feat(ci): use Azure Artifact Signing for Windows releases #15201

Merged: Hona merged 14 commits into anomalyco:dev on Mar 28, 2026.

Conversation

Compare: 9d63de3 to 582f69e
Bring the Windows Trusted Signing release changes forward onto the latest dev branch, including the new Electron desktop pipeline and release workflow updates.
Include the ARM64 Windows CLI build in Trusted Signing outputs and route Windows Electron packaging through the signed artifact so beta and production desktop releases ship the expected signed sidecar.
Move the repeated Azure Trusted Signing setup and verification into a reusable repo action so the CLI signing job and Windows desktop packaging share the same signing configuration.
Copilot (Contributor) review

Pull request overview
This PR updates the Windows release pipeline to sign both the CLI and desktop artifacts using Azure Trusted Signing, and ensures the signed CLI binaries are reused during desktop packaging and publishing.
Changes:
- Add a reusable PowerShell script to sign Windows binaries via the Azure Trusted Signing signtool.
- Integrate a new `sign-cli-windows` job into the publish workflow and feed signed Windows CLI artifacts into Tauri/Electron packaging.
- Configure Tauri Windows bundling to invoke the signing script via `signCommand`, and update desktop prepare scripts to download a configurable CLI artifact.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| script/sign-windows.ps1 | New signing helper that signs one or more binaries using the Azure Trusted Signing CLI. |
| packages/desktop/src-tauri/tauri.prod.conf.json | Adds Tauri Windows signCommand to invoke the signing script in prod builds. |
| packages/desktop/src-tauri/tauri.conf.json | Adds Tauri Windows signCommand to invoke the signing script in dev config. |
| packages/desktop/src-tauri/tauri.beta.conf.json | Adds Tauri Windows signCommand to invoke the signing script in beta builds. |
| packages/desktop/scripts/prepare.ts | Makes the downloaded CLI artifact name configurable via OPENCODE_CLI_ARTIFACT. |
| packages/desktop-electron/scripts/prepare.ts | Makes the downloaded CLI artifact name configurable via OPENCODE_CLI_ARTIFACT. |
| .github/workflows/sign-cli.yml | Removes the legacy SignPath-only workflow. |
| .github/workflows/publish.yml | Adds Windows CLI signing job, wires signed artifacts into desktop packaging, and adds signature verification steps. |
Comments suppressed due to low confidence (1)
.github/workflows/publish.yml:170
- The repacked Windows CLI zip archives will likely have a different internal directory layout than the original zips produced by `packages/opencode/script/build.ts` (which runs `zip` from inside `dist/<target>/bin`, resulting in `opencode.exe` at the archive root). `Compress-Archive -Path "opencode-windows-...\bin\*"` will typically store paths like `opencode-windows-x64\bin\opencode.exe` inside the zip, which can break consumers expecting `opencode(.exe)` at the top level. Repack in a way that preserves the previous archive structure (e.g., run the archive command from within each `bin` directory or otherwise strip the parent path).
```yaml
      - sign-cli-windows
      - version
    continue-on-error: false
    strategy:
      fail-fast: false
      matrix:
        settings:
```
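The layout concern raised in the suppressed comment above is the kind of thing a release job should check rather than assume. The following PowerShell is an added example, not code from the opencode repository or from this PR: it repacks an already-signed CLI build from inside its `bin` directory so `opencode.exe` lands at the zip root, verifies each binary's Authenticode signature (and the signer subject) before packaging, and lists any archive entry that is not at the top level. The `dist\<target>\bin` layout, the file names, and the `Repack-SignedCli` / `Assert-Signed` / `Test-ArchiveLayout` function names are assumptions; the expected certificate subject is a placeholder.

```powershell
# Added example, not code from the opencode repo or this PR: repack signed
# Windows CLI binaries so opencode.exe sits at the zip root, then verify the
# Authenticode signature and the archive layout before the zip is published.
# Directory layout (dist\<target>\bin) and file names are assumptions.

function Repack-SignedCli {
    param(
        [Parameter(Mandatory)] [string] $BinDir,   # e.g. dist\opencode-windows-x64\bin (assumed)
        [Parameter(Mandatory)] [string] $ZipPath   # e.g. dist\opencode-windows-x64.zip (assumed)
    )
    if (-not (Test-Path -LiteralPath $BinDir -PathType Container)) {
        throw "bin directory not found: $BinDir"
    }
    # Resolve the destination against the current PowerShell location now,
    # because the location changes before Compress-Archive runs.
    $dest = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($ZipPath)
    if (Test-Path -LiteralPath $dest) { Remove-Item -LiteralPath $dest -Force }

    # Run Compress-Archive from inside the bin directory with bare file names,
    # so entries are stored as 'opencode.exe' rather than '<target>\bin\opencode.exe'.
    Push-Location -LiteralPath $BinDir
    try {
        $names = @(Get-ChildItem -File -Name)
        if ($names.Count -eq 0) { throw "no files to archive in $BinDir" }
        Compress-Archive -LiteralPath $names -DestinationPath $dest -CompressionLevel Optimal
    }
    finally {
        Pop-Location
    }
    return $dest
}

function Test-ArchiveLayout {
    # Returns the entry names that are NOT at the archive root (empty result = layout OK).
    param([Parameter(Mandatory)] [string] $ZipPath)
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    $zip = [System.IO.Compression.ZipFile]::OpenRead($ZipPath)
    try {
        return @($zip.Entries | ForEach-Object FullName | Where-Object { $_ -match '[\\/]' })
    }
    finally {
        $zip.Dispose()
    }
}

function Assert-Signed {
    # Fails the job if any binary is unsigned, carries an invalid signature, or was
    # signed by an unexpected subject. The subject fragment is a placeholder, not
    # the project's real certificate.
    param(
        [Parameter(Mandatory)] [string[]] $Files,
        [string] $ExpectedSubjectFragment = 'CN=PLACEHOLDER-PUBLISHER'
    )
    foreach ($f in $Files) {
        $sig = Get-AuthenticodeSignature -FilePath $f
        if ($sig.Status -ne 'Valid') {
            throw "$f is not validly signed: $($sig.Status) $($sig.StatusMessage)"
        }
        if ($sig.SignerCertificate.Subject -notlike "*$ExpectedSubjectFragment*") {
            throw "$f signed by unexpected subject: $($sig.SignerCertificate.Subject)"
        }
    }
}

# Usage (assumed paths): verify signatures first, then repack, then check the layout.
# $bin = 'dist\opencode-windows-x64\bin'
# Assert-Signed -Files (Get-ChildItem -LiteralPath $bin -Filter *.exe | ForEach-Object FullName) -ExpectedSubjectFragment 'CN=PLACEHOLDER-PUBLISHER'
# $zip = Repack-SignedCli -BinDir $bin -ZipPath 'dist\opencode-windows-x64.zip'
# $nested = Test-ArchiveLayout -ZipPath $zip
# if ($nested.Count -gt 0) { throw "nested entries in archive: $($nested -join ', ')" }
```

Running the signature check before repacking means an unsigned or wrongly signed sidecar fails the job before any artifact is produced, and the layout check catches a parent-path regression regardless of how the archive command was invoked.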
Drop the leftover SignPath policy now that Windows release signing is handled through Azure Trusted Signing, so the branch no longer carries an unused signing path.
Rename the reusable signing action to Azure Artifact Signing and make the Windows signing helper tolerate unmatched paths until the explicit no-files check runs.
Wire Azure Artifact Signing into the Electron packaging flow so the packaged app and installer executables are signed before publish metadata is generated, and fix the reusable signing action to handle file lists correctly.
Use the app token for cross-repo beta release uploads and update the Windows signing helper to use Azure Artifact Signing with stable single-file argument handling.
Move the custom Windows Electron signing hook under signtoolOptions so electron-builder accepts the config and still signs the packaged app and installer during release builds.
Stop checking the raw Cargo output after bundling and only verify the signed Windows sidecar and NSIS artifacts that Tauri actually ships.
Split the CLI workflow outputs so Windows signing only processes Windows binaries, stop non-Windows desktop jobs from waiting on the Windows signing job, and sign Windows desktop sidecars locally during packaging so release builds still ship signed binaries without the extra artifact handoff.
Keep local desktop dev and packaging flows from invoking Azure Artifact Signing while preserving the GitHub Actions signing path for Tauri and Electron release builds.
Replace the thin repo wrapper with Azure's maintained artifact-signing action for the CLI signing job, inline Windows Azure login in packaging jobs, and move the packaging hook script onto the TrustedSigning module path.
Use Node-compatible environment access in the desktop prepare and sidecar signing paths for the workflow changes added in this branch, while leaving unrelated Bun-specific runtime code untouched.
Copilot AI pushed a commit to ian-morgan99/opencode that referenced this pull request on Mar 28, 2026:
…15201) Co-authored-by: ian-morgan99 <[email protected]>

e-n-0 pushed a commit to e-n-0/opencode that referenced this pull request on Mar 29, 2026.

loocor pushed a commit to loocor/opencode that referenced this pull request on Mar 30, 2026.

afanty2021 pushed a commit to afanty2021/opencode that referenced this pull request on Mar 30, 2026.
Moves Windows release signing over to Azure Artifact Signing and removes the leftover SignPath bits. The CLI release job now uses the official Azure action, while Tauri and Electron sign the Windows artifacts they actually ship, including the bundled opencode-cli sidecar. It also narrows the Windows artifact flow so signing only touches Windows outputs, fixes the beta cross-repo upload path, and keeps signing on GitHub Actions only.