chore: migrate digicert signing action to Node.js 24 successor - BED-8168#196
…8168 digicert/ssm-code-signing has been deprecated by the upstream maintainer and will not receive further updates, including a Node.js 24 runtime upgrade. Per the maintainer's guidance, migrate to the successor action digicert/code-signing-software-trust-action@v1.2.1, which runs on Node.js 24 and preserves the PKCS11_CONFIG output our sign job consumes. Upstream notice: digicert/ssm-code-signing#60
8f741ad to be00a7d
Pushed a temporary commit to confirm that the signing step still works as expected with the update! Link to workflow run (successful sign steps are evidence): https://github.com/SpecterOps/AzureHound/actions/runs/26586418645 (EDIT: link updated 6/3/2026)
be00a7d to d8d13d5
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/publish.yml:
- Around line 114-117: The "Move Signed Artifacts" job step runs mv to place the
built binary into signed/ but the signed/ directory is not created, causing mv
to fail; update that step (the line containing mv unsigned/azurehound-bin-${{
matrix.os }}-${{ matrix.arch }}/azurehound.exe signed/azurehound.exe) to ensure
the destination directory exists first (e.g., create signed/ with mkdir -p
signed/ or equivalent) before running mv so the move succeeds reliably.
- Around line 100-112: The workflow step with id "digicert" incorrectly includes
a step-level "shell: bash" (only valid for run steps) and a broken env variable
reference; remove the "shell: bash" line from the Digicert action step and
replace the SM_CLIENT_CERT_FILE env value that currently uses shell expansion
(${SM_CLIENT_CERT_FILE}) with a proper GitHub Actions expression such as ${{
env.SM_CLIENT_CERT_FILE }} (if you set it via GITHUB_ENV earlier) or reference a
secret directly like ${{ secrets.SM_CLIENT_CERT_FILE }} so the env block uses
valid Actions syntax.
- Around line 94-98: Fix the certificate setup step: correct the temp variable
to RUNNER_TEMP, fix the filename typo to "Certificate", and replace the failing
export-with-pipe by echoing the secret (use echo "${{
secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > "$SM_CLIENT_CERT_FILE"
or equivalent). Also ensure SM_CLIENT_CERT_FILE is exported for later steps by
writing the path into $GITHUB_ENV (e.g., echo "SM_CLIENT_CERT_FILE=/path" >>
$GITHUB_ENV) or by providing the path via the step/action env block so
downstream steps can access it; update references to SM_CLIENT_CERT_FILE and
SM_CLIENT_CERT_FILE_B64 accordingly.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: f16a108f-16b2-4673-beb0-ec250b7efdfa
📒 Files selected for processing (1)
.github/workflows/publish.yml
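The three fixes requested in the review above, written out as an added example; this is a hypothetical reconstruction of the sign job, not the PR's actual publish.yml, which is not shown on this page. The action version, the PKCS11_CONFIG output, the SM_CLIENT_CERT_FILE and SM_CLIENT_CERT_FILE_B64 names and the mv path come from the page; the step names, the runner label, the artifact-download step, the certificate file extension and the SM_HOST, SM_API_KEY and SM_CLIENT_CERT_PASSWORD secret names are assumptions. One deliberate change from the suggested `echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode`: the secret is handed to the script through a step-level env var instead of being interpolated into the script body, so it never appears in the generated shell.

```yaml
# Added example, not the project's publish.yml. Runner label, download step,
# certificate extension and the SM_HOST / SM_API_KEY / SM_CLIENT_CERT_PASSWORD
# secret names are assumptions.
jobs:
  sign:
    runs-on: windows-latest
    strategy:
      matrix:
        os: [windows]
        arch: [amd64]
    steps:
      - name: Download unsigned artifacts
        uses: actions/download-artifact@v4   # assumed; any step that fills unsigned/ works
        with:
          path: unsigned

      # Fix 1: decode the base64 client certificate into the runner temp dir
      # ($RUNNER_TEMP, not a misspelled variable) under the corrected file name,
      # and publish the path through $GITHUB_ENV so later steps can read it.
      # The secret arrives via `env:`, so it is not written into the script text.
      - name: Set up DigiCert client certificate
        shell: bash
        env:
          CERT_B64: ${{ secrets.SM_CLIENT_CERT_FILE_B64 }}
        run: |
          set -euo pipefail
          SM_CLIENT_CERT_FILE="${RUNNER_TEMP}/Certificate.p12"   # .p12 extension assumed
          printf '%s' "${CERT_B64}" | base64 --decode > "${SM_CLIENT_CERT_FILE}"
          echo "SM_CLIENT_CERT_FILE=${SM_CLIENT_CERT_FILE}" >> "${GITHUB_ENV}"

      # Fix 2: a `uses:` step takes no `shell:` key, and values in `env:` are
      # Actions expressions, not shell expansions like ${SM_CLIENT_CERT_FILE}.
      # Variables written to $GITHUB_ENV are already exported to this step; the
      # explicit line below just makes the dependency visible.
      - name: Set up DigiCert signing tools
        id: digicert
        uses: digicert/code-signing-software-trust-action@v1.2.1
        env:
          SM_CLIENT_CERT_FILE: ${{ env.SM_CLIENT_CERT_FILE }}
          SM_HOST: ${{ secrets.SM_HOST }}                                  # assumed
          SM_API_KEY: ${{ secrets.SM_API_KEY }}                            # assumed
          SM_CLIENT_CERT_PASSWORD: ${{ secrets.SM_CLIENT_CERT_PASSWORD }}  # assumed

      # The signing step itself is not shown on the page; it is where
      # ${{ steps.digicert.outputs.PKCS11_CONFIG }} is consumed.

      # Fix 3: create the destination directory first, otherwise mv fails.
      - name: Move Signed Artifacts
        shell: bash
        run: |
          set -euo pipefail
          mkdir -p signed
          mv "unsigned/azurehound-bin-${{ matrix.os }}-${{ matrix.arch }}/azurehound.exe" signed/azurehound.exe
```

The `v1.2.1` tag is used because that is what the PR references; for a job that holds code-signing credentials, pinning each `uses:` to a full commit SHA removes the risk of a moved or re-pointed tag changing what runs with those secrets.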
71d52f6 to 019385d
019385d to b8de6c9
…' into BED-8168-upgrade-actions-to-node24
# Conflicts:
#	.github/workflows/publish.yml
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/publish.yml:
- Line 7: Sanitize github.ref_name before using it in FILE_NAME by replacing
path characters so branch names like feature/foo don't create nested paths:
update the FILE_NAME assignment (and any places that reference it for 7z and
sha256sum) to use the GitHub Actions expression replace(github.ref_name, '/',
'-') (or a similar replace for other unsafe chars) e.g. set FILE_NAME to ${{
replace(github.ref_name, '/', '-') }} so archives created by 7z and sha256sum
use a safe flat filename.
- Line 139: The workflow currently gates an AWS-dependent job with "if:
github.event_name != 'workflow_dispatch'" but still runs the
aws-actions/configure-aws-credentials step (the step using
aws-actions/configure-aws-credentials around Lines 85-89), causing manual
workflow_dispatch runs to depend on AWS secrets; fix by applying the same gating
to that step (or add an equivalent if conditional to the
configure-aws-credentials step) so configure-aws-credentials only executes when
github.event_name != 'workflow_dispatch', ensuring manual sign-only runs don't
require AWS secrets.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 2f263d63-9c15-4619-9ae7-c2337e3f28bf
📒 Files selected for processing (1)
.github/workflows/publish.yml
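The two points from the review above as an added example, again a hypothetical fragment and not the project's workflow. Because GitHub's expression language documents no replace() function, and a workflow-level `env:` cannot run a shell anyway, the example builds FILE_NAME in a bash step with parameter expansion and exports it through $GITHUB_ENV; the configure-aws-credentials step then carries the same event gate as the upload that depends on it. The trigger block, runner, permissions, action versions, role ARN, region, bucket and archive paths are assumptions.

```yaml
# Added example, not the project's publish.yml. Triggers, runner, permissions,
# role ARN, region, bucket and archive paths are assumptions.
name: Publish

on:
  push:
    tags: ['v*']
  workflow_dispatch:     # manual, sign-only runs: no AWS upload

jobs:
  package:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write    # needed for role-to-assume via OIDC
    steps:
      - uses: actions/download-artifact@v4   # assumed; fills signed/
        with:
          path: signed

      # github.ref_name can contain '/', e.g. feature/foo, which 7z and sha256sum
      # would treat as a directory component. Replace it in bash and export the
      # flat name once, so every later step uses the same value.
      - name: Compute flat artifact name
        shell: bash
        run: |
          set -euo pipefail
          safe_ref="${GITHUB_REF_NAME//\//-}"
          echo "FILE_NAME=azurehound-${safe_ref}" >> "${GITHUB_ENV}"

      - name: Archive and checksum
        shell: bash
        run: |
          set -euo pipefail
          7z a "${FILE_NAME}.zip" signed/azurehound.exe
          sha256sum "${FILE_NAME}.zip" > "${FILE_NAME}.zip.sha256"

      # The same condition as the upload below: without it a manual run would
      # fail here for lack of AWS secrets even though nothing is uploaded.
      - name: Configure AWS credentials
        if: github.event_name != 'workflow_dispatch'
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}   # assumed secret name
          aws-region: us-east-1                               # assumed

      - name: Upload to S3
        if: github.event_name != 'workflow_dispatch'
        shell: bash
        env:
          BUCKET: ${{ secrets.AWS_BUCKET }}                   # assumed secret name
        run: |
          set -euo pipefail
          aws s3 cp "${FILE_NAME}.zip" "s3://${BUCKET}/"
          aws s3 cp "${FILE_NAME}.zip.sha256" "s3://${BUCKET}/"
```

Gating at the step level rather than relying on the job-level condition alone keeps a manual dispatch runnable with only the signing secrets present, which is the property the review asks for.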
digicert/ssm-code-signing has been deprecated by the upstream maintainer and will not receive further updates, including a Node.js 24 runtime upgrade. Per the maintainer's post, migrate to the successor action digicert/code-signing-software-trust-action@v1.2.1, which runs on Node.js 24. Needed because our runners will stop being able to run node20 dependencies later this year.