stacklok / toolhive-studio / 24568293232 / 1

70%

main: 70%

push

github

feat(ci): sign Windows prereleases with Azure Trusted Signing (#2032)

* feat(ci): sign Windows prereleases with Azure Trusted Signing

Route Windows prerelease builds (alpha/beta/rc) through the
\`setup-azure-trusted-signing\` composite action instead of DigiCert
KeyLocker, matching the OIDC path already validated in
\`pr-build-test.yml\`. Stable releases keep signing via DigiCert until
the Azure flow is confirmed end-to-end on prereleases.

Scope the \`artifact-signing\` GitHub environment to the Windows matrix
row only (\`matrix.os == 'windows-latest'\` and \`prerelease == true\`)
so Linux/macOS rows and stable Windows releases stay outside the
environment and don't pick up its secrets or approvals. The repo-wide
AWS OIDC trust policy (\`repo:stacklok/toolhive-studio:*\`) already
covers the new \`environment:artifact-signing\` subject, so S3 sync
and CloudFront invalidation keep working from the Windows prerelease
job.

* docs: note Azure Trusted Signing is used for Windows prereleases

Clarify that Azure Trusted Signing is now wired into both
\`pr-build-test.yml\` (via \`/build-test --sign-windows\`) and
\`on-release.yml\` for prerelease tags, and scope the DigiCert
fallback note to stable releases until the migration is completed.

* chore: format

* docs(ci): clarify artifact-signing environment comment

Reword the job-level environment comment so it no longer implies
Linux/macOS rows stay on DigiCert — DigiCert is Windows-only.
Explicitly list the three categories of matrix rows that stay
outside \`artifact-signing\` (Linux any release, macOS any release,
Windows stable) and split the AWS OIDC trust-policy note into its
own paragraph.

Flagged by Copilot review.

3582 of 5980 branches covered (59.9%)

5706 of 8708 relevant lines covered (65.53%)

120.56 hits per line