wangxuming/NianToB
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ci: skip Windows SignPath code signing for alpha/beta prereleases

Browse Source
This commit is contained in:
paisley
2026-03-17 19:02:06 +08:00
parent 1c1bf03877
commit 871459c475
1 changed files with 24 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
.github/workflows/release.yml vendored
View File

@@ -83,8 +83,27 @@ jobs:
if: matrix.platform == 'win' if: matrix.platform == 'win'
run: pnpm run package:win run: pnpm run package:win
- name: Validate unsigned Windows artifacts before SignPath # Detect release channel from tag to skip code signing for alpha/beta builds
- name: Detect Windows release channel
if: matrix.platform == 'win' if: matrix.platform == 'win'
id: win-channel
shell: bash
run: |
if [[ "${{ github.ref }}" == refs/tags/v* ]]; then
TAG="${GITHUB_REF#refs/tags/v}"
else
TAG="${{ github.event.inputs.version }}"
fi
if [[ "$TAG" =~ (alpha|beta) ]]; then
echo "is_stable=false" >> $GITHUB_OUTPUT
echo "Channel: prerelease ($TAG) — skipping code signing"
else
echo "is_stable=true" >> $GITHUB_OUTPUT
echo "Channel: stable ($TAG) — will sign"
fi
- name: Validate unsigned Windows artifacts before SignPath
if: matrix.platform == 'win' && steps.win-channel.outputs.is_stable == 'true'
shell: pwsh shell: pwsh
run: | run: |
$unsignedExeFiles = Get-ChildItem -Path "release" -Filter *.exe -File $unsignedExeFiles = Get-ChildItem -Path "release" -Filter *.exe -File
@@ -97,7 +116,7 @@ jobs:
$unsignedExeFiles | ForEach-Object { Write-Host " - $($_.Name)" } $unsignedExeFiles | ForEach-Object { Write-Host " - $($_.Name)" }
- name: Upload unsigned Windows artifacts for SignPath - name: Upload unsigned Windows artifacts for SignPath
if: matrix.platform == 'win' if: matrix.platform == 'win' && steps.win-channel.outputs.is_stable == 'true'
id: upload-unsigned-windows-artifact id: upload-unsigned-windows-artifact
uses: actions/upload-artifact@v4 uses: actions/upload-artifact@v4
with: with:
@@ -106,7 +125,7 @@ jobs:
retention-days: 1 retention-days: 1
- name: Sign Windows artifacts via SignPath - name: Sign Windows artifacts via SignPath
if: matrix.platform == 'win' if: matrix.platform == 'win' && steps.win-channel.outputs.is_stable == 'true'
id: signpath-sign-windows id: signpath-sign-windows
uses: signpath/github-action-submit-signing-request@v2 uses: signpath/github-action-submit-signing-request@v2
with: with:
@@ -119,7 +138,7 @@ jobs:
output-artifact-directory: release/signed output-artifact-directory: release/signed
- name: Replace unsigned executables with signed ones - name: Replace unsigned executables with signed ones
if: matrix.platform == 'win' if: matrix.platform == 'win' && steps.win-channel.outputs.is_stable == 'true'
shell: pwsh shell: pwsh
run: | run: |
Write-Host "SignPath GitHub artifact ID: ${{ steps.upload-unsigned-windows-artifact.outputs.artifact-id }}" Write-Host "SignPath GitHub artifact ID: ${{ steps.upload-unsigned-windows-artifact.outputs.artifact-id }}"
@@ -154,7 +173,7 @@ jobs:
# sha512: <base64> # sha512: <base64>
# releaseDate: '...' # releaseDate: '...'
- name: Update latest.yml sha512 after code signing - name: Update latest.yml sha512 after code signing
if: matrix.platform == 'win' if: matrix.platform == 'win' && steps.win-channel.outputs.is_stable == 'true'
shell: pwsh shell: pwsh
run: | run: |
$ymlFiles = Get-ChildItem -Path "release" -Filter "*.yml" -File | Where-Object { $_.Name -ne "builder-debug.yml" } $ymlFiles = Get-ChildItem -Path "release" -Filter "*.yml" -File | Where-Object { $_.Name -ne "builder-debug.yml" }