Refactor ci/cd to use new signing action

Author: jasonleenaylor

.github/workflows/ci-cd.yml

@@ -113,75 +113,25 @@ jobs:
 
       # All the following are used only when building an installer after a merge
       - name: Build Msi
+        if: github.event_name != 'pull_request'
         id: build_msi
         shell: cmd
         run: |
           msbuild build/FLExBridge.proj /t:CleanMasterOutputDir;PreparePublishingArtifactsInternal;BuildProductBaseMsi /p:UploadFolder=${{ inputs.environment || 'Alpha' }}
-        if: github.event_name != 'pull_request'
-
-      # REVIEW: The .msi file is named with the version, there is probably a cleaner way to generate the correct filename
-      # and after completing the work to do signing of the bundles it became clear that capturing the files in the signtool wasn't necessary
-      - name: Prepare for msi signing
-        shell: bash
-        run: |
-          echo "FILES_TO_SIGN=$(cat $FILESTOSIGNLATER)" >> $GITHUB_OUTPUT
-        id: gathered_files
-        if: github.event_name != 'pull_request'
 
-      - name: upload-msi
-        id: upload
-        uses: actions/upload-artifact@v4
-        with:
-          name: FlexBridge.msi
-          path: ${{ steps.gathered_files.outputs.FILES_TO_SIGN }}
-          if-no-files-found: error
-          overwrite: true
+      - name: Sign FlexBridge msi
+        uses: sillsdev/codesign/trusted-signing-action@v3
         if: github.event_name != 'pull_request'
-
-  sign-msi:
-    name: Sign FlexBridge Installer
-    needs: build_and_test
-    if: github.event_name != 'pull_request'
-    uses: sillsdev/codesign/.github/workflows/[email protected]
-    with:
-      artifact: FlexBridge.msi
-      description: 'FLEx Bridge Installer'
-    secrets:
-      certificate: ${{ secrets.CODESIGN_LSDEVSECTIGOEV }}
-
-  build-bundles:
-    name: Build Installer Bundles
-    needs: sign-msi
-    if: github.event_name != 'pull_request'
-    runs-on: windows-latest
-    env:
-      FILESTOSIGNLATER: "${{ github.workspace }}\\filesToSign"
-    steps:
-      - name: Checkout Files
-        uses: actions/checkout@v4
-        id: checkout
         with:
-          fetch-depth: 0
-          submodules: true
-
-      - name: Downgrade Wix Toolset - remove when runner has 3.14.2
-      # See: https://github.com/actions/runner-images/issues/9667
-        run: |
-          choco uninstall wixtoolset
-          choco install wixtoolset --version 3.11.2 --allow-downgrade --force
-          echo "C:\Program Files (x86)\WiX Toolset v3.11\bin" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
-
-      - name: Add msbuild to PATH
-        uses: microsoft/setup-msbuild@v2
-
-      - name: Download FlexBridge artifact
-        uses: actions/download-artifact@v4
-        with:
-          name: FlexBridge.msi
-          path: src/WiXInstaller/BaseInstallerBuild  # Target directory for the downloaded artifact
+          credentials: ${{ secrets.TRUSTED_SIGNING_CREDENTIALS }}
+          files-folder: src/WiXInstaller/BaseInstallerBuild
+          files-folder-filter: FlexBridge*.msi
+          description:  'FLExBridge installer - SIL Global'
+          description-url: 'https://software.sil.org/fieldworks/help/using-sendreceive/flex-bridge/'
 
       - name: Build Bundles
         id: build_bundles
+        if: github.event_name != 'pull_request'
         working-directory: build
         shell: cmd
         run: |
@@ -190,156 +140,56 @@ jobs:
 
       - name: Extract burn engines
         id: extract_engines
+        if: github.event_name != 'pull_request'
         working-directory: BuildDir
         shell: cmd
         run: |
           insignia -ib FlexBridge_Offline.exe -o offline-engine.exe
           insignia -ib FlexBridge_Online.exe -o online-engine.exe
 
