build: unify preinstalled skills bundling across dev/package/release and harden SignPath validation (#524)

2026-03-16 16:55:56 +08:00
parent f6128ed743
commit 4e3f3c83f6
10 changed files with 143 additions and 36 deletions
--- a/.github/workflows/package-win-manual.yml
+++ b/.github/workflows/package-win-manual.yml
@@ -52,7 +52,7 @@ jobs:
      - name: Build Windows package (no publish)
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: pnpm run build:vite && pnpm exec zx scripts/bundle-openclaw.mjs && pnpm exec electron-builder --win --publish never
+        run: pnpm run package:win

      - name: Upload Windows Installer (x64)
        uses: actions/upload-artifact@v4
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -83,6 +83,19 @@ jobs:
        if: matrix.platform == 'win'
        run: pnpm run package:win

+      - name: Validate unsigned Windows artifacts before SignPath
+        if: matrix.platform == 'win'
+        shell: pwsh
+        run: |
+          $unsignedExeFiles = Get-ChildItem -Path "release" -Filter *.exe -File
+          if (-not $unsignedExeFiles) {
+            throw "No unsigned .exe files found in release/ before SignPath upload"
+          }
+          $unsignedCount = $unsignedExeFiles.Count
+          "UNSIGNED_EXE_COUNT=$unsignedCount" | Out-File -FilePath $env:GITHUB_ENV -Append
+          Write-Host "Found $unsignedCount unsigned .exe file(s):"
+          $unsignedExeFiles | ForEach-Object { Write-Host " - $($_.Name)" }
+
      - name: Upload unsigned Windows artifacts for SignPath
        if: matrix.platform == 'win'
        id: upload-unsigned-windows-artifact
@@ -109,14 +122,23 @@ jobs:
        if: matrix.platform == 'win'
        shell: pwsh
        run: |
+          Write-Host "SignPath GitHub artifact ID: ${{ steps.upload-unsigned-windows-artifact.outputs.artifact-id }}"
          $signedExeFiles = Get-ChildItem -Path "release/signed" -Filter *.exe -File -Recurse
          if (-not $signedExeFiles) {
            throw "No signed .exe files found in release/signed"
          }
+          $signedCount = $signedExeFiles.Count
+          if ($env:UNSIGNED_EXE_COUNT -and ($signedCount -ne [int]$env:UNSIGNED_EXE_COUNT)) {
+            throw "Signed .exe count ($signedCount) does not match unsigned count ($env:UNSIGNED_EXE_COUNT)"
+          }
          foreach ($file in $signedExeFiles) {
            Copy-Item -Path $file.FullName -Destination "release/$($file.Name)" -Force
          }
-          Write-Host "Signed executables copied to release/"
+          $finalExeFiles = Get-ChildItem -Path "release" -Filter *.exe -File
+          if ($env:UNSIGNED_EXE_COUNT -and ($finalExeFiles.Count -ne [int]$env:UNSIGNED_EXE_COUNT)) {
+            throw "Final release .exe count ($($finalExeFiles.Count)) does not match unsigned count ($env:UNSIGNED_EXE_COUNT)"
+          }
+          Write-Host "Signed executables copied to release/ ($($finalExeFiles.Count) file(s))"

      # Linux specific steps
      - name: Build Linux
--- a/.github/workflows/win-build-test.yml
+++ b/.github/workflows/win-build-test.yml
@@ -40,6 +40,18 @@ jobs:
      - name: Build Windows
        run: pnpm run package:win

+      - name: Validate unsigned Windows artifacts before SignPath
+        shell: pwsh
+        run: |
+          $unsignedExeFiles = Get-ChildItem -Path "release" -Filter *.exe -File
+          if (-not $unsignedExeFiles) {
+            throw "No unsigned .exe files found in release/ before SignPath upload"
+          }
+          $unsignedCount = $unsignedExeFiles.Count
+          "UNSIGNED_EXE_COUNT=$unsignedCount" | Out-File -FilePath $env:GITHUB_ENV -Append
+          Write-Host "Found $unsignedCount unsigned .exe file(s):"
+          $unsignedExeFiles | ForEach-Object { Write-Host " - $($_.Name)" }
+
      # Required by SignPath Trusted Build: artifact must exist on GitHub first.
      - name: Upload unsigned Windows artifacts for SignPath
        id: upload-unsigned-windows-artifact
@@ -64,14 +76,23 @@ jobs:
      - name: Replace unsigned executables with signed ones
        shell: pwsh
        run: |
+          Write-Host "SignPath GitHub artifact ID: ${{ steps.upload-unsigned-windows-artifact.outputs.artifact-id }}"
          $signedExeFiles = Get-ChildItem -Path "release/signed" -Filter *.exe -File -Recurse
          if (-not $signedExeFiles) {
            throw "No signed .exe files found in release/signed"
          }
+          $signedCount = $signedExeFiles.Count
+          if ($env:UNSIGNED_EXE_COUNT -and ($signedCount -ne [int]$env:UNSIGNED_EXE_COUNT)) {
+            throw "Signed .exe count ($signedCount) does not match unsigned count ($env:UNSIGNED_EXE_COUNT)"
+          }
          foreach ($file in $signedExeFiles) {
            Copy-Item -Path $file.FullName -Destination "release/$($file.Name)" -Force
          }
-          Write-Host "Signed executables copied to release/"
+          $finalExeFiles = Get-ChildItem -Path "release" -Filter *.exe -File
+          if ($env:UNSIGNED_EXE_COUNT -and ($finalExeFiles.Count -ne [int]$env:UNSIGNED_EXE_COUNT)) {
+            throw "Final release .exe count ($($finalExeFiles.Count)) does not match unsigned count ($env:UNSIGNED_EXE_COUNT)"
+          }
+          Write-Host "Signed executables copied to release/ ($($finalExeFiles.Count) file(s))"

      - name: Upload signed Windows artifacts
        uses: actions/upload-artifact@v4