From 3ec8bca178c4f51f921ca297240cff2ed11fb645 Mon Sep 17 00:00:00 2001
From: Niklas Fiekas <niklas.fiekas@backscattering.de>
Date: Sat, 7 Sep 2024 13:10:33 +0200
Subject: [PATCH] try github actions environments for signpath

---
 .github/workflows/build.yml | 39 ++++++++++++++++++++++---------------
 1 file changed, 23 insertions(+), 16 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index be847f3..fd6c9cb 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -101,21 +101,6 @@ jobs:
         with:
           name: fishnet-x86_64-pc-windows-gnu-unsigned
           path: fishnet-x86_64-pc-windows-gnu-unsigned.exe
-      - uses: signpath/github-action-submit-signing-request@v0.4
-        with:
-          api-token: ${{ secrets.SIGNPATH_API_TOKEN }}
-          organization-id: ${{ vars.SIGNPATH_ORGANIZATION_ID }}
-          project-slug: 'fishnet'
-          signing-policy-slug: ${{ startsWith(github.ref, 'refs/tags/v') && 'release-signing' || 'test-signing' }}
-          github-artifact-id: ${{ steps.upload-unsigned-artifact.outputs.artifact-id }}
-          wait-for-completion: true
-          wait-for-completion-timeout-in-seconds: 7200
-          output-artifact-directory: signed
-      - run: mv signed/fishnet-x86_64-pc-windows-gnu-unsigned.exe signed/fishnet-x86_64-pc-windows-gnu.exe
-      - uses: actions/upload-artifact@v4
-        with:
-          name: fishnet-x86_64-pc-windows-gnu
-          path: signed
   macos-x86-64:
     runs-on: macos-13
     steps:
@@ -148,13 +133,35 @@ jobs:
         with:
           name: fishnet-aarch64-apple-darwin
           path: fishnet-aarch64-apple-darwin
+  windows-x86-64_signed:
+    runs-on: ubuntu-latest
+    environment:
+      name: ${{ startsWith(github.ref, 'refs/tags/v') && 'signpath_release' || 'signpath_test' }}
+    needs:
+      - windows-x86-64
+    steps:
+      - uses: signpath/github-action-submit-signing-request@v0.4
+        with:
+          api-token: ${{ secrets.SIGNPATH_API_TOKEN }}
+          organization-id: ${{ vars.SIGNPATH_ORGANIZATION_ID }}
+          project-slug: 'fishnet'
+          signing-policy-slug: ${{ vars.SIGNPATH_SIGNING_POLICY_SLUG }}
+          github-artifact-id: ${{ needs.windows-x86-64.upload-unsigned-artifact.outputs.artifact-id }}
+          wait-for-completion: true
+          wait-for-completion-timeout-in-seconds: 7200
+          output-artifact-directory: signed
+      - run: mv signed/fishnet-x86_64-pc-windows-gnu-unsigned.exe signed/fishnet-x86_64-pc-windows-gnu.exe
+      - uses: actions/upload-artifact@v4
+        with:
+          name: fishnet-x86_64-pc-windows-gnu
+          path: signed
   github_release:
     runs-on: ubuntu-latest
     permissions:
       contents: write
     needs:
       - linux
-      - windows-x86-64
+      - windows-x86-64_signed
       - macos-x86-64
       - macos-aarch64
     if: startsWith(github.ref, 'refs/tags/v')