Validate certificates used for signing

2025-12-10 09:32:29 +01:00 · 2024-11-16 20:51:22 +01:00
parent ef1d59e3b6
commit d784587374
1 changed files with 27 additions and 2 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -16,6 +16,16 @@ on:
      - '.github/workflows/localisation.yml'
      - '.gitignore'
      - '.vscode/**'
+  workflow_dispatch:
+    inputs:
+      sign:
+        description: Sign binaries
+        type: choice
+        options:
+          - test-signing
+          - release-signing
+        default: test-signing
+
 defaults:
  run:
    shell: bash
@@ -34,6 +44,11 @@ jobs:
  build_variables:
    name: Get version info
    runs-on: ubuntu-latest
+    # We want to sign tagged releases with release certificates, but it is only allowed to be ran manually.
+    # Disable automatic runs for tags and force release signing for tags.
+    if: |
+      (startsWith(github.ref, 'refs/tags/v') && github.event_name == 'workflow_dispatch' && github.event.inputs.sign == 'release-signing') ||
+      (!startsWith(github.ref, 'refs/tags/v') && github.event.inputs.sign != 'release-signing')
    outputs:
      name: ${{ steps.artifact-name.outputs.name }}
      describe: ${{ steps.ghd.outputs.describe }}
@@ -42,6 +57,7 @@ jobs:
      tag: ${{ steps.ghd.outputs.tag }}
      push: ${{ steps.setenv.outputs.push }}
      sign: ${{ steps.sign.outputs.sign }}
+      certificate: ${{ steps.sign.outputs.certificate }}
    steps:
      # We need to fetch entire repo to get the tags and correctly run `describe`
      - name: Check out code
@@ -80,7 +96,16 @@ jobs:
        id: sign
        run: |
          echo "sign=${{ env.SIGNPATH_API_TOKEN != '' && (needs.build_variables.outputs.push || startsWith(github.ref, 'refs/tags/v')) }}"
+          # if using workflow_dispatch, use the provided certificate
+          if [[ "$GITHUB_EVENT_NAME" == "workflow_dispatch" ]]; then
+            certificate=${{ github.event.inputs.sign }}
+          else
+            # Default to test-signing
+            certificate=test-signing
+          fi
+          echo "certificate=$certificate"
          echo "sign=${{ env.SIGNPATH_API_TOKEN != '' && (needs.build_variables.outputs.push || startsWith(github.ref, 'refs/tags/v')) }}" >> $GITHUB_OUTPUT
+          echo "certificate=$certificate" >> $GITHUB_OUTPUT
  lint-commit:
    name: Lint Commit Message
    if: github.event_name == 'pull_request'
@@ -186,7 +211,7 @@ jobs:
          api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
          organization-id: 645b821f-6283-45e1-8198-264997072801
          project-slug: OpenRCT2
-          signing-policy-slug: 'test-signing'
+          signing-policy-slug: ${{ needs.build_variables.outputs.certificate }}
          artifact-configuration-slug: 'binaries'
          github-artifact-id: ${{ steps.upload-windows-binaries-unsigned.outputs.artifact-id }}
          wait-for-completion: true
@@ -234,7 +259,7 @@ jobs:
          api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
          organization-id: 645b821f-6283-45e1-8198-264997072801
          project-slug: OpenRCT2
-          signing-policy-slug: 'test-signing'
+          signing-policy-slug: ${{ needs.build_variables.outputs.certificate }}
          artifact-configuration-slug: 'installer'
          github-artifact-id: ${{ steps.upload-windows-installer-unsigned.outputs.artifact-id }}
          wait-for-completion: true