git-xet Windows installer and code signing (#519)

seanses · web-flow · commit 6fbde98e5ec3 · 2025-10-02T12:40:09.000-07:00
This PR
- adds to the git-xet release workflow to code-sign Windows executable
"git-xet.exe" using the Microsoft Trusted Signing Service;
- builds a Windows installer for git-xet to place "git-xet.exe" in the
system, modify the system PATH environment variable, and run the command
"git-xet install" to configure git-xet; On uninstallation from "Control
Panel\Programs\Programs and Features", it first runs "git-xet uninstall
--all" so it is deregistered from git-lfs custom transfer.
- signs the built Windows installer msi file.
diff --git a/.github/actions/windows-codesign/action.yml b/.github/actions/windows-codesign/action.yml
@@ -0,0 +1,40 @@
+name: Codesign with Microsoft Trusted Signing
+description: Sign Windows files with Microsoft Trusted Signing Service
+runs:
+  using: "composite"
+  steps:
+    - uses: azure/trusted-signing-action@v0
+      with:
+        azure-tenant-id: ${{ inputs.azure_tenant_id }}
+        azure-client-id: ${{ inputs.azure_client_id }}
+        azure-client-secret: ${{ inputs.azure_client_secret }}
+        endpoint: https://eus.codesigning.azure.net/
+        trusted-signing-account-name: tsa-huggingface-apps
+        certificate-profile-name: git-xet-windows
+        files: ${{ inputs.file }}
+        file-digest: SHA256
+        timestamp-rfc3161: http://timestamp.acs.microsoft.com
+        timestamp-digest: SHA256
+        exclude-environment-credential: false
+        exclude-workload-identity-credential: true
+        exclude-managed-identity-credential: true
+        exclude-shared-token-cache-credential: true
+        exclude-visual-studio-credential: true
+        exclude-visual-studio-code-credential: true
+        exclude-azure-cli-credential: true
+        exclude-azure-powershell-credential: true
+        exclude-azure-developer-cli-credential: true
+        exclude-interactive-browser-credential: true
+inputs:
+  file:
+    required: true
+    type: string
+  azure_tenant_id:
+    required: true
+    type: string
+  azure_client_id:
+    required: true
+    type: string
+  azure_client_secret:
+    required: true
+    type: string
diff --git a/.github/workflows/git-xet-release.yml b/.github/workflows/git-xet-release.yml
@@ -88,14 +88,43 @@ jobs:
       - name: Install Rust 1.89
         uses: dtolnay/rust-toolchain@1.89.0
       - uses: ./.github/actions/cache-rust-build
+      - name: Install WiX
+        run: |
+          dotnet tool install --global wix
       - name: Build
         run: |
           cargo build --release
+          mkdir dist
+          cp target/release/git-xet.exe dist/
+      - name: Codesign the executable file
+        uses: ./.github/actions/windows-codesign
+        with:
+          file: ${{ github.workspace }}\dist\git-xet.exe
+          azure_tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          azure_client_id: ${{ secrets.AZURE_CLIENT_ID }}
+          azure_client_secret: ${{ secrets.AZURE_CLIENT_SECRET }}
+      - name: Build installer
+        run: |
+          cp git_xet/windows_installer/Package.wxs dist/
+          cd dist
+          wix build Package.wxs -o bin\git-xet-windows-installer -arch x64
+      - name: Codesign the installer
+        uses: ./.github/actions/windows-codesign
+        with:
+          file: ${{ github.workspace }}\dist\bin\git-xet-windows-installer.msi
+          azure_tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          azure_client_id: ${{ secrets.AZURE_CLIENT_ID }}
+          azure_client_secret: ${{ secrets.AZURE_CLIENT_SECRET }}
       - name: Upload binary
         uses: actions/upload-artifact@v4
         with:
           name: git-xet-windows-${{ matrix.platform.target }}
-          path: target/release/git-xet.exe
+          path: dist/git-xet.exe
+      - name: Upload installer
+        uses: actions/upload-artifact@v4
+        with:
+          name: git-xet-windows-installer-${{ matrix.platform.target }}
+          path: dist/bin/git-xet-windows-installer.msi
 
   github-release:
     name: Create GitHub release
diff --git a/git_xet/windows_installer/.gitignore b/git_xet/windows_installer/.gitignore
@@ -0,0 +1,2 @@
+bin
+*.exe
diff --git a/git_xet/windows_installer/Package.wxs b/git_xet/windows_installer/Package.wxs
@@ -0,0 +1,97 @@
+<Wix xmlns="http://wixtoolset.org/schemas/v4/wxs">
+  <Package Name="Git-Xet" 
+           Manufacturer="Hugging Face" 
+           Version="0.1.0" 
+           Language="1033"
+           UpgradeCode="1aedaf4a-9b02-44e5-be42-ef18ce3b5c28">
+
+    <!-- This tag ensures all installation files are compressed into a single .msi file. -->
+    <MediaTemplate EmbedCab="yes" />
+
+    <MajorUpgrade DowngradeErrorMessage="A newer version of [ProductName] is already installed." />
+
+    <!-- Define the directory structure. -->
+    <StandardDirectory Id="ProgramFiles64Folder">
+      <Directory Id="INSTALLFOLDER" Name="Git-Xet" />
+    </StandardDirectory>
+
+    <!-- 
+      This is the Feature tree. We have one main feature. 
