-
-
Notifications
You must be signed in to change notification settings - Fork 77
84 lines (72 loc) · 2.38 KB
/
Sign.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
name: Code Sign App
on:
workflow_dispatch:
inputs:
target:
description: 'Target of Channel Name to Sign'
required: true
default: ''
type: string
workflow_call:
inputs:
target:
description: 'Target of Channel Name to Sign'
required: true
default: ''
type: string
jobs:
Sign_Code:
name: Sign ${{ inputs.target }} App
permissions:
id-token: write # Required for requesting the JWT
runs-on: windows-latest
steps:
- name: Download ${{ inputs.target }} Artifacts
uses: actions/download-artifact@v4
with:
name: ${{ inputs.target }}
path: .\ToSign\${{ inputs.target }}
- name: Download Build Artifacts
uses: actions/download-artifact@v4
with:
name: BuildArtifacts
path: .\BuildArtifacts
- name: Setup .NET
uses: actions/setup-dotnet@v4
with:
dotnet-version: |
8.0.x
9.0.x
- name: Install Code Sign CLI tool
# run: dotnet tool install --tool-path . sign --version 0.9.0-beta.23063.3
run: dotnet tool install --tool-path . --prerelease sign
- name: Azure Login
uses: azure/login@v2
with:
client-id: ${{ secrets.AZURE_CLIENT_ID }}
tenant-id: ${{ secrets.AZURE_TENANT_ID }}
subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
- name: Run Code Signing CLI
shell: pwsh
run: >
./sign code azure-key-vault
'**/*.{exe,zip,appxbundle,appinstaller}'
--timestamp-url "http://timestamp.digicert.com"
--base-directory "${{ github.workspace }}\ToSign"
--file-list "${{ github.workspace }}\BuildArtifacts\Signing\filelist.txt"
--publisher-name "Isaac Levin"
--description "PresenceLight"
--description-url "https://github.com/isaacrlevin/presencelight"
--azure-key-vault-managed-identity true
--azure-key-vault-url "${{ secrets.KEY_VAULT_URL }}"
--azure-key-vault-certificate "${{ secrets.KEY_VAULT_CERTIFICATE_ID }}"
--verbosity Trace
- name: Publish Signed ${{ inputs.target }} Packages
uses: actions/upload-artifact@v4
with:
path: .\ToSign\${{ inputs.target }}
name: '${{ inputs.target }}_Signed'
- name: Setup Tmate session
if: ${{ failure() }}
uses: mxschmitt/action-tmate@v3
timeout-minutes: 15