fix(publish): verify-windows-signatures resilient under errexit

[ChiragAgg5k]

Re-release of 21.0.0 with the verify-signature fix from appwrite/sdk-generator 1.29.5 (PR #1542).

Previous pipeline failed at the "Verify Windows signatures" step because the command substitution output=$(osslsigncode verify ...) propagated osslsigncode's non-zero exit under GHA's default bash -e, killing the script before the warning path could run.

Changes

• .github/workflows/publish.yml: use || rc=$? so the verify command's exit code is captured without tripping errexit

No version bump or changelog changes — same 21.0.0 release.

[greptile-apps]

Greptile Summary

This PR makes a single-line change to the verify_signature helper in .github/workflows/publish.yml: it pre-initialises rc=0 and switches from unconditionally capturing $? to using the || rc=$? pattern to capture the exit code only on failure.

• The two forms are functionally equivalent in this context (set -uo pipefail, no -e); both correctly propagate a non-zero exit code from osslsigncode verify.
• The verify_signature function intentionally never fails the workflow step — it emits a ::warning:: annotation so that publishing proceeds even when a Windows binary's signature cannot be confirmed.

Confidence Score: 4/5

The workflow change is mechanically correct and does not alter observable behaviour; the only callout is the pre-existing non-blocking verification path that could allow unsigned Windows binaries to be published if signing fails.

The two-line refactor is equivalent to the code it replaces, and all other workflow steps (pinned action SHAs, secret handling, release gating) remain unchanged. The only ongoing concern is the intentionally non-blocking signature check: if osslsigncode verify fails for any reason, the release proceeds without a hard stop.

.github/workflows/publish.yml — specifically the verify_signature function and the ::warning:: path that bypasses a hard failure on signing errors.

Important Files Changed

Filename	Overview
.github/workflows/publish.yml	Refactors exit-code capture in verify_signature from rc=$? to `rc=0; output=$(…)

Comments Outside Diff (1)

1. .github/workflows/publish.yml, line 107-109 (link)

   Signature failures are non-blocking — unsigned binaries can reach npm/GitHub Releases

   The function emits ::warning:: instead of ::error:: and never returns a non-zero exit code, so a completely unsigned or tampered Windows binary will silently pass through and be published. The inline comment says this is intentional while the signing policy is being enabled, but that caveat is easy to miss. Once Windows signing is fully rolled out, the ::warning:: should become a hard exit 1 so regressions in the signing pipeline don’t ship unsigned binaries to end users. A TODO or issue reference would make the intent easier to track.

_{Reviews (1): Last reviewed commit: "chore: update Command Line SDK to 21.0.0" | Re-trigger Greptile}