add cli code signing to beta publish

2026-04-24 14:55:19 +00:00 · 2026-02-14 14:31:50 +08:00
parent e6832c483c
commit 7869f9eff3
1 changed files with 62 additions and 0 deletions
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -83,6 +83,68 @@ jobs:
          name: opencode-cli
          path: packages/opencode/dist

+      - name: Upload unsigned Windows CLI
+        id: upload_unsigned_windows_cli
+        uses: actions/upload-artifact@v4
+        if: ${{ github.ref_name == 'beta' }}
+        with:
+          name: unsigned-opencode-windows-cli
+          path: packages/opencode/dist/opencode-windows-x64/bin/opencode.exe
+          if-no-files-found: error
+
+      - name: Submit SignPath signing request
+        # id: submit_signpath_signing_request
+        uses: signpath/github-action-submit-signing-request@v1
+        if: ${{ github.ref_name == 'beta' }}
+        with:
+          api-token: ${{ secrets.SIGNPATH_API_KEY }}
+          organization-id: ${{ secrets.SIGNPATH_ORGANIZATION_ID }}
+          project-slug: ${{ secrets.SIGNPATH_PROJECT_SLUG }}
+          signing-policy-slug: ${{ secrets.SIGNPATH_SIGNING_POLICY_SLUG }}
+          artifact-configuration-slug: ${{ secrets.SIGNPATH_ARTIFACT_CONFIGURATION_SLUG }}
+          github-artifact-id: ${{ steps.upload_unsigned_windows_cli.outputs.artifact-id }}
+          wait-for-completion: true
+          output-artifact-directory: signed-opencode-cli
+
+      - name: Upload signed Windows CLI
+        uses: actions/upload-artifact@v4
+        if: ${{ github.ref_name == 'beta' }}
+        with:
+          name: signed-opencode-windows-cli
+          path: signed-opencode-cli/*.exe
+          if-no-files-found: error
+
+      - name: Upload unsigned Windows baseline CLI
+        id: upload_unsigned_windows_baseline_cli
+        uses: actions/upload-artifact@v4
+        if: ${{ github.ref_name == 'beta' }}
+        with:
+          name: unsigned-opencode-windows-baseline-cli
+          path: packages/opencode/dist/opencode-windows-x64-baseline/bin/opencode.exe
+          if-no-files-found: error
+
+      - name: Submit SignPath signing request
+        # id: submit_signpath_signing_request
+        uses: signpath/github-action-submit-signing-request@v1
+        if: ${{ github.ref_name == 'beta' }}
+        with:
+          api-token: ${{ secrets.SIGNPATH_API_KEY }}
+          organization-id: ${{ secrets.SIGNPATH_ORGANIZATION_ID }}
+          project-slug: ${{ secrets.SIGNPATH_PROJECT_SLUG }}
+          signing-policy-slug: ${{ secrets.SIGNPATH_SIGNING_POLICY_SLUG }}
+          artifact-configuration-slug: ${{ secrets.SIGNPATH_ARTIFACT_CONFIGURATION_SLUG }}
+          github-artifact-id: ${{ steps.upload_unsigned_windows_cli.outputs.artifact-id }}
+          wait-for-completion: true
+          output-artifact-directory: signed-opencode-cli
+
+      - name: Upload signed Windows baseline CLI
+        uses: actions/upload-artifact@v4
+        if: ${{ github.ref_name == 'beta' }}
+        with:
+          name: signed-opencode-windows-baseline-cli
+          path: signed-opencode-cli/*.exe
+          if-no-files-found: error
+
    outputs:
      version: ${{ needs.version.outputs.version }}