Skip to content

ci(release): silence Windows build warnings (digicert inputs + pin runner)#131

Merged
Nic-dorman merged 1 commit into
mainfrom
ci/fix-windows-release-warnings
May 19, 2026
Merged

ci(release): silence Windows build warnings (digicert inputs + pin runner)#131
Nic-dorman merged 1 commit into
mainfrom
ci/fix-windows-release-warnings

Conversation

@Nic-dorman
Copy link
Copy Markdown
Contributor

@Nic-dorman Nic-dorman commented May 18, 2026

Summary

Two unrelated annotations fire on every release build's Windows job. This PR addresses both.

1. Drop unsupported digicert/ssm-code-signing inputs

Warning observed on v0.8.0-rc.1 build:

Unexpected input(s) 'sm_host', 'sm_api_key', 'sm_client_cert_b64', 'sm_client_cert_password', valid inputs are ['force-download-tools']

Confirmed against the action's action.yml: the only valid input is force-download-tools. The action reads everything else from env vars (SM_HOST, SM_API_KEY, SM_CLIENT_CERT_FILE, SM_CLIENT_CERT_PASSWORD), all of which we already set — three at job scope, SM_CLIENT_CERT_FILE via the preceding create client certificate file step. The with: block was a no-op.

Also dropped the now-dead id: prepare_cert and sm_client_cert_b64 step output that only existed to feed the with: block.

2. Pin Windows runner to windows-2022

Notice observed on v0.8.0-rc.1 build:

NOTICE: windows-latest requests are being redirected to windows-2025-vs2026 by June 15, 2026

Pin to windows-2022 so the auto-migration to a VS2026-based image can't surprise a release mid-flight. VS2026 may affect smctl signing, Tauri MSI bundling, or any of the bash-shell glue we run on the Windows job — none of which we want to debug under tag-push pressure. A separate PR can validate windows-2025 on its own merits ahead of the eventual VS2022 EOL.

What's not fixed by this PR

digicert/ssm-code-signing@v1.2.1's action.yml declares using: "node20", so the Node 20 deprecation annotation will continue to fire on the Windows job until the maintainer cuts a Node 24 release. That's upstream, not actionable here.

Test plan

  • Watch the next release build — "Unexpected input(s)" warning should be gone from the setup DigiCert SSM tools step.
  • Confirm smctl healthcheck still passes (i.e. the env-var-only flow works as expected).
  • Confirm MSI Authenticode signature verifies (verify MSI signature step still passes).
  • Confirm the Windows runner is reported as Windows Server 2022 in the job log header.
  • windows-latest redirect NOTICE should no longer appear on the Windows job.

🤖 Generated with Claude Code

@Nic-dorman @claude
ci(release): silence Windows build warnings
bda1185 
Two unrelated annotations that fire on every release build's Windows job:

1. `digicert/ssm-code-signing@v1.2.1` only accepts `force-download-tools`
   as an input (confirmed against the action's action.yml). All credentials
   are read from env vars — SM_HOST / SM_API_KEY / SM_CLIENT_CERT_PASSWORD
   are already set at job scope, and SM_CLIENT_CERT_FILE is exported by the
   preceding step. The `with:` block was a no-op that produced an
   "Unexpected input(s)" warning. Drop it, along with the now-dead
   step output and id used to feed it.

2. `windows-latest` will auto-migrate to a VS2026-based image on
   2026-06-15. Pin to `windows-2022` so the cutover can't surprise a
   release mid-flight. A separate PR can validate `windows-2025` ahead
   of the eventual VS2022 EOL.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@Nic-dorman Nic-dorman merged commit 69e519b into main May 19, 2026
4 checks passed
@Nic-dorman Nic-dorman deleted the ci/fix-windows-release-warnings branch May 19, 2026 09:04
@Nic-dorman Nic-dorman mentioned this pull request May 21, 2026
Merged
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Nic-dorman