From 53fea08e999a3ffeba63a0810df014288cacb577 Mon Sep 17 00:00:00 2001 From: ducminh02 Date: Wed, 6 May 2026 22:01:44 +0200 Subject: [PATCH 1/2] feat: add MSI signing process to release workflow using SignPath --- .github/workflows/release.yml | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 45a21ca719..5ab389b3ff 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -4,6 +4,10 @@ name: Release on: workflow_dispatch +permissions: + contents: read + id-token: write + jobs: # Adjusts the revision to the latest version, builds images for each OS type/architecture using matrix:os and uploads each binary as a separate artifact 
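Review bot: `id-token: write` is granted at workflow level in the new `permissions:` block, so every job in this workflow can request an OIDC token, including the matrix build and the deployment job mentioned in the context comment. Nothing in the added signing step visibly uses OIDC. Declare the block on the job that signs instead and keep only the scopes the SignPath action documents; the step reads an artifact by id, which may need `actions: read`, a scope this block now sets to none, so something like `permissions:` with `contents: read` and `actions: read` at job level is worth confirming. A top-level `permissions:` also caps every unlisted scope at none, so if the deployment job pushes the automatic version increment with `GITHUB_TOKEN`, `contents: read` would break it. That job lies outside the hunk, so please verify.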
@@ -55,12 +59,31 @@ jobs: wix extension add WixToolset.UI.wixext/5.0.2 wix extension add WixToolset.Util.wixext/5.0.2 wix build Package.wxs WixUI_IDEasySetup.wxs -loc Package.en-us.wxl -ext WixToolset.UI.wixext -ext WixToolset.Util.wixext -o ideasy.msi + - name: Upload unsigned MSI + if: runner.os == 'Windows' + id: upload-msi + uses: actions/upload-artifact@v4 + with: + name: msi-unsigned + path: windows-installer/ideasy.msi + - name: Sign MSI + if: runner.os == 'Windows' + uses: signpath/github-action-submit-signing-request@v2 + with: + api-token: '${{ secrets.SIGNPATH_API_TOKEN }}' + organization-id: '428e13ed-ca0c-47ca-8a73-63b76cabb59b' + project-slug: 'IDEasy' + signing-policy-slug: 'release-signing' + artifact-configuration-slug: 'IDEasy' + github-artifact-id: '${{ steps.upload-msi.outputs.artifact-id }}' + wait-for-completion: true + output-artifact-directory: 'windows-installer/signed' - name: Upload MSI if: runner.os == 'Windows' uses: actions/upload-artifact@v4 with: name: msi - path: windows-installer/ideasy.msi + path: windows-installer/signed/ideasy.msi # Downloads all native image artifacts to cli/target and builds the project using assemblies for final deployment to Maven Central. # The version number for the next build will be incremented automatically. From b848d1a51a6b8356478a055edc5f31aaef6072ec Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Hohwiller?= Date: Fri, 22 May 2026 12:02:47 +0200 Subject: [PATCH 2/2] Apply suggestion from @hohwille --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 5ab389b3ff..1bf1e0cfc2 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
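Review bot: The `Sign MSI` step runs a third-party action from the movable tag `@v2` and hands it `secrets.SIGNPATH_API_TOKEN`, so a retagged release of that action would run with the signing token; pin it to a reviewed commit, `uses: signpath/github-action-submit-signing-request@FULL_COMMIT_SHA_PLACEHOLDER # v2`. The final `Upload MSI` step then publishes whatever is at `windows-installer/signed/ideasy.msi` without checking that it carries a signature, and upload-artifact only warns by default when the path is missing; add `if-no-files-found: error` to that step and a verification step before it, as sketched below. The sketch only rejects an unsigned or tampered file, so tighten it to require `Valid` once a publicly trusted certificate is in use. The `msi-unsigned` artifact stays downloadable from the run, so give it a short `retention-days` and make sure later jobs fetch only `msi`. The rest of the job lies outside the hunk.

```yaml
      # … unchanged: Upload unsigned MSI, Sign MSI …
      - name: Verify MSI signature
        if: runner.os == 'Windows'
        shell: pwsh
        run: |
          $sig = Get-AuthenticodeSignature 'windows-installer/signed/ideasy.msi'
          if ($sig.Status -in 'NotSigned', 'HashMismatch') {
            throw "MSI signature check failed: $($sig.Status)"
          }
      - name: Upload MSI
        # … unchanged: if / uses / name / path …
        with:
          if-no-files-found: error
```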
@@ -73,7 +73,7 @@ jobs: api-token: '${{ secrets.SIGNPATH_API_TOKEN }}' organization-id: '428e13ed-ca0c-47ca-8a73-63b76cabb59b' project-slug: 'IDEasy' - signing-policy-slug: 'release-signing' + signing-policy-slug: 'test-signing' artifact-configuration-slug: 'IDEasy' github-artifact-id: '${{ steps.upload-msi.outputs.artifact-id }}' wait-for-completion: true
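Review bot: With `signing-policy-slug: 'test-signing'` the release workflow still uploads the result under the artifact name `msi`, so the installer that ships is signed under the test policy, and neither the commit message nor the file says why. A test policy presumably uses a certificate that Windows does not trust publicly, so end users would see the MSI as untrusted even though it is technically signed; please confirm. If this is a temporary state, record it next to the line, for example `# TEMPORARY: test policy until release signing is approved; switch back to 'release-signing' before publishing`. Also consider naming the artifact so that a test-signed build cannot be mistaken for a release build.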