update build-multiplatform.yml and build.py #23
Conversation
There was a problem hiding this comment.
Pull Request Overview
This PR modifies the build system to support code signing for Windows executables and updates artifact handling by making zip file creation optional and uploading the entire dist directory instead of specific zip files.
- Adds a
--no-zipflag to the build script to skip zip file creation - Implements code signing for Windows executables using PFX certificates
- Changes artifact uploads to include the entire dist directory rather than pre-zipped files
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| build.py | Adds optional --no-zip flag support to skip zip file creation during build |
| .github/workflows/build-multiplatform.yml | Implements Windows code signing and updates artifact uploads to use dist directory |
| pip install -r requirements.txt | ||
| - name: Build engine and bootstrapper | ||
| run: | | ||
| python build.py |
There was a problem hiding this comment.
The build.py script should be called with the --no-zip flag since the workflow now uploads the entire dist directory instead of zip files. This ensures consistency with the new artifact upload approach.
| python build.py | |
| python build.py --no-zip |
| - name: Build engine and bootstrapper | ||
| run: | | ||
| python build.py | ||
| - name: Decodificar certificado PFX |
There was a problem hiding this comment.
[nitpick] The step name is in Spanish. For consistency with the rest of the workflow which uses English, consider using 'Decode PFX certificate' instead.
| - name: Decodificar certificado PFX | |
| - name: Decode PFX certificate |
| echo "${{ secrets.CODESIGN_PFX }}" | Out-File -Encoding ascii -FilePath cert_base64.txt | ||
| certutil -decode cert_base64.txt cert.pfx | ||
| shell: pwsh | ||
| - name: Firmar engine.exe y bootstrapper.exe |
There was a problem hiding this comment.
[nitpick] The step name is in Spanish. For consistency with the rest of the workflow which uses English, consider using 'Sign engine.exe and bootstrapper.exe' instead.
| - name: Firmar engine.exe y bootstrapper.exe | |
| - name: Sign engine.exe and bootstrapper.exe |
| pip install -r requirements.txt | ||
| - name: Build engine and bootstrapper | ||
| run: | | ||
| python build.py |
There was a problem hiding this comment.
The build.py script should be called with the --no-zip flag since the workflow now uploads the entire dist directory instead of zip files. This ensures consistency with the new artifact upload approach.
| python build.py | |
| python build.py --no-zip |
| & "C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\signtool.exe" sign /f cert.pfx /p "${{ secrets.CODESIGN_PFX_PASSWORD }}" /tr http://timestamp.digicert.com /td sha256 /fd sha256 dist/engine.exe | ||
| & "C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\signtool.exe" sign /f cert.pfx /p "${{ secrets.CODESIGN_PFX_PASSWORD }}" /tr http://timestamp.digicert.com /td sha256 /fd sha256 dist/lib/bootstrapper.exe |
There was a problem hiding this comment.
The hardcoded path to signtool.exe with a specific version (10.0.19041.0) may break if the Windows Kit version changes on the runner. Consider using a more flexible approach or documenting the version dependency.
| & "C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\signtool.exe" sign /f cert.pfx /p "${{ secrets.CODESIGN_PFX_PASSWORD }}" /tr http://timestamp.digicert.com /td sha256 /fd sha256 dist/engine.exe | |
| & "C:\Program Files (x86)\Windows Kits\10\bin\10.0.19041.0\x64\signtool.exe" sign /f cert.pfx /p "${{ secrets.CODESIGN_PFX_PASSWORD }}" /tr http://timestamp.digicert.com /td sha256 /fd sha256 dist/lib/bootstrapper.exe | |
| $SigntoolPath = Get-ChildItem "C:\Program Files (x86)\Windows Kits\10\bin\" -Directory | Sort-Object Name -Descending | Select-Object -First 1 | ForEach-Object { Join-Path $_.FullName "x64\signtool.exe" } | |
| & $SigntoolPath sign /f cert.pfx /p "${{ secrets.CODESIGN_PFX_PASSWORD }}" /tr http://timestamp.digicert.com /td sha256 /fd sha256 dist/engine.exe | |
| & $SigntoolPath sign /f cert.pfx /p "${{ secrets.CODESIGN_PFX_PASSWORD }}" /tr http://timestamp.digicert.com /td sha256 /fd sha256 dist/lib/bootstrapper.exe |
No description provided.