Signing exe files with SignPath #6

	# see /README.md

	name: sign-verify-origin
	run-name: Signing exe files with SignPath
	on:
	push:
	pull_request:
	#schedule:
	# - cron: '30 3 * * *' # every day at 3:30am UTC
	workflow_dispatch: # Allows you to run this workflow manually from the Actions tab

	jobs:
	build_and_sign:
	runs-on: windows-latest
	steps:

	- name: checkout
	uses: actions/checkout@v3
	with:
	fetch-depth: 0

	- name: build
	run: ./src/Build.ps1

	- name: create SBOM
	run: ./sbom/Create-SBOM.ps1

	- name: upload-unsigned-artifact
	id: upload-unsigned-artifact
	uses: actions/upload-artifact@v4
	with:
	name: "demo-application"
	if-no-files-found: error
	path: \|
	.\FFBatch_AV_Converter_64bit_unsigned.exe
	.\bom.xml

	- name: sign
	uses: signpath/[email protected]
	env:
	# select release-signing policy for main and release branches
	SIGNPATH_SIGNING_POLICY_SLUG: \|
	${{ (github.ref == 'refs/heads/main' \|\| startsWith(github.ref, 'refs/heads/release/'))
	&& 'release-signing'
	\|\| 'test-signing' }}
	with:
	api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
	organization-id: '${{ vars.SIGNPATH_ORGANIZATION_ID }}'
	project-slug: 'ffmpeg_batch'
	signing-policy-slug: '${{ env.SIGNPATH_SIGNING_POLICY_SLUG }}'
	github-artifact-id: "${{steps.upload-unsigned-artifact.outputs.artifact-id}}"
	wait-for-completion: true
	output-artifact-directory: 'application-signed'

	- name: upload-signed-artifact
	uses: actions/upload-artifact@v4
	with:
	name: "FFBatch_AV_Converter_64bit_signed.exe"
	path: "application-signed"
	if-no-files-found: error

Provide feedback