chore(ci): update SignPath configuration for Windows signing (#516)

2026-03-16 13:33:35 +08:00
parent 9ec23174c0
commit 75789b9947
4 changed files with 138 additions and 41 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -15,6 +15,7 @@ on:
 permissions:
  contents: write
  actions: read
 jobs:
  release:
@@ -32,30 +33,18 @@ jobs:
    steps:
      - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - name: Setup pnpm
        uses: pnpm/action-setup@v4
      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version: '24'
-
+          cache: 'pnpm'
      - name: Setup pnpm
        uses: pnpm/action-setup@v4
      - name: Get pnpm store directory
        shell: bash
        run: |
          echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
      - name: Setup pnpm cache
        uses: actions/cache@v4
        with:
          path: ${{ env.STORE_PATH }}
          key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
          restore-keys: |
            ${{ runner.os }}-pnpm-store-
      - name: Install dependencies
        run: pnpm install
@@ -87,21 +76,52 @@ jobs:
        run: |
          ulimit -n 65536
          echo "File descriptor limit: $(ulimit -n)"
-          pnpm run build:vite && pnpm exec zx scripts/bundle-openclaw.mjs && pnpm exec electron-builder --mac --publish never
+          pnpm run package:mac
      # Windows specific steps
      - name: Build Windows
        if: matrix.platform == 'win'
-        env:
+        run: pnpm run package:win
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
-        run: pnpm run build:vite && pnpm exec zx scripts/bundle-openclaw.mjs && pnpm exec electron-builder --win --publish never
+      - name: Upload unsigned Windows artifacts for SignPath
        if: matrix.platform == 'win'
        id: upload-unsigned-windows-artifact
        uses: actions/upload-artifact@v4
        with:
          name: unsigned-win-exe-${{ github.run_id }}-${{ github.run_attempt }}
          path: release/*.exe
          retention-days: 1
      - name: Sign Windows artifacts via SignPath
        if: matrix.platform == 'win'
        id: signpath-sign-windows
        uses: signpath/github-action-submit-signing-request@v2
        with:
          api-token: ${{ secrets.SIGNPATH_API_TOKEN }}
          organization-id: "78e37079-23df-4800-b41c-33312ad7c1e3"
          project-slug: "ValueCell"
          signing-policy-slug: "ValueCell-sign"
          github-artifact-id: ${{ steps.upload-unsigned-windows-artifact.outputs.artifact-id }}
          wait-for-completion: true
          output-artifact-directory: release/signed
      - name: Replace unsigned executables with signed ones
        if: matrix.platform == 'win'
        shell: pwsh
        run: |
          $signedExeFiles = Get-ChildItem -Path "release/signed" -Filter *.exe -File -Recurse
          if (-not $signedExeFiles) {
            throw "No signed .exe files found in release/signed"
          }
          foreach ($file in $signedExeFiles) {
            Copy-Item -Path $file.FullName -Destination "release/$($file.Name)" -Force
          }
          Write-Host "Signed executables copied to release/"
      # Linux specific steps
      - name: Build Linux
        if: matrix.platform == 'linux'
-        env:
+        run: pnpm run package:linux
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: pnpm run build:vite && pnpm exec zx scripts/bundle-openclaw.mjs && pnpm exec electron-builder --linux --publish never
      - name: Upload artifacts
        uses: actions/upload-artifact@v4
@@ -127,10 +147,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
-      - name: Checkout code
+      - name: Download release artifacts only
        uses: actions/checkout@v4
      - name: Download all artifacts
        uses: actions/download-artifact@v4
        with:
          path: release-artifacts
@@ -222,10 +239,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
-      - name: Checkout code
+      - name: Download release artifacts only
        uses: actions/checkout@v4
      - name: Download all artifacts
        uses: actions/download-artifact@v4
        with:
          path: release-artifacts
--- a/.github/workflows/win-build-test.yml
+++ b/.github/workflows/win-build-test.yml
@@ -0,0 +1,83 @@
 name: Windows Build Test
 on:
  workflow_dispatch:
    inputs:
      version:
        description: "Version for SignPath parameter (e.g., 1.0.0-test.1)"
        required: false
        default: "dev"
 permissions:
  contents: read
  actions: read
 jobs:
  windows-build-sign:
    runs-on: windows-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v6
        with:
          fetch-depth: 0
      - name: Setup pnpm
        uses: pnpm/action-setup@v4
      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version: "24"
          cache: "pnpm"
