ci: bundle release zip with loader, SHA256SUMS, and Sigstore provenance#37
Merged
Merged
Conversation
The existing workflow shipped a bare Charon.dll on tag push. Users still
had to source the DLLLoader separately and trust the upload by hand.
This switches the release output to a self-contained Charon-vX.X.X-x86.zip
(Charon.dll + dbghelp.dll + readme.md + SHA256SUMS.txt) matching the
unzip-to-D2-directory install flow in the readme. The DLLLoader is
pinned to upstream tag 0.1.3 and its dbghelp.dll is verified against a
hardcoded sha256 before bundling, so an upstream asset swap can't slip
a different binary into the zip.
Adds a Sigstore-signed build provenance attestation on the zip and pdb
(actions/attest-build-provenance). Anyone can verify a release artifact
came from this repo+workflow with:
gh attestation verify Charon-vX.X.X-x86.zip --repo blizzhackers/Charon
Authenticode code signing is intentionally skipped: Charon.dll isn't a
standalone exe that hits SmartScreen, it's side-loaded into Game.exe via
DLLLoader. Real certs cost money, self-signed ones still warn, and
provenance attestations cover the supply-chain integrity question that
actually applies here without key management or expiry.
Other changes:
- Symbols (.pdb) uploaded as a separate workflow artifact and published
on the release for crash debugging.
- All actions pinned to commit shas with version comments.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Hardens the release pipeline that fires on
v*tag pushes. The existing workflow uploaded a bareCharon.dlland required users to source the DLLLoader on their own. This produces a self-contained, verifiable release.Charon-vX.X.X-x86.zipnow containsCharon.dll+dbghelp.dll(DLLLoader) +readme.md+SHA256SUMS.txt. Matches the unzip-to-D2-directory install flow already documented in the readme.0.1.3, and itsdbghelp.dllis verified against a hardcoded sha256 before bundling — an upstream asset swap can't slip a different binary into the zip.actions/attest-build-provenanceon the.zipand.pdb. Anyone can verify a release artifact came from this repo + this workflow with:.pdbuploaded as a separate workflow artifact and published on the release for crash debugging.Why not Authenticode code signing?
Charon.dllisn't a standalone exe that hits SmartScreen — it's side-loaded intoGame.exevia DLLLoader. Real EV certs cost money, self-signed ones still warn, and provenance attestations cover the supply-chain integrity question that actually applies here without any of the key management or expiry overhead.Test plan
v0.0.0-testtag against this branch and confirm thereleasejob assembles the zip, publishes it, and attaches a provenance attestation visible under the run's Attestations tab.gh attestation verify Charon-v0.0.0-test-x86.zip --repo blizzhackers/Charonon the produced asset.sha256sum -c SHA256SUMS.txtpasses inside the unzipped bundle.Game.exe -loaddll Charon.dll, sanity-check load.