect release artifacts
shell: bash
env:
ARTIFACT_PATHS: ${{ steps.tauri.outputs.artifactPaths }}
run: |
mkdir -p ./release-artifacts
node -e "...copy all paths into ./release-artifacts..."
|
Replaces the old Windows codesigning flow (build → upload to draft release → download → sign → re-upload) with a linear pipeline where signing happens inside the build job. The release is created only after all builds succeed.
Pipeline structure
macOS and Linux matrix entries are commented out with a
TODO: re-enable after Windows signing is verified e2enote and will be restored once the end-to-end signing flow is confirmed working.Key changes
release.yaml— full pipeline rewrite:build-taurimatrix while signing is being validated (macOS/Linux commented out)migrate/codesignandcopilot/sub-pr-253so the full pipeline can be observed on this branch without mergingbash+node, copying every file fromartifactPaths(includinglatest.jsonif generated by tauri-action) into./release-artifacts. This is the single source of truth for artifact collection — no more separate PowerShell vs Python paths per OS.signpath/github-action-submit-signing-request) extracts only.exe/.msifrom./release-artifacts, submits them to SignPath, then writes the signed files back in-place. All other files (.sig,.zip,latest.json) are left untouched.if:guards needed.create-releasenow runs after all builds, eliminating the race condition in the previous designupload-releasejob usesactions/download-artifact@v4.1.3(patched; previous@v4floating tag was vulnerable to arbitrary file write via artifact extraction — CVE affecting>= 4.0.0, < 4.1.3)upload-release-artifacts.jslists existing release assets and deletes any matching name before uploading, so workflow re-runs on a reused draft release don't fail withalready_existsci.yaml—pull_requesttrigger disabled (onlyworkflow_dispatchremains) while the Windows signing e2e flow is being validated; will be re-enabled after signing is confirmed workingscripts/actions/upload-release-artifacts.js— new script that uploads all files from./release-artifacts/to a release; deletes existing assets with the same name before uploading (upsert semantics); accumulates per-file errors and fails the workflow at the end rather than silently continuing; usespath.join()for safe path construction