From 32729350f6e38c41c708cae005821df7f454e438 Mon Sep 17 00:00:00 2001
From: CI workflows <info@dbgate.io>
Date: Thu, 30 Oct 2025 07:48:22 +0000
Subject: [PATCH] chore: auto-update github workflows

---
 .github/workflows/build-app-beta.yaml     | 43 +++++++++++++++++++--
 .github/workflows/build-app-check.yaml    | 43 +++++++++++++++++++--
 .github/workflows/build-app-pro-beta.yaml | 47 +++++++++++++++++++++--
 .github/workflows/build-app-pro.yaml      | 47 +++++++++++++++++++++--
 .github/workflows/build-app.yaml          | 43 +++++++++++++++++++--
 5 files changed, 203 insertions(+), 20 deletions(-)

diff --git a/.github/workflows/build-app-beta.yaml b/.github/workflows/build-app-beta.yaml
index ca9df362f..d9003cafa 100644
--- a/.github/workflows/build-app-beta.yaml
+++ b/.github/workflows/build-app-beta.yaml
@@ -6,9 +6,13 @@ name: Electron app BETA
   push:
     tags:
       - v[0-9]+.[0-9]+.[0-9]+-beta.[0-9]+
+permissions:
+  id-token: write
+  contents: write
 jobs:
   build:
     runs-on: ${{ matrix.os }}
+    environment: dbgate-app
     strategy:
       fail-fast: false
       matrix:
@@ -60,21 +64,52 @@ jobs:
       - name: Install Snapcraft
         if: matrix.os == 'ubuntu-22.04'
         uses: samuelmeuli/action-snapcraft@v1
-      - name: Publish
+      - name: Publish Windows
+        if: matrix.os == 'windows-2022'
+        run: |
+
+          yarn run build:app
+        env:
+          GH_TOKEN: ${{ secrets.GH_TOKEN }}
+      - name: Publish MacOS
+        if: matrix.os == 'macos-14'
         run: |
 
           yarn run build:app
         env:
           GH_TOKEN: ${{ secrets.GH_TOKEN }}
-          WIN_CSC_LINK: ${{ secrets.WINCERT_2025 }}
-          WIN_CSC_KEY_PASSWORD: ${{ secrets.WINCERT_2025_PASSWORD }}
           CSC_LINK: ${{ secrets.APPLECERT_CERTIFICATE }}
           CSC_KEY_PASSWORD: ${{ secrets.APPLECERT_PASSWORD }}
           APPLE_ID: ${{ secrets.APPLE_ID }}
           APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
           APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
-          SNAPCRAFT_STORE_CREDENTIALS: ${{secrets.SNAPCRAFT_LOGIN}}
           APPLE_APP_SPECIFIC_PASSWORD: ${{secrets.APPLE_APP_SPECIFIC_PASSWORD}}
+      - name: Publish Linux
+        if: matrix.os == 'ubuntu-22.04'
+        run: |
+
+          yarn run build:app
+        env:
+          GH_TOKEN: ${{ secrets.GH_TOKEN }}
+          SNAPCRAFT_STORE_CREDENTIALS: ${{secrets.SNAPCRAFT_LOGIN}}
+      - name: Azure login (OIDC)
+        uses: azure/login@v2
+        if: matrix.os == 'windows-2022'
+        with:
+          client-id: ${{ secrets.AZURE_TC_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TC_TENANT_ID }}
+          allow-no-subscriptions: true
+      - name: Sign Windows artifacts with Azure Trusted Signing
+        uses: azure/trusted-signing-action@v0
+        if: matrix.os == 'windows-2022'
+        with:
+          endpoint: https://wus3.codesigning.azure.net/
+          trusted-signing-account-name: DbGate
+          certificate-profile-name: DbGate-Release
+          files-folder: app/dist
+          files-folder-filter: exe
+          timestamp-rfc3161: http://timestamp.acs.microsoft.com
+          timestamp-digest: SHA256
       - name: Copy artifacts
         run: |
           mkdir artifacts          
diff --git a/.github/workflows/build-app-check.yaml b/.github/workflows/build-app-check.yaml
index c5686419e..112dca034 100644
--- a/.github/workflows/build-app-check.yaml
+++ b/.github/workflows/build-app-check.yaml
@@ -6,9 +6,13 @@ name: Electron app check build
   push:
     tags:
       - check-[0-9]+-[0-9]+-[0-9]+.[0-9]+
+permissions:
+  id-token: write
+  contents: write
 jobs:
   build:
     runs-on: ${{ matrix.os }}
+    environment: dbgate-app
     strategy:
       fail-fast: false
       matrix:
@@ -56,21 +60,52 @@ jobs:
       - name: Install Snapcraft
         if: matrix.os == 'ubuntu-22.04'
         uses: samuelmeuli/action-snapcraft@v1
-      - name: Publish
+      - name: Publish Windows
+        if: matrix.os == 'windows-2022'
+        run: |
+
+          yarn run build:app
+        env:
+          GH_TOKEN: ${{ secrets.GH_TOKEN }}
+      - name: Publish MacOS
+        if: matrix.os == 'macos-14'
         run: |
 
