name: Prepare Release Artifacts description: Download, flatten, and verify release artifacts for publishing runs: using: composite steps: - name: Download all artifacts uses: actions/download-artifact@v4 with: path: artifacts - name: List downloaded artifacts shell: bash run: | echo "=== All artifacts downloaded ===" ls -lR artifacts/ echo "" echo "=== Windows artifacts only ===" ls -l artifacts/windows-*/ - name: Flatten artifacts (exclude unsigned Windows installers) shell: bash run: | mkdir -p staging # Copy all files except those from unsigned Windows artifact directories find artifacts -type f ! -path "*/windows-*-unsigned-*/*" -exec cp {} staging/ \; echo "" echo "=== Files copied to staging ===" ls -lh staging/ echo "" echo "=== Windows installers in staging ===" ls -lh staging/YACReader*.exe || echo "No Windows installers found" - name: Verify Windows installer signatures shell: bash run: | echo "=== Installing osslsigncode to verify signatures ===" sudo apt-get update sudo apt-get install -y osslsigncode echo "" echo "=== Checking signatures on Windows installers ===" for installer in staging/YACReader*.exe; do if [ -f "$installer" ]; then echo "Checking: $(basename $installer)" echo "File size: $(stat -c%s $installer) bytes" # Try to extract signature info if osslsigncode verify -in "$installer" 2>&1 | grep -q "Signature verification: ok"; then echo " ✓ SIGNED - Signature verified successfully" osslsigncode verify -in "$installer" 2>&1 | grep -E "(Signed|Signer|Timestamp)" else echo " ✗ UNSIGNED or INVALID - No valid signature found" osslsigncode verify -in "$installer" 2>&1 | head -20 fi echo "" fi done echo "=== Summary ===" echo "Total installers in staging: $(ls staging/YACReader*.exe 2>/dev/null | wc -l)"