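# Builds the opencode CLI, uploads the unsigned Windows binary as an artifact,
# submits it to SignPath through ./script/signpath.ts, and uploads the signed
# executable as a second artifact.
name: sign-cli

on:
  push:
    branches:
      - brendan/desktop-signpath
  # NOTE(review): a manual dispatch can run this workflow from any ref, so the
  # signing request is not limited to the branch above. Confirm that the
  # SignPath signing policy restricts which refs may be signed.
  workflow_dispatch:

# NOTE(review): no step visible here pushes commits, tags or releases, or
# requests an OIDC token. If build.ts and signpath.ts do not need them either,
# reduce `contents` to read and drop `id-token` so that the job holding the
# signing secret runs with least privilege.
permissions:
  contents: write
  actions: read
  id-token: write

jobs:
  sign-cli:
    runs-on: ubuntu-latest
    # Only run in the upstream repository; forks do not have the signing
    # secrets and variables.
    if: github.repository == 'anomalyco/opencode'
    steps:
      # NOTE(review): actions are referenced by mutable tags (@v3, @v4).
      # Pinning each to a full commit SHA keeps the code that runs in the
      # signing job fixed until it is deliberately updated.
      - uses: actions/checkout@v3
        with:
          fetch-tags: true

      - uses: ./.github/actions/setup-bun

      - name: Build
        run: |
          ./packages/opencode/script/build.ts

      - name: Upload unsigned Windows CLI
        id: upload_unsigned_windows_cli
        uses: actions/upload-artifact@v4
        with:
          name: unsigned-opencode-windows-cli
          path: packages/opencode/dist/opencode-windows-x64/bin/opencode.exe
          # Fail the job rather than submit an empty signing request.
          if-no-files-found: error

      # Previous implementation using the SignPath action, kept for reference.
      # - name: Submit SignPath signing request
      #   id: submit_signpath_signing_request
      #   uses: signpath/github-action-submit-signing-request@v1
      #   with:
      #     api-token: ${{ secrets.SIGNPATH_API_KEY }}
      #     organization-id: ${{ vars.SIGNPATH_ORGANIZATION_ID }}
      #     project-slug: ${{ vars.SIGNPATH_PROJECT_SLUG }}
      #     signing-policy-slug: ${{ vars.SIGNPATH_SIGNING_POLICY_SLUG }}
      #     artifact-configuration-slug: ${{ vars.SIGNPATH_ARTIFACT_CONFIGURATION_SLUG }}
      #     github-artifact-id: ${{ steps.upload_unsigned_windows_cli.outputs.artifact-id }}
      #     wait-for-completion: true
      #     output-artifact-directory: signed-opencode-cli

      - name: Submit SignPath signing request
        id: submit_signpath_signing_request
        run: |
          ./script/signpath.ts
        # The API token is set only in this step's environment, so the build
        # and upload steps never see it.
        env:
          API_TOKEN: ${{ secrets.SIGNPATH_API_KEY }}
          ORGANIZATION_ID: ${{ vars.SIGNPATH_ORGANIZATION_ID }}
          PROJECT_SLUG: ${{ vars.SIGNPATH_PROJECT_SLUG }}
          SIGNING_POLICY_SLUG: ${{ vars.SIGNPATH_SIGNING_POLICY_SLUG }}
          ARTIFACT_CONFIGURATION_SLUG: ${{ vars.SIGNPATH_ARTIFACT_CONFIGURATION_SLUG }}
          GITHUB_ARTIFACT_ID: ${{ steps.upload_unsigned_windows_cli.outputs.artifact-id }}
          # Was `WAIT_FOR_COMPLETION-for-completion`, which looks like a botched
          # rename of the action input `wait-for-completion`. Confirm that
          # ./script/signpath.ts reads WAIT_FOR_COMPLETION. Quoted because
          # environment values are strings.
          WAIT_FOR_COMPLETION: 'true'
          OUTPUT_ARTIFACT_DIRECTORY: signed-opencode-cli

      - name: Upload signed Windows CLI
        uses: actions/upload-artifact@v4
        with:
          name: signed-opencode-windows-cli
          path: signed-opencode-cli/*.exe
          # Fail the job if signing produced no executable.
          if-no-files-found: error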