           yarn run build:app
         env:
           GH_TOKEN: ${{ secrets.GH_TOKEN }}
-          WIN_CSC_LINK: ${{ secrets.WINCERT_2025 }}
-          WIN_CSC_KEY_PASSWORD: ${{ secrets.WINCERT_2025_PASSWORD }}
           CSC_LINK: ${{ secrets.APPLECERT_CERTIFICATE }}
           CSC_KEY_PASSWORD: ${{ secrets.APPLECERT_PASSWORD }}
           APPLE_ID: ${{ secrets.APPLE_ID }}
           APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
           APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
-          SNAPCRAFT_STORE_CREDENTIALS: ${{secrets.SNAPCRAFT_LOGIN}}
           APPLE_APP_SPECIFIC_PASSWORD: ${{secrets.APPLE_APP_SPECIFIC_PASSWORD}}
+      - name: Publish Linux
+        if: matrix.os == 'ubuntu-22.04'
+        run: |
+
+          yarn run build:app
+        env:
+          GH_TOKEN: ${{ secrets.GH_TOKEN }}
+          SNAPCRAFT_STORE_CREDENTIALS: ${{secrets.SNAPCRAFT_LOGIN}}
+      - name: Azure login (OIDC)
+        uses: azure/login@v2
+        if: matrix.os == 'windows-2022'
+        with:
+          client-id: ${{ secrets.AZURE_TC_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TC_TENANT_ID }}
+          allow-no-subscriptions: true
+      - name: Sign Windows artifacts with Azure Trusted Signing
+        uses: azure/trusted-signing-action@v0
+        if: matrix.os == 'windows-2022'
+        with:
+          endpoint: https://wus3.codesigning.azure.net/
+          trusted-signing-account-name: DbGate
+          certificate-profile-name: DbGate-Release
+          files-folder: app/dist
+          files-folder-filter: exe
+          timestamp-rfc3161: http://timestamp.acs.microsoft.com
+          timestamp-digest: SHA256
       - name: Copy artifacts
         run: |
           mkdir artifacts          
diff --git a/.github/workflows/build-app-pro-beta.yaml b/.github/workflows/build-app-pro-beta.yaml
index 4f1cd8591..2ae47f81b 100644
--- a/.github/workflows/build-app-pro-beta.yaml
+++ b/.github/workflows/build-app-pro-beta.yaml
@@ -6,9 +6,13 @@ name: Electron app PREMIUM BETA
   push:
     tags:
       - v[0-9]+.[0-9]+.[0-9]+-premium-beta.[0-9]+
+permissions:
+  id-token: write
+  contents: write
 jobs:
   build:
     runs-on: ${{ matrix.os }}
+    environment: dbgate-app
     strategy:
       fail-fast: false
       matrix:
@@ -87,7 +91,17 @@ jobs:
           cd dbgate-merged
 
           yarn fillPackagedPlugins
-      - name: Publish
+      - name: Publish Windows
+        if: matrix.os == 'windows-2022'
+        run: |
+          cd ..
+          cd dbgate-merged
+
+          yarn run build:app
+        env:
+          GH_TOKEN: ${{ secrets.GH_TOKEN }}
+      - name: Publish MacOS
+        if: matrix.os == 'macos-14'
         run: |
           cd ..
           cd dbgate-merged
@@ -95,15 +109,40 @@ jobs:
           yarn run build:app
         env:
           GH_TOKEN: ${{ secrets.GH_TOKEN }}
-          WIN_CSC_LINK: ${{ secrets.WINCERT_2025 }}
-          WIN_CSC_KEY_PASSWORD: ${{ secrets.WINCERT_2025_PASSWORD }}
           CSC_LINK: ${{ secrets.APPLECERT_CERTIFICATE }}
           CSC_KEY_PASSWORD: ${{ secrets.APPLECERT_PASSWORD }}
           APPLE_ID: ${{ secrets.APPLE_ID }}
           APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
           APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
-          SNAPCRAFT_STORE_CREDENTIALS: ${{secrets.SNAPCRAFT_LOGIN}}
           APPLE_APP_SPECIFIC_PASSWORD: ${{secrets.APPLE_APP_SPECIFIC_PASSWORD}}
+      - name: Publish Linux
+        if: matrix.os == 'ubuntu-22.04'
+        run: |
+          cd ..
+          cd dbgate-merged
+
+          yarn run build:app
+        env:
+          GH_TOKEN: ${{ secrets.GH_TOKEN }}
+          SNAPCRAFT_STORE_CREDENTIALS: ${{secrets.SNAPCRAFT_LOGIN}}
+      - name: Azure login (OIDC)
+        uses: azure/login@v2
+        if: matrix.os == 'windows-2022'
+        with:
+          client-id: ${{ secrets.AZURE_TC_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TC_TENANT_ID }}
+          allow-no-subscriptions: true
+      - name: Sign Windows artifacts with Azure Trusted Signing
+        uses: azure/trusted-signing-action@v0
+        if: matrix.os == 'windows-2022'
+        with:
+          endpoint: https://wus3.codesigning.azure.net/
+          trusted-signing-account-name: DbGate
+          certificate-profile-name: DbGate-Release
+          files-folder: app/dist
+          files-folder-filter: exe
+          timestamp-rfc3161: http://timestamp.acs.microsoft.com
+          timestamp-digest: SHA256
       - name: Copy artifacts
         run: |
           mkdir artifacts          
diff --git a/.github/workflows/build-app-pro.yaml b/.github/workflows/build-app-pro.yaml
index 6ad30d299..a26e343ae 100644
--- a/.github/workflows/build-app-pro.yaml
+++ b/.github/workflows/build-app-pro.yaml
@@ -6,9 +6,13 @@ name: Electron app PREMIUM
   push:
     tags:
       - v[0-9]+.[0-9]+.[0-9]+
+permissions:
+  id-token: write
+  contents: write
 jobs:
   build:
     runs-on: ${{ matrix.os }}
+    environment: dbgate-app
     strategy:
       fail-fast: false
       matrix:
@@ -87,7 +91,17 @@ jobs:
           cd dbgate-merged
 
