Imports a PFX certificate into the Windows certificate store and sets WINDOWS_CERTIFICATE_THUMBPRINT so Tauri's signtool integration signs the installer. Secrets WINDOWS_CERTIFICATE and WINDOWS_CERTIFICATE_PASSWORD are passed through from build_desktop_common.yml.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
93ff60c to a4c41be
Replaces the PFX certificate approach with Azure Trusted Signing via trusted-signing-cli. Installs the CLI on Windows, passes Azure credentials as env vars to the Tauri build step, and wires up 6 new secrets: AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID, AZURE_SIGNING_ENDPOINT, AZURE_SIGNING_ACCOUNT_NAME, AZURE_SIGNING_CERT_PROFILE_NAME.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…file inputs
The signCommand in tauri.base.conf.json already has the endpoint, account, and profile hardcoded. Only AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and AZURE_TENANT_ID need to be passed via CI secrets.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replaces hardcoded values in tauri.base.conf.json with %ENV_VAR% placeholders, passed through CI as AZURE_SIGNING_ENDPOINT, AZURE_SIGNING_ACCOUNT_NAME, and AZURE_SIGNING_CERT_PROFILE_NAME secrets.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Sets Azure signing env vars via >> GITHUB_ENV in a dedicated step, consistent with how Apple signing vars are handled for macOS.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…tibility
windows-latest removed the Windows SDK version that trusted-signing-cli falls back to for signtool.exe. windows-11-arm has it available out of the box and is also faster.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
… wildcard
Updates tauri_e2e.yml runner and conditionals, and simplifies build_desktop_common.yml platform checks to use windows-* wildcard only, removing the now-redundant windows-latest check.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…est_manifest
- Hardcode endpoint/account/profile in tauri.base.conf.json instead of using %ENV_VAR% placeholders which may not expand in Tauri's signCommand
- Remove azure_signing_endpoint/account_name/cert_profile_name inputs/secrets
- Set SIGNTOOL_PATH to known Windows SDK path so trusted-signing-cli can locate signtool.exe on windows-latest runners
- Switch runner back to windows-latest
- Disable publish_latest_manifest job for now
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Implement windows app code signing in the desktop app workflow/action in the ./songdrive-releases repo