feat(windows): integrate msi based releases

Signed-off-by: Swarit Pandey <swarit@stepsecurity.io>

Author: swarit-stepsecurity

.github/workflows/release.yml

@@ -85,6 +85,40 @@ jobs:
       - name: Install cosign
         uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 
+      - name: Build MSIs (x64 + arm64)
+        # WiX 4 runs on .NET, so we install it on the same ubuntu-latest
+        # runner. Output: dist/stepsecurity-dev-machine-guard-<v>-x64.msi
+        # and the arm64 counterpart. Both wrap the goreleaser-produced
+        # .exe and embed it via CAB compression. No PowerShell anywhere.
+        run: |
+          dotnet tool install --global wix --version 4.0.5
+          export PATH="$PATH:$HOME/.dotnet/tools"
+          wix --version
+
+          version="${{ steps.version.outputs.version }}"
+
+          win_amd64_exe=$(find dist -type f -name '*.exe' -path '*windows_amd64*' | head -1)
+          win_arm64_exe=$(find dist -type f -name '*.exe' -path '*windows_arm64*' | head -1)
+          if [ ! -f "$win_amd64_exe" ] || [ ! -f "$win_arm64_exe" ]; then
+            echo "::error::Windows .exe artifacts not found under dist/"
+            find dist -type f -name '*.exe'
+            exit 1
+          fi
+
+          wix build packaging/windows/Product.wxs \
+            -arch x64 \
+            -d Arch=x64 \
+            -d Version="$version" \
+            -d BinaryPath="$PWD/$win_amd64_exe" \
+            -out "dist/stepsecurity-dev-machine-guard-${version}-x64.msi"
+
+          wix build packaging/windows/Product.wxs \
+            -arch arm64 \
+            -d Arch=arm64 \
+            -d Version="$version" \
+            -d BinaryPath="$PWD/$win_arm64_exe" \
+            -out "dist/stepsecurity-dev-machine-guard-${version}-arm64.msi"
+
       - name: Locate binaries and packages
         id: binaries
         run: |
@@ -99,7 +133,10 @@ jobs:
           RPM_AMD64=$(find dist -type f -name '*-amd64.rpm' | head -1)
           RPM_ARM64=$(find dist -type f -name '*-arm64.rpm' | head -1)
 
-          for label in "darwin:${DARWIN}" "windows_amd64:${WIN_AMD64}" "windows_arm64:${WIN_ARM64}" "linux_amd64:${LINUX_AMD64}" "linux_arm64:${LINUX_ARM64}" "deb_amd64:${DEB_AMD64}" "deb_arm64:${DEB_ARM64}" "rpm_amd64:${RPM_AMD64}" "rpm_arm64:${RPM_ARM64}"; do
+          MSI_X64=$(find dist -type f -name '*-x64.msi' | head -1)
+          MSI_ARM64=$(find dist -type f -name '*-arm64.msi' | head -1)
+
+          for label in "darwin:${DARWIN}" "windows_amd64:${WIN_AMD64}" "windows_arm64:${WIN_ARM64}" "linux_amd64:${LINUX_AMD64}" "linux_arm64:${LINUX_ARM64}" "deb_amd64:${DEB_AMD64}" "deb_arm64:${DEB_ARM64}" "rpm_amd64:${RPM_AMD64}" "rpm_arm64:${RPM_ARM64}" "msi_x64:${MSI_X64}" "msi_arm64:${MSI_ARM64}"; do
             name="${label%%:*}"
             path="${label#*:}"
             if [ -z "$path" ] || [ ! -f "$path" ]; then
@@ -118,6 +155,8 @@ jobs:
           echo "deb_arm64=$DEB_ARM64" >> "$GITHUB_OUTPUT"
           echo "rpm_amd64=$RPM_AMD64" >> "$GITHUB_OUTPUT"
           echo "rpm_arm64=$RPM_ARM64" >> "$GITHUB_OUTPUT"
+          echo "msi_x64=$MSI_X64" >> "$GITHUB_OUTPUT"
+          echo "msi_arm64=$MSI_ARM64" >> "$GITHUB_OUTPUT"
 
