CI: Rename and update windows-signing action

.github/actions/windows-signing/action.yaml

@@ -1,5 +1,5 @@
-name: Run bouf
-description: Generates signed OBS install files and updater files
+name: Run bouf Packaging
+description: Generates signed OBS install files
 inputs:
   gcpWorkloadIdentityProvider:
     description: GCP Identity Provider Pool ID
@@ -7,9 +7,6 @@ inputs:
   gcpServiceAccountName:
     description: Google service account name
     required: true
-  gcpManifestSigningKeyName:
-    description: Name of the manifest signing key in GCP KMS
-    required: false
   version:
     description: Version string (e.g., 30.0.0-rc1)
     required: true
@@ -30,9 +27,9 @@ runs:
     - name: Setup bouf
       shell: pwsh
       env:
-        BOUF_TAG: 'v0.6.2'
-        BOUF_HASH: '40ca34457a8ac60b9710a41b4cde2a0fc36d8740ab21b01d702069be2e1c5fb9'
-        BOUF_NSIS_HASH: '88958a9e4e0f3cb6f78e8359fdfa3343d050d5c2158e3ee77cb2cc4a8785ac61'
+        BOUF_TAG: 'v0.6.3'
+        BOUF_HASH: '7f1d266467620aa553a705391ee06128e8ee14af66129a0e64a282997fb6fd83'
+        BOUF_NSIS_HASH: 'a234126de89f122b6a552df3416de3eabcb4195217626c7f4eaec71b20fe36eb'
         GH_TOKEN: ${{ github.token }}
       run: |
         # Download bouf release
@@ -53,10 +50,10 @@ runs:
         Expand-Archive -Path $windows_zip -DestinationPath bin
         Expand-Archive -Path $nsis_zip -DestinationPath nsis
 
-    - name: Download Google CNG Provider
+    - name: Setup Google CNG Provider
       shell: pwsh
       env:
-        CNG_TAG: 'cng-v1.0'
+        CNG_TAG: 'cng-v1.1'
         GH_TOKEN: ${{ github.token }}
       run: |
         # Download Google CNG provider release from github
@@ -73,18 +70,10 @@ runs:
         # Finally, install the CNG provider
         Invoke-External msiexec /i $msiPath /qn /norestart
 
-    - name: Install pandoc and rclone
+    - name: Install rclone
       shell: pwsh
       run: |
         choco install rclone --version=1.64.2 -y --no-progress
-        choco install pandoc --version=3.1.9 -y --no-progress
-
-    - name: Prepare Release Notes
-      shell: pwsh
-      run: |
-        # Release notes are just the tag body on Windows
-        Set-Location repo
-        git tag -l --format='%(contents:body)' ${{ inputs.version }} > "${{ github.workspace }}/notes.rst"
     
     - name: 'Authenticate to Google Cloud'
       uses: 'google-github-actions/auth@5a50e581162a13f4baa8916d01180d2acbc04363'
@@ -92,15 +81,21 @@ runs:
         workload_identity_provider: ${{ inputs.gcpWorkloadIdentityProvider }}
         service_account: ${{ inputs.gcpServiceAccountName }}
 
-    - name: 'Set up Cloud SDK'
-      uses: 'google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200'
-
-    - name: Download Old Builds
+    - name: Download Previous Build
       shell: pwsh
       env:
         RCLONE_GCS_ENV_AUTH: 'true'
       run: |
-        rclone copy --transfers 100 :gcs:obs-builds "${{ github.workspace }}/old_builds"
+        . ${env:GITHUB_ACTION_PATH}\Ensure-Location.ps1
+        Ensure-Location "${{ github.workspace }}/old_builds"
+        rclone copy --transfers 100 ":gcs:obs-latest/${{ inputs.channel }}" .
+
+    - name: Download Presigned Game Capture Files (REMOVE AFTER 30.2!!)
+      shell: pwsh
+      env:
+        RCLONE_GCS_ENV_AUTH: 'true'
+      run: |
+        rclone copy :gcs:obs-game-capture "${{ github.workspace }}/build/data/obs-plugins/win-capture"
 
     - name: Run bouf
       shell: pwsh
@@ -110,24 +105,26 @@ runs:
            "--config",     "${env:GITHUB_ACTION_PATH}/config.toml",
            "--version",    "${{ inputs.version }}"
            "--branch",     "${{ inputs.channel }}"
-           "--notes-file", "${{ github.workspace }}/notes.rst"
            "-i",           "${{ github.workspace }}/build"
            "-p",           "${{ github.workspace }}/old_builds"
            "-o",           "${{ github.workspace }}/output"
+           "--packaging-only"
         )
         Invoke-External "${{ github.workspace }}\bouf\bin\bouf.exe" @boufArgs
 
