Update release.yml

seerge · web-flow · commit b036cf7a507a · 2025-08-20T15:27:37.000+02:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -3,13 +3,13 @@ name: Release
 on:
   release:
     types: [ published ]
-  workflow_dispatch:  
+  workflow_dispatch:
 
 permissions:
   contents: write
   id-token: write
   attestations: write
-  
+
 jobs:
   release:
     runs-on: windows-2022
@@ -24,25 +24,34 @@ jobs:
       - name: Publish
         run: |
           dotnet publish app/GHelper.sln --configuration Release --runtime win-x64 -p:PublishSingleFile=true --no-self-contained
-          powershell Compress-Archive app/bin/x64/Release/net8.0-windows/win-x64/publish/GHelper.exe GHelper-unsigned.zip
+          powershell Compress-Archive app/bin/x64/Release/net8.0-windows/win-x64/publish/GHelper.exe GHelper.zip
+
+      - name: Upload unsigned artifact
+        id: upload-unsigned-artifact
+        uses: actions/upload-artifact@v4
+        with:
+          path: GHelper.zip
 
-      - name: Sign artifact with SignPath
+      - id: sign
         uses: signpath/github-action-submit-signing-request@v1.1
         with:
-          project: ${{ secrets.SIGNPATH_PROJECT }} 
-          policy: ${{ secrets.SIGNPATH_POLICY }} 
-          input: GHelper-unsigned.zip
-          output: GHelper.zip
+          api-token: ${{ secrets.SIGNPATH_API_TOKEN }}
+          organization-id: ${{ secrets.SIGNPATH_ORG_ID }}
+          project-slug: ${{ secrets.SIGNPATH_PROJECT }}
+          signing-policy-slug: ${{ secrets.SIGNPATH_POLICY }}
+          github-artifact-id: ${{ steps.upload-unsigned-artifact.outputs.artifact-id }}
+          wait-for-completion: true
+          output-artifact-directory: './signed'
 
-      - name: Upload
+      - name: Upload signed artifact
         env:
           GH_TOKEN: ${{ github.token }}
         run: |
-          gh release upload ${{ github.ref_name }} app/bin/x64/Release/net8.0-windows/win-x64/publish/GHelper.exe GHelper.zip
+          gh release upload ${{ github.ref_name }} app/bin/x64/Release/net8.0-windows/win-x64/publish/GHelper.exe ./signed/GHelper.zip
 
       - name: Generate SLSA build provenance attestation
         uses: actions/attest-build-provenance@v2
         with:
           subject-path: |
             app/bin/x64/Release/net8.0-windows/win-x64/publish/GHelper.exe
-            GHelper.zip
+            ./signed/GHelper.zip
