diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index bfdc88e251..38caf6ca2a 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -116,6 +116,13 @@ jobs:
           name: opencode-cli
           path: packages/opencode/dist
 
+      - name: Setup git committer
+        id: committer
+        uses: ./.github/actions/setup-git-committer
+        with:
+          opencode-app-id: ${{ vars.OPENCODE_APP_ID }}
+          opencode-app-secret: ${{ secrets.OPENCODE_APP_SECRET }}
+
       - uses: ./.github/actions/windows-trusted-signing
         with:
           azure-client-id: ${{ vars.AZURE_CLIENT_ID || secrets.AZURE_CLIENT_ID }}
@@ -141,7 +148,7 @@ jobs:
         if: needs.version.outputs.release != ''
         shell: pwsh
         env:
-          GH_TOKEN: ${{ github.token }}
+          GH_TOKEN: ${{ steps.committer.outputs.token }}
         run: |
           gh release upload "v${{ needs.version.outputs.version }}" `
             "${{ github.workspace }}\packages\opencode\dist\opencode-windows-arm64.zip" `
diff --git a/script/sign-windows.ps1 b/script/sign-windows.ps1
index 4e47bfd942..d8e160f47b 100644
--- a/script/sign-windows.ps1
+++ b/script/sign-windows.ps1
@@ -16,7 +16,7 @@ $vars = @{
 }
 
 if ($vars.Values | Where-Object { -not $_ }) {
-  Write-Host "Skipping Windows signing because Trusted Signing is not configured"
+  Write-Host "Skipping Windows signing because Azure Artifact Signing is not configured"
   exit 0
 }
 
@@ -25,7 +25,7 @@ if (-not (Get-Command sign -ErrorAction SilentlyContinue)) {
   exit 0
 }
 
-$files = $Path | ForEach-Object { Resolve-Path $_ -ErrorAction SilentlyContinue } | Select-Object -ExpandProperty Path -Unique
+$files = @($Path | ForEach-Object { Resolve-Path $_ -ErrorAction SilentlyContinue } | Select-Object -ExpandProperty Path -Unique)
 
 if (-not $files -or $files.Count -eq 0) {
   throw "No files matched the requested paths"
@@ -35,17 +35,17 @@ $groups = $files | Group-Object { Split-Path $_ -Parent }
 
 foreach ($group in $groups) {
   $dir = $group.Name
-  $names = $group.Group | ForEach-Object { Split-Path $_ -Leaf }
+  $names = @($group.Group | ForEach-Object { Split-Path $_ -Leaf })
 
-  & sign code trusted-signing `
+  & sign code artifact-signing `
     -b $dir `
-    -tse $vars.endpoint `
-    -tscp $vars.profile `
-    -tsa $vars.account `
+    -ase $vars.endpoint `
+    -ascp $vars.profile `
+    -asa $vars.account `
     @names `
     -v Information
 
   if ($LASTEXITCODE -ne 0) {
-    throw "Trusted Signing failed for $($group.Name)"
+    throw "Azure Artifact Signing failed for $($group.Name)"
   }
 }