
IEP-1475: Signing Windows Executable #1228


Merged: 33 commits, merged Jun 4, 2025. The diff shown is from 8 of the 33 commits.

Commits
826dfc7 testing signing with jks (alirana01, May 19, 2025)
200eee5 updated pfx pass (alirana01, May 19, 2025)
914f938 upload added to test (alirana01, May 19, 2025)
543756a testing workflow with single file (alirana01, May 20, 2025)
5c69473 fixing macos build steps (alirana01, May 20, 2025)
8116925 fixing macos signing issues (alirana01, May 20, 2025)
f10e08f fixing the signing part (alirana01, May 20, 2025)
47bcd01 fixing the build artifact name for windows signing (alirana01, May 20, 2025)
70b422f fixing naming issues (alirana01, May 20, 2025)
cdfaf07 validation for certificate (alirana01, May 21, 2025)
baeea69 fixing env level (alirana01, May 21, 2025)
ff20f32 fixing errors (alirana01, May 22, 2025)
09a227b fixing path issues on windows signing (alirana01, May 22, 2025)
e1ae050 retrigger workflow (alirana01, May 22, 2025)
94b1f30 debugging information (alirana01, May 22, 2025)
c27f9ba fixing directory resolution (alirana01, May 22, 2025)
e8d43f4 signature verification added (alirana01, May 22, 2025)
9a8b624 fixing double zip (alirana01, May 26, 2025)
f1aead4 updated the directory to include wildcards for upload (alirana01, May 27, 2025)
c7a227e fixed path for upload (alirana01, May 28, 2025)
eb83701 trying without wildcard (alirana01, Jun 2, 2025)
6b008a8 update for debugging (alirana01, Jun 2, 2025)
38f2739 fixing paths (alirana01, Jun 2, 2025)
6a0e72f removing unsigned zip (alirana01, Jun 2, 2025)
7024921 added the upload functionality (alirana01, Jun 3, 2025)
28fd1f0 added the test keys to verify workflow (alirana01, Jun 3, 2025)
b018315 some debugging information (alirana01, Jun 3, 2025)
40e11f5 fixing and zipping again courtesy of microsoft :/ (alirana01, Jun 3, 2025)
c7097fe correct path for the update zip (alirana01, Jun 3, 2025)
a292776 fix for update path (alirana01, Jun 3, 2025)
8a7b021 fixing version param for variable (alirana01, Jun 4, 2025)
4327e23 fixed zip command (alirana01, Jun 4, 2025)
b17abfe fixed and finalized (alirana01, Jun 4, 2025)
236 changes: 236 additions & 0 deletions .github/workflows/win_exe_sign_test.yml
@@ -0,0 +1,236 @@
name: Espressif-IDE Cross-platform Release

on:
push:
branches: [master]
tags:
- "v[0-9]+.[0-9]+.[0-9]+"

⚠️ Potential issue

Replace regex tag filter with glob pattern
GitHub Actions tag filters do not support regex syntax. Update the pattern from:

- tags:
-   - "v[0-9]+.[0-9]+.[0-9]+"

to a shell-style glob, for example:

+ tags:
+   - 'v*.*.*'

This ensures your workflow triggers correctly on version tags.

🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml at line 7, the tag filter uses a
regex pattern which is unsupported by GitHub Actions. Replace the regex
"v[0-9]+.[0-9]+.[0-9]+" with a glob pattern like 'v*.*.*' to correctly match
version tags and ensure the workflow triggers as expected.


⚠️ Potential issue

Unsupported regex in tag filter
GitHub Actions tag filters use shell-style glob patterns, not regular expressions. Replace:

- tags:
-   - "v[0-9]+.[0-9]+.[0-9]+"

with:

  tags:
    - 'v*.*.*'
🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml at lines 6 to 7, the tag filter uses
an unsupported regular expression pattern "v[0-9]+.[0-9]+.[0-9]+". Replace this
regex with a shell-style glob pattern by changing the tag filter to 'v*.*.*' to
comply with GitHub Actions syntax.

pull_request:
branches: [master]

env:
ARCHIVE_PREFIX: com.espressif.idf.update-
ARCHIVE_SUFFIX: -SNAPSHOT.zip

jobs:

macos-build:
runs-on: macos-latest
outputs:
version: ${{ steps.get_version.outputs.version }}
steps:
- uses: actions/checkout@v3
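
Review bot: the `push: branches: [master]` and `pull_request` triggers run the full signing and notarization pipeline on every master push and on every PR, not only on release tags; on pull_request runs from forks the `secrets.*` values are empty, so the `base64 -d` of an empty `JARSIGNER_KEYSTORE_B64` and the `security import` of an empty `certificate.p12` will fail, and on master pushes the release credentials are decoded for builds that are never published. Gate the Decode/Codesign/Notarization steps and the whole `windows-sign` job on `startsWith(github.ref, 'refs/tags/')` (or at least `github.event_name != 'pull_request'`) so the release keys are only materialised for tag builds.
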

🛠️ Refactor suggestion

Upgrade actions/checkout to v4
The workflow uses an outdated checkout action (actions/checkout@v3), which may not be supported on newer runners. Bump all instances to actions/checkout@v4.

Also applies to: 145-145, 227-227

🧰 Tools
🪛 actionlint (1.7.7)

21-21: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml at lines 21, 145, and 227, the
workflow uses the outdated action version actions/checkout@v3. Update all these
instances to actions/checkout@v4 to ensure compatibility with newer runners and
maintain support.



🛠️ Refactor suggestion

Bump actions/checkout to latest version
actions/checkout@v3 is outdated per actionlint. Upgrade to actions/checkout@v4:

- uses: actions/checkout@v3
+ uses: actions/checkout@v4

Also applies to: 141-142

🧰 Tools
🪛 actionlint (1.7.7)

22-22: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml at lines 22-23 and also lines
141-142, the usage of actions/checkout is outdated at version v3. Update the
version from actions/checkout@v3 to actions/checkout@v4 to comply with the
latest recommended version by actionlint.

- name: Set up JDK 17
uses: actions/setup-java@v3

🛠️ Refactor suggestion

Bump actions/setup-java to v4
actions/setup-java@v3 is flagged as outdated by actionlint. Update to actions/setup-java@v4 to ensure compatibility with the current runner.

🧰 Tools
🪛 actionlint (1.7.7)

24-24: the runner of "actions/setup-java@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml at line 24, the action
'actions/setup-java' is using version v3, which is outdated. Update the version
from v3 to v4 by changing the line to 'uses: actions/setup-java@v4' to ensure
compatibility with the current runner and resolve the actionlint warning.

with:
java-version: '17'
distribution: 'temurin'


🛠️ Refactor suggestion

Upgrade actions/setup-java to v4
Actionlint flags actions/setup-java@v3 as too old. Update to actions/setup-java@v4 to ensure Java setup on the runner.

🧰 Tools
🪛 actionlint (1.7.7)

24-24: the runner of "actions/setup-java@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml between lines 23 and 28, the GitHub
action uses an outdated version v3 of actions/setup-java. Update the version
from v3 to v4 by changing the uses line to actions/setup-java@v4 to comply with
actionlint and ensure proper Java setup on the runner.

- name: Get version from tag
id: get_version
run: echo "version=${GITHUB_REF##*/v}" >> $GITHUB_OUTPUT

- name: Decode keystore and build with Maven
env:
JARSIGNER_KEYSTORE_B64: ${{ secrets.JARSIGNER_REL_KEYSTORE_B64 }}
JARSIGNER_STOREPASS: ${{ secrets.JARSIGNER_REL_STOREPASS }}
JARSIGNER_ALIAS: ${{ secrets.JARSIGNER_REL_ALIAS }}
run: |
KEYSTORE_FILE="${PWD}/{{secrets.JARSIGNER_KEYSTORE}}"
echo "${KEYSTORE_FILE}"
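
Review bot: `echo "version=${GITHUB_REF##*/v}" >> $GITHUB_OUTPUT` only yields a version number when the ref is a `v*` tag; for a `refs/heads/master` push or a `refs/pull/N/merge` run the `*/v` pattern does not match and `version` becomes the whole ref string, which is what the `macos-build` output and the `${ARCHIVE_PREFIX}${version}.zip` name in the deploy job would then carry. Either guard the step with `if: startsWith(github.ref, 'refs/tags/v')` or derive it as `${GITHUB_REF_NAME#v}`, and quote `"$GITHUB_OUTPUT"`.
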

⚠️ Potential issue

Fix unresolved keystore filename placeholder
The line

KEYSTORE_FILE="${PWD}/{{secrets.JARSIGNER_KEYSTORE}}"

uses a literal placeholder. Replace it with a concrete filename or an env var, for example:

KEYSTORE_FILE="${PWD}/jarsigner-keystore.jks"
🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml at lines 39-40, the KEYSTORE_FILE
variable uses a literal placeholder {{secrets.JARSIGNER_KEYSTORE}} which is
unresolved. Replace this placeholder with the actual keystore filename or a
valid environment variable reference, for example, set
KEYSTORE_FILE="${PWD}/jarsigner-keystore.jks" to ensure the path points to a
real file.

printf "%s" "${JARSIGNER_KEYSTORE_B64}" | base64 -d > "${KEYSTORE_FILE}"
mvn -e -X clean install -Djarsigner.keystore="${KEYSTORE_FILE}" -Djarsigner.alias="${JARSIGNER_ALIAS}" -Djarsigner.storepass="${JARSIGNER_STOREPASS}" -DskipTests=true

⚠️ Potential issue

Avoid verbose/debug flags to prevent leaking secrets
Running mvn -e -X generates detailed logs (including env vars), which can expose sensitive data. Remove -X (and consider dropping -e) to limit verbosity:

-          mvn -e -X clean install \
+          mvn clean install \

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml at line 42, remove the `-X` flag from
the `mvn` command to prevent verbose debug output that may leak sensitive
environment variables. Optionally, also remove the `-e` flag to further reduce
log verbosity. This will limit the exposure of secrets in the build logs.

rm -v "${KEYSTORE_FILE}"
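
Review bot: `rm -v "${KEYSTORE_FILE}"` is only reached when the `mvn` command succeeds; GitHub runs unspecified-shell `run:` blocks under `bash -e`, so a failed build leaves the decoded keystore in the workspace for the remainder of the job. Move the cleanup into its own step with `if: always()`, or register `trap 'rm -f "${KEYSTORE_FILE}"' EXIT` at the top of the script, before the `base64 -d` line, so the file is removed on every exit path.
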

⚠️ Potential issue

Fix unresolved placeholder in KEYSTORE_FILE path
The line

KEYSTORE_FILE="${PWD}/{{secrets.JARSIGNER_KEYSTORE}}"

contains a literal placeholder instead of a real filename. Define a concrete keystore filename (or introduce an env var) before decoding:

- KEYSTORE_FILE="${PWD}/{{secrets.JARSIGNER_KEYSTORE}}"
+ KEYSTORE_FILE="${PWD}/jarsigner-keystore.jks"
🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml around lines 39 to 44, the
KEYSTORE_FILE path uses a literal placeholder {{secrets.JARSIGNER_KEYSTORE}}
instead of an actual filename. Replace this placeholder with a concrete filename
or an environment variable that holds the keystore filename before decoding. For
example, define KEYSTORE_FILE as a fixed filename in the current directory or
use an existing environment variable that contains the keystore filename,
ensuring the base64 decoding writes to a valid file path.


⚠️ Potential issue

Fix unresolved keystore filename placeholder
The line

KEYSTORE_FILE="${PWD}/{{secrets.JARSIGNER_KEYSTORE}}"

uses a literal placeholder. Replace with a real path or env var, e.g.:

KEYSTORE_FILE="${PWD}/jarsigner-keystore.jks"
🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml at lines 39 to 43, the KEYSTORE_FILE
variable is assigned using a literal placeholder {{secrets.JARSIGNER_KEYSTORE}},
which does not resolve correctly. Replace this placeholder with a concrete
filename or environment variable, for example, set
KEYSTORE_FILE="${PWD}/jarsigner-keystore.jks" to ensure the path is valid and
the keystore file can be created and accessed properly.


- name: Codesign Espressif-IDE
env:
MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
run: |
echo $MACOS_CERTIFICATE | base64 --decode > certificate.p12
/usr/bin/security create-keychain -p espressif build.keychain
/usr/bin/security default-keychain -s build.keychain
/usr/bin/security unlock-keychain -p espressif build.keychain
/usr/bin/security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign
/usr/bin/security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k espressif build.keychain

echo "codesigning espressif-ide-macosx.cocoa.x86_64"
/usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/x86_64/Espressif-IDE.app -v
/usr/bin/codesign -v -vvv --deep $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/x86_64/Espressif-IDE.app

echo "codesigning espressif-ide-macosx.cocoa.aarch64"
/usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/aarch64/Espressif-IDE.app -v
/usr/bin/codesign -v -vvv --deep $PWD/releng/com.espressif.idf.product/target/products/com.espressif.idf.product/macosx/cocoa/aarch64/Espressif-IDE.app

echo "Creating dmg for espressif-ide-macosx.cocoa.x86_64"
$PWD/releng/ide-dmg-builder/ide-dmg-builder.sh
/usr/bin/codesign --entitlements $PWD/releng/com.espressif.idf.product/entitlements/espressif-ide.entitlement --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg -v
/usr/bin/codesign -v -vvv --deep $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg

echo "Creating dmg for espressif-ide-macosx.cocoa.aarch64"
$PWD/releng/ide-dmg-builder/ide-dmg-builder-aarch64.sh
/usr/bin/codesign --options runtime --force -s "ESPRESSIF SYSTEMS (SHANGHAI) CO., LTD. (QWXF6GB4AV)" $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg -v
/usr/bin/codesign -v -vvv --deep $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg

- name: Notarization of Espressif-IDE dmg files
env:
NOTARIZATION_USERNAME: ${{ secrets.NOTARIZATION_USERNAME }}
NOTARIZATION_PASSWORD: ${{ secrets.NOTARIZATION_PASSWORD }}
NOTARIZATION_TEAM_ID: ${{ secrets.NOTARIZATION_TEAM_ID }}
run: |
echo "Create notary keychain"
/usr/bin/security create-keychain -p espressif notary.keychain
/usr/bin/security default-keychain -s notary.keychain
/usr/bin/security unlock-keychain -p espressif notary.keychain

echo "Create keychain profile"
xcrun notarytool store-credentials "ide-notarytool-profile" --apple-id $NOTARIZATION_USERNAME --team-id $NOTARIZATION_TEAM_ID --password $NOTARIZATION_PASSWORD
xcrun notarytool submit $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg --keychain-profile "ide-notarytool-profile" --wait

echo "Attach staple for x86_64.dmg"
xcrun stapler staple $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg

echo "Unlock the notary keychain"
/usr/bin/security unlock-keychain -p espressif notary.keychain

xcrun notarytool submit $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg --keychain-profile "ide-notarytool-profile" --wait
echo "Attach staple for aarch64.dmg"
xcrun stapler staple $PWD/releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg

- name: Upload Espressif-IDE-macosx-cocoa-x86_64.dmg
if: ${{ !cancelled() }}
uses: actions/upload-artifact@v4
with:
name: espressif-ide-macosx-cocoa-x86_64
path: releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-x86_64.dmg

- name: Upload Espressif-IDE-macosx-cocoa-aarch64.dmg
if: ${{ !cancelled() }}
uses: actions/upload-artifact@v4
with:
name: espressif-ide-macosx.cocoa.aarch64
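
Review bot: `certificate.p12` written by the `base64 --decode` line is never removed after `security import`, and the keychain password `espressif` is hard-coded in the `create-keychain`, `unlock-keychain` and `set-key-partition-list` calls for both `build.keychain` and `notary.keychain`; add `rm -f certificate.p12` right after the import and generate the keychain password per run (for example `KEYCHAIN_PWD=$(openssl rand -hex 16)`), since it is only ever needed inside this job. Quote `"$MACOS_CERTIFICATE_PWD"` in the `security import` call in case the secret contains spaces. Also, the aarch64 DMG `codesign` line drops the `--entitlements .../espressif-ide.entitlement` flag that the x86_64 DMG line passes; if that is deliberate it deserves a comment, otherwise the two invocations should match.
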

⚠️ Potential issue

Fix indentation for with block
Line 112 is over-indented, causing a YAML lint warning. Adjust to match the other artifact upload steps:

-           name: espressif-ide.cocoa.aarch64
+         name: espressif-ide.cocoa.aarch64

Committable suggestion skipped: line range outside the PR's diff.

🧰 Tools
🪛 YAMLlint (1.37.1)

[warning] 112-112: wrong indentation: expected 10 but found 11

(indentation)

🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml at line 112, the indentation of the
line "name: espressif-ide-macosx.cocoa.aarch64" is too deep, causing a YAML lint
warning. Adjust the indentation to align with the other artifact upload steps by
reducing the leading spaces so it matches the expected YAML structure.

path: releng/ide-dmg-builder/Espressif-IDE-macosx-cocoa-aarch64.dmg

⚠️ Potential issue

Fix artifact name and indentation for aarch64 DMG
The name field uses a dot and is over-indented:

-          name: espressif-ide-macosx.cocoa.aarch64
+          name: espressif-ide-macosx-cocoa-aarch64

Adjust indentation to match other upload steps.

🧰 Tools
🪛 YAMLlint (1.37.1)

[warning] 111-111: wrong indentation: expected 10 but found 11

(indentation)

🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml around lines 111 to 112, the artifact
name uses dots instead of dashes and is over-indented. Rename the artifact from
"espressif-ide-macosx.cocoa.aarch64" to "espressif-ide-macosx-cocoa-aarch64" and
adjust the indentation to align with other upload steps for consistency.


- name: Upload build artifacts
if: ${{ !cancelled() }}
uses: actions/upload-artifact@v4
with:
name: com.espressif.idf.update
path: releng/com.espressif.idf.update/target/repository

- name: Upload windows rcp
if: ${{ !cancelled() }}
uses: actions/upload-artifact@v4
with:
name: espressif-ide-win32
path: releng/com.espressif.idf.product/target/products/Espressif-IDE-*-win32.win32.x86_64.zip

- name: Upload linux rcp
if: ${{ !cancelled() }}
uses: actions/upload-artifact@v4
with:
name: espressif-ide-linux
path: releng/com.espressif.idf.product/target/products/Espressif-IDE-*-linux.gtk.x86_64.tar.gz


windows-sign:
runs-on: windows-latest
needs: macos-build
steps:
- uses: actions/checkout@v3


🛠️ Refactor suggestion

Install Java on Windows runner
The windows-sign job invokes keytool.exe but doesn't install Java or set JAVA_HOME. Add a setup step:

- name: Set up Java
  uses: actions/setup-java@v4
  with:
    distribution: 'temurin'
    java-version: '11'
🧰 Tools
🪛 actionlint (1.7.7)

141-141: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml around lines 137 to 142, the
windows-sign job uses keytool.exe but does not install Java or set JAVA_HOME.
Add a step before running keytool.exe to install Java by using the
actions/setup-java@v4 action with distribution set to 'temurin' and java-version
set to '11' to ensure Java is available on the Windows runner.

- name: Download built artifacts

⚠️ Potential issue

Add Java setup action to Windows job
The Windows runner invokes keytool.exe but no JDK is installed nor JAVA_HOME set. Insert before JKS decoding:

-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
+      - name: Set up Java
+        uses: actions/setup-java@v4
+        with:
+          distribution: 'temurin'
+          java-version: '11'

This ensures keytool.exe is available.

🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml around lines 146 to 147, the Windows
job uses keytool.exe without installing a JDK or setting JAVA_HOME. Fix this by
adding a Java setup step before the JKS decoding step: update the checkout
action to v4, then add a step using actions/setup-java@v4 with distribution
'temurin' and java-version '11' to ensure keytool.exe is available.

uses: actions/download-artifact@v4
with:
name: espressif-ide-win32
path: releng/com.espressif.idf.product/target/products/Espressif-IDE-*-win32.win32.x86_64.zip

- name: Extract Windows ZIP
run: |
Expand-Archive -Path (Get-ChildItem -Path artifacts -Filter "*win32.win32.x86_64.zip").FullName -DestinationPath extracted

⚠️ Potential issue

Align download path with Expand-Archive usage
The download step writes artifacts to releng/..., but the extract step looks in artifacts. Either change the download path to artifacts:

-      - name: Download built artifacts
-        uses: actions/download-artifact@v4
-        with:
-          name: espressif-ide-win32
-          path: releng/com.espressif.idf.product/target/products/Espressif-IDE-*-win32.win32.x86_64.zip
+      - name: Download built artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: espressif-ide-win32
+          path: artifacts

or update Expand-Archive to use the releng/... path.

🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml around lines 143 to 151, the download
step saves artifacts to the releng/com.espressif.idf.product/target/products
directory, but the extract step looks for ZIP files in the artifacts directory,
causing a path mismatch. Fix this by either changing the download path to
artifacts to match the extract step or update the Expand-Archive command to use
the releng/com.espressif.idf.product/target/products path where the ZIP files
are actually downloaded.


- name: Decode JKS and convert to PFX
env:
JKS_B64: ${{ secrets.JARSIGNER_REL_KEYSTORE_B64 }}
JKS_PASS: ${{ secrets.JARSIGNER_REL_STOREPASS }}
ALIAS: ${{ secrets.JARSIGNER_REL_ALIAS }}
PFX_PASS: ${{ secrets.JARSIGNER_REL_STOREPASS }}
run: |

🛠️ Refactor suggestion

Install and configure Java on Windows runner
You invoke keytool.exe via $env:JAVA_HOME, but no JDK is installed or JAVA_HOME set on the Windows runner. Add a setup step before this block:

- name: Set up Java
  uses: actions/setup-java@v4
  with:
    distribution: 'temurin'
    java-version: '11'
🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml around lines 153 to 159, the workflow
uses keytool.exe via $env:JAVA_HOME but does not install Java or set JAVA_HOME
on the Windows runner. To fix this, add a step before this block that uses
actions/setup-java@v4 to install Java 11 from the Temurin distribution and set
JAVA_HOME properly.

echo $env:JKS_B64 | Out-File encoded.b64 -Encoding ASCII
certutil -decode encoded.b64 mykeystore.jks
Remove-Item encoded.b64
& "${env:JAVA_HOME}\bin\keytool.exe" -importkeystore `
-srckeystore mykeystore.jks `
-srcstorepass $env:JKS_PASS `
-srcalias $env:ALIAS `
-destkeystore cert.pfx `
-deststoretype PKCS12 `
-deststorepass $env:PFX_PASS

- name: Sign Windows Executable
run: |
$exe = Get-ChildItem -Recurse extracted\*.exe | Select-Object -First 1
& "C:\Program Files (x86)\Windows Kits\10\bin\10.0.17763.0\x86\signtool.exe" sign `
/f cert.pfx `
/p $env:PFX_PASS `
/tr http://timestamp.digicert.com `
/td sha256 `
/fd sha256 `
$exe.FullName

- name: Repack signed Windows ZIP
run: |
Compress-Archive -Path extracted\* -DestinationPath artifacts/Espressif-IDE-win32.win32.x86_64.zip -Force

- name: Upload Signed Windows ZIP
uses: actions/upload-artifact@v4
with:
name: release-artifacts
path: artifacts/Espressif-IDE-win32.win32.x86_64.zip
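
Review bot: `Get-ChildItem -Recurse extracted\*.exe | Select-Object -First 1` signs exactly one executable, so any other `.exe` in the product zip is repacked unsigned, and nothing checks the signature before `Compress-Archive` runs. Loop over every executable (`Get-ChildItem -Path extracted -Recurse -Filter *.exe | ForEach-Object { ... }`), then run `signtool.exe verify /pa /v <file>` on each and fail the step on a non-zero exit code so an unsigned or mis-signed binary never reaches the zip. Two smaller points in the same region: `mykeystore.jks` and `cert.pfx` stay in the workspace after signing (add `Remove-Item mykeystore.jks, cert.pfx` in a final `if: always()` step), and the `10.0.17763.0\x86` path pins one Windows Kits build, so resolve signtool with `Get-ChildItem "C:\Program Files (x86)\Windows Kits\10\bin" -Recurse -Filter signtool.exe` (or a PATH lookup) to survive runner image updates.
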


⚠️ Potential issue

Consistent artifact naming for Windows ZIP upload
The step repacks and uploads the signed Windows ZIP under release-artifacts, which conflicts with the original upload naming. Unify artifact names across jobs. For instance, to continue using espressif-ide-win32:

-      - name: Upload Signed Windows ZIP
-        uses: actions/upload-artifact@v4
+      - name: Upload Signed Windows ZIP
+        uses: actions/upload-artifact@v4
         with:
-          name: release-artifacts
+          name: espressif-ide-win32
           path: artifacts/Espressif-IDE-win32.win32.x86_64.zip
🤖 Prompt for AI Agents
In .github/workflows/win_exe_sign_test.yml around lines 182 to 191, the artifact
name used for uploading the signed Windows ZIP is set to "release-artifacts,"
which is inconsistent with the original artifact naming convention. To fix this,
change the artifact name in the upload step to match the original naming, such
as "espressif-ide-win32," ensuring consistent artifact names across all jobs.

# deploy:
# runs-on: ubuntu-latest
# needs: [macos-build, windows-sign]
# steps:
# - uses: actions/checkout@v3

# - name: Download final artifacts
# uses: actions/download-artifact@v4
# with:
# name: release-artifacts
# path: final

# - name: Upload to S3 (dl.espressif.com)
# env:
# AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
# AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
# AWS_DEFAULT_REGION: ${{ secrets.AWS_DEFAULT_REGION }}
# DL_BUCKET: ${{ secrets.DL_BUCKET }}
# DL_DISTRIBUTION_ID: ${{ secrets.DL_DISTRIBUTION_ID }}
# run: |
# version=${GITHUB_REF##*/v}
# folder=v${version}

# mkdir "$folder"
# unzip -q final/com.espressif.idf.update-*.zip -d "$folder"

# mv final/com.espressif.idf.update-*.zip "${ARCHIVE_PREFIX}${version}.zip"
# mv final/Espressif-IDE-macosx-cocoa-x86_64.dmg "Espressif-IDE-macosx-cocoa-x86_64-${folder}.dmg"
# mv final/Espressif-IDE-macosx-cocoa-aarch64.dmg "Espressif-IDE-macosx-cocoa-aarch64-${folder}.dmg"

# aws s3 rm s3://$DL_BUCKET/dl/idf-eclipse-plugin/updates/latest --recursive
# aws s3 cp --acl=public-read --recursive "./$folder/" s3://$DL_BUCKET/dl/idf-eclipse-plugin/updates/latest
# aws s3 cp --acl=public-read ./releng/index.html s3://$DL_BUCKET/dl/idf-eclipse-plugin/updates/latest/
# aws s3 cp --acl=public-read --recursive "./$folder/" s3://$DL_BUCKET/dl/idf-eclipse-plugin/updates/$folder
# aws s3 cp --acl=public-read --recursive --exclude "*" --include "Espressif-IDE-*" final/ s3://$DL_BUCKET/dl/idf-eclipse-plugin/ide/
# aws s3 cp --acl=public-read "${ARCHIVE_PREFIX}${version}.zip" s3://$DL_BUCKET/dl/idf-eclipse-plugin/updates/
# aws s3 cp --acl=public-read "Espressif-IDE-macosx-cocoa-x86_64-${folder}.dmg" s3://$DL_BUCKET/dl/idf-eclipse-plugin/ide/
# aws s3 cp --acl=public-read "Espressif-IDE-macosx-cocoa-aarch64-${folder}.dmg" s3://$DL_BUCKET/dl/idf-eclipse-plugin/ide/

# aws cloudfront create-invalidation --distribution-id $DL_DISTRIBUTION_ID --paths "/dl/idf-eclipse-plugin/updates/latest/*"

# aws s3api put-object --acl=public-read --bucket espdldata --key "dl/idf-eclipse-plugin/ide/Espressif-IDE-win32.win32.x86_64/latest" --website-redirect-location "/dl/idf-eclipse-plugin/ide/Espressif-IDE-${version}-win32.win32.x86_64.zip"
# aws s3api put-object --acl=public-read --bucket espdldata --key "dl/idf-eclipse-plugin/ide/Espressif-IDE-macosx-cocoa-x86_64/latest" --website-redirect-location "/dl/idf-eclipse-plugin/ide/Espressif-IDE-macosx-cocoa-x86_64-${folder}.dmg"
# aws s3api put-object --acl=public-read --bucket espdldata --key "dl/idf-eclipse-plugin/ide/Espressif-IDE-macosx-cocoa-aarch64/latest" --website-redirect-location "/dl/idf-eclipse-plugin/ide/Espressif-IDE-macosx-cocoa-aarch64-${folder}.dmg"
# aws s3api put-object --acl=public-read --bucket espdldata --key "dl/idf-eclipse-plugin/ide/Espressif-IDE-linux.gtk.x86_64/latest" --website-redirect-location "/dl/idf-eclipse-plugin/ide/Espressif-IDE-${version}-linux.gtk.x86_64.tar.gz"
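
Review bot: the commented-out `deploy` job should either be removed or tracked in an issue; as written it already carries inconsistencies that will surface when it is re-enabled. `Download final artifacts` pulls the `release-artifacts` name, which the `windows-sign` job uses only for the signed Windows zip, while the DMGs and the `com.espressif.idf.update` repository are uploaded under `espressif-ide-macosx-cocoa-x86_64`, `espressif-ide-macosx.cocoa.aarch64` and `com.espressif.idf.update`, so `final/com.espressif.idf.update-*.zip` and `final/Espressif-IDE-macosx-cocoa-*.dmg` would not exist. The four `aws s3api put-object` redirect lines hard-code `--bucket espdldata` whereas every other command uses `$DL_BUCKET`. And `aws s3 rm ... updates/latest --recursive` runs before the new copy, so a failed `cp` leaves `latest` empty; copy to the versioned folder first and only then replace `latest`.
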