From 0f4a1f950e94e5a962dc39bb16b5f33d2c1ef619 Mon Sep 17 00:00:00 2001
From: luisangelsm
Date: Thu, 5 Mar 2026 22:03:05 +0100
Subject: [PATCH] Start signing YACReader 10 dev builds that get published
---
 .github/workflows/build.yml | 38 ++++++++++++++++++-------------------
 1 file changed, 19 insertions(+), 19 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index f93ce14e..4df9ccc2 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -13,8 +13,8 @@ on:
 - yacreader10
 env:
- IS_ORIGINAL_REPO: ${{ github.repository == 'YACReader/yacreader' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/develop') }}
- IS_FORK: ${{ github.repository != 'YACReader/yacreader' || (github.ref != 'refs/heads/master' && github.ref != 'refs/heads/develop') }}
+ IS_ORIGINAL_REPO: ${{ github.repository == 'YACReader/yacreader' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/develop' || github.ref == 'refs/heads/yacreader10') }}
+ IS_FORK: ${{ github.repository != 'YACReader/yacreader' || (github.ref != 'refs/heads/master' && github.ref != 'refs/heads/develop' && github.ref != 'refs/heads/yacreader10') }}
 jobs:
 # Build number generation
@@ -141,7 +141,7 @@ jobs:
 npm install -g appdmg
 - name: Import Code Signing Certificate
- if: github.repository == 'YACReader/yacreader' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/develop')
+ if: github.repository == 'YACReader/yacreader' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/develop' || github.ref == 'refs/heads/yacreader10')
 uses: apple-actions/import-codesign-certs@v2
 with:
 p12-file-base64: ${{ secrets.MACOS_CERTIFICATE_P12_BASE64 }}
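Review bot: The branch allow-list is now maintained in `IS_ORIGINAL_REPO`, yet the sixteen step conditions changed further down this patch (certificate import, Notarize, the SignPath uploads and submissions, the replace and verify steps) each repeat the same literal expression. With that many copies, a later branch change that misses one step can leave a run where the upload happens but the signing or the replacement is skipped, and an unsigned binary gets packaged without any error. Step-level `if:` can read the workflow `env`, so each gate could be `if: env.IS_ORIGINAL_REPO == 'true'`. `IS_FORK` is a hand-negated copy of the same list and carries the same drift risk.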
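Review bot: `apple-actions/import-codesign-certs@v2` is handed the macOS signing certificate but is referenced by a mutable tag; the same applies to `signpath/github-action-submit-signing-request@v1`, which receives `SIGNPATH_API_TOKEN` in the Windows hunks of this patch. Since this commit makes both run for one more branch, it would be a good point to pin them to a full commit SHA, e.g. `uses: apple-actions/import-codesign-certs@<full-commit-sha>  # v2`, so that a moved tag cannot change the code that handles the secrets. The step's `with:` block continues outside the hunk.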
@@ -160,7 +160,7 @@ jobs:
 run: ctest --test-dir build --output-on-failure
 - name: Notarize
- if: github.repository == 'YACReader/yacreader' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/develop')
+ if: github.repository == 'YACReader/yacreader' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/develop' || github.ref == 'refs/heads/yacreader10')
 run: |
 xcrun notarytool submit *.dmg --apple-id "${{ secrets.MACOS_APPLE_ID }}" --team-id "${{ secrets.MACOS_TEAM_ID }}" --password "${{ secrets.MACOS_APP_PASSWORD }}" --wait
 xcrun stapler staple *.dmg
@@ -212,7 +212,7 @@ jobs:
 ctest --test-dir build --output-on-failure
 - name: Upload executables for signing
- if: github.repository == 'YACReader/yacreader' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/develop')
+ if: github.repository == 'YACReader/yacreader' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/develop' || github.ref == 'refs/heads/yacreader10')
 uses: actions/upload-artifact@v4
 id: upload_executables
 with:
@@ -223,7 +223,7 @@ jobs:
 build/bin/YACReaderLibraryServer.exe
 - name: Sign executables with SignPath
- if: github.repository == 'YACReader/yacreader' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/develop')
+ if: github.repository == 'YACReader/yacreader' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/develop' || github.ref == 'refs/heads/yacreader10')
 uses: signpath/github-action-submit-signing-request@v1
 with:
 api-token: ${{ secrets.SIGNPATH_API_TOKEN }}
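Review bot: The Notarize step, now also enabled for `yacreader10`, expands the Apple ID, team ID and app password secrets directly into the script text of `run:`. The value is pasted before the shell parses the line, so a secret containing a double quote, `$` or a backtick is interpreted by the shell instead of being passed as data. GitHub's hardening guidance is to hand secrets to the step through `env:` and reference them as shell variables. The step would gain an `env:` map for the three secrets and the `notarytool` line would use the variables, as below.

```yaml
# … unchanged: name and if: of the Notarize step …
env:
  MACOS_APPLE_ID: ${{ secrets.MACOS_APPLE_ID }}
  MACOS_TEAM_ID: ${{ secrets.MACOS_TEAM_ID }}
  MACOS_APP_PASSWORD: ${{ secrets.MACOS_APP_PASSWORD }}
run: |
  xcrun notarytool submit *.dmg --apple-id "$MACOS_APPLE_ID" --team-id "$MACOS_TEAM_ID" --password "$MACOS_APP_PASSWORD" --wait
  # … unchanged: xcrun stapler staple …
```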
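Review bot: Nothing near the "Sign executables with SignPath" gate records that `yacreader10` is now a signing branch. From this commit on, a push to it submits binaries to SignPath with `SIGNPATH_API_TOKEN`, so the ref name alone decides who obtains signed output. I would add a comment above the step, `# Signing refs (master, develop, yacreader10) must all be protected branches: a push to any of them yields signed binaries`, and confirm that the new branch has the same protection rules as the other two, which this patch does not show. The step's `with:` block continues outside the hunk.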
@@ -237,7 +237,7 @@ jobs:
 output-artifact-directory: build/bin/signed
 - name: Replace with signed executables
- if: github.repository == 'YACReader/yacreader' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/develop')
+ if: github.repository == 'YACReader/yacreader' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/develop' || github.ref == 'refs/heads/yacreader10')
 shell: pwsh
 run: |
 Write-Host "=== Replacing executables with signed versions ==="
@@ -259,7 +259,7 @@ jobs:
 .\create_installer.cmd x64 7z ${{ needs.initialization.outputs.build_number }}
 - name: Verify installer was created
- if: github.repository == 'YACReader/yacreader' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/develop')
+ if: github.repository == 'YACReader/yacreader' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/develop' || github.ref == 'refs/heads/yacreader10')
 shell: pwsh
 run: |
 if (-not (Test-Path "ci/win/Output/YACReader*.exe")) {
@@ -268,7 +268,7 @@ jobs:
 Get-ChildItem "ci/win/Output/YACReader*.exe"
 - name: Upload unsigned installer
- if: github.repository == 'YACReader/yacreader' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/develop')
+ if: github.repository == 'YACReader/yacreader' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/develop' || github.ref == 'refs/heads/yacreader10')
 uses: actions/upload-artifact@v4
 id: upload_unsigned
 with:
@@ -276,7 +276,7 @@ jobs:
 path: ci/win/Output/YACReader*.exe
 - name: Submit to SignPath
- if: github.repository == 'YACReader/yacreader' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/develop')
+ if: github.repository == 'YACReader/yacreader' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/develop' || github.ref == 'refs/heads/yacreader10')
 uses: signpath/github-action-submit-signing-request@v1
 with:
 api-token: ${{ secrets.SIGNPATH_API_TOKEN }}
@@ -290,7 +290,7 @@ jobs:
 output-artifact-directory: ci/win/Output/signed
 - name: Replace with signed installer
- if: github.repository == 'YACReader/yacreader' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/develop')
+ if: github.repository == 'YACReader/yacreader' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/develop' || github.ref == 'refs/heads/yacreader10')
 shell: pwsh
 run: |
 Write-Host "=== Files in signed directory before move ==="
@@ -350,7 +350,7 @@ jobs:
 cmake --build build --parallel
 - name: Upload executables for signing
- if: github.repository == 'YACReader/yacreader' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/develop')
+ if: github.repository == 'YACReader/yacreader' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/develop' || github.ref == 'refs/heads/yacreader10')
 uses: actions/upload-artifact@v4
 id: upload_executables
 with:
@@ -361,7 +361,7 @@ jobs:
 build/bin/YACReaderLibraryServer.exe
 - name: Submit to SignPath
- if: github.repository == 'YACReader/yacreader' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/develop')
+ if: github.repository == 'YACReader/yacreader' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/develop' || github.ref == 'refs/heads/yacreader10')
 uses: signpath/github-action-submit-signing-request@v1
 with:
 api-token: ${{ secrets.SIGNPATH_API_TOKEN }}
@@ -375,7 +375,7 @@ jobs:
 output-artifact-directory: 'build/bin/signed'
 - name: Replace executables with signed versions
- if: github.repository == 'YACReader/yacreader' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/develop')
+ if: github.repository == 'YACReader/yacreader' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/develop' || github.ref == 'refs/heads/yacreader10')
 shell: pwsh
 run: |
 Copy-Item "build/bin/signed/YACReader.exe" "build/bin/YACReader.exe" -Force
@@ -392,7 +392,7 @@ jobs:
 .\create_installer.cmd arm64 7z ${{ needs.initialization.outputs.build_number }}
 - name: Verify installer was created
- if: github.repository == 'YACReader/yacreader' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/develop')
+ if: github.repository == 'YACReader/yacreader' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/develop' || github.ref == 'refs/heads/yacreader10')
 shell: pwsh
 run: |
 if (-not (Test-Path "ci/win/Output/YACReader*.exe")) {
@@ -401,7 +401,7 @@ jobs:
 Get-ChildItem "ci/win/Output/YACReader*.exe"
 - name: Upload unsigned installer
- if: github.repository == 'YACReader/yacreader' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/develop')
+ if: github.repository == 'YACReader/yacreader' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/develop' || github.ref == 'refs/heads/yacreader10')
 uses: actions/upload-artifact@v4
 id: upload_unsigned
 with:
@@ -409,7 +409,7 @@ jobs:
 path: ci/win/Output/YACReader*.exe
 - name: Submit to SignPath
- if: github.repository == 'YACReader/yacreader' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/develop')
+ if: github.repository == 'YACReader/yacreader' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/develop' || github.ref == 'refs/heads/yacreader10')
 uses: signpath/github-action-submit-signing-request@v1
 with:
 api-token: ${{ secrets.SIGNPATH_API_TOKEN }}
@@ -423,7 +423,7 @@ jobs:
 output-artifact-directory: 'ci/win/Output/signed'
 - name: Replace with signed installer and cleanup
- if: github.repository == 'YACReader/yacreader' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/develop')
+ if: github.repository == 'YACReader/yacreader' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/develop' || github.ref == 'refs/heads/yacreader10')
 shell: pwsh
 working-directory: ci/win/Output
 run: |
@@ -769,7 +769,7 @@ jobs:
 echo " ✓ SIGNED - Signature verified successfully"
 osslsigncode verify -in "$installer" 2>&1 | grep -E "(Signed|Signer|Timestamp)"
 else
- echo " ✗ UNSIGNED or INVALID - No valid signature found (expected for yacreader10 pre-releases)"
+ echo " ✗ UNSIGNED or INVALID - No valid signature found"
 osslsigncode verify -in "$installer" 2>&1 | head -20
 fi
 echo ""
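Review bot: The `else` branch still only prints the result and carries on, although dropping the "expected for yacreader10 pre-releases" wording means an unsigned installer is no longer an accepted outcome. Unless a line outside the hunk fails the job, an installer with a missing or invalid signature would continue towards publication with nothing but a log line to show for it. Consider adding `exit 1` after the `head -20` line, limited to the original repository if fork builds also reach this step. The enclosing script starts and ends outside the hunk.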