ci: enable Windows ARM64 build in GitHub Actions

[sykuang]

Summary

• Add windows-11-arm runner to the build matrix for native ARM64 builds
• Set CC to zig cross-compiler (aarch64-windows-gnu) for ARM64 runner
• Increase npm ci timeout to 15 minutes for native module compilation on ARM64
• Add ARM64 MSI URL to winget publish command

Test plan

• Triggered workflow_dispatch build on fork — Windows ARM64 job completed successfully
• Produced Wave-win32-arm64-0.14.4.exe, .msi, and .zip artifacts
• Other platform builds (Linux x64/arm64, Windows x64) unaffected

🤖 Generated with Claude Code

[CLAassistant]

All committers have signed the CLA.

[coderabbitai]

Walkthrough

The PR enables an active Windows ARM runner in the CI matrix (replacing a commented entry with platform: "windows" and runner: "windows-11-arm"), increases the npm ci step timeout from 5 to 15 minutes, conditionally sets CC to zig cc -target aarch64-windows-gnu when the chosen runner contains arm, tightens the create-release job if condition to exclude cancelled workflow runs, and updates the winget publish task to pass both x64 and arm64 MSI URLs to wingetcreate update.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main change: enabling Windows ARM64 builds in CI, which aligns with the primary modifications in both workflow and Taskfile.
Description check	✅ Passed	The description is directly related to the changeset, providing a clear summary of the changes made and a test plan demonstrating the new functionality works as intended.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/build-helper.yml:
- Around line 32-33: The workflow currently adds the "windows-11-arm" runner but
still unconditionally installs the x64-only Keylockertools MSI
("Keylockertools-windows-x64.msi"), which fails on ARM; either remove the
"windows-11-arm" runner or add conditional logic around the signing job to
detect runner labels (e.g., check runner OS/architecture or job matrix value
"platform" == "windows" vs "windows-arm") and skip or use ARM-compatible signing
steps for ARM builds (or only run the MSI installation when platform ==
"windows" and not "windows-11-arm"), and ensure the signing step that downloads
"Keylockertools-windows-x64.msi" is gated behind that condition or replaced with
ARM-capable signing logic.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 66834ac2-3e12-42b6-bd2b-2d2cc94ab3db

📥 Commits

Reviewing files that changed from the base of the PR and between 388b4c9 and 43f54fd.

📒 Files selected for processing (2)

• .github/workflows/build-helper.yml
• Taskfile.yml

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify that ARM runner is enabled and signing steps still use x64 Keylocker tooling.
rg -n -C2 'windows-11-arm|Set up certificate \(Windows only\)|Setup Keylocker KSP|Keylockertools-windows-x64.msi|github.event_name != '\''workflow_dispatch'\''' .github/workflows/build-helper.yml

Repository: wavetermdev/waveterm

Length of output: 2066

---

🌐 Web query:

Is DigiCert Signing Manager Keylocker officially supported on Windows 11 ARM64 runners, and is Keylockertools-windows-x64.msi supported for CI code signing on ARM64?

💡 Result:

No, DigiCert Signing Manager Keylocker is not officially supported on Windows 11 ARM64 runners. Official documentation lists support for Windows 11 under 64-bit x64 architecture only, with no mention of ARM64. The Windows client installer is exclusively Keylockertools-windows-x64.msi, indicating x64 binaries. While JCE library supports ARM via Java, core tools like SMCTL, PKCS11, and KSP are Windows x64-specific. GitHub Actions workflows use windows-latest (x64), not windows-latest-arm64. Keylockertools-windows-x64.msi is not natively supported for CI code signing on ARM64 runners, as it is an x64 MSI that may not install or run properly on ARM64 without emulation, which is unconfirmed and not recommended for production CI.

Citations:

• 1: https://docs.digicert.com/en/digicert-keylocker/client-tools/tool-packages/windows-clients-installer.html
• 2: https://docs.digicert.com/en/digicert-keylocker/client-tools/client-tool-compatibility.html
• 3: https://docs.digicert.com/en/digicert-keylocker/overview/compatible-operating-systems.html
• 4: https://docs.digicert.com/en/digicert-keylocker/ci-cd-integrations-and-deployment-pipelines/plugins/github/install-client-tools-for-standard-keypair-signing-on-github.html

---

ARM release builds cannot be signed with the current setup.

Adding windows-11-arm runner at line 33 enables ARM release builds, but the signing workflow still downloads and installs Keylockertools-windows-x64.msi (line 122) for all Windows jobs. DigiCert Signing Manager Keylocker is not officially supported on Windows ARM64; the installer is x64-exclusive and will not run on ARM runners. The reported test used workflow_dispatch (signing skipped), so ARM release signing was never tested.

Remove the windows-11-arm runner or add separate ARM-compatible signing logic before ARM releases can proceed.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/build-helper.yml around lines 32 - 33, The workflow
currently adds the "windows-11-arm" runner but still unconditionally installs
the x64-only Keylockertools MSI ("Keylockertools-windows-x64.msi"), which fails
on ARM; either remove the "windows-11-arm" runner or add conditional logic
around the signing job to detect runner labels (e.g., check runner
OS/architecture or job matrix value "platform" == "windows" vs "windows-arm")
and skip or use ARM-compatible signing steps for ARM builds (or only run the MSI
installation when platform == "windows" and not "windows-11-arm"), and ensure
the signing step that downloads "Keylockertools-windows-x64.msi" is gated behind
that condition or replaced with ARM-capable signing logic.

[coderabbitai]

♻️ Duplicate comments (1)

.github/workflows/build-helper.yml (1)

31-32: ⚠️ Potential issue | 🟠 Major

The new ARM Windows release path is still unverified.

Adding windows-11-arm means non-workflow_dispatch builds will run the same Windows signing setup on the ARM runner, but that setup still downloads Keylockertools-windows-x64.msi. The fork test does not cover that path because signing is skipped for workflow_dispatch, so tag/release builds can still fail before the ARM MSI is produced. Either gate the ARM lane out of signed releases for now or add runner-specific signing handling.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/build-helper.yml around lines 31 - 32, The ARM Windows
runner addition (runner: "windows-11-arm") causes the existing signing step to
run on ARM while it still downloads the x64 MSI
(Keylockertools-windows-x64.msi), and tag/release builds (non-workflow_dispatch)
are unverified; update the workflow to either skip the ARM lane for
signed-release paths (guarding runner: "windows-11-arm" behind a condition that
requires workflow_dispatch or a non-signed-release flag) or implement
runner-specific signing handling that selects the correct MSI per runner
architecture before the signing job runs (adjust the signing job logic that
references Keylockertools-windows-x64.msi to branch on the runner label and pick
the appropriate artifact).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In @.github/workflows/build-helper.yml:
- Around line 31-32: The ARM Windows runner addition (runner: "windows-11-arm")
causes the existing signing step to run on ARM while it still downloads the x64
MSI (Keylockertools-windows-x64.msi), and tag/release builds
(non-workflow_dispatch) are unverified; update the workflow to either skip the
ARM lane for signed-release paths (guarding runner: "windows-11-arm" behind a
condition that requires workflow_dispatch or a non-signed-release flag) or
implement runner-specific signing handling that selects the correct MSI per
runner architecture before the signing job runs (adjust the signing job logic
that references Keylockertools-windows-x64.msi to branch on the runner label and
pick the appropriate artifact).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 32dcf62c-c06d-4dd9-a427-15043924f57c

📥 Commits

Reviewing files that changed from the base of the PR and between 82bdd3c and 381f297.

📒 Files selected for processing (2)

• .github/workflows/build-helper.yml
• Taskfile.yml