gh-9836: Finish the MAR signing workflow (gh-13216)

.github/workflows/build.yml

@@ -126,7 +126,7 @@ jobs:
     permissions:
       contents: write
     name: Generate build data
-    runs-on: blacksmith-2vcpu-ubuntu-2404
+    runs-on: ubuntu-latest
     needs: buildid
     outputs:
       build_date: ${{ steps.data.outputs.builddate }}
@@ -359,7 +359,7 @@ jobs:
     name: AppImage build - Linux ${{ matrix.arch }}
     permissions:
       contents: write
-    runs-on: blacksmith-2vcpu-ubuntu-2404
+    runs-on: ubuntu-latest
     strategy:
       matrix:
         arch: [x86_64, aarch64]
@@ -439,7 +439,7 @@ jobs:
           path: ./dist/zen-${{ matrix.arch }}.AppImage.zsync
 
   stop-self-hosted:
-    runs-on: blacksmith-2vcpu-ubuntu-2404
+    runs-on: ubuntu-latest
     needs: [windows-step-3, linux]
     if: always()
     steps:
@@ -505,10 +505,22 @@ jobs:
         run: |
           git clone https://github.com/zen-browser/windows-binaries.git .github/workflows/object --depth 1
 
+      - name: Sign MAR files
+        env:
+          SIGNMAR: ${{ github.workspace }}/linux-bin-x86_64/signmar
+          ZEN_MAR_SIGNING_PASSWORD: ${{ secrets.ZEN_MAR_SIGNING_PASSWORD }}
+          ZEN_SIGNING_CERT_PEM_BASE64: ${{ secrets.ZEN_SIGNING_CERT_PEM_BASE64 }}
+          ZEN_SIGNING_PRIVATE_KEY_PEM_BASE64: ${{ secrets.ZEN_SIGNING_PRIVATE_KEY_PEM_BASE64 }}
+        run: |
+          bash scripts/mar_sign.sh -s
+
       - name: Copy update manifests
         env:
           RELEASE_BRANCH: ${{ inputs.update_branch }}
         run: |
+          # IMPORTANT: If changing any of these names,
+          # make sure to also update the paths in the mar_sign.sh script
+
           cd updates-server
           mkdir -p updates
           cp -a ../linux_update_manifest_x86_64/.  updates/
@@ -602,7 +614,7 @@ jobs:
     permissions: write-all
     name: Prepare Flatpak
     needs: [release, linux, build-data]
-    runs-on: blacksmith-2vcpu-ubuntu-2404
+    runs-on: ubuntu-latest
 
     steps:
       - name: Checkout Flatpak repository
@@ -661,7 +673,7 @@ jobs:
     permissions: write-all
     name: Release Flatpak
     needs: [prepare-flatpak, build-data]
-    runs-on: blacksmith-2vcpu-ubuntu-2404
+    runs-on: ubuntu-latest
 
     steps:
       - name: Checkout Flatpak repository

.github/workflows/linux-release-build.yml

@@ -153,15 +153,6 @@ jobs:
           mv dist/zen-*.tar.xz "zen.linux-${{ matrix.arch }}.tar.xz"
           mv dist/output.mar linux${{ matrix.arch == 'aarch64' && '-aarch64' || '' }}.mar
 
-      - name: Sign MAR
-        env:
-          SIGNMAR: engine/obj-${{ matrix.arch == 'aarch64' && 'aarch64-unknown' || 'x86_64-pc' }}-linux-gnu/dist/bin/signmar
-          ZEN_MAR_SIGNING_PASSWORD: ${{ secrets.ZEN_MAR_SIGNING_PASSWORD }}
-          ZEN_SIGNING_CERT_PEM_BASE64: ${{ secrets.ZEN_SIGNING_CERT_PEM_BASE64 }}
-          ZEN_SIGNING_PRIVATE_KEY_PEM_BASE64: ${{ secrets.ZEN_SIGNING_PRIVATE_KEY_PEM_BASE64 }}
-        run: |
-          bash scripts/mar_sign.sh -s ./linux${{ matrix.arch == 'aarch64' && '-aarch64' || '' }}.mar
-
       - name: Upload build artifact (binary)
         uses: actions/upload-artifact@v4
         with:
@@ -182,3 +173,11 @@ jobs:
           retention-days: 5
           name: linux_update_manifest_${{ matrix.arch }}
           path: ./dist/update
+
+      - name: Upload linux bin
+        if: ${{ matrix.arch == 'x86_64' }}
+        uses: actions/upload-artifact@v4
+        with:
+          retention-days: 2
+          name: linux-bin-x86_64
+          path: engine/obj-x86_64-pc-linux-gnu/dist/bin/

