Merge build & bundle jobs, sign the whole bundle

.github/workflows/release.yaml

@@ -269,14 +269,20 @@ jobs:
         uses: tauri-apps/tauri-action@v0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - name: Upload MSI for later bundle
+      - name: Bundle application
+        run: |
+          dotnet tool install --global wix --version 4.0.5
+          wix extension add WixToolset.Bal.wixext/4
+          wix build .\src-tauri\resources-windows\defguard-client.wxs -ext .\.wix\extensions\WixToolset.Bal.wixext\4\wixext4\WixToolset.Bal.wixext.dll
+      - name: Upload installer artifact
         uses: actions/upload-artifact@v4
         with:
-          name: defguard.msi
-          path: src-tauri/target/release/bundle/msi/defguard-client_${{ env.VERSION }}_x64_en-US.msi
+          name: defguard-client.exe
+          path: src-tauri/resources-windows/defguard-client.exe
   sign-msi:
     needs:
       - build-windows
+      - create-release
     runs-on:
       - self-hosted
       - Linux
@@ -289,44 +295,15 @@ jobs:
       - name: Download a single artifact
         uses: actions/download-artifact@v4
         with:
-          name: defguard.msi
+          name: defguard-client.exe
       - name: Sign MSI
-        run: osslsigncode sign -pkcs11module /srv/codesign/certum/sc30pkcs11-3.0.6.68-MS.so -certs /srv/codesign/29ee7778ca5217107841bbbf6b3062e1.pem -key ${{ secrets.CODESIGN_KEYID }} -pass ${{ secrets.CODESIGN_PIN }} -h sha256 -t http://time.certum.pl/ -in defguard-client_${{ env.VERSION }}_x64_en-US.msi -out defguard-client_${{ env.VERSION }}_x64_en-US-signed.msi
-      - name: Upload Signed MSI for later bundle
-        uses: actions/upload-artifact@v4
-        with:
-          name: defguard-signed.msi
-          path: defguard-client_${{ env.VERSION }}_x64_en-US-signed.msi
-  bundle-msi-exe:
-    needs:
-      - create-release
-      - sign-msi
-    runs-on: windows-latest
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          submodules: "recursive"
-      - name: Write release version
-        run: |
-          $env:VERSION=echo ($env:GITHUB_REF_NAME.Substring(1) -Split "-")[0]
-          echo Version: $env:VERSION
-          echo "VERSION=$env:VERSION" >> $env:GITHUB_ENV
-      - name: Download MSI signed
-        uses: actions/download-artifact@v4
-        with:
-          name: defguard-signed.msi
-          path: src-tauri/target/release/bundle/msi/
-      - name: Bundle application
-        run: |
-          dotnet tool install --global wix --version 4.0.5
-          wix extension add WixToolset.Bal.wixext/4
-          wix build .\src-tauri\resources-windows\defguard-client.wxs -ext .\.wix\extensions\WixToolset.Bal.wixext\4\wixext4\WixToolset.Bal.wixext.dll
+        run: osslsigncode sign -pkcs11module /srv/codesign/certum/sc30pkcs11-3.0.6.68-MS.so -certs /srv/codesign/29ee7778ca5217107841bbbf6b3062e1.pem -key ${{ secrets.CODESIGN_KEYID }} -pass ${{ secrets.CODESIGN_PIN }} -h sha256 -t http://time.certum.pl/ -in defguard-client.exe -out defguard-client-signed.exe
       - name: Upload installer
         uses: actions/[email protected]
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           upload_url: ${{ needs.create-release.outputs.upload_url }}
-          asset_path: src-tauri/resources-windows/defguard-client.exe
+          asset_path: defguard-client-signed.exe
           asset_name: defguard-client_${{ env.VERSION }}_x64_en-US.exe
           asset_content_type: application/octet-stream

src-tauri/resources-windows/defguard-client.wxs

@@ -35,7 +35,7 @@
             <MsiPackage
                 Vital="yes"
                 Id="MainPackage"
-                SourceFile="src-tauri\target\release\bundle\msi\defguard-client_$(env.VERSION)_x64_en-US-signed.msi"
+                SourceFile="src-tauri\target\release\bundle\msi\defguard-client_$(env.VERSION)_x64_en-US.msi"
             />
         </Chain>
     </Bundle>