@ibetitsmike

Summary

  • Add Windows build job to build.yml (runs on PRs and merge queue)
  • Add Windows EV code signing with GCP KMS and jsign (mirrors coder-desktop-windows pattern)
  • Custom signing script at scripts/sign-windows.js for electron-builder

Code Signing Setup

The Windows code signing follows the same pattern as coder-desktop-windows:

  • Uses jsign for signing with GCP Cloud KMS
  • Uses GCP Workload Identity for authentication

Required Secrets

| Secret | Description |
| --- | --- |
| EV_SIGNING_CERT | EV certificate PEM file contents |
| GCP_WORKLOAD_ID_PROVIDER | GCP workload identity provider |
| GCP_SERVICE_ACCOUNT | GCP service account email |

Required Variables

| Variable | Description |
| --- | --- |
| EV_KEYSTORE | GCP Cloud KMS keystore URL |
| EV_KEY | Key alias in the keystore |
| EV_TSA_URL | Timestamp server URL |

If secrets are not configured, the build will proceed without code signing (graceful degradation).

Generated with mux
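
A sketch of the skip-when-unconfigured decision described above, with a fail-closed switch for release jobs so an unsigned installer cannot ship silently. This is an added example, not the PR's scripts/sign-windows.js. `EV_CERT_PATH`, `GCP_ACCESS_TOKEN` and `REQUIRE_SIGNING` are hypothetical names, and the hook is assumed to be called with an object carrying the file `path`.

```javascript
// Added example, not the PR's scripts/sign-windows.js.
// EV_KEYSTORE, EV_KEY and EV_TSA_URL are the repository variables named in the PR.
// EV_CERT_PATH, GCP_ACCESS_TOKEN and REQUIRE_SIGNING are hypothetical names.
const REQUIRED = ["EV_KEYSTORE", "EV_KEY", "EV_TSA_URL", "EV_CERT_PATH", "GCP_ACCESS_TOKEN"];

// Decide what to do for one file: sign it, skip it, or refuse to continue.
function planSigning(env, filePath) {
  const missing = REQUIRED.filter((name) => !env[name]);
  if (missing.length > 0) {
    // Fail closed where an unsigned artifact must never ship (release jobs).
    if (env.REQUIRE_SIGNING === "true") {
      throw new Error(`signing required but not configured: ${missing.join(", ")}`);
    }
    // Jobs without secrets (for example PRs from forks) degrade to unsigned.
    return { action: "skip", missing };
  }
  return {
    action: "sign",
    // Argument array, never a shell string, so values are not re-parsed.
    args: [
      "--storetype", "GOOGLECLOUD",
      "--storepass", env.GCP_ACCESS_TOKEN, // short-lived token from workload identity
      "--keystore", env.EV_KEYSTORE,
      "--alias", env.EV_KEY,
      "--certfile", env.EV_CERT_PATH, // PEM written from the EV_SIGNING_CERT secret
      "--tsmode", "RFC3161",
      "--tsaurl", env.EV_TSA_URL,
      filePath,
    ],
  };
}

// Hook shape assumed: the builder calls it once per file with { path }.
async function sign(configuration, env = process.env) {
  const plan = planSigning(env, configuration.path);
  if (plan.action === "skip") {
    // Log the skip so an unsigned build is visible in the job output.
    console.warn(`UNSIGNED ${configuration.path} (missing ${plan.missing.join(", ")})`);
    return false;
  }
  const { execFileSync } = await import("node:child_process");
  execFileSync("jsign", plan.args, { stdio: "inherit" }); // throws on non-zero exit
  return true;
}

// CommonJS export for the hook loader; guarded so the file also loads as ESM.
if (typeof module !== "undefined") module.exports = { default: sign, planSigning };
```

Setting `REQUIRE_SIGNING=true` only in the release workflow keeps PR builds working without secrets while turning a misconfigured release into a failed job instead of an unsigned binary.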

…ases

- Add Windows build job to build.yml (runs on PRs and merge queue)
- Add Windows EV code signing with GCP KMS and jsign (mirrors coder-desktop-windows pattern)
- Custom signing script at scripts/sign-windows.js for electron-builder
- Uses repository variables for non-sensitive config (EV_KEYSTORE, EV_KEY, EV_TSA_URL)
- Uses secrets for sensitive data (EV_SIGNING_CERT, GCP_WORKLOAD_ID_PROVIDER, GCP_SERVICE_ACCOUNT)
- Gracefully skips signing if secrets not configured

_Generated with `mux`_
@ibetitsmike ibetitsmike force-pushed the windows-build-code-signing branch from f2a54fe to cbb29fa Compare December 5, 2025 07:44