ci: build MSIs on windows-latest (WiX 4 has Linux path-parsing bug)

Author: swarit-stepsecurity

.github/workflows/release.yml

@@ -13,6 +13,9 @@ jobs:
       contents: write
       id-token: write
       attestations: write
+    outputs:
+      version: ${{ steps.version.outputs.version }}
+      release_tag: ${{ steps.release.outputs.tag }}
 
     steps:
       - name: Harden the runner (Audit all outbound calls)
@@ -85,40 +88,6 @@ jobs:
       - name: Install cosign
         uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 
-      - name: Build MSIs (x64 + arm64)
-        # WiX 4 runs on .NET, so we install it on the same ubuntu-latest
-        # runner. Output: dist/stepsecurity-dev-machine-guard-<v>-x64.msi
-        # and the arm64 counterpart. Both wrap the goreleaser-produced
-        # .exe and embed it via CAB compression. No PowerShell anywhere.
-        run: |
-          dotnet tool install --global wix --version 4.0.5
-          export PATH="$PATH:$HOME/.dotnet/tools"
-          wix --version
-
-          version="${{ steps.version.outputs.version }}"
-
-          win_amd64_exe=$(find dist -type f -name '*.exe' -path '*windows_amd64*' | head -1)
-          win_arm64_exe=$(find dist -type f -name '*.exe' -path '*windows_arm64*' | head -1)
-          if [ ! -f "$win_amd64_exe" ] || [ ! -f "$win_arm64_exe" ]; then
-            echo "::error::Windows .exe artifacts not found under dist/"
-            find dist -type f -name '*.exe'
-            exit 1
-          fi
-
-          wix build packaging/windows/Product.wxs \
-            -arch x64 \
-            -d Arch=x64 \
-            -d Version="$version" \
-            -d BinaryPath="$PWD/$win_amd64_exe" \
-            -out "dist/stepsecurity-dev-machine-guard-${version}-x64.msi"
-
-          wix build packaging/windows/Product.wxs \
-            -arch arm64 \
-            -d Arch=arm64 \
-            -d Version="$version" \
-            -d BinaryPath="$PWD/$win_arm64_exe" \
-            -out "dist/stepsecurity-dev-machine-guard-${version}-arm64.msi"
-
       - name: Locate binaries and packages
         id: binaries
         run: |
@@ -133,10 +102,7 @@ jobs:
           RPM_AMD64=$(find dist -type f -name '*-amd64.rpm' | head -1)
           RPM_ARM64=$(find dist -type f -name '*-arm64.rpm' | head -1)
 
-          MSI_X64=$(find dist -type f -name '*-x64.msi' | head -1)
-          MSI_ARM64=$(find dist -type f -name '*-arm64.msi' | head -1)
-
-          for label in "darwin:${DARWIN}" "windows_amd64:${WIN_AMD64}" "windows_arm64:${WIN_ARM64}" "linux_amd64:${LINUX_AMD64}" "linux_arm64:${LINUX_ARM64}" "deb_amd64:${DEB_AMD64}" "deb_arm64:${DEB_ARM64}" "rpm_amd64:${RPM_AMD64}" "rpm_arm64:${RPM_ARM64}" "msi_x64:${MSI_X64}" "msi_arm64:${MSI_ARM64}"; do
+          for label in "darwin:${DARWIN}" "windows_amd64:${WIN_AMD64}" "windows_arm64:${WIN_ARM64}" "linux_amd64:${LINUX_AMD64}" "linux_arm64:${LINUX_ARM64}" "deb_amd64:${DEB_AMD64}" "deb_arm64:${DEB_ARM64}" "rpm_amd64:${RPM_AMD64}" "rpm_arm64:${RPM_ARM64}"; do
             name="${label%%:*}"
             path="${label#*:}"
             if [ -z "$path" ] || [ ! -f "$path" ]; then
@@ -155,8 +121,6 @@ jobs:
           echo "deb_arm64=$DEB_ARM64" >> "$GITHUB_OUTPUT"
           echo "rpm_amd64=$RPM_AMD64" >> "$GITHUB_OUTPUT"
           echo "rpm_arm64=$RPM_ARM64" >> "$GITHUB_OUTPUT"
-          echo "msi_x64=$MSI_X64" >> "$GITHUB_OUTPUT"
-          echo "msi_arm64=$MSI_ARM64" >> "$GITHUB_OUTPUT"
 
       - name: Sign artifacts with Sigstore
         shell: bash
@@ -195,19 +159,6 @@ jobs:
             "${{ steps.binaries.outputs.rpm_amd64 }}.bundle"
           sign_with_retry "${{ steps.binaries.outputs.rpm_arm64 }}" \
             "${{ steps.binaries.outputs.rpm_arm64 }}.bundle"
-          sign_with_retry "${{ steps.binaries.outputs.msi_x64 }}" \
-            "${{ steps.binaries.outputs.msi_x64 }}.bundle"
-          sign_with_retry "${{ steps.binaries.outputs.msi_arm64 }}" \
-            "${{ steps.binaries.outputs.msi_arm64 }}.bundle"
-
-      - name: Upload MSIs to draft release
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: |
-          gh release upload "${{ steps.release.outputs.tag }}" \
-            "${{ steps.binaries.outputs.msi_x64 }}" \
-            "${{ steps.binaries.outputs.msi_arm64 }}" \
-            --clobber
 
