Create signpath.yml

Author: eibol

.github/workflows/signpath.yml

@@ -0,0 +1,60 @@
+# see /README.md
+
+name: build-and-sign
+run-name: Demo workflow signing with SignPath
+on: 
+  push:
+  pull_request:
+  #schedule:
+  #  - cron:  '30 3 * * *' # every day at 3:30am UTC
+  workflow_dispatch: # Allows you to run this workflow manually from the Actions tab
+
+jobs:
+  build_and_sign:
+    runs-on: windows-latest
+    steps:
+
+    - name: checkout
+      uses: actions/checkout@v3
+      with:
+        fetch-depth: 0
+
+    - name: build
+      run: ./src/Build.ps1
+
+    - name: create SBOM
+      run: ./sbom/Create-SBOM.ps1
+
+    - name: upload-unsigned-artifact
+      id: upload-unsigned-artifact
+      uses: actions/upload-artifact@v4
+      with:
+        name: "demo-application" 
+        if-no-files-found: error
+        path: |
+          .\_BuildResult-unsigned\DemoExample.msi
+          .\_BuildResult-unsigned\bom.xml
+
+    - name: sign
+      uses: signpath/[email protected]
+      env:
+        # select release-signing policy for main and release branches
+        SIGNPATH_SIGNING_POLICY_SLUG: | 
+          ${{ (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release/')) 
+            && 'release-signing' 
+            || 'test-signing' }}
+      with:
+        api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
+        organization-id: '${{ vars.SIGNPATH_ORGANIZATION_ID }}'
+        project-slug: 'Demo_Application'
+        signing-policy-slug:  '${{ env.SIGNPATH_SIGNING_POLICY_SLUG }}'
+        github-artifact-id:  "${{steps.upload-unsigned-artifact.outputs.artifact-id}}"
+        wait-for-completion: true
+        output-artifact-directory: 'demo-application-signed'
+    
+    - name: upload-signed-artifact
+      uses: actions/upload-artifact@v4
+      with:
+        name: "demo-application-signed" 
+        path: "demo-application-signed"
+        if-no-files-found: error