From d1313cbd2dacb4d985b6d24a20c014106c052b74 Mon Sep 17 00:00:00 2001 From: Seth Flynn Date: Tue, 30 Dec 2025 19:32:09 -0500 Subject: [PATCH 1/2] ci: use Release env for releases This ensures we have access to Azure on CI runs for tags Signed-off-by: Seth Flynn --- .github/workflows/build.yml | 5 +++++ .github/workflows/release.yml | 1 + 2 files changed, 6 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 0e81fd5a1..cfefb84ed 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -62,6 +62,9 @@ on: description: Type of build (Debug or Release) type: string default: Debug + environment: + description: Deployment environment to run under + type: string workflow_dispatch: inputs: build-type: @@ -73,6 +76,8 @@ jobs: build: name: Build (${{ matrix.artifact-name }}) + environment: ${{ inputs.environment || '' }} + permissions: # Required for Azure Trusted Signing id-token: write diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 9e5445c66..36cc972b3 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -11,6 +11,7 @@ jobs: uses: ./.github/workflows/build.yml with: build-type: Release + environment: Release secrets: inherit create_release: From 44e927a69ea547cfdbb24ffd7698fdcdf5ebbb31 Mon Sep 17 00:00:00 2001 From: Seth Flynn Date: Tue, 30 Dec 2025 19:35:30 -0500 Subject: [PATCH 2/2] ci: only sign windows artifacts in Release environment `CI_HAS_ACCESS_TO_AZURE` is only set in our Release env Signed-off-by: Seth Flynn --- .github/actions/package/windows/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/package/windows/action.yml b/.github/actions/package/windows/action.yml index f49f6b9c9..49dfbd545 100644 --- a/.github/actions/package/windows/action.yml +++ b/.github/actions/package/windows/action.yml 
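Review bot: In `.github/workflows/build.yml` (hunk `@@ -73,6 +76,8 @@`), `environment: ${{ inputs.environment || '' }}` is set on the whole `build` job, which appears to be a matrix job (`name: Build (${{ matrix.artifact-name }})`). When release.yml passes `Release`, every leg therefore runs in that environment with `id-token: write`, not only the leg that signs. What the OIDC token and the environment's secrets can reach then depends on the Release environment's protection rules (allowed branches/tags, required reviewers) and on how the Azure federated credential is scoped; neither is visible in this patch, so both are worth stating in the PR description. A comment above the line would help the next maintainer, for example `# 'Release' is passed by release.yml; empty means no environment (PR and branch builds)`. The new `environment` input in the `@@ -62,6 +62,9 @@` hunk could also say in its `description` that an empty value means no environment. If only the Windows leg needs Azure, consider limiting the environment to that leg, assuming the matrix has a field to key on.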
@@ -140,7 +140,7 @@ runs: makensis -NOCD "${{ github.workspace }}/${{ env.BUILD_DIR }}/program_info/win_install.nsi" - name: Sign installer - if: ${{ github.ref_name == 'develop' && inputs.azure-client-id != '' }} + if: ${{ env.CI_HAS_ACCESS_TO_AZURE != '' && inputs.azure-client-id != '' }} uses: azure/trusted-signing-action@v0 with: endpoint: https://eus.codesigning.azure.net/
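Review bot: The new condition `env.CI_HAS_ACCESS_TO_AZURE != ''` on the "Sign installer" step depends on a variable this hunk never sets, and when it is empty the step is skipped without failing, so a Release run with a misconfigured environment could publish an unsigned installer unnoticed. Any earlier step in the job that writes to `$GITHUB_ENV` can also set the variable, so it works as a convenience switch rather than a control; the real boundary is the Release environment's protection rules and the Azure credential scope. I would add a comment such as `# CI_HAS_ACCESS_TO_AZURE is defined only in the Release environment; elsewhere signing is skipped`, plus a check on release builds that fails when the installer was not signed. Separately, `azure/trusted-signing-action@v0` on the context line is a movable tag in a step that receives signing credentials; pinning it to a full commit SHA would narrow the supply-chain exposure.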