Add release workflow with SignPath code signing#4
Open
hsbt wants to merge 3 commits into
Open
Conversation
SmartScreen and the file-properties dialog show these fields, and the code-signing provider requires them to identify the project. The release workflow overrides Version from the tag.
Catches AOT publish breakage on every push instead of at release time. The arm64 target cross-compiles on the x64 runner with the ARM64 MSVC tools present on the hosted image. CI artifacts are unsigned.
Pushing a v* tag builds rb.exe for win-x64 and win-arm64, signs both through SignPath Foundation, verifies the signatures, and attaches the binaries with .sha256 checksums to a GitHub release. Signing lives in the .github/actions/sign composite action so the planned migration to Azure Artifact Signing or an OV certificate only swaps that one seam. While the SignPath credentials are not configured, releases come out as unsigned drafts with a warning. docs/code-signing.md doubles as the signing policy and the SignPath Foundation application checklist.
There was a problem hiding this comment.
Pull request overview
Introduces a tag-driven release pipeline that builds NativeAOT rb.exe for win-x64 and win-arm64, optionally signs the binaries via SignPath Foundation (through a provider-isolated composite action), verifies Authenticode signatures, and publishes the binaries plus .sha256 files to a GitHub Release. It also adds VERSIONINFO metadata to the executable and documents the signing policy and operational steps.
Changes:
- Add a release workflow (
v*tags) to build, sign (when configured), verify, checksum, and publishrb.exeartifacts to a GitHub Release. - Add CI publishing of unsigned NativeAOT binaries for win-x64/win-arm64 to surface AOT breakage earlier.
- Add VERSIONINFO metadata and documentation covering the signing policy and setup checklist.
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
src/rbmanager/rbmanager.csproj |
Adds VERSIONINFO metadata used by SmartScreen/file properties and for signing-provider identification. |
README.md |
Documents the new release/signing pipeline and attribution requirements. |
docs/code-signing.md |
Adds the signing policy and operational/runbook documentation for release signing. |
.github/workflows/release.yml |
New tag-triggered release workflow that builds, signs (optional), verifies signatures, and creates GitHub Releases with checksums. |
.github/workflows/ci.yml |
Adds CI NativeAOT publish artifacts (unsigned) for win-x64 and win-arm64. |
.github/actions/sign/action.yml |
Adds a composite action encapsulating provider-specific signing behavior (SignPath today). |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+12
to
+14
| permissions: | ||
| contents: read | ||
|
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Pushing a
v*tag now builds NativeAOTrb.exefor win-x64 and win-arm64, signs both through SignPath Foundation, verifies the signatures withGet-AuthenticodeSignature, and attaches the binaries with.sha256checksums to a GitHub release.rb.exeis the one binary users download directly with a browser, so it carries the Mark of the Web and an unsigned build is effectively blocked by SmartScreen. That makes it the first signing target ahead of the MSI and winget channels.The signing provider will change later. SignPath Foundation goes first because Azure Trusted Signing currently limits identity validation to US/CA/EU/UK legal entities, so all provider-specific logic is isolated in the
.github/actions/signcomposite action and the release workflow only sees "unsigned artifact in, signed files out". The SignPath credentials live in therelease-signingGitHub environment (SIGNPATH_API_TOKENsecret plusSIGNPATH_ORGANIZATION_ID,SIGNPATH_PROJECT_SLUG, andSIGNPATH_SIGNING_POLICY_SLUGvariables), which can require reviewer approval before the job starts. While they are not configured, tag pushes still work but produce unsigned draft releases with a warning, so nothing unsigned is published silently.CI additionally publishes the NativeAOT binaries for both RIDs on every push and PR, unsigned, so AOT breakage surfaces before release time. The exe now carries VERSIONINFO metadata (
ProductNamerbmanager and friends) that SignPath uses to match the artifact to the project, anddocs/code-signing.mddoubles as the published signing policy and the SignPath Foundation application checklist.