Code sign Windows build with Azure Trusted Signing

phw · Dec 7, 2024 · 597384a · 597384a
1 parent c04025a
commit 597384a
Showing 1 changed file with 15 additions and 0 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -40,6 +40,8 @@ jobs:
   windows-portable:
     name: Build Windows portable
     runs-on: windows-latest
+    env:
+      CODESIGN: ${{ !!secrets.AZURE_CERT_PROFILE_NAME }}
     steps:
       - uses: actions/checkout@v4
       - name: Set up Python
@@ -92,6 +94,19 @@ jobs:
           mv dist\MusicBrainz-Picard-*.exe dist\MusicBrainz-Picard-daily.exe
         env:
           PICARD_BUILD_PORTABLE: 1
+      - name: Code signing
+        uses: azure/[email protected]
+        if: env.CODESIGN == 'true'
+        with:
+          azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          azure-client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
+          endpoint: ${{ secrets.AZURE_ENDPOINT }}
+          trusted-signing-account-name: ${{ secrets.AZURE_CODE_SIGNING_NAME }}
+          certificate-profile-name: ${{ secrets.AZURE_CERT_PROFILE_NAME }}
+          files: ${{ github.workspace }}\source\dist\MusicBrainz-Picard-daily.exe
+          timestamp-rfc3161: http://timestamp.acs.microsoft.com
+          timestamp-digest: SHA256
       - name: Archive artifacts
         uses: actions/upload-artifact@v4
         with: