.github/workflows: Split build/sign into separate jobs

Environment Secrets don't get passed to fork workflows,
which breaks those workflows. Make sign a separate job
that only gets triggered by release to allow build job
to work for forked repos

See https://docs.github.com/en/actions/learn-github-actions/events-that-trigger-workflows#pull-request-events-for-forked-repositories
With the exception of GITHUB_TOKEN, secrets are not passed to the
runner when a workflow is triggered from a forked repository.

.github/workflows/build.yml

@@ -10,7 +10,6 @@ jobs:
   build:
     name: Build binaries
     runs-on: ubuntu-latest
-    environment: "Build, sign, release binaries"
     steps:
       - name: Install Go
         uses: actions/setup-go@v2
@@ -22,7 +21,6 @@ jobs:
           fetch-depth: 0
       - name: Build binaries
         run: |
-          sudo apt-get update && sudo apt-get install -y osslsigncode
           cp LICENSE "$RUNNER_TEMP/LICENSE"
           echo -e "\n---\n" >> "$RUNNER_TEMP/LICENSE"
           curl "https://golang.org/LICENSE?m=text" >> "$RUNNER_TEMP/LICENSE"
@@ -33,14 +31,6 @@ jobs:
             cp "$RUNNER_TEMP/LICENSE" "$DIR/age"
             go build -o "$DIR/age" -ldflags "-X main.Version=$VERSION" -trimpath ./cmd/...
             if [ "$GOOS" == "windows" ]; then
-              for exe in "$DIR"/age/*.exe; do
-                /usr/bin/osslsigncode sign -t "http://timestamp.comodoca.com" \
-                  -certs .github/workflows/certs/uitacllc.crt \
-                  -key .github/workflows/certs/uitacllc.key \
-                  -pass "${{ secrets.SIGN_PASS }}" \
-                  -n age -in "$exe" -out "$exe.signed"
-                mv "$exe.signed" "$exe"
-              done
               ( cd "$DIR"; zip age.zip -r age )
               mv "$DIR/age.zip" "age-$VERSION-$GOOS-$GOARCH.zip"
             else
@@ -60,10 +50,51 @@ jobs:
         with:
           name: age-binaries
           path: age-*
+  sign:
+    name: Sign Windows binaries
+    if: ${{ github.event_name == 'release' }}
+    needs: build
+    runs-on: ubuntu-latest
+    environment: "Build, sign, release binaries"
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      - name: Download workflow artifacts
+        uses: actions/download-artifact@v2
+        with:
+          name: age-binaries
+          path: age-binaries
+      - name: Sign binaries
+        run: |
+          sudo apt-get update && sudo apt-get install -y osslsigncode
+          VERSION="$(git describe --tags)"
+          cd age-binaries
+          DIR="$(mktemp -d)"
+          mkdir "$DIR/age"
+          for zip in *.zip; do
+            unzip "$zip" -d "$DIR"
+            for exe in "$DIR"/age/*.exe; do
+              /usr/bin/osslsigncode sign -t "http://timestamp.comodoca.com" \
+                -certs ../.github/workflows/certs/uitacllc.crt \
+                -key ../.github/workflows/certs/uitacllc.key \
+                -pass "${{ secrets.SIGN_PASS }}" \
+                -n age -in "$exe" -out "$exe.signed"
+              mv "$exe.signed" "$exe"
+            done
+            ( cd "$DIR"; zip age.zip -r age )
+            mv "$DIR/age.zip" "$zip"
+          done
+      - name: Upload workflow artifacts
+        uses: actions/upload-artifact@v2
+        with:
+          name: age-binaries
+          path: age-*
   upload:
     name: Upload release binaries
     if: ${{ github.event_name == 'release' }}
-    needs: build
+    needs: sign
     permissions:
       contents: write
     runs-on: ubuntu-latest