feat: add Windows signing process in desktop release workflow

- Added permissions for id-token to enable Windows signing. - Implemented logic to detect Windows signing eligibility based on production v* tags. - Integrated Azure login step for Windows signing if eligible. - Updated packaging command to include Windows signing options when applicable.
2026-04-25 00:36:31 +02:00 · 2026-04-20 23:14:59 -07:00 · 2026-04-20 23:14:59 -07:00 · 2703fd4ebe
commit 2703fd4ebe
parent 1919150523
1 changed files with 44 additions and 1 deletions
--- a/.github/workflows/desktop-release.yml
+++ b/.github/workflows/desktop-release.yml
@ -22,6 +22,7 @@ on:

 permissions:
  contents: write
+  id-token: write

 jobs:
  build:
@ -58,6 +59,30 @@ jobs:
          fi
          echo "VERSION=$VERSION" >> "$GITHUB_OUTPUT"

+      - name: Detect Windows signing eligibility
+        id: sign
+        shell: bash
+        run: |
+          # Sign Windows builds only on production v* tags (not beta-v*, not workflow_dispatch).
+          # This matches the single OIDC federated credential configured in Entra ID.
+          if [ "${{ matrix.os }}" = "windows-latest" ] \
+            && [ "${{ github.event_name }}" = "push" ] \
+            && [[ "$GITHUB_REF" == refs/tags/v* ]]; then
+            echo "enabled=true" >> "$GITHUB_OUTPUT"
+            echo "Windows signing: ENABLED (v* tag on windows-latest)"
+          else
+            echo "enabled=false" >> "$GITHUB_OUTPUT"
+            echo "Windows signing: skipped"
+          fi
+
+      - name: Azure login (for Windows signing)
+        if: steps.sign.outputs.enabled == 'true'
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
      - name: Setup pnpm
        uses: pnpm/action-setup@v5

@ -98,7 +123,25 @@ jobs:

      - name: Package & Publish
        shell: bash
-        run: pnpm exec electron-builder ${{ matrix.platform }} --config electron-builder.yml --publish ${{ inputs.publish || 'always' }} -c.extraMetadata.version=${{ steps.version.outputs.VERSION }}
+        run: |
+          CMD=(pnpm exec electron-builder ${{ matrix.platform }} \
+            --config electron-builder.yml \
+            --publish "${{ inputs.publish || 'always' }}" \
+            -c.extraMetadata.version="${{ steps.version.outputs.VERSION }}")
+
+          if [ "${{ steps.sign.outputs.enabled }}" = "true" ]; then
+            CMD+=(-c.win.publisherName="$WINDOWS_PUBLISHER_NAME")
+            CMD+=(-c.win.azureSignOptions.publisherName="$WINDOWS_PUBLISHER_NAME")
+            CMD+=(-c.win.azureSignOptions.endpoint="$AZURE_CODESIGN_ENDPOINT")
+            CMD+=(-c.win.azureSignOptions.codeSigningAccountName="$AZURE_CODESIGN_ACCOUNT")
+            CMD+=(-c.win.azureSignOptions.certificateProfileName="$AZURE_CODESIGN_PROFILE")
+          fi
+
+          "${CMD[@]}"
        working-directory: surfsense_desktop
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          WINDOWS_PUBLISHER_NAME: ${{ vars.WINDOWS_PUBLISHER_NAME }}
+          AZURE_CODESIGN_ENDPOINT: ${{ vars.AZURE_CODESIGN_ENDPOINT }}
+          AZURE_CODESIGN_ACCOUNT: ${{ vars.AZURE_CODESIGN_ACCOUNT }}
+          AZURE_CODESIGN_PROFILE: ${{ vars.AZURE_CODESIGN_PROFILE }}