       - name: Sign artifacts with Sigstore
         shell: bash
@@ -156,6 +195,20 @@ jobs:
             "${{ steps.binaries.outputs.rpm_amd64 }}.bundle"
           sign_with_retry "${{ steps.binaries.outputs.rpm_arm64 }}" \
             "${{ steps.binaries.outputs.rpm_arm64 }}.bundle"
+          sign_with_retry "${{ steps.binaries.outputs.msi_x64 }}" \
+            "${{ steps.binaries.outputs.msi_x64 }}.bundle"
+          sign_with_retry "${{ steps.binaries.outputs.msi_arm64 }}" \
+            "${{ steps.binaries.outputs.msi_arm64 }}.bundle"
+
+      - name: Upload MSIs to draft release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh release upload "${{ steps.release.outputs.tag }}" \
+            "${{ steps.binaries.outputs.msi_x64 }}" \
+            "${{ steps.binaries.outputs.msi_arm64 }}" \
+            --clobber
+
       - name: Upload cosign bundles
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -170,6 +223,8 @@ jobs:
             "${{ steps.binaries.outputs.deb_arm64 }}.bundle" \
             "${{ steps.binaries.outputs.rpm_amd64 }}.bundle" \
             "${{ steps.binaries.outputs.rpm_arm64 }}.bundle" \
+            "${{ steps.binaries.outputs.msi_x64 }}.bundle" \
+            "${{ steps.binaries.outputs.msi_arm64 }}.bundle" \
             --clobber
 
       - name: Attest build provenance
@@ -185,3 +240,5 @@ jobs:
             ${{ steps.binaries.outputs.deb_arm64 }}
             ${{ steps.binaries.outputs.rpm_amd64 }}
             ${{ steps.binaries.outputs.rpm_arm64 }}
+            ${{ steps.binaries.outputs.msi_x64 }}
+            ${{ steps.binaries.outputs.msi_arm64 }}

Makefile

@@ -9,17 +9,42 @@ LDFLAGS := -s -w \
 	-X $(MODULE)/internal/buildinfo.ReleaseTag=$(TAG) \
 	-X $(MODULE)/internal/buildinfo.ReleaseBranch=$(BRANCH)
 
-.PHONY: build build-windows build-linux deploy-windows test lint clean smoke
+.PHONY: build build-windows build-windows-arm64 build-linux deploy-windows test lint clean smoke build-msi-amd64 build-msi-arm64
 
 build:
 	go build -trimpath -ldflags "$(LDFLAGS)" -o $(BINARY) ./cmd/stepsecurity-dev-machine-guard
 
 build-windows:
 	GOOS=windows GOARCH=amd64 go build -trimpath -ldflags "$(LDFLAGS)" -o $(BINARY).exe ./cmd/stepsecurity-dev-machine-guard
 
+build-windows-arm64:
+	GOOS=windows GOARCH=arm64 go build -trimpath -ldflags "$(LDFLAGS)" -o $(BINARY)-arm64.exe ./cmd/stepsecurity-dev-machine-guard
+
 build-linux:
 	GOOS=linux GOARCH=amd64 go build -trimpath -ldflags "$(LDFLAGS)" -o $(BINARY)-linux ./cmd/stepsecurity-dev-machine-guard
 
