From 8841702b150717cc51f8713f4298d48e3cc831fe Mon Sep 17 00:00:00 2001
From: Brendan Allan
Date: Thu, 12 Feb 2026 18:35:14 +0800
Subject: [PATCH 1/4] sign-cli workflow

---
 .github/workflows/sign-cli.yml | 51 ++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 .github/workflows/sign-cli.yml

diff --git a/.github/workflows/sign-cli.yml b/.github/workflows/sign-cli.yml
new file mode 100644
index 00000000000..79159d61cb7
--- /dev/null
+++ b/.github/workflows/sign-cli.yml
@@ -0,0 +1,51 @@
+name: sign-cli
+
+on:
+ workflow_dispatch:
+
+permissions:
+ contents: read
+ actions: read
+
+jobs:
+ sign-cli:
+ runs-on: blacksmith-4vcpu-ubuntu-2404
+ if: github.repository == 'anomalyco/opencode'
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ fetch-tags: true
+
+ - uses: ./.github/actions/setup-bun
+
+ - name: Build
+ run: |
+ ./packages/opencode/script/build.ts
+
+ - name: Upload unsigned Windows CLI
+ id: upload_unsigned_windows_cli
+ uses: actions/upload-artifact@v4
+ with:
+ name: unsigned-opencode-windows-cli
+ path: packages/opencode/dist/opencode-windows-x64/bin/opencode.exe
+ if-no-files-found: error
+
+ - name: Submit SignPath signing request
+ id: submit_signpath_signing_request
+ uses: signpath/github-action-submit-signing-request@v1
+ with:
+ api-token: ${{ secrets.SIGNPATH_API_TOKEN }}
+ organization-id: ${{ secrets.SIGNPATH_ORGANIZATION_ID }}
+ project-slug: ${{ secrets.SIGNPATH_PROJECT_SLUG }}
+ signing-policy-slug: ${{ secrets.SIGNPATH_SIGNING_POLICY_SLUG }}
+ artifact-configuration-slug: ${{ secrets.SIGNPATH_ARTIFACT_CONFIGURATION_SLUG }}
+ github-artifact-id: ${{ steps.upload_unsigned_windows_cli.outputs.artifact-id }}
+ wait-for-completion: true
+ output-artifact-directory: signed-opencode-cli
+
+ - name: Upload signed Windows CLI
+ uses: actions/upload-artifact@v4
+ with:
+ name: signed-opencode-windows-cli
+ path: signed-opencode-cli/*.exe
+ if-no-files-found: error
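Review bot: Every `uses:` in this workflow resolves a mutable tag (`actions/checkout@v3`, `actions/upload-artifact@v4`, `signpath/github-action-submit-signing-request@v1`), so the third-party action that receives the SignPath secrets and returns the binary that gets published as the signed CLI can change underneath the workflow without any diff in this repository. For a job whose output is a signed release artifact, pin each action to a full commit SHA and keep the version in a trailing comment, e.g. `uses: signpath/github-action-submit-signing-request@<full-commit-sha>  # v1.x`, with the same treatment for checkout and upload-artifact. The checkout step is also still on the v3 major while upload-artifact in the same file is already on v4; aligning it while pinning avoids a second touch later.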
From 7a8d58cf42f874a5063b55a45f996ec95c302225 Mon Sep 17 00:00:00 2001
From: Brendan Allan
Date: Thu, 12 Feb 2026 18:37:24 +0800
Subject: [PATCH 2/4] push trigger

---
 .github/workflows/sign-cli.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/sign-cli.yml b/.github/workflows/sign-cli.yml
index 79159d61cb7..7cae95d5777 100644
--- a/.github/workflows/sign-cli.yml
+++ b/.github/workflows/sign-cli.yml
@@ -1,6 +1,9 @@
 name: sign-cli

 on:
+ push:
+ branches:
+ - brendan/desktop-signpath
 workflow_dispatch:

 permissions:
From 4a410b3499941cd9f869ae03eb6538e97c9d0173 Mon Sep 17 00:00:00 2001
From: Brendan Allan
Date: Thu, 12 Feb 2026 18:39:07 +0800
Subject: [PATCH 3/4] SIGNPATH_API_KEY

---
 .github/workflows/sign-cli.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/sign-cli.yml b/.github/workflows/sign-cli.yml
index 7cae95d5777..d9d61fd800e 100644
--- a/.github/workflows/sign-cli.yml
+++ b/.github/workflows/sign-cli.yml
@@ -37,7 +37,7 @@ jobs:
 id: submit_signpath_signing_request
 uses: signpath/github-action-submit-signing-request@v1
 with:
- api-token: ${{ secrets.SIGNPATH_API_TOKEN }}
+ api-token: ${{ secrets.SIGNPATH_API_KEY }}
 organization-id: ${{ secrets.SIGNPATH_ORGANIZATION_ID }}
 project-slug: ${{ secrets.SIGNPATH_PROJECT_SLUG }}
 signing-policy-slug: ${{ secrets.SIGNPATH_SIGNING_POLICY_SLUG }}
From c9913ce72c6f5895d167bc8bd7f11ac9f5b8bce8 Mon Sep 17 00:00:00 2001
From: Brendan Allan
Date: Thu, 12 Feb 2026 18:45:00 +0800
Subject: [PATCH 4/4] signpath signing policy

---
 .signpath/policies/test-signing.yml | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 .signpath/policies/test-signing.yml

diff --git a/.signpath/policies/test-signing.yml b/.signpath/policies/test-signing.yml
new file mode 100644
index 00000000000..4c9f654cd32
--- /dev/null
+++ b/.signpath/policies/test-signing.yml
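Review bot: The new `push` trigger on `brendan/desktop-signpath` runs the whole build-and-sign job, including the SignPath submission that uses the organization's signing secrets, on every push to that one personal branch, which reads as a temporary hook for exercising the workflow rather than an intended trigger. If it has to stay until the workflow is verified, mark it so a later reader does not take it as deliberate, e.g. `# temporary: remove before merge, workflow_dispatch is the intended trigger` directly above `push:`; if a push trigger is meant to remain, the branch filter should name the branch(es) the signing policy is written for rather than a developer branch. The `if: github.repository == 'anomalyco/opencode'` guard added in the first patch limits this to the upstream repository but does not limit who can push to that branch.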
@@ -0,0 +1,7 @@
+github-policies:
+ runners:
+ allowed_groups:
+ - "blacksmith runners 01kbd5v56sg8tz7rea39b7ygpt"
+ build:
+ disallow_reruns: false
+ branch_rulesets:
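Review bot: `branch_rulesets:` on the last line has no value, so a YAML parser reads it as `null`; whether SignPath treats that as "no branch restriction" or rejects the policy I can't tell from this file, but either way the policy does not state which branches may obtain a signature, and the one build control it does set, `disallow_reruns: false`, presumably permits a re-run of an older workflow run to be signed as well. Make the intent explicit: either list the rulesets this policy should require, or write `branch_rulesets: []` with a comment such as `# test-signing only: no branch restriction by design` so the gap is visibly deliberate rather than an unfinished stanza. The runner-group id under `allowed_groups` is correctly quoted as a string.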