From 2bbf38f987d77d5ad3e119c6ce2798859787640c Mon Sep 17 00:00:00 2001
From: sudacode
Date: Sun, 8 Mar 2026 20:44:00 -0700
Subject: [PATCH] fix: pin signpath artifact configuration
---
.github/workflows/release.yml | 6 ++-
...ifact-configuration-in-release-workflow.md | 43 +++++++++++++++++++
....2-for-SignPath-artifact-config-pinning.md | 41 ++++++++++++++++++
changes/signpath-artifact-config-pin.md | 4 ++
src/release-workflow.test.ts | 5 +++
5 files changed, 98 insertions(+), 1 deletion(-)
create mode 100644 backlog/tasks/task-136 - Pin-SignPath-artifact-configuration-in-release-workflow.md
create mode 100644 backlog/tasks/task-137 - Cut-patch-release-v0.5.2-for-SignPath-artifact-config-pinning.md
create mode 100644 changes/signpath-artifact-config-pin.md
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 62bfcbf..a534e9b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -224,7 +224,7 @@ jobs:
 shell: bash
 run: |
 missing=0
- for name in SIGNPATH_API_TOKEN SIGNPATH_ORGANIZATION_ID SIGNPATH_PROJECT_SLUG SIGNPATH_SIGNING_POLICY_SLUG; do
+ for name in SIGNPATH_API_TOKEN SIGNPATH_ORGANIZATION_ID SIGNPATH_PROJECT_SLUG SIGNPATH_SIGNING_POLICY_SLUG SIGNPATH_ARTIFACT_CONFIGURATION_SLUG; do
 if [ -z "${!name}" ]; then
 echo "Missing required secret: $name"
 missing=1
@@ -239,6 +239,7 @@ jobs:
 SIGNPATH_ORGANIZATION_ID: ${{ secrets.SIGNPATH_ORGANIZATION_ID }}
 SIGNPATH_PROJECT_SLUG: ${{ secrets.SIGNPATH_PROJECT_SLUG }}
 SIGNPATH_SIGNING_POLICY_SLUG: ${{ secrets.SIGNPATH_SIGNING_POLICY_SLUG }}
+ SIGNPATH_ARTIFACT_CONFIGURATION_SLUG: ${{ secrets.SIGNPATH_ARTIFACT_CONFIGURATION_SLUG }}
 - name: Install dependencies
 run: bun install --frozen-lockfile
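Review bot: The artifact-configuration slug is wired through `secrets.` in the validation env added at `@@ -239` and in all three submission attempts (the `@@ -272`, `@@ -287` and `@@ -302` hunks), so the value that "pins" the SignPath configuration is never visible in the repository and is masked in job logs; a reviewer cannot tell which artifact configuration a signed release actually used, and drift against the checked-in artifact config that TASK-136 references would only surface as a SignPath-side rejection. A slug is an identifier rather than a credential, so if the project does not consider it sensitive, a repository variable keeps the pin auditable: `artifact-configuration-slug: ${{ vars.SIGNPATH_ARTIFACT_CONFIGURATION_SLUG }}` in each attempt, with the env mapping in the validation step switched to `vars.` as well (the `${!name}` loop itself can stay, though its `Missing required secret:` message would then be slightly misleading for this entry). If it has to remain a secret, a one-line comment on the new env entry saying why the slug is treated as secret would spare the next maintainer the same question. The `run:` block and the step definitions these lines belong to begin outside the hunks.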
@@ -272,6 +273,7 @@ jobs:
 organization-id: ${{ secrets.SIGNPATH_ORGANIZATION_ID }}
 project-slug: ${{ secrets.SIGNPATH_PROJECT_SLUG }}
 signing-policy-slug: ${{ secrets.SIGNPATH_SIGNING_POLICY_SLUG }}
+ artifact-configuration-slug: ${{ secrets.SIGNPATH_ARTIFACT_CONFIGURATION_SLUG }}
 github-artifact-id: ${{ steps.upload-unsigned-windows-artifact.outputs.artifact-id }}
 wait-for-completion: true
 output-artifact-directory: signed-windows-attempt-1
@@ -287,6 +289,7 @@ jobs:
 organization-id: ${{ secrets.SIGNPATH_ORGANIZATION_ID }}
 project-slug: ${{ secrets.SIGNPATH_PROJECT_SLUG }}
 signing-policy-slug: ${{ secrets.SIGNPATH_SIGNING_POLICY_SLUG }}
+ artifact-configuration-slug: ${{ secrets.SIGNPATH_ARTIFACT_CONFIGURATION_SLUG }}
 github-artifact-id: ${{ steps.upload-unsigned-windows-artifact.outputs.artifact-id }}
 wait-for-completion: true
 output-artifact-directory: signed-windows-attempt-2
@@ -302,6 +305,7 @@ jobs:
 organization-id: ${{ secrets.SIGNPATH_ORGANIZATION_ID }}
 project-slug: ${{ secrets.SIGNPATH_PROJECT_SLUG }}
 signing-policy-slug: ${{ secrets.SIGNPATH_SIGNING_POLICY_SLUG }}
+ artifact-configuration-slug: ${{ secrets.SIGNPATH_ARTIFACT_CONFIGURATION_SLUG }}
 github-artifact-id: ${{ steps.upload-unsigned-windows-artifact.outputs.artifact-id }}
 wait-for-completion: true
 output-artifact-directory: signed-windows-attempt-3
diff --git a/backlog/tasks/task-136 - Pin-SignPath-artifact-configuration-in-release-workflow.md b/backlog/tasks/task-136 - Pin-SignPath-artifact-configuration-in-release-workflow.md
new file mode 100644
index 0000000..bc63a01
--- /dev/null
+++ b/backlog/tasks/task-136 - Pin-SignPath-artifact-configuration-in-release-workflow.md
@@ -0,0 +1,43 @@
+---
+id: TASK-136
+title: Pin SignPath artifact configuration in release workflow
+status: In Progress
+assignee:
+ - codex
+created_date: '2026-03-08 20:41'
+updated_date: '2026-03-08 20:41'
+labels:
+ - ci
+ - release
+ - windows
+ - signing
+dependencies:
+ - TASK-134
+references:
+ - .github/workflows/release.yml
+ - build/signpath-windows-artifact-config.xml
+ - src/release-workflow.test.ts
+priority: high
+---
+
+## Description
+
+
+The Windows release workflow currently relies on the default SignPath artifact configuration configured in the SignPath UI. Pin the workflow to an explicit artifact-configuration slug so the checked-in signing configuration and CI behavior stay deterministic across future SignPath project changes.
+
+
+## Acceptance Criteria
+
+- [ ] #1 The Windows release workflow validates a dedicated SignPath artifact-configuration secret/input.
+- [ ] #2 Every SignPath submission attempt passes `artifact-configuration-slug`.
+- [ ] #3 Regression coverage fails if the explicit SignPath artifact-configuration binding is removed.
+
+
+## Implementation Plan
+
+
+1. Add a failing workflow regression test for the explicit SignPath artifact-configuration slug.
+2. Patch the Windows signing secret validation and SignPath action inputs to require the slug.
+3. Run targeted release-workflow verification plus the standard fast lane.
+4. Cut a new patch release so the tag-triggered release workflow runs with the pinned SignPath configuration.
+
diff --git a/backlog/tasks/task-137 - Cut-patch-release-v0.5.2-for-SignPath-artifact-config-pinning.md b/backlog/tasks/task-137 - Cut-patch-release-v0.5.2-for-SignPath-artifact-config-pinning.md
new file mode 100644
index 0000000..cc761d7
--- /dev/null
+++ b/backlog/tasks/task-137 - Cut-patch-release-v0.5.2-for-SignPath-artifact-config-pinning.md
@@ -0,0 +1,41 @@
+---
+id: TASK-137
+title: Cut patch release v0.5.2 for SignPath artifact config pinning
+status: In Progress
+assignee:
+ - codex
+created_date: '2026-03-08 20:44'
+updated_date: '2026-03-08 20:44'
+labels:
+ - release
+ - patch
+dependencies:
+ - TASK-136
+references:
+ - package.json
+ - CHANGELOG.md
+ - release/release-notes.md
+priority: high
+---
+
+## Description
+
+
+Publish a patch release from the SignPath artifact-configuration pinning change by bumping the app version, generating the committed changelog artifacts for the new version, and pushing a new `v0.5.2` tag.
+
+
+## Acceptance Criteria
+
+- [ ] #1 Repository version metadata is updated to `0.5.2`.
+- [ ] #2 `CHANGELOG.md` and `release/release-notes.md` contain the committed `v0.5.2` section and consumed fragments are removed.
+- [ ] #3 New `v0.5.2` commit and tag are pushed to `origin`.
+
+
+## Implementation Plan
+
+
+1. Add the release fragment for the SignPath configuration pinning change.
+2. Bump `package.json` to `0.5.2` and run the changelog builder.
+3. Run changelog/typecheck/test verification.
+4. Commit the release-prep change set, create `v0.5.2`, and push commit plus tag.
+
diff --git a/changes/signpath-artifact-config-pin.md b/changes/signpath-artifact-config-pin.md
new file mode 100644
index 0000000..c1d0a28
--- /dev/null
+++ b/changes/signpath-artifact-config-pin.md
@@ -0,0 +1,4 @@
+type: internal
+area: release
+
+- Pinned the Windows SignPath submission workflow to an explicit artifact-configuration slug instead of relying on the SignPath project's default configuration.
diff --git a/src/release-workflow.test.ts b/src/release-workflow.test.ts
index 1c274d1..97ee380 100644
--- a/src/release-workflow.test.ts
+++ b/src/release-workflow.test.ts
@@ -47,6 +47,11 @@ test('windows release workflow retries SignPath submission and fails only after
 assert.match(releaseWorkflow, /All SignPath signing attempts failed; rerun the workflow when SignPath is healthy\./);
 });
 
+test('windows release workflow pins the SignPath artifact configuration slug explicitly', () => {
+ assert.match(releaseWorkflow, /SIGNPATH_ARTIFACT_CONFIGURATION_SLUG/);
+ assert.match(releaseWorkflow, /artifact-configuration-slug: \$\{\{ secrets\.SIGNPATH_ARTIFACT_CONFIGURATION_SLUG \}\}/);
+});
+
 test('Makefile routes Windows install-plugin setup through bun and documents Windows builds', () => {
 assert.match(makefile, /windows\) printf '%s\\n' "\[INFO\] Windows builds run via: bun run build:win" ;;/);
 assert.match(makefile, /bun \.\/scripts\/configure-plugin-binary-path\.mjs/);
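Review bot: The new `pins the SignPath artifact configuration slug explicitly` test only proves the binding appears at least once, because `assert.match` is satisfied by a single occurrence; removing `artifact-configuration-slug` from attempt 2 or 3 in release.yml would still pass, which falls short of TASK-136's acceptance criterion #2 ("every SignPath submission attempt"). Counting occurrences pins all three attempts: `assert.strictEqual(releaseWorkflow.match(/artifact-configuration-slug: \$\{\{ secrets\.SIGNPATH_ARTIFACT_CONFIGURATION_SLUG \}\}/g)?.length, 3);`. The first assertion, `/SIGNPATH_ARTIFACT_CONFIGURATION_SLUG/`, is implied by the second and adds no coverage; tightening it to the required-secret loop, e.g. matching `SIGNPATH_SIGNING_POLICY_SLUG SIGNPATH_ARTIFACT_CONFIGURATION_SLUG; do`, would make the validation-step half of the change regression-tested as well. `releaseWorkflow` is loaded outside the hunk.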