Merge pull request #379 from chrisbra/arm-signpath

CI: Add Signpath signing step for ARM64 artifacts

Author: chrisbra

.github/workflows/windows-arm-build.yml

@@ -94,6 +94,22 @@ jobs:
           subject-name: arm64-windows-zip-archive.zip
           subject-digest: sha256:${{ steps.upload-zip.outputs.artifact-digest }}
 
+      - name: upload Zip File for Signpath
+        id:   upload-unsigned-zip
+        uses: actions/upload-artifact@v4
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          name: arm64-windows-unsigned-zip-archive.zip
+          path: |
+            unsigned*.zip
+
+      - name: Attest Zip File for Signpath
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: arm64-windows-zip-archive.zip
+          subject-digest: sha256:${{ steps.upload-unsigned-zip.outputs.artifact-digest }}
+
       # the release will be created by the appveyor CI, so we need to wait
       # until it exists before trying to push our release artifacts
       - name: Wait for Github Release
@@ -128,6 +144,15 @@ jobs:
             gh release upload "$GH_TAG_NAME" "$i" --clobber
           done
 
+      - name: SignPath code signing
+        uses: SignPath/[email protected]
+        with:
+          api-token: ${{ secrets.SIGNPATH_API_TOKEN }}
+          organization-id: 47c0047c-0c1d-42b2-a16c-4ea6907dc813
+          project-slug: vim-win32-installer
+          signing-policy-slug: release-signing
+          github-artifact-id: '${{ steps.upload-unsigned-zip.outputs.artifact-id }}'
+
       - name: Post Summary
         shell: bash
         run: |

appveyor.yml

@@ -102,10 +102,14 @@ deploy:
         Signed 32-bit installer (*If you don't know what to use, use this one*)
       * [![gvim_$(VIMVER)_x64_signed.exe](https://img.shields.io/github/downloads/$(APPVEYOR_REPO_NAME)/$(APPVEYOR_REPO_TAG_NAME)/gvim_$(VIMVER)_x64_signed.exe.svg?label=downloads&logo=vim)]($(URL)/$(APPVEYOR_REPO_TAG_NAME)/gvim_$(VIMVER)_x64_signed.exe)
         Signed 64-bit installer
+      * [![gvim_$(VIMVER)_arm64_signed.exe](https://img.shields.io/github/downloads/$(APPVEYOR_REPO_NAME)/$(APPVEYOR_REPO_TAG_NAME)/gvim_$(VIMVER)_arm64_signed.exe.svg?label=downloads&logo=vim)]($(URL)/$(APPVEYOR_REPO_TAG_NAME)/gvim_$(VIMVER)_arm64_signed.exe)
+        Signed ARM64-bit installer
       * [![gvim_$(VIMVER)_x86_signed.zip](https://img.shields.io/github/downloads/$(APPVEYOR_REPO_NAME)/$(APPVEYOR_REPO_TAG_NAME)/gvim_$(VIMVER)_x86_signed.zip.svg?label=downloads&logo=vim)]($(URL)/$(APPVEYOR_REPO_TAG_NAME)/gvim_$(VIMVER)_x86_signed.zip)
         Signed 32-bit zip archive
       * [![gvim_$(VIMVER)_x64_signed.zip](https://img.shields.io/github/downloads/$(APPVEYOR_REPO_NAME)/$(APPVEYOR_REPO_TAG_NAME)/gvim_$(VIMVER)_x64_signed.zip.svg?label=downloads&logo=vim)]($(URL)/$(APPVEYOR_REPO_TAG_NAME)/gvim_$(VIMVER)_x64_signed.zip)
         Signed 64-bit zip archive
+      * [![gvim_$(VIMVER)_arm64_signed.zip](https://img.shields.io/github/downloads/$(APPVEYOR_REPO_NAME)/$(APPVEYOR_REPO_TAG_NAME)/gvim_$(VIMVER)_arm64_signed.zip.svg?label=downloads&logo=vim)]($(URL)/$(APPVEYOR_REPO_TAG_NAME)/gvim_$(VIMVER)_arm64_signed.zip)
+        Signed ARM64-bit zip archive
       -->
       #### :unlock: Unsigned Files:
       * [![gvim_$(VIMVER)_x86.exe](https://img.shields.io/github/downloads/$(APPVEYOR_REPO_NAME)/$(APPVEYOR_REPO_TAG_NAME)/gvim_$(VIMVER)_x86.exe.svg?label=downloads&logo=vim)]($(URL)/$(APPVEYOR_REPO_TAG_NAME)/gvim_$(VIMVER)_x86.exe)