ci: add preliminary windows codesigning via signpath

.github/workflows/release.yml

@@ -117,6 +117,30 @@ jobs:
         if: matrix.os == 'ubuntu-latest'
         run: cross build --release --locked --target ${{ matrix.target }}
 
+      - name: Sign | Upload executable [Windows]
+        continue-on-error: true
+        if: matrix.os == 'windows-latest'
+        uses: actions/upload-artifact@v4
+        with:
+          name: unsigned-${{ matrix.name }}-exe
+          path: target/${{ matrix.target }}/release/starship.exe
+
+      - name: Sign | Sign executable [Windows]
+        continue-on-error: true
+        if: matrix.os == 'windows-latest'
+        uses: signpath/github-action-submit-signing-request@v0.3
+        with:
+          api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
+          organization-id: '${{ vars.SIGNPATH_ORGANIZATION_ID }}'
+          project-slug: 'starship'
+          signing-policy-slug: 'test-signing'
+          github-artifact-name: 'unsigned-${{ matrix.name }}-exe'
+          wait-for-completion: false
+          # TODO use release-signing certificate:
+          # signing-policy-slug: 'release-signing'
+          # wait-for-completion: true
+          # output-artifact-directory: 'target/${{ matrix.target }}/release'
+
       - name: Build | Installer [Windows]
         continue-on-error: true
         if: matrix.os == 'windows-latest' && matrix.target != 'aarch64-pc-windows-msvc'
@@ -153,6 +177,30 @@ jobs:
           name: starship-${{ matrix.target }}.msi
           path: target/wix/starship-${{ matrix.target }}.msi
 
+      - name: Sign | Installer [Windows]
+        continue-on-error: true
+        if: matrix.os == 'windows-latest' && matrix.target != 'aarch64-pc-windows-msvc'
+        uses: signpath/github-action-submit-signing-request@v0.3
+        with:
+          api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
+          organization-id: '${{ vars.SIGNPATH_ORGANIZATION_ID }}'
+          project-slug: 'starship'
+          signing-policy-slug: 'test-signing'
+          github-artifact-name: 'starship-${{ matrix.target }}.msi'
+          wait-for-completion: false
+          # TODO:
+          # signing-policy-slug: 'release-signing'
+          # wait-for-completion: true
+          # output-artifact-directory: 'target/wix'
+
+      # - name: Release | Re-upload signed installer artifacts [Windows]
+      #   continue-on-error: true
+      #   if: matrix.os == 'windows-latest' && matrix.target != 'aarch64-pc-windows-msvc'
+      #   uses: actions/upload-artifact@v4
+      #   with:
+      #     overwrite: true
+      #     name: starship-${{ matrix.target }}.msi
+      #     path: target/wix/starship-${{ matrix.target }}.msi
   # Notarize starship binaries for MacOS and build notarized pkg installers
   notarize_and_pkgbuild:
     runs-on: macos-latest

.github/workflows/workflow.yml

@@ -219,6 +219,26 @@ jobs:
         env:
           STARSHIP_VERSION: v1.2.3
 
+      - name: Sign | Upload Executable [Windows]
+        uses: actions/upload-artifact@v4
+        continue-on-error: true
+        if: matrix.os == 'windows-latest' && matrix.rust == 'stable' && github.event_name == 'push'
+        with:
+          name: windows-executable
+          path: target/debug/starship.exe
+
+      - name: Sign | Sign Executable [Windows]
+        uses: signpath/github-action-submit-signing-request@v0.3
+        continue-on-error: true
+        if: matrix.os == 'windows-latest' && matrix.rust == 'stable' && github.event_name == 'push'
+        with:
+          api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
+          organization-id: '${{ vars.SIGNPATH_ORGANIZATION_ID }}'
+          project-slug: 'starship'
+          github-artifact-name: 'windows-executable'
+          signing-policy-slug: 'test-signing'
+          wait-for-completion: false
+
       - name: Upload coverage to Codecov
         uses: codecov/codecov-action@v4
         if: github.repository == 'starship/starship'

README.md

@@ -433,6 +433,8 @@ Please check out these previous works that helped inspire the creation of starsh
 
 Support this project by [becoming a sponsor](https://github.com/sponsors/starship). Your name or logo will show up here with a link to your website.
 
+- Free code signing provided by [SignPath.io], certificate by [SignPath Foundation]
+
 <p align="center">
     <br>
     <img width="100" src="https://raw.githubusercontent.com/starship/starship/master/media/icon.png" alt="Starship rocket icon">
@@ -458,6 +460,8 @@ This project is [ISC](https://github.com/starship/starship/blob/master/LICENSE)
 [OSS]: https://software.opensuse.org/package/starship
 [pkgsrc]: https://pkgsrc.se/shells/starship
 [scoop]: https://github.com/ScoopInstaller/Main/blob/master/bucket/starship.json
+[SignPath Foundation]: https://signpath.org
+[SignPath.io]: https://signpath.io
 [termux]: https://github.com/termux/termux-packages/tree/master/packages/starship
 [void linux packages]: https://github.com/void-linux/void-packages/tree/master/srcpkgs/starship
 [winget]: https://github.com/microsoft/winget-pkgs/tree/master/manifests/s/Starship/Starship