Moved the action from the .github repository to it's own repository.

Author: dlemstra

.config/dotnet-tools.json

@@ -0,0 +1,12 @@
+{
+  "version": 1,
+  "isRoot": true,
+  "tools": {
+    "sign": {
+      "version": "0.9.1-beta.26102.1",
+      "commands": [
+        "sign"
+      ]
+    }
+  }
+}

.github/dependabot.yml

@@ -0,0 +1,10 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: "nuget"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/workflows/main.yml

@@ -0,0 +1,37 @@
+on:
+  workflow_dispatch:
+  push:
+    branches:
+    - main
+
+permissions:
+  contents: read
+
+name: main
+jobs:
+  test-signing:
+    name: Test code-signing action
+    runs-on: windows-2025
+
+    permissions:
+      contents: read
+      id-token: write
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Prepare files to sign
+        shell: cmd
+        run: |
+          mkdir files-to-sign
+          copy %WINDIR%\system32\kernel32.dll files-to-sign
+
+      - name: Sign files
+        uses: ./actions/code-signing
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          directory: ${{ github.workspace }}\files-to-sign

action.yml

@@ -0,0 +1,67 @@
+name: Code Signing
+description: Sign files using Azure Trusted Signing
+inputs:
+  client-id:
+    description: Azure Client ID
+  tenant-id:
+    description: Azure Tenant ID
+  subscription-id:
+    description: Azure Subscription ID
+  directory:
+    description: Directory containing files to sign
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Check if signing should be performed
+      id: should_sign
+      shell: pwsh
+      run: |
+        $shouldSign = $true
+
+        if ("${{inputs.client-id}}" -eq "") {
+          echo "Missing required value: client-id"
+          $shouldSign = $false
+        }
+
+        if ("${{inputs.tenant-id}}" -eq "") {
+          echo "Missing required value: tenant-id"
+          $shouldSign = $false
+        }
+
+        if ("${{inputs.subscription-id}}" -eq "") {
+          echo "Missing required value: subscription-id"
+          $shouldSign = $false
+        }
+
+        echo "should_sign=$shouldSign" >> $env:GITHUB_OUTPUT
+        echo "Should sign: $shouldSign"
+
+    - name: Azure CLI login with federated credential
+      if: steps.should_sign.outputs.should_sign == 'true'
+      uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
+      with:
+        client-id: ${{ inputs.client-id }}
+        tenant-id: ${{ inputs.tenant-id }}
+        subscription-id: ${{ inputs.subscription-id }}
+
+    - name: Install sign cli
+      if: steps.should_sign.outputs.should_sign == 'true'
+      shell: cmd
+      run: dotnet tool restore
+      working-directory: ${{ github.action_path }}
+
+    - name: Sign executables and libraries
+      if: steps.should_sign.outputs.should_sign == 'true'
+      shell: pwsh
+      run: |
+        dotnet tool run sign code trusted-signing `
+          --base-directory ${{ inputs.directory }} `
+          --trusted-signing-account ImageMagick `
+          --trusted-signing-certificate-profile ImageMagick2028 `
+          --trusted-signing-endpoint https://wus2.codesigning.azure.net `
+          --azure-credential-type azure-cli `
+          --verbosity information `
+          *.exe *.dll
+      working-directory: ${{ github.action_path }}