ci(editor): add SignPath OSS code signing for Windows builds

- Upload Windows artifacts (exe/msi) for SignPath signing
- Configure SignPath action with organization secrets
- Fix artifact name to 'windows-unsigned'
- Add bilingual comments for required secrets
yhh
2025-12-15 10:20:15 +08:00
parent 85e95ec18c
commit d834ca5e77


@@ -92,6 +92,7 @@ jobs:
node scripts/bundle-runtime.mjs node scripts/bundle-runtime.mjs
- name: Build Tauri app - name: Build Tauri app
id: tauri
uses: tauri-apps/tauri-action@v0.5 uses: tauri-apps/tauri-action@v0.5
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -102,31 +103,59 @@ jobs:
tagName: ${{ github.event_name == 'workflow_dispatch' && format('editor-v{0}', github.event.inputs.version) || github.ref_name }} tagName: ${{ github.event_name == 'workflow_dispatch' && format('editor-v{0}', github.event.inputs.version) || github.ref_name }}
releaseName: 'ECS Editor v${{ github.event.inputs.version || github.ref_name }}' releaseName: 'ECS Editor v${{ github.event.inputs.version || github.ref_name }}'
releaseBody: 'See the assets to download this version and install.' releaseBody: 'See the assets to download this version and install.'
releaseDraft: true # 改为草稿,等待 SignPath 签名 releaseDraft: true
prerelease: false prerelease: false
includeUpdaterJson: true includeUpdaterJson: true
updaterJsonKeepUniversal: false updaterJsonKeepUniversal: false
args: ${{ matrix.platform == 'macos-latest' && format('--target {0}', matrix.target) || '' }} args: ${{ matrix.platform == 'macos-latest' && format('--target {0}', matrix.target) || '' }}
# Windows 构建上传 artifact 供 SignPath 签名
- name: Upload Windows artifacts for signing
if: matrix.platform == 'windows-latest'
uses: actions/upload-artifact@v4
with:
name: windows-unsigned
path: |
packages/editor-app/src-tauri/target/release/bundle/nsis/*.exe
packages/editor-app/src-tauri/target/release/bundle/msi/*.msi
retention-days: 1
# SignPath 代码签名Windows # SignPath 代码签名Windows
# SignPath OSS code signing for Windows
# 注意:需要先在 https://signpath.io 申请 OSS 证书
# Note: Apply for OSS certificate at https://signpath.io first
# 并配置 GitHub Secrets: SIGNPATH_API_TOKEN, SIGNPATH_ORGANIZATION_ID
# Configure GitHub Secrets: SIGNPATH_API_TOKEN, SIGNPATH_ORGANIZATION_ID
sign-windows: sign-windows:
needs: build-tauri needs: build-tauri
runs-on: ubuntu-latest runs-on: ubuntu-latest
if: success() if: success() && secrets.SIGNPATH_API_TOKEN != ''
steps: steps:
- name: Checkout
uses: actions/checkout@v4
- name: Download Windows artifact
uses: actions/download-artifact@v4
with:
name: windows-unsigned
path: ./artifacts
- name: Submit to SignPath for code signing - name: Submit to SignPath for code signing
uses: signpath/github-action-submit-signing-request@v0.4 id: signpath
uses: signpath/github-action-submit-signing-request@v1
with: with:
api-token: ${{ secrets.SIGNPATH_API_TOKEN }} api-token: ${{ secrets.SIGNPATH_API_TOKEN }}
organization-id: 'esengine-editor' organization-id: ${{ secrets.SIGNPATH_ORGANIZATION_ID }}
project-slug: 'ecs-framework' project-slug: 'ecs-framework'
signing-policy-slug: 'release-signing' signing-policy-slug: 'release-signing'
github-artifact-id: '*.exe' artifact-configuration-slug: 'default'
github-artifact-name: 'windows-unsigned'
wait-for-completion: true wait-for-completion: true
wait-for-completion-timeout-in-seconds: 600
output-artifact-directory: './signed' output-artifact-directory: './signed'
- name: Publish signed release - name: Upload signed artifacts to release
uses: softprops/action-gh-release@v1 uses: softprops/action-gh-release@v1
with: with:
files: ./signed/* files: ./signed/*