fix: pin signpath artifact configuration

2026-03-20 03:16:46 -07:00 · 2026-03-08 20:44:00 -07:00
parent f09c91494d
commit 2bbf38f987
5 changed files with 98 additions and 1 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -224,7 +224,7 @@ jobs:
        shell: bash
        run: |
          missing=0
-          for name in SIGNPATH_API_TOKEN SIGNPATH_ORGANIZATION_ID SIGNPATH_PROJECT_SLUG SIGNPATH_SIGNING_POLICY_SLUG; do
+          for name in SIGNPATH_API_TOKEN SIGNPATH_ORGANIZATION_ID SIGNPATH_PROJECT_SLUG SIGNPATH_SIGNING_POLICY_SLUG SIGNPATH_ARTIFACT_CONFIGURATION_SLUG; do
            if [ -z "${!name}" ]; then
              echo "Missing required secret: $name"
              missing=1
@@ -239,6 +239,7 @@ jobs:
          SIGNPATH_ORGANIZATION_ID: ${{ secrets.SIGNPATH_ORGANIZATION_ID }}
          SIGNPATH_PROJECT_SLUG: ${{ secrets.SIGNPATH_PROJECT_SLUG }}
          SIGNPATH_SIGNING_POLICY_SLUG: ${{ secrets.SIGNPATH_SIGNING_POLICY_SLUG }}
+          SIGNPATH_ARTIFACT_CONFIGURATION_SLUG: ${{ secrets.SIGNPATH_ARTIFACT_CONFIGURATION_SLUG }}