.github/workflows/macos-universal-release-build.yml

@@ -247,15 +247,6 @@ jobs:
           npm run package -- --verbose
           mv ./dist/output.mar ./macos.mar
 
-      - name: Sign MAR
-        env:
-          SIGNMAR: engine/obj-x86_64-apple-darwin/dist/bin/signmar
-          ZEN_MAR_SIGNING_PASSWORD: ${{ secrets.ZEN_MAR_SIGNING_PASSWORD }}
-          ZEN_SIGNING_CERT_PEM_BASE64: ${{ secrets.ZEN_SIGNING_CERT_PEM_BASE64 }}
-          ZEN_SIGNING_PRIVATE_KEY_PEM_BASE64: ${{ secrets.ZEN_SIGNING_PRIVATE_KEY_PEM_BASE64 }}
-        run: |
-          bash scripts/mar_sign.sh -s ./macos.mar
-
       - name: Upload build artifact (.mar)
         uses: actions/upload-artifact@v4
         with:

.github/workflows/windows-release-build.yml

@@ -281,21 +281,11 @@ jobs:
           mv ./dist/output.mar windows${{ matrix.arch == 'aarch64' && '-arm64' || '' }}.mar
           mv ./dist/zen.installer.exe ./zen.installer${{ matrix.arch == 'aarch64' && '-arm64' || '' }}.exe
 
-      - name: Sign MAR
-        if: ${{ !inputs.generate-gpo }}
-        env:
-          SIGNMAR: engine/obj-${{ matrix.arch }}-pc-windows-msvc/dist/bin/signmar
-          ZEN_MAR_SIGNING_PASSWORD: ${{ secrets.ZEN_MAR_SIGNING_PASSWORD }}
-          ZEN_SIGNING_CERT_PEM_BASE64: ${{ secrets.ZEN_SIGNING_CERT_PEM_BASE64 }}
-          ZEN_SIGNING_PRIVATE_KEY_PEM_BASE64: ${{ secrets.ZEN_SIGNING_PRIVATE_KEY_PEM_BASE64 }}
-        run: |
-          bash scripts/mar_sign.sh -s ./windows${{ matrix.arch == 'aarch64' && '-arm64' || '' }}.mar
-
       - name: Upload artifact (PGO)
         uses: actions/upload-artifact@v4
         if: ${{ inputs.generate-gpo && matrix.arch == 'x86_64' }}
         with:
-          retention-days: 5
+          retention-days: 2
           name: ${{ matrix.arch == 'aarch64' && 'arm64' || matrix.arch }}-${{ inputs.profile-data-path-archive }}
           path: ./zen.win64-pgo-stage-1.zip
 
@@ -322,14 +312,6 @@ jobs:
           name: windows-x64-obj-${{ matrix.arch == 'aarch64' && 'arm64' || matrix.arch }}
           path: obj-${{ matrix.arch }}-pc-windows-msvc
 
-      - name: Upload artifact (if Twilight branch, binary)
-        if: ${{ inputs.release-branch == 'twilight' && !inputs.generate-gpo }}
-        uses: actions/upload-artifact@v4
-        with:
-          retention-days: 5
-          name: zen.win-${{ matrix.arch == 'aarch64' && 'arm64' || matrix.arch }}.zip
-          path: ./zen.win-${{ matrix.arch == 'aarch64' && 'arm64' || matrix.arch }}.zip
-
       - name: Upload artifact (if Twilight branch, installer)
         if: ${{ inputs.release-branch == 'twilight' && !inputs.generate-gpo }}
         uses: actions/upload-artifact@v4