feat: Migrate to espressif/release-sign action for signing Windows binaries #7

Merged: peterdragun merged 1 commit into master from feat/signing_action on Dec 9, 2025
Conversation

peterdragun (Collaborator) commented Dec 8, 2025

Description

Use https://github.com/espressif/release-sign for signing instead of a custom PowerShell script. This will require follow-up MRs in the case of esptool and esp-idf-monitor, as the names of the secrets have changed and cannot be defined globally in this repository.

Internal Tracker

  • Closes IDF-14933

Testing

@peterdragun peterdragun requested a review from Copilot December 8, 2025 15:22
github-actions bot commented Dec 8, 2025

Messages
📖 🎉 Good Job! All checks are passing!

👋 Hello peterdragun, we appreciate your contribution to this project!


📘 Please review the project's Contributions Guide for key guidelines on code, documentation, testing, and more.

This automated output is generated by the PR linter DangerJS, which checks if your Pull Request meets the project's requirements and helps you fix potential issues.

DangerJS is triggered with each push event to a Pull Request and modifies the contents of this comment.

Please consider the following:
- Danger mainly focuses on the PR structure and formatting and can't understand the meaning behind your code or changes.
- Danger is not a substitute for human code reviews; it's still important to request a code review from your colleagues.
- To manually retry these Danger checks, please navigate to the Actions tab and re-run last Danger workflow.

Review and merge process you can expect:

We do welcome contributions in the form of bug reports, feature requests and pull requests via this public GitHub repository.

This GitHub project is a public mirror of our internal git repository.

1. An internal issue has been created for the PR; we assign it to the relevant engineer.
2. They review the PR and either approve it or ask you for changes or clarifications.
3. Once the GitHub PR is approved, we synchronize it into our internal git repository.
4. In the internal git repository we do the final review, collect approvals from core owners and make sure all the automated tests are passing.
- At this point we may do some adjustments to the proposed change, or extend it by adding tests or documentation.
5. If the change is approved and passes the tests it is merged into the default branch.
6. On the next sync from the internal git repository the merged change will appear in this public GitHub repository.

Generated by 🚫 dangerJS against 299924d

Copilot AI left a comment

Pull request overview

This PR migrates from a custom PowerShell script-based code signing solution to the espressif/release-sign GitHub Action for signing Windows binaries. The change replaces the direct certificate/password approach with Azure Key Vault-based signing using Azure service principal credentials.

Key Changes:

  • Replaced certificate and certificate-password inputs with five Azure-related inputs (azure-client-id, azure-client-secret, azure-tenant-id, azure-keyvault-uri, azure-keyvault-cert-name)
  • Removed the custom Sign-File.ps1 PowerShell script
  • Updated signing workflow to use espressif/release-sign@master action

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.

File            Description
action.yml      Updated input parameters from certificate-based to Azure Key Vault credentials; replaced custom PowerShell signing logic with espressif/release-sign action
Sign-File.ps1   Removed custom PowerShell signing script (no longer needed)
README.md       Updated documentation to reflect new Azure-based signing approach with examples and parameter descriptions

Critical Issues Identified:

  • The default values for Azure credential inputs reference secrets context which is not accessible in composite actions, causing them to always be empty strings
  • The action uses @master branch reference which is not recommended for production stability
  • Documentation incorrectly states that defaults work automatically when they require explicit passing from workflows


This comment was marked as outdated.
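The two defects the review above calls out (input defaults that read from the secrets context, which is not available inside a composite action and so always yields an empty string, and an action reference pinned to a moving branch rather than a commit SHA) are the kind of thing that is easy to catch mechanically before merge. The checker below is an added example written for this page; it is not code from this PR or from the espressif/release-sign project. The two action.yml documents it scans are constructed samples that only reuse the five input names listed in the review, the `required:` layout of the hardened variant is an assumption about how such inputs would be declared, and the 40-character SHA in it is a placeholder, not a real commit.

```python
"""Lint a composite GitHub Action definition for two defects: input defaults that
reference the ``secrets`` context (always empty in a composite action) and ``uses:``
references that are not pinned to a full commit SHA.

Added example for this page; the YAML samples below are constructed, not the
repository's real action.yml."""
import re

# A default line whose value contains an expression reading from the secrets context.
SECRET_DEFAULT = re.compile(r"^\s*default:\s*.*\$\{\{\s*secrets\.")
# A step's `uses:` reference, up to the first whitespace or inline comment.
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# A full-length git commit SHA (lowercase hex, 40 chars).
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


def find_secret_defaults(text):
    """Return (line_no, line) for every input default that reads from secrets."""
    return [(n, line.strip()) for n, line in enumerate(text.splitlines(), 1)
            if SECRET_DEFAULT.match(line)]


def find_unpinned_uses(text):
    """Return (line_no, ref) for every remote action ref whose version is not a
    full commit SHA. Local actions (./path) and docker:// images have no git ref
    to pin, so they are skipped."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_LINE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _, _, version = ref.partition("@")
        if not FULL_SHA.match(version):
            findings.append((n, ref))
    return findings


def lint_action(text):
    """Collect human-readable findings; an empty list means the file passes."""
    out = [f"line {n}: default reads from secrets context (always empty in a composite action): {l}"
           for n, l in find_secret_defaults(text)]
    out += [f"line {n}: action ref not pinned to a commit SHA: {ref}"
            for n, ref in find_unpinned_uses(text)]
    return out


# Constructed sample: the weak layout described in the review above.
WEAK_ACTION_YML = """\
name: sign-windows-binaries
inputs:
  azure-client-id:
    default: ${{ secrets.AZURE_CLIENT_ID }}
  azure-client-secret:
    default: ${{ secrets.AZURE_CLIENT_SECRET }}
  azure-tenant-id:
    default: ${{ secrets.AZURE_TENANT_ID }}
  azure-keyvault-uri:
    default: ${{ secrets.AZURE_KEYVAULT_URI }}
  azure-keyvault-cert-name:
    default: ${{ secrets.AZURE_KEYVAULT_CERT_NAME }}
runs:
  using: composite
  steps:
    - uses: espressif/release-sign@master
"""

# Constructed sample: no defaults (the caller must pass the values from its own
# secrets context) and a placeholder full SHA instead of a branch name.
HARDENED_ACTION_YML = """\
name: sign-windows-binaries
inputs:
  azure-client-id:
    required: true
  azure-client-secret:
    required: true
  azure-tenant-id:
    required: true
  azure-keyvault-uri:
    required: true
  azure-keyvault-cert-name:
    required: true
runs:
  using: composite
  steps:
    - uses: ./setup-step
    - uses: espressif/release-sign@0123456789abcdef0123456789abcdef01234567  # placeholder SHA, not a real commit
"""

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_ACTION_YML), ("hardened", HARDENED_ACTION_YML)):
        findings = lint_action(doc)
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  " + f)
```

The checks are line-based regular expressions, which is enough for the two shapes shown here; a default spread over a YAML block scalar or a `uses:` written with unusual quoting would slip past them, so for anything beyond a pre-merge smoke test the same two rules should be applied to a parsed YAML tree rather than raw lines.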

@peterdragun peterdragun force-pushed the feat/signing_action branch 2 times, most recently from fa2def5 to ce238f5 Compare December 9, 2025 09:57
@peterdragun peterdragun self-assigned this Dec 9, 2025
@peterdragun peterdragun requested a review from Copilot December 9, 2025 09:58
Copilot AI left a comment

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.



peterdragun (Collaborator, Author) commented:

@jakub-kocka PTAL

radimkarnis (Member) left a comment

LGTM! Thanks

jakub-kocka left a comment

LGTM! Thanks, Peter, I have left just a thought.

dobairoland (Collaborator) left a comment

LGTM

@peterdragun peterdragun merged commit 56b4d0b into master Dec 9, 2025
2 checks passed
@peterdragun peterdragun deleted the feat/signing_action branch December 9, 2025 14:06