fix(ci): repair beta Windows signing uploads

Use the app token for cross-repo beta release uploads and update the Windows signing helper to use Azure Artifact Signing with stable single-file argument handling.
2026-04-23 22:34:53 +00:00 · 2026-03-28 07:21:28 +10:00
parent 1c6707cfa9
commit 3f5bd3dfab
2 changed files with 16 additions and 9 deletions
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -116,6 +116,13 @@ jobs:
          name: opencode-cli
          path: packages/opencode/dist

+      - name: Setup git committer
+        id: committer
+        uses: ./.github/actions/setup-git-committer
+        with:
+          opencode-app-id: ${{ vars.OPENCODE_APP_ID }}
+          opencode-app-secret: ${{ secrets.OPENCODE_APP_SECRET }}
+
      - uses: ./.github/actions/windows-trusted-signing
        with:
          azure-client-id: ${{ vars.AZURE_CLIENT_ID || secrets.AZURE_CLIENT_ID }}
@@ -141,7 +148,7 @@ jobs:
        if: needs.version.outputs.release != ''
        shell: pwsh
        env:
-          GH_TOKEN: ${{ github.token }}
+          GH_TOKEN: ${{ steps.committer.outputs.token }}
        run: |
          gh release upload "v${{ needs.version.outputs.version }}" `
            "${{ github.workspace }}\packages\opencode\dist\opencode-windows-arm64.zip" `
--- a/script/sign-windows.ps1
+++ b/script/sign-windows.ps1
@@ -16,7 +16,7 @@ $vars = @{
 }

 if ($vars.Values | Where-Object { -not $_ }) {
-  Write-Host "Skipping Windows signing because Trusted Signing is not configured"
+  Write-Host "Skipping Windows signing because Azure Artifact Signing is not configured"
  exit 0
 }

@@ -25,7 +25,7 @@ if (-not (Get-Command sign -ErrorAction SilentlyContinue)) {
  exit 0
 }

-$files = $Path | ForEach-Object { Resolve-Path $_ -ErrorAction SilentlyContinue } | Select-Object -ExpandProperty Path -Unique
+$files = @($Path | ForEach-Object { Resolve-Path $_ -ErrorAction SilentlyContinue } | Select-Object -ExpandProperty Path -Unique)

 if (-not $files -or $files.Count -eq 0) {
  throw "No files matched the requested paths"
@@ -35,17 +35,17 @@ $groups = $files | Group-Object { Split-Path $_ -Parent }

 foreach ($group in $groups) {
  $dir = $group.Name
-  $names = $group.Group | ForEach-Object { Split-Path $_ -Leaf }
+  $names = @($group.Group | ForEach-Object { Split-Path $_ -Leaf })

-  & sign code trusted-signing `
+  & sign code artifact-signing `
    -b $dir `
-    -tse $vars.endpoint `
-    -tscp $vars.profile `
-    -tsa $vars.account `
+    -ase $vars.endpoint `
+    -ascp $vars.profile `
+    -asa $vars.account `
    @names `
    -v Information

  if ($LASTEXITCODE -ne 0) {
-    throw "Trusted Signing failed for $($group.Name)"
+    throw "Azure Artifact Signing failed for $($group.Name)"
  }
 }