ci: prepare for signpath

.github/workflows/deploy_github.yml

@@ -15,7 +15,7 @@ jobs:
     strategy:
       matrix:
         python-version: ["3.10"]
-        os: [macos-latest, windows-latest]
+        os: [macos-latest]
     steps:
     - name: Set env
       shell: bash
@@ -53,6 +53,8 @@ jobs:
         prerelease: false
         body: |
             ![](https://img.shields.io/github/downloads/DCOR-dev/DCOR-Aid/${{ env.RELEASE_VERSION }}/total.svg)
+
+            For signed installers, please read the [Code Signing Policy](https://dc.readthedocs.io/en/latest/sec_code_signing.html).
         files: |
           ./build-recipes/dist/*.dmg
           ./build-recipes/dist/*.pkg

.github/workflows/deploy_github_signed_windows.yml

@@ -0,0 +1,96 @@
+name: Deploy Signed Windows Installer to GitHub Releases
+
+on:
+  push:
+    tags:
+      - '*'
+
+env:
+  PYINSTALLER_COMPILE_BOOTLOADER: 1
+
+jobs:
+  build:
+    name: Create Release
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        python-version: ["3.10"]
+        os: [windows-latest]
+    steps:
+    - name: Set env
+      shell: bash
+      run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
+    - uses: actions/checkout@main
+    - name: Set up Python ${{ matrix.python-version }}
+      uses: actions/setup-python@main
+      with:
+        python-version: ${{ matrix.python-version }}
+    - name: Install Python dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install setuptools wheel twine
+        pip install .
+    - name: Build windows executable
+      working-directory: ./build-recipes
+      run: |
+        pip install -r win_build_requirements.txt
+        pyinstaller -y --log-level=WARN win_DCOR-Aid.spec
+        # Run the binary (the most simple test)
+        dist\\DCOR-Aid\\DCOR-Aid.exe --version
+    - name: Upload windows executable
+      id: uploadBinaryArtifact
+      uses: actions/upload-artifact@v4.4.3
+      with:
+        name: pyjibe-executable
+        path: ./build-recipes/dist/DCOR-Aid/DCOR-Aid.exe
+    - name: Remove unsigned windows binary
+      shell: bash
+      run: |
+        rm ./build-recipes/dist/DCOR-Aid/DCOR-Aid.exe
+    - name: Sign Windows executable
+      uses: signpath/github-action-submit-signing-request@v1
+      with:
+        api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
+        organization-id: 'TODO'
+        project-slug: 'DCOR-Aid'
+        signing-policy-slug: 'test-signing'
+        github-artifact-id: '${{steps.uploadBinaryArtifact.outputs.artifact-id}}'
+        wait-for-completion: true
+        output-artifact-directory: 'build-recipes/dist/DCOR-Aid'
+        parameters: |
+          Version: "${{ env.RELEASE_VERSION }}"
+    - name: Create Windows installer
+      working-directory: ./build-recipes
+      run: |
+        python win_make_iss.py
+        ISCC.exe /Q win_pyjibe.iss
+    - name: Upload windows installer
+      id: uploadInstallerArtifact
+      uses: actions/upload-artifact@v4.4.3
+      with:
+        name: pyjibe-installer
+        path: ./build-recipes/Output/*.exe
+    - name: Remove unsigned windows installer
+      shell: bash
+      run: |
+        rm -rf ./build-recipes/Output/*.exe
+    - name: Sign Windows installer
+      uses: signpath/github-action-submit-signing-request@v1
+      with:
+        api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
+        organization-id: 'TODO'
+        project-slug: 'DCOR-Aid'
+        signing-policy-slug: 'test-signing'
+        github-artifact-id: '${{steps.uploadInstallerArtifact.outputs.artifact-id}}'
+        wait-for-completion: true
+        output-artifact-directory: 'build-recipes/Output'
+        parameters: |
+          Version: "${{ env.RELEASE_VERSION }}"
+    - name: Release Assets
+      uses: softprops/action-gh-release@v1
+      with:
+        name: DCOR-Aid ${{ env.RELEASE_VERSION }}
+        draft: true
+        prerelease: false
+        files: |
+          ./build-recipes/Output/*.exe