|
25 | 25 | shell: pwsh |
26 | 26 | run: | |
27 | 27 | echo "SIGNED_OUT_DIR=$env:RUNNER_TEMP\signed-artifacts" >> $env:GITHUB_ENV |
| 28 | + echo "SIGNED_EXE_DIR=$env:RUNNER_TEMP\signed-exe" >> $env:GITHUB_ENV |
28 | 29 |
|
29 | 30 | - name: Check out repository |
30 | 31 | uses: actions/checkout@v4 |
@@ -225,11 +226,58 @@ jobs: |
225 | 226 | Write-Host "All signed DLLs restored to their original folders." |
226 | 227 |
|
227 | 228 |
|
228 | | - - name: Build Electron (no publish) |
| 229 | + - name: Build Electron unpacked (no publish) |
229 | 230 | env: |
230 | 231 | GH_TOKEN: ${{ secrets.GH_TOKEN }} |
231 | 232 | run: | |
232 | | - npx electron-builder --win --x64 --publish never |
| 233 | + npx electron-builder --win --x64 --dir --publish never |
| 234 | +
|
| 235 | + - name: Find Electron exe for signing |
| 236 | + id: stage-app-exe |
| 237 | + shell: pwsh |
| 238 | + run: | |
| 239 | + $exe = Get-ChildItem -Path "dist\win-unpacked" -Filter *.exe -File | Select-Object -First 1 |
| 240 | + if (-not $exe) { throw "No .exe found in dist\win-unpacked" } |
| 241 | + Write-Host "Found exe: $($exe.FullName)" |
| 242 | + "EXE_NAME=$($exe.Name)" >> $env:GITHUB_OUTPUT |
| 243 | +
|
| 244 | + - name: Upload unsigned Electron exe (for SignPath) |
| 245 | + id: upload-unsigned-exe |
| 246 | + uses: actions/upload-artifact@v4 |
| 247 | + with: |
| 248 | + name: unsigned-electron-exe |
| 249 | + path: dist/win-unpacked/${{ steps.stage-app-exe.outputs.EXE_NAME }} |
| 250 | + if-no-files-found: error |
| 251 | + compression-level: 0 |
| 252 | + |
| 253 | + - name: Submit Electron exe signing request to SignPath |
| 254 | + id: sign-app-exe |
| 255 | + uses: signpath/github-action-submit-signing-request@v1 |
| 256 | + with: |
| 257 | + api-token: '${{ secrets.SIGNPATH_API_TOKEN }}' |
| 258 | + organization-id: 'a11e9ec9-516b-42a1-97d7-8a62e7508a48' |
| 259 | + project-slug: 'wolfram-js-frontend' |
| 260 | + signing-policy-slug: 'release-signing' |
| 261 | + artifact-configuration-slug: 'exe' |
| 262 | + github-artifact-id: '${{ steps.upload-unsigned-exe.outputs.artifact-id }}' |
| 263 | + wait-for-completion: true |
| 264 | + output-artifact-directory: '${{ env.SIGNED_EXE_DIR }}' |
| 265 | + |
| 266 | + - name: Restore signed Electron exe |
| 267 | + shell: pwsh |
| 268 | + run: | |
| 269 | + $exeName = "${{ steps.stage-app-exe.outputs.EXE_NAME }}" |
| 270 | + $signed = Get-ChildItem -Path "$env:SIGNED_EXE_DIR" -Recurse -Filter $exeName -File | Select-Object -First 1 |
| 271 | + if (-not $signed) { throw "Signed exe '$exeName' not found under $env:SIGNED_EXE_DIR" } |
| 272 | + $dest = "dist\win-unpacked\$exeName" |
| 273 | + Copy-Item $signed.FullName -Destination $dest -Force |
| 274 | + Write-Host "Signed exe restored: $dest ($((Get-Item $dest).Length) bytes)" |
| 275 | +
|
| 276 | + - name: Build installer from pre-packaged signed app |
| 277 | + env: |
| 278 | + GH_TOKEN: ${{ secrets.GH_TOKEN }} |
| 279 | + run: | |
| 280 | + npx electron-builder --win --x64 --prepackaged dist/win-unpacked --publish never |
233 | 281 | |
234 | 282 | # ───────────────────────────── |
235 | 283 | # SignPath integration |
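Review bot: The "Restore signed Electron exe" step copies whatever file SignPath returned into `dist\win-unpacked` and logs only its size, so the `--prepackaged` installer build that follows would still run if that file carried no valid signature. Add a check after `Copy-Item`, for example `$sig = Get-AuthenticodeSignature $dest` followed by `if ($sig.Status -ne 'Valid') { throw "Signature status for $dest is $($sig.Status)" }`; this presumes the release-signing certificate chains to a root the runner trusts. In the same step, `${{ steps.stage-app-exe.outputs.EXE_NAME }}` is expanded into the script text inside a double-quoted string, so passing it through the step's `env:` and reading `$env:EXE_NAME` would keep a file name from being parsed as PowerShell. The step that receives `SIGNPATH_API_TOKEN` references `signpath/github-action-submit-signing-request@v1` by a mutable tag; pinning it to a full commit SHA fixes which code handles the token. The job header, its permissions and the workflow triggers are outside this hunk, so who can reach these steps cannot be judged from here.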
|