      - name: Install dependencies
        run: pnpm install
      - name: Download uv binaries for Windows
        run: pnpm run uv:download:win
      - name: Build Windows
        run: pnpm run package:win
      # Required by SignPath Trusted Build: artifact must exist on GitHub first.
      - name: Upload unsigned Windows artifacts for SignPath
        id: upload-unsigned-windows-artifact
        uses: actions/upload-artifact@v4
        with:
          name: unsigned-win-exe-${{ github.run_id }}-${{ github.run_attempt }}
          path: release/*.exe
          retention-days: 1
      - name: Sign Windows artifacts via SignPath
        id: signpath-sign-windows
        uses: signpath/github-action-submit-signing-request@v2
        with:
          api-token: ${{ secrets.SIGNPATH_API_TOKEN }}
          organization-id: "78e37079-23df-4800-b41c-33312ad7c1e3"
          project-slug: "ValueCell"
          signing-policy-slug: "ValueCell-sign"
          github-artifact-id: ${{ steps.upload-unsigned-windows-artifact.outputs.artifact-id }}
          wait-for-completion: true
          output-artifact-directory: release/signed
      - name: Replace unsigned executables with signed ones
        shell: pwsh
        run: |
          $signedExeFiles = Get-ChildItem -Path "release/signed" -Filter *.exe -File -Recurse
          if (-not $signedExeFiles) {
            throw "No signed .exe files found in release/signed"
          }
          foreach ($file in $signedExeFiles) {
            Copy-Item -Path $file.FullName -Destination "release/$($file.Name)" -Force
          }
          Write-Host "Signed executables copied to release/"
      - name: Upload signed Windows artifacts
        uses: actions/upload-artifact@v4
        with:
          name: signed-win-exe-${{ github.run_id }}-${{ github.run_attempt }}
          path: |
            release/*.exe
            release/latest*.yml
          retention-days: 7
--- a/electron-builder.yml
+++ b/electron-builder.yml
@@ -114,9 +114,9 @@ win:
  icon: resources/icons/icon.ico
  target:
    - target: nsis
-      arch:
+      arch: x64
-        - x64
+    - target: nsis
-        - arm64
+      arch: arm64
 nsis:
  oneClick: false
--- a/package.json
+++ b/package.json
@@ -40,11 +40,11 @@
        "uv:download:linux": "zx scripts/download-bundled-uv.mjs --platform=linux",
        "uv:download:all": "zx scripts/download-bundled-uv.mjs --all",
        "icons": "zx scripts/generate-icons.mjs",
-        "package": "vite build && zx scripts/bundle-openclaw.mjs && zx scripts/bundle-openclaw-plugins.mjs && zx scripts/bundle-preinstalled-skills.mjs && electron-builder",
+        "package": "vite build && zx scripts/bundle-openclaw.mjs && zx scripts/bundle-openclaw-plugins.mjs",
-        "package:mac": "vite build && zx scripts/bundle-openclaw.mjs && zx scripts/bundle-openclaw-plugins.mjs && zx scripts/bundle-preinstalled-skills.mjs && electron-builder --mac",
+        "package:mac": "pnpm run package && electron-builder --mac --publish never",
-        "package:win": "vite build && zx scripts/bundle-openclaw.mjs && zx scripts/bundle-openclaw-plugins.mjs && zx scripts/bundle-preinstalled-skills.mjs && electron-builder --win",
+        "package:win": "pnpm run package && electron-builder --win --publish never",
-        "package:linux": "vite build && zx scripts/bundle-openclaw.mjs && zx scripts/bundle-openclaw-plugins.mjs && zx scripts/bundle-preinstalled-skills.mjs && electron-builder --linux",
+        "package:linux": "pnpm run package && electron-builder --linux --publish never",
-        "release": "pnpm run uv:download && vite build && zx scripts/bundle-openclaw.mjs && zx scripts/bundle-openclaw-plugins.mjs && zx scripts/bundle-preinstalled-skills.mjs && electron-builder --publish always",
+        "release": "pnpm run uv:download && pnpm run package && electron-builder --publish always",
        "version:patch": "pnpm version patch",
        "version:minor": "pnpm version minor",
        "version:major": "pnpm version major",