Add job for production signing

AlbrechtL · Dec 8, 2024 · d495211 · d495211
1 parent 53a82be
commit d495211
Showing 1 changed file with 35 additions and 3 deletions.
diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
@@ -88,14 +88,14 @@ jobs:
           path: to_publish\*.exe
           if-no-files-found: error
 
-      - name: Sign installer with SignPath
+      - name: Sign installer with self-signed certificate with SignPath
         id: signing_installer
         uses: signpath/github-action-submit-signing-request@v1
         with:
           api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
           organization-id: 'b7a507e8-ab76-445f-bfb5-05944bcbbee9'
           project-slug: 'welle.io'
-          signing-policy-slug: 'release-signing'
+          signing-policy-slug: 'test-signing'
           github-artifact-id: '${{steps.upload_artifact.outputs.artifact-id}}'
           wait-for-completion: true
           output-artifact-directory: 'publish'
@@ -104,7 +104,7 @@ jobs:
         id: upload_artifact_signed
         uses: actions/upload-artifact@v4
         with:
-          name: welle.io Windows installer signed
+          name: welle.io Windows installer self-signed
           path: publish\*.exe
           if-no-files-found: error
 
@@ -116,3 +116,35 @@ jobs:
           username: ${{ secrets.SFTP_USER }}
           password: ${{ secrets.SFTP_PASSWORD }}
           local_dir: publish/
+
+
+  production_signing:
+    name: Sign installer with production key
+    needs: qtbuild
+    runs-on: windows-latest
+
+    # Production signing needs a manual step in SignPath within 5 minutes.
+    # During development we don't need each build signed with a production key.
+    # So we can accept to fail here
+    continue-on-error: true 
+
+    steps:
+      - name: Production sign installer with SignPath
+        id: signing_installer
+        uses: signpath/github-action-submit-signing-request@v1
+        with:
+          api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
+          organization-id: 'b7a507e8-ab76-445f-bfb5-05944bcbbee9'
+          project-slug: 'welle.io'
+          signing-policy-slug: 'release-signing'
+          github-artifact-id: '${{qtbuild.steps.upload_artifact.outputs.artifact-id}}'
+          wait-for-completion: true
+          output-artifact-directory: 'publish_production'
+
+      - name: Archive artifacts (welle.io Windows installer signed)
+        id: upload_artifact_signed
+        uses: actions/upload-artifact@v4
+        with:
+          name: welle.io Windows installer production-signed
+          path: publish_production\*.exe
+          if-no-files-found: error