Require code signing for releases; bump setup-msbuild to v3 #355
Merged
The signing step previously degraded to unsigned binaries when
SIGNPATH_API_TOKEN was absent, only emitting a ::warning::. Two problems:
- A genuinely missing/broken token would silently ship unsigned binaries
and the release would still succeed — discovered only via user SmartScreen
reports.
- Because GitHub echoes the full run: script into the log, the literal
"releasing unsigned binaries" text appears in every run's log regardless
of which branch executes, making `grep`-ing the log for signing status
misleading (the warning never actually fired on signed releases).
Make signing required instead: if the token is missing the job fails loudly
(::error:: + exit 1). The Upload/Sign/Replace steps now run unconditionally
(this workflow only fires on maintainer dev->main release merges, where the
secret is always available). Secret is read via env: rather than inline
${{ }} interpolation into the script.
Also bump microsoft/setup-msbuild@v2 -> @v3 to move off the deprecated
Node 20 runtime (v3 runs on Node 24).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
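
An added example, not code from this pull request: a minimal fail-closed gate of the kind the description above outlines, written as a POSIX shell function. It assumes the step passes the secret through `env:` as `SIGNPATH_API_TOKEN`; the function name `signing_gate` and the output key `signing_gate=passed` are hypothetical.

```shell
# Added example: fail-closed signing gate for a release job.
# Assumption: the workflow step maps the secret with
#   env:
#     SIGNPATH_API_TOKEN: ${{ secrets.SIGNPATH_API_TOKEN }}
# so the script body itself contains no inline ${{ }} expansion.

signing_gate() {
  # Strip whitespace so a blank or newline-only secret counts as missing.
  token="$(printf '%s' "${SIGNPATH_API_TOKEN:-}" | tr -d '[:space:]')"

  if [ -z "$token" ]; then
    # ::error:: is the Actions workflow command for an error annotation.
    # Returning non-zero fails the job instead of shipping unsigned output.
    echo "::error::SIGNPATH_API_TOKEN is not set; refusing to continue without signing"
    return 1
  fi

  # The runner echoes this whole script into the log, so any message text
  # above appears in every run. Record the outcome as a step output, which
  # is written only when this branch executes, and read that instead of
  # searching the log for a string.
  if [ -n "${GITHUB_OUTPUT:-}" ]; then
    echo "signing_gate=passed" >> "$GITHUB_OUTPUT"
  fi
  return 0
}

# In the workflow step, before Upload/Sign/Replace:
#   signing_gate || exit 1
```
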