fix(ci): replace broken sslcom/esigner-codesign action with direct CodeSignTool invocation

The sslcom/esigner-codesign GitHub Action (both @develop and @v1.3.2)
has a bug where it fails to pass -username and -password flags to the
CodeSignTool CLI. Replaced with direct download and invocation of
CodeSignTool v1.3.0 via PowerShell.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: tofikwest

.github/workflows/device-agent-release.yml

@@ -179,24 +179,43 @@ jobs:
           AUTO_UPDATE_URL: ${{ needs.detect-version.outputs.auto_update_url }}
         run: bun run package:win
 
-      - name: Setup SSL.com eSigner CodeSignTool
-        uses: sslcom/esigner-codesign@v1.3.2
+      - name: Setup Java for CodeSignTool
+        uses: actions/setup-java@v4
         with:
-          command: get_credential_ids
-          username: ${{ secrets.ESIGNER_USERNAME }}
-          password: ${{ secrets.ESIGNER_PASSWORD }}
-          totp_secret: ${{ secrets.ESIGNER_TOTP_SECRET }}
+          distribution: 'corretto'
+          java-version: '11'
 
-      - name: Sign Windows EXE with SSL.com eSigner
-        uses: sslcom/esigner-codesign@v1.3.2
-        with:
-          command: sign
-          username: ${{ secrets.ESIGNER_USERNAME }}
-          password: ${{ secrets.ESIGNER_PASSWORD }}
-          credential_id: ${{ secrets.ESIGNER_CREDENTIAL_ID }}
-          totp_secret: ${{ secrets.ESIGNER_TOTP_SECRET }}
-          file_path: ${{ github.workspace }}/packages/device-agent/release
-          override: true
+      - name: Sign Windows EXE with SSL.com CodeSignTool
+        shell: powershell
+        working-directory: packages/device-agent/release
+        env:
+          ESIGNER_USERNAME: ${{ secrets.ESIGNER_USERNAME }}
+          ESIGNER_PASSWORD: ${{ secrets.ESIGNER_PASSWORD }}
+          ESIGNER_CREDENTIAL_ID: ${{ secrets.ESIGNER_CREDENTIAL_ID }}
+          ESIGNER_TOTP_SECRET: ${{ secrets.ESIGNER_TOTP_SECRET }}
+        run: |
+          # Download and extract CodeSignTool
+          Invoke-WebRequest -Uri "https://github.com/SSLcom/CodeSignTool/releases/download/v1.3.0/CodeSignTool-v1.3.0-windows.zip" -OutFile "codesigntool.zip"
+          Expand-Archive -Path "codesigntool.zip" -DestinationPath "codesigntool"
+
+          # Find CodeSignTool.bat (may be in root or a subdirectory)
+          $cstBat = Get-ChildItem -Path "codesigntool" -Recurse -Filter "CodeSignTool.bat" | Select-Object -First 1
+          if (-not $cstBat) { throw "CodeSignTool.bat not found" }
+          Write-Host "Found CodeSignTool at: $($cstBat.FullName)"
+
+          # Sign each .exe file
+          Get-ChildItem -Filter "*.exe" | ForEach-Object {
+            Write-Host "Signing $($_.Name)..."
+            cmd /c "$($cstBat.FullName)" sign `
+              -username="$env:ESIGNER_USERNAME" `
+              -password="$env:ESIGNER_PASSWORD" `
+              -credential_id="$env:ESIGNER_CREDENTIAL_ID" `
+              -totp_secret="$env:ESIGNER_TOTP_SECRET" `
+              -input_file_path="$($_.FullName)" `
+              -override="true"
+            if ($LASTEXITCODE -ne 0) { throw "Code signing failed for $($_.Name)" }
+            Write-Host "Signed $($_.Name) successfully"
+          }
 
       - name: Recalculate latest.yml hash after signing
         shell: bash

packages/device-agent/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@comp/device-agent",
   "version": "1.0.0",
-  "description": "Comp AI Device Compliance Agent - Device Compliance Checks",
+  "description": "Comp AI Device Agent - Endpoint Compliance",
   "author": "Comp AI <hello@trycomp.ai>",
   "homepage": "https://trycomp.ai",
   "private": true,