braintrustdata · Abhijeet Prasad (AbhiPrasad) · Jun 15, 2026 · Jun 10, 2026 · Jun 12, 2026 · Jun 12, 2026
diff --git a/.github/actions/sign-windows-artifacts/action.yml b/.github/actions/sign-windows-artifacts/action.yml
@@ -33,7 +33,7 @@ runs:
     - uses: azure/artifact-signing-action@c7ab2a863ab5f9a846ddb8265964877ef296ee82 # v2.0.0
       with:
         endpoint: ${{ inputs.endpoint }}
-        trusted-signing-account-name: ${{ inputs.account-name }}
+        signing-account-name: ${{ inputs.account-name }}
         certificate-profile-name: ${{ inputs.cert-profile }}
         files-folder: target/distrib
         files-folder-filter: exe

diff --git a/.github/actions/verify-windows-signature/action.yml b/.github/actions/verify-windows-signature/action.yml
@@ -0,0 +1,61 @@
+name: Verify Windows signature
+description: Check that bt.exe binaries are validly Authenticode-signed; if not, post a neutral check run so the unsigned build is surfaced without failing the job. Stops being necessary once GitHub supports https://github.com/actions/runner/issues/2347 (opened 1st April 2020, 1500 reactions, still not done so we'll probably have to wait a few more years)
+
+inputs:
+  sign-outcome:
+    required: true
+    description: Outcome of the signing step (e.g. success/failure/skipped).
+  targets:
+    required: true
+    description: Human-readable build targets, used in the check-run name.
+  github-token:
+    required: true
+    description: Token with checks:write used to create the check run.
+
+runs:
+  using: composite
+  steps:
+    - name: Verify signature and report
+      shell: pwsh
+      env:
+        GH_TOKEN: ${{ inputs.github-token }}
+        SIGN_OUTCOME: ${{ inputs.sign-outcome }}
+        TARGETS: ${{ inputs.targets }}
+      run: |
+        $exes = Get-ChildItem -Path "target/distrib" -Filter "bt.exe" -Recurse -ErrorAction SilentlyContinue
+        $unsigned = @()
+        foreach ($exe in $exes) {
+          $sig = Get-AuthenticodeSignature $exe.FullName
+          if ($sig.Status -ne 'Valid') {
+            $unsigned += "$($exe.FullName) [$($sig.Status)]"
+          }
+        }
+
+        if ($SIGN_OUTCOME -eq 'success' -and $unsigned.Count -eq 0) {
+          Write-Host "All bt.exe binaries are validly signed."
+          exit 0
+        }
+
+        $summary = if ($unsigned.Count -gt 0) {
+          "Code signing did not produce valid Authenticode signatures. The following binaries are unsigned and were shipped as-is:`n`n" + (($unsigned | ForEach-Object { "- $_" }) -join "`n")
+        } else {
+          "The Windows signing step failed (outcome: $SIGN_OUTCOME). Binaries were shipped unsigned."
+        }
+
+        $body = @{
+          name       = "windows-signing ($env:TARGETS)"
+          head_sha   = $env:GITHUB_SHA
+          status     = "completed"
+          conclusion = "neutral"
+          output     = @{
+            title   = "Windows binaries shipped unsigned"
+            summary = $summary
+          }
+        } | ConvertTo-Json -Depth 5
+
+        $body | gh api "repos/$env:GITHUB_REPOSITORY/check-runs" `
+          --method POST `
+          -H "Accept: application/vnd.github+json" `
+          --input -
+
+        Write-Host "::warning::$summary"
diff --git a/.github/workflows/release-canary.yml b/.github/workflows/release-canary.yml
@@ -16,6 +16,7 @@ permissions:
   id-token: write
   issues: write
   pull-requests: write
+  checks: write
 
 env:
   CARGO_NET_GIT_FETCH_WITH_CLI: true
@@ -186,7 +187,9 @@ jobs:
           echo "dist ran successfully"
 
       - name: Sign Windows artifacts
+        id: sign
         if: ${{ runner.os == 'Windows' && env.HAS_AZURE_SIGNING == 'true' }}
+        continue-on-error: true
         uses: ./.github/actions/sign-windows-artifacts
         with:
           client-id: ${{ secrets.AZURE_CLIENT_ID }}
@@ -196,6 +199,14 @@ jobs:
           account-name: ${{ vars.AZURE_SIGNING_ACCOUNT_NAME }}
           cert-profile: ${{ vars.AZURE_SIGNING_CERT_PROFILE }}
 
+      - name: Verify Windows signature and report
+        if: ${{ runner.os == 'Windows' && env.HAS_AZURE_SIGNING == 'true' && always() }}
+        uses: ./.github/actions/verify-windows-signature
+        with:
+          sign-outcome: ${{ steps.sign.outcome }}
+          targets: ${{ join(matrix.targets, ', ') }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
       - id: dist-files
         name: Post-build
         shell: bash

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -20,6 +20,7 @@ concurrency:
 permissions:
   contents: write
   id-token: write
+  checks: write
 
 env:
   CARGO_NET_GIT_FETCH_WITH_CLI: true
@@ -221,7 +222,9 @@ jobs:
           echo "dist ran successfully"
 
       - name: Sign Windows artifacts
+        id: sign
         if: ${{ runner.os == 'Windows' && env.HAS_AZURE_SIGNING == 'true' }}
+        continue-on-error: true
         uses: ./.github/actions/sign-windows-artifacts
         with:
           client-id: ${{ secrets.AZURE_CLIENT_ID }}
@@ -231,6 +234,14 @@ jobs:
           account-name: ${{ vars.AZURE_SIGNING_ACCOUNT_NAME }}
           cert-profile: ${{ vars.AZURE_SIGNING_CERT_PROFILE }}
 
+      - name: Verify Windows signature and report
+        if: ${{ runner.os == 'Windows' && env.HAS_AZURE_SIGNING == 'true' && always() }}
+        uses: ./.github/actions/verify-windows-signature
+        with:
+          sign-outcome: ${{ steps.sign.outcome }}
+          targets: ${{ join(matrix.targets, ', ') }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
       - id: dist-files
         name: Post-build
         shell: bash

diff --git a/.github/workflows/test-azure-oidc.yml b/.github/workflows/test-azure-oidc.yml