CI: Support signed ARM builds

.github/actions/windows-signing/action.yaml

@@ -14,6 +14,10 @@ inputs:
     description: Update channel
     required: false
     default: 'stable'
+  architecture:
+    description: OBS build architecture
+    required: false
+    default: 'x64'
 
 runs:
   using: composite
@@ -71,6 +75,7 @@ runs:
         Invoke-External msiexec /i $msiPath /qn /norestart
 
     - name: Install rclone
+      if: inputs.architecture == 'x64'
       shell: pwsh
       run: |
         choco install rclone --version=1.64.2 -y --no-progress
@@ -81,7 +86,15 @@ runs:
         workload_identity_provider: ${{ inputs.gcpWorkloadIdentityProvider }}
         service_account: ${{ inputs.gcpServiceAccountName }}
 
+    - name: Ensure previous build directory exists
+      if: inputs.architecture != 'x64'
+      shell: pwsh
+      run: |
+        . ${env:GITHUB_ACTION_PATH}\Ensure-Location.ps1
+        Ensure-Location "${{ github.workspace }}/old_builds"
+
     - name: Download Previous Build
+      if: inputs.architecture == 'x64'
       shell: pwsh
       env:
         RCLONE_GCS_ENV_AUTH: 'true'
@@ -111,7 +124,7 @@ runs:
       run: |
         . ${env:GITHUB_ACTION_PATH}\Invoke-External.ps1
         $boufArgs = @(
-           "--config",     "${env:GITHUB_ACTION_PATH}/config.toml",
+           "--config",     "${env:GITHUB_ACTION_PATH}/config_${{ inputs.architecture }}.toml"
            "--version",    "${{ inputs.version }}"
            "--branch",     "${{ inputs.channel }}"
            "-i",           "${{ github.workspace }}/build"
@@ -122,6 +135,7 @@ runs:
         Invoke-External "${{ github.workspace }}\bouf\bin\bouf.exe" @boufArgs
 
     - name: Sync Latest Build
+      if: inputs.architecture == 'x64'
       shell: pwsh
       env:
         RCLONE_INCLUDE: '**/${{ inputs.version }}/**'
@@ -131,6 +145,7 @@ runs:
         rclone sync --delete-excluded --transfers 100 "${{ github.workspace }}/old_builds" ":gcs:obs-latest/${{ inputs.channel }}"
 
     - name: Upload Build to Archive
+      if: inputs.architecture == 'x64'
       shell: pwsh
       env:
         RCLONE_GCS_ENV_AUTH: 'true'

.github/actions/windows-signing/config_arm64.toml

@@ -0,0 +1,47 @@
+[general]
+log_level = "trace"
+
+[env]
+# On CI these should be in %PATH%
+sevenzip_path = "7z"
+makensis_path = "makensis"
+pandoc_path = "pandoc"
+pdbcopy_path = "C:/Program Files (x86)/Windows Kits/10/Debuggers/x64/pdbcopy.exe"
+
+## Preparation steps
+[prepare]
+
+[prepare.copy]
+never_copy = [
+    "bin/32bit",
+    "obs-plugins/32bit",
+    ".keepme",
+]
+
+[prepare.codesign]
+sign_cert_file = "repo/.github/actions/windows-signing/prod.crt"
+sign_kms_key_id = "projects/ci-signing/locations/global/keyRings/production/cryptoKeys/release-sign-hsm/cryptoKeyVersions/1"
+sign_digest = "sha384"
+sign_ts_serv = "http://timestamp.digicert.com"
+sign_ts_algo = "sha256"
+sign_exts = ['exe', 'dll', 'pyd']
+sign_append = true
+
+[prepare.strip_pdbs]
+# PDBs to not strip
+exclude = [
+    "obs-frontend-api.pdb",
+    "obs64.pdb",
+    "obs.pdb",
+]
+
+[package]
+[package.installer]
+skip = true
+
+[package.zip]
+name = "OBS-Studio-{version}-arm64.zip"
+pdb_name = "OBS-Studio-{version}-arm64-pdbs.zip"
+
+[package.updater]
+skip_sign = true

.github/actions/windows-signing/config.toml → .github/actions/windows-signing/config_x64.toml

@@ -35,15 +35,6 @@ exclude = [
     "obs.pdb",
 ]
 
-## Delta patch generation
-[generate]
-patch_type = "zstd"
-compress_files = true
-
-exclude_from_parallel = [
-    "libcef.dll"
-]
-
 [package]
 [package.installer]
 nsis_script = "bouf/nsis/mp-installer.nsi"
@@ -53,5 +44,4 @@ name = "OBS-Studio-{version}-x64.zip"
 pdb_name = "OBS-Studio-{version}-pdbs.zip"
 
 [package.updater]
-vc_redist_path = "bouf/nsis/VC_redist.x64.exe"
 skip_sign = true

.github/workflows/sign-windows.yaml

@@ -4,6 +4,9 @@ on:
 jobs:
   create-windows-update:
     name: Sign Windows Build 🥩
+    strategy:
+      matrix:
+        architecture: [x64, arm64]
     runs-on: windows-2022
     environment:
       name: bouf
@@ -41,7 +44,7 @@ jobs:
       - name: Download Artifact 📥
         uses: actions/download-artifact@v4
         with:
-          name: obs-studio-windows-x64-${{ steps.setup.outputs.commitHash }}
+          name: obs-studio-windows-${{ matrix.architecture }}-${{ steps.setup.outputs.commitHash }}
           path: ${{ github.workspace }}/build
 
       - name: Run bouf 🥩
@@ -51,29 +54,31 @@ jobs:
           gcpServiceAccountName: ${{ secrets.GCP_SERVICE_ACCOUNT_NAME }}
           version: ${{ github.ref_name }}
           channel: ${{ steps.setup.outputs.channel }}
+          architecture: ${{ matrix.architecture }}
 
       - name: Generate artifact attestation
         uses: actions/attest-build-provenance@v1
         with:
-          subject-path: ${{ github.workspace }}/output/*-x64.zip
+          subject-path: ${{ github.workspace }}/output/*-${{ matrix.architecture }}.zip
 
       - name: Upload Signed Build
         uses: actions/upload-artifact@v4
         with:
-          name: obs-studio-windows-x64-${{ github.ref_name }}-signed
+          name: obs-studio-windows-${{ matrix.architecture }}-${{ github.ref_name }}-signed
           compression-level: 0
-          path: ${{ github.workspace }}/output/*-x64.zip
+          path: ${{ github.workspace }}/output/*-${{ matrix.architecture }}.zip
 
       - name: Upload PDBs
         uses: actions/upload-artifact@v4
         with:
-          name: obs-studio-windows-x64-${{ github.ref_name }}-pdbs
+          name: obs-studio-windows-${{ matrix.architecture }}-${{ github.ref_name }}-pdbs
           compression-level: 0
           path: ${{ github.workspace }}/output/*-pdbs.zip
 
       - name: Upload Installer
         uses: actions/upload-artifact@v4
+        if: matrix.architecture == 'x64'
         with:
-          name: obs-studio-windows-x64-${{ github.ref_name }}-installer
+          name: obs-studio-windows-${{ matrix.architecture }}-${{ github.ref_name }}-installer
           compression-level: 0
           path: ${{ github.workspace }}/output/*.exe