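# Builds the opencode CLI, uploads the two unsigned Windows executables as
# workflow artifacts, submits them to SignPath for code signing, and uploads
# the signed executables as a further artifact.
name: sign-cli

# NOTE(review): the push trigger names a single feature branch, so anyone who
# can push to that branch can start a signing request. Confirm this is
# intended before the workflow is merged.
on:
  push:
    branches:
      - brendan/desktop-signpath
  workflow_dispatch:

# Workflow-level permissions apply to every job below.
# NOTE(review): nothing written directly in this file needs `contents: write`
# or `id-token: write`; whether setup-bun, build.ts or signpath.ts need them
# cannot be seen from here. Remove any scope that turns out to be unused.
permissions:
  contents: write
  actions: read
  id-token: write

jobs:
  sign-cli:
    runs-on: ubuntu-latest
    # Only runs in the upstream repository, so forks never reach the
    # signing step.
    if: github.repository == 'anomalyco/opencode'
    steps:
      # NOTE(review): the actions in this job are referenced by mutable tags
      # (@v3, @v4). For a job that handles a signing credential, pin each one
      # to a full commit SHA. checkout also leaves its token in the local git
      # config by default; set `persist-credentials: false` unless a later
      # step pushes with it.
      - uses: actions/checkout@v3
        with:
          fetch-tags: true

      - uses: ./.github/actions/setup-bun

      - name: Build
        run: |
          ./packages/opencode/script/build.ts

      - name: Upload unsigned Windows CLI
        id: upload_unsigned_windows_cli
        uses: actions/upload-artifact@v4
        with:
          name: unsigned-opencode-windows-cli
          path: packages/opencode/dist/opencode-windows-x64/bin/opencode.exe
          if-no-files-found: error

      # Step name made distinct from the previous one so the two uploads can
      # be told apart in the run log; id and artifact name are unchanged.
      - name: Upload unsigned Windows baseline CLI
        id: upload_unsigned_windows_baseline_cli
        uses: actions/upload-artifact@v4
        with:
          name: unsigned-opencode-windows-baseline-cli
          path: packages/opencode/dist/opencode-windows-x64-baseline/bin/opencode.exe
          if-no-files-found: error

      - name: Submit SignPath signing request
        id: submit_signpath_signing_request
        run: |
          ./packages/opencode/script/signpath.ts
        # The SignPath secret is set only on this step, so the build and
        # upload steps above do not receive it in their environment.
        env:
          API_TOKEN: ${{ secrets.SIGNPATH_API_KEY }}
          ORGANIZATION_ID: ${{ vars.SIGNPATH_ORGANIZATION_ID }}
          PROJECT_SLUG: ${{ vars.SIGNPATH_PROJECT_SLUG }}
          SIGNING_POLICY_SLUG: ${{ vars.SIGNPATH_SIGNING_POLICY_SLUG }}
          ARTIFACT_CONFIGURATION_SLUG: ${{ vars.SIGNPATH_ARTIFACT_CONFIGURATION_SLUG }}
          # NOTE(review): only the first artifact id is passed here, while
          # INPUT_ARTIFACTS below lists both; confirm which one signpath.ts
          # reads.
          GITHUB_ARTIFACT_ID: ${{ steps.upload_unsigned_windows_cli.outputs.artifact-id }}
          # NOTE(review): this key looks like a half-finished rename. Confirm
          # the exact variable name signpath.ts reads; if it expects a
          # different name, this setting is silently ignored.
          WAIT_FOR_COMPLETION-for-completion: true
          OUTPUT_ARTIFACT_DIRECTORY: signed-opencode-cli
          GITHUB_TOKEN: ${{ github.token }}
          # Both artifact ids, separated by a single space.
          INPUT_ARTIFACTS: ${{ steps.upload_unsigned_windows_cli.outputs.artifact-id }} ${{ steps.upload_unsigned_windows_baseline_cli.outputs.artifact-id }}

      # NOTE(review): both unsigned inputs are named opencode.exe. Whether the
      # signed outputs can overwrite each other in signed-opencode-cli/
      # depends on signpath.ts; verify that two distinct files arrive here,
      # and consider checking their signatures before this upload.
      - name: Upload signed Windows CLI
        uses: actions/upload-artifact@v4
        with:
          name: signed-opencode-windows-cli
          path: signed-opencode-cli/*.exe
          if-no-files-found: error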