           yarn fillPackagedPlugins
-      - name: Publish
+      - name: Publish Windows
+        if: matrix.os == 'windows-2022'
+        run: |
+          cd ..
+          cd dbgate-merged
+
+          yarn run build:app
+        env:
+          GH_TOKEN: ${{ secrets.GH_TOKEN }}
+      - name: Publish MacOS
+        if: matrix.os == 'macos-14'
         run: |
           cd ..
           cd dbgate-merged
@@ -95,15 +109,40 @@ jobs:
           yarn run build:app
         env:
           GH_TOKEN: ${{ secrets.GH_TOKEN }}
-          WIN_CSC_LINK: ${{ secrets.WINCERT_2025 }}
-          WIN_CSC_KEY_PASSWORD: ${{ secrets.WINCERT_2025_PASSWORD }}
           CSC_LINK: ${{ secrets.APPLECERT_CERTIFICATE }}
           CSC_KEY_PASSWORD: ${{ secrets.APPLECERT_PASSWORD }}
           APPLE_ID: ${{ secrets.APPLE_ID }}
           APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
           APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
-          SNAPCRAFT_STORE_CREDENTIALS: ${{secrets.SNAPCRAFT_LOGIN}}
           APPLE_APP_SPECIFIC_PASSWORD: ${{secrets.APPLE_APP_SPECIFIC_PASSWORD}}
+      - name: Publish Linux
+        if: matrix.os == 'ubuntu-22.04'
+        run: |
+          cd ..
+          cd dbgate-merged
+
+          yarn run build:app
+        env:
+          GH_TOKEN: ${{ secrets.GH_TOKEN }}
+          SNAPCRAFT_STORE_CREDENTIALS: ${{secrets.SNAPCRAFT_LOGIN}}
+      - name: Azure login (OIDC)
+        uses: azure/login@v2
+        if: matrix.os == 'windows-2022'
+        with:
+          client-id: ${{ secrets.AZURE_TC_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TC_TENANT_ID }}
+          allow-no-subscriptions: true
+      - name: Sign Windows artifacts with Azure Trusted Signing
+        uses: azure/trusted-signing-action@v0
+        if: matrix.os == 'windows-2022'
+        with:
+          endpoint: https://wus3.codesigning.azure.net/
+          trusted-signing-account-name: DbGate
+          certificate-profile-name: DbGate-Release
+          files-folder: app/dist
+          files-folder-filter: exe
+          timestamp-rfc3161: http://timestamp.acs.microsoft.com
+          timestamp-digest: SHA256
       - name: Copy artifacts
         run: |
           mkdir artifacts          
diff --git a/.github/workflows/build-app.yaml b/.github/workflows/build-app.yaml
index 22545dd62..00cb951c5 100644
--- a/.github/workflows/build-app.yaml
+++ b/.github/workflows/build-app.yaml
@@ -6,9 +6,13 @@ name: Electron app
   push:
     tags:
       - v[0-9]+.[0-9]+.[0-9]+
+permissions:
+  id-token: write
+  contents: write
 jobs:
   build:
     runs-on: ${{ matrix.os }}
+    environment: dbgate-app
     strategy:
       fail-fast: false
       matrix:
@@ -56,24 +60,55 @@ jobs:
       - name: Install Snapcraft
         if: matrix.os == 'ubuntu-22.04'
         uses: samuelmeuli/action-snapcraft@v1
-      - name: Publish
+      - name: Publish Windows
+        if: matrix.os == 'windows-2022'
+        run: |
+
+          yarn run build:app
+        env:
+          GH_TOKEN: ${{ secrets.GH_TOKEN }}
+      - name: Publish MacOS
+        if: matrix.os == 'macos-14'
         run: |
 
           yarn run build:app
         env:
           GH_TOKEN: ${{ secrets.GH_TOKEN }}
-          WIN_CSC_LINK: ${{ secrets.WINCERT_2025 }}
-          WIN_CSC_KEY_PASSWORD: ${{ secrets.WINCERT_2025_PASSWORD }}
           CSC_LINK: ${{ secrets.APPLECERT_CERTIFICATE }}
           CSC_KEY_PASSWORD: ${{ secrets.APPLECERT_PASSWORD }}
           APPLE_ID: ${{ secrets.APPLE_ID }}
           APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
           APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
-          SNAPCRAFT_STORE_CREDENTIALS: ${{secrets.SNAPCRAFT_LOGIN}}
           APPLE_APP_SPECIFIC_PASSWORD: ${{secrets.APPLE_APP_SPECIFIC_PASSWORD}}
+      - name: Publish Linux
+        if: matrix.os == 'ubuntu-22.04'
+        run: |
+
+          yarn run build:app
+        env:
+          GH_TOKEN: ${{ secrets.GH_TOKEN }}
+          SNAPCRAFT_STORE_CREDENTIALS: ${{secrets.SNAPCRAFT_LOGIN}}
       - name: generatePadFile
         run: |
           yarn generatePadFile
+      - name: Azure login (OIDC)
+        uses: azure/login@v2
+        if: matrix.os == 'windows-2022'
+        with:
+          client-id: ${{ secrets.AZURE_TC_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TC_TENANT_ID }}
+          allow-no-subscriptions: true
+      - name: Sign Windows artifacts with Azure Trusted Signing
+        uses: azure/trusted-signing-action@v0
+        if: matrix.os == 'windows-2022'
+        with:
+          endpoint: https://wus3.codesigning.azure.net/
+          trusted-signing-account-name: DbGate
+          certificate-profile-name: DbGate-Release
+          files-folder: app/dist
+          files-folder-filter: exe
+          timestamp-rfc3161: http://timestamp.acs.microsoft.com
+          timestamp-digest: SHA256
       - name: Copy artifacts
         run: |
           mkdir artifacts