From bb85a928337a4c5b2a5bca4d26017119fda84c79 Mon Sep 17 00:00:00 2001
From: Michael Suchacz <203725896+ibetitsmike@users.noreply.github.com>
Date: Fri, 5 Dec 2025 07:34:30 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=A4=96=20ci:=20add=20Windows=20build=20to?=
 =?UTF-8?q?=20PR/merge=20queue=20and=20code=20signing=20to=20releases?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Add Windows build job to build.yml (runs on PRs and merge queue)
- Add Windows code signing setup to release.yml (mirrors Mac signing pattern)
- Uses WINDOWS_CERTIFICATE and WINDOWS_CERTIFICATE_PWD secrets

_Generated with `mux`_
---
 .github/workflows/build.yml   | 36 +++++++++++++++++++++++++++++++++++
 .github/workflows/release.yml | 16 ++++++++++++++++
 2 files changed, 52 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 6b3a3e33d7..d54c31d246 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -64,6 +64,42 @@ jobs:
           retention-days: 30
           if-no-files-found: error
 
+  build-windows:
+    name: Build Windows
+    runs-on: windows-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 # Required for git describe to find tags
+
+      - uses: ./.github/actions/setup-mux
+
+      - name: Install GNU Make (for build)
+        run: choco install -y make
+
+      - name: Verify tools
+        shell: bash
+        run: |
+          make --version
+          bun --version
+          magick --version | head -1
+
+      - name: Build application
+        run: bun run build
+
+      # No code signing - releases use release.yml (triggered by tag publish).
+      - name: Package for Windows
+        run: make dist-win
+
+      - name: Upload Windows exe
+        uses: actions/upload-artifact@v4
+        with:
+          name: windows-exe
+          path: release/*.exe
+          retention-days: 30
+          if-no-files-found: error
+
   build-vscode-extension:
     name: Build VS Code Extension
     runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-16' || 'ubuntu-latest' }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c05401b040..ea4fb13093 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -168,6 +168,22 @@ jobs:
       - name: Build application
         run: bun run build
 
+      - name: Setup code signing
+        shell: bash
+        run: |
+          if [ -n "$WINDOWS_CERTIFICATE" ]; then
+            echo "Setting up Windows code signing certificate..."
+            echo "$WINDOWS_CERTIFICATE" | base64 -d > /tmp/certificate.pfx
+            echo "CSC_LINK=/tmp/certificate.pfx" >> "$GITHUB_ENV"
+            echo "CSC_KEY_PASSWORD=$WINDOWS_CERTIFICATE_PWD" >> "$GITHUB_ENV"
+            echo "✅ Windows code signing configured"
+          else
+            echo "⚠️ No Windows code signing certificate provided - building unsigned"
+          fi
+        env:
+          WINDOWS_CERTIFICATE: ${{ secrets.WINDOWS_CERTIFICATE }}
+          WINDOWS_CERTIFICATE_PWD: ${{ secrets.WINDOWS_CERTIFICATE_PWD }}
+
       - name: Package and publish for Windows (.exe)
         run: bun x electron-builder --win --publish always
         env: