add MSI Windows installer support#45

Merged: gontzess merged 4 commits into main from msi-release-workflow on Mar 3, 2026

Conversation

@gontzess (Contributor) commented Jan 28, 2026

Summary

Stage 1 implementation of MSI Windows Installer support for connector releases:

  • New goreleaser-windows job - Runs on Windows runner with WiX Toolset
    • Builds both .zip and .msi from the same Windows binary
    • Native Windows build (not cross-compiled)
    • Deterministic UUID v5 UpgradeCode from repository name
    • Supports custom WXS templates via msi_wxs_path input
    • Conditional via msi boolean input (default true)
    • Cosign signatures, SBOM, and provenance attestations for all Windows artifacts
  • New templates:
    • .wxs-default-template.wxs - Default WXS for CLI installers (WiX-compatible version format)
    • .goreleaser-windows-template.yaml.tmpl - Windows zip + MSI GoReleaser config
  • Updated goreleaser-binaries - Now Linux + macOS only (Windows moved to dedicated job)
  • Unified checksums - Single checksums file containing all platforms, with correct manifest hash
  • Updated merge-manifests - Added -windows-manifest flag to include Windows assets
  • New generate-windows-manifest - Go tool using protobuf types for type-safe Windows manifest generation with signatureHref, certificateHref, and attestation support
  • New inputs/secrets:
    • msi boolean input (default true) to opt out of MSI builds
    • msi_wxs_path input for custom WXS templates (with path traversal validation)
    • GORELEASER_PRO_KEY secret (required only when msi: true)
  • Security hardening:
    • Path traversal validation on msi_wxs_path input
    • Heredoc output format for manifest outputs
    • Randomized heredoc delimiter for checksums
    • Defense-in-depth path validation in Go manifest tool
    • Stale checksums hash fix (re-compute after unification)

Test plan

  • Tested with baton-runner releases v0.1.12-test.6 through v0.1.12-test.14
  • Tested with baton-github-test v0.1.119-test.1
  • Verified manifest includes all 7 assets (checksums, 4 binaries, windows zip, windows msi)
  • Verified unified checksums file contains all platforms
  • Verified checksums hash in manifest matches actual file
  • Verified MSI attestations (sig, cert, SBOM, provenance) with cosign
  • Verified manifest signature with cosign
  • Verified MSI installer runs successfully on actual Windows machine (baton-github-test v0.1.119-test.2, verified install/run/uninstall)
[Image: Screenshot 2026-03-03 at 11 58 07]

Test manifests:

Follow-up items

  • Add signatureHref/certificateHref/attestations to Windows manifest generation
  • Go-based manifest generation for type safety (cmd/generate-windows-manifest)
  • Add MSI option to registry UI (ConnectorReleases PR #1337 merged)
  • Stage 2: Azure Trusted Signing integration (blocked on IT)
  • SHA-pin all third-party actions (separate PR)
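As an added illustration of two items in the summary above (the deterministic UUID v5 UpgradeCode and the path traversal check on msi_wxs_path), here is example Go code that is not part of this PR or the project; the RFC 4122 DNS namespace used for the UUID, the checkout root passed as `root`, and the function names are assumptions.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Assumed namespace: the RFC 4122 DNS namespace UUID. The workflow's actual
// namespace is not shown in the PR; any fixed namespace gives the same stability.
var nsDNS = [16]byte{0x6b, 0xa7, 0xb8, 0x10, 0x9d, 0xad, 0x11, 0xd1, 0x80, 0xb4, 0x00, 0xc0, 0x4f, 0xd4, 0x30, 0xc8}

// UpgradeCode derives a UUID v5 (SHA-1 over namespace+name, RFC 4122) from the
// repository name, so every release of one connector shares the same WiX
// UpgradeCode and Windows Installer treats a new version as an upgrade.
func UpgradeCode(repo string) string {
	h := sha1.New()
	h.Write(nsDNS[:])
	h.Write([]byte(repo))
	sum := h.Sum(nil)[:16]
	sum[6] = (sum[6] & 0x0f) | 0x50 // version nibble = 5
	sum[8] = (sum[8] & 0x3f) | 0x80 // RFC 4122 variant bits = 10
	s := hex.EncodeToString(sum)
	return fmt.Sprintf("%s-%s-%s-%s-%s", s[0:8], s[8:12], s[12:16], s[16:20], s[20:])
}

// ValidateWxsPath mirrors the msi_wxs_path traversal check: the input must be a
// non-empty relative path that, once cleaned, still resolves inside root.
func ValidateWxsPath(root, p string) (string, error) {
	if p == "" || filepath.IsAbs(p) || strings.ContainsRune(p, 0) {
		return "", errors.New("msi_wxs_path must be a non-empty relative path")
	}
	clean := filepath.Clean(p)
	for _, part := range strings.Split(clean, string(filepath.Separator)) {
		if part == ".." {
			return "", errors.New("msi_wxs_path must not contain '..'")
		}
	}
	full := filepath.Join(root, clean)
	if rel, err := filepath.Rel(root, full); err != nil || strings.HasPrefix(rel, "..") {
		return "", errors.New("msi_wxs_path escapes the checkout root")
	}
	return full, nil
}
```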

@coderabbitai (Bot) commented Jan 28, 2026

Important: review was skipped due to path filters.

⛔ Files ignored due to path filters (11)
  • .github/workflows/release.yaml is excluded by none and included by none
  • README.md is excluded by none and included by none
  • cmd/generate-windows-manifest/main.go is excluded by none and included by none
  • cmd/merge-manifests/main.go is excluded by none and included by none
  • docs/diagrams/release-workflow.dot is excluded by !**/*.dot and included by none
  • docs/diagrams/release-workflow.png is excluded by !**/*.png and included by none
  • docs/release-workflow.md is excluded by none and included by none
  • scripts/validate-release-artifacts.sh is excluded by none and included by none
  • templates/.goreleaser-binaries-template.yaml.tmpl is excluded by none and included by none
  • templates/.goreleaser-windows-template.yaml.tmpl is excluded by none and included by none
  • templates/.wxs-default-template.wxs is excluded by none and included by none


@gontzess gontzess force-pushed the msi-release-workflow branch 6 times, most recently from cd9e771 to 325aedb Compare January 28, 2026 03:18
@gontzess gontzess changed the title feat: add MSI Windows installer support add MSI Windows installer support Jan 28, 2026
@gontzess gontzess force-pushed the msi-release-workflow branch from c32daf4 to 347d278 Compare January 28, 2026 14:51
@gontzess gontzess requested review from ggreer and kans January 28, 2026 14:52
@gontzess gontzess force-pushed the msi-release-workflow branch 2 times, most recently from 58a57e6 to 0c4f89f Compare January 28, 2026 22:00
required: true
DATADOG_API_KEY:
required: true
GORELEASER_PRO_KEY:
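Review bot: if GORELEASER_PRO_KEY is declared `required: true` like DATADOG_API_KEY directly above it, every caller of the workflow must provision a GoReleaser Pro key even when no MSI is built; declare it `required: false` and have the goreleaser-windows job fail with an explicit message when the msi input is true and the secret is empty, so a missing key is caught before the Windows runner starts.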
Collaborator commented:

Do we ever want a build without a MSI?

Collaborator commented:

Probably.

Contributor Author commented:

ok cool we can make it optional but default to building with an MSI

os.Exit(1)
}

baseURL := fmt.Sprintf("%s/%s", cdnBaseURL, s3Dir)
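Review bot: `baseURL` interpolates `s3Dir` straight into the CDN URL with no local check, so this tool is only as safe as the tag validation done elsewhere in the workflow; add a defensive check before the `fmt.Sprintf` that rejects an empty `s3Dir` or one containing `/`, `\`, or a `..` path component, and exit non-zero with a clear message, so the tool stays correct if the upstream regex ever changes.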
@kans (Collaborator) commented Jan 29, 2026:

I wonder if someone could add ~ "../../okta" to a tag to get a build into the wrong bucket.

Contributor Author commented:

The tag is already validated by strict semver regex at line 76 in the release.yaml file. The character class [0-9a-zA-Z-] doesn't allow / or . in positions that could form .., so ../../okta is impossible as a tag.

But we can add another check here to be safe, in case that other file ever gets changed.

@gontzess gontzess force-pushed the msi-release-workflow branch 2 times, most recently from 243c1be to 6294e64 Compare January 29, 2026 19:09
gontzess added 2 commits March 3, 2026 10:37
Build MSI installers for Windows using GoReleaser Pro and WiX Toolset:

- Add goreleaser-windows job that runs on Windows runner
- Generate MSI with deterministic UpgradeCode (UUID v5 from repo name)
- Support custom WXS templates via msi_wxs_path input
- Include default WXS template for simple CLI installers
- Full attestation coverage: sig, cert, SBOM, provenance for MSI
- Flatten MSI directory structure to match binaries job pattern
- Go-based manifest generation for type safety

Tested with baton-runner (custom WXS) and baton-github-test (default WXS).

- Add `msi` boolean input (default true) for opt-out
- Make GORELEASER_PRO_KEY optional, validated when msi=true
- Add msi_wxs_path path traversal validation
- Fix stale checksums hash: re-compute and re-sign manifest
  after unified checksums file is created
- Switch windows_manifest output to heredoc format
- Use randomized heredoc delimiter for checksums output
- Add path traversal check in generate-windows-manifest tool
- Pin GoReleaser to ~> v2.13 consistently across all jobs
- Remove -Recurse from S3 uploads (artifacts already flattened)
- Handle skipped goreleaser-windows in record-connector-registry
- Update README and docs with msi parameter and validations
@gontzess gontzess force-pushed the msi-release-workflow branch from 6294e64 to e8e4bc2 Compare March 3, 2026 16:19
gontzess added 2 commits March 3, 2026 11:49
Install verified on Windows runner (baton-github-test v0.1.119-test.2):
- Installs to C:\Program Files\ConductorOne\<name>
- Binary executes correctly
- Clean uninstall removes directory
@gontzess gontzess merged commit 44aa752 into main Mar 3, 2026
2 checks passed
@gontzess gontzess deleted the msi-release-workflow branch March 3, 2026 17:18