bundle signing requests as single zip to reduce artifact upload quota #8586
Merged
Pull request overview
Updates the Windows signing flow to submit a single SignPath request by zipping all unsigned binaries, reducing the number of artifact uploads/requests and adding workflow controls to optionally skip signing on nightly builds.
Changes:
- Bundle Windows `.exe`/`.dll` files into one zip for a single SignPath signing request, then extract signed files back into the build output.
- Extend the signing PowerShell script to optionally pass a SignPath `ArtifactConfigurationSlug` and to skip Authenticode verification for non-PE artifacts (e.g., zip bundles).
- Add workflow inputs/flags (`sign_windows`/`skip_signing`) to control whether Windows signing runs (especially for nightly builds).
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| `scripts/ci/sign-windows.ps1` | Adds optional `ArtifactConfigurationSlug` form field and skips Authenticode verification for non-PE artifacts. |
| `.signpath/artifact-configuration.xml` | Defines SignPath artifact configuration for signing PE files inside a zip bundle. |
| `.github/workflows/release.yml` | Introduces `sign_windows` input and passes `skip_signing` to the Windows workflow for nightlies. |
| `.github/workflows/build-windows.yml` | Reworks Windows signing step to stage binaries into a zip, sign once, and extract results; adds `skip_signing` gating. |
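Authenticode cannot be checked on the zip bundle itself, so a bundle-based flow can run the per-file check after extraction. An added example of that check (not code from this PR; the function name and parameters are hypothetical): it extracts only the entries that were submitted, rejects paths that leave the output directory, and requires a valid signature on every extracted file.

```powershell
# Added example: function name, parameters and paths are hypothetical.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Expand-VerifiedBundle {
    param(
        [Parameter(Mandatory)] [string]   $SignedZip,     # zip returned by the signing service
        [Parameter(Mandatory)] [string[]] $ExpectedNames, # relative paths that were submitted
        [Parameter(Mandatory)] [string]   $Destination    # build output directory
    )

    $destRoot = [System.IO.Path]::GetFullPath($Destination).TrimEnd('\') + '\'
    $expected = [System.Collections.Generic.HashSet[string]]::new(
        [string[]]($ExpectedNames | ForEach-Object { $_.Replace('\', '/') }),
        [System.StringComparer]::OrdinalIgnoreCase)
    $seen = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)

    $zip = [System.IO.Compression.ZipFile]::OpenRead($SignedZip)
    try {
        foreach ($entry in $zip.Entries) {
            if ($entry.FullName.EndsWith('/')) { continue }   # directory entry
            $name = $entry.FullName.Replace('\', '/')

            # Only files that were sent for signing may come back, each exactly once.
            if (-not $expected.Contains($name)) { throw "Unexpected entry in signed bundle: $name" }
            if (-not $seen.Add($name))          { throw "Duplicate entry in signed bundle: $name" }

            # Resolve the target and refuse anything outside the destination.
            $target = [System.IO.Path]::GetFullPath((Join-Path $destRoot $name))
            if (-not $target.StartsWith($destRoot, [System.StringComparison]::OrdinalIgnoreCase)) {
                throw "Entry escapes destination: $name"
            }
            New-Item -ItemType Directory -Force -Path (Split-Path $target) | Out-Null
            [System.IO.Compression.ZipFileExtensions]::ExtractToFile($entry, $target, $true)

            # The bundle holds only PE files, so every extracted file must verify.
            $sig = Get-AuthenticodeSignature -FilePath $target
            if ($sig.Status -ne 'Valid') {
                throw "Authenticode check failed for ${name}: $($sig.Status)"
            }
        }
        $missing = @($expected | Where-Object { -not $seen.Contains($_) })
        if ($missing.Count -gt 0) { throw "Missing from signed bundle: $($missing -join ', ')" }
    }
    finally { $zip.Dispose() }
}
```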
* Update radiance to latest main (idle timeout fix) (#8587)
  Picks up radiance with lantern-box v0.0.52, which fixes VPN losing all proxy routes after ~15min idle / wake from sleep (getlantern/engineering#3115).
  Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Update radiance to latest main (#8588)
  Picks up:
  - Fix: only remove old outbounds when new ones successfully load
  - Distributed tracing: bandit trace context extraction + url_tests_complete span
  - Config: populate all server locations for location picker
  - Bump common to latest (PollIntervalSeconds in ConfigResponse)
  Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Migrate to xcode 26 (#8579)
* Migrate to newer xcode version
* code review updates
* remove node setup on ios
* Save user state (#8589)
* chore: bump radiance to latest (public IP detection) (#8590)
  Updates radiance which now detects the client's public IP at startup using getlantern/publicip (STUN, HTTP, DNS, UPnP consensus) and sends it as X-Lantern-Config-Client-IP on all API requests. This ensures the server can determine the correct country and ASN for bandit route selection even when requests arrive via domain fronting.
  Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Update radiance to latest main (nil idleTimer panic fix) (#8591)
  Picks up radiance with lantern-box v0.0.54, which fixes the nil pointer panic in keepAlive() introduced by #208's idle timeout fix.
  Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Update radiance to latest (kindling rewrite) (#8593)
  Bumps radiance to v0.0.0-20260329145230-a19ebe6b9b4d and kindling to v0.0.0-20260329144042-b1825b9cb1bb.
  Key changes from upstream:
  - kindling race transport rewrite fixing deadlocks, response body leaks, and global mutable state (getlantern/kindling#30)
  - radiance updated for kindling's new error-returning API with nil transport guards and thread-safe HTTPClient (getlantern/radiance#387)
  Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Windows: suppress settings-triggered VPN notifications (#8582)
* Fix remaining Windows issues
* Fix remaining Windows issues
* Bump radiance for smart-routing outbound fix
* Skip Windows signing for nightly test runs
* code review updates
* code review updates
* Update radiance to latest origin/main
* Update radiance to merged outbound fix branch
* Fix data cap reached ticker text colors
* code review updates
* Fix Android network blackout — call setUnderlyingNetworks on VPN start (#8594)
* Fix Android "no available network interface" — call setUnderlyingNetworks
  On Android 10+, ConnectivityManager.getAllNetworks() may return only the VPN network when VpnService.setUnderlyingNetworks() hasn't been called. This causes sing-box's NetworkManager to see no physical interfaces, making the direct outbound fail with "no available network interface". With strict_route enabled, this creates a total network blackout — the device loses all connectivity.
  Three fixes:
  1. Call setUnderlyingNetworks() after VPN start and on every default network change, so Android always reports physical networks alongside the VPN.
  2. Add a network change callback from DefaultNetworkMonitor to the VPN service so setUnderlyingNetworks() is updated on WiFi/mobile switches.
  3. Fix missing `return` in DefaultNetworkMonitor retry loop — the loop called updateDefaultInterface up to 10 times instead of stopping after the first success.
  Fixes getlantern/engineering#3117 (partial — Android-specific)
  Freshdesk tickets:
  - https://lantern.freshdesk.com/a/tickets/171589 (total blackout, Vivo Android 10)
  - https://lantern.freshdesk.com/a/tickets/171317 (connected but no data, Xiaomi Android 11)
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Address PR review: prevent callback leak and fix KDoc
  1. Clear networkChangeCallback in DefaultNetworkMonitor.stop() defensively, so the static singleton never holds a stale service reference.
  2. Clear callback and stop monitor in the onFailure path of launchVPN, preventing leak when VPN start fails.
  3. Fix KDoc link to use fully qualified android.net.VpnService.
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
  ---------
  Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Renewal flow (#8580)
* Added support for renewal
* fix card color issue on payment screen.
* fix OAuth button color issue
* code review updates
* fix service edge case
* fix syntax issue
* Fix Android VPN teardown cleanup and IAP loading state (#8596)
* code review updates
* code review updates
  ---------
  Co-authored-by: atavism <paul@getlantern.org>
  Co-authored-by: atavism <atavism@users.noreply.github.com>
* File watcher fix for IOS (#8597)
* Fix ios 26.3 issue due to file watcher
* code review updates
* code review updates
* update radiance to main (outbound creation error logging) (#8598)
  Updates radiance to include PR #388 which logs individual outbound creation errors. Previously these were silently swallowed, making it impossible to diagnose why new proxies fail to load on the client.
  Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Added guard on stripe service and flag UI issue
* Add AI-powered release notes generation (#8599)
* Add AI-powered release notes generation via Claude API
  Uses Claude Haiku to generate categorized, human-readable release notes from the git log between the previous release and the current one. Runs in CI after builds complete, prepended to the existing download links.
  - New script: scripts/ci/generate-release-notes.sh
  - Finds previous tag by build type (production, beta, nightly)
  - Sends commit log to Claude API for summarization
  - Falls back gracefully to basic changelog if API unavailable
  - Uses Haiku for speed and cost-efficiency
  Requires ANTHROPIC_API_KEY repo secret.
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Address PR review: tag matching, jq guard, shallow clone fix
  - Fix tag matching to include platform suffixes (e.g., v9.0.15-ios)
  - Use grep -Fvx for fixed-string tag exclusion (avoid regex metachar issues)
  - Add jq availability check with graceful fallback
  - Remove unused COMMIT_RANGE and PR_LIST variables
  - Add fetch-depth: 0 and fetch-tags: true to workflow checkout
  Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
  ---------
  Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* update radiance: fix IPC JSON serialization for outbound options (#8600)
  Updates radiance to include PR #390 which fixes the root cause of "public_key must be 64 hex characters (32 bytes), got len=0" errors when bandit arms rotate. The IPC path between config fetcher and VPN tunnel used standard encoding/json which can't reconstruct typed sing-box outbound options. Now uses singjson.MarshalContext/UnmarshalExtendedContext with box.BaseContext() so custom types like SamizdatOutboundOptions survive the round-trip. Also includes lantern-box v0.0.55 (key validation diagnostics).
  Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* pull in smart routing empty tags sanity check (#8601)
* Add dual-arch Linux release support (#8551)
* Add Linux arm64 packaging and CI support
* Fix Linux arch workflow input wiring
* Fix Linux workflow matrix selection
* Simplify Linux arch workflow selection
* Fix Linux arch matrix expression
* Fix release workflow input routing
* Polish Linux arch release flow
* Fix Flutter setup on Linux arm64 CI
* Fix arm64 Flutter fallback PATH
* Gate Linux smoke IP check by architecture
* Update scripts/ci/publish-to-s3.sh
  Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Set explicit token permissions for Linux workflow
* Fail fast Linux UI smoke test in CI
* Clean up connect smoke failure path
* code review updates
  ---------
  Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* update radiance: honor server-recommended config poll interval (#8602)
  Includes radiance#392: client now uses the server's poll_interval_seconds instead of the hardcoded 10-minute default. The bandit server sends 60s for new ASNs and up to 900s when converged, enabling 10x faster learning.
  Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Stripe updates (#8604)
* update stripe payments
* update radiance.
* code review updates
* Fix Windows installer cleanup (#8576)
* Fix Windows installer cleanup
* Fix Windows installer script syntax
* code review updates
* Fix Inno script compile error on ExecSc logging
* code review updates
* Harden uninstall string parsing

---------

Co-authored-by: Myles Horton <afisk@getlantern.org>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: jigar-f <132374182+jigar-f@users.noreply.github.com>
Co-authored-by: Jigar-f <jigar@getlantern.org>
Co-authored-by: garmr-ulfr <104022054+garmr-ulfr@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

# Conflicts:
#	.github/workflows/release.yml