feat: sign Windows glab.exe

Description

  • chore: refactor CI pipeline to sign all Windows .exe files

Previously a specialized CI job was used to build the Windows .exe file, but then this meant the binaries built with goreleaser were left unsigned.

This commit refactors the pipeline:

  1. release_build -> builds all binaries with goreleaser
     Output: {id}_{goos}_{goarch}_{variant}/bin/glab[.exe]
  2. sign_goreleaser_binaries -> signs Windows and macOS binaries using glob patterns
  3. windows_installer -> extracts Windows amd64 exe and creates installer (amd64 only)
  4. sign_windows_installer -> signs the amd64 installer
  5. release_test/release -> packages and releases with signed binaries

  • chore: enable signing for MRs (test)

  • chore: list files in bin/ dir

  • feat: sign Windows installer

Both glab.exe and the Windows installer need to be signed.

  • feat: sign Windows glab.exe

This depends on the CLI project gaining OIDC access to the signing project: gitlab-com/gl-infra/production-engineering#27583 (closed)

Relates to #1143 (closed)

Related Issues

Resolves #[issue_number]

How has this been tested?

Screenshots (if appropriate):

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation
  • Chore (Related to CI or Packaging to platforms)
  • Test gap
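
A post-signing gate for the pipeline described above, as an added example that is not part of this merge request or the glab pipeline: it globs the `{id}_{goos}_{goarch}_{variant}/bin/glab.exe` layout and fails if any Windows binary lacks an embedded certificate table, or if the glob matches nothing. The function names and the `dist` directory are assumptions, and the check covers signature presence only, not validity.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"os"
	"path/filepath"
)

// hasAuthenticode: true if PE data directory 4 (certificate table: file offset, size) is non-empty.
func hasAuthenticode(b []byte) bool {
	le := binary.LittleEndian
	if len(b) < 0x40 || string(b[:2]) != "MZ" {
		return false
	}
	pe := int(le.Uint32(b[0x3c:])) // e_lfanew: offset of "PE\0\0"
	// 176 = signature and COFF header (24) + PE32+ header through directory 4 (152)
	if pe < 0 || pe > len(b)-176 || string(b[pe:pe+4]) != "PE\x00\x00" {
		return false
	}
	dirs := pe + 24 + 96 // data directories in a PE32 optional header
	if le.Uint16(b[pe+24:]) == 0x20b {
		dirs += 16 // PE32+ (amd64, arm64)
	}
	off, size := uint64(le.Uint32(b[dirs+32:])), uint64(le.Uint32(b[dirs+36:]))
	return le.Uint32(b[dirs-4:]) >= 5 && off != 0 && size != 0 && off+size <= uint64(len(b))
}

// unsignedWindowsBinaries returns binaries lacking a signature; no match is an error.
func unsignedWindowsBinaries(dist string) ([]string, error) {
	paths, _ := filepath.Glob(filepath.Join(dist, "*_windows_*", "bin", "glab.exe"))
	if len(paths) == 0 {
		return nil, fmt.Errorf("no Windows binaries matched under %q", dist)
	}
	var bad []string
	for _, p := range paths {
		if b, err := os.ReadFile(p); err != nil || !hasAuthenticode(b) {
			bad = append(bad, p)
		}
	}
	return bad, nil
}

func main() { // "dist" is an assumed output directory, not taken from the page
	if bad, err := unsignedWindowsBinaries("dist"); err != nil || len(bad) > 0 {
		fmt.Fprintln(os.Stderr, "signing check failed:", bad, err)
		os.Exit(1)
	}
}
```

Treating an empty glob match as a failure matters here because a signing job driven by glob patterns passes silently when a directory rename makes the pattern match nothing.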
