Merge branch 'main' into lewis/comp-company-tasks

carhartlewis · web-flow · commit 1fa5a9de0866 · 2026-02-17T03:32:00.000-08:00
diff --git a/.github/workflows/device-agent-release.yml b/.github/workflows/device-agent-release.yml
@@ -31,8 +31,8 @@ jobs:
       - name: Compute next version
         id: version
         run: |
-          # Get the latest production tag (ignore -staging suffixes)
-          LATEST_TAG=$(git tag -l 'device-agent-v*' --sort=-v:refname | grep -v '\-staging' | head -1)
+          # Get the latest production tag (only match clean semver tags like device-agent-v1.0.0)
+          LATEST_TAG=$(git tag -l 'device-agent-v*' --sort=-v:refname | grep -E '^device-agent-v[0-9]+\.[0-9]+\.[0-9]+$' | head -1)
 
           if [ -z "$LATEST_TAG" ]; then
             # No existing tags - start at 1.0.0
@@ -179,24 +179,43 @@ jobs:
           AUTO_UPDATE_URL: ${{ needs.detect-version.outputs.auto_update_url }}
         run: bun run package:win
 
-      - name: Setup SSL.com eSigner CodeSignTool
-        uses: sslcom/esigner-codesign@develop
+      - name: Setup Java for CodeSignTool
+        uses: actions/setup-java@v4
         with:
-          command: get_credential_ids
-          username: ${{ secrets.ESIGNER_USERNAME }}
-          password: ${{ secrets.ESIGNER_PASSWORD }}
-          totp_secret: ${{ secrets.ESIGNER_TOTP_SECRET }}
+          distribution: 'corretto'
+          java-version: '11'
 
-      - name: Sign Windows EXE with SSL.com eSigner
-        uses: sslcom/esigner-codesign@develop
-        with:
-          command: sign
-          username: ${{ secrets.ESIGNER_USERNAME }}
-          password: ${{ secrets.ESIGNER_PASSWORD }}
-          credential_id: ${{ secrets.ESIGNER_CREDENTIAL_ID }}
-          totp_secret: ${{ secrets.ESIGNER_TOTP_SECRET }}
-          file_path: ${{ github.workspace }}/packages/device-agent/release
-          override: true
+      - name: Sign Windows EXE with SSL.com CodeSignTool
+        shell: powershell
+        working-directory: packages/device-agent/release
+        env:
+          ESIGNER_USERNAME: ${{ secrets.ESIGNER_USERNAME }}
+          ESIGNER_PASSWORD: ${{ secrets.ESIGNER_PASSWORD }}
+          ESIGNER_CREDENTIAL_ID: ${{ secrets.ESIGNER_CREDENTIAL_ID }}
+          ESIGNER_TOTP_SECRET: ${{ secrets.ESIGNER_TOTP_SECRET }}
+        run: |
+          # Download and extract CodeSignTool
+          Invoke-WebRequest -Uri "https://github.com/SSLcom/CodeSignTool/releases/download/v1.3.0/CodeSignTool-v1.3.0-windows.zip" -OutFile "codesigntool.zip"
+          Expand-Archive -Path "codesigntool.zip" -DestinationPath "codesigntool"
+
+          # Find the jar file
+          $jar = Get-ChildItem -Path "codesigntool" -Recurse -Filter "code_sign_tool-*.jar" | Select-Object -First 1
+          if (-not $jar) { throw "CodeSignTool jar not found" }
+          Write-Host "Found CodeSignTool jar at: $($jar.FullName)"
+
+          # Sign each .exe file using Java directly (skips .bat which needs bundled JDK)
+          Get-ChildItem -Filter "*.exe" | ForEach-Object {
+            Write-Host "Signing $($_.Name)..."
+            & java -Xmx1024M -jar "$($jar.FullName)" sign `
+              -username="$env:ESIGNER_USERNAME" `
+              -password="$env:ESIGNER_PASSWORD" `
+              -credential_id="$env:ESIGNER_CREDENTIAL_ID" `
+              -totp_secret="$env:ESIGNER_TOTP_SECRET" `
+              -input_file_path="$($_.FullName)" `
+              -override="true"
+            if ($LASTEXITCODE -ne 0) { throw "Code signing failed for $($_.Name)" }
+            Write-Host "Signed $($_.Name) successfully"
+          }
 
