From 22a4ae661c647d5f8a965b8996507f40f881c74b Mon Sep 17 00:00:00 2001
From: Jonathan Peppers <jonathan.peppers@microsoft.com>
Date: Thu, 18 Jun 2026 15:36:14 -0500
Subject: [PATCH 1/2] Enable real signing on main branch

Real signing previously only triggered for release/* branches. Add main to the condition so non-PR builds of main also produce signed artifacts, enabling shipping directly from main.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 build/ci/stage-sign-artifacts.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build/ci/stage-sign-artifacts.yml b/build/ci/stage-sign-artifacts.yml
index 34180c7c5..e9476ae10 100644
--- a/build/ci/stage-sign-artifacts.yml
+++ b/build/ci/stage-sign-artifacts.yml
@@ -14,7 +14,7 @@ stages:
       artifactName: output-windows
       usePipelineArtifactTasks: true
       checkoutType: self
-      ${{ if and(startsWith(variables['Build.SourceBranch'], 'refs/heads/release/'), not(eq(variables['Build.Reason'], 'PullRequest'))) }}:
+      ${{ if and(or(eq(variables['Build.SourceBranch'], 'refs/heads/main'), startsWith(variables['Build.SourceBranch'], 'refs/heads/release/')), not(eq(variables['Build.Reason'], 'PullRequest'))) }}:
         signType: Real
       ${{ else }}:
         signType: Test

From f5f7bcdedecab9bf1ab59ba03baf229c8d381e8c Mon Sep 17 00:00:00 2001
From: Jonathan Peppers <jonathan.peppers@microsoft.com>
Date: Thu, 18 Jun 2026 15:41:44 -0500
Subject: [PATCH 2/2] Address review: exclude nightly schedule, update header
 comment

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 build/ci/stage-sign-artifacts.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/build/ci/stage-sign-artifacts.yml b/build/ci/stage-sign-artifacts.yml
index e9476ae10..680e94aeb 100644
--- a/build/ci/stage-sign-artifacts.yml
+++ b/build/ci/stage-sign-artifacts.yml
@@ -1,5 +1,5 @@
-# Signs artifacts on tags built for release
-  
+# Signs artifacts on release/* branches and non-scheduled main builds
+
 stages:
 - stage: sign_artifacts
   displayName: Sign Artifacts
@@ -14,7 +14,7 @@ stages:
       artifactName: output-windows
       usePipelineArtifactTasks: true
       checkoutType: self
-      ${{ if and(or(eq(variables['Build.SourceBranch'], 'refs/heads/main'), startsWith(variables['Build.SourceBranch'], 'refs/heads/release/')), not(eq(variables['Build.Reason'], 'PullRequest'))) }}:
+      ${{ if and(or(and(eq(variables['Build.SourceBranch'], 'refs/heads/main'), ne(variables['Build.Reason'], 'Schedule')), startsWith(variables['Build.SourceBranch'], 'refs/heads/release/')), not(eq(variables['Build.Reason'], 'PullRequest'))) }}:
         signType: Real
       ${{ else }}:
         signType: Test