Add action to sign .exe

Author: nneskildsf

.github/workflows/cd.yml

@@ -0,0 +1,56 @@
+name: Build and sign .exe
+
+on:
+  workflow_dispatch
+
+jobs:
+  build:
+    name: Build .exe
+    runs-on: windows-latest
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.13"
+      - name: Install dependencies
+        run: python -m pip install --upgrade pip
+      - name: Install Open Pectus Engine Manager
+        run: pip install -e ".[development]"
+      - name: Build .exe
+        run: |
+          pyinstaller pyinstaller.spec
+          cd dist
+          move "Open Pectus Engine Manager.exe" ../
+      - name: Install DigiCert Client tools from Github Custom Actions marketplace
+        id: Digicert Code Signing Snippet
+        uses: digicert/ssm-code-signing@v1.0.0
+      - name: Set up certificate 
+        run: | 
+          echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 --decode > /d/Certificate_pkcs12.p12 
+        shell: bash  
+      - name: Set variables 
+        id: variables 
+        run: | 
+          echo "::set-output name=version::${GITHUB_REF#refs/tags/v}" 
+          echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV" 
+          echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV" 
+          echo "SM_CLIENT_CERT_FILE=D:\\Certificate_pkcs12.p12" >> "$GITHUB_ENV" 
+          echo "SM_CLIENT_CERT_PASSWORD=${{ secrets.SM_CLIENT_CERT_PASSWORD }}" >> "$GITHUB_ENV" 
+        shell: bash
+      - name: Signing using certificate fingerprint      
+        run: |
+           smctl sign --fingerprint ${{ secrets.SM_CODE_SIGNING_CERT_SHA1_HASH }} --input "Open Pectus Engine Manager.exe" --config-file C:\Users\RUNNER~1\AppData\Local\Temp\smtools-windows-x64\pkcs11properties.cfg
+        shell: cmd
+      - uses: ncipollo/release-action@v1
+        with:
+          artifacts: "Open Pectus Engine Manager.exe"
+          tag: release
+          body: "Download and run `Open Pectus Engine Manager.exe`."
+          allowUpdates: true
+          makeLatest: true
+          omitBodyDuringUpdate: true
+          removeArtifacts: true
+          replacesArtifacts: true

.github/workflows/build_exe.yml .github/workflows/ci.yml.github/workflows/build_exe.yml renamed to .github/workflows/ci.yml

@@ -31,13 +31,13 @@ jobs:
           pyinstaller pyinstaller.spec
           cd dist
           move "Open Pectus Engine Manager.exe" ../
-      - uses: ncipollo/release-action@v1
-        with:
-          artifacts: "Open Pectus Engine Manager.exe"
-          tag: release
-          body: "Download and run `Open Pectus Engine Manager.exe`."
-          allowUpdates: true
-          makeLatest: true
-          omitBodyDuringUpdate: true
-          removeArtifacts: true
-          replacesArtifacts: true
+#      - uses: ncipollo/release-action@v1
+#        with:
+#          artifacts: "Open Pectus Engine Manager.exe"
+#          tag: release
+#          body: "Download and run `Open Pectus Engine Manager.exe`."
+#          allowUpdates: true
+#          makeLatest: true
+#          omitBodyDuringUpdate: true
+#          removeArtifacts: true
+#          replacesArtifacts: true