Skip to content

Commit 6bd9f4a

Browse files
LSRCTclaude
andauthored
ci: temporarily disable Windows code signing in pre-release (Vibe Kanban) (#3305)
* ci: temporarily disable Windows code signing in pre-release Azure Trusted Signing is returning 403 Forbidden on the signing API with no configuration changes on our side. Commenting out the signing steps to unblock releases while we resolve the issue with Azure support. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * trigger CI --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 parent 13adc09 commit 6bd9f4a

2 files changed

Lines changed: 46 additions & 44 deletions

File tree

.github/workflows/pre-release.yml

Lines changed: 45 additions & 44 deletions
Original file line numberDiff line numberDiff line change
@@ -925,50 +925,51 @@ jobs:
925925
--target ${{ matrix.target }} \
926926
--version ${{ needs.bump-version.outputs.new_version }}
927927
928-
- name: Setup Jsign
929-
if: contains(matrix.target, 'windows')
930-
id: jsign
931-
uses: ./.github/actions/setup-jsign
932-
933-
- name: Install JRE for Jsign
934-
if: contains(matrix.target, 'windows')
935-
run: |
936-
sudo apt-get update
937-
sudo apt-get install -y default-jre-headless
938-
939-
- name: Azure CLI login
940-
if: contains(matrix.target, 'windows') && env.AZURE_ENDPOINT != ''
941-
uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2
942-
with:
943-
creds: '{"clientId":"${{ secrets.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","tenantId":"${{ secrets.AZURE_TENANT_ID }}"}'
944-
allow-no-subscriptions: true
945-
env:
946-
AZURE_ENDPOINT: ${{ secrets.AZURE_ENDPOINT }}
947-
948-
- name: Sign Windows artifacts with Azure Trusted Signing
949-
if: contains(matrix.target, 'windows') && env.AZURE_ENDPOINT != ''
950-
env:
951-
AZURE_ENDPOINT: ${{ secrets.AZURE_ENDPOINT }}
952-
AZURE_CODE_SIGNING_NAME: ${{ secrets.AZURE_CODE_SIGNING_NAME }}
953-
AZURE_CERT_PROFILE_NAME: ${{ secrets.AZURE_CERT_PROFILE_NAME }}
954-
run: |
955-
TOKEN=$(az account get-access-token --resource https://codesigning.azure.net --query accessToken -o tsv)
956-
957-
# Extract hostname from endpoint URL
958-
KEYSTORE=$(echo "$AZURE_ENDPOINT" | sed 's|https\?://||;s|/.*||')
959-
960-
# Sign all exe and msi files in the bundle directory
961-
find target/${{ matrix.target }}/release/bundle -type f \( -name "*.exe" -o -name "*.msi" \) | while read file; do
962-
echo "Signing: $file"
963-
java -jar "${{ steps.jsign.outputs.jar-path }}" \
964-
--storetype TRUSTEDSIGNING \
965-
--keystore "$KEYSTORE" \
966-
--storepass "$TOKEN" \
967-
--alias "${AZURE_CODE_SIGNING_NAME}/${AZURE_CERT_PROFILE_NAME}" \
968-
--tsaurl http://timestamp.acs.microsoft.com \
969-
--tsmode RFC3161 \
970-
"$file"
971-
done
928+
# TODO: Re-enable Windows code signing once Azure Trusted Signing 403 is resolved
929+
# - name: Setup Jsign
930+
# if: contains(matrix.target, 'windows')
931+
# id: jsign
932+
# uses: ./.github/actions/setup-jsign
933+
#
934+
# - name: Install JRE for Jsign
935+
# if: contains(matrix.target, 'windows')
936+
# run: |
937+
# sudo apt-get update
938+
# sudo apt-get install -y default-jre-headless
939+
#
940+
# - name: Azure CLI login
941+
# if: contains(matrix.target, 'windows') && env.AZURE_ENDPOINT != ''
942+
# uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2
943+
# with:
944+
# creds: '{"clientId":"${{ secrets.AZURE_CLIENT_ID }}","clientSecret":"${{ secrets.AZURE_CLIENT_SECRET }}","tenantId":"${{ secrets.AZURE_TENANT_ID }}"}'
945+
# allow-no-subscriptions: true
946+
# env:
947+
# AZURE_ENDPOINT: ${{ secrets.AZURE_ENDPOINT }}
948+
#
949+
# - name: Sign Windows artifacts with Azure Trusted Signing
950+
# if: contains(matrix.target, 'windows') && env.AZURE_ENDPOINT != ''
951+
# env:
952+
# AZURE_ENDPOINT: ${{ secrets.AZURE_ENDPOINT }}
953+
# AZURE_CODE_SIGNING_NAME: ${{ secrets.AZURE_CODE_SIGNING_NAME }}
954+
# AZURE_CERT_PROFILE_NAME: ${{ secrets.AZURE_CERT_PROFILE_NAME }}
955+
# run: |
956+
# TOKEN=$(az account get-access-token --resource https://codesigning.azure.net --query accessToken -o tsv)
957+
#
958+
# # Extract hostname from endpoint URL
959+
# KEYSTORE=$(echo "$AZURE_ENDPOINT" | sed 's|https\?://||;s|/.*||')
960+
#
961+
# # Sign all exe and msi files in the bundle directory
962+
# find target/${{ matrix.target }}/release/bundle -type f \( -name "*.exe" -o -name "*.msi" \) | while read file; do
963+
# echo "Signing: $file"
964+
# java -jar "${{ steps.jsign.outputs.jar-path }}" \
965+
# --storetype TRUSTEDSIGNING \
966+
# --keystore "$KEYSTORE" \
967+
# --storepass "$TOKEN" \
968+
# --alias "${AZURE_CODE_SIGNING_NAME}/${AZURE_CERT_PROFILE_NAME}" \
969+
# --tsaurl http://timestamp.acs.microsoft.com \
970+
# --tsmode RFC3161 \
971+
# "$file"
972+
# done
972973

973974
- name: Collect updater artifacts and installers
974975
run: |

AGENTS.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -55,3 +55,4 @@ Do not manually edit shared/remote-types.ts, instead edit crates/remote/src/bin/
5555
- Use `.env` for local overrides; never commit secrets. Key envs: `FRONTEND_PORT`, `BACKEND_PORT`, `HOST`
5656
- Dev ports and assets are managed by `scripts/setup-dev-environment.js`.
5757

58+

0 commit comments

Comments
 (0)