Use Azure Trusted Signing

[martincostello]

What?

Use Azure Trusted Signing to sign the Windows artifacts instead of the existing code-signing certificate.

The k6.exe file itself is now also signed.

I suggest this is merged as-is to complete the rotation of the certificate, then I can do a follow-up PR to refactor this to use a shared re-usable action for signing once that's implemented and merged (see grafana/shared-workflows#1290).

Before

After

Why?

The existing certificate expires on Thursday 2nd October 2025.

Checklist

• I have performed a self-review of my code.
• I have commented on my code, particularly in hard-to-understand areas.
• I have added tests for my changes.
• I have run linter and tests locally (make check) and all pass.

Checklist: Documentation (only for k6 maintainers and if relevant)

• I have added the correct milestone and labels to the PR.
• I have updated the release notes: link
• I have updated or added an issue to the k6-documentation: grafana/k6-docs#NUMBER if applicable
• I have updated or added an issue to the TypeScript definitions: grafana/k6-DefinitelyTyped#NUMBER if applicable

Related PR(s)/Issue(s)

None.

[martincostello]

Verified artifacts from this workflow run:

• Have a .zip that contains the signed Windows binary
• Have a signed .msi
• The .msi contains the signed Windows binary

[martincostello]

Verified artifacts from this workflow run:

• Skip all signing-related steps
• signed-windows-binary contains an unsigned version of k6.exe
• binaries-signed contains an unsigned version of k6.exe
• binaries-windows-signed contains an unsigned .msi.

[Copilot]

Pull Request Overview

This PR migrates from traditional certificate-based code signing to Azure Trusted Signing for Windows artifacts in the GitHub Actions build workflow. The change adds signing for the k6.exe binary itself and replaces the existing MSI installer signing process.

• Implements Azure Trusted Signing using Microsoft's Sign CLI tool and Azure authentication
• Adds conditional signing logic that only signs artifacts from the default branch, version tags, or manual dispatches
• Restructures the Windows packaging workflow to separate binary signing, installer creation, and installer signing into distinct jobs

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[martincostello]

Addressed various review comments:

• Shared action now used for signing
• Refactored artifact naming to flow between jobs
• Renamed new jobs
• More steps are skipped when signing isn't being used
• Reduced the number of artifacts produced by unsigned builds

[mstoykov]

LGTM!

I have a comment around naming, that is not blocking, and would be nice if we can it run the signing again before we merge it.

Thank you for all the work 🙇

[mstoykov]

So we are uploading this before so the workflow can download it?

If so can we ranem it to windows-binary-to-sign to again be something that is more obvious

[martincostello]

No, it's also needed for when the workflow runs when signing is disabled (e.g. in a PR) (see 69ba0db).

Although that does mean as the artifact has to exist anyway I can just delete the comment.

[martincostello]

would be nice if we can it run the signing again before we merge it.

I think we're good as-is. To run it again with signing, as this is a PR, I would have to re-edit the PR force it on and ensure there isn't an accidental real publish, then revert those changes again before it can be merged. The edits since the last run with signing are trivial enough that I think there's enough confidence it works for both unsigned and signed builds.