From b10b54d0bede3f67d5de0bea35d45ed9d3af9239 Mon Sep 17 00:00:00 2001
From: Baptiste Augrain
Date: Tue, 22 Oct 2024 15:53:04 +0200
Subject: [PATCH] build(windows): add signing with SignPath (#2069)
---
.github/workflows/insider-windows.yml | 1 -
.github/workflows/stable-windows.yml | 31 +++++++++++++++++++++++++--
README.md | 4 ++++
3 files changed, 33 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/insider-windows.yml b/.github/workflows/insider-windows.yml
index 9a1ebd216cf..bf13990e74f 100644
--- a/.github/workflows/insider-windows.yml
+++ b/.github/workflows/insider-windows.yml
@@ -44,7 +44,6 @@ jobs: matrix: vscode_arch: - x64 - # - ia32 - arm64 outputs: RELEASE_VERSION: ${{ env.RELEASE_VERSION }}
diff --git a/.github/workflows/stable-windows.yml b/.github/workflows/stable-windows.yml
index 3f7e28368ce..22ff178ba80 100644
--- a/.github/workflows/stable-windows.yml
+++ b/.github/workflows/stable-windows.yml
@@ -30,7 +30,6 @@ env: VERSIONS_REPOSITORY: ${{ github.repository_owner }}/versions VSCODE_QUALITY: stable - jobs: build: runs-on: windows-2019
@@ -44,7 +43,6 @@ jobs: matrix: vscode_arch: - x64 - # - ia32 - arm64 outputs: RELEASE_VERSION: ${{ env.RELEASE_VERSION }}
@@ -83,6 +81,7 @@ jobs: - name: Check existing VSCodium tags/releases env: + DISABLE_MSI: ${{ vars.DISABLE_STABLE_MSI }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: ./check_tags.sh if: env.SHOULD_DEPLOY == 'yes' || github.event.inputs.generate_assets == 'true'
@@ -99,6 +98,34 @@ jobs: run: ./prepare_assets.sh if: env.SHOULD_BUILD == 'yes' && (env.SHOULD_DEPLOY == 'yes' || github.event.inputs.generate_assets == 'true') + - name: Upload unsigned artifacts + id: upload-unsigned-artifacts + uses: actions/upload-artifact@v4 + with: + name: unsigned-${{ matrix.vscode_arch }} + path: | + assets/*.exe + assets/*.msi + retention-days: 1 + if: env.SHOULD_BUILD == 'yes' && (env.SHOULD_DEPLOY == 'yes' || github.event.inputs.generate_assets == 'true') + + - name: Signing + uses: signpath/github-action-submit-signing-request@v1 + with: + api-token: ${{ secrets.SIGNPATH_API_TOKEN }} + organization-id: ${{ secrets.SIGNPATH_ORGANIZATION_ID }} + project-slug: ${{ secrets.SIGNPATH_PROJECT_SLUG }} + signing-policy-slug: ${{ secrets.SIGNPATH_POLICY_SLUG }} + github-artifact-id: ${{ steps.upload-unsigned-artifacts.outputs.artifact-id }} + artifact-configuration-slug: ${{ matrix.vscode_arch }} + wait-for-completion: true + output-artifact-directory: assets/ + if: env.SHOULD_BUILD == 'yes' && (env.SHOULD_DEPLOY == 'yes' || github.event.inputs.generate_assets == 'true') + + - name: Prepare checksums + run: ./prepare_checksums.sh + if: env.SHOULD_BUILD == 'yes' && (env.SHOULD_DEPLOY == 'yes' || github.event.inputs.generate_assets == 'true') + - name: Release env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/README.md b/README.md
index 280f9645dd4..bbdd1892301 100644
--- a/README.md
+++ b/README.md
@@ -204,6 +204,10 @@ The minimal version is limited by the core component Electron, you may want to c MacStadium logo for providing a Mac mini M1 + + + SignPath logo + for Windows certificate @daiyam
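Review bot: The new `Signing` step in stable-windows.yml hands `secrets.SIGNPATH_API_TOKEN` to `signpath/github-action-submit-signing-request@v1`, a third-party action referenced by a movable tag, so whatever code that tag resolves to at run time receives the signing credential. Pin it to a commit that has been reviewed, e.g. `uses: signpath/github-action-submit-signing-request@<full-commit-sha> # v1` (placeholder; take the SHA from the audited release). Separately, `output-artifact-directory: assets/` writes the signed files into the directory that still holds the unsigned `*.exe`/`*.msi`, and nothing visible in the hunk confirms that every file was replaced before `Prepare checksums` runs. If the later steps publish from `assets/` (their scripts are outside this hunk), a naming mismatch would ship unsigned binaries without failing the job. A short step between `Signing` and `Prepare checksums` that checks each installer with `Get-AuthenticodeSignature` and fails on any status other than `Valid` would make that case fail closed.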