       - name: Upload cosign bundles
         env:
@@ -223,8 +174,6 @@ jobs:
             "${{ steps.binaries.outputs.deb_arm64 }}.bundle" \
             "${{ steps.binaries.outputs.rpm_amd64 }}.bundle" \
             "${{ steps.binaries.outputs.rpm_arm64 }}.bundle" \
-            "${{ steps.binaries.outputs.msi_x64 }}.bundle" \
-            "${{ steps.binaries.outputs.msi_arm64 }}.bundle" \
             --clobber
 
       - name: Attest build provenance
@@ -240,5 +189,119 @@ jobs:
             ${{ steps.binaries.outputs.deb_arm64 }}
             ${{ steps.binaries.outputs.rpm_amd64 }}
             ${{ steps.binaries.outputs.rpm_arm64 }}
-            ${{ steps.binaries.outputs.msi_x64 }}
-            ${{ steps.binaries.outputs.msi_arm64 }}
+
+  build-msi:
+    name: Build & Sign MSIs
+    needs: release
+    runs-on: windows-latest
+    permissions:
+      contents: write
+      id-token: write
+      attestations: write
+
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Install WiX 4
+        # WiX 4 ships as a .NET global tool. windows-latest has the .NET SDK
+        # preinstalled, so this resolves quickly. We pin to a known-working
+        # version. Linux/macOS hosts have WiX 4 issues with Directory/@Name
+        # path validation — we always build the MSI on Windows.
+        shell: pwsh
+        run: |
+          dotnet tool install --global wix --version 4.0.5
+          wix --version
+
+      - name: Download Windows .exe assets from draft release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        shell: pwsh
+        run: |
+          $tag = "${{ needs.release.outputs.release_tag }}"
+          New-Item -ItemType Directory -Path dist -Force | Out-Null
+          # Goreleaser produces archive names like:
+          #   stepsecurity-dev-machine-guard-<version>-windows_amd64.exe
+          # We download them by exact pattern to dist/.
+          gh release download "$tag" `
+            -R "${{ github.repository }}" `
+            -p "*-windows_amd64.exe" `
+            -p "*-windows_arm64.exe" `
+            -D dist
+          Get-ChildItem dist | Format-Table Name, Length
+
+      - name: Build MSIs (x64 + arm64)
+        shell: pwsh
+        run: |
+          $version = "${{ needs.release.outputs.version }}"
+          $amd64 = Get-ChildItem dist -Filter "*-windows_amd64.exe" | Select-Object -First 1
+          $arm64 = Get-ChildItem dist -Filter "*-windows_arm64.exe" | Select-Object -First 1
+          if (-not $amd64 -or -not $arm64) {
+            Write-Error "Windows .exe assets missing under dist/"
+            exit 1
+          }
+
+          wix build packaging/windows/Product.wxs `
+            -arch x64 `
+            -d Arch=x64 `
+            -d "Version=$version" `
+            -d "BinaryPath=$($amd64.FullName)" `
+            -out "dist/stepsecurity-dev-machine-guard-$version-x64.msi"
+
+          wix build packaging/windows/Product.wxs `
+            -arch arm64 `
+            -d Arch=arm64 `
+            -d "Version=$version" `
+            -d "BinaryPath=$($arm64.FullName)" `
+            -out "dist/stepsecurity-dev-machine-guard-$version-arm64.msi"
+
+          Get-ChildItem dist -Filter "*.msi" | Format-Table Name, Length
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+
+      - name: Sign MSIs with Sigstore
+        shell: bash
+        run: |
+          set -euo pipefail
+          version="${{ needs.release.outputs.version }}"
+          for arch in x64 arm64; do
+            msi="dist/stepsecurity-dev-machine-guard-${version}-${arch}.msi"
+            bundle="${msi}.bundle"
+            for attempt in 1 2 3; do
+              if cosign sign-blob "$msi" --bundle "$bundle" --yes; then
+                echo "Signed $msi"
+                break
+              fi
+              echo "::warning::Sign attempt $attempt failed for $msi, retrying in 10s..."
+              sleep 10
+            done
+            test -f "$bundle" || { echo "::error::Failed to sign $msi"; exit 1; }
+          done
+
+      - name: Upload MSIs and bundles to draft release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          tag="${{ needs.release.outputs.release_tag }}"
+          version="${{ needs.release.outputs.version }}"
+          gh release upload "$tag" \
+            "dist/stepsecurity-dev-machine-guard-${version}-x64.msi" \
+            "dist/stepsecurity-dev-machine-guard-${version}-arm64.msi" \
+            "dist/stepsecurity-dev-machine-guard-${version}-x64.msi.bundle" \
+            "dist/stepsecurity-dev-machine-guard-${version}-arm64.msi.bundle" \
+            --clobber
+
+      - name: Attest MSI build provenance
+        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
+        with:
+          subject-path: |
+            dist/stepsecurity-dev-machine-guard-${{ needs.release.outputs.version }}-x64.msi
+            dist/stepsecurity-dev-machine-guard-${{ needs.release.outputs.version }}-arm64.msi

internal/buildinfo/version.go

@@ -3,7 +3,7 @@ package buildinfo
 import "fmt"
 
 const (
-	Version  = "1.11.2-msi-test1"
+	Version  = "1.11.2-msi-test2"
 	AgentURL = "https://github.com/step-security/dev-machine-guard"
 )