required when publish

2026-04-24 14:45:27 +00:00 · 2026-02-13 14:55:56 -08:00
parent fb949eddc8
commit 5049040406
1 changed files with 31 additions and 0 deletions
--- a/.github/workflows/rust-release-windows.yml
+++ b/.github/workflows/rust-release-windows.yml
@@ -174,6 +174,37 @@ jobs:
          ls -lh target/${{ matrix.target }}/release/codex-windows-sandbox-setup.exe
          ls -lh target/${{ matrix.target }}/release/codex-command-runner.exe

+      - name: Validate signing secrets when publish is enabled
+        if: ${{ inputs.publish }}
+        shell: bash
+        env:
+          AZURE_TRUSTED_SIGNING_CLIENT_ID: ${{ secrets.AZURE_TRUSTED_SIGNING_CLIENT_ID }}
+          AZURE_TRUSTED_SIGNING_TENANT_ID: ${{ secrets.AZURE_TRUSTED_SIGNING_TENANT_ID }}
+          AZURE_TRUSTED_SIGNING_SUBSCRIPTION_ID: ${{ secrets.AZURE_TRUSTED_SIGNING_SUBSCRIPTION_ID }}
+          AZURE_TRUSTED_SIGNING_ENDPOINT: ${{ secrets.AZURE_TRUSTED_SIGNING_ENDPOINT }}
+          AZURE_TRUSTED_SIGNING_ACCOUNT_NAME: ${{ secrets.AZURE_TRUSTED_SIGNING_ACCOUNT_NAME }}
+          AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE_NAME: ${{ secrets.AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE_NAME }}
+        run: |
+          set -euo pipefail
+          missing=0
+          required=(
+            AZURE_TRUSTED_SIGNING_CLIENT_ID
+            AZURE_TRUSTED_SIGNING_TENANT_ID
+            AZURE_TRUSTED_SIGNING_SUBSCRIPTION_ID
+            AZURE_TRUSTED_SIGNING_ENDPOINT
+            AZURE_TRUSTED_SIGNING_ACCOUNT_NAME
+            AZURE_TRUSTED_SIGNING_CERTIFICATE_PROFILE_NAME
+          )
+          for key in "${required[@]}"; do
+            if [[ -z "${!key}" ]]; then
+              echo "::error::Missing required secret: ${key}"
+              missing=1
+            fi
+          done
+          if [[ "${missing}" -ne 0 ]]; then
+            exit 1
+          fi
+
      - name: Sign Windows binaries with Azure Trusted Signing
        if: ${{ inputs.publish }}
        uses: ./.github/actions/windows-code-sign