Moved the signing to a single step.

Author: dlemstra

.github/workflows/main.yml

@@ -160,11 +160,6 @@ jobs:
     name: Windows (${{matrix.quantumName}}, ${{matrix.platformName}})
     runs-on: windows-2022
 
-    permissions:
-      id-token: write
-      contents: read
-      packages: read
-
     strategy:
       fail-fast: false
       matrix:
@@ -222,24 +217,6 @@ jobs:
         run: ./publish.cmd ${{ matrix.quantumName }} "${{ matrix.platformName }}"
         working-directory: publish
 
-      - name: Azure CLI login with federated credential
-        if: github.event_name != 'pull_request'
-        uses: azure/login@v2
-        with:
-          client-id: ${{ secrets.AZURE_CLIENT_ID }}
-          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
-          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-
-      - name: Sign NuGet package
-        if: ${{ github.event_name != 'pull_request' }}
-        run: sign code trusted-signing *.nupkg `
-          --trusted-signing-account ImageMagick `
-          --trusted-signing-certificate-profile ImageMagick `
-          --trusted-signing-endpoint https://eus.codesigning.azure.net `
-          --azure-credential-type azure-cli `
-          --verbosity information
-        working-directory: publish/output
-
       - name: Upload library
         uses: actions/upload-artifact@v5
         with:
@@ -251,11 +228,6 @@ jobs:
     #runs-on: windows-11-arm
     runs-on: windows-2022
 
-    permissions:
-      id-token: write
-      contents: read
-      packages: read
-
     strategy:
       fail-fast: false
       matrix:
@@ -300,25 +272,6 @@ jobs:
       run: ./publish.cmd ${{ matrix.quantumName }} "${{ matrix.platformName }}"
       working-directory: publish
 
-    - name: Azure CLI login with federated credential
-      if: github.event_name != 'pull_request'
-      uses: azure/login@v2
-      with:
-        client-id: ${{ secrets.AZURE_CLIENT_ID }}
-        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
-        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-
-    - name: Sign NuGet package
-      if: ${{ github.event_name != 'pull_request' }}
-      run: sign code trusted-signing `
-        --trusted-signing-account ImageMagick `
-        --trusted-signing-certificate-profile ImageMagick `
-        --trusted-signing-endpoint https://eus.codesigning.azure.net `
-        --azure-credential-type azure-cli `
-        --verbosity information `
-        *.nupkg
-      working-directory: publish/output
-
     - name: Upload library
       uses: actions/upload-artifact@v5
       with:
@@ -329,11 +282,6 @@ jobs:
     name: Library
     runs-on: windows-2022
 
-    permissions:
-      id-token: write
-      contents: read
-      packages: read
-
     strategy:
       fail-fast: false
       matrix:
@@ -369,27 +317,46 @@ jobs:
         run: ./publish.library.cmd "Magick.NET.${{ matrix.libraryName }}"
         working-directory: publish
 
+      - name: Upload library
+        uses: actions/upload-artifact@v5
+        with:
+          name: Magick.NET.${{ matrix.libraryName }}
+          path: publish/output
+
+  sign:
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+    name: Sign NuGet packages
+    needs:
+      - windows
+      - windows_arm64
+      - libraries
+    runs-on: windows-2022
+
+    permissions:
+      id-token: write
+      contents: read
+      packages: read
+
+    steps:
+      - name: Download artifacts
+        uses: actions/download-artifact@v6
+        with:
+          path: packages
+          merge-multiple: true
+
       - name: Azure CLI login with federated credential
-        if: github.event_name != 'pull_request'
         uses: azure/login@v2
         with:
           client-id: ${{ secrets.AZURE_CLIENT_ID }}
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
       - name: Sign NuGet package
-        if: ${{ github.event_name != 'pull_request' }}
         run: sign code trusted-signing `
           --trusted-signing-account ImageMagick `
           --trusted-signing-certificate-profile ImageMagick `
           --trusted-signing-endpoint https://eus.codesigning.azure.net `
           --azure-credential-type azure-cli `
           --verbosity information `
           *.nupkg
-        working-directory: publish/output
-
-      - name: Upload library
-        uses: actions/upload-artifact@v5
-        with:
-          name: Magick.NET.${{ matrix.libraryName }}
-          path: publish/output
+        working-directory: packages