22 changes: 22 additions & 0 deletions .github/workflows/release.yml
@@ -24,6 +24,21 @@ jobs:
with:
ref: ${{ env.RELEASE_TAG }}

- name: Prepare signing certificate
shell: pwsh
env:
CLOUDSQLCTL_SIGN_CERT_B64: ${{ secrets.CLOUDSQLCTL_SIGN_CERT_B64 }}
CLOUDSQLCTL_SIGN_PWD: ${{ secrets.CLOUDSQLCTL_SIGN_PWD }}
run: |
if (-not $env:CLOUDSQLCTL_SIGN_CERT_B64) {
Write-Host "Signing cert not provided; skipping signing setup."
exit 0
}
$certPath = Join-Path $env:RUNNER_TEMP "cloudsqlctl-signing.pfx"
[IO.File]::WriteAllBytes($certPath, [Convert]::FromBase64String($env:CLOUDSQLCTL_SIGN_CERT_B64))
"CLOUDSQLCTL_SIGN_CERT=$certPath" | Out-File -FilePath $env:GITHUB_ENV -Append
"CLOUDSQLCTL_SIGN_PWD=$env:CLOUDSQLCTL_SIGN_PWD" | Out-File -FilePath $env:GITHUB_ENV -Append
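Review bot: the guard at the top of this step checks only CLOUDSQLCTL_SIGN_CERT_B64, so when the certificate secret is present but CLOUDSQLCTL_SIGN_PWD is empty the step still writes the PFX and exports CLOUDSQLCTL_SIGN_CERT, and the later "Sign artifacts" step (gated on `env.CLOUDSQLCTL_SIGN_CERT != ''`) runs with an empty password and is left to fail, or not, inside tools/sign-exe.ps1 rather than here. Check both secrets together, e.g. `if (-not $env:CLOUDSQLCTL_SIGN_CERT_B64 -or -not $env:CLOUDSQLCTL_SIGN_PWD) { ... }`, and decide explicitly whether a half-configured signing setup should skip signing or fail the release. The password also does not need to leave this step: appending CLOUDSQLCTL_SIGN_PWD to GITHUB_ENV makes it readable by every subsequent step in the job, while only the signing step needs it, so pass it to that step via its own `env:` and export only the certificate path from here.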

🚨 suggestion (security): Avoid broadening the exposure of the signing password by putting it into GITHUB_ENV.

Writing CLOUDSQLCTL_SIGN_PWD to GITHUB_ENV makes it available to all later steps in the job, unnecessarily widening exposure if any of those steps are compromised or misconfigured. Since the secret is already available in this step’s environment, prefer passing it only to the signing step (e.g., via env: on that step or as an argument to the signing script) instead of promoting it to a job-wide variable.

Suggested implementation:

          $certPath = Join-Path $env:RUNNER_TEMP "cloudsqlctl-signing.pfx"
          [IO.File]::WriteAllBytes($certPath, [Convert]::FromBase64String($env:CLOUDSQLCTL_SIGN_CERT_B64))
          "CLOUDSQLCTL_SIGN_CERT=$certPath" | Out-File -FilePath $env:GITHUB_ENV -Append

      - name: Sign artifacts
        if: ${{ env.CLOUDSQLCTL_SIGN_CERT != '' }}
        env:
          CLOUDSQLCTL_SIGN_PWD: ${{ secrets.CLOUDSQLCTL_SIGN_PWD }}
        shell: pwsh
        run: |
          powershell -ExecutionPolicy Bypass -File tools/sign-exe.ps1 -ExePath "bin/cloudsqlctl.exe"


- name: Use Node.js 22.x
uses: actions/setup-node@v4
with:
@@ -54,6 +69,13 @@ jobs:
- name: Build Installer
run: npm run installer

- name: Sign artifacts
if: ${{ env.CLOUDSQLCTL_SIGN_CERT != '' }}
shell: pwsh
run: |
powershell -ExecutionPolicy Bypass -File tools/sign-exe.ps1 -ExePath "bin/cloudsqlctl.exe"
powershell -ExecutionPolicy Bypass -File tools/sign-exe.ps1 -ExePath "dist/cloudsqlctl-setup.exe"
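Review bot: bin/cloudsqlctl.exe is signed here, after "Build Installer" has already run, so if `npm run installer` packages that binary into dist/cloudsqlctl-setup.exe the copy inside the installer is the unsigned one; sign bin/cloudsqlctl.exe before the installer is built and sign only dist/cloudsqlctl-setup.exe in this step. The step also trusts the script's exit code alone: add a check of the artifact after each invocation, e.g. `if ((Get-AuthenticodeSignature -FilePath 'dist/cloudsqlctl-setup.exe').Status -ne 'Valid') { exit 1 }`, so an unsigned or mis-signed file fails the release instead of shipping.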
Comment on lines +76 to +77
Copilot AI Dec 22, 2025


Redundant PowerShell invocation. Since this step already uses shell: pwsh (line 74), the commands are already running in PowerShell. The powershell -ExecutionPolicy Bypass -File wrapper spawns an unnecessary nested PowerShell process.

The commands should be called directly using dot-sourcing or by invoking the script file with &. For example:

  • Change to: & tools/sign-exe.ps1 -ExePath "bin/cloudsqlctl.exe"

This pattern is consistent with lines 33-40 and 97-120 in the same workflow, where PowerShell commands are executed directly when using shell: pwsh.

Suggested change
powershell -ExecutionPolicy Bypass -File tools/sign-exe.ps1 -ExePath "bin/cloudsqlctl.exe"
powershell -ExecutionPolicy Bypass -File tools/sign-exe.ps1 -ExePath "dist/cloudsqlctl-setup.exe"
& tools/sign-exe.ps1 -ExePath "bin/cloudsqlctl.exe"
& tools/sign-exe.ps1 -ExePath "dist/cloudsqlctl-setup.exe"


Copilot AI Dec 22, 2025


The certificate file should be explicitly deleted after signing completes to minimize the time sensitive credentials exist on disk. While RUNNER_TEMP is automatically cleaned up after the job finishes, explicitly removing the certificate immediately after use follows security best practices for credential handling.

Consider adding cleanup after the signing step, either:

  1. Add a cleanup command at the end of the "Sign artifacts" step
  2. Add a separate cleanup step with if: always() to ensure cleanup even if signing fails

For example, at the end of the signing step:

Remove-Item -Path $env:CLOUDSQLCTL_SIGN_CERT -Force -ErrorAction SilentlyContinue
Suggested change
- name: Cleanup signing certificate
if: ${{ always() && env.CLOUDSQLCTL_SIGN_CERT != '' }}
shell: pwsh
run: |
Remove-Item -Path $env:CLOUDSQLCTL_SIGN_CERT -Force -ErrorAction SilentlyContinue

- name: Generate Docs
run: npm run docs:generate

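The two Copilot comments above (the nested powershell wrapper and the missing certificate cleanup) and the earlier suggestion to keep the password step-scoped all come down to what tools/sign-exe.ps1 should do with the PFX. As an added example, not the project's script (which this PR does not show), here is a signing script of that shape in PowerShell: it reads the certificate path and password from the workflow's CLOUDSQLCTL_SIGN_CERT / CLOUDSQLCTL_SIGN_PWD variables, refuses to run with an empty password, loads the PFX from the file without importing it into a certificate store, signs with SHA-256 and an RFC 3161 timestamp, re-reads each file to verify the signature independently of the cmdlet's return value, and removes the PFX in a finally block. The timestamp URL, the -RemoveCertAfter switch and the thumbprint comparison are assumptions of this example.

```powershell
# Added example, not the project's tools/sign-exe.ps1 (not shown in the PR).
# Signs one or more PE files with a PFX passed through environment variables,
# verifies each result, and deletes the PFX in a finally block.
[CmdletBinding()]
param(
    [Parameter(Mandatory = $true)][string[]] $ExePath,
    # Names below come from the workflow; defaults read the step's environment.
    [string] $CertPath     = $env:CLOUDSQLCTL_SIGN_CERT,
    [string] $CertPassword = $env:CLOUDSQLCTL_SIGN_PWD,
    # Assumed RFC 3161 timestamp endpoint; use the CA's documented URL.
    [string] $TimestampServer = 'http://timestamp.digicert.com',
    # Assumed switch: remove the PFX once signing is done (or has failed).
    [switch] $RemoveCertAfter
)

$ErrorActionPreference = 'Stop'

if (-not $CertPath -or -not (Test-Path -LiteralPath $CertPath)) {
    throw "Signing certificate not found at '$CertPath'."
}
if (-not $CertPassword) {
    throw 'CLOUDSQLCTL_SIGN_PWD is empty; refusing to sign with an unprotected PFX.'
}

$cert = $null
try {
    # Load the PFX from disk; nothing is imported into a certificate store.
    # Default key-storage flags: the private key lives in a temporary key
    # container that is released when the certificate object is disposed.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        $CertPath, $CertPassword)
    if (-not $cert.HasPrivateKey) { throw 'PFX contains no private key.' }

    foreach ($path in $ExePath) {
        if (-not (Test-Path -LiteralPath $path)) { throw "File to sign not found: $path" }

        $sig = Set-AuthenticodeSignature -FilePath $path -Certificate $cert `
            -HashAlgorithm SHA256 -TimestampServer $TimestampServer
        if ($sig.Status -ne 'Valid') {
            throw "Signing $path failed: $($sig.Status) $($sig.StatusMessage)"
        }

        # Re-read the file rather than trusting the cmdlet's return value, and
        # make sure the signer is the certificate we intended to use.
        $check = Get-AuthenticodeSignature -FilePath $path
        if ($check.Status -ne 'Valid') {
            throw "Post-sign verification of $path failed: $($check.Status)"
        }
        if ($check.SignerCertificate.Thumbprint -ne $cert.Thumbprint) {
            throw "$path is signed by $($check.SignerCertificate.Thumbprint), expected $($cert.Thumbprint)"
        }
        Write-Host "Signed $path with certificate $($cert.Thumbprint)"
    }
}
finally {
    # Release the private key handle and, if requested, remove the PFX even
    # when signing threw; this is the cleanup the review comment asks for.
    if ($cert) { $cert.Dispose() }
    if ($RemoveCertAfter -and $CertPath -and (Test-Path -LiteralPath $CertPath)) {
        Remove-Item -LiteralPath $CertPath -Force
    }
}
```

From a `shell: pwsh` step this is invoked directly, without the nested powershell.exe, as `& tools/sign-exe.ps1 -ExePath bin/cloudsqlctl.exe, dist/cloudsqlctl-setup.exe -RemoveCertAfter`, with CLOUDSQLCTL_SIGN_PWD supplied through that step's own `env:` block. Get-AuthenticodeSignature reports `Valid` only when the signing certificate chains to a root the runner trusts; a self-signed test certificate will fail the post-sign check with `UnknownError` or `NotTrusted`, which is the desired outcome for a release pipeline.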
2 changes: 1 addition & 1 deletion docs/commands.md
@@ -1,6 +1,6 @@
# Cloud SQL Proxy CLI Reference

**Version:** 0.4.14
**Version:** 0.4.15
**Generated:** 2025-12-22

## Overview