From ca0f375498be7de671a32ad3a0590780d8490e0c Mon Sep 17 00:00:00 2001
From: John MacFarlane <jgm@berkeley.edu>
Date: Mon, 12 Jan 2026 22:11:01 +0100
Subject: release-candidate: sign Windows artifacts with SignPath cert.

---
 .github/workflows/release-candidate.yml | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/release-candidate.yml b/.github/workflows/release-candidate.yml
index d5d4d9d27..3ab35a0ca 100644
--- a/.github/workflows/release-candidate.yml
+++ b/.github/workflows/release-candidate.yml
@@ -63,31 +63,39 @@ jobs:
           %WIXBIN%\candle -arch ${{ matrix.versions.arch }} -dVERSION=%VERSION% -dBINPATH=%RELEASE% *.wxs -out wixobj\
           if %errorlevel% neq 0 exit /b %errorlevel%
           echo Running light...
-          %WIXBIN%\light -sw1076 -ext WixUIExtension -ext WixUtilExtension -cultures:en-us -loc Pandoc-en-us.wxl -out %WORKDIR%\pandoc-%VERSION%-${{ matrix.versions.osarch }}-UNSIGNED.msi wixobj\*.wixobj
+          %WIXBIN%\light -sw1076 -ext WixUIExtension -ext WixUtilExtension -cultures:en-us -loc Pandoc-en-us.wxl -out %WORKDIR%\pandoc-%VERSION%-${{ matrix.versions.osarch }}.msi wixobj\*.wixobj
           7z a "pandoc-%VERSION%-${{ matrix.versions.osarch }}.zip" pandoc-%VERSION%
           cd ..
           mkdir windows-release-candidate
-          copy windows\pandoc-%VERSION%-${{ matrix.versions.osarch }}-UNSIGNED.msi windows-release-candidate
+          copy windows\pandoc-%VERSION%-${{ matrix.versions.osarch }}.msi windows-release-candidate
           copy windows\pandoc-%VERSION%-${{ matrix.versions.osarch }}.zip windows-release-candidate
-          copy windows\Makefile windows-release-candidate
-    - name: upload-unsigned-artifact
+    - name: Upload unsigned artifact
       id: upload-unsigned-artifact
       uses: actions/upload-artifact@v6
       with:
+        name: windows-release-candidate-unsigned
         path: windows-release-candidate
 
-    - name: sign-artifact
+    - name: Sign artifact
       id: sign-artifact
       uses: signpath/github-action-submit-signing-request@v2
       with:
         api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
         organization-id: 'd330f023-29aa-44e4-b90b-ae1c570f4a25'
         project-slug: 'pandoc'
-        signing-policy-slug: 'pandoc-msi-in-zip-artifact'
+        signing-policy-slug: 'test-signing'
+        artifact-configuration-slug: 'pandoc-msi-and-zip'
         github-artifact-id: '${{ steps.upload-unsigned-artifact.outputs.artifact-id }}'
         wait-for-completion: true
         output-artifact-directory: 'windows-release-candidate'
 
+    - name: upload-signed-artifact
+      id: upload-signed-artifact
+      uses: actions/upload-artifact@v6
+      with:
+        name: windows-release-candidate-signed
+        path: windows-release-candidate
+
   macos:
 
     runs-on: macos-15-intel
-- 
cgit v1.2.3