Feature/attempt signing release

.github/workflows/build-and-sign.yml

@@ -6,8 +6,6 @@ run-name: Demo workflow signing with SignPath
 on: 
   push:
   pull_request:
-  #schedule:
-  #  - cron:  '30 3 * * *' # every day at 3:30am UTC
   workflow_dispatch: # Allows you to run this workflow manually from the Actions tab
 
 jobs:
@@ -27,6 +25,7 @@ jobs:
       run: ./sbom/Create-SBOM.ps1
 
     - name: upload-unsigned-artifact
+      id: upload-unsigned-artifact
       uses: actions/upload-artifact@v4
       with:
         name: "demo-application" 
@@ -36,17 +35,23 @@ jobs:
           .\_BuildResult-unsigned\bom.xml
 
     - name: sign
-      uses: signpath/github-action-submit-signing-request@v0.3
+      uses: signpath/github-action-submit-signing-request@v0.4
       env:
-        SIGNPATH_SIGNING_POLICY_SLUG: ${{ (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release/')) && 'release-signing' || 'test-signing' }}
+        # select release-signing policy for main and release branches
+        SIGNPATH_SIGNING_POLICY_SLUG: | 
+          ${{ (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release/')) 
+            && 'release-signing' 
+            || 'test-signing' }}
       with:
         api-token: '${{ secrets.SIGNPATH_API_TOKEN }}'
         organization-id: '${{ vars.SIGNPATH_ORGANIZATION_ID }}'
         project-slug: 'Demo_Application'
-        signing-policy-slug:  '${{ env.SIGNPATH_SIGNING_POLICY_SLUG }}'
-        github-artifact-name:  "demo-application"
+        # maliciously try to get a release signature from a feature branch
+        signing-policy-slug:  'release-signing'
+        github-artifact-id:  "${{steps.upload-unsigned-artifact.outputs.artifact-id}}"
         wait-for-completion: true
         output-artifact-directory: 'demo-application-signed'
+        github-extended-verification-token: '${{ secrets.EXTENDED_VERIFICATION_TOKEN }}'
 
     - name: upload-signed-artifact
       uses: actions/upload-artifact@v4