       - name: Recalculate latest.yml hash after signing
         shell: bash
@@ -377,10 +396,10 @@ jobs:
 
       - name: Upload installers to S3
         env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.APP_AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.APP_AWS_SECRET_ACCESS_KEY }}
+          AWS_ACCESS_KEY_ID: ${{ needs.detect-version.outputs.s3_env == 'production' && secrets.APP_AWS_ACCESS_KEY_ID || secrets.APP_AWS_ACCESS_KEY_ID_STAGING }}
+          AWS_SECRET_ACCESS_KEY: ${{ needs.detect-version.outputs.s3_env == 'production' && secrets.APP_AWS_SECRET_ACCESS_KEY || secrets.APP_AWS_SECRET_ACCESS_KEY_STAGING }}
           AWS_REGION: ${{ secrets.APP_AWS_REGION }}
-          S3_BUCKET: ${{ secrets.FLEET_AGENT_BUCKET_NAME }}
+          S3_BUCKET: ${{ needs.detect-version.outputs.s3_env == 'production' && secrets.FLEET_AGENT_BUCKET_NAME || secrets.FLEET_AGENT_BUCKET_NAME_STAGING }}
           VERSION: ${{ needs.detect-version.outputs.version }}
           S3_ENV: ${{ needs.detect-version.outputs.s3_env }}
         run: |
@@ -403,23 +422,23 @@ jobs:
           aws s3 cp artifacts/CompAI-Device-Agent-${VERSION}-setup.exe \
             s3://${S3_BUCKET}/${PREFIX}/windows/latest-setup.exe
 
-          # Linux
-          aws s3 cp artifacts/CompAI-Device-Agent-${VERSION}-x64.deb \
-            s3://${S3_BUCKET}/${PREFIX}/linux/CompAI-Device-Agent-${VERSION}-x64.deb
-          aws s3 cp artifacts/CompAI-Device-Agent-${VERSION}-x64.deb \
-            s3://${S3_BUCKET}/${PREFIX}/linux/latest-x64.deb
+          # Linux (.deb uses amd64, .AppImage uses x86_64 architecture naming)
+          aws s3 cp artifacts/CompAI-Device-Agent-${VERSION}-amd64.deb \
+            s3://${S3_BUCKET}/${PREFIX}/linux/CompAI-Device-Agent-${VERSION}-amd64.deb
+          aws s3 cp artifacts/CompAI-Device-Agent-${VERSION}-amd64.deb \
+            s3://${S3_BUCKET}/${PREFIX}/linux/latest-amd64.deb
 
-          aws s3 cp artifacts/CompAI-Device-Agent-${VERSION}-x64.AppImage \
-            s3://${S3_BUCKET}/${PREFIX}/linux/CompAI-Device-Agent-${VERSION}-x64.AppImage
-          aws s3 cp artifacts/CompAI-Device-Agent-${VERSION}-x64.AppImage \
-            s3://${S3_BUCKET}/${PREFIX}/linux/latest-x64.AppImage
+          aws s3 cp artifacts/CompAI-Device-Agent-${VERSION}-x86_64.AppImage \
+            s3://${S3_BUCKET}/${PREFIX}/linux/CompAI-Device-Agent-${VERSION}-x86_64.AppImage
+          aws s3 cp artifacts/CompAI-Device-Agent-${VERSION}-x86_64.AppImage \
+            s3://${S3_BUCKET}/${PREFIX}/linux/latest-x86_64.AppImage
 
