64 changes: 25 additions & 39 deletions .github/workflows/publish.yml
Expand Up @@ -4,6 +4,7 @@ on:
push:
tags:
- v*.*.*
workflow_dispatch:
env:
AZUREHOUND_VERSION: ${{ github.ref_name }}
jobs:
Expand Down Expand Up @@ -59,6 +60,7 @@ jobs:
run: sha256sum ${{ env.FILE_NAME }}.zip > ${{ env.FILE_NAME }}.zip.sha256

- name: Upload Release
if: github.event_name != 'workflow_dispatch'
uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # ratchet:softprops/action-gh-release@v3
with:
files: |
Expand Down Expand Up @@ -91,56 +93,38 @@ jobs:
name: azurehound-bin-${{ matrix.os }}-${{ matrix.arch }}
path: unsigned/azurehound-bin-${{ matrix.os }}-${{ matrix.arch }}

- name: Install osslsigncode & pkcs11 engine
run: |
sudo apt-get update
sudo apt-get install -y osslsigncode libengine-pkcs11-openssl

- name: Install DigiCert Client Tools
id: digicert
uses: digicert/ssm-code-signing@1d820463733701cf1484c7eb5d7d24a15ca2c454 # ratchet:digicert/ssm-code-signing@v1.2.1

- name: Set PKCS#11 Paths
id: pkcs11
run: |
SM_TOOLS_DIR=$(dirname "$(realpath '${{ steps.digicert.outputs.PKCS11_CONFIG }}')")
echo "module=${SM_TOOLS_DIR}/smpkcs11.so" >> "$GITHUB_OUTPUT"
LIB_PKCS11="$(dpkg -L libengine-pkcs11-openssl | grep "libpkcs11.so")"
echo "engine=$LIB_PKCS11" >> "$GITHUB_OUTPUT"

- name: Sign Artifacts via DigiCert Signing Manager
- name: Setup SM_CLIENT_CERT_FILE
shell: bash
env:
SM_HOST: ${{ secrets.SM_HOST }}
SM_API_KEY: ${{ secrets.SM_API_KEY }}
SM_CLIENT_CERT_FILE_B64: ${{ secrets.SM_CLIENT_CERT_FILE_B64 }}
SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
shell: bash
run: |
export SM_CLIENT_CERT_FILE=$(mktemp)
SM_CLIENT_CERT_FILE="${RUNNER_TEMP}/Certificate_pkcs12.p12"
printenv SM_CLIENT_CERT_FILE_B64 | base64 --decode > "$SM_CLIENT_CERT_FILE"
trap 'rm $SM_CLIENT_CERT_FILE' EXIT
echo "SM_CLIENT_CERT_FILE=${SM_CLIENT_CERT_FILE}" >> "$GITHUB_ENV"

mkdir signed
artifact=unsigned/azurehound-bin-${{ matrix.os }}-${{ matrix.arch }}/azurehound.exe
smctl sign --keypair-alias "${{ secrets.SM_KEYPAIR_ALIAS }}" --input "$artifact" --openssl-pkcs11-engine "${{ steps.pkcs11.outputs.engine }}" --pkcs11-module "${{ steps.pkcs11.outputs.module }}" --tool osslsigncode --verbose
mv "$artifact" "signed/azurehound.exe"

- name: Verify Signed Artifacts
- name: Setup Software Trust Manager & Sign
id: digicert
uses: digicert/code-signing-software-trust-action@fae23a455ba4bde62b64fd7cb2f81ade788f5a95 # ratchet:digicert/code-signing-software-trust-action@v1.2.1
with:
simple-signing-mode: true
input: unsigned/azurehound-bin-${{ matrix.os }}-${{ matrix.arch }}/azurehound.exe
keypair-alias: ${{ secrets.SM_KEYPAIR_ALIAS }}
env:
SM_HOST: ${{ secrets.SM_HOST }}
SM_API_KEY: ${{ secrets.SM_API_KEY }}
SM_CLIENT_CERT_FILE_B64: ${{ secrets.SM_CLIENT_CERT_FILE_B64 }}
SM_CLIENT_CERT_FILE: ${{ env.SM_CLIENT_CERT_FILE}}
SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }}

- name: Cleanup cert file
if: always()
shell: bash
run: |
export SM_CLIENT_CERT_FILE=$(mktemp)
printenv SM_CLIENT_CERT_FILE_B64 | base64 --decode > "$SM_CLIENT_CERT_FILE"
smctl certificate download --keypair-alias "${{ secrets.SM_KEYPAIR_ALIAS }}" --format pem --chain --name cert-chain.pem
trap 'rm $SM_CLIENT_CERT_FILE cert-chain.pem' EXIT
run: rm -f "${{ env.SM_CLIENT_CERT_FILE }}"

for artifact in signed/*; do
osslsigncode verify -CAfile cert-chain.pem "$artifact"
done
- name: Move Signed Artifacts
shell: bash
run: |
mkdir signed
mv unsigned/azurehound-bin-${{ matrix.os }}-${{ matrix.arch }}/azurehound.exe signed/azurehound.exe

- name: Zip Signed Executables
run: |
Expand All @@ -152,10 +136,12 @@ jobs:
sha256sum zipped/${{ env.FILE_NAME }}.zip > zipped/${{ env.FILE_NAME }}.zip.sha256

- name: Upload Artifacts to S3
if: github.event_name != 'workflow_dispatch'
run: |
aws s3 cp --recursive zipped/ s3://${{ secrets.BHE_AWS_BUCKET }}

containerize:
if: github.event_name != 'workflow_dispatch'
runs-on: ubuntu-latest
permissions:
packages: write
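Review bot: The post-signing verification that the removed `Verify Signed Artifacts` step performed (`osslsigncode verify -CAfile cert-chain.pem` over `signed/*`) has no counterpart on the new side, so `Move Signed Artifacts` renames `unsigned/.../azurehound.exe` into `signed/` and the zip, S3 and release steps consume it without any check that a chain-trusted Authenticode signature is actually present on the file. A failing signing action does stop the job, but a run in which the action completes without signing the binary, or signs it with an unexpected key, would still be published as "signed". I would re-add a verify step between the signing action and the move, along the lines below; whether `smctl` is still on the PATH after `code-signing-software-trust-action` I cannot tell from this hunk, so the chain download may need a different source. Separately, `SM_CLIENT_CERT_FILE: ${{ env.SM_CLIENT_CERT_FILE}}` is missing a space before `}}` and is redundant because values written to `$GITHUB_ENV` already reach every later step, and `SM_CLIENT_CERT_FILE_B64` appears not to be needed by the signing step once the decoded file path is set, so dropping both narrows what the third-party action sees. The enclosing `jobs:` mapping starts and ends outside this hunk.

```yaml
      - name: Setup Software Trust Manager & Sign
        # … unchanged: id / uses / with / env …

      - name: Verify Signed Artifact
        shell: bash
        env:
          SM_HOST: ${{ secrets.SM_HOST }}
          SM_API_KEY: ${{ secrets.SM_API_KEY }}
          SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }}
        run: |
          sudo apt-get update
          sudo apt-get install -y osslsigncode
          smctl certificate download --keypair-alias "${{ secrets.SM_KEYPAIR_ALIAS }}" --format pem --chain --name cert-chain.pem
          trap 'rm -f cert-chain.pem' EXIT
          osslsigncode verify -CAfile cert-chain.pem "unsigned/azurehound-bin-${{ matrix.os }}-${{ matrix.arch }}/azurehound.exe"

      - name: Move Signed Artifacts
        # … unchanged: shell / run …
```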