-
Notifications
You must be signed in to change notification settings - Fork 8
60 lines (52 loc) · 1.78 KB
/
build-and-sign.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
# see /README.md
name: build-and-sign
run-name: Demo workflow signing with SignPath
on:
push:
pull_request:
#schedule:
# - cron: '30 3 * * *' # every day at 3:30am UTC
workflow_dispatch: # Allows you to run this workflow manually from the Actions tab
jobs:
build_and_sign:
runs-on: windows-latest
steps:
- name: checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: build
run: ./src/Build.ps1
- name: create SBOM
run: ./sbom/Create-SBOM.ps1
- name: upload-unsigned-artifact
id: upload-unsigned-artifact
uses: actions/upload-artifact@v4
with:
name: "demo-application"
if-no-files-found: error
path: |
.\_BuildResult-unsigned\DemoExample.msi
.\_BuildResult-unsigned\bom.xml
- name: sign
uses: signpath/[email protected]
env:
# select release-signing policy for main and release branches
SIGNPATH_SIGNING_POLICY_SLUG: |
${{ (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release/'))
&& 'release-signing'
|| 'test-signing' }}
with:
api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
organization-id: '${{ vars.SIGNPATH_ORGANIZATION_ID }}'
project-slug: 'Demo_Application'
signing-policy-slug: '${{ env.SIGNPATH_SIGNING_POLICY_SLUG }}'
github-artifact-id: "${{steps.upload-unsigned-artifact.outputs.artifact-id}}"
wait-for-completion: true
output-artifact-directory: 'demo-application-signed'
- name: upload-signed-artifact
uses: actions/upload-artifact@v4
with:
name: "demo-application-signed"
path: "demo-application-signed"
if-no-files-found: error