From 48d3d14af2ff2ae50ab976a263e46ab568464ca4 Mon Sep 17 00:00:00 2001
From: yhh <359807859@qq.com>
Date: Tue, 16 Dec 2025 13:09:39 +0800
Subject: [PATCH] =?UTF-8?q?feat(ci):=20=E6=94=B9=E8=BF=9B=20SignPath=20?= =?UTF-8?q?=E4=BB=A3=E7=A0=81=E7=AD=BE=E5=90=8D=E9=9B=86=E6=88=90?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- 添加 SignPath 配置检查步骤
- 使用 test-signing 策略进行测试
- 即使签名跳过也能继续版本更新 PR
---
 .github/workflows/release-editor.yml | 48 +++++++++++++++++++++++-----
 1 file changed, 40 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/release-editor.yml b/.github/workflows/release-editor.yml
index fc8fb5ae..aa0aeeb5 100644
--- a/.github/workflows/release-editor.yml
+++ b/.github/workflows/release-editor.yml
@@ -122,33 +122,62 @@ jobs:
 # SignPath 代码签名(Windows)
 # SignPath OSS code signing for Windows
- # 注意:需要先在 https://signpath.io 申请 OSS 证书
- # Note: Apply for OSS certificate at https://signpath.io first
- # 并配置 GitHub Secrets: SIGNPATH_API_TOKEN, SIGNPATH_ORGANIZATION_ID
- # Configure GitHub Secrets: SIGNPATH_API_TOKEN, SIGNPATH_ORGANIZATION_ID
+ #
+ # 配置步骤 | Setup Steps:
+ # 1. 在 SignPath 门户创建项目 | Create project in SignPath portal
+ # 2. 导入 .signpath/artifact-configuration.xml | Import artifact configuration
+ # 3. 使用 'test-signing' 策略测试 | Use 'test-signing' policy for testing
+ # 生产环境改为 'release-signing' | Change to 'release-signing' for production
+ # 4. 配置 GitHub Secrets | Configure GitHub Secrets:
+ # - SIGNPATH_API_TOKEN: API token from SignPath
+ # - SIGNPATH_ORGANIZATION_ID: Your organization ID
+ #
+ # 文档 | Documentation: https://about.signpath.io/documentation/trusted-build-systems/github
 sign-windows:
 needs: build-tauri
 runs-on: ubuntu-latest
- if: success() && secrets.SIGNPATH_API_TOKEN != ''
+ # 只有在构建成功时才运行 | Only run on successful build
+ if: success()
 steps:
+ - name: Check SignPath configuration
+ id: check-signpath
+ run: |
+ if [ -n "${{ secrets.SIGNPATH_API_TOKEN }}" ] && [ -n "${{ secrets.SIGNPATH_ORGANIZATION_ID }}" ]; then
+ echo "enabled=true" >> $GITHUB_OUTPUT
+ echo "SignPath is configured, proceeding with code signing"
+ else
+ echo "enabled=false" >> $GITHUB_OUTPUT
+ echo "SignPath secrets not configured, skipping code signing"
+ echo "To enable: add SIGNPATH_API_TOKEN and SIGNPATH_ORGANIZATION_ID secrets"
+ fi
+
 - name: Checkout
+ if: steps.check-signpath.outputs.enabled == 'true'
 uses: actions/checkout@v4
 - name: Download Windows artifact
+ if: steps.check-signpath.outputs.enabled == 'true'
 uses: actions/download-artifact@v4
 with:
 name: windows-unsigned
 path: ./artifacts
+ - name: List artifacts for signing
+ if: steps.check-signpath.outputs.enabled == 'true'
+ run: |
+ echo "Files to be signed:"
+ find ./artifacts -type f \( -name "*.exe" -o -name "*.msi" \) | head -20
+
 - name: Submit to SignPath for code signing
+ if: steps.check-signpath.outputs.enabled == 'true'
 id: signpath
 uses: signpath/github-action-submit-signing-request@v1
 with:
 api-token: ${{ secrets.SIGNPATH_API_TOKEN }}
 organization-id: ${{ secrets.SIGNPATH_ORGANIZATION_ID }}
 project-slug: 'ecs-framework'
- signing-policy-slug: 'release-signing'
+ signing-policy-slug: 'test-signing'
 artifact-configuration-slug: 'default'
 github-artifact-name: 'windows-unsigned'
 wait-for-completion: true
@@ -156,6 +185,7 @@ jobs:
 output-artifact-directory: './signed'
 - name: Upload signed artifacts to release
+ if: steps.check-signpath.outputs.enabled == 'true'
 uses: softprops/action-gh-release@v1
 with:
 files: ./signed/*
@@ -165,9 +195,11 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 # 构建成功后,创建 PR 更新版本号
+ # Create PR to update version after successful build
 update-version-pr:
- needs: sign-windows
- if: github.event_name == 'workflow_dispatch' && success()
+ needs: [build-tauri, sign-windows]
+ # 即使签名跳过也要运行 | Run even if signing is skipped
+ if: github.event_name == 'workflow_dispatch' && !failure()
 runs-on: ubuntu-latest
 steps:
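Review bot: The new "Check SignPath configuration" step expands `${{ secrets.SIGNPATH_API_TOKEN }}` and `${{ secrets.SIGNPATH_ORGANIZATION_ID }}` straight into the `run:` script text, so the secret values are spliced into the shell source before bash parses it; a value containing a double quote or other shell metacharacter would break or alter the script, and the rendered script is what shows up in step debug output rather than only the masked log lines. Passing both secrets through `env:` and testing the variables gives the same enabled/disabled outcome without the values ever being part of the script body. While touching those lines, `>> "$GITHUB_OUTPUT"` should be quoted as well. The sign-windows job's remaining steps continue past this hunk.
```yaml
- name: Check SignPath configuration
  id: check-signpath
  env:
    SIGNPATH_API_TOKEN: ${{ secrets.SIGNPATH_API_TOKEN }}
    SIGNPATH_ORGANIZATION_ID: ${{ secrets.SIGNPATH_ORGANIZATION_ID }}
  run: |
    if [ -n "$SIGNPATH_API_TOKEN" ] && [ -n "$SIGNPATH_ORGANIZATION_ID" ]; then
      echo "enabled=true" >> "$GITHUB_OUTPUT"
      echo "SignPath is configured, proceeding with code signing"
    else
      echo "enabled=false" >> "$GITHUB_OUTPUT"
      # … unchanged: skip messages …
    fi
```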
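Review bot: The upload step now attaches `./signed/*` to the GitHub release whenever the two secrets are present, but the submission step in the previous hunk was switched to `signing-policy-slug: 'test-signing'`, which the added setup comments describe as the testing policy with `'release-signing'` reserved for production; as committed, a release run publishes test-signed binaries on the release page where users will take them for the final signed build. The added `if: steps.check-signpath.outputs.enabled == 'true'` only checks that secrets exist, not which policy was used, so the upload should additionally be gated on the policy being `release-signing` (keeping the slug in one place so the two steps cannot drift), or test-signed output should go to a workflow artifact instead of the release. The Upload step's `with:`/`env:` entries continue past the end of this hunk.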