| id | title | status | assignee | created_date | updated_date | labels | dependencies | references | priority | ordinal |
|---|---|---|---|---|---|---|---|---|---|---|
| TASK-136 | Pin SignPath artifact configuration in release workflow | Done | | 2026-03-08 20:41 | 2026-03-16 05:13 | | | | high | 48500 |
Description
The Windows release workflow currently relies on whichever artifact configuration is marked as default in the SignPath UI. Pin the workflow to an explicit artifact-configuration slug so the checked-in signing configuration and CI behavior stay deterministic across future SignPath project changes.
Acceptance Criteria
- #1 The Windows release workflow validates a dedicated SignPath artifact-configuration secret/input.
- #2 Every SignPath submission attempt passes artifact-configuration-slug.
- #3 Regression coverage fails if the explicit SignPath artifact-configuration binding is removed.
Implementation Plan
- Add a failing workflow regression test for the explicit SignPath artifact-configuration slug.
- Patch the Windows signing secret validation and SignPath action inputs to require the slug.
- Run targeted release-workflow verification plus the standard fast lane.
- Cut a new patch release so the tag-triggered release workflow runs with the pinned SignPath configuration.
Implementation Notes
Added regression coverage in src/release-workflow.test.ts for an explicit SignPath artifact-configuration slug so the release workflow test now fails if the slug validation or action input is removed.
Patched .github/workflows/release.yml so Windows signing now requires SIGNPATH_ARTIFACT_CONFIGURATION_SLUG during secret validation and passes artifact-configuration-slug: ${{ secrets.SIGNPATH_ARTIFACT_CONFIGURATION_SLUG }} on every SignPath submission attempt.
Verification: bun test src/release-workflow.test.ts, bun run typecheck, bun run test:fast.
Final Summary
The release workflow is now pinned to an explicit SignPath artifact configuration instead of relying on whichever SignPath artifact config is marked default in the UI. Windows signing secret validation fails fast if SIGNPATH_ARTIFACT_CONFIGURATION_SLUG is missing, and every SignPath submission attempt now includes the pinned slug.
Validation: bun test src/release-workflow.test.ts, bun run typecheck, bun run test:fast.
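A regression check of the kind acceptance criterion #3 describes, as an added example rather than the project's src/release-workflow.test.ts: it scans workflow text and reports any SignPath submission step that lacks the pinned slug, and a workflow whose validation step never references the secret. The workflow text is constructed, and the action reference signpath/github-action-submit-signing-request, the step names and the function names are assumptions not taken from this task.

```typescript
const SLUG_SECRET = "SIGNPATH_ARTIFACT_CONFIGURATION_SLUG"; // secret name from the task
const SIGNPATH_ACTION = "signpath/github-action-submit-signing-request"; // assumed action reference

interface SlugFinding { step: string; problem: string }

// Report every way the explicit artifact-configuration binding can silently disappear.
function checkSlugPinning(yaml: string): SlugFinding[] {
  // Anchored to the line start, so a commented-out input does not count as pinned.
  const pinned = /^\s*artifact-configuration-slug:\s*\$\{\{\s*secrets\.SIGNPATH_ARTIFACT_CONFIGURATION_SLUG\s*\}\}\s*$/m;
  const findings: SlugFinding[] = [];
  let submissions = 0;
  let validated = false;
  // One chunk per step: split before each list item that opens a step.
  for (const step of yaml.split(/\n(?=\s*-\s+(?:name|uses|id|run):)/)) {
    const name = /name:\s*(.+)/.exec(step)?.[1]?.trim() ?? "(unnamed step)";
    if (step.includes(`uses: ${SIGNPATH_ACTION}`)) {
      submissions++;
      if (!pinned.test(step)) findings.push({ step: name, problem: "submission without pinned slug" });
    } else if (/\brun:/.test(step) && step.includes(SLUG_SECRET)) {
      validated = true; // a script step that reads the secret counts as validation
    }
  }
  if (submissions === 0) findings.push({ step: "(workflow)", problem: "no SignPath submission step" });
  if (!validated) findings.push({ step: "(workflow)", problem: "slug secret is never validated" });
  return findings;
}

// Constructed sample workflow (not the project's release.yml).
// pinSecond=false comments the slug out of the retry attempt to simulate the regression.
function sampleWorkflow(pinSecond: boolean): string {
  const slug = "artifact-configuration-slug: ${{ secrets.SIGNPATH_ARTIFACT_CONFIGURATION_SLUG }}";
  const sign = (n: number, isPinned: boolean): string[] => [
    `      - name: Sign (attempt ${n})`,
    `        uses: ${SIGNPATH_ACTION}@v1`,
    "        with:",
    `          ${isPinned ? slug : "# " + slug}`,
  ];
  return [
    "jobs:", "  windows:", "    steps:",
    "      - name: Validate signing secrets",
    "        env:",
    "          SIGNPATH_ARTIFACT_CONFIGURATION_SLUG: ${{ secrets.SIGNPATH_ARTIFACT_CONFIGURATION_SLUG }}",
    '        run: test -n "$SIGNPATH_ARTIFACT_CONFIGURATION_SLUG"',
    ...sign(1, true), ...sign(2, pinSecond),
  ].join("\n");
}
```

Checking each submission step separately is what catches a retry attempt that lost the input while the first attempt still carries it.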