feat: windows codesign with Azure trusted signing #7675
💡 Codex Review
Here are some automated review suggestions for this pull request.
| - if: ${{ contains(matrix.target, 'windows') }} | ||
| name: Sign Windows binaries with Azure Trusted Signing | ||
| uses: ./.github/actions/windows-code-sign | ||
| with: | ||
| target: ${{ matrix.target }} |
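Review bot: The `if:` on the first line of this step tests only `contains(matrix.target, 'windows')`, so nothing in the condition limits which events or refs have their output signed. Because the step passes the build output to the signing action, consider also requiring a trusted ref (for example a release tag or the default branch), so binaries built from unreviewed branches are not signed with the release identity.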
Gate Windows signing step on non-fork PRs
The new Windows signing step runs for every Windows matrix entry in PRs (conditional only on contains(matrix.target, 'windows')), yet the step immediately consumes repository secrets (AZURE_TRUSTED_SIGNING_*). Forked pull requests do not receive these secrets, so azure/login@v2 will fail before the build completes, breaking all forked PRs on Windows. Mirror the Linux signing guard (skip when github.event.pull_request.head.repo.fork is true) so contributors’ PRs continue to build.
|
|
||
| - if: ${{ contains(matrix.target, 'windows') }} | ||
| name: Sign Windows binaries with Azure Trusted Signing | ||
| uses: ./.github/actions/windows-code-sign |
@codex should I update the runners to not be @latest, given the runner requirement at https://github.com/Azure/trusted-signing-action for the trusted signing action?
Summary
- Pinned the Windows x86_64 build matrix entry to `windows-2022` to align with Azure Trusted Signing runner requirements.
- Skipped the Windows signing step on forked pull requests to avoid failing when secrets are unavailable.
Testing
⚠️ Not run (workflow change only)
Summary
Set up codesign for Windows dist with Azure Trusted Signing and its GitHub Action integration.