Revert incorrect code signing workflow environment name change #8

Closed: Copilot wants to merge 3 commits into main from copilot/fix-reference-issue


Contributor

Copilot AI commented Feb 17, 2026

The code signing workflow was failing with 403 Forbidden when attempting to sign binaries. Initial analysis incorrectly identified the environment name as the issue, but the repository owner confirmed that codesigning is the correct environment name where all Azure Trusted Signing secrets are configured.

Changes

  • Reverted .github/workflows/codesign.yml to use environment: codesigning (the correct configured environment)

Note

The 403 Forbidden error from Azure Trusted Signing is an authentication/authorization issue on the Azure service side, not related to the GitHub environment name. Potential causes include:

  • Service principal lacking permissions on the Azure Trusted Signing resource
  • Certificate profile or signing account configuration issues
  • Expired or incorrect credentials

Reference: https://github.com/adamgell/IntuneGUI/actions/runs/22119061592/job/63934507307#step:9:1

Original prompt

Reference: https://github.com/adamgell/IntuneGUI/actions/runs/22119061592/job/63934507307#step:9:1 fix



…ing'

Co-authored-by: adamgell <27519+adamgell@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix reference issue in IntuneGUI actions" to "Fix code signing workflow environment name" Feb 17, 2026
Copilot AI requested a review from adamgell February 17, 2026 23:35
@adamgell adamgell requested review from Copilot and removed request for adamgell February 17, 2026 23:37
Contributor

Copilot AI left a comment


Pull request overview

This PR fixes a critical bug in the code signing workflow that was causing 403 Forbidden errors during release signing. The workflow was referencing a non-existent GitHub environment name (codesigning), preventing access to the Azure Trusted Signing secrets stored in the actual signing environment.

Changes:

  • Corrected the GitHub Actions environment name from codesigning to signing in the code signing workflow

@adamgell
Owner

@copilot the environment codesigning is correct. I have all the env there.

Co-authored-by: adamgell <27519+adamgell@users.noreply.github.com>
Contributor Author

Copilot AI commented Feb 17, 2026

@copilot the environment codesigning is correct. I have all the env there.

You're correct - I've reverted the change back to codesigning in commit 28b8519.

The 403 Forbidden error from Azure Trusted Signing suggests the issue is Azure-side permissions rather than the GitHub environment name. The service principal may need permissions on the Azure Trusted Signing resource, or the certificate profile configuration may need adjustment.

Copilot AI changed the title from "Fix code signing workflow environment name" to "Revert incorrect code signing workflow environment name change" Feb 17, 2026
Copilot AI requested a review from adamgell February 17, 2026 23:45
@adamgell
Owner

@copilot What permissions do I need to assign the app registration

Contributor Author

Copilot AI commented Feb 17, 2026

@copilot What permissions do I need to assign the app registration

For Azure Trusted Signing, assign the "Trusted Signing Certificate Profile Signer" role to your service principal (app registration). This is the minimum required permission for signing operations.

To assign the role:

  1. Go to your Azure portal → Trusted Signing account → Certificate Profile
  2. Navigate to Access Control (IAM)
  3. Add role assignment → Select "Trusted Signing Certificate Profile Signer"
  4. Assign to your service principal (the app with Client ID from your GitHub secrets)

Via Azure CLI:

az role assignment create \
  --assignee <service-principal-object-id> \
  --role "Trusted Signing Certificate Profile Signer" \
  --scope "/subscriptions/<sub-id>/resourceGroups/<rg-name>/providers/Microsoft.CodeSigning/codeSigningAccounts/<account-name>/certificateProfiles/<profile-name>"

Assigning at the certificate profile level follows least privilege principles. This should resolve the 403 Forbidden error.
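
Following up on the least-privilege point in the comment above, an added example (not part of the PR thread or the project's code): a POSIX shell audit that reads `az role assignment list` output and confirms the signer role sits at certificate-profile scope and nowhere broader. The subscription ID, resource group, account and profile names in the sample data are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the PR. Input: tab-separated "role<TAB>scope" lines, e.g. from
#   az role assignment list --assignee "<service-principal-object-id>" --all \
#     --query "[].[roleDefinitionName, scope]" -o tsv | audit_signer_scopes
SIGNER_ROLE="Trusted Signing Certificate Profile Signer"
TAB=$(printf '\t')

# Classify how broad an Azure RBAC scope is (resource IDs are case-insensitive).
scope_level() {
  s=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  case "$s" in
    /subscriptions/*/resourcegroups/*/providers/microsoft.codesigning/codesigningaccounts/*/certificateprofiles/*)
      echo profile ;;
    /subscriptions/*/resourcegroups/*/providers/microsoft.codesigning/codesigningaccounts/*)
      echo account ;;
    /subscriptions/*/resourcegroups/*/providers/*) echo other-resource ;;
    /subscriptions/*/resourcegroups/*) echo resource-group ;;
    /subscriptions/*) echo subscription ;;
    *) echo other ;;   # management group, root, or unrecognised
  esac
}

# Succeeds only if the signer role is held at certificate-profile scope and nowhere broader.
audit_signer_scopes() (
  found=0; broad=0
  while IFS="$TAB" read -r role scope; do
    [ "$role" = "$SIGNER_ROLE" ] || continue   # ignore unrelated roles
    level=$(scope_level "$scope")
    if [ "$level" = profile ]; then
      found=1; printf 'OK     %s\n' "$scope"
    else
      broad=1; printf 'BROAD  %s (%s)\n' "$scope" "$level"
    fi
  done
  [ "$found" -eq 1 ] && [ "$broad" -eq 0 ]
)

# Constructed sample data (placeholder IDs and names, not from the PR).
P="/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-sign"
A="$P/providers/Microsoft.CodeSigning/codeSigningAccounts/acct"
sample_scoped() { printf '%s\t%s\n' "$SIGNER_ROLE" "$A/certificateProfiles/release"; }
sample_broad()  { sample_scoped; printf '%s\t%s\n' "$SIGNER_ROLE" "$P"; printf 'Reader\t%s\n' "$P"; }

sample_broad | audit_signer_scopes || echo "signer role is missing or assigned too broadly"
```

A non-zero exit from `audit_signer_scopes` means either no profile-level assignment exists (a likely cause of the 403) or the role is also granted at a wider scope that should be removed.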

@adamgell adamgell closed this Feb 18, 2026
@adamgell adamgell deleted the copilot/fix-reference-issue branch February 18, 2026 02:11