
ci(release): wire Azure Trusted Signing for Windows #86

Merged
Kyle-Falconer merged 5 commits into main from ci/windows-signing
Jun 24, 2026

Conversation

@Kyle-Falconer

Member

Replaces the #56 TODO in the gated Windows release job with the real signing path:

  • azure/login OIDC (federated credential, no stored secret)
  • sign the NSIS installer with azure/trusted-signing-action
  • RELEASING.md documents the repo Variables that flip WINDOWS_SIGNING_ENABLED on

Bumps janitor-gui to 0.1.1 so the v0.1.1 tag drives a draft release that exercises the signing step end-to-end (v0.1.0 was already tagged).

All Azure-side wiring is done: cert profile CircuitStitch (Public Trust) under account Circuit-Stitch (West US 2), app registration with a refs/tags/v* federated credential, and the Trusted Signing Certificate Profile Signer role assigned. Repo Variables set; gate is on.

Test run: tag v0.1.1 (this branch's HEAD).

Closes #56.

🤖 Generated with Claude Code

Kyle-Falconer and others added 3 commits June 24, 2026 14:58
Replaces the #56 TODO in the gated Windows job with the real signing
path: azure/login OIDC (federated, no stored secret) -> sign the NSIS
installer with azure/trusted-signing-action. Documents the repo
Variables an operator sets to flip WINDOWS_SIGNING_ENABLED on.

Bumps janitor-gui to 0.1.1 so a v0.1.1 tag can drive a draft release
that exercises the new signing step (v0.1.0 already tagged).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

A tag-pattern federated credential can't wildcard without preview flexible
FICs, and those can't be smoke-tested (workflow_dispatch presents a branch
subject, not a tag one). Scope to a GitHub Environment instead: the OIDC
subject is repo:OWNER/REPO:environment:release regardless of trigger, so one
credential covers every release tag and the auth is verifiable in ~30s.

Adds oidc-smoke.yml (workflow_dispatch, environment: release) to verify the
azure/login token exchange without the ~17-min Windows build.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Auth is verified; the smoke no longer needs to auto-run on branch pushes.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
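The second commit's argument (a tag-scoped federated credential matches one exact subject, while scoping to a GitHub Environment yields a stable `repo:OWNER/REPO:environment:release` subject on every trigger) is easy to check with a small model of the two halves of the handshake. The following is an added illustration, not code from the janitor-gui repository or from the Azure or GitHub actions it uses: it reproduces GitHub's documented default `sub` claim formats and Azure's exact-match rule for a standard federated identity credential. `OWNER/REPO` is a placeholder for the real slug, and the wildcard behaviour of preview flexible FICs is approximated with `fnmatch`, which is an assumption for illustration only.

```python
"""Model of the GitHub Actions OIDC `sub` claim and Azure federated
credential matching (added example, not project code)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

OWNER_REPO = "OWNER/REPO"  # placeholder for the real repository slug


@dataclass
class JobContext:
    """The parts of a workflow run that GitHub folds into the `sub` claim."""
    event_name: str                    # "push", "workflow_dispatch", "pull_request", ...
    ref: str                           # "refs/tags/v0.1.1", "refs/heads/main", ...
    environment: Optional[str] = None  # job-level `environment:` key, if any


def oidc_subject(ctx: JobContext, repo: str = OWNER_REPO) -> str:
    """Build the default `sub` claim GitHub places in the job's ID token.

    A job that declares an environment gets the environment form no
    matter what triggered it; pull_request runs get a fixed subject;
    everything else is keyed on the git ref (branch or tag)."""
    if ctx.environment:
        return f"repo:{repo}:environment:{ctx.environment}"
    if ctx.event_name == "pull_request":
        return f"repo:{repo}:pull_request"
    return f"repo:{repo}:ref:{ctx.ref}"


def fic_matches(fic_subject: str, token_subject: str, flexible: bool = False) -> bool:
    """Azure federated identity credential check.

    A standard FIC compares the configured subject as an exact string,
    so a pattern like 'refs/tags/v*' never matches. Only the preview
    flexible FICs allow patterns; that is approximated here with fnmatch
    (an assumption for illustration, not Azure's exact grammar)."""
    if flexible:
        return fnmatchcase(token_subject, fic_subject)
    return token_subject == fic_subject


def coverage(fic_subject: str, runs: list, flexible: bool = False) -> dict:
    """Map each run's subject to whether the given credential would accept it."""
    return {oidc_subject(r): fic_matches(fic_subject, oidc_subject(r), flexible) for r in runs}


# Constructed sample runs: two release tags, the workflow_dispatch OIDC smoke
# test (branch ref, but the job declares environment: release), and a plain
# branch push with no environment, which must not be able to sign.
SAMPLE_RUNS = [
    JobContext("push", "refs/tags/v0.1.1", "release"),
    JobContext("push", "refs/tags/v0.1.2", "release"),
    JobContext("workflow_dispatch", "refs/heads/ci/windows-signing", "release"),
    JobContext("push", "refs/heads/main"),
]

TAG_FIC = f"repo:{OWNER_REPO}:ref:refs/tags/v0.1.1"     # one exact tag only
ENV_FIC = f"repo:{OWNER_REPO}:environment:release"      # every job in the environment


def environment_credential_covers_all_release_jobs() -> bool:
    """True when the environment-scoped FIC authorizes exactly the runs
    that declare environment: release and rejects the bare branch push."""
    result = coverage(ENV_FIC, SAMPLE_RUNS)
    allowed = [s for s, ok in result.items() if ok]
    return allowed == [f"repo:{OWNER_REPO}:environment:release"]


if __name__ == "__main__":
    for label, fic in (("tag-scoped", TAG_FIC), ("environment-scoped", ENV_FIC)):
        print(f"{label} credential {fic!r}:")
        for subject, ok in coverage(fic, SAMPLE_RUNS).items():
            print(f"  {'allow' if ok else 'deny '}  {subject}")
```

Running the block prints the allow/deny decision per run for both credential shapes: the tag-scoped credential accepts nothing in the sample set (every release job carries the environment subject, not the tag one), while the environment-scoped credential accepts all three `environment: release` jobs and denies the branch push. That is also why the smoke workflow can verify the token exchange in seconds: its subject is identical to the one a real tag release presents.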
@Kyle-Falconer Kyle-Falconer merged commit 74b3b04 into main Jun 24, 2026
1 check passed
@Kyle-Falconer Kyle-Falconer deleted the ci/windows-signing branch June 24, 2026 23:06

Development

Successfully merging this pull request may close these issues.

Windows code signing via Azure Trusted Signing (OIDC federation, no-unsigned policy)
