ci: add Windows Authenticode signing to release pipeline#244
Open
Theosakamg wants to merge 1 commit into
Open
Conversation
- Extract macOS sign+notarize logic into composite action sign-macos - Add Windows Authenticode signing via composite action sign-windows - sign-windows: uses osslsigncode on ubuntu-latest (no Windows runner needed), signs with SHA-256 + DigiCert RFC 3161 timestamp, verifies in-place - sign-macos: extracts existing rcodesign install/sign/notarize/verify steps - release.yml: replace ~100 inline signing lines with two 'uses:' calls - Signing is gated on semver tags only; PRs cross-compile unsigned New secrets required (GitHub → Settings → Secrets): WINDOWS_CERTIFICATE (base64-encoded .pfx) WINDOWS_CERTIFICATE_PASSWORD
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Add Windows Authenticode code signing to the release pipeline. Binaries are signed on
ubuntu-latestusingosslsigncode(Linux-native Authenticode signer), mirroring the existing macOSrcodesignpattern. The inline signing logic (macOS + Windows) is extracted into two reusable composite actions to keeprelease.ymlmaintainable.Type of Change
Related Issues
< Link every issue this PR closes or relates to. -->
Closes #
Changes
New composite actions
.github/actions/sign-windows/action.yml— installsosslsigncodevia APT, signs the.exewith SHA-256 + DigiCert RFC 3161 timestamp, verifies the signature in-place.github/actions/sign-macos/action.yml— extracts the existingrcodesigninstall / sign / notarize / verify stepsModified
.github/workflows/release.yml— replaces ~100 lines of inline signing with twouses:calls; signing is gated on semver tags onlyNew GitHub secrets required (manual step)
WINDOWS_CERTIFICATEbase64 -w 0 cert.pfxWINDOWS_CERTIFICATE_PASSWORD.pfxChecklist
make lintpasses —gofmtformatting +go vetcleanmake buildpasses on Linux and macOSmake test-cipasses — unit tests with race detectormake coverage-cirun (if this PR adds or changes covered code)slog.Debug/slog.DebugContextcall