Added manual signing for Windows binaries

WiP - A new GitHub workflow has been added to manually sign Windows binaries. This workflow is triggered on a dispatch event and requires the input of a build run number.
2024-10-02 18:54:57 +01:00 · 2024-10-02 18:54:57 +01:00 · 85dc3ea882
parent 03a08c05b5
commit 85dc3ea882
1 changed files with 75 additions and 0 deletions
--- a/.github/workflows/sign.yml
+++ b/.github/workflows/sign.yml
@ -0,0 +1,75 @@
+name: Manually Sign Windows Binaries
+
+on:
+  workflow_dispatch:
+    inputs:
+        build_run_number:
+          description: 'GitHub Run Number (per build_viewer.yml workflow)'
+          required: true
+        policy:
+            description: 'Policy to sign binaries'
+            required: true
+            type: choice
+            default: "Test"
+            options:
+            - "Test"
+            - "Release"
+        # viewer_version:
+        #   description: 'viewer version not including build'
+        #   required: true
+        #   default: '7.1.10'
+        # viewer_build:
+        #   description: 'build id'
+        #   required: true
+        #   default: '799999'
+        # viewer_release_type:
+        #   description: 'release type'
+        #   required: true
+        #   default: 'Release'
+        # branch:
+        #   description: 'Branch to deploy from'
+        #   required: false
+        #   default: 'master'
+
+jobs:
+  download-and-sign:
+    runs-on: ubuntu-latest
+    permissions:
+        actions: read
+        contents: read
+    steps:
+        
+    - name: Download Build Artifacts
+      uses: dawidd6/action-download-artifact@v6
+      id: download
+      with:
+        workflow: build_viewer.yml
+        run_number: ${{ github.event.inputs.build_run_number  }}
+        name: "windows"
+        path: to_sign
+            
+    - name: Upload unsigned artifact
+      uses: actions/upload-artifact@v2
+      with:
+        name: unsigned-artifact
+        path: ./to_sign
+
+    - name: sign
+      uses: signpath/github-action-submit-signing-request@v1
+      env:
+        SIGNPATH_SIGNING_POLICY_SLUG: ${{ github.event.inputs.policy == 'Test' && vars.SIGNPATH_SIGNING_POLICY_SLUG_TEST || vars.SIGNPATH_SIGNING_POLICY_SLUG_RELEASE }}
+
+      with:
+        api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
+        organization-id: '${{ vars.SIGNPATH_ORGANIZATION_ID }}'
+        project-slug: '${{ vars.SIGNPATH_PROJECT_SLUG }}'
+        signing-policy-slug:  '${{ env.SIGNPATH_SIGNING_POLICY_SLUG }}'
+        github-artifact-id:  "${{steps.upload-unsigned-artifact.outputs.artifact-id}}"
+        wait-for-completion: true
+        output-artifact-directory: 'application-signed'
+
+    - name: Upload signed artifact
+      uses: actions/upload-artifact@v4
+      with:
+        name: signed-artifact
+        path: ./application-signed