feat: add SignPath code signing for Windows builds (#531)

- Split workflow into mac/linux and windows jobs - Add dist:win:build script with --publish never - Integrate SignPath signing for Windows executables - Sign both NSIS installer and portable EXE files
2026-01-11 10:38:33 +08:00 · 2026-01-08 10:51:12 +09:00
parent 6ad4a9b303
commit c4b1ec8d28
2 changed files with 54 additions and 6 deletions
--- a/.github/workflows/electron-release.yml
+++ b/.github/workflows/electron-release.yml
@@ -11,7 +11,8 @@ on:
        required: false
 jobs:
-  build:
+  # Mac and Linux: Build and publish directly (no signing needed)
  build-mac-linux:
    permissions:
      contents: write
    strategy:
@@ -20,13 +21,9 @@ jobs:
        include:
          - os: macos-latest
            platform: mac
          - os: windows-latest
            platform: win
          - os: ubuntu-latest
            platform: linux
    runs-on: ${{ matrix.os }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
@@ -40,7 +37,57 @@ jobs:
      - name: Install dependencies
        run: npm install
-      - name: Build and publish Electron app
+      - name: Build and publish
        run: npm run dist:${{ matrix.platform }}
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  # Windows: Build, sign with SignPath, then publish
  build-windows:
    permissions:
      contents: write
    runs-on: windows-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version: 24
          cache: "npm"
      - name: Install dependencies
        run: npm install
      # Build WITHOUT publishing
      - name: Build Windows app
        run: npm run dist:win:build
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Upload unsigned artifacts for signing
        uses: actions/upload-artifact@v4
        id: upload-unsigned
        with:
          name: windows-unsigned
          path: release/*.exe
          retention-days: 1
      - name: Sign with SignPath
        uses: signpath/github-action-submit-signing-request@v2
        with:
          api-token: ${{ secrets.SIGNPATH_API_TOKEN }}
          organization-id: '880a211d-2cd3-4e7b-8d04-3d1f8eb39df5'
          project-slug: 'next-ai-draw-io'
          signing-policy-slug: 'test-signing'
          github-artifact-id: ${{ steps.upload-unsigned.outputs.artifact-id }}
          wait-for-completion: true
          output-artifact-directory: release-signed
      - name: Upload signed artifacts to release
        uses: softprops/action-gh-release@v2
        with:
          files: release-signed/*.exe
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/package.json
+++ b/package.json
@@ -24,6 +24,7 @@
        "dist": "npm run electron:build && npm run electron:prepare && npx electron-builder --config electron/electron-builder.yml",
        "dist:mac": "npm run electron:build && npm run electron:prepare && npx electron-builder --config electron/electron-builder.yml --mac",
        "dist:win": "npm run electron:build && npm run electron:prepare && npx electron-builder --config electron/electron-builder.yml --win",
        "dist:win:build": "npm run electron:build && npm run electron:prepare && npx electron-builder --config electron/electron-builder.yml --win --publish never",
        "dist:linux": "npm run electron:build && npm run electron:prepare && npx electron-builder --config electron/electron-builder.yml --linux",
        "dist:all": "npm run electron:build && npm run electron:prepare && npx electron-builder --config electron/electron-builder.yml --mac --win --linux",
        "test": "vitest",