core-agent-ide/.github/actions/windows-code-sign/action.yml

name: windows-code-sign
description: Sign Windows binaries with Azure Trusted Signing.
inputs:
  target:
    description: Target triple for the artifacts to sign.
    required: true
  client-id:
    description: Azure Trusted Signing client ID.
    required: true
  tenant-id:
    description: Azure tenant ID for Trusted Signing.
    required: true
  subscription-id:
    description: Azure subscription ID for Trusted Signing.
    required: true
  endpoint:
    description: Azure Trusted Signing endpoint.
    required: true
  account-name:
    description: Azure Trusted Signing account name.
    required: true
  certificate-profile-name:
    description: Certificate profile name for signing.
    required: true

runs:
  using: composite
  steps:
    - name: Azure login for Trusted Signing (OIDC)
      uses: azure/login@v2
      with:
        client-id: ${{ inputs.client-id }}
        tenant-id: ${{ inputs.tenant-id }}
        subscription-id: ${{ inputs.subscription-id }}

    - name: Sign Windows binaries with Azure Trusted Signing
      uses: azure/trusted-signing-action@v0
      with:
        endpoint: ${{ inputs.endpoint }}
        trusted-signing-account-name: ${{ inputs.account-name }}
        certificate-profile-name: ${{ inputs.certificate-profile-name }}
        exclude-environment-credential: true
        exclude-workload-identity-credential: true
        exclude-managed-identity-credential: true
        exclude-shared-token-cache-credential: true
        exclude-visual-studio-credential: true
        exclude-visual-studio-code-credential: true
        exclude-azure-cli-credential: false
        exclude-azure-powershell-credential: true
        exclude-azure-developer-cli-credential: true
        exclude-interactive-browser-credential: true
        cache-dependencies: false
        files: |
          ${{ github.workspace }}/codex-rs/target/${{ inputs.target }}/release/codex.exe
          ${{ github.workspace }}/codex-rs/target/${{ inputs.target }}/release/codex-responses-api-proxy.exe
          ${{ github.workspace }}/codex-rs/target/${{ inputs.target }}/release/codex-windows-sandbox-setup.exe
          ${{ github.workspace }}/codex-rs/target/${{ inputs.target }}/release/codex-command-runner.exe