23 changes: 11 additions & 12 deletions .github/workflows/release.yml
Expand Up @@ -70,7 +70,7 @@ jobs:
# The build step never fails the job (it only sets an output on success),
# so a VSIX build failure can never block the cross-platform app release.
- name: Add MSBuild to PATH
uses: microsoft/setup-msbuild@v2
uses: microsoft/setup-msbuild@v3
continue-on-error: true

- name: Build SSMS extension
Expand Down Expand Up @@ -127,28 +127,28 @@ jobs:
curl -sS -f "https://ssmsgallery.azurewebsites.net/api/upload" \
-F "file=@releases/PlanViewer.Ssms.vsix"

# ── SignPath code signing (Windows only, skipped if secret not configured) ──
- name: Check if signing is configured
id: signing
# ── SignPath code signing (Windows). Signing is REQUIRED for a release:
# if the SignPath token is missing the job fails loudly rather than
# silently shipping unsigned binaries. ──
- name: Verify signing is configured
shell: bash
env:
SIGNPATH_API_TOKEN: ${{ secrets.SIGNPATH_API_TOKEN }}
run: |
if [ -n "${{ secrets.SIGNPATH_API_TOKEN }}" ]; then
echo "ENABLED=true" >> $GITHUB_OUTPUT
else
echo "ENABLED=false" >> $GITHUB_OUTPUT
echo "::warning::SIGNPATH_API_TOKEN not configured — releasing unsigned binaries"
if [ -z "$SIGNPATH_API_TOKEN" ]; then
echo "::error::SIGNPATH_API_TOKEN missing — signing is required for a release; aborting."
exit 1
fi
echo "SignPath token present — Windows binaries will be signed."

- name: Upload Windows build for signing
if: steps.signing.outputs.ENABLED == 'true'
id: upload-unsigned
uses: actions/upload-artifact@v6
with:
name: App-unsigned
path: publish/win-x64/

- name: Sign Windows build
if: steps.signing.outputs.ENABLED == 'true'
uses: signpath/github-action-submit-signing-request@v2
with:
api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
Expand All @@ -161,7 +161,6 @@ jobs:
output-artifact-directory: 'signed/win-x64'

- name: Replace unsigned Windows build with signed
if: steps.signing.outputs.ENABLED == 'true'
shell: pwsh
run: |
Remove-Item -Recurse -Force publish/win-x64
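Review bot: The new `Verify signing is configured` step sits after the `curl … /api/upload` step shown as context just above it, so a missing SIGNPATH_API_TOKEN aborts the job only after the VSIX may already have been pushed to the gallery; running the check as the first step of the job (or in a small preflight job the build `needs:`) would make the release fail before anything is published. The gate also proves only that the secret is non-empty, not that the files copied back from `signed/win-x64` carry a valid signature; a `Get-AuthenticodeSignature` check in the `Replace unsigned Windows build with signed` step, failing unless `Status` is `Valid`, would close that gap. The actions on this path are referenced by mutable tag (`microsoft/setup-msbuild@v3`, `signpath/github-action-submit-signing-request@v2`), and pinning them to a full commit SHA is worth considering for a job that holds the signing token. The rest of the job lies outside the visible hunks, so the step order and any `if:` on the upload step should be confirmed against the full file.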