## Summary
Move the Chocolatey packaging and publishing steps out of the main release.yml workflow and into the ossign-poll.yml workflow so the Chocolatey package is built from, and published with, the signed Windows binaries.
At the moment the release workflow creates and pushes the Chocolatey package before the OSSign process has completed. The ossign-poll workflow already waits for OSSign, replaces the GitHub release assets with the signed files, and then publishes the WinGet package. Chocolatey should follow the same pattern.
## Current behaviour

1. `release.yml` runs GoReleaser and creates the GitHub release assets.
2. `release.yml` then replaces the version in `rmstale.nuspec`, packs the Chocolatey package, and pushes it to chocolatey.org.
3. `release.yml` then requests OSSign signing.
4. `ossign-poll.yml` later detects the signed artifacts, replaces the release assets, and publishes the WinGet package.
This means Chocolatey is currently published before the signed release assets are available, unlike WinGet.
## Desired behaviour

- `release.yml` should keep building the release and requesting OSSign signing.
- Chocolatey packaging/publishing should run from `ossign-poll.yml` only after `poll` reports `signing_complete == 'true'`.
- Chocolatey should use the signed release artifacts that have already replaced the original release assets.
- The flow should mirror the existing WinGet publish step where possible.
## Proposed implementation

- Remove these steps from the `release` job in `.github/workflows/release.yml`:
  - `Replace version in NuSpec file`
  - `Create directory for chocolaty package`
  - `Package chocolaty binary`
  - `Push package to chocolatey.org`
- Add a new Chocolatey publishing job to `.github/workflows/ossign-poll.yml` that:
  - depends on the `poll` job;
  - only runs when `needs.poll.outputs.signing_complete == 'true'`;
  - checks out the repository so `rmstale.nuspec` is available;
  - determines the release version from `vars.OSSIGN_RELEASE_TAG` before it is cleared, or from another reliable output of the `poll` job;
  - updates `rmstale.nuspec` with the signed release version;
  - downloads/uses the signed Windows release assets if the Chocolatey package layout needs them;
  - packs the `.nupkg`; and
  - pushes it to `https://push.chocolatey.org/` using `secrets.CHOCO_KEY`.
## Important implementation note

`ossign-poll.yml` currently clears `OSSIGN_RELEASE_TAG` in the `poll` job after signed artifacts are detected. If the Chocolatey job needs the release tag/version, either capture it as a `poll` job output before the repository variable is cleared, or move the clear step to after the dependent publishing jobs have completed.
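The sketch below is an added illustration of the proposed `ossign-poll.yml` shape for this issue; it is not the repository's existing workflow. It shows the `poll` job exposing the tag as a job output before the variable is cleared, and a `chocolatey` job gated on `signing_complete` that packs and pushes from the signed asset. The step ids (`tag`, `detect`), the asset name pattern, the tag format, the use of the `gh` CLI to clear the variable, and the Authenticode check before packing are assumptions, not details taken from the issue.

```yaml
# Added illustration, not the repository's ossign-poll.yml. Only the parts that
# change are shown; the existing OSSign wait/asset-replacement steps and the
# unchanged WinGet job are represented by comments.
jobs:
  poll:
    runs-on: ubuntu-latest
    outputs:
      # assumption: an existing step with id `detect` sets signing_complete
      signing_complete: ${{ steps.detect.outputs.signing_complete }}
      release_tag: ${{ steps.tag.outputs.release_tag }}
    steps:
      # Capture the tag as a job output BEFORE the repository variable is
      # cleared, so downstream publishing jobs can still read it.
      - id: tag
        env:
          TAG: ${{ vars.OSSIGN_RELEASE_TAG }}
        run: echo "release_tag=$TAG" >> "$GITHUB_OUTPUT"

      # ... existing steps: wait for OSSign, replace the GitHub release assets
      #     with the signed files, set `signing_complete` (placeholder id `detect`) ...

      # Existing clear step; safe to keep here because the tag was saved above.
      - if: steps.detect.outputs.signing_complete == 'true'
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: gh variable set OSSIGN_RELEASE_TAG --body ""   # assumption: cleared via gh CLI

  # winget: existing job, unchanged (needs: poll, same `if:` gate as below)

  chocolatey:
    needs: poll
    if: needs.poll.outputs.signing_complete == 'true'
    runs-on: windows-latest
    env:
      RELEASE_TAG: ${{ needs.poll.outputs.release_tag }}
    steps:
      - uses: actions/checkout@v4          # makes rmstale.nuspec available

      # Create directory for chocolaty package
      - run: New-Item -ItemType Directory -Force choco/tools | Out-Null

      # Download the signed Windows asset that already replaced the original
      # release asset. Asset pattern is an assumption.
      - env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: gh release download "$env:RELEASE_TAG" --pattern "*windows*amd64*.exe" --dir choco/tools

      # Added guard (not in the issue): refuse to pack anything that is not
      # Authenticode-signed, so an unsigned asset can never reach Chocolatey.
      - run: |
          $bin = Get-ChildItem choco/tools/*.exe | Select-Object -First 1
          $sig = Get-AuthenticodeSignature $bin.FullName
          if ($sig.Status -ne 'Valid') { throw "unsigned or invalid signature: $($bin.Name) ($($sig.Status))" }

      # Replace version in NuSpec file, then Package chocolaty binary
      - run: |
          $ver = $env:RELEASE_TAG -replace '^v',''   # assumption: tags look like v1.2.3
          (Get-Content rmstale.nuspec) -replace '<version>.*</version>', "<version>$ver</version>" |
            Set-Content rmstale.nuspec
          choco pack rmstale.nuspec --outputdirectory choco

      # Push package to chocolatey.org, using the same secret release.yml used.
      - env:
          CHOCO_KEY: ${{ secrets.CHOCO_KEY }}
        run: |
          $pkg = (Get-ChildItem choco/*.nupkg).FullName
          choco push $pkg --source https://push.chocolatey.org/ --api-key $env:CHOCO_KEY
```

Passing `vars.OSSIGN_RELEASE_TAG` and the job output through `env:` rather than interpolating `${{ }}` directly into `run:` keeps the values out of the shell script text, which is the usual guard against expression injection in workflow scripts. Because both `winget` and `chocolatey` depend on `poll` and share the same `if:` gate, a manual `workflow_dispatch` of `ossign-poll.yml` completes the pending signing request and publishes both downstream packages in one run.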
## Acceptance criteria

- Chocolatey package creation/publishing no longer happens in `release.yml` before signing completes.
- Chocolatey publishing runs from `ossign-poll.yml` after signed artifacts are available.
- Chocolatey receives the signed Windows binaries/release assets, consistent with the WinGet publishing flow.
- WinGet publishing continues to work as it does today.
- Pending OSSign state is still cleared after the signing/publishing flow succeeds.
- Manual `workflow_dispatch` of `ossign-poll.yml` still supports completing a pending signing request and publishing downstream packages.
## Why
This keeps all downstream Windows package publishing aligned behind the OSSign completion gate. It avoids publishing a Chocolatey package with unsigned binaries while WinGet is already correctly delayed until the signed assets have replaced the original release assets.