Skip to content

Add support for Azure Artifact Signing#263

Merged
pierotofy merged 2 commits intoOpenDroneMap:masterfrom
sylveon:artifact-signing
Mar 13, 2026
Merged

Add support for Azure Artifact Signing#263
pierotofy merged 2 commits intoOpenDroneMap:masterfrom
sylveon:artifact-signing

Conversation

@sylveon
Copy link
Copy Markdown
Contributor

@sylveon sylveon commented Mar 13, 2026
edited
Loading

This one was tested locally, so it should work from the first go.

pierotofy
pierotofy reviewed Mar 13, 2026
View reviewed changes
Comment thread .github/workflows/publish-windows.yml
- name: Build bundle
run: |
npm run winbundle
npm run winbundle -- --signtool-path "C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x64\signtool.exe" --azure-signing-metadata "%RUNNER_TEMP%\metadata.json"
Copy link
Copy Markdown
Contributor

@pierotofy pierotofy Mar 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is fine, but note that this path will break very soon. Long term you'll want to find a more reliable way to invoke signtool.

Copy link
Copy Markdown
Contributor Author

@sylveon sylveon Mar 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The Windows SDK path is very consistent, it hasn't changed since the original release of Windows 10 besides the version number increment. Being more smart about this requires bringing a lot more tooling (e.g. VS developer cmd, not really documented registry reads, or installing the SDK at runtime), there isn't an easy environment variable documented unfortunately :(

Thankfully, this should only break when the SDK 26100 is removed from the CI image (which shouldn't happen anytime soon), and fixing it should be merely just updating this path. That's why I made it a parameter, to make that easier.

Copy link
Copy Markdown
Contributor

@pierotofy pierotofy Mar 13, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One simple idea, instead of an exact path to signtool, pass a path to C:\Program Files (x86)\Windows Kits\10\bin\ and recursively search for signtool.exe. Just a thought.

Copy link
Copy Markdown
Contributor Author

@sylveon sylveon Mar 13, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The artifact signing dlib requires at least SDK 19041, so a naive search could pick up a version that's too old. It could also pick up the ARM64 or x86 signtool, which we don't want.

@pierotofy pierotofy merged commit f24e9ee into OpenDroneMap:master Mar 13, 2026
1 check passed
sylveon added a commit to sylveon/NodeODM that referenced this pull request Mar 17, 2026
@sylveon
Change permissions from read to write for contents
fbf61c1 
OpenDroneMap#263 added granular permissions to grant `id-token: write` (which isn't granted by default). When doing this, I also added `contents: read` because granular permissions overwrite repo-level permissions, and not having it prevented the workflow from cloning its own repo.

However, the `svenstaro/upload-release-action` action requires `contents: write`, which the pipeline no longer had. Change `contents` to `write` (which implies `read`) to fix that.
@sylveon sylveon mentioned this pull request Mar 17, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@pierotofy pierotofy pierotofy left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@sylveon @pierotofy