azure code signing

2026-04-17 22:36:01 +00:00 · 2025-10-30 08:47:55 +01:00
parent 0e211dc91b
commit 4929d190a5
1 changed files with 46 additions and 9 deletions
--- a/workflow-templates/build-app.tpl.yaml
+++ b/workflow-templates/build-app.tpl.yaml
@@ -85,9 +85,14 @@ on:
    # branches:
    #   - production

+permissions:
+  id-token: write
+  contents: write
+
 jobs:
  build:
    runs-on: ${{ matrix.os }}
+    environment: dbgate-app

    strategy:
      fail-fast: false
@@ -145,33 +150,65 @@ jobs:
        _if: _community
        if: matrix.os == 'ubuntu-22.04'
        uses: samuelmeuli/action-snapcraft@v1
-      - name: Publish
+
+      - name: Publish Windows
+        if: matrix.os == 'windows-2022'
        run: |
          <<cd_merged>>
          yarn run build:app
        env:
          GH_TOKEN: ${{ secrets.GH_TOKEN }} # token for electron publish

-          WIN_CSC_LINK: ${{ secrets.WINCERT_2025 }}
-          WIN_CSC_KEY_PASSWORD: ${{ secrets.WINCERT_2025_PASSWORD }}
-          # WIN_CSC_LINK: ${{ secrets.WINCERT_CERTIFICATE }}
-          # WIN_CSC_KEY_PASSWORD: ${{ secrets.WINCERT_PASSWORD }}
-
+      - name: Publish MacOS
+        if: matrix.os == 'macos-14'
+        run: |
+          <<cd_merged>>
+          yarn run build:app
+        env:
+          GH_TOKEN: ${{ secrets.GH_TOKEN }} # token for electron publish
          CSC_LINK: ${{ secrets.APPLECERT_CERTIFICATE }}
          CSC_KEY_PASSWORD: ${{ secrets.APPLECERT_PASSWORD }}
-
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_TEAM_ID: ${{ secrets.APPLE_TEAM_ID }}
          APPLE_ID_PASSWORD: ${{ secrets.APPLE_ID_PASSWORD }}
-
-          SNAPCRAFT_STORE_CREDENTIALS: ${{secrets.SNAPCRAFT_LOGIN}}
          APPLE_APP_SPECIFIC_PASSWORD: ${{secrets.APPLE_APP_SPECIFIC_PASSWORD}}

+      - name: Publish Linux
+        if: matrix.os == 'ubuntu-22.04'
+        run: |
+          <<cd_merged>>
+          yarn run build:app
+        env:
+          GH_TOKEN: ${{ secrets.GH_TOKEN }} # token for electron publish
+          SNAPCRAFT_STORE_CREDENTIALS: ${{secrets.SNAPCRAFT_LOGIN}}
+
      - name: generatePadFile
        _if: _community_stable
        run: |
          yarn generatePadFile

+      - name: Azure login (OIDC)
+        uses: azure/login@v2
+        if: matrix.os == 'windows-2022'
+        with:
+          client-id: ${{ secrets.AZURE_TC_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TC_TENANT_ID }}
+          allow-no-subscriptions: true
+
+      - name: Sign Windows artifacts with Azure Trusted Signing
+        uses: azure/trusted-signing-action@v0
+        if: matrix.os == 'windows-2022'
+        with:
+          endpoint: https://wus3.codesigning.azure.net/
+          trusted-signing-account-name: DbGate
+          certificate-profile-name: DbGate-Release
+
+          files-folder: app/dist
+          files-folder-filter: exe
+
+          timestamp-rfc3161: http://timestamp.acs.microsoft.com
+          timestamp-digest: SHA256
+
      - name: Copy artifacts
        run: |
          mkdir artifacts