From a4c41be9e0f56c39f1de00b0dbbc9ba1cc1cea3a Mon Sep 17 00:00:00 2001 From: Vibe Kanban Date: Fri, 20 Feb 2026 07:15:30 +0000 Subject: [PATCH 01/11] Add Windows code signing to desktop build action Imports a PFX certificate into the Windows certificate store and sets WINDOWS_CERTIFICATE_THUMBPRINT so Tauri's signtool integration signs the installer. Secrets WINDOWS_CERTIFICATE and WINDOWS_CERTIFICATE_PASSWORD are passed through from build_desktop_common.yml. Co-Authored-By: Claude Sonnet 4.6 --- .github/actions/build_desktop/action.yml | 18 ++++++++++++++++++ .github/workflows/build_desktop_common.yml | 2 ++ 2 files changed, 20 insertions(+) diff --git a/.github/actions/build_desktop/action.yml b/.github/actions/build_desktop/action.yml index d6d276b..f4c7860 100644 --- a/.github/actions/build_desktop/action.yml +++ b/.github/actions/build_desktop/action.yml @@ -44,6 +44,12 @@ inputs: apple_team_id: required: false description: 'Apple team ID' + windows_certificate: + required: false + description: 'Windows code signing certificate (base64-encoded PFX)' + windows_certificate_password: + required: false + description: 'Windows code signing certificate password' tauri_signing_private_key: required: false description: 'Tauri updater signing private key' 
@@ -186,6 +192,18 @@ runs: echo "APPLE_TEAM_ID=${{ inputs.apple_team_id }}" >> $GITHUB_ENV fi + - name: Import Windows code signing certificate + if: inputs.sign_app == 'true' && runner.os == 'Windows' && inputs.windows_certificate != '' + shell: pwsh + run: | + $pfxBytes = [Convert]::FromBase64String("${{ inputs.windows_certificate }}") + $pfxPath = Join-Path $env:RUNNER_TEMP "signing_cert.pfx" + [IO.File]::WriteAllBytes($pfxPath, $pfxBytes) + $securePassword = ConvertTo-SecureString -String "${{ inputs.windows_certificate_password }}" -Force -AsPlainText + $cert = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\CurrentUser\My -Password $securePassword + Remove-Item $pfxPath -Force + echo "WINDOWS_CERTIFICATE_THUMBPRINT=$($cert.Thumbprint)" >> $env:GITHUB_ENV + - name: Set Tauri signing environment variables shell: bash run: | diff --git a/.github/workflows/build_desktop_common.yml b/.github/workflows/build_desktop_common.yml index b400566..20f9f8c 100644 --- a/.github/workflows/build_desktop_common.yml +++ b/.github/workflows/build_desktop_common.yml @@ -95,6 +95,8 @@ jobs: apple_id: ${{ secrets.APPLE_ID }} apple_password: ${{ secrets.APPLE_PASSWORD }} apple_team_id: ${{ secrets.APPLE_TEAM_ID }} + windows_certificate: ${{ secrets.WINDOWS_CERTIFICATE }} + windows_certificate_password: ${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }} github_token: ${{ secrets.GITHUB_TOKEN }} enable_debug: ${{ inputs.enable_debug }} enable_custom_site_url: ${{ inputs.enable_custom_site_url }} From d81566cd4a51bcbbf22f485459c93f45bc2702f1 Mon Sep 17 00:00:00 2001 
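Review bot: The `Import Windows code signing certificate` step expands `${{ inputs.windows_certificate }}` and `${{ inputs.windows_certificate_password }}` into the PowerShell source itself, so the PFX and its password are written into the generated script file on the runner, and any `"`, `$` or backtick in the password is parsed by PowerShell instead of being used literally. Pass both through the step's `env:` block and read them as environment variables, e.g. `$pfxBytes = [Convert]::FromBase64String($env:WINDOWS_CERTIFICATE)` and `ConvertTo-SecureString -String $env:WINDOWS_CERTIFICATE_PASSWORD -Force -AsPlainText`. The imported certificate is also left in `Cert:\CurrentUser\My` after the build; on a self-hosted runner it would outlive the job, so an `if: always()` cleanup step running `Remove-Item -Path "Cert:\CurrentUser\My\$env:WINDOWS_CERTIFICATE_THUMBPRINT"` would bound that. PATCH 02 replaces this step with Azure Trusted Signing, but the same expand-secret-into-script pattern returns in the `Set Windows signing environment variables` step of PATCH 05.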
From: Vibe Kanban Date: Fri, 20 Feb 2026 08:26:23 +0000 Subject: [PATCH 02/11] Switch Windows signing to Azure Trusted Signing Replaces the PFX certificate approach with Azure Trusted Signing via trusted-signing-cli. Installs the CLI on Windows, passes Azure credentials as env vars to the Tauri build step, and wires up 6 new secrets: AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID, AZURE_SIGNING_ENDPOINT, AZURE_SIGNING_ACCOUNT_NAME, AZURE_SIGNING_CERT_PROFILE_NAME. Co-Authored-By: Claude Sonnet 4.6 --- .github/actions/build_desktop/action.yml | 42 ++++++++++++++-------- .github/workflows/build_desktop_common.yml | 8 +++-- 2 files changed, 33 insertions(+), 17 deletions(-) diff --git a/.github/actions/build_desktop/action.yml b/.github/actions/build_desktop/action.yml index f4c7860..e7f0a63 100644 --- a/.github/actions/build_desktop/action.yml +++ b/.github/actions/build_desktop/action.yml @@ -44,12 +44,24 @@ inputs: apple_team_id: required: false description: 'Apple team ID' - windows_certificate: + azure_client_id: required: false - description: 'Windows code signing certificate (base64-encoded PFX)' - windows_certificate_password: + description: 'Azure app registration client ID for Windows code signing' + azure_client_secret: required: false - description: 'Windows code signing certificate password' + description: 'Azure app registration client secret for Windows code signing' + azure_tenant_id: + required: false + description: 'Azure tenant ID for Windows code signing' + azure_signing_endpoint: + required: false + description: 'Azure Trusted Signing endpoint URL (e.g. https://eus.codesigning.azure.net)' + azure_signing_account_name: + required: false + description: 'Azure Trusted Signing account name' + azure_signing_cert_profile_name: + required: false + description: 'Azure Trusted Signing certificate profile name' tauri_signing_private_key: required: false description: 'Tauri updater signing private key' 
@@ -192,17 +204,10 @@ runs: echo "APPLE_TEAM_ID=${{ inputs.apple_team_id }}" >> $GITHUB_ENV fi - - name: Import Windows code signing certificate - if: inputs.sign_app == 'true' && runner.os == 'Windows' && inputs.windows_certificate != '' - shell: pwsh - run: | - $pfxBytes = [Convert]::FromBase64String("${{ inputs.windows_certificate }}") - $pfxPath = Join-Path $env:RUNNER_TEMP "signing_cert.pfx" - [IO.File]::WriteAllBytes($pfxPath, $pfxBytes) - $securePassword = ConvertTo-SecureString -String "${{ inputs.windows_certificate_password }}" -Force -AsPlainText - $cert = Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\CurrentUser\My -Password $securePassword - Remove-Item $pfxPath -Force - echo "WINDOWS_CERTIFICATE_THUMBPRINT=$($cert.Thumbprint)" >> $env:GITHUB_ENV + - name: Install trusted-signing-cli (Windows) + if: inputs.sign_app == 'true' && runner.os == 'Windows' && inputs.azure_client_id != '' + shell: bash + run: cargo install trusted-signing-cli - name: Set Tauri signing environment variables shell: bash @@ -222,6 +227,13 @@ runs: run: npm run tauri build -- ${{ inputs.tauri_args }} ${{ ((inputs.enable_debug == 'true') && '--debug') || '' }} working-directory: ./apps/desktop_tauri shell: bash + env: + AZURE_CLIENT_ID: ${{ inputs.azure_client_id }} + AZURE_CLIENT_SECRET: ${{ inputs.azure_client_secret }} + AZURE_TENANT_ID: ${{ inputs.azure_tenant_id }} + AZURE_SIGNING_ENDPOINT: ${{ inputs.azure_signing_endpoint }} + AZURE_SIGNING_ACCOUNT_NAME: ${{ inputs.azure_signing_account_name }} + AZURE_SIGNING_CERT_PROFILE_NAME: ${{ inputs.azure_signing_cert_profile_name }} # - uses: tauri-apps/tauri-action@v0 # env: diff --git a/.github/workflows/build_desktop_common.yml b/.github/workflows/build_desktop_common.yml index 20f9f8c..d07a841 100644 --- a/.github/workflows/build_desktop_common.yml +++ b/.github/workflows/build_desktop_common.yml 
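Review bot: `cargo install trusted-signing-cli` in the `Install trusted-signing-cli (Windows)` step pulls whatever the newest crate version is at run time, with no version pin and no `--locked`, into the job that holds the Azure signing credentials; a new or compromised crate release would run with those credentials and emit signed installers. Pin it, `run: cargo install --locked trusted-signing-cli@<PINNED_VERSION>` (placeholder for the version verified locally), and consider caching the built binary so each run does not rebuild it. Passing the Azure values through the tauri build step's `env:` block in the second hunk on this line is the right scope for them; PATCH 05 later moves them into `$GITHUB_ENV`, see the note there.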
@@ -95,8 +95,12 @@ jobs: apple_id: ${{ secrets.APPLE_ID }} apple_password: ${{ secrets.APPLE_PASSWORD }} apple_team_id: ${{ secrets.APPLE_TEAM_ID }} - windows_certificate: ${{ secrets.WINDOWS_CERTIFICATE }} - windows_certificate_password: ${{ secrets.WINDOWS_CERTIFICATE_PASSWORD }} + azure_client_id: ${{ secrets.AZURE_CLIENT_ID }} + azure_client_secret: ${{ secrets.AZURE_CLIENT_SECRET }} + azure_tenant_id: ${{ secrets.AZURE_TENANT_ID }} + azure_signing_endpoint: ${{ secrets.AZURE_SIGNING_ENDPOINT }} + azure_signing_account_name: ${{ secrets.AZURE_SIGNING_ACCOUNT_NAME }} + azure_signing_cert_profile_name: ${{ secrets.AZURE_SIGNING_CERT_PROFILE_NAME }} github_token: ${{ secrets.GITHUB_TOKEN }} enable_debug: ${{ inputs.enable_debug }} enable_custom_site_url: ${{ inputs.enable_custom_site_url }} From a7b41224e8cd7d86a9046bc90c9339ef7d6fb2ee Mon Sep 17 00:00:00 2001 From: Vibe Kanban Date: Fri, 20 Feb 2026 08:28:06 +0000 Subject: [PATCH 03/11] Simplify Windows signing: remove redundant Azure endpoint/account/profile inputs The signCommand in tauri.base.conf.json already has the endpoint, account, and profile hardcoded. Only AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and AZURE_TENANT_ID need to be passed via CI secrets. Co-Authored-By: Claude Sonnet 4.6 --- .github/actions/build_desktop/action.yml | 12 ------------ .github/workflows/build_desktop_common.yml | 3 --- 2 files changed, 15 deletions(-) diff --git a/.github/actions/build_desktop/action.yml b/.github/actions/build_desktop/action.yml index e7f0a63..ef5f38c 100644 --- a/.github/actions/build_desktop/action.yml +++ b/.github/actions/build_desktop/action.yml 
@@ -53,15 +53,6 @@ inputs: azure_tenant_id: required: false description: 'Azure tenant ID for Windows code signing' - azure_signing_endpoint: - required: false - description: 'Azure Trusted Signing endpoint URL (e.g. https://eus.codesigning.azure.net)' - azure_signing_account_name: - required: false - description: 'Azure Trusted Signing account name' - azure_signing_cert_profile_name: - required: false - description: 'Azure Trusted Signing certificate profile name' tauri_signing_private_key: required: false description: 'Tauri updater signing private key' @@ -231,9 +222,6 @@ runs: AZURE_CLIENT_ID: ${{ inputs.azure_client_id }} AZURE_CLIENT_SECRET: ${{ inputs.azure_client_secret }} AZURE_TENANT_ID: ${{ inputs.azure_tenant_id }} - AZURE_SIGNING_ENDPOINT: ${{ inputs.azure_signing_endpoint }} - AZURE_SIGNING_ACCOUNT_NAME: ${{ inputs.azure_signing_account_name }} - AZURE_SIGNING_CERT_PROFILE_NAME: ${{ inputs.azure_signing_cert_profile_name }} # - uses: tauri-apps/tauri-action@v0 # env: diff --git a/.github/workflows/build_desktop_common.yml b/.github/workflows/build_desktop_common.yml index d07a841..840115b 100644 --- a/.github/workflows/build_desktop_common.yml +++ b/.github/workflows/build_desktop_common.yml @@ -98,9 +98,6 @@ jobs: azure_client_id: ${{ secrets.AZURE_CLIENT_ID }} azure_client_secret: ${{ secrets.AZURE_CLIENT_SECRET }} azure_tenant_id: ${{ secrets.AZURE_TENANT_ID }} - azure_signing_endpoint: ${{ secrets.AZURE_SIGNING_ENDPOINT }} - azure_signing_account_name: ${{ secrets.AZURE_SIGNING_ACCOUNT_NAME }} - azure_signing_cert_profile_name: ${{ secrets.AZURE_SIGNING_CERT_PROFILE_NAME }} github_token: ${{ secrets.GITHUB_TOKEN }} enable_debug: ${{ inputs.enable_debug }} enable_custom_site_url: ${{ inputs.enable_custom_site_url }} From f134112044161be0fb7946b64613df5f7e65ca7b Mon Sep 17 00:00:00 2001 
From: Vibe Kanban Date: Fri, 20 Feb 2026 08:28:59 +0000 Subject: [PATCH 04/11] Inject Azure signing endpoint/account/profile via secrets Replaces hardcoded values in tauri.base.conf.json with %ENV_VAR% placeholders, passed through CI as AZURE_SIGNING_ENDPOINT, AZURE_SIGNING_ACCOUNT_NAME, and AZURE_SIGNING_CERT_PROFILE_NAME secrets. Co-Authored-By: Claude Sonnet 4.6 --- .github/actions/build_desktop/action.yml | 12 ++++++++++++ .github/workflows/build_desktop_common.yml | 3 +++ 2 files changed, 15 insertions(+) diff --git a/.github/actions/build_desktop/action.yml b/.github/actions/build_desktop/action.yml index ef5f38c..e7f0a63 100644 --- a/.github/actions/build_desktop/action.yml +++ b/.github/actions/build_desktop/action.yml @@ -53,6 +53,15 @@ inputs: azure_tenant_id: required: false description: 'Azure tenant ID for Windows code signing' + azure_signing_endpoint: + required: false + description: 'Azure Trusted Signing endpoint URL (e.g. https://eus.codesigning.azure.net)' + azure_signing_account_name: + required: false + description: 'Azure Trusted Signing account name' + azure_signing_cert_profile_name: + required: false + description: 'Azure Trusted Signing certificate profile name' tauri_signing_private_key: required: false description: 'Tauri updater signing private key' @@ -222,6 +231,9 @@ runs: AZURE_CLIENT_ID: ${{ inputs.azure_client_id }} AZURE_CLIENT_SECRET: ${{ inputs.azure_client_secret }} AZURE_TENANT_ID: ${{ inputs.azure_tenant_id }} + AZURE_SIGNING_ENDPOINT: ${{ inputs.azure_signing_endpoint }} + AZURE_SIGNING_ACCOUNT_NAME: ${{ inputs.azure_signing_account_name }} + AZURE_SIGNING_CERT_PROFILE_NAME: ${{ inputs.azure_signing_cert_profile_name }} # - uses: tauri-apps/tauri-action@v0 # env: diff --git a/.github/workflows/build_desktop_common.yml b/.github/workflows/build_desktop_common.yml index 840115b..d07a841 100644 --- a/.github/workflows/build_desktop_common.yml +++ b/.github/workflows/build_desktop_common.yml 
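Review bot: The `%ENV_VAR%` placeholders that the commit message says now live in tauri.base.conf.json are not in this patch; the diffstat lists only the two workflow files, so as shown the three re-added inputs (`azure_signing_endpoint`, `azure_signing_account_name`, `azure_signing_cert_profile_name`) and the matching `env:` entries on the build step have no consumer. Either include the tauri.base.conf.json change in this series or state in the description where it lands; PATCH 09's description has the same gap when it reverts to hardcoded values. Since this hunk re-adds exactly what the previous commit (PATCH 03) removed, squashing the two would also keep the history readable.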
@@ -98,6 +98,9 @@ jobs: azure_client_id: ${{ secrets.AZURE_CLIENT_ID }} azure_client_secret: ${{ secrets.AZURE_CLIENT_SECRET }} azure_tenant_id: ${{ secrets.AZURE_TENANT_ID }} + azure_signing_endpoint: ${{ secrets.AZURE_SIGNING_ENDPOINT }} + azure_signing_account_name: ${{ secrets.AZURE_SIGNING_ACCOUNT_NAME }} + azure_signing_cert_profile_name: ${{ secrets.AZURE_SIGNING_CERT_PROFILE_NAME }} github_token: ${{ secrets.GITHUB_TOKEN }} enable_debug: ${{ inputs.enable_debug }} enable_custom_site_url: ${{ inputs.enable_custom_site_url }} From 1619bb27b80effa41ea0f47e2779b76baba396ae Mon Sep 17 00:00:00 2001 From: Vibe Kanban Date: Fri, 20 Feb 2026 08:38:06 +0000 Subject: [PATCH 05/11] Mirror macOS signing pattern for Windows Azure signing vars Sets Azure signing env vars via >> GITHUB_ENV in a dedicated step, consistent with how Apple signing vars are handled for macOS. Co-Authored-By: Claude Sonnet 4.6 --- .github/actions/build_desktop/action.yml | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/.github/actions/build_desktop/action.yml b/.github/actions/build_desktop/action.yml index e7f0a63..ff9c3cf 100644 --- a/.github/actions/build_desktop/action.yml +++ b/.github/actions/build_desktop/action.yml 
@@ -204,6 +204,17 @@ runs: echo "APPLE_TEAM_ID=${{ inputs.apple_team_id }}" >> $GITHUB_ENV fi + - name: Set Windows signing environment variables + shell: bash + if: inputs.sign_app == 'true' && runner.os == 'Windows' && inputs.azure_client_id != '' + run: | + echo "AZURE_CLIENT_ID=${{ inputs.azure_client_id }}" >> $GITHUB_ENV + echo "AZURE_CLIENT_SECRET=${{ inputs.azure_client_secret }}" >> $GITHUB_ENV + echo "AZURE_TENANT_ID=${{ inputs.azure_tenant_id }}" >> $GITHUB_ENV + echo "AZURE_SIGNING_ENDPOINT=${{ inputs.azure_signing_endpoint }}" >> $GITHUB_ENV + echo "AZURE_SIGNING_ACCOUNT_NAME=${{ inputs.azure_signing_account_name }}" >> $GITHUB_ENV + echo "AZURE_SIGNING_CERT_PROFILE_NAME=${{ inputs.azure_signing_cert_profile_name }}" >> $GITHUB_ENV + - name: Install trusted-signing-cli (Windows) if: inputs.sign_app == 'true' && runner.os == 'Windows' && inputs.azure_client_id != '' shell: bash @@ -227,13 +238,6 @@ runs: run: npm run tauri build -- ${{ inputs.tauri_args }} ${{ ((inputs.enable_debug == 'true') && '--debug') || '' }} working-directory: ./apps/desktop_tauri shell: bash - env: - AZURE_CLIENT_ID: ${{ inputs.azure_client_id }} - AZURE_CLIENT_SECRET: ${{ inputs.azure_client_secret }} - AZURE_TENANT_ID: ${{ inputs.azure_tenant_id }} - AZURE_SIGNING_ENDPOINT: ${{ inputs.azure_signing_endpoint }} - AZURE_SIGNING_ACCOUNT_NAME: ${{ inputs.azure_signing_account_name }} - AZURE_SIGNING_CERT_PROFILE_NAME: ${{ inputs.azure_signing_cert_profile_name }} # - uses: tauri-apps/tauri-action@v0 # env: From e0e9bf72ecdf06d05b55e2917330e2c76f096283 Mon Sep 17 00:00:00 2001 
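Review bot: Moving `AZURE_CLIENT_SECRET` (and the other Azure values) from the tauri build step's `env:` block into `$GITHUB_ENV` makes the client secret visible to every later step of the job, including any third-party action and the post-build steps, where the step-scoped `env:` removed in the second hunk on this line limited it to the build. The `echo "AZURE_CLIENT_SECRET=${{ inputs.azure_client_secret }}"` form also expands the secret into the bash script text before it runs, so a `"`, `$` or backtick in the secret is interpreted by the shell; the Apple step this mirrors has the same weakness, so consistency with it is not a reason to copy it. If a separate step is wanted, give it `env:` mappings for the inputs and write `echo "AZURE_CLIENT_SECRET=$AZURE_CLIENT_SECRET" >> "$GITHUB_ENV"`, or keep the step-level `env:` on the build step from PATCH 02. The `if:` here only checks `azure_client_id`; an unset `azure_client_secret` or `azure_tenant_id` still writes an empty value and fails later inside the build with a less direct error.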
From: Vibe Kanban Date: Fri, 20 Feb 2026 08:52:44 +0000 Subject: [PATCH 06/11] Switch Windows runner to windows-11-arm for trusted-signing-cli compatibility windows-latest removed the Windows SDK version that trusted-signing-cli falls back to for signtool.exe. windows-11-arm has it available out of the box and is also faster. Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/build_desktop_all.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build_desktop_all.yml b/.github/workflows/build_desktop_all.yml index 520a9fe..72aeb26 100644 --- a/.github/workflows/build_desktop_all.yml +++ b/.github/workflows/build_desktop_all.yml @@ -163,7 +163,7 @@ jobs: # args: '' # tauri_target: '' # # pkg_target: 'node20-linux-x64' - - platform: 'windows-latest' + - platform: 'windows-11-arm' args: '' tauri_target: '' # pkg_target: 'node20-windows-x64' From 39f7cecf47184ea939aaa66ee4edffb0ee15760c Mon Sep 17 00:00:00 2001 From: Vibe Kanban Date: Fri, 20 Feb 2026 09:01:20 +0000 Subject: [PATCH 07/11] Replace all windows-latest references with windows-11-arm / windows-* wildcard Updates tauri_e2e.yml runner and conditionals, and simplifies build_desktop_common.yml platform checks to use windows-* wildcard only, removing the now-redundant windows-latest check. Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/build_desktop_common.yml | 8 ++++---- .github/workflows/tauri_e2e.yml | 12 ++++++------ 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/build_desktop_common.yml b/.github/workflows/build_desktop_common.yml index d07a841..fbcc0bc 100644 --- a/.github/workflows/build_desktop_common.yml +++ b/.github/workflows/build_desktop_common.yml 
@@ -179,7 +179,7 @@ jobs: echo "Sanitized filename: $SANITIZED_FILENAME" echo "Final filename: $NEW_FILENAME" - elif [[ "${{ inputs.platform }}" == "windows-latest" || "${{ inputs.platform }}" == "windows-"* ]]; then + elif [[ "${{ inputs.platform }}" == "windows-"* ]]; then echo "Processing Windows platform..." # Find EXE file with priority order: setup files first, then any exe @@ -216,7 +216,7 @@ jobs: else echo "ERROR: Unsupported platform: ${{ inputs.platform }}" - echo "Supported platforms: macos-latest, windows-latest (and variants)" + echo "Supported platforms: macos-latest, windows-11-arm (and other windows-* variants)" exit 1 fi @@ -270,7 +270,7 @@ jobs: echo "Staged updater payload: staging/$UPDATER_PAYLOAD_FILENAME" echo "Staged updater signature: staging/$UPDATER_SIGNATURE_FILENAME" - elif [[ "${{ inputs.platform }}" == "windows-latest" || "${{ inputs.platform }}" == "windows-"* ]]; then + elif [[ "${{ inputs.platform }}" == "windows-"* ]]; then echo "Locating Windows updater signature for selected installer..." EXE_SIG_FILE="${EXE_FILE}.sig" @@ -413,7 +413,7 @@ jobs: # Determine platform name for Discord message if [[ "${{ inputs.platform }}" == "macos-latest" || "${{ inputs.platform }}" == "macos-"* ]]; then PLATFORM_NAME="macOS" - elif [[ "${{ inputs.platform }}" == "windows-latest" || "${{ inputs.platform }}" == "windows-"* ]]; then + elif [[ "${{ inputs.platform }}" == "windows-"* ]]; then PLATFORM_NAME="Windows" else PLATFORM_NAME="${{ inputs.platform }}" diff --git a/.github/workflows/tauri_e2e.yml b/.github/workflows/tauri_e2e.yml index eb30f31..a70b95a 100644 --- a/.github/workflows/tauri_e2e.yml +++ b/.github/workflows/tauri_e2e.yml @@ -13,8 +13,8 @@ jobs: strategy: fail-fast: false matrix: - os: [windows-latest] - # os: [ubuntu-latest, windows-latest] + os: [windows-11-arm] + # os: [ubuntu-latest, windows-11-arm] runs-on: ${{ matrix.os }} steps: 
@@ -42,7 +42,7 @@ jobs: - name: Build Tauri App uses: ./.github/composite-actions/.github/actions/build_desktop with: - platform: ${{ matrix.os == 'ubuntu-latest' && 'ubuntu-22.04' || 'windows-latest' }} + platform: ${{ matrix.os == 'ubuntu-latest' && 'ubuntu-22.04' || matrix.os }} tauri_args: '' tauri_target: '' sign_app: false @@ -84,7 +84,7 @@ jobs: # ---- Windows-only bits: EdgeDriver + (optional) WebView2 runtime ---- - name: Install matching EdgeDriver - if: matrix.os == 'windows-latest' + if: runner.os == 'Windows' shell: bash run: | cargo install --git https://github.com/chippers/msedgedriver-tool @@ -93,14 +93,14 @@ jobs: # Optional WebView2 # - name: Install WebView2 Runtime (silent) - # if: matrix.os == 'windows-latest' + # if: runner.os == 'Windows' # shell: bash # run: | # curl -L -o webview2.exe https://go.microsoft.com/fwlink/p/?LinkId=2124703 # ./webview2.exe /silent /install - name: Run E2E via start-server-and-test - if: matrix.os == 'windows-latest' + if: runner.os == 'Windows' shell: bash run: | npx --yes start-server-and-test@2 \ From d7930341a8f13f843d9a3311dfbc94da692ad433 Mon Sep 17 00:00:00 2001 From: Vibe Kanban Date: Fri, 20 Feb 2026 09:02:19 +0000 Subject: [PATCH 08/11] Update commented windows-latest to windows-11-arm Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/build_desktop_mac.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build_desktop_mac.yml b/.github/workflows/build_desktop_mac.yml index 2a57d4f..64f0994 100644 --- a/.github/workflows/build_desktop_mac.yml +++ b/.github/workflows/build_desktop_mac.yml @@ -69,7 +69,7 @@ jobs: # args: '' # tauri_target: '' # # pkg_target: 'node20-linux-x64' - # - platform: 'windows-latest' + # - platform: 'windows-11-arm' # args: '' # tauri_target: '' # # pkg_target: 'node20-windows-x64' From c4b2e1f1f6532c27cdf9f99c04550b2f1abd92a5 Mon Sep 17 00:00:00 2001 
From: Vibe Kanban Date: Fri, 20 Feb 2026 15:57:20 +0000 Subject: [PATCH 09/11] Hardcode Azure signing values, set SIGNTOOL_PATH, disable publish_latest_manifest - Hardcode endpoint/account/profile in tauri.base.conf.json instead of using %ENV_VAR% placeholders which may not expand in Tauri's signCommand - Remove azure_signing_endpoint/account_name/cert_profile_name inputs/secrets - Set SIGNTOOL_PATH to known Windows SDK path so trusted-signing-cli can locate signtool.exe on windows-latest runners - Switch runner back to windows-latest - Disable publish_latest_manifest job for now Co-Authored-By: Claude Sonnet 4.6 --- .github/actions/build_desktop/action.yml | 13 +------------ .github/workflows/build_desktop_all.yml | 4 ++-- .github/workflows/build_desktop_common.yml | 3 --- 3 files changed, 3 insertions(+), 17 deletions(-) diff --git a/.github/actions/build_desktop/action.yml b/.github/actions/build_desktop/action.yml index ff9c3cf..9a2e72b 100644 --- a/.github/actions/build_desktop/action.yml +++ b/.github/actions/build_desktop/action.yml @@ -53,15 +53,6 @@ inputs: azure_tenant_id: required: false description: 'Azure tenant ID for Windows code signing' - azure_signing_endpoint: - required: false - description: 'Azure Trusted Signing endpoint URL (e.g. https://eus.codesigning.azure.net)' - azure_signing_account_name: - required: false - description: 'Azure Trusted Signing account name' - azure_signing_cert_profile_name: - required: false - description: 'Azure Trusted Signing certificate profile name' tauri_signing_private_key: required: false description: 'Tauri updater signing private key' 
@@ -211,9 +202,7 @@ runs: echo "AZURE_CLIENT_ID=${{ inputs.azure_client_id }}" >> $GITHUB_ENV echo "AZURE_CLIENT_SECRET=${{ inputs.azure_client_secret }}" >> $GITHUB_ENV echo "AZURE_TENANT_ID=${{ inputs.azure_tenant_id }}" >> $GITHUB_ENV - echo "AZURE_SIGNING_ENDPOINT=${{ inputs.azure_signing_endpoint }}" >> $GITHUB_ENV - echo "AZURE_SIGNING_ACCOUNT_NAME=${{ inputs.azure_signing_account_name }}" >> $GITHUB_ENV - echo "AZURE_SIGNING_CERT_PROFILE_NAME=${{ inputs.azure_signing_cert_profile_name }}" >> $GITHUB_ENV + echo "SIGNTOOL_PATH=C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x64\signtool.exe" >> $GITHUB_ENV - name: Install trusted-signing-cli (Windows) if: inputs.sign_app == 'true' && runner.os == 'Windows' && inputs.azure_client_id != '' diff --git a/.github/workflows/build_desktop_all.yml b/.github/workflows/build_desktop_all.yml index 72aeb26..679bdf7 100644 --- a/.github/workflows/build_desktop_all.yml +++ b/.github/workflows/build_desktop_all.yml @@ -163,7 +163,7 @@ jobs: # args: '' # tauri_target: '' # # pkg_target: 'node20-linux-x64' - - platform: 'windows-11-arm' + - platform: 'windows-latest' args: '' tauri_target: '' # pkg_target: 'node20-windows-x64' @@ -186,7 +186,7 @@ jobs: enable_tauri_updates: ${{ (github.event_name == 'workflow_dispatch' && github.event.inputs.publish == 'true') || (github.event_name == 'repository_dispatch' && github.event.action == 'new-commit-on-main') }} publish_latest_manifest: - if: (github.event_name == 'repository_dispatch' && github.event.action == 'new-commit-on-main') || (github.event_name == 'workflow_dispatch' && github.event.inputs.publish == 'true') + if: false needs: [compute_publish_version, build_desktop_all] runs-on: ubuntu-latest steps: diff --git a/.github/workflows/build_desktop_common.yml b/.github/workflows/build_desktop_common.yml index fbcc0bc..824151d 100644 --- a/.github/workflows/build_desktop_common.yml +++ b/.github/workflows/build_desktop_common.yml 
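Review bot: `SIGNTOOL_PATH` is pinned to a single SDK build directory, `10.0.26100.0`, inside the `Set Windows signing environment variables` step, so the next runner-image update that drops or replaces that SDK breaks signing at the signtool call rather than here, and the commit message itself says windows-latest already removed an SDK version once. Add a guard so the failure is immediate and named, e.g. `test -f "/c/Program Files (x86)/Windows Kits/10/bin/10.0.26100.0/x64/signtool.exe" || { echo "signtool.exe not found at expected SDK path"; exit 1; }`, or resolve the newest `10.*` directory under `Windows Kits/10/bin` with a glob and convert it with `cygpath -w` (available in the runner's Git Bash) before writing it to `$GITHUB_ENV`. The step's `if:` and `shell:` lines are outside this hunk.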
@@ -98,9 +98,6 @@ jobs: azure_client_id: ${{ secrets.AZURE_CLIENT_ID }} azure_client_secret: ${{ secrets.AZURE_CLIENT_SECRET }} azure_tenant_id: ${{ secrets.AZURE_TENANT_ID }} - azure_signing_endpoint: ${{ secrets.AZURE_SIGNING_ENDPOINT }} - azure_signing_account_name: ${{ secrets.AZURE_SIGNING_ACCOUNT_NAME }} - azure_signing_cert_profile_name: ${{ secrets.AZURE_SIGNING_CERT_PROFILE_NAME }} github_token: ${{ secrets.GITHUB_TOKEN }} enable_debug: ${{ inputs.enable_debug }} enable_custom_site_url: ${{ inputs.enable_custom_site_url }} From a3eec1b99ac8378e9bfa694b4e4c207629b58d53 Mon Sep 17 00:00:00 2001 From: Vibe Kanban Date: Fri, 20 Feb 2026 15:58:03 +0000 Subject: [PATCH 10/11] Revert windows-11-arm back to windows-latest in non-build workflows Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/build_desktop_mac.yml | 2 +- .github/workflows/tauri_e2e.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build_desktop_mac.yml b/.github/workflows/build_desktop_mac.yml index 64f0994..2a57d4f 100644 --- a/.github/workflows/build_desktop_mac.yml +++ b/.github/workflows/build_desktop_mac.yml @@ -69,7 +69,7 @@ jobs: # args: '' # tauri_target: '' # # pkg_target: 'node20-linux-x64' - # - platform: 'windows-11-arm' + # - platform: 'windows-latest' # args: '' # tauri_target: '' # # pkg_target: 'node20-windows-x64' diff --git a/.github/workflows/tauri_e2e.yml b/.github/workflows/tauri_e2e.yml index a70b95a..e157d8d 100644 --- a/.github/workflows/tauri_e2e.yml +++ b/.github/workflows/tauri_e2e.yml @@ -13,8 +13,8 @@ jobs: strategy: fail-fast: false matrix: - os: [windows-11-arm] - # os: [ubuntu-latest, windows-11-arm] + os: [windows-latest] + # os: [ubuntu-latest, windows-latest] runs-on: ${{ matrix.os }} steps: From f215df2751f0166126deca22569e3662876a1bac Mon Sep 17 00:00:00 2001 
From: Vibe Kanban Date: Thu, 26 Feb 2026 18:58:39 +0000 Subject: [PATCH 11/11] sign_app runs full pipeline without uploading to R2 or updating latest.json - sign_app=true now passes publish_version so extract/stage/manifest steps run - Added publish_to_r2 input to gate S3 upload and Discord notification - publish_to_r2 is only true when publish=true or repository_dispatch - publish_latest_manifest job restored to its original condition (publish only) Co-Authored-By: Claude Sonnet 4.6 --- .github/workflows/build_desktop_all.yml | 5 +++-- .github/workflows/build_desktop_common.yml | 8 ++++++-- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build_desktop_all.yml b/.github/workflows/build_desktop_all.yml index 679bdf7..b03fb3e 100644 --- a/.github/workflows/build_desktop_all.yml +++ b/.github/workflows/build_desktop_all.yml 
@@ -179,14 +179,15 @@ jobs: target_branch: ${{ (github.event_name == 'workflow_dispatch' && github.event.inputs.ref != '' && github.event.inputs.ref) || (github.event_name == 'repository_dispatch' && github.event.client_payload.sha != '' && github.event.client_payload.sha) || 'main' }} profile: ${{ (github.event_name == 'workflow_dispatch' && (github.event.inputs.custom_profile || github.event.inputs.profile)) || (github.event_name == 'repository_dispatch' && github.event.client_payload.profile) || 'preview' }} site_url: ${{ (github.event_name == 'workflow_dispatch' && github.event.inputs.site_url) || (github.event_name == 'repository_dispatch' && github.event.client_payload.site_url) || 'https://staging.songdrive.app' }} - publish_version: ${{ ((github.event_name == 'workflow_dispatch' && github.event.inputs.publish == 'true') || (github.event_name == 'repository_dispatch' && github.event.action == 'new-commit-on-main')) && needs.compute_publish_version.outputs.publish_version || '' }} + publish_version: ${{ ((github.event_name == 'workflow_dispatch' && (github.event.inputs.publish == 'true' || github.event.inputs.sign_app == 'true')) || (github.event_name == 'repository_dispatch' && github.event.action == 'new-commit-on-main')) && needs.compute_publish_version.outputs.publish_version || '' }} # enable_debug: true enable_debug: ${{ (github.event_name == 'workflow_dispatch' && github.event.inputs.enable_debug == 'true') }} enable_custom_site_url: false enable_tauri_updates: ${{ (github.event_name == 'workflow_dispatch' && github.event.inputs.publish == 'true') || (github.event_name == 'repository_dispatch' && github.event.action == 'new-commit-on-main') }} + publish_to_r2: ${{ (github.event_name == 'workflow_dispatch' && github.event.inputs.publish == 'true') || (github.event_name == 'repository_dispatch' && github.event.action == 'new-commit-on-main') }} publish_latest_manifest: - if: false + if: (github.event_name == 'repository_dispatch' && github.event.action 
== 'new-commit-on-main') || (github.event_name == 'workflow_dispatch' && github.event.inputs.publish == 'true') needs: [compute_publish_version, build_desktop_all] runs-on: ubuntu-latest steps: diff --git a/.github/workflows/build_desktop_common.yml b/.github/workflows/build_desktop_common.yml index 824151d..aa5e5e6 100644 --- a/.github/workflows/build_desktop_common.yml +++ b/.github/workflows/build_desktop_common.yml @@ -46,6 +46,10 @@ on: required: false type: boolean default: false + publish_to_r2: + required: false + type: boolean + default: false jobs: build_tauri: @@ -295,7 +299,7 @@ jobs: echo "Installer extraction completed successfully!" - name: Upload installer to S3 compatible - if: inputs.publish_version != '' + if: inputs.publish_to_r2 uses: shallwefootball/s3-upload-action@master with: aws_key_id: ${{ secrets.R2_DESKTOP_APP_KEY_ID }} @@ -404,7 +408,7 @@ jobs: path: updater-platform-manifest - name: Send Discord message - if: inputs.publish_version != '' + if: inputs.publish_to_r2 shell: bash run: | # Determine platform name for Discord message
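Review bot: The `Upload installer to S3 compatible` and `Send Discord message` steps are now gated on `inputs.publish_to_r2` alone, dropping the `inputs.publish_version != ''` check, so the reusable workflow trusts every caller to keep the two inputs consistent, and a caller that sets `publish_to_r2: true` without a version would upload and announce an installer under an empty version. Gate on both, `if: inputs.publish_to_r2 && inputs.publish_version != ''`, in this hunk and in the `Send Discord message` hunk. In the build_desktop_all.yml hunk the new `publish_to_r2` expression duplicates the `enable_tauri_updates` expression and the restored `publish_latest_manifest` `if:` verbatim; computing it once as an output of `compute_publish_version` would keep the three from drifting. Separately, the upload step this gates uses `shallwefootball/s3-upload-action@master`, a mutable ref that receives the R2 credentials; pinning it to a commit SHA is outside this change but worth doing.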