44 release :
55 types : [ published ]
66 workflow_dispatch :
7-
87
98permissions :
109 contents : write
1110 id-token : write
1211 attestations : write
13-
12+
1413jobs :
1514 release :
1615 runs-on : windows-2022
@@ -20,18 +19,40 @@ jobs:
2019 uses : actions/setup-dotnet@v4
2120 with :
2221 dotnet-version : ' 8.0.x'
22+
2323 - name : Publish
2424 run : |
2525 dotnet publish app/GHelper.sln --configuration Release --runtime win-x64 -p:PublishSingleFile=true --no-self-contained
26- powershell Compress-Archive app/bin/x64/Release/net8.0-windows/win-x64/publish/GHelper.exe GHelper.zip
27- - name : Upload
26+
27+ - name : Upload unsigned EXE
28+ id : upload-unsigned
29+ uses : actions/upload-artifact@v4
30+ with :
31+ path : app/bin/x64/Release/net8.0-windows/win-x64/publish/GHelper.exe
32+
33+ - id : sign-exe
34+ 35+ with :
36+ api-token : ${{ secrets.SIGNPATH_API_TOKEN }}
37+ organization-id : ${{ secrets.SIGNPATH_ORG_ID }}
38+ project-slug : ${{ secrets.SIGNPATH_PROJECT }}
39+ signing-policy-slug : ${{ secrets.SIGNPATH_POLICY }}
40+ github-artifact-id : ${{ steps.upload-unsigned.outputs.artifact-id }}
41+ wait-for-completion : true
42+ output-artifact-directory : ' ./signed'
43+
44+ - name : Create ZIP from signed EXE
45+ run : powershell Compress-Archive ./signed/GHelper.exe ./signed/GHelper.zip
46+
47+ - name : Upload signed EXE and ZIP
2848 env :
2949 GH_TOKEN : ${{ github.token }}
3050 run : |
31- gh release upload ${{ github.ref_name }} app/bin/x64/Release/net8.0-windows/win-x64/publish/GHelper.exe GHelper.zip
51+ gh release upload ${{ github.ref_name }} ./signed/GHelper.exe ./signed/GHelper.zip
52+
3253 - name : Generate SLSA build provenance attestation
3354 uses : actions/attest-build-provenance@v2
3455 with :
3556 subject-path : |
36- app/bin/x64/Release/net8.0-windows/win-x64/publish /GHelper.exe
37- GHelper.zip
57+ ./signed /GHelper.exe
58+ ./signed/ GHelper.zip
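Review bot: The `Upload signed EXE and ZIP` step still expands `${{ github.ref_name }}` directly into the `run:` script, so the ref name becomes script text before the shell parses it; in a job that runs with `contents: write` and `id-token: write` it is safer to pass it as data. Add `REF_NAME: ${{ github.ref_name }}` under `env:` and call `gh release upload "$env:REF_NAME" ./signed/GHelper.exe ./signed/GHelper.zip` (this assumes the runner's default PowerShell shell, since no `shell:` is set in the visible lines). Separately, nothing between `sign-exe` and the upload checks that `./signed/GHelper.exe` carries a valid signature; a short step that fails unless `(Get-AuthenticodeSignature ./signed/GHelper.exe).Status` is `Valid` would keep an unsigned or altered file from being published and attested. The `uses:` line of the `sign-exe` step is not visible in this hunk, and the start of the job lies outside it.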