ci(test-build): pack an unsigned .intunewin + add correlation run-name #133
Open
raysubham wants to merge 3 commits into
test-build.yml built MSIs only. The integration-test Intune MSI E2E needs a per-commit .intunewin to validate the real Win32 delivery path BEFORE a release is tagged, and only release.yml could produce one (IntuneWinAppUtil runs on a Windows runner). This adds, in the existing windows build-msi job, a pack step mirroring release.yml -- pinned + Authenticode-verified IntuneWinAppUtil, install.cmd as the setup entry point with uninstall.cmd and the MSI staged alongside -- and uploads the result as the windows-intunewin artifact. No Sigstore signing or release upload: this is an unsigned snapshot for pre-tag validation only; packaging and filename are otherwise byte-identical to a release. Also adds an optional correlation_id input echoed into run-name, so a dispatcher (the integration-test E2E) can bind to the exact run it triggered -- a workflow_dispatch run's head_sha is the ref HEAD, not commit_id, so the SHA alone cannot identify it. No change to existing artifacts (windows-msis/-exes/linux/darwin) or the PR-comment flow.
ashishkurmi approved these changes, Jun 8, 2026
7db61d5 to bbbe7cb
Why

test-build.yml builds MSIs only (artifacts windows-msis, windows-exes, linux, darwin). The integration-test Intune MSI E2E is gaining a commit mode so we can validate the real Win32 Intune delivery path against an arbitrary commit before tagging a release — but that needs a .intunewin, and today only release.yml produces one (IntuneWinAppUtil runs on a Windows runner; the ubuntu Go harness can't pack it).

What

In the existing build-msi (windows) job, after the MSIs are built:

- release.yml, then an Authenticode check (Microsoft Corporation, Status=Valid).
- .intunewin (x64 + arm64) — mirrors release.yml exactly: install.cmd as the -s setup entry point, with uninstall.cmd and the MSI staged in the source folder; renamed to stepsecurity-dev-machine-guard-<version>-<arch>.intunewin.
- windows-intunewin artifact.

No Sigstore signing, no release upload, no attestation — this is an unsigned snapshot for pre-tag validation only. Packaging and filename are otherwise byte-identical to a release, so the downstream Intune pipeline is unchanged.

Also adds an optional correlation_id input echoed into run-name, so a dispatcher (the E2E) can bind to the exact run it triggered — a workflow_dispatch run's head_sha is the ref HEAD, not commit_id, so the SHA alone can't identify it, and a newest-run heuristic could bind to a concurrent dispatch.

Safety / blast radius

- build job, or the PR-comment flow.
- correlation_id is optional — existing callers are unaffected, and an empty value just leaves a trailing space in run-name.
- release.yml.
- permissions: unchanged (contents: read on the job).

Companion / validation

- windows-intunewin and matches the run by the correlation_id marker). Merge this first so that PR's commit mode can run.
- .github/workflows/test-build.yml parses as valid YAML; the added steps are a faithful copy of the proven release.yml pack. Will confirm end-to-end by dispatching this workflow for a recent commit and checking the windows-intunewin artifact before the E2E uses it.
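The workflow shape the description above refers to, as an added illustration rather than the PR's actual diff or the project's test-build.yml: a correlation_id input echoed into run-name, a pinned download of IntuneWinAppUtil checked against a SHA-256 and an Authenticode signature, and a pack step that uses install.cmd as the -s entry point and uploads the result as windows-intunewin. The download URL, the pinned hash, the VERSION value, the packaging/ paths for install.cmd and uninstall.cmd, and the dist/ MSI path are assumptions; the IntuneWinAppUtil flags (-c, -s, -o, -q), Get-AuthenticodeSignature and Get-FileHash are real.

```yaml
# Added example, not the PR's diff. Placeholders: download URL, pinned hash,
# VERSION, and the packaging/ and dist/ paths.
name: test-build
# inputs.correlation_id is available in run-name for workflow_dispatch runs;
# an empty value just leaves a trailing space, matching the PR's note.
run-name: "test-build ${{ github.sha }} ${{ inputs.correlation_id }}"

on:
  workflow_dispatch:
    inputs:
      correlation_id:
        description: Opaque marker so a dispatcher can find the run it triggered
        required: false
        default: ""

permissions:
  contents: read

jobs:
  build-msi:
    runs-on: windows-latest
    env:
      VERSION: 0.0.0-snapshot   # assumed; the real job derives this from the build
    steps:
      # ... existing steps build dist/stepsecurity-dev-machine-guard-<version>-<arch>.msi ...

      - name: Fetch pinned IntuneWinAppUtil and verify its Authenticode signature
        shell: pwsh
        run: |
          $url = 'https://example.invalid/IntuneWinAppUtil.exe'   # placeholder URL
          $pin = '0000000000000000000000000000000000000000000000000000000000000000'  # placeholder SHA-256
          Invoke-WebRequest -Uri $url -OutFile IntuneWinAppUtil.exe
          # Hash pin guards against a swapped binary at the download location.
          $actual = (Get-FileHash -Algorithm SHA256 IntuneWinAppUtil.exe).Hash
          if ($actual -ne $pin) { throw "IntuneWinAppUtil hash mismatch: $actual" }
          # Authenticode check: signature chain valid and signed by Microsoft.
          $sig = Get-AuthenticodeSignature IntuneWinAppUtil.exe
          if ($sig.Status -ne 'Valid' -or
              $sig.SignerCertificate.Subject -notmatch 'CN=Microsoft Corporation') {
            throw "IntuneWinAppUtil signature check failed: $($sig.Status)"
          }

      - name: Pack unsigned .intunewin for each arch
        shell: pwsh
        run: |
          foreach ($arch in 'x64', 'arm64') {
            $src = "intune-src-$arch"
            $out = "out-$arch"
            New-Item -ItemType Directory -Force $src, $out | Out-Null
            # Stage the MSI next to the entry point; uninstall.cmd rides along
            # so the Intune uninstall command has something to run.
            Copy-Item "dist/stepsecurity-dev-machine-guard-$env:VERSION-$arch.msi" $src
            Copy-Item packaging/install.cmd, packaging/uninstall.cmd $src   # assumed paths
            # IntuneWinAppUtil names its output after the setup file (install.intunewin).
            .\IntuneWinAppUtil.exe -c $src -s install.cmd -o $out -q
            Move-Item "$out/install.intunewin" `
              "$out/stepsecurity-dev-machine-guard-$env:VERSION-$arch.intunewin"
          }

      - name: Upload windows-intunewin artifact
        uses: actions/upload-artifact@v4   # pin to a full commit SHA in a real workflow
        with:
          name: windows-intunewin
          path: out-*/*.intunewin
```

A dispatcher that passes a unique correlation_id can then list recent workflow_dispatch runs and pick the one whose run name contains that marker, instead of guessing by newest run or by head_sha; the artifact it downloads is unsigned, so it is suitable only for the pre-tag validation the PR describes, not for distribution.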