stacklok / toolhive-studio / 24522332081 / 1
70%
main: 70%

Build:
DEFAULT BRANCH: main
Ran 16 Apr 2026 04:43PM UTC
Files 455
Run time 16s
16 Apr 2026 04:40PM UTC coverage: 63.166%. Remained the same
24522332081.1

push

github

web-flow
feat(build): migrate Windows code signing to Azure Trusted Signing (#2021)

* feat(build): add Azure Trusted Signing for Windows code signing

Introduce `utils/windows-sign-azure.ts`, which returns an
`@electron/windows-sign` config using `signWithParams` with the
Azure Code Signing DLib and metadata.json, following the official
Electron Forge guide.

Wire it into `forge.config.ts` via a `getWindowsSignConfig()` helper
that prefers Azure Trusted Signing and falls back to the existing
DigiCert KeyLocker hook when only the legacy `SM_*` env vars are
set, so production releases keep working until the migration is
validated.

* feat(ci): wire Azure Trusted Signing into PR build-test workflow

Add the `setup-azure-trusted-signing` composite action that logs in
to Azure via OIDC (azure/login@v2.3.0), installs the Azure Code
Signing DLib via NuGet under `C:\azsign\` (no-space path required
by electron/windows-sign#45), locates `signtool.exe` in the Windows
SDK, writes `metadata.json`, and exports `AZURE_CODE_SIGNING_DLIB`,
`AZURE_METADATA_JSON`, and `SIGNTOOL_PATH` for Electron Forge.

Update `pr-build-test.yml` to use it when `--sign-windows` is set
and conditionally activate the `artifact-signing` GitHub
environment so the OIDC federated credential subject
(`repo:stacklok/toolhive-studio:environment:artifact-signing`) is
satisfied. Unsigned builds are unaffected since the environment
gate only activates with the flag.

* docs: document Azure Trusted Signing setup for Windows code signing

Replace the Windows signing section to describe the Azure Trusted
Signing flow (OIDC, environment-scoped secrets, the composite
action, and how to test on a PR with `/build-test --sign-windows`)
and demote the DigiCert KeyLocker section to a legacy fallback
note.

* fix(ci): scope artifact-signing environment to Windows matrix row

The `environment` keyword applies to the whole job, so every matrix
row (Linux/macOS/Windows) was entering `artifact-signing` whenever
`-... (continued)

3549 of 5937 branches covered (59.78%)

5677 of 8669 relevant lines covered (65.49%)

121.03 hits per line

  • a26d673e on github