-      - name: Upload Offline Engine
-        id: upload-offline-engine
-        uses: actions/upload-artifact@v4
-        with:
-          name: offline-engine
-          path: BuildDir/offline-engine.exe
-          if-no-files-found: error
-          overwrite: true
+      - name: Sign Engines
         if: github.event_name != 'pull_request'
-
-      - name: Upload Offline Bundle(detatched)
-        id: upload-offline-bundle
-        uses: actions/upload-artifact@v4
-        with:
-          name: FlexBridge_Offline.exe
-          path: BuildDir/FlexBridge_Offline.exe
-          if-no-files-found: error
-          overwrite: true
-        if: github.event_name != 'pull_request'
-
-      - name: Upload Online Engine
-        id: upload-online-engine
-        uses: actions/upload-artifact@v4
-        with:
-          name: online-engine
-          path: BuildDir/online-engine.exe
-          if-no-files-found: error
-          overwrite: true
-        if: github.event_name != 'pull_request'
-
-      - name: Upload Online Bundle(detached)
-        id: upload-online-bundle
-        uses: actions/upload-artifact@v4
-        with:
-          name: FlexBridge_Online.exe
-          path: BuildDir/FlexBridge_Online.exe
-          if-no-files-found: error
-          overwrite: true
-        if: github.event_name != 'pull_request'
-
-  sign-offline-engine:
-    name: Sign Offline Engine
-    needs: build-bundles
-    if: github.event_name != 'pull_request'
-    uses: sillsdev/codesign/.github/workflows/[email protected]
-    with:
-      artifact: offline-engine
-      description: 'FLEx Bridge Installer'
-    secrets:
-      certificate: ${{ secrets.CODESIGN_LSDEVSECTIGOEV }}
-
-  sign-online-engine:
-    name: Sign Online Engine
-    needs: build-bundles
-    if: github.event_name != 'pull_request'
-    uses: sillsdev/codesign/.github/workflows/[email protected]
-    with:
-      artifact: online-engine
-      description: 'FLEx Bridge Installer'
-    secrets:
-      certificate: ${{ secrets.CODESIGN_LSDEVSECTIGOEV }}
-
-  reattach-engines:
-    runs-on: windows-latest
-    needs: [sign-offline-engine, sign-online-engine]
-    steps:
-      - name: Downgrade Wix Toolset - remove when runner has 3.14.2
-        run: |
-          choco uninstall wixtoolset
-          choco install wixtoolset --version 3.11.2 --allow-downgrade --force
-          echo "C:\Program Files (x86)\WiX Toolset v3.11\bin" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
-
-      - name: Download signed online engine
-        uses: actions/download-artifact@v4
-        with:
-          name: online-engine
-      - name: Download signed offline engine
-        uses: actions/download-artifact@v4
-        with:
-          name: offline-engine
-      - name: Download Online Bundle
-        uses: actions/download-artifact@v4
-        with:
-          name: FlexBridge_Online.exe
-      - name: Download Offline Bundle
-        uses: actions/download-artifact@v4
-        with:
-          name: FlexBridge_Offline.exe
-
+        uses: sillsdev/codesign/trusted-signing-action@v3
+        with:
+          credentials: ${{ secrets.TRUSTED_SIGNING_CREDENTIALS }}
+          files-folder: BuildDir
+          files-folder-filter: '*-engine.exe'
+          description:  'FLExBridge installer burn engine - SIL Global'
+          description-url: 'https://software.sil.org/fieldworks/help/using-sendreceive/flex-bridge/'
+        
       - name: Reattach Engines
+        if: github.event_name != 'pull_request'
+        working-directory: BuildDir
         shell: cmd
         run: |
           insignia -ab online-engine.exe FlexBridge_Online.exe -o FlexBridge_Online.exe
           insignia -ab offline-engine.exe FlexBridge_Offline.exe -o FlexBridge_Offline.exe
 
-      - name: Upload Online Bundle(attached)
-        id: upload-online-bundle
-        uses: actions/upload-artifact@v4
-        with:
-          name: FlexBridge_Online.exe
-          path: FlexBridge_Online.exe
-          if-no-files-found: error
-          overwrite: true
+      - name: Sign Offline Bundle
         if: github.event_name != 'pull_request'
-
-      - name: Upload Offline Bundle(attached)
-        id: upload-offline-bundle
+        uses: sillsdev/codesign/trusted-signing-action@v3
+        with:
+          credentials: ${{ secrets.TRUSTED_SIGNING_CREDENTIALS }}
+          files-folder: src/WiXInstaller/BaseInstallerBuild
+          files-folder-filter: FlexBridge_*.exe
+          description:  'FLExBridge installer - SIL Global'
+          description-url: 'https://software.sil.org/fieldworks/help/using-sendreceive/flex-bridge/'
+          
+      - name: Sign Offline Bundle
+        needs: reattach-engines
+        if: github.event_name != 'pull_request'
+        uses: sillsdev/codesign/.github/workflows/[email protected]
+        with:
+          artifact: FlexBridge_Offline.exe
+          description: 'FLEx Bridge Installer'
+        secrets:
+          certificate: ${{ secrets.CODESIGN_LSDEVSECTIGOEV }}
+          
+      - name: Upload Signed Installers
         uses: actions/upload-artifact@v4
-        with:
-          name: FlexBridge_Offline.exe
-          path: FlexBridge_Offline.exe
-          if-no-files-found: error
-          overwrite: true
         if: github.event_name != 'pull_request'
-
-      - name: Cleanup Offline Engine
-        uses: geekyeggo/delete-artifact@v5
         with:
-          name: offline-engine
-
-      - name: Cleanup Online Engine
-        uses: geekyeggo/delete-artifact@v5
-        with:
-          name: online-engine
-
-  sign-offline-bundle:
-    name: Sign Offline Bundle
-    needs: reattach-engines
-    if: github.event_name != 'pull_request'
-    uses: sillsdev/codesign/.github/workflows/[email protected]
-    with:
-      artifact: FlexBridge_Offline.exe
-      description: 'FLEx Bridge Installer'
-    secrets:
-      certificate: ${{ secrets.CODESIGN_LSDEVSECTIGOEV }}
-
-  sign-online-bundle:
-    name: Sign Online Bundle
-    needs: reattach-engines
-    if: github.event_name != 'pull_request'
-    uses: sillsdev/codesign/.github/workflows/[email protected]
-    with:
-      artifact: FlexBridge_Online.exe
-      description: 'FLEx Bridge Installer'
-    secrets:
-      certificate: ${{ secrets.CODESIGN_LSDEVSECTIGOEV }}
+          name: nuget-packages
+          path: output/*nupkg
+          if-no-files-found: warn