-    - name: Sign Updater Manifest
+    - name: Sync Latest Build
       shell: pwsh
-      if: inputs.gcpManifestSigningKeyName != ''
+      env:
+        RCLONE_INCLUDE: '**/${{ inputs.version }}/**'
+        RCLONE_GCS_ENV_AUTH: 'true'
+        RCLONE_GCS_BUCKET_POLICY_ONLY: 'true'
       run: |
-        $gcloudArgs = @(
-           "--input-file",       "${{ github.workspace }}/output/manifest.json"
-           "--signature-file",   "${{ github.workspace }}/output/manifest.json.sig"
-           "--digest-algorithm", "sha512"
-           "--location",         "global"
-           "--keyring",          "production"
-           "--key",              "${{ inputs.gcpManifestSigningKeyName }}"
-           "--version",          "1"
-        )
-        gcloud kms asymmetric-sign @gcloudArgs
+        rclone sync --delete-excluded --transfers 100 "${{ github.workspace }}/old_builds" ":gcs:obs-latest/${{ inputs.channel }}"
+
+    - name: Upload Build to Archive
+      shell: pwsh
+      env:
+        RCLONE_GCS_ENV_AUTH: 'true'
+        RCLONE_GCS_BUCKET_POLICY_ONLY: 'true'
+      run: |
+        rclone copy --transfers 100 "${{ github.workspace }}/old_builds" ":gcs:obs-builds"

.github/actions/windows-signing/config.toml

@@ -19,11 +19,13 @@ never_copy = [
 ]
 
 [prepare.codesign]
-sign_cert_file = "repo/.github/actions/bouf/prod.crt"
+sign_cert_file = "repo/.github/actions/windows-signing/prod.crt"
 sign_kms_key_id = "projects/ci-signing/locations/global/keyRings/production/cryptoKeys/release-sign-hsm/cryptoKeyVersions/1"
 sign_digest = "sha384"
 sign_ts_serv = "http://timestamp.digicert.com"
 sign_exts = ['exe', 'dll', 'pyd']
+sign_append = true
+sign_ts_algo = "sha256"
 
 [prepare.strip_pdbs]
 # PDBs to not strip
@@ -47,8 +49,7 @@ exclude_from_parallel = [
 nsis_script = "bouf/nsis/mp-installer.nsi"
 
 [package.zip]
-skip = true
-name = "OBS-Studio-{version}.zip"
+name = "OBS-Studio-{version}-x64.zip"
 pdb_name = "OBS-Studio-{version}-pdbs.zip"
 
 [package.updater]

.github/workflows/sign-windows.yaml

@@ -45,7 +45,7 @@ jobs:
           path: ${{ github.workspace }}/build
 
       - name: Run bouf 🥩
-        uses: ./repo/.github/actions/bouf
+        uses: ./repo/.github/actions/windows-signing
         with:
           gcpWorkloadIdentityProvider: ${{ secrets.GCP_IDENTITY_POOL }}
           gcpServiceAccountName: ${{ secrets.GCP_SERVICE_ACCOUNT_NAME }}
@@ -56,15 +56,15 @@ jobs:
         uses: actions/upload-artifact@v4
         with:
           name: obs-studio-windows-x64-${{ github.ref_name }}-signed
-          compression-level: 6
-          path: ${{ github.workspace }}/output/install
+          compression-level: 0
+          path: ${{ github.workspace }}/output/*-x64.zip
 
       - name: Upload PDBs
         uses: actions/upload-artifact@v4
         with:
           name: obs-studio-windows-x64-${{ github.ref_name }}-pdbs
-          compression-level: 9
-          path: ${{ github.workspace }}/output/pdbs
+          compression-level: 0
+          path: ${{ github.workspace }}/output/*-pdbs.zip
 
       - name: Upload Installer
         uses: actions/upload-artifact@v4
@@ -72,15 +72,3 @@ jobs:
           name: obs-studio-windows-x64-${{ github.ref_name }}-installer
           compression-level: 0
           path: ${{ github.workspace }}/output/*.exe
-
-      - name: Upload Updater Files
-        uses: actions/upload-artifact@v4
-        with:
-          name: obs-studio-windows-x64-${{ github.ref_name }}-patches
-          compression-level: 0
-          path: |
-            ${{ github.workspace }}/output/updater
-            ${{ github.workspace }}/output/*.json
-            ${{ github.workspace }}/output/*.sig
-            ${{ github.workspace }}/output/*.txt
-            ${{ github.workspace }}/output/*.rst