
How to Set Up Code Signing for Windows Apps in GitHub Actions CI/CD Pipelines
Overview

When distributing Windows applications via installers, it is standard practice to code sign the binaries before distribution. Code signing proves that the binary has not been tampered with and verifies the identity of the publisher. With that in mind, I investigated what kind of architecture is needed to code sign Windows apps within a CI/CD pipeline on GitHub Actions.

The Big Picture

The overall architecture of the system built on GitHub Actions looks roughly like the diagram below.

When integrating a code signing process into a CI/CD pipeline on GitHub Actions, the code signing private key must be stored in a cloud-based HSM (Hardware Security Module) that is accessible from the Windows machine running on GitHub Actions. [1]

There are two types of cloud-based HSMs: those provided by a Certificate Authority (CA), and those running in your own cloud environment. With the former, you may be charged based on the annual number of code signing operations, and those costs can be quit
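As an added example (not code from the original post), a PowerShell check that the Windows runner can execute as a workflow step right after the signing step, failing the build unless the artifact carries a valid, timestamped signature from the expected publisher certificate. The installer path, expected thumbprint and subject are placeholder assumptions supplied by the workflow.

```powershell
# Added example: post-signing verification step for the GitHub Actions Windows runner.
# Assumptions (placeholders, not from the original post): the workflow passes the
# installer path, the SHA-1 thumbprint of the signing certificate and a subject pattern.
param(
    [Parameter(Mandatory)] [string] $FilePath,            # e.g. .\dist\MyApp-Setup.exe
    [Parameter(Mandatory)] [string] $ExpectedThumbprint,  # thumbprint of the HSM-backed cert
    [string] $ExpectedSubjectPattern = 'CN=Example Publisher'  # placeholder publisher name
)

$ErrorActionPreference = 'Stop'

$sig = Get-AuthenticodeSignature -FilePath $FilePath

# 1. The signature and its chain must verify (rejects Unsigned, HashMismatch, NotTrusted, ...).
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed for ${FilePath}: $($sig.Status) - $($sig.StatusMessage)"
}

# 2. The signer must be *our* certificate, not merely any trusted one; otherwise a valid
#    signature from an unrelated publisher (or a wrong key in the pipeline) would pass.
$signer = $sig.SignerCertificate
if ($signer.Thumbprint -ne $ExpectedThumbprint.ToUpperInvariant()) {
    throw "Unexpected signer thumbprint $($signer.Thumbprint) (expected $ExpectedThumbprint)"
}
if ($signer.Subject -notlike "*$ExpectedSubjectPattern*") {
    throw "Unexpected signer subject: $($signer.Subject)"
}

# 3. Require an RFC 3161 timestamp so the signature remains valid after the certificate expires.
if (-not $sig.TimeStamperCertificate) {
    throw "Signature is not timestamped; it would be treated as invalid after certificate expiry"
}

Write-Host "OK: $FilePath signed by $($signer.Subject), timestamped by $($sig.TimeStamperCertificate.Subject)"
```

Run it as a step such as `pwsh -File .\Verify-Signature.ps1 -FilePath .\dist\MyApp-Setup.exe -ExpectedThumbprint $env:SIGNING_CERT_THUMBPRINT` (names are placeholders); a non-zero exit from `throw` fails the job before the installer is published.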
Continue reading on Dev.to