+      It contains the ComponentGroup we define below.
+    -->
+    <Feature Id="Main" Title="Main Feature" Level="1">
+      <ComponentGroupRef Id="AppComponents" />
+      <ComponentRef Id="UpdateSystemPath" />
+    </Feature>
+
+    <!-- 
+      Component Group for our application files.
+    -->
+    <ComponentGroup Id="AppComponents" Directory="INSTALLFOLDER">
+      <Component Id="MyAppExeComponent" Guid="0eaa2c4c-3512-4c0f-975f-7bcd1394f315">
+        <File Id="GitXet" Source="git-xet.exe" KeyPath="yes" Checksum="yes" />
+      </Component>
+    </ComponentGroup>
+
+    <!-- 
+      This component modifies the system PATH environment variable.
+    -->
+    <Component Id="UpdateSystemPath" Directory="INSTALLFOLDER" Guid="74890476-4e17-4f81-891b-e0251380bfcb">
+      <!-- 
+        - Name='Path': Specifies we're modifying the PATH variable.
+        - Action='set': We are setting a value.
+        - Value='[INSTALLFOLDER]': The value to add, which is the installation directory.
+        - Part='last': Appends our directory to the end of the existing PATH.
+        - System='yes': Modifies the system-wide PATH, not just the user's.
+      -->
+      <Environment Id="PATH" Name="Path" Value="[INSTALLFOLDER]" Part="last" Action="set" System="yes" />
+      
+      <!-- Every component needs a KeyPath. We create a dummy registry key for this non-file component. -->
+      <RegistryValue Root="HKCU" Key="Software\[Manufacturer]\[ProductName]" Name="PathAdded" Type="integer" Value="1" KeyPath="yes" />
+    </Component>
+
+    <!--
+      Define the Custom Action to run the install command.
+      - Execute="immediate": The action will run during normal processing time with user privileges.
+      - Return="check": The installer will check the exit code and roll back if it fails.
+    -->
+    <CustomAction Id="RunInstallCommand"
+                  FileRef="GitXet"
+                  ExeCommand="install --concurrency 3"
+                  Execute="immediate"
+                  Return="check" 
+                  Impersonate="yes"/>
+    
+    <!--
+      Define the Custom Action to run the uninstall command.
+      - Execute="immediate": The action will run during normal processing time with user privileges.
+      - Return="check": The installer will check the exit code and roll back if it fails.
+    -->
+    <CustomAction Id="RunUninstallCommand"
+                  FileRef="GitXet"
+                  ExeCommand="uninstall --all"
+                  Execute="immediate"
+                  Return="check" 
+                  Impersonate="yes"/>
+    
+    <!-- 
+      Schedule the Custom Action in the installation sequence.
+    -->
+    <InstallExecuteSequence>
+      <!-- 
+        - Action="RunInstallCommand": The ID of the Custom Action we defined above.
+        - After="InstallFinalize": Schedules the action to run late in the sequence, after all files and registry keys are in place.
+        - Condition="NOT Installed": This condition ensures the action only runs during the initial installation, not during an uninstall or repair.
+      -->
+      <Custom Action="RunInstallCommand" After="InstallFinalize" Condition="NOT Installed"/>
+
+      <!-- 
+        - Action="RunUninstallCommand": The ID of the Custom Action we defined above.
+        - Before="RemoveFiles": Runs the command before the .exe is deleted from the disk.
+        - Condition='REMOVE="ALL" AND NOT UPGRADINGPRODUCTCODE': Ensures this only runs on a clean uninstall, not during an upgrade.
+      -->
+      <Custom Action="RunUninstallCommand" Before="RemoveFiles" Condition='REMOVE="ALL" AND NOT UPGRADINGPRODUCTCODE' />
+    </InstallExecuteSequence>
+
+  </Package>
+</Wix>
diff --git a/git_xet/windows_installer/sign_metadata.json b/git_xet/windows_installer/sign_metadata.json
@@ -0,0 +1,16 @@
+{
+    "Endpoint": "https://eus.codesigning.azure.net/",
+    "CodeSigningAccountName": "tsa-huggingface-apps",
+    "CertificateProfileName": "git-xet-windows",
+    "ExcludeCredentials": [
+        "ManagedIdentityCredential",
+        "WorkloadIdentityCredential",
+        "SharedTokenCacheCredential",
+        "VisualStudioCredential",
+        "VisualStudioCodeCredential",
+        "AzureCliCredential",
+        "AzurePowerShellCredential",
+        "AzureDeveloperCliCredential",
+        "InteractiveBrowserCredential"
+    ]
+}
