From df7cb53ec9f51a44edd5d5efb3adf559c0fd4161 Mon Sep 17 00:00:00 2001 From: Mohamed Hegazy Date: Wed, 26 Nov 2025 18:41:48 -0800 Subject: [PATCH 1/3] Extract common signing setup to a composite action --- .../actions/setup-windows-signing/action.yml | 93 ++++ .github/workflows/swift-toolchain.yml | 423 +++++------------- 2 files changed, 202 insertions(+), 314 deletions(-) create mode 100644 .github/actions/setup-windows-signing/action.yml diff --git a/.github/actions/setup-windows-signing/action.yml b/.github/actions/setup-windows-signing/action.yml new file mode 100644 index 000000000..5f6950d03 --- /dev/null +++ b/.github/actions/setup-windows-signing/action.yml 
@@ -0,0 +1,93 @@
+name: Setup Windows signing
+description: Import the signing certificate or configure Azure trusted signing inputs for Windows builds.
+inputs:
+ uses-trusted-signing:
+ description: Whether to use Azure trusted signing.
+ required: true
+ certificate:
+ description: Base64-encoded PFX certificate for classic signing.
+ required: false
+ azure-sp-credentials:
+ description: Azure service principal credentials used for trusted signing.
+ required: false
+ trusted-signing-account:
+ description: Azure trusted signing account name.
+ required: false
+ trusted-signing-prod-profile:
+ description: Azure trusted signing production certificate profile name.
+ required: false
+outputs:
+ certificate-path:
+ description: Path to the decoded PFX when classic signing is used.
+ value: ${{ steps.import_certificate.outputs.certificate-path }}
+ signtool-path:
+ description: Path to the signtool directory when using trusted signing.
+ value: ${{ steps.prepare_trusted_signing.outputs.signtool-path }}
+ trusted-signing-dll-path:
+ description: Path to the Azure trusted signing DLL.
+ value: ${{ steps.prepare_trusted_signing.outputs.trusted-signing-dll-path }}
+ trusted-signing-metadata-path:
+ description: Path to the Azure trusted signing metadata file.
+ value: ${{ steps.prepare_trusted_signing.outputs.trusted-signing-metadata-path }}
+runs:
+ using: composite
+ steps:
+ - name: Import certificate
+ id: import_certificate
+ if: inputs.uses-trusted-signing == 'false'
+ shell: pwsh
+ run: |
+ $CertificatePath = Join-Path -Path ${env:RUNNER_TEMP} -ChildPath CodeSign.b64
+ $PFXPath = Join-Path -Path ${env:RUNNER_TEMP} -ChildPath CodeSign.pfx
+ Set-Content -Path $CertificatePath -Value '${{ inputs.certificate }}'
+ certutil.exe -decode $CertificatePath $PFXPath
+ Write-Host "certificate-path=$PFXPath"
+ "certificate-path=$PFXPath" | Out-File -FilePath ${env:GITHUB_OUTPUT} -Encoding utf8 -Append
+
+ - name: Authenticate with Azure
+ if: inputs.uses-trusted-signing == 'true'
+ uses: azure/login@v2
+ with:
+ creds: ${{ inputs.azure-sp-credentials }}
+
+ - name: Download trusted signing dll
+ if: inputs.uses-trusted-signing == 'true'
+ uses: actions/download-artifact@v4
+ with:
+ name: trusted-signing-dll
+ path: ${{ runner.temp }}/trusted-signing-dll
+
+ - name: Prepare trusted signing arguments
+ id: prepare_trusted_signing
+ if: inputs.uses-trusted-signing == 'true'
+ shell: pwsh
+ run: |
+ # We're unconditionally using x64 because there's no arm64 version of the DLL as of Oct 2025.
+ # TODO: Update with more info once we've filed a bug against Microsoft.
+ $signtoolPath = Join-Path -Path ${env:WindowsSdkVerBinPath} -ChildPath "x64/"
+ Write-Host "signtool-path=$signtoolPath"
+ "signtool-path=$signtoolPath" | Out-File -FilePath ${env:GITHUB_OUTPUT} -Encoding utf8 -Append
+
+ $trustedSigningDllPath = Join-Path -Path ${env:RUNNER_TEMP}/trusted-signing-dll -ChildPath "Azure.CodeSigning.Dlib.dll"
+ Write-Host "trusted-signing-dll-path=$trustedSigningDllPath"
+ "trusted-signing-dll-path=$trustedSigningDllPath" | Out-File -FilePath ${env:GITHUB_OUTPUT} -Encoding utf8 -Append
+
+ $metadataPath = Join-Path -Path ${env:RUNNER_TEMP} -ChildPath "metadata.json"
+ '{
+ "Endpoint": "https://eus.codesigning.azure.net",
+ "CodeSigningAccountName": "${{ inputs.trusted-signing-account }}",
+ "CertificateProfileName": "${{ inputs.trusted-signing-prod-profile }}",
+ "ExcludeCredentials": [
+ "ManagedIdentityCredential",
+ "WorkloadIdentityCredential",
+ "SharedTokenCacheCredential",
+ "VisualStudioCredential",
+ "VisualStudioCodeCredential",
+ "EnvironmentCredential",
+ "AzurePowerShellCredential",
+ "AzureDeveloperCliCredential",
+ "InteractiveBrowserCredential"
+ ]
+ }' | Out-File -FilePath $metadataPath -Encoding utf8
+ Write-Host "trusted-signing-metadata-path=$metadataPath"
+ "trusted-signing-metadata-path=$metadataPath" | Out-File -FilePath ${env:GITHUB_OUTPUT} -Encoding utf8 -Append
diff --git a/.github/workflows/swift-toolchain.yml b/.github/workflows/swift-toolchain.yml
index 364e7f106..f92e5f89d 100644
--- a/.github/workflows/swift-toolchain.yml
+++ b/.github/workflows/swift-toolchain.yml
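Review bot: The `Import certificate` step expands `'${{ inputs.certificate }}'` into the script text before PowerShell parses it, so the value is treated as source rather than data and a `'` in it would end the string literal. Passing it through the step environment keeps it as data: add `env:` with `CERTIFICATE_B64: ${{ inputs.certificate }}` and write `Set-Content -Path $CertificatePath -Value ${env:CERTIFICATE_B64}`. The metadata JSON in `Prepare trusted signing arguments` interpolates `inputs.trusted-signing-account` and `inputs.trusted-signing-prod-profile` the same way and could be built from environment variables with `ConvertTo-Json`. Separately, `azure/login@v2` and `actions/download-artifact@v4` are referenced by mutable tag on the path that receives the service principal credentials; pinning each to a full commit SHA (`azure/login@<full-commit-sha>`) would fix which code handles them.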
@@ -4346,14 +4346,6 @@ jobs: Move-Item "${{ github.workspace }}/BuildRoot/Library/Developer/Platforms/Windows.platform/Developer/SDKs/WindowsExperimental.sdk/usr/bin" "${{ github.workspace }}/BuildRoot/Library/Developer/Runtimes.Experimental/usr" - - run: | - $CertificatePath = Join-Path -Path ${env:RUNNER_TEMP} -ChildPath CodeSign.b64 - $PFXPath = Join-Path -Path ${env:RUNNER_TEMP} -ChildPath CodeSign.pfx - Set-Content -Path $CertificatePath -Value '${{ secrets.CERTIFICATE }}' - certutil.exe -decode $CertificatePath $PFXPath - Write-Output CERTIFICATE=$PFXPath | Out-File -FilePath ${env:GITHUB_ENV} -Encoding utf8 -Append - if: inputs.signed && needs.configure_signing.outputs.uses_trusted_signing == 'false' - - name: Install WixToolset.Sdk run: | if ((Get-Package -Name WixToolset.Sdk -ErrorAction SilentlyContinue) -eq $null) { 
@@ -4373,20 +4365,6 @@ jobs: Move-Item ${{ github.workspace }}/BuildRoot/Library/Developer/Platforms/Windows.platform/Developer/SDKs/WindowsExperimental.sdk/usr/lib/swift/_foundation_unicode ${{ github.workspace }}/BuildRoot/Library/Developer/Platforms/Windows.platform/Developer/SDKs/WindowsExperimental.sdk/usr/include/ Move-Item ${{ github.workspace }}/BuildRoot/Library/Developer/Platforms/Windows.platform/Developer/SDKs/WindowsExperimental.sdk/usr/lib/swift/_FoundationCShims ${{ github.workspace }}/BuildRoot/Library/Developer/Platforms/Windows.platform/Developer/SDKs/WindowsExperimental.sdk/usr/include/ - - run: | - $CertificatePath = Join-Path -Path ${env:RUNNER_TEMP} -ChildPath CodeSign.b64 - $PFXPath = Join-Path -Path ${env:RUNNER_TEMP} -ChildPath CodeSign.pfx - Set-Content -Path $CertificatePath -Value '${{ secrets.CERTIFICATE }}' - certutil -decode $CertificatePath $PFXPath - Echo CERTIFICATE=$PFXPath | Out-File -FilePath ${env:GITHUB_ENV} -Encoding utf8 -Append - if: inputs.signed && needs.configure_signing.outputs.uses_trusted_signing == 'false' - - - name: Install WixToolset.Sdk - run: | - if ((Get-Package -Name WixToolset.Sdk -ErrorAction SilentlyContinue) -eq $null) { - Install-Package -Name WixToolset.Sdk -RequiredVersion 4.0.1 -Force - } - - name: Complete NoAsserts layout run: | $AssertToolchainRoot = "${{ github.workspace }}\BuildRoot\Library\Developer\Toolchains\${{ inputs.swift_version }}+Asserts" 
@@ -4455,46 +4433,16 @@ jobs: & "${{ github.workspace }}\SourceCache\mimalloc\bin\minject$BuildSuffix" -l "$Exe" } - - uses: azure/login@v2 + - name: Setup signing inputs + id: setup_signing + if: inputs.signed + uses: ./SourceCache/ci-build/.github/actions/setup-windows-signing with: - creds: ${{ secrets.AZURE_SP_CREDENTIALS }} - if: inputs.signed && needs.configure_signing.outputs.uses_trusted_signing == 'true' - - - uses: actions/download-artifact@v4 - if: inputs.signed && needs.configure_signing.outputs.uses_trusted_signing == 'true' - with: - name: trusted-signing-dll - path: ${{ runner.temp }}/trusted-signing-dll - - - name: Prepare trusted signing arguments - if: inputs.signed && needs.configure_signing.outputs.uses_trusted_signing == 'true' - run: | - # We're unconditionally using x64 because there's no arm64 version of the DLL as of Oct 2025. - # TODO: Update with more info once we've filed a bug against Microsoft. - $signtoolPath = Join-Path -Path ${env:WindowsSdkVerBinPath} -ChildPath "x64/" - echo "SIGNTOOL_PATH=$signtoolPath" | Out-File -FilePath ${env:GITHUB_ENV} -Encoding utf8 -Append - - $trustedSigningDllPath = Join-Path -Path ${env:RUNNER_TEMP}/trusted-signing-dll -ChildPath "Azure.CodeSigning.Dlib.dll" - echo "TRUSTED_SIGNING_DLL_PATH=$trustedSigningDllPath" | Out-File -FilePath ${env:GITHUB_ENV} -Encoding utf8 -Append - - $metadataPath = Join-Path -Path ${env:RUNNER_TEMP} -ChildPath "metadata.json" - '{ - "Endpoint": "https://eus.codesigning.azure.net", - "CodeSigningAccountName": "${{ secrets.TRUSTED_SIGNING_ACCOUNT }}", - "CertificateProfileName": "${{ secrets.TRUSTED_SIGNING_PROD_PROFILE }}", - "ExcludeCredentials": [ - "ManagedIdentityCredential", - "WorkloadIdentityCredential", - "SharedTokenCacheCredential", - "VisualStudioCredential", - "VisualStudioCodeCredential", - "EnvironmentCredential", - "AzurePowerShellCredential", - "AzureDeveloperCliCredential", - "InteractiveBrowserCredential" - ] - }' | Out-File -FilePath $metadataPath 
-Encoding utf8 - echo "TRUSTED_SIGNING_METADATA_PATH=$metadataPath" | Out-File -FilePath ${env:GITHUB_ENV} -Encoding utf8 -Append + uses-trusted-signing: ${{ needs.configure_signing.outputs.uses_trusted_signing }} + certificate: ${{ secrets.CERTIFICATE }} + azure-sp-credentials: ${{ secrets.AZURE_SP_CREDENTIALS }} + trusted-signing-account: ${{ secrets.TRUSTED_SIGNING_ACCOUNT }} + trusted-signing-prod-profile: ${{ secrets.TRUSTED_SIGNING_PROD_PROFILE }} - name: Package Build Tools (Asserts) run: | @@ -4502,11 +4450,11 @@ jobs: -p:BaseOutputPath=${{ github.workspace }}\BinaryCache\installer\ ` -p:Configuration=Release ` -p:SignOutput=${{ inputs.signed }} ` - -p:CERTIFICATE=${env:CERTIFICATE} ` + -p:CERTIFICATE=${{ steps.setup_signing.outputs.certificate-path }} ` -p:PASSPHRASE=${{ secrets.PASSPHRASE }} ` - -p:SignToolPath=${env:SIGNTOOL_PATH} ` - -p:AzureSignMetadata=${env:TRUSTED_SIGNING_METADATA_PATH} ` - -p:AzureSignDlib=${env:TRUSTED_SIGNING_DLL_PATH} ` + -p:SignToolPath=${{ steps.setup_signing.outputs.signtool-path }} ` + -p:AzureSignMetadata=${{ steps.setup_signing.outputs.trusted-signing-metadata-path }} ` + -p:AzureSignDlib=${{ steps.setup_signing.outputs.trusted-signing-dll-path }} ` -p:ImageRoot=${{ github.workspace }}/BuildRoot/Library/Developer ` -p:WORKAROUND_MIMALLOC_ISSUE_997=false ` -p:ProductVersion=${{ inputs.swift_version }} ` 
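Review bot: The `Setup signing inputs` step loads the action from `./SourceCache/ci-build/.github/actions/setup-windows-signing`, a directory inside the job workspace, and passes it `secrets.CERTIFICATE` and `secrets.AZURE_SP_CREDENTIALS`, so whatever `action.yml` is on disk at that path when the step starts is the code that receives the signing credentials. The checkout that populates `SourceCache/ci-build` is outside this hunk; it is worth confirming that it checks out the same commit as the running workflow and that no earlier step in the job (artifact downloads, the `Move-Item` layout steps) can write under that directory. A comment on the step would record the assumption, for example `# Local action: resolved from the ci-build checkout, which must match the workflow's own commit`. The same step is added in the hunks at -5094, -5427, -5538 and -5763.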
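Review bot: `-p:SignToolPath=${{ steps.setup_signing.outputs.signtool-path }}` is substituted into the script text before PowerShell parses it, whereas the removed `${env:SIGNTOOL_PATH}` was expanded by PowerShell and reached the build command as a single argument. The action derives that output from `WindowsSdkVerBinPath`, which usually lies under `C:\Program Files (x86)\Windows Kits\`, so on the trusted-signing path the unquoted value would presumably split at the spaces and `(x86)` would be parsed as a subexpression. Quoting the whole argument keeps it intact, `"-p:SignToolPath=${{ steps.setup_signing.outputs.signtool-path }}"` with the trailing continuation backtick kept, or the outputs can be mapped into the step's `env:` and the `${env:...}` references retained. The `CERTIFICATE`, `AzureSignMetadata` and `AzureSignDlib` lines carry `RUNNER_TEMP` paths and have the same exposure on runners whose temp directory contains spaces. The command these arguments belong to starts outside the hunk, and the pattern repeats in every packaging hunk from -4519 through -5635.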
@@ -4519,11 +4467,11 @@ jobs: -p:BaseOutputPath=${{ github.workspace }}\BinaryCache\installer\ ` -p:Configuration=Release ` -p:SignOutput=${{ inputs.signed }} ` - -p:CERTIFICATE=${env:CERTIFICATE} ` + -p:CERTIFICATE=${{ steps.setup_signing.outputs.certificate-path }} ` -p:PASSPHRASE=${{ secrets.PASSPHRASE }} ` - -p:SignToolPath=${env:SIGNTOOL_PATH} ` - -p:AzureSignMetadata=${env:TRUSTED_SIGNING_METADATA_PATH} ` - -p:AzureSignDlib=${env:TRUSTED_SIGNING_DLL_PATH} ` + -p:SignToolPath=${{ steps.setup_signing.outputs.signtool-path }} ` + -p:AzureSignMetadata=${{ steps.setup_signing.outputs.trusted-signing-metadata-path }} ` + -p:AzureSignDlib=${{ steps.setup_signing.outputs.trusted-signing-dll-path }} ` -p:ImageRoot=${{ github.workspace }}/BuildRoot/Library/Developer ` -p:WORKAROUND_MIMALLOC_ISSUE_997=false ` -p:ProductVersion=${{ inputs.swift_version }} ` @@ -4536,12 +4484,12 @@ jobs: -p:BaseOutputPath=${{ github.workspace }}\BinaryCache\installer\ ` -p:Configuration=Release ` -p:SignOutput=${{ inputs.signed }} ` - -p:CERTIFICATE=${env:CERTIFICATE} ` + -p:CERTIFICATE=${{ steps.setup_signing.outputs.certificate-path }} ` -p:PASSPHRASE=${{ secrets.PASSPHRASE }} ` -p:SWIFT_DOCC_RENDER_ARTIFACT_ROOT="${{ github.workspace }}\SourceCache\swift-docc-render-artifact" ` - -p:SignToolPath=${env:SIGNTOOL_PATH} ` - -p:AzureSignMetadata=${env:TRUSTED_SIGNING_METADATA_PATH} ` - -p:AzureSignDlib=${env:TRUSTED_SIGNING_DLL_PATH} ` + -p:SignToolPath=${{ steps.setup_signing.outputs.signtool-path }} ` + -p:AzureSignMetadata=${{ steps.setup_signing.outputs.trusted-signing-metadata-path }} ` + -p:AzureSignDlib=${{ steps.setup_signing.outputs.trusted-signing-dll-path }} ` -p:ImageRoot=${{ github.workspace }}/BuildRoot/Library/Developer ` -p:ProductVersion=${{ inputs.swift_version }} ` -p:ProductArchitecture=${{ matrix.arch }} ` 
@@ -4553,12 +4501,12 @@ jobs: -p:BaseOutputPath=${{ github.workspace }}\BinaryCache\installer\ ` -p:Configuration=Release ` -p:SignOutput=${{ inputs.signed }} ` - -p:CERTIFICATE=${env:CERTIFICATE} ` + -p:CERTIFICATE=${{ steps.setup_signing.outputs.certificate-path }} ` -p:PASSPHRASE=${{ secrets.PASSPHRASE }} ` -p:SWIFT_DOCC_RENDER_ARTIFACT_ROOT="${{ github.workspace }}\SourceCache\swift-docc-render-artifact" ` - -p:SignToolPath=${env:SIGNTOOL_PATH} ` - -p:AzureSignMetadata=${env:TRUSTED_SIGNING_METADATA_PATH} ` - -p:AzureSignDlib=${env:TRUSTED_SIGNING_DLL_PATH} ` + -p:SignToolPath=${{ steps.setup_signing.outputs.signtool-path }} ` + -p:AzureSignMetadata=${{ steps.setup_signing.outputs.trusted-signing-metadata-path }} ` + -p:AzureSignDlib=${{ steps.setup_signing.outputs.trusted-signing-dll-path }} ` -p:ImageRoot=${{ github.workspace }}/BuildRoot/Library/Developer ` -p:ProductVersion=${{ inputs.swift_version }} ` -p:ProductArchitecture=${{ matrix.arch }} ` @@ -4570,11 +4518,11 @@ jobs: -p:BaseOutputPath=${{ github.workspace }}\BinaryCache\installer\ ` -p:Configuration=Release ` -p:SignOutput=${{ inputs.signed }} ` - -p:CERTIFICATE=${env:CERTIFICATE} ` + -p:CERTIFICATE=${{ steps.setup_signing.outputs.certificate-path }} ` -p:PASSPHRASE=${{ secrets.PASSPHRASE }} ` - -p:SignToolPath=${env:SIGNTOOL_PATH} ` - -p:AzureSignMetadata=${env:TRUSTED_SIGNING_METADATA_PATH} ` - -p:AzureSignDlib=${env:TRUSTED_SIGNING_DLL_PATH} ` + -p:SignToolPath=${{ steps.setup_signing.outputs.signtool-path }} ` + -p:AzureSignMetadata=${{ steps.setup_signing.outputs.trusted-signing-metadata-path }} ` + -p:AzureSignDlib=${{ steps.setup_signing.outputs.trusted-signing-dll-path }} ` -p:ImageRoot=${{ github.workspace }}/BuildRoot/Library/Developer ` -p:ProductVersion=${{ inputs.swift_version }} ` -p:ProductArchitecture=${{ matrix.arch }} ` 
@@ -4586,11 +4534,11 @@ jobs: -p:BaseOutputPath=${{ github.workspace }}\BinaryCache\installer\ ` -p:Configuration=Release ` -p:SignOutput=${{ inputs.signed }} ` - -p:CERTIFICATE=${env:CERTIFICATE} ` + -p:CERTIFICATE=${{ steps.setup_signing.outputs.certificate-path }} ` -p:PASSPHRASE=${{ secrets.PASSPHRASE }} ` - -p:SignToolPath=${env:SIGNTOOL_PATH} ` - -p:AzureSignMetadata=${env:TRUSTED_SIGNING_METADATA_PATH} ` - -p:AzureSignDlib=${env:TRUSTED_SIGNING_DLL_PATH} ` + -p:SignToolPath=${{ steps.setup_signing.outputs.signtool-path }} ` + -p:AzureSignMetadata=${{ steps.setup_signing.outputs.trusted-signing-metadata-path }} ` + -p:AzureSignDlib=${{ steps.setup_signing.outputs.trusted-signing-dll-path }} ` -p:ImageRoot=${{ github.workspace }}/BuildRoot/Library/Developer ` -p:ProductVersion=${{ inputs.swift_version }} ` -p:ProductArchitecture=${{ matrix.arch }} ` @@ -4602,11 +4550,11 @@ jobs: -p:BaseOutputPath=${{ github.workspace }}\BinaryCache\installer\ ` -p:Configuration=Release ` -p:SignOutput=${{ inputs.signed }} ` - -p:CERTIFICATE=${env:CERTIFICATE} ` + -p:CERTIFICATE=${{ steps.setup_signing.outputs.certificate-path }} ` -p:PASSPHRASE=${{ secrets.PASSPHRASE }} ` - -p:SignToolPath=${env:SIGNTOOL_PATH} ` - -p:AzureSignMetadata=${env:TRUSTED_SIGNING_METADATA_PATH} ` - -p:AzureSignDlib=${env:TRUSTED_SIGNING_DLL_PATH} ` + -p:SignToolPath=${{ steps.setup_signing.outputs.signtool-path }} ` + -p:AzureSignMetadata=${{ steps.setup_signing.outputs.trusted-signing-metadata-path }} ` + -p:AzureSignDlib=${{ steps.setup_signing.outputs.trusted-signing-dll-path }} ` -p:ImageRoot=${{ github.workspace }}/BuildRoot/Library/Developer ` -p:ProductVersion=${{ inputs.swift_version }} ` -p:ProductArchitecture=${{ matrix.arch }} ` 
@@ -4618,11 +4566,11 @@ jobs: -p:BaseOutputPath=${{ github.workspace }}\BinaryCache\installer\ ` -p:Configuration=Release ` -p:SignOutput=${{ inputs.signed }} ` - -p:CERTIFICATE=${env:CERTIFICATE} ` + -p:CERTIFICATE=${{ steps.setup_signing.outputs.certificate-path }} ` -p:PASSPHRASE=${{ secrets.PASSPHRASE }} ` - -p:SignToolPath=${env:SIGNTOOL_PATH} ` - -p:AzureSignMetadata=${env:TRUSTED_SIGNING_METADATA_PATH} ` - -p:AzureSignDlib=${env:TRUSTED_SIGNING_DLL_PATH} ` + -p:SignToolPath=${{ steps.setup_signing.outputs.signtool-path }} ` + -p:AzureSignMetadata=${{ steps.setup_signing.outputs.trusted-signing-metadata-path }} ` + -p:AzureSignDlib=${{ steps.setup_signing.outputs.trusted-signing-dll-path }} ` -p:ImageRoot=${{ github.workspace }}/BuildRoot/Library/Developer ` -p:ProductVersion=${{ inputs.swift_version }} ` -p:ProductArchitecture=${{ matrix.arch }} ` @@ -4634,11 +4582,11 @@ jobs: -p:BaseOutputPath=${{ github.workspace }}\BinaryCache\installer\ ` -p:Configuration=Release ` -p:SignOutput=${{ inputs.signed }} ` - -p:CERTIFICATE=${env:CERTIFICATE} ` + -p:CERTIFICATE=${{ steps.setup_signing.outputs.certificate-path }} ` -p:PASSPHRASE=${{ secrets.PASSPHRASE }} ` - -p:SignToolPath=${env:SIGNTOOL_PATH} ` - -p:AzureSignMetadata=${env:TRUSTED_SIGNING_METADATA_PATH} ` - -p:AzureSignDlib=${env:TRUSTED_SIGNING_DLL_PATH} ` + -p:SignToolPath=${{ steps.setup_signing.outputs.signtool-path }} ` + -p:AzureSignMetadata=${{ steps.setup_signing.outputs.trusted-signing-metadata-path }} ` + -p:AzureSignDlib=${{ steps.setup_signing.outputs.trusted-signing-dll-path }} ` -p:ImageRoot=${{ github.workspace }}/BuildRoot/Library/Developer ` -p:ProductVersion=${{ inputs.swift_version }} ` -p:ProductArchitecture=${{ matrix.arch }} ` 
@@ -4654,11 +4602,11 @@ jobs: -p:BaseOutputPath=${{ github.workspace }}\BinaryCache\installer\ ` -p:Configuration=Release ` -p:SignOutput=${{ inputs.signed }} ` - -p:CERTIFICATE=${env:CERTIFICATE} ` + -p:CERTIFICATE=${{ steps.setup_signing.outputs.certificate-path }} ` -p:PASSPHRASE=${{ secrets.PASSPHRASE }} ` - -p:SignToolPath=${env:SIGNTOOL_PATH} ` - -p:AzureSignMetadata=${env:TRUSTED_SIGNING_METADATA_PATH} ` - -p:AzureSignDlib=${env:TRUSTED_SIGNING_DLL_PATH} ` + -p:SignToolPath=${{ steps.setup_signing.outputs.signtool-path }} ` + -p:AzureSignMetadata=${{ steps.setup_signing.outputs.trusted-signing-metadata-path }} ` + -p:AzureSignDlib=${{ steps.setup_signing.outputs.trusted-signing-dll-path }} ` -p:ImageRoot=${{ github.workspace }}/BuildRoot/Library/Developer ` -p:ProductVersion=${{ inputs.swift_version }} ` -p:ProductArchitecture=${{ matrix.arch }} ` @@ -5067,14 +5015,6 @@ jobs: path: ${{ github.workspace }}/SourceCache/swift-installer-scripts show-progress: false - - run: | - $CertificatePath = Join-Path -Path ${env:RUNNER_TEMP} -ChildPath CodeSign.b64 - $PFXPath = Join-Path -Path ${env:RUNNER_TEMP} -ChildPath CodeSign.pfx - Set-Content -Path $CertificatePath -Value '${{ secrets.CERTIFICATE }}' - certutil.exe -decode $CertificatePath $PFXPath - Write-Output CERTIFICATE=$PFXPath | Out-File -FilePath ${env:GITHUB_ENV} -Encoding utf8 -Append - if: inputs.signed && needs.configure_signing.outputs.uses_trusted_signing == 'false' - - name: Install WixToolset.Sdk run: | if ((Get-Package -Name WixToolset.Sdk -ErrorAction SilentlyContinue) -eq $null) { 
@@ -5094,46 +5034,16 @@ jobs: Move-Item ${{ github.workspace }}/BuildRoot/Library/Developer/Platforms/Windows.platform/Developer/SDKs/WindowsExperimental.sdk/usr/lib/swift_static/_foundation_unicode ${{ github.workspace }}/BuildRoot/Library/Developer/Platforms/Windows.platform/Developer/SDKs/WindowsExperimental.sdk/usr/include/ Move-Item ${{ github.workspace }}/BuildRoot/Library/Developer/Platforms/Windows.platform/Developer/SDKs/WindowsExperimental.sdk/usr/lib/swift_static/_FoundationCShims ${{ github.workspace }}/BuildRoot/Library/Developer/Platforms/Windows.platform/Developer/SDKs/WindowsExperimental.sdk/usr/include/ - - uses: azure/login@v2 - with: - creds: ${{ secrets.AZURE_SP_CREDENTIALS }} - if: inputs.signed && needs.configure_signing.outputs.uses_trusted_signing == 'true' - - - uses: actions/download-artifact@v4 - if: inputs.signed && needs.configure_signing.outputs.uses_trusted_signing == 'true' + - name: Setup signing inputs + id: setup_signing + if: inputs.signed + uses: ./SourceCache/ci-build/.github/actions/setup-windows-signing with: - name: trusted-signing-dll - path: ${{ runner.temp }}/trusted-signing-dll - - - name: Prepare trusted signing arguments - if: inputs.signed && needs.configure_signing.outputs.uses_trusted_signing == 'true' - run: | - # We're unconditionally using x64 because there's no arm64 version of the DLL as of Oct 2025. - # TODO: Update with more info once we've filed a bug against Microsoft. 
- $signtoolPath = Join-Path -Path ${env:WindowsSdkVerBinPath} -ChildPath "x64/" - echo "SIGNTOOL_PATH=$signtoolPath" | Out-File -FilePath ${env:GITHUB_ENV} -Encoding utf8 -Append - - $trustedSigningDllPath = Join-Path -Path ${env:RUNNER_TEMP}/trusted-signing-dll -ChildPath "Azure.CodeSigning.Dlib.dll" - echo "TRUSTED_SIGNING_DLL_PATH=$trustedSigningDllPath" | Out-File -FilePath ${env:GITHUB_ENV} -Encoding utf8 -Append - - $metadataPath = Join-Path -Path ${env:RUNNER_TEMP} -ChildPath "metadata.json" - '{ - "Endpoint": "https://eus.codesigning.azure.net", - "CodeSigningAccountName": "${{ secrets.TRUSTED_SIGNING_ACCOUNT }}", - "CertificateProfileName": "${{ secrets.TRUSTED_SIGNING_PROD_PROFILE }}", - "ExcludeCredentials": [ - "ManagedIdentityCredential", - "WorkloadIdentityCredential", - "SharedTokenCacheCredential", - "VisualStudioCredential", - "VisualStudioCodeCredential", - "EnvironmentCredential", - "AzurePowerShellCredential", - "AzureDeveloperCliCredential", - "InteractiveBrowserCredential" - ] - }' | Out-File -FilePath $metadataPath -Encoding utf8 - echo "TRUSTED_SIGNING_METADATA_PATH=$metadataPath" | Out-File -FilePath ${env:GITHUB_ENV} -Encoding utf8 -Append + uses-trusted-signing: ${{ needs.configure_signing.outputs.uses_trusted_signing }} + certificate: ${{ secrets.CERTIFICATE }} + azure-sp-credentials: ${{ secrets.AZURE_SP_CREDENTIALS }} + trusted-signing-account: ${{ secrets.TRUSTED_SIGNING_ACCOUNT }} + trusted-signing-prod-profile: ${{ secrets.TRUSTED_SIGNING_PROD_PROFILE }} - name: Package Platform run: | 
@@ -5141,11 +5051,11 @@ jobs: -p:BaseOutputPath=${{ github.workspace }}\BinaryCache\installer\ ` -p:Configuration=Release ` -p:SignOutput=${{ inputs.signed }} ` - -p:CERTIFICATE=${env:CERTIFICATE} ` + -p:CERTIFICATE=${{ steps.setup_signing.outputs.certificate-path }} ` -p:PASSPHRASE=${{ secrets.PASSPHRASE }} ` - -p:SignToolPath=${env:SIGNTOOL_PATH} ` - -p:AzureSignMetadata=${env:TRUSTED_SIGNING_METADATA_PATH} ` - -p:AzureSignDlib=${env:TRUSTED_SIGNING_DLL_PATH} ` + -p:SignToolPath=${{ steps.setup_signing.outputs.signtool-path }} ` + -p:AzureSignMetadata=${{ steps.setup_signing.outputs.trusted-signing-metadata-path }} ` + -p:AzureSignDlib=${{ steps.setup_signing.outputs.trusted-signing-dll-path }} ` -p:ImageRoot=${{ github.workspace }}/BuildRoot/Library/Developer ` -p:ProductVersion=${{ inputs.swift_version }} ` -p:ProductArchitecture=${{ inputs.build_arch }} ` @@ -5397,14 +5307,6 @@ jobs: path: ${{ github.workspace }}/SourceCache/swift-installer-scripts show-progress: false - - if: inputs.build_android && inputs.signed && needs.configure_signing.outputs.uses_trusted_signing == 'false' - run: | - $CertificatePath = Join-Path -Path ${env:RUNNER_TEMP} -ChildPath CodeSign.b64 - $PFXPath = Join-Path -Path ${env:RUNNER_TEMP} -ChildPath CodeSign.pfx - Set-Content -Path $CertificatePath -Value '${{ secrets.CERTIFICATE }}' - certutil.exe -decode $CertificatePath $PFXPath - Write-Output CERTIFICATE=$PFXPath | Out-File -FilePath ${env:GITHUB_ENV} -Encoding utf8 -Append - - if: inputs.build_android name: Install WixToolset.Sdk run: | 
@@ -5427,46 +5329,16 @@ jobs: Move-Item ${{ github.workspace }}/BuildRoot/Library/Developer/Platforms/Android.platform/Developer/SDKs/AndroidExperimental.sdk/usr/lib/swift_static/_foundation_unicode ${{ github.workspace }}/BuildRoot/Library/Developer/Platforms/Android.platform/Developer/SDKs/AndroidExperimental.sdk/usr/include Move-Item ${{ github.workspace }}/BuildRoot/Library/Developer/Platforms/Android.platform/Developer/SDKs/AndroidExperimental.sdk/usr/lib/swift_static/_FoundationCShims ${{ github.workspace }}/BuildRoot/Library/Developer/Platforms/Android.platform/Developer/SDKs/AndroidExperimental.sdk/usr/include - - uses: azure/login@v2 - with: - creds: ${{ secrets.AZURE_SP_CREDENTIALS }} - if: inputs.build_android && inputs.signed && needs.configure_signing.outputs.uses_trusted_signing == 'true' - - - uses: actions/download-artifact@v4 - if: inputs.build_android && inputs.signed && needs.configure_signing.outputs.uses_trusted_signing == 'true' + - name: Setup signing inputs + id: setup_signing + if: inputs.build_android && inputs.signed + uses: ./SourceCache/ci-build/.github/actions/setup-windows-signing with: - name: trusted-signing-dll - path: ${{ runner.temp }}/trusted-signing-dll - - - name: Prepare trusted signing arguments - if: inputs.build_android && inputs.signed && needs.configure_signing.outputs.uses_trusted_signing == 'true' - run: | - # We're unconditionally using x64 because there's no arm64 version of the DLL as of Oct 2025. - # TODO: Update with more info once we've filed a bug against Microsoft. 
- $signtoolPath = Join-Path -Path ${env:WindowsSdkVerBinPath} -ChildPath "x64/" - echo "SIGNTOOL_PATH=$signtoolPath" | Out-File -FilePath ${env:GITHUB_ENV} -Encoding utf8 -Append - - $trustedSigningDllPath = Join-Path -Path ${env:RUNNER_TEMP}/trusted-signing-dll -ChildPath "Azure.CodeSigning.Dlib.dll" - echo "TRUSTED_SIGNING_DLL_PATH=$trustedSigningDllPath" | Out-File -FilePath ${env:GITHUB_ENV} -Encoding utf8 -Append - - $metadataPath = Join-Path -Path ${env:RUNNER_TEMP} -ChildPath "metadata.json" - '{ - "Endpoint": "https://eus.codesigning.azure.net", - "CodeSigningAccountName": "${{ secrets.TRUSTED_SIGNING_ACCOUNT }}", - "CertificateProfileName": "${{ secrets.TRUSTED_SIGNING_PROD_PROFILE }}", - "ExcludeCredentials": [ - "ManagedIdentityCredential", - "WorkloadIdentityCredential", - "SharedTokenCacheCredential", - "VisualStudioCredential", - "VisualStudioCodeCredential", - "EnvironmentCredential", - "AzurePowerShellCredential", - "AzureDeveloperCliCredential", - "InteractiveBrowserCredential" - ] - }' | Out-File -FilePath $metadataPath -Encoding utf8 - echo "TRUSTED_SIGNING_METADATA_PATH=$metadataPath" | Out-File -FilePath ${env:GITHUB_ENV} -Encoding utf8 -Append + uses-trusted-signing: ${{ needs.configure_signing.outputs.uses_trusted_signing }} + certificate: ${{ secrets.CERTIFICATE }} + azure-sp-credentials: ${{ secrets.AZURE_SP_CREDENTIALS }} + trusted-signing-account: ${{ secrets.TRUSTED_SIGNING_ACCOUNT }} + trusted-signing-prod-profile: ${{ secrets.TRUSTED_SIGNING_PROD_PROFILE }} - if: inputs.build_android name: Package SDK 
@@ -5476,11 +5348,11 @@ jobs: -p:Configuration=Release ` -p:SignOutput=${{ inputs.signed }} ` -p:ANDROID_INCLUDE_DS2=true ` - -p:CERTIFICATE=${env:CERTIFICATE} ` + -p:CERTIFICATE=${{ steps.setup_signing.outputs.certificate-path }} ` -p:PASSPHRASE=${{ secrets.PASSPHRASE }} ` - -p:SignToolPath=${env:SIGNTOOL_PATH} ` - -p:AzureSignMetadata=${env:TRUSTED_SIGNING_METADATA_PATH} ` - -p:AzureSignDlib=${env:TRUSTED_SIGNING_DLL_PATH} ` + -p:SignToolPath=${{ steps.setup_signing.outputs.signtool-path }} ` + -p:AzureSignMetadata=${{ steps.setup_signing.outputs.trusted-signing-metadata-path }} ` + -p:AzureSignDlib=${{ steps.setup_signing.outputs.trusted-signing-dll-path }} ` -p:ImageRoot=${{ github.workspace }}/BuildRoot/Library/Developer ` -p:ProductVersion=${{ inputs.swift_version }} ` -p:ProductArchitecture=${{ inputs.build_arch }} ` 
@@ -5538,60 +5410,22 @@ jobs: path: ${{ github.workspace }}/SourceCache/swift-installer-scripts show-progress: false - - run: | - $CertificatePath = Join-Path -Path ${env:RUNNER_TEMP} -ChildPath CodeSign.b64 - $PFXPath = Join-Path -Path ${env:RUNNER_TEMP} -ChildPath CodeSign.pfx - Set-Content -Path $CertificatePath -Value '${{ secrets.CERTIFICATE }}' - certutil.exe -decode $CertificatePath $PFXPath - Write-Output CERTIFICATE=$PFXPath | Out-File -FilePath ${env:GITHUB_ENV} -Encoding utf8 -Append - if: inputs.signed && needs.configure_signing.outputs.uses_trusted_signing == 'false' - - name: Install WixToolset.Sdk run: | if ((Get-Package -Name WixToolset.Sdk -ErrorAction SilentlyContinue) -eq $null) { Install-Package -Name WixToolset.Sdk -RequiredVersion 4.0.1 -Force } - - uses: azure/login@v2 + - name: Setup signing inputs + id: setup_signing + if: inputs.signed + uses: ./SourceCache/ci-build/.github/actions/setup-windows-signing with: - creds: ${{ secrets.AZURE_SP_CREDENTIALS }} - if: inputs.signed && needs.configure_signing.outputs.uses_trusted_signing == 'true' - - - uses: actions/download-artifact@v4 - if: inputs.signed && needs.configure_signing.outputs.uses_trusted_signing == 'true' - with: - name: trusted-signing-dll - path: ${{ runner.temp }}/trusted-signing-dll - - - name: Prepare trusted signing arguments - if: inputs.signed && needs.configure_signing.outputs.uses_trusted_signing == 'true' - run: | - # We're unconditionally using x64 because there's no arm64 version of the DLL as of Oct 2025. - # TODO: Update with more info once we've filed a bug against Microsoft. 
- $signtoolPath = Join-Path -Path ${env:WindowsSdkVerBinPath} -ChildPath "x64/" - echo "SIGNTOOL_PATH=$signtoolPath" | Out-File -FilePath ${env:GITHUB_ENV} -Encoding utf8 -Append - - $trustedSigningDllPath = Join-Path -Path ${env:RUNNER_TEMP}/trusted-signing-dll -ChildPath "Azure.CodeSigning.Dlib.dll" - echo "TRUSTED_SIGNING_DLL_PATH=$trustedSigningDllPath" | Out-File -FilePath ${env:GITHUB_ENV} -Encoding utf8 -Append - - $metadataPath = Join-Path -Path ${env:RUNNER_TEMP} -ChildPath "metadata.json" - '{ - "Endpoint": "https://eus.codesigning.azure.net", - "CodeSigningAccountName": "${{ secrets.TRUSTED_SIGNING_ACCOUNT }}", - "CertificateProfileName": "${{ secrets.TRUSTED_SIGNING_PROD_PROFILE }}", - "ExcludeCredentials": [ - "ManagedIdentityCredential", - "WorkloadIdentityCredential", - "SharedTokenCacheCredential", - "VisualStudioCredential", - "VisualStudioCodeCredential", - "EnvironmentCredential", - "AzurePowerShellCredential", - "AzureDeveloperCliCredential", - "InteractiveBrowserCredential" - ] - }' | Out-File -FilePath $metadataPath -Encoding utf8 - echo "TRUSTED_SIGNING_METADATA_PATH=$metadataPath" | Out-File -FilePath ${env:GITHUB_ENV} -Encoding utf8 -Append + uses-trusted-signing: ${{ needs.configure_signing.outputs.uses_trusted_signing }} + certificate: ${{ secrets.CERTIFICATE }} + azure-sp-credentials: ${{ secrets.AZURE_SP_CREDENTIALS }} + trusted-signing-account: ${{ secrets.TRUSTED_SIGNING_ACCOUNT }} + trusted-signing-prod-profile: ${{ secrets.TRUSTED_SIGNING_PROD_PROFILE }} - name: Download and expand Python 
@@ -5635,11 +5469,11 @@ jobs: -p:BaseOutputPath=${{ github.workspace }}\BinaryCache\installer\ ` -p:Configuration=Release ` -p:SignOutput=${{ inputs.signed }} ` - -p:CERTIFICATE=${env:CERTIFICATE} ` + -p:CERTIFICATE=${{ steps.setup_signing.outputs.certificate-path }} ` -p:PASSPHRASE=${{ secrets.PASSPHRASE }} ` - -p:SignToolPath=${env:SIGNTOOL_PATH} ` - -p:AzureSignMetadata=${env:TRUSTED_SIGNING_METADATA_PATH} ` - -p:AzureSignDlib=${env:TRUSTED_SIGNING_DLL_PATH} ` + -p:SignToolPath=${{ steps.setup_signing.outputs.signtool-path }} ` + -p:AzureSignMetadata=${{ steps.setup_signing.outputs.trusted-signing-metadata-path }} ` + -p:AzureSignDlib=${{ steps.setup_signing.outputs.trusted-signing-dll-path }} ` -p:ImageRoot=${{ github.workspace }}/BuildRoot/Library/Developer ` -p:ProductVersion=${{ inputs.swift_version }} ` -p:PythonVersion=${{ inputs.python_version }} ` 
@@ -5763,55 +5597,16 @@ jobs: path: ${{ github.workspace }}/SourceCache/swift-installer-scripts show-progress: false - - run: | - $CertificatePath = Join-Path -Path ${env:RUNNER_TEMP} -ChildPath CodeSign.b64 - $PFXPath = Join-Path -Path ${env:RUNNER_TEMP} -ChildPath CodeSign.pfx - Set-Content -Path $CertificatePath -Value '${{ secrets.CERTIFICATE }}' - certutil -decode $CertificatePath $PFXPath - Echo CERTIFICATE=$PFXPath | Out-File -FilePath ${env:GITHUB_ENV} -Encoding utf8 -Append - if: inputs.signed && needs.configure_signing.outputs.uses_trusted_signing == 'false' - - - name: Authenticate with Azure - uses: azure/login@v2 - with: - creds: ${{ secrets.AZURE_SP_CREDENTIALS }} - if: inputs.signed && needs.configure_signing.outputs.uses_trusted_signing == 'true' - - - uses: actions/download-artifact@v4 - if: inputs.signed && needs.configure_signing.outputs.uses_trusted_signing == 'true' + - name: Setup signing inputs + id: setup_signing + if: inputs.signed + uses: ./SourceCache/ci-build/.github/actions/setup-windows-signing with: - name: trusted-signing-dll - path: ${{ runner.temp }}/trusted-signing-dll - - - name: Prepare trusted signing arguments - if: inputs.signed && needs.configure_signing.outputs.uses_trusted_signing == 'true' - run: | - # We're unconditionally using x64 because there's no arm64 version of the DLL as of Oct 2025. - # TODO: Update with more info once we've filed a bug against Microsoft. 
- $signtoolPath = Join-Path -Path ${env:WindowsSdkVerBinPath} -ChildPath "x64/" - echo "SIGNTOOL_PATH=$signtoolPath" | Out-File -FilePath ${env:GITHUB_ENV} -Encoding utf8 -Append - - $trustedSigningDllPath = Join-Path -Path ${env:RUNNER_TEMP}/trusted-signing-dll -ChildPath "Azure.CodeSigning.Dlib.dll" - echo "TRUSTED_SIGNING_DLL_PATH=$trustedSigningDllPath" | Out-File -FilePath ${env:GITHUB_ENV} -Encoding utf8 -Append - - $metadataPath = Join-Path -Path ${env:RUNNER_TEMP} -ChildPath "metadata.json" - '{ - "Endpoint": "https://eus.codesigning.azure.net", - "CodeSigningAccountName": "${{ secrets.TRUSTED_SIGNING_ACCOUNT }}", - "CertificateProfileName": "${{ secrets.TRUSTED_SIGNING_PROD_PROFILE }}", - "ExcludeCredentials": [ - "ManagedIdentityCredential", - "WorkloadIdentityCredential", - "SharedTokenCacheCredential", - "VisualStudioCredential", - "VisualStudioCodeCredential", - "EnvironmentCredential", - "AzurePowerShellCredential", - "AzureDeveloperCliCredential", - "InteractiveBrowserCredential" - ] - }' | Out-File -FilePath $metadataPath -Encoding utf8 - echo "TRUSTED_SIGNING_METADATA_PATH=$metadataPath" | Out-File -FilePath ${env:GITHUB_ENV} -Encoding utf8 -Append + uses-trusted-signing: ${{ needs.configure_signing.outputs.uses_trusted_signing }} + certificate: ${{ secrets.CERTIFICATE }} + azure-sp-credentials: ${{ secrets.AZURE_SP_CREDENTIALS }} + trusted-signing-account: ${{ secrets.TRUSTED_SIGNING_ACCOUNT }} + trusted-signing-prod-profile: ${{ secrets.TRUSTED_SIGNING_PROD_PROFILE }} # The installer bundle needs the shared project for localization strings, # but it won't build the dependency on its own due to -p:BuildProjectReferences=false. 
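Review bot: The `with:` block of the new `Setup signing inputs` step hands all four secrets to the composite action on every signed run, although each signing mode needs only some of them: classic signing reads `certificate`, trusted signing reads the Azure credentials, account and profile. Gating each input on the mode keeps the unused secret out of the action's inputs, for example `certificate: ${{ needs.configure_signing.outputs.uses_trusted_signing == 'false' && secrets.CERTIFICATE || '' }}`. The action is also resolved from the `./SourceCache/ci-build` checkout, so it is worth confirming that the checkout step (outside this hunk) is pinned to the same ref as the workflow, because whatever is checked out there receives these secrets. The later hunks of this series show the same step in four other jobs, where the same gating would apply.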
@@ -5821,11 +5616,11 @@ jobs:
 -p:BaseOutputPath=${{ github.workspace }}\BinaryCache\installer\ `
 -p:Configuration=Release `
 -p:SignOutput=${{ inputs.signed }} `
- -p:CERTIFICATE=${env:CERTIFICATE} `
+ -p:CERTIFICATE=${{ steps.setup_signing.outputs.certificate-path }} `
 -p:PASSPHRASE=${{ secrets.PASSPHRASE }} `
- -p:SignToolPath=${env:SIGNTOOL_PATH} `
- -p:AzureSignMetadata=${env:TRUSTED_SIGNING_METADATA_PATH} `
- -p:AzureSignDlib=${env:TRUSTED_SIGNING_DLL_PATH} `
+ -p:SignToolPath=${{ steps.setup_signing.outputs.signtool-path }} `
+ -p:AzureSignMetadata=${{ steps.setup_signing.outputs.trusted-signing-metadata-path }} `
+ -p:AzureSignDlib=${{ steps.setup_signing.outputs.trusted-signing-dll-path }} `
 -p:ProductArchitecture=${{ matrix.arch }} `
 -p:ProductVersion=${{ inputs.swift_version }}-${{ inputs.swift_tag }} `
 ${{ github.workspace }}/SourceCache/swift-installer-scripts/platforms/Windows/shared/shared.wixproj
@@ -5842,11 +5637,11 @@ jobs:
 -p:Configuration=Release `
 -p:BuildProjectReferences=false `
 -p:SignOutput=${{ inputs.signed }} `
- -p:CERTIFICATE=${env:CERTIFICATE} `
+ -p:CERTIFICATE=${{ steps.setup_signing.outputs.certificate-path }} `
 -p:PASSPHRASE=${{ secrets.PASSPHRASE }} `
- -p:SignToolPath=${env:SIGNTOOL_PATH} `
- -p:AzureSignMetadata=${env:TRUSTED_SIGNING_METADATA_PATH} `
- -p:AzureSignDlib=${env:TRUSTED_SIGNING_DLL_PATH} `
+ -p:SignToolPath=${{ steps.setup_signing.outputs.signtool-path }} `
+ -p:AzureSignMetadata=${{ steps.setup_signing.outputs.trusted-signing-metadata-path }} `
+ -p:AzureSignDlib=${{ steps.setup_signing.outputs.trusted-signing-dll-path }} `
 -p:BundleFlavor=offline `
 -p:Platforms="`"$($Platforms -Join ';')`"" `
 -p:AndroidArchitectures="`"aarch64;armv7;i686;x86_64`"" `
@@ -5891,12 +5686,12 @@ jobs: -p:Configuration=Release ` -p:BuildProjectReferences=false ` -p:SignOutput=${{ inputs.signed }} ` - -p:CERTIFICATE=${env:CERTIFICATE} ` + -p:CERTIFICATE=${{ steps.setup_signing.outputs.certificate-path }} ` -p:PASSPHRASE=${{ secrets.PASSPHRASE }} ` -p:SWIFT_DOCC_RENDER_ARTIFACT_ROOT="${{ github.workspace }}\SourceCache\swift-docc-render-artifact" ` - -p:SignToolPath=${env:SIGNTOOL_PATH} ` - -p:AzureSignMetadata=${env:TRUSTED_SIGNING_METADATA_PATH} ` - -p:AzureSignDlib=${env:TRUSTED_SIGNING_DLL_PATH} ` + -p:SignToolPath=${{ steps.setup_signing.outputs.signtool-path }} ` + -p:AzureSignMetadata=${{ steps.setup_signing.outputs.trusted-signing-metadata-path }} ` + -p:AzureSignDlib=${{ steps.setup_signing.outputs.trusted-signing-dll-path }} ` -p:BundleFlavor=online ` -p:BaseReleaseDownloadUrl=$BaseReleaseDownloadUrl ` -p:Platforms="`"$($Platforms -Join ';')`"" ` From 1d60bef5c33c58c90f09dd35d7599f5f857ac857 Mon Sep 17 00:00:00 2001 From: Mohamed Hegazy Date: Fri, 28 Nov 2025 13:59:19 -0800 Subject: [PATCH 2/3] Quoate strings --- .github/workflows/swift-toolchain.yml | 128 +++++++++++++------------- 1 file changed, 64 insertions(+), 64 deletions(-) diff --git a/.github/workflows/swift-toolchain.yml b/.github/workflows/swift-toolchain.yml index f92e5f89d..ac1efb5ca 100644 --- a/.github/workflows/swift-toolchain.yml +++ b/.github/workflows/swift-toolchain.yml 
@@ -4450,11 +4450,11 @@ jobs:
 -p:BaseOutputPath=${{ github.workspace }}\BinaryCache\installer\ `
 -p:Configuration=Release `
 -p:SignOutput=${{ inputs.signed }} `
- -p:CERTIFICATE=${{ steps.setup_signing.outputs.certificate-path }} `
+ -p:CERTIFICATE="${{ steps.setup_signing.outputs.certificate-path }}" `
 -p:PASSPHRASE=${{ secrets.PASSPHRASE }} `
- -p:SignToolPath=${{ steps.setup_signing.outputs.signtool-path }} `
- -p:AzureSignMetadata=${{ steps.setup_signing.outputs.trusted-signing-metadata-path }} `
- -p:AzureSignDlib=${{ steps.setup_signing.outputs.trusted-signing-dll-path }} `
+ -p:SignToolPath="${{ steps.setup_signing.outputs.signtool-path }}" `
+ -p:AzureSignMetadata="${{ steps.setup_signing.outputs.trusted-signing-metadata-path }}" `
+ -p:AzureSignDlib="${{ steps.setup_signing.outputs.trusted-signing-dll-path }}" `
 -p:ImageRoot=${{ github.workspace }}/BuildRoot/Library/Developer `
 -p:WORKAROUND_MIMALLOC_ISSUE_997=false `
 -p:ProductVersion=${{ inputs.swift_version }} `
@@ -4467,11 +4467,11 @@ jobs:
 -p:BaseOutputPath=${{ github.workspace }}\BinaryCache\installer\ `
 -p:Configuration=Release `
 -p:SignOutput=${{ inputs.signed }} `
- -p:CERTIFICATE=${{ steps.setup_signing.outputs.certificate-path }} `
+ -p:CERTIFICATE="${{ steps.setup_signing.outputs.certificate-path }}" `
 -p:PASSPHRASE=${{ secrets.PASSPHRASE }} `
- -p:SignToolPath=${{ steps.setup_signing.outputs.signtool-path }} `
- -p:AzureSignMetadata=${{ steps.setup_signing.outputs.trusted-signing-metadata-path }} `
- -p:AzureSignDlib=${{ steps.setup_signing.outputs.trusted-signing-dll-path }} `
+ -p:SignToolPath="${{ steps.setup_signing.outputs.signtool-path }}" `
+ -p:AzureSignMetadata="${{ steps.setup_signing.outputs.trusted-signing-metadata-path }}" `
+ -p:AzureSignDlib="${{ steps.setup_signing.outputs.trusted-signing-dll-path }}" `
 -p:ImageRoot=${{ github.workspace }}/BuildRoot/Library/Developer `
 -p:WORKAROUND_MIMALLOC_ISSUE_997=false `
 -p:ProductVersion=${{ inputs.swift_version }} `
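Review bot: The double quotes added around the `steps.setup_signing.outputs.*` values keep a path with spaces together, but PowerShell still expands `$name`, `$(...)` and backtick escapes inside a double-quoted string, and the value is substituted into the script before it is parsed. The outputs appear to be runner-local paths, so this is hardening rather than a live bug; mapping each output into the step's `env:` and passing `-p:CERTIFICATE=${env:CERTIFICATE}`, as the pre-refactor code did, removes the substitution altogether. In the same commands `-p:PASSPHRASE=...` and `-p:ImageRoot=${{ github.workspace }}/...` stay unquoted, so the quoting is not yet uniform. This applies to every hunk of this patch, and each `run:` block starts outside its hunk.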
@@ -4484,12 +4484,12 @@ jobs:
 -p:BaseOutputPath=${{ github.workspace }}\BinaryCache\installer\ `
 -p:Configuration=Release `
 -p:SignOutput=${{ inputs.signed }} `
- -p:CERTIFICATE=${{ steps.setup_signing.outputs.certificate-path }} `
+ -p:CERTIFICATE="${{ steps.setup_signing.outputs.certificate-path }}" `
 -p:PASSPHRASE=${{ secrets.PASSPHRASE }} `
 -p:SWIFT_DOCC_RENDER_ARTIFACT_ROOT="${{ github.workspace }}\SourceCache\swift-docc-render-artifact" `
- -p:SignToolPath=${{ steps.setup_signing.outputs.signtool-path }} `
- -p:AzureSignMetadata=${{ steps.setup_signing.outputs.trusted-signing-metadata-path }} `
- -p:AzureSignDlib=${{ steps.setup_signing.outputs.trusted-signing-dll-path }} `
+ -p:SignToolPath="${{ steps.setup_signing.outputs.signtool-path }}" `
+ -p:AzureSignMetadata="${{ steps.setup_signing.outputs.trusted-signing-metadata-path }}" `
+ -p:AzureSignDlib="${{ steps.setup_signing.outputs.trusted-signing-dll-path }}" `
 -p:ImageRoot=${{ github.workspace }}/BuildRoot/Library/Developer `
 -p:ProductVersion=${{ inputs.swift_version }} `
 -p:ProductArchitecture=${{ matrix.arch }} `
@@ -4501,12 +4501,12 @@ jobs:
 -p:BaseOutputPath=${{ github.workspace }}\BinaryCache\installer\ `
 -p:Configuration=Release `
 -p:SignOutput=${{ inputs.signed }} `
- -p:CERTIFICATE=${{ steps.setup_signing.outputs.certificate-path }} `
+ -p:CERTIFICATE="${{ steps.setup_signing.outputs.certificate-path }}" `
 -p:PASSPHRASE=${{ secrets.PASSPHRASE }} `
 -p:SWIFT_DOCC_RENDER_ARTIFACT_ROOT="${{ github.workspace }}\SourceCache\swift-docc-render-artifact" `
- -p:SignToolPath=${{ steps.setup_signing.outputs.signtool-path }} `
- -p:AzureSignMetadata=${{ steps.setup_signing.outputs.trusted-signing-metadata-path }} `
- -p:AzureSignDlib=${{ steps.setup_signing.outputs.trusted-signing-dll-path }} `
+ -p:SignToolPath="${{ steps.setup_signing.outputs.signtool-path }}" `
+ -p:AzureSignMetadata="${{ steps.setup_signing.outputs.trusted-signing-metadata-path }}" `
+ -p:AzureSignDlib="${{ steps.setup_signing.outputs.trusted-signing-dll-path }}" `
 -p:ImageRoot=${{ github.workspace }}/BuildRoot/Library/Developer `
 -p:ProductVersion=${{ inputs.swift_version }} `
 -p:ProductArchitecture=${{ matrix.arch }} `
@@ -4518,11 +4518,11 @@ jobs:
 -p:BaseOutputPath=${{ github.workspace }}\BinaryCache\installer\ `
 -p:Configuration=Release `
 -p:SignOutput=${{ inputs.signed }} `
- -p:CERTIFICATE=${{ steps.setup_signing.outputs.certificate-path }} `
+ -p:CERTIFICATE="${{ steps.setup_signing.outputs.certificate-path }}" `
 -p:PASSPHRASE=${{ secrets.PASSPHRASE }} `
- -p:SignToolPath=${{ steps.setup_signing.outputs.signtool-path }} `
- -p:AzureSignMetadata=${{ steps.setup_signing.outputs.trusted-signing-metadata-path }} `
- -p:AzureSignDlib=${{ steps.setup_signing.outputs.trusted-signing-dll-path }} `
+ -p:SignToolPath="${{ steps.setup_signing.outputs.signtool-path }}" `
+ -p:AzureSignMetadata="${{ steps.setup_signing.outputs.trusted-signing-metadata-path }}" `
+ -p:AzureSignDlib="${{ steps.setup_signing.outputs.trusted-signing-dll-path }}" `
 -p:ImageRoot=${{ github.workspace }}/BuildRoot/Library/Developer `
 -p:ProductVersion=${{ inputs.swift_version }} `
 -p:ProductArchitecture=${{ matrix.arch }} `
@@ -4534,11 +4534,11 @@ jobs:
 -p:BaseOutputPath=${{ github.workspace }}\BinaryCache\installer\ `
 -p:Configuration=Release `
 -p:SignOutput=${{ inputs.signed }} `
- -p:CERTIFICATE=${{ steps.setup_signing.outputs.certificate-path }} `
+ -p:CERTIFICATE="${{ steps.setup_signing.outputs.certificate-path }}" `
 -p:PASSPHRASE=${{ secrets.PASSPHRASE }} `
- -p:SignToolPath=${{ steps.setup_signing.outputs.signtool-path }} `
- -p:AzureSignMetadata=${{ steps.setup_signing.outputs.trusted-signing-metadata-path }} `
- -p:AzureSignDlib=${{ steps.setup_signing.outputs.trusted-signing-dll-path }} `
+ -p:SignToolPath="${{ steps.setup_signing.outputs.signtool-path }}" `
+ -p:AzureSignMetadata="${{ steps.setup_signing.outputs.trusted-signing-metadata-path }}" `
+ -p:AzureSignDlib="${{ steps.setup_signing.outputs.trusted-signing-dll-path }}" `
 -p:ImageRoot=${{ github.workspace }}/BuildRoot/Library/Developer `
 -p:ProductVersion=${{ inputs.swift_version }} `
 -p:ProductArchitecture=${{ matrix.arch }} `
@@ -4550,11 +4550,11 @@ jobs:
 -p:BaseOutputPath=${{ github.workspace }}\BinaryCache\installer\ `
 -p:Configuration=Release `
 -p:SignOutput=${{ inputs.signed }} `
- -p:CERTIFICATE=${{ steps.setup_signing.outputs.certificate-path }} `
+ -p:CERTIFICATE="${{ steps.setup_signing.outputs.certificate-path }}" `
 -p:PASSPHRASE=${{ secrets.PASSPHRASE }} `
- -p:SignToolPath=${{ steps.setup_signing.outputs.signtool-path }} `
- -p:AzureSignMetadata=${{ steps.setup_signing.outputs.trusted-signing-metadata-path }} `
- -p:AzureSignDlib=${{ steps.setup_signing.outputs.trusted-signing-dll-path }} `
+ -p:SignToolPath="${{ steps.setup_signing.outputs.signtool-path }}" `
+ -p:AzureSignMetadata="${{ steps.setup_signing.outputs.trusted-signing-metadata-path }}" `
+ -p:AzureSignDlib="${{ steps.setup_signing.outputs.trusted-signing-dll-path }}" `
 -p:ImageRoot=${{ github.workspace }}/BuildRoot/Library/Developer `
 -p:ProductVersion=${{ inputs.swift_version }} `
 -p:ProductArchitecture=${{ matrix.arch }} `
@@ -4566,11 +4566,11 @@ jobs:
 -p:BaseOutputPath=${{ github.workspace }}\BinaryCache\installer\ `
 -p:Configuration=Release `
 -p:SignOutput=${{ inputs.signed }} `
- -p:CERTIFICATE=${{ steps.setup_signing.outputs.certificate-path }} `
+ -p:CERTIFICATE="${{ steps.setup_signing.outputs.certificate-path }}" `
 -p:PASSPHRASE=${{ secrets.PASSPHRASE }} `
- -p:SignToolPath=${{ steps.setup_signing.outputs.signtool-path }} `
- -p:AzureSignMetadata=${{ steps.setup_signing.outputs.trusted-signing-metadata-path }} `
- -p:AzureSignDlib=${{ steps.setup_signing.outputs.trusted-signing-dll-path }} `
+ -p:SignToolPath="${{ steps.setup_signing.outputs.signtool-path }}" `
+ -p:AzureSignMetadata="${{ steps.setup_signing.outputs.trusted-signing-metadata-path }}" `
+ -p:AzureSignDlib="${{ steps.setup_signing.outputs.trusted-signing-dll-path }}" `
 -p:ImageRoot=${{ github.workspace }}/BuildRoot/Library/Developer `
 -p:ProductVersion=${{ inputs.swift_version }} `
 -p:ProductArchitecture=${{ matrix.arch }} `
@@ -4582,11 +4582,11 @@ jobs:
 -p:BaseOutputPath=${{ github.workspace }}\BinaryCache\installer\ `
 -p:Configuration=Release `
 -p:SignOutput=${{ inputs.signed }} `
- -p:CERTIFICATE=${{ steps.setup_signing.outputs.certificate-path }} `
+ -p:CERTIFICATE="${{ steps.setup_signing.outputs.certificate-path }}" `
 -p:PASSPHRASE=${{ secrets.PASSPHRASE }} `
- -p:SignToolPath=${{ steps.setup_signing.outputs.signtool-path }} `
- -p:AzureSignMetadata=${{ steps.setup_signing.outputs.trusted-signing-metadata-path }} `
- -p:AzureSignDlib=${{ steps.setup_signing.outputs.trusted-signing-dll-path }} `
+ -p:SignToolPath="${{ steps.setup_signing.outputs.signtool-path }}" `
+ -p:AzureSignMetadata="${{ steps.setup_signing.outputs.trusted-signing-metadata-path }}" `
+ -p:AzureSignDlib="${{ steps.setup_signing.outputs.trusted-signing-dll-path }}" `
 -p:ImageRoot=${{ github.workspace }}/BuildRoot/Library/Developer `
 -p:ProductVersion=${{ inputs.swift_version }} `
 -p:ProductArchitecture=${{ matrix.arch }} `
@@ -4602,11 +4602,11 @@ jobs:
 -p:BaseOutputPath=${{ github.workspace }}\BinaryCache\installer\ `
 -p:Configuration=Release `
 -p:SignOutput=${{ inputs.signed }} `
- -p:CERTIFICATE=${{ steps.setup_signing.outputs.certificate-path }} `
+ -p:CERTIFICATE="${{ steps.setup_signing.outputs.certificate-path }}" `
 -p:PASSPHRASE=${{ secrets.PASSPHRASE }} `
- -p:SignToolPath=${{ steps.setup_signing.outputs.signtool-path }} `
- -p:AzureSignMetadata=${{ steps.setup_signing.outputs.trusted-signing-metadata-path }} `
- -p:AzureSignDlib=${{ steps.setup_signing.outputs.trusted-signing-dll-path }} `
+ -p:SignToolPath="${{ steps.setup_signing.outputs.signtool-path }}" `
+ -p:AzureSignMetadata="${{ steps.setup_signing.outputs.trusted-signing-metadata-path }}" `
+ -p:AzureSignDlib="${{ steps.setup_signing.outputs.trusted-signing-dll-path }}" `
 -p:ImageRoot=${{ github.workspace }}/BuildRoot/Library/Developer `
 -p:ProductVersion=${{ inputs.swift_version }} `
 -p:ProductArchitecture=${{ matrix.arch }} `
@@ -5051,11 +5051,11 @@ jobs:
 -p:BaseOutputPath=${{ github.workspace }}\BinaryCache\installer\ `
 -p:Configuration=Release `
 -p:SignOutput=${{ inputs.signed }} `
- -p:CERTIFICATE=${{ steps.setup_signing.outputs.certificate-path }} `
+ -p:CERTIFICATE="${{ steps.setup_signing.outputs.certificate-path }}" `
 -p:PASSPHRASE=${{ secrets.PASSPHRASE }} `
- -p:SignToolPath=${{ steps.setup_signing.outputs.signtool-path }} `
- -p:AzureSignMetadata=${{ steps.setup_signing.outputs.trusted-signing-metadata-path }} `
- -p:AzureSignDlib=${{ steps.setup_signing.outputs.trusted-signing-dll-path }} `
+ -p:SignToolPath="${{ steps.setup_signing.outputs.signtool-path }}" `
+ -p:AzureSignMetadata="${{ steps.setup_signing.outputs.trusted-signing-metadata-path }}" `
+ -p:AzureSignDlib="${{ steps.setup_signing.outputs.trusted-signing-dll-path }}" `
 -p:ImageRoot=${{ github.workspace }}/BuildRoot/Library/Developer `
 -p:ProductVersion=${{ inputs.swift_version }} `
 -p:ProductArchitecture=${{ inputs.build_arch }} `
@@ -5348,11 +5348,11 @@ jobs:
 -p:Configuration=Release `
 -p:SignOutput=${{ inputs.signed }} `
 -p:ANDROID_INCLUDE_DS2=true `
- -p:CERTIFICATE=${{ steps.setup_signing.outputs.certificate-path }} `
+ -p:CERTIFICATE="${{ steps.setup_signing.outputs.certificate-path }}" `
 -p:PASSPHRASE=${{ secrets.PASSPHRASE }} `
- -p:SignToolPath=${{ steps.setup_signing.outputs.signtool-path }} `
- -p:AzureSignMetadata=${{ steps.setup_signing.outputs.trusted-signing-metadata-path }} `
- -p:AzureSignDlib=${{ steps.setup_signing.outputs.trusted-signing-dll-path }} `
+ -p:SignToolPath="${{ steps.setup_signing.outputs.signtool-path }}" `
+ -p:AzureSignMetadata="${{ steps.setup_signing.outputs.trusted-signing-metadata-path }}" `
+ -p:AzureSignDlib="${{ steps.setup_signing.outputs.trusted-signing-dll-path }}" `
 -p:ImageRoot=${{ github.workspace }}/BuildRoot/Library/Developer `
 -p:ProductVersion=${{ inputs.swift_version }} `
 -p:ProductArchitecture=${{ inputs.build_arch }} `
@@ -5469,11 +5469,11 @@ jobs:
 -p:BaseOutputPath=${{ github.workspace }}\BinaryCache\installer\ `
 -p:Configuration=Release `
 -p:SignOutput=${{ inputs.signed }} `
- -p:CERTIFICATE=${{ steps.setup_signing.outputs.certificate-path }} `
+ -p:CERTIFICATE="${{ steps.setup_signing.outputs.certificate-path }}" `
 -p:PASSPHRASE=${{ secrets.PASSPHRASE }} `
- -p:SignToolPath=${{ steps.setup_signing.outputs.signtool-path }} `
- -p:AzureSignMetadata=${{ steps.setup_signing.outputs.trusted-signing-metadata-path }} `
- -p:AzureSignDlib=${{ steps.setup_signing.outputs.trusted-signing-dll-path }} `
+ -p:SignToolPath="${{ steps.setup_signing.outputs.signtool-path }}" `
+ -p:AzureSignMetadata="${{ steps.setup_signing.outputs.trusted-signing-metadata-path }}" `
+ -p:AzureSignDlib="${{ steps.setup_signing.outputs.trusted-signing-dll-path }}" `
 -p:ImageRoot=${{ github.workspace }}/BuildRoot/Library/Developer `
 -p:ProductVersion=${{ inputs.swift_version }} `
 -p:PythonVersion=${{ inputs.python_version }} `
@@ -5616,11 +5616,11 @@ jobs:
 -p:BaseOutputPath=${{ github.workspace }}\BinaryCache\installer\ `
 -p:Configuration=Release `
 -p:SignOutput=${{ inputs.signed }} `
- -p:CERTIFICATE=${{ steps.setup_signing.outputs.certificate-path }} `
+ -p:CERTIFICATE="${{ steps.setup_signing.outputs.certificate-path }}" `
 -p:PASSPHRASE=${{ secrets.PASSPHRASE }} `
- -p:SignToolPath=${{ steps.setup_signing.outputs.signtool-path }} `
- -p:AzureSignMetadata=${{ steps.setup_signing.outputs.trusted-signing-metadata-path }} `
- -p:AzureSignDlib=${{ steps.setup_signing.outputs.trusted-signing-dll-path }} `
+ -p:SignToolPath="${{ steps.setup_signing.outputs.signtool-path }}" `
+ -p:AzureSignMetadata="${{ steps.setup_signing.outputs.trusted-signing-metadata-path }}" `
+ -p:AzureSignDlib="${{ steps.setup_signing.outputs.trusted-signing-dll-path }}" `
 -p:ProductArchitecture=${{ matrix.arch }} `
 -p:ProductVersion=${{ inputs.swift_version }}-${{ inputs.swift_tag }} `
 ${{ github.workspace }}/SourceCache/swift-installer-scripts/platforms/Windows/shared/shared.wixproj
@@ -5637,11 +5637,11 @@ jobs:
 -p:Configuration=Release `
 -p:BuildProjectReferences=false `
 -p:SignOutput=${{ inputs.signed }} `
- -p:CERTIFICATE=${{ steps.setup_signing.outputs.certificate-path }} `
+ -p:CERTIFICATE="${{ steps.setup_signing.outputs.certificate-path }}" `
 -p:PASSPHRASE=${{ secrets.PASSPHRASE }} `
- -p:SignToolPath=${{ steps.setup_signing.outputs.signtool-path }} `
- -p:AzureSignMetadata=${{ steps.setup_signing.outputs.trusted-signing-metadata-path }} `
- -p:AzureSignDlib=${{ steps.setup_signing.outputs.trusted-signing-dll-path }} `
+ -p:SignToolPath="${{ steps.setup_signing.outputs.signtool-path }}" `
+ -p:AzureSignMetadata="${{ steps.setup_signing.outputs.trusted-signing-metadata-path }}" `
+ -p:AzureSignDlib="${{ steps.setup_signing.outputs.trusted-signing-dll-path }}" `
 -p:BundleFlavor=offline `
 -p:Platforms="`"$($Platforms -Join ';')`"" `
 -p:AndroidArchitectures="`"aarch64;armv7;i686;x86_64`"" `
@@ -5686,12 +5686,12 @@ jobs: -p:Configuration=Release ` -p:BuildProjectReferences=false ` -p:SignOutput=${{ inputs.signed }} ` - -p:CERTIFICATE=${{ steps.setup_signing.outputs.certificate-path }} ` + -p:CERTIFICATE="${{ steps.setup_signing.outputs.certificate-path }}" ` -p:PASSPHRASE=${{ secrets.PASSPHRASE }} ` -p:SWIFT_DOCC_RENDER_ARTIFACT_ROOT="${{ github.workspace }}\SourceCache\swift-docc-render-artifact" ` - -p:SignToolPath=${{ steps.setup_signing.outputs.signtool-path }} ` - -p:AzureSignMetadata=${{ steps.setup_signing.outputs.trusted-signing-metadata-path }} ` - -p:AzureSignDlib=${{ steps.setup_signing.outputs.trusted-signing-dll-path }} ` + -p:SignToolPath="${{ steps.setup_signing.outputs.signtool-path }}" ` + -p:AzureSignMetadata="${{ steps.setup_signing.outputs.trusted-signing-metadata-path }}" ` + -p:AzureSignDlib="${{ steps.setup_signing.outputs.trusted-signing-dll-path }}" ` -p:BundleFlavor=online ` -p:BaseReleaseDownloadUrl=$BaseReleaseDownloadUrl ` -p:Platforms="`"$($Platforms -Join ';')`"" ` From 6464026f1b7f45f576109ccac091d8d4afa42672 Mon Sep 17 00:00:00 2001 From: Mohamed Hegazy Date: Fri, 28 Nov 2025 14:02:24 -0800 Subject: [PATCH 3/3] Change file name --- .../action.yml | 0 .github/workflows/swift-toolchain.yml | 10 +++++----- 2 files changed, 5 insertions(+), 5 deletions(-) rename .github/actions/{setup-windows-signing => setup-signing}/action.yml (100%) diff --git a/.github/actions/setup-windows-signing/action.yml b/.github/actions/setup-signing/action.yml similarity index 100% rename from .github/actions/setup-windows-signing/action.yml rename to .github/actions/setup-signing/action.yml diff --git a/.github/workflows/swift-toolchain.yml b/.github/workflows/swift-toolchain.yml index ac1efb5ca..e64c9fd78 100644 --- a/.github/workflows/swift-toolchain.yml +++ b/.github/workflows/swift-toolchain.yml 
@@ -4436,7 +4436,7 @@ jobs: - name: Setup signing inputs id: setup_signing if: inputs.signed - uses: ./SourceCache/ci-build/.github/actions/setup-windows-signing + uses: ./SourceCache/ci-build/.github/actions/setup-signing with: uses-trusted-signing: ${{ needs.configure_signing.outputs.uses_trusted_signing }} certificate: ${{ secrets.CERTIFICATE }} @@ -5037,7 +5037,7 @@ jobs: - name: Setup signing inputs id: setup_signing if: inputs.signed - uses: ./SourceCache/ci-build/.github/actions/setup-windows-signing + uses: ./SourceCache/ci-build/.github/actions/setup-signing with: uses-trusted-signing: ${{ needs.configure_signing.outputs.uses_trusted_signing }} certificate: ${{ secrets.CERTIFICATE }} @@ -5332,7 +5332,7 @@ jobs: - name: Setup signing inputs id: setup_signing if: inputs.build_android && inputs.signed - uses: ./SourceCache/ci-build/.github/actions/setup-windows-signing + uses: ./SourceCache/ci-build/.github/actions/setup-signing with: uses-trusted-signing: ${{ needs.configure_signing.outputs.uses_trusted_signing }} certificate: ${{ secrets.CERTIFICATE }} @@ -5419,7 +5419,7 @@ jobs: - name: Setup signing inputs id: setup_signing if: inputs.signed - uses: ./SourceCache/ci-build/.github/actions/setup-windows-signing + uses: ./SourceCache/ci-build/.github/actions/setup-signing with: uses-trusted-signing: ${{ needs.configure_signing.outputs.uses_trusted_signing }} certificate: ${{ secrets.CERTIFICATE }} @@ -5600,7 +5600,7 @@ jobs: - name: Setup signing inputs id: setup_signing if: inputs.signed - uses: ./SourceCache/ci-build/.github/actions/setup-windows-signing + uses: ./SourceCache/ci-build/.github/actions/setup-signing with: uses-trusted-signing: ${{ needs.configure_signing.outputs.uses_trusted_signing }} certificate: ${{ secrets.CERTIFICATE }}