      - name: Install dependencies
        run: bun install --frozen-lockfile
@@ -272,6 +273,7 @@ jobs:
          organization-id: ${{ secrets.SIGNPATH_ORGANIZATION_ID }}
          project-slug: ${{ secrets.SIGNPATH_PROJECT_SLUG }}
          signing-policy-slug: ${{ secrets.SIGNPATH_SIGNING_POLICY_SLUG }}
+          artifact-configuration-slug: ${{ secrets.SIGNPATH_ARTIFACT_CONFIGURATION_SLUG }}
          github-artifact-id: ${{ steps.upload-unsigned-windows-artifact.outputs.artifact-id }}
          wait-for-completion: true
          output-artifact-directory: signed-windows-attempt-1
@@ -287,6 +289,7 @@ jobs:
          organization-id: ${{ secrets.SIGNPATH_ORGANIZATION_ID }}
          project-slug: ${{ secrets.SIGNPATH_PROJECT_SLUG }}
          signing-policy-slug: ${{ secrets.SIGNPATH_SIGNING_POLICY_SLUG }}
+          artifact-configuration-slug: ${{ secrets.SIGNPATH_ARTIFACT_CONFIGURATION_SLUG }}
          github-artifact-id: ${{ steps.upload-unsigned-windows-artifact.outputs.artifact-id }}
          wait-for-completion: true
          output-artifact-directory: signed-windows-attempt-2
@@ -302,6 +305,7 @@ jobs:
          organization-id: ${{ secrets.SIGNPATH_ORGANIZATION_ID }}
          project-slug: ${{ secrets.SIGNPATH_PROJECT_SLUG }}
          signing-policy-slug: ${{ secrets.SIGNPATH_SIGNING_POLICY_SLUG }}
+          artifact-configuration-slug: ${{ secrets.SIGNPATH_ARTIFACT_CONFIGURATION_SLUG }}
          github-artifact-id: ${{ steps.upload-unsigned-windows-artifact.outputs.artifact-id }}
          wait-for-completion: true
          output-artifact-directory: signed-windows-attempt-3
--- a/Pin-SignPath-artifact-configuration-in-release-workflow.md
+++ b/Pin-SignPath-artifact-configuration-in-release-workflow.md
@@ -0,0 +1,43 @@
+---
+id: TASK-136
+title: Pin SignPath artifact configuration in release workflow
+status: In Progress
+assignee:
+  - codex
+created_date: '2026-03-08 20:41'
+updated_date: '2026-03-08 20:41'
+labels:
+  - ci
+  - release
+  - windows
+  - signing
+dependencies:
+  - TASK-134
+references:
+  - .github/workflows/release.yml
+  - build/signpath-windows-artifact-config.xml
+  - src/release-workflow.test.ts
+priority: high
+---
+
+## Description
+
+<!-- SECTION:DESCRIPTION:BEGIN -->
+The Windows release workflow currently relies on the default SignPath artifact configuration configured in the SignPath UI. Pin the workflow to an explicit artifact-configuration slug so the checked-in signing configuration and CI behavior stay deterministic across future SignPath project changes.
+<!-- SECTION:DESCRIPTION:END -->
+
+## Acceptance Criteria
+<!-- AC:BEGIN -->
+- [ ] #1 The Windows release workflow validates a dedicated SignPath artifact-configuration secret/input.
+- [ ] #2 Every SignPath submission attempt passes `artifact-configuration-slug`.
+- [ ] #3 Regression coverage fails if the explicit SignPath artifact-configuration binding is removed.
+<!-- AC:END -->
+
+## Implementation Plan
+
+<!-- SECTION:PLAN:BEGIN -->
+1. Add a failing workflow regression test for the explicit SignPath artifact-configuration slug.
+2. Patch the Windows signing secret validation and SignPath action inputs to require the slug.
+3. Run targeted release-workflow verification plus the standard fast lane.
+4. Cut a new patch release so the tag-triggered release workflow runs with the pinned SignPath configuration.
+<!-- SECTION:PLAN:END -->
--- a/Cut-patch-release-v0.5.2-for-SignPath-artifact-config-pinning.md
+++ b/Cut-patch-release-v0.5.2-for-SignPath-artifact-config-pinning.md
@@ -0,0 +1,41 @@
+---
+id: TASK-137
+title: Cut patch release v0.5.2 for SignPath artifact config pinning
+status: In Progress
+assignee:
+  - codex
+created_date: '2026-03-08 20:44'
+updated_date: '2026-03-08 20:44'
+labels:
+  - release
+  - patch
+dependencies:
+  - TASK-136
+references:
+  - package.json
+  - CHANGELOG.md
+  - release/release-notes.md
+priority: high
+---
+
+## Description
+
+<!-- SECTION:DESCRIPTION:BEGIN -->
+Publish a patch release from the SignPath artifact-configuration pinning change by bumping the app version, generating the committed changelog artifacts for the new version, and pushing a new `v0.5.2` tag.
+<!-- SECTION:DESCRIPTION:END -->
+
+## Acceptance Criteria
+<!-- AC:BEGIN -->
+- [ ] #1 Repository version metadata is updated to `0.5.2`.
+- [ ] #2 `CHANGELOG.md` and `release/release-notes.md` contain the committed `v0.5.2` section and consumed fragments are removed.
+- [ ] #3 New `v0.5.2` commit and tag are pushed to `origin`.
+<!-- AC:END -->
+
+## Implementation Plan
+
+<!-- SECTION:PLAN:BEGIN -->
+1. Add the release fragment for the SignPath configuration pinning change.
+2. Bump `package.json` to `0.5.2` and run the changelog builder.
+3. Run changelog/typecheck/test verification.
+4. Commit the release-prep change set, create `v0.5.2`, and push commit plus tag.
+<!-- SECTION:PLAN:END -->
--- a/changes/signpath-artifact-config-pin.md
+++ b/changes/signpath-artifact-config-pin.md
@@ -0,0 +1,4 @@
+type: internal
+area: release
+
+- Pinned the Windows SignPath submission workflow to an explicit artifact-configuration slug instead of relying on the SignPath project's default configuration.
--- a/src/release-workflow.test.ts
+++ b/src/release-workflow.test.ts
@@ -47,6 +47,11 @@ test('windows release workflow retries SignPath submission and fails only after
  assert.match(releaseWorkflow, /All SignPath signing attempts failed; rerun the workflow when SignPath is healthy\./);
 });

+test('windows release workflow pins the SignPath artifact configuration slug explicitly', () => {
+  assert.match(releaseWorkflow, /SIGNPATH_ARTIFACT_CONFIGURATION_SLUG/);
+  assert.match(releaseWorkflow, /artifact-configuration-slug: \$\{\{ secrets\.SIGNPATH_ARTIFACT_CONFIGURATION_SLUG \}\}/);
+});
+
 test('Makefile routes Windows install-plugin setup through bun and documents Windows builds', () => {
  assert.match(makefile, /windows\) printf '%s\\n' "\[INFO\] Windows builds run via: bun run build:win" ;;/);
  assert.match(makefile, /bun \.\/scripts\/configure-plugin-binary-path\.mjs/);