       - name: Upload auto-update files to S3
         env:
-          AWS_ACCESS_KEY_ID: ${{ secrets.APP_AWS_ACCESS_KEY_ID }}
-          AWS_SECRET_ACCESS_KEY: ${{ secrets.APP_AWS_SECRET_ACCESS_KEY }}
+          AWS_ACCESS_KEY_ID: ${{ needs.detect-version.outputs.s3_env == 'production' && secrets.APP_AWS_ACCESS_KEY_ID || secrets.APP_AWS_ACCESS_KEY_ID_STAGING }}
+          AWS_SECRET_ACCESS_KEY: ${{ needs.detect-version.outputs.s3_env == 'production' && secrets.APP_AWS_SECRET_ACCESS_KEY || secrets.APP_AWS_SECRET_ACCESS_KEY_STAGING }}
           AWS_REGION: ${{ secrets.APP_AWS_REGION }}
-          S3_BUCKET: ${{ secrets.FLEET_AGENT_BUCKET_NAME }}
+          S3_BUCKET: ${{ needs.detect-version.outputs.s3_env == 'production' && secrets.FLEET_AGENT_BUCKET_NAME || secrets.FLEET_AGENT_BUCKET_NAME_STAGING }}
           S3_ENV: ${{ needs.detect-version.outputs.s3_env }}
         run: |
           UPDATE_DIR="device-agent/${S3_ENV}/updates"
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,13 @@
+## [1.83.1](https://github.com/trycompai/comp/compare/v1.83.0...v1.83.1) (2026-02-17)
+
+
+### Bug Fixes
+
+* **ci:** fix Linux artifact names and consolidate all CI fixes ([#2144](https://github.com/trycompai/comp/issues/2144)) ([cbcf420](https://github.com/trycompai/comp/commit/cbcf420217c268fdfb35d9c03631a56d8822a028))
+* **ci:** handle pre-release tags in device agent version detection ([#2137](https://github.com/trycompai/comp/issues/2137)) ([b37f225](https://github.com/trycompai/comp/commit/b37f2252e9bf220600b2eb229364c4b6964b7cf0))
+* **ci:** pin Windows code signing to stable sslcom/esigner-codesign@v1.3.2 ([#2141](https://github.com/trycompai/comp/issues/2141)) ([5f35e35](https://github.com/trycompai/comp/commit/5f35e3500bbc6670464d83fb3c9eb7c5c3f4ec29))
+* **ci:** replace broken sslcom/esigner-codesign action with direct CodeSignTool invocation ([#2143](https://github.com/trycompai/comp/issues/2143)) ([884e0d2](https://github.com/trycompai/comp/commit/884e0d23dfce128b0359b3f5ad66d88aaba0c866))
+
 # [1.83.0](https://github.com/trycompai/comp/compare/v1.82.3...v1.83.0) (2026-02-13)
 
 
diff --git a/apps/portal/src/app/api/download-agent/constants.ts b/apps/portal/src/app/api/download-agent/constants.ts
@@ -24,8 +24,8 @@ export const DOWNLOAD_TARGETS: Record<
     contentType: 'application/octet-stream',
   },
   linux: {
-    key: `${S3_PREFIX}/linux/latest-x64.deb`,
-    filename: 'CompAI-Device-Agent-x64.deb',
+    key: `${S3_PREFIX}/linux/latest-amd64.deb`,
+    filename: 'CompAI-Device-Agent-amd64.deb',
     contentType: 'application/vnd.debian.binary-package',
   },
 };
diff --git a/packages/device-agent/package.json b/packages/device-agent/package.json
@@ -1,9 +1,9 @@
 {
   "name": "@comp/device-agent",
-  "version": "1.0.1",
-  "description": "Comp AI Device Compliance Agent - Device Compliance Checks",
+  "version": "1.0.0",
+  "description": "Comp AI Device Agent - Endpoint Compliance",
   "author": "Comp AI <hello@trycomp.ai>",
-  "homepage": "https://trycomp.ai",
+  "homepage": "https://trycomp.ai/",
   "private": true,
   "main": "dist/main/index.js",
   "scripts": {
