
SD - Windows app code signing (vibe-kanban)#4

Merged
mickmister merged 16 commits into dev from vk/2d05-sd-windows-app-c on Mar 23, 2026

Conversation

@mickmister (Member)

Implement Windows app code signing in the desktop app workflow/action in the ./songdrive-releases repo

Imports a PFX certificate into the Windows certificate store and sets
WINDOWS_CERTIFICATE_THUMBPRINT so Tauri's signtool integration signs
the installer. Secrets WINDOWS_CERTIFICATE and WINDOWS_CERTIFICATE_PASSWORD
are passed through from build_desktop_common.yml.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@mickmister changed the base branch from main to dev on February 20, 2026 08:24
@mickmister force-pushed the vk/2d05-sd-windows-app-c branch from 93ff60c to a4c41be on February 20, 2026 08:24
Vibe Kanban and others added 15 commits on February 20, 2026 08:26
Replaces the PFX certificate approach with Azure Trusted Signing via
trusted-signing-cli. Installs the CLI on Windows, passes Azure credentials
as env vars to the Tauri build step, and wires up 6 new secrets:
AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID,
AZURE_SIGNING_ENDPOINT, AZURE_SIGNING_ACCOUNT_NAME,
AZURE_SIGNING_CERT_PROFILE_NAME.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…file inputs

The signCommand in tauri.base.conf.json already has the endpoint, account,
and profile hardcoded. Only AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and
AZURE_TENANT_ID need to be passed via CI secrets.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replaces hardcoded values in tauri.base.conf.json with %ENV_VAR% placeholders,
passed through CI as AZURE_SIGNING_ENDPOINT, AZURE_SIGNING_ACCOUNT_NAME,
and AZURE_SIGNING_CERT_PROFILE_NAME secrets.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Sets Azure signing env vars via >> GITHUB_ENV in a dedicated step,
consistent with how Apple signing vars are handled for macOS.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…tibility

windows-latest removed the Windows SDK version that trusted-signing-cli
falls back to for signtool.exe. windows-11-arm has it available out of
the box and is also faster.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
… wildcard

Updates tauri_e2e.yml runner and conditionals, and simplifies
build_desktop_common.yml platform checks to use windows-* wildcard
only, removing the now-redundant windows-latest check.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…est_manifest

- Hardcode endpoint/account/profile in tauri.base.conf.json instead of
  using %ENV_VAR% placeholders which may not expand in Tauri's signCommand
- Remove azure_signing_endpoint/account_name/cert_profile_name inputs/secrets
- Set SIGNTOOL_PATH to known Windows SDK path so trusted-signing-cli can
  locate signtool.exe on windows-latest runners
- Switch runner back to windows-latest
- Disable publish_latest_manifest job for now

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…t.json

- sign_app=true now passes publish_version so extract/stage/manifest steps run
- Added publish_to_r2 input to gate S3 upload and Discord notification
- publish_to_r2 is only true when publish=true or repository_dispatch
- publish_latest_manifest job restored to its original condition (publish only)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Allows triggering a Windows build in isolation without affecting the Mac
app or publishing to R2/latest.json. When sign_app=true, passes a dummy
publish_version so the full extract/stage/manifest pipeline runs.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
When publish=true: uploads to R2, enables tauri updater, and updates
latest.json with Windows-only platform entries. Mac auto-update is
unaffected since this workflow never touches the Mac build.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Fetches the current latest.json from R2 before building, then merges
the new Windows platform entries on top. Mac auto-update entries are
kept intact so Mac users are unaffected.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replace the separate build_desktop_windows.yml with a platforms input
(all/macos/windows) on build_desktop_all.yml. Uses a dynamic matrix
computed at runtime so only the selected platform(s) are built.

publish_latest_manifest now always fetches and merges the existing
latest.json from R2, preserving entries for platforms not built in
the current run.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
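The fetch-and-merge step described in the two commits above, as an added example that is not part of the songdrive-releases workflow: it layers the platform entries a Windows-only run produced over the latest.json already served from R2, keeps the Mac entries untouched, and refuses to publish an entry without the `signature` the Tauri updater verifies or a manifest whose version would move backwards. The manifest layout is the Tauri updater format; the sample manifests, URLs and signature strings are constructed placeholders.

```python
import copy

REQUIRED_KEYS = {"url", "signature"}


def _semver(version: str) -> tuple:
    # "1.4.2" -> (1, 4, 2); enough for the plain x.y.z tags assumed here
    return tuple(int(part) for part in version.split("."))


def merge_latest_manifest(existing: dict, built: dict) -> dict:
    """Layer the freshly built platform entries over the manifest already served.

    Entries for platforms not built this run (the Mac ones, here) are kept as
    they are. Two checks guard what gets published: every built entry must carry
    the url and the signature the Tauri updater verifies before installing, and
    the top-level version may not move backwards, so re-running an older tag
    cannot roll the published manifest back.
    """
    for name, entry in built.get("platforms", {}).items():
        missing = REQUIRED_KEYS - set(entry)
        if missing:
            raise ValueError(f"platform {name!r} is missing {sorted(missing)}")
    if "version" in existing and _semver(built["version"]) < _semver(existing["version"]):
        raise ValueError(f"refusing downgrade {existing['version']} -> {built['version']}")
    merged = copy.deepcopy(existing)          # never mutate the fetched manifest
    merged["version"] = built["version"]
    merged["pub_date"] = built["pub_date"]
    merged["notes"] = built.get("notes", existing.get("notes", ""))
    merged.setdefault("platforms", {}).update(built["platforms"])
    return merged


# Constructed sample: the manifest R2 currently serves, with Mac entries only ...
EXISTING = {
    "version": "1.4.1", "notes": "previous release", "pub_date": "2026-03-01T10:00:00Z",
    "platforms": {"darwin-aarch64": {
        "url": "https://example.invalid/SongDrive_1.4.1_aarch64.app.tar.gz",
        "signature": "PLACEHOLDER_MINISIGN_SIGNATURE"}},
}
# ... and what a Windows-only run produced (URLs and signatures are placeholders).
BUILT = {
    "version": "1.4.2", "notes": "windows signing", "pub_date": "2026-03-23T12:00:00Z",
    "platforms": {"windows-x86_64": {
        "url": "https://example.invalid/SongDrive_1.4.2_x64-setup.exe",
        "signature": "PLACEHOLDER_MINISIGN_SIGNATURE"}},
}

if __name__ == "__main__":
    import json
    print(json.dumps(merge_latest_manifest(EXISTING, BUILT), indent=2))
```

The updater compares the single top-level version against the running app for every platform, so the preserved Mac entries still need to correspond to a build the merged version is valid for.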
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@mickmister mickmister merged commit d40d1d8 into dev Mar 23, 2026
1 check failed

1 participant