ci: SignPath Windows installer signing #579

Merged: rainxchzed merged 3 commits into main from ci/signpath-windows-signing on May 12, 2026
Conversation

rainxchzed (Member) commented May 12, 2026

Wire SignPath Foundation signing into the Windows installer pipeline so users stop seeing "Unknown publisher" on .exe/.msi (issue #394).

Flow: build-windows → sign-windows (submit to SignPath, wait, fetch signed zip) → release uses signed artifact.

Currently policy=test-signing (release cert CSR pending). Swap to release-signing once SignPath issues prod cert.

Pre-merge checklist:

  • Repo secret SIGNPATH_API_TOKEN set
  • Artifact configuration slug confirmed in SignPath UI URL (assumed: initial-version)
  • Trusted Build System "GitHub.com" already configured on org

Closes #394

Summary by CodeRabbit

  • Chores
    • Release workflow now captures Windows build artifacts, submits them for digital signing, and uploads signed Windows installers before a draft release is assembled. The draft release staging now waits for signed Windows installers; macOS and Linux staging behavior remains unchanged.

coderabbitai Bot (Contributor) commented May 12, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 7f10da9 and bbed74c.

📒 Files selected for processing (1)
  • .github/workflows/build-desktop-platforms.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/build-desktop-platforms.yml

Walkthrough

Expose the Windows build artifact ID, add a sign-windows job that submits the Windows installer artifact to SignPath and uploads signed outputs, and update the draft release job to depend on signing and stage Windows installers from the signed artifact set.

Changes

Windows Installer Code Signing

Layer / File(s) / Summary

  • Windows Build Artifact Output Exposure (.github/workflows/build-desktop-platforms.yml): Windows build job upload step receives an id, and the job's outputs section exposes windows-artifact-id for downstream use.
  • SignPath Windows Signing Job (.github/workflows/build-desktop-platforms.yml): New sign-windows job on Ubuntu downloads the unsigned Windows installer artifact from build-windows, submits it to the SignPath GitHub Action for code signing, and uploads the signed installers as windows-installers-signed.
  • Release Job Signing Dependency and Artifact Staging (.github/workflows/build-desktop-platforms.yml): Release job needs updated to require sign-windows; release staging script now discovers/stages .exe/.msi from artifacts/windows-installers-signed instead of the unsigned artifact set.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • OpenHub-Store/GitHub-Store#280: Modifies the same workflow's installer packaging/uploads (including Windows); related to Windows artifact handling and uploads.
  • OpenHub-Store/GitHub-Store#474: Modifies the release/draft-release staging logic in the same workflow that this change updates to consume signed Windows artifacts.

Poem

🐰 I hopped through CI with a cheery bound,
Sent the exe for signing, then danced around.
From artifact to SignPath, a tidy little flight,
Returned all signed and gleaming, ready for the light.
Release now smiles — the build is right.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title clearly and specifically describes the main change: integrating SignPath-based signing for Windows installers in the CI pipeline.
  • Linked Issues check: ✅ Passed. The PR implements code signing for Windows installers (.exe/.msi) via SignPath integration, directly addressing issue #394's requirement to eliminate 'Unknown publisher' warnings.
  • Out of Scope Changes check: ✅ Passed. All changes are scoped to the GitHub Actions workflow for Windows installer signing; no unrelated modifications are present.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

greptile-apps Bot commented May 12, 2026

Greptile Summary

  • Inserts a sign-windows job between build-windows and release that submits Windows installers to SignPath Foundation for Authenticode signing; the release job now consumes the windows-installers-signed artifact instead of the raw build output.
  • The SignPath action is pinned to a full commit SHA (addressing the mutable-tag concern from a prior review), and the signing-policy slug is now driven by vars.SIGNPATH_SIGNING_POLICY_SLUG (a repo variable) rather than a hardcoded string.
  • A pre-flight step validates that all three required credentials/variables are present before the signing action runs, giving a clear error message instead of a cryptic auth failure mid-run.

Confidence Score: 4/5

Safe to merge once the pre-merge checklist items (repo secret, artifact slug, Trusted Build System) are confirmed; no blocking code defects found.

No P0 or P1 findings. Previous review concerns (mutable action tag, hardcoded test-signing policy) are both addressed. The only open item is a P2 suggestion to cap the wait-for-completion blocking time to avoid a worst-case 6-hour pipeline stall.

.github/workflows/build-desktop-platforms.yml — verify the artifact-configuration-slug: 'initial-version' matches the actual SignPath UI slug before merging (noted as assumed in the PR description).

Important Files Changed

  • .github/workflows/build-desktop-platforms.yml: Adds sign-windows job between build-windows and release; action is properly pinned to a commit SHA, signing policy moved to a repo variable, and pre-flight config check is included. One minor concern: no explicit timeout on the blocking wait-for-completion call.

Sequence Diagram

sequenceDiagram
    participant BW as build-windows
    participant SW as sign-windows
    participant SP as SignPath API
    participant R as release

    BW->>BW: Gradle build (.exe, .msi)
    BW->>BW: upload-artifact → windows-installers

    SW->>SW: "Verify SIGNPATH_* config"
    SW->>SP: Submit signing request (artifact-id, OIDC token, policy slug)
    SP-->>SW: Signed artifact
    SW->>SW: upload-artifact → windows-installers-signed

    R->>R: download-artifact (all)
    R->>R: Stage signed .exe/.msi → release-files/
    R->>R: gh release create (draft)

Reviews (3): Last reviewed commit: "ci(signpath): pin action to SHA, gate po..."
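The build-windows → sign-windows → release wiring that the PR description and the Greptile summary describe, written out as an added illustration; this is not the repository's actual workflow file. The SignPath action inputs follow that action's README as I recall it, so treat them as assumptions if your version differs; the variable SIGNPATH_ORGANIZATION_ID, the project slug github-store, the Gradle task, the installer output path and the id-token permission are my assumptions, and <full-commit-sha> is a placeholder for the real pinned commit.

```yaml
jobs:
  build-windows:
    runs-on: windows-latest
    outputs:
      windows-artifact-id: ${{ steps.upload.outputs.artifact-id }}   # consumed by sign-windows
    steps:
      - uses: actions/checkout@v4
      - run: ./gradlew packageDistributionForCurrentOS   # ASSUMED build task
      - id: upload
        uses: actions/upload-artifact@v4
        with:
          name: windows-installers
          path: build/installers/   # ASSUMED: where the .exe/.msi land

  sign-windows:
    needs: build-windows
    runs-on: ubuntu-latest
    timeout-minutes: 30   # caps the worst-case stall instead of GitHub's 6-hour job default
    permissions:
      id-token: write     # ASSUMED: lets the action obtain the OIDC token it submits
    steps:
      - name: Verify SignPath configuration
        env:
          SIGNPATH_API_TOKEN: ${{ secrets.SIGNPATH_API_TOKEN }}
          SIGNPATH_ORGANIZATION_ID: ${{ vars.SIGNPATH_ORGANIZATION_ID }}   # ASSUMED name
          SIGNPATH_SIGNING_POLICY_SLUG: ${{ vars.SIGNPATH_SIGNING_POLICY_SLUG }}
        run: |
          # fail with a clear message before the action hits a cryptic auth error
          for v in SIGNPATH_API_TOKEN SIGNPATH_ORGANIZATION_ID SIGNPATH_SIGNING_POLICY_SLUG; do
            [ -n "${!v}" ] || { echo "::error::$v is not configured"; exit 1; }
          done
      - name: Submit signing request
        # pin to the action's full commit SHA, never a mutable tag; placeholder below
        uses: signpath/github-action-submit-signing-request@<full-commit-sha>
        with:
          api-token: ${{ secrets.SIGNPATH_API_TOKEN }}
          organization-id: ${{ vars.SIGNPATH_ORGANIZATION_ID }}
          project-slug: github-store   # ASSUMED
          signing-policy-slug: ${{ vars.SIGNPATH_SIGNING_POLICY_SLUG }}   # test-signing now, release-signing later
          artifact-configuration-slug: initial-version
          github-artifact-id: ${{ needs.build-windows.outputs.windows-artifact-id }}
          wait-for-completion: true
          wait-for-completion-timeout-in-seconds: 1500   # bounded wait; the job fails on expiry
          output-artifact-directory: signed
      - uses: actions/upload-artifact@v4
        with:
          name: windows-installers-signed   # release stages .exe/.msi from this artifact only
          path: signed
```

The release job then lists sign-windows in its needs and stages .exe/.msi from artifacts/windows-installers-signed rather than from the unsigned windows-installers artifact, as the walkthrough describes.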

coderabbitai Bot (Contributor) left a review comment on .github/workflows/build-desktop-platforms.yml (thread now outdated)

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/build-desktop-platforms.yml:
- Line 88: The workflow is using a mutable tag for the SignPath action ("uses:
signpath/github-action-submit-signing-request@v1"); replace the tag with the
action's full commit SHA to pin the dependency (e.g., "uses:
signpath/github-action-submit-signing-request@<full-commit-sha>") by looking up
the desired commit in the signpath/github-action-submit-signing-request
repository and updating the uses line accordingly so the workflow references an
immutable SHA instead of `@v1`.
📥 Commits

Reviewing files that changed from the base of the PR and between 7a503ee and 54fe4b7.

📒 Files selected for processing (1)
  • .github/workflows/build-desktop-platforms.yml

@rainxchzed rainxchzed merged commit 3adde72 into main May 12, 2026
1 check passed
@rainxchzed rainxchzed deleted the ci/signpath-windows-signing branch May 12, 2026 01:58
Successfully merging this pull request may close these issues.

Fix needed for windows smart screen protection
