enh: windows code-signing

.github/workflows/build.yaml

@@ -24,50 +24,50 @@ jobs:
     steps:
       - name: Checkout Repository
         uses: actions/checkout@v4
-
       - name: Setup Node.js
         uses: actions/setup-node@v3
         with:
           node-version: 22
           cache: 'npm'
           architecture: ${{ matrix.arch }}
-
       - name: Install Dependencies
         run: npm ci
-
       - name: Setup Miniconda
         uses: conda-incubator/setup-miniconda@v3
         with:
           auto-activate-base: true
-
       - name: Install conda-lock and conda-pack
         shell: bash -l {0}
         run: |
           conda install -n base -c conda-forge conda-lock conda-pack
-
       - name: Create Packaged Python
         shell: bash -l {0}
         run: |
           conda activate base
           npm run create:python-tar
-
       - name: Create Builds
         run: npm run make
-
-      - name: Get Short SHA
-        id: slug
-        run: echo "sha8=$(echo ${GITHUB_SHA} | cut -c1-8)" >> $GITHUB_OUTPUT
-
+      - name: Azure Trusted Signing (Windows Only)
+        if: ${{ matrix.os == 'windows-latest' }}
+        uses: azure/trusted-signing-action@v0.3.16
+        with:
+          azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          azure-client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
+          endpoint: ${{ secrets.AZURE_ENDPOINT }}
+          trusted-signing-account-name: ${{ secrets.AZURE_CODE_SIGNING_NAME }}
+          certificate-profile-name: ${{ secrets.AZURE_CERT_PROFILE_NAME }}
+          # Sign all .exe files in the output folder
+          files-folder: ./out/make
+          files-folder-filter: exe  
       - name: Zip Artifacts
         run: |
-          7z a -tzip ${{ matrix.os }}-${{ matrix.arch }}-${{ steps.slug.outputs.sha8 }}.zip ./out/make/*
-
+          7z a -tzip ${{ matrix.os }}-${{ matrix.arch }}.zip ./out/make/*
       - name: Upload Artifacts
         uses: actions/upload-artifact@v3
         with:
-          name: ${{ matrix.os }}-${{ matrix.arch }}-${{ steps.slug.outputs.sha8 }}
-          path: ${{ matrix.os }}-${{ matrix.arch }}-${{ steps.slug.outputs.sha8 }}.zip
-
+          name: ${{ matrix.os }}-${{ matrix.arch }}
+          path: ${{ matrix.os }}-${{ matrix.arch }}.zip
   release:
     needs: build
     runs-on: ubuntu-latest
@@ -75,14 +75,16 @@ jobs:
     steps:
       - name: Checkout Repository
         uses: actions/checkout@v4
-
       - name: Get Short SHA
         id: slug
         run: echo "sha8=$(echo ${GITHUB_SHA} | cut -c1-8)" >> $GITHUB_OUTPUT
-
       - name: Download Artifacts
         uses: actions/download-artifact@v3
-
+      - name: Rename Artifacts with SHA
+        run: |
+          for file in *.zip; do
+            mv "$file" "${file%.zip}-${{ steps.slug.outputs.sha8 }}.zip"
+          done
       - name: Create Release
         id: create_release
         uses: softprops/action-gh-release@v1