+# MSI builds. Require WiX 4 on PATH: `dotnet tool install --global wix --version 4.0.5`.
+# Output: dist/stepsecurity-dev-machine-guard-<version>-{x64,arm64}.msi
+# Reads Version from internal/buildinfo so MajorUpgrade semantics line up
+# with whatever the binary reports as `--version`.
+build-msi-amd64: build-windows
+	mkdir -p dist
+	wix build packaging/windows/Product.wxs \
+		-arch x64 \
+		-d Arch=x64 \
+		-d Version=$(VERSION) \
+		-d BinaryPath=$(CURDIR)/$(BINARY).exe \
+		-out dist/stepsecurity-dev-machine-guard-$(VERSION)-x64.msi
+
+build-msi-arm64: build-windows-arm64
+	mkdir -p dist
+	wix build packaging/windows/Product.wxs \
+		-arch arm64 \
+		-d Arch=arm64 \
+		-d Version=$(VERSION) \
+		-d BinaryPath=$(CURDIR)/$(BINARY)-arm64.exe \
+		-out dist/stepsecurity-dev-machine-guard-$(VERSION)-arm64.msi
+
 deploy-windows:
 	@bash scripts/deploy-windows.sh $(DEPLOY_ARGS)
 
@@ -30,7 +55,8 @@ lint:
 	golangci-lint run ./...
 
 clean:
-	rm -f $(BINARY) $(BINARY).exe $(BINARY)-linux
+	rm -f $(BINARY) $(BINARY).exe $(BINARY)-arm64.exe $(BINARY)-linux
+	rm -rf dist/
 
 smoke: build
 	bash tests/test_smoke_go.sh

README.md

@@ -469,6 +469,7 @@ See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.
 - [Changelog](CHANGELOG.md)
 - [Scan Coverage](SCAN_COVERAGE.md) — full catalog of detections
 - [Release Process](docs/release-process.md) — how releases are signed and verified
+- [Deploying via SCCM](docs/deploying-via-sccm.md) — Windows fleet rollout via Microsoft Configuration Manager (signed MSI, no PowerShell)
 - [Versioning](VERSIONING.md) — why the version starts at 1.8.1
 - [Security Policy](SECURITY.md) — reporting vulnerabilities
 - [Code of Conduct](CODE_OF_CONDUCT.md)

cmd/stepsecurity-dev-machine-guard/main.go

@@ -113,9 +113,38 @@ func main() {
 
 	switch cfg.Command {
 	case "configure":
-		if err := config.RunConfigure(); err != nil {
-			fmt.Fprintf(os.Stderr, "Error: %v\n", err)
-			os.Exit(1)
+		// Non-interactive path: any explicit config flag, an explicit
+		// --non-interactive, OR the DMG_API_KEY env var route configure
+		// through the no-prompt code path. This is how MSI/SCCM/Intune
+		// custom actions drive configuration — they can't talk to stdin.
+		opts := config.NonInteractiveOptions{
+			FromFile:      cfg.ConfigFromFile,
+			CustomerID:    cfg.ConfigCustomerID,
+			APIEndpoint:   cfg.ConfigAPIEndpoint,
+			APIKey:        cfg.ConfigAPIKey,
+			ScanFrequency: cfg.ConfigScanFrequency,
+		}
+		if opts.APIKey == "" {
+			// Env-var fallback keeps the secret off the msiexec command
+			// line (which lands in AppEnforce.log on every endpoint).
+			opts.APIKey = os.Getenv("DMG_API_KEY")
+		}
+		// Only forward --search-dirs to configure when the user actually
+		// passed it on this invocation. (cli.Parse defaults SearchDirs to
+		// ["$HOME"] for the scan path, which we must not persist here.)
+		if len(cfg.SearchDirs) > 0 && !(len(cfg.SearchDirs) == 1 && cfg.SearchDirs[0] == "$HOME") {
+			opts.SearchDirs = cfg.SearchDirs
+		}
+		if cfg.NonInteractive || opts.HasAny() {
+			if err := config.RunConfigureNonInteractive(opts); err != nil {
+				fmt.Fprintf(os.Stderr, "Error: %v\n", err)
+				os.Exit(1)
+			}
+		} else {
+			if err := config.RunConfigure(); err != nil {
+				fmt.Fprintf(os.Stderr, "Error: %v\n", err)
+				os.Exit(1)
+			}
 		}
 
 	case "configure show":