From 66165a5c8e92c6a5c9cd5bee4cd6504da7504fc0 Mon Sep 17 00:00:00 2001
From: Philipp Wolfer
Date: Sat, 7 Dec 2024 14:25:15 +0100
Subject: [PATCH] Code sign Windows build with Azure Trusted Signing
---
 .github/workflows/build.yml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 161ad42..3a2f1c0 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -40,6 +40,8 @@ jobs:
 windows-portable:
 name: Build Windows portable
 runs-on: windows-latest
+ env:
+ CODESIGN: ${{ !!secrets.AZURE_CERT_PROFILE_NAME }}
 steps:
 - uses: actions/checkout@v4
 - name: Set up Python
@@ -92,6 +94,19 @@ jobs:
 mv dist\MusicBrainz-Picard-*.exe dist\MusicBrainz-Picard-daily.exe
 env:
 PICARD_BUILD_PORTABLE: 1
+ - name: Code signing
+ uses: azure/trusted-signing-action@v0.5.0
+ if: env.CODESIGN == 'true'
+ with:
+ azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ azure-client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
+ endpoint: ${{ secrets.AZURE_ENDPOINT }}
+ trusted-signing-account-name: ${{ secrets.AZURE_CODE_SIGNING_NAME }}
+ certificate-profile-name: ${{ secrets.AZURE_CERT_PROFILE_NAME }}
+ files: ${{ github.workspace }}\source\dist\MusicBrainz-Picard-daily.exe
+ timestamp-rfc3161: http://timestamp.acs.microsoft.com
+ timestamp-digest: SHA256
 - name: Archive artifacts
 uses: actions/upload-artifact@v4
 with:
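Review bot: The job-level `CODESIGN` flag makes signing silently optional. When `AZURE_CERT_PROFILE_NAME` is not set, as in forks or pull requests from forks where GitHub withholds secrets, the signing step in the second hunk is skipped and the unsigned exe is still produced under the same file name. A comment above the new `env:` would record why the indirection exists, for example `# secrets cannot be referenced in a step's if:, so expose only whether signing is configured`. Consider also emitting a notice when the flag is not `'true'`, so an unsigned daily build is visible in the run log.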
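Review bot: The new Code signing step passes `AZURE_CLIENT_SECRET` and the other signing inputs to `azure/trusted-signing-action@v0.5.0`, which is referenced by a movable tag. Pinning it to the full commit SHA of that release, `uses: azure/trusted-signing-action@<full-commit-sha> # v0.5.0`, keeps a retagged release from running with the signing credentials. Nothing checks the result before Archive artifacts uploads the file. A follow-up step that runs `Get-AuthenticodeSignature` on the exe and fails unless `Status` is `Valid` would catch a binary that was not signed as expected. The workflow triggers are outside this hunk; if the job also runs for refs that should not yield signed builds, narrow the `if:` to the intended events.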