phoenix-firestorm/.github/workflows/sign.yml

name: Manually Sign Windows Binaries

on:
  workflow_dispatch:
    inputs:
        build_run_number:
          description: 'GitHub Run Number (per build_viewer.yml workflow)'
          required: true
        # policy:
        #     description: 'Policy to sign binaries'
        #     required: true
        #     type: choice
        #     default: "Test"
        #     options:
        #     - "Test"
        #     - "Release"
        # viewer_version:
        #   description: 'viewer version not including build'
        #   required: true
        #   default: '7.1.10'
        # viewer_build:
        #   description: 'build id'
        #   required: true
        #   default: '799999'
        # viewer_release_type:
        #   description: 'release type'
        #   required: true
        #   default: 'Release'
        # branch:
        #   description: 'Branch to deploy from'
        #   required: false
        #   default: 'master'

jobs:
  find-setup-files:
    runs-on: windows-latest
    permissions:
        actions: read
        contents: read
    outputs:
        setup_files: ${{ steps.get-files.outputs.setup_files }}
    steps:        
      - name: Download Build Artifacts
        uses: dawidd6/action-download-artifact@v9
        id: download
        with:
            workflow: build_viewer.yml
            run_number: ${{ github.event.inputs.build_run_number  }}
            name: .*windows.*
            name_is_regexp: true
            path: artifacts
      - name: Get List of Setup.exe Files
        id: get-files
        shell: bash
        run: |
            mkdir -p setup_exe_files
            files=$(find artifacts -type f -name '*Setup.exe')
            for file in $files; do
                basename=$(basename "$file")
                cp "$file" "setup_exe_files/$basename"
            done            
            files_json=$(ls setup_exe_files | jq -R . | jq -s -c .)
            echo "setup_files=$files_json" >> $GITHUB_OUTPUT            
      - name: Upload Setup.exe Files
        uses: actions/upload-artifact@v4
        with:
          name: setup-exe-files
          path: setup_exe_files/
  sign-and-upload:
    name: Sign and Upload each Setup.exe
    needs: find-setup-files
    runs-on: windows-latest
    strategy:
      matrix:
        file: ${{ fromJson( needs.find-setup-files.outputs.setup_files) }}
    permissions:
        actions: read
        contents: read
    steps:
      - name: List Available Artifacts
        run: |
          echo "Available artifacts:"
          curl -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
            -H "Accept: application/vnd.github.v3+json" \
            https://api.github.com/repos/${{ github.repository }}/actions/runs/${{ github.run_id }}/artifacts          
        shell: bash
      
      - name: Download Setup.exe Files Artifact
        uses: actions/download-artifact@v4
        with:
          name: setup-exe-files
          path: setup_exe_files
      - name: Prepare File for Signing
        run: |
          mkdir -p to_sign
          cp "setup_exe_files/${{ matrix.file }}" to_sign/          
        shell: bash
      # - name: Upload unsigned artifact
      #   id: upload-unsigned-artifact
      #   uses: actions/upload-artifact@v4
      #   with:
      #     name: unsigned-artifact-${{ matrix.file }}
      #     path: to_sign/${{ matrix.file }}          

      # - name: sign the file
        # uses: signpath/github-action-submit-signing-request@v1
        # env:
        #     SIGNPATH_SIGNING_POLICY_SLUG: ${{ github.event.inputs.policy == 'Test' && vars.SIGNPATH_SIGNING_POLICY_SLUG_TEST || vars.SIGNPATH_SIGNING_POLICY_SLUG_RELEASE }}
        # with:
        #   api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
        #   organization-id: '${{ vars.SIGNPATH_ORGANIZATION_ID }}'
        #   project-slug: '${{ vars.SIGNPATH_PROJECT_SLUG }}'
        #   signing-policy-slug:  '${{ env.SIGNPATH_SIGNING_POLICY_SLUG }}'
        #   github-artifact-id:  "${{steps.upload-unsigned-artifact.outputs.artifact-id}}"
        #   wait-for-completion: true
        #   output-artifact-directory: 'application-signed'
      - name: Azure Trusted Signing
        uses: azure/trusted-signing-action@v0.5.1
        with:
          azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
          azure-client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
          endpoint: ${{ secrets.AZURE_ENDPOINT }}
          trusted-signing-account-name: ${{ secrets.AZURE_CODE_SIGNING_NAME }}
          certificate-profile-name: ${{ secrets.AZURE_CERT_PROFILE_NAME }}
        
          # Sign all exes inside the folder
          files-folder: ${{ github.workspace }}\to_sign
          files-folder-filter: exe
          
      # - name: Upload signed artifact
      #   uses: actions/upload-artifact@v4
      #   with:
      #     name: signed-artifact-${{ matrix.file }}
      #     path: ./application-signed
            # - name: Upload unsigned artifact
      - name: Upload signed artifact
        id: upload-unsigned-artifact
        uses: actions/upload-artifact@v4
        with:
          name: unsigned-artifact-${{ matrix.file }}
          path: to_sign\${{ matrix.file }}