Right now, Linux releases are done in GitHub Actions CI. We then have a script that downloads the release artifacts, code signs them, adds them to the .deb and .rpm repos, and uploads them to the releases bucket.
Windows and Mac releases are a different beast (especially Windows releases). For Windows, to support x86-64 and arm64, I need two separate computers (a Linux laptop with a Windows VM, and an Apple Silicon Mac with a Windows VM), sharing one smart card for code signing.
Instead, I want the unsigned builds to happen in CI. Then there should be a simple script to run that finishes the releases: downloads the unsigned artifacts, signs them, and uploads them to the release bucket.