Windows Production

main is the production branch. Every push to main that touches the Windows app or shared Everything design system runs .github/workflows/windows-production.yml. The production pipeline has two default outputs:
  1. A GitHub-hosted App Installer package/feed for direct Windows installation.
  2. A Microsoft Store .msixupload package artifact for Partner Center.
Automatic Store API submission is opt-in. Set WINDOWS_STORE_API_PUBLISH_ENABLED=true only after Partner Center API credentials are confirmed to work; otherwise the workflow builds and uploads the Store candidate artifact without making main red.
The App Installer feed is the pre-Store internal channel. It does not wait for Partner Center screenshots, certification, or package flights. After the first install, Windows checks the same feed for updates on app launch.
The first automated Store publish targets a Private audience submission. After an internal package flight exists, setting WINDOWS_STORE_FLIGHT_ID switches the same workflow to the flight, which is the ongoing Windows equivalent of the Google Play internal testing track.

Workflow

The workflow regenerates the shared design-system outputs, builds apps/windows/Everything.Windows.csproj with .NET 10 and Windows App SDK, then packages the app twice without production signing or Store credentials in the build job:
  • windows:package shape: an MSIX/MSIX bundle candidate for the App Installer feed.
  • windows:store-package shape: an .msixupload candidate for Microsoft Partner Center.
The App Installer package is signed later in a separate no-checkout job. Microsoft Store publishing also runs from a separate publish-only job that downloads the .msixupload artifact, but only when WINDOWS_STORE_API_PUBLISH_ENABLED=true.
The package version is set from the GitHub run:
1.0.<github.run_number>.0
This keeps Store submission versions monotonically increasing while satisfying the Microsoft Store requirement that the MSIX package revision is 0.

Required Store setup

Microsoft Store publishing requires a Partner Center app record and Microsoft Store Developer CLI credentials. Internal testing starts with a Private audience known user group, then can move to a package flight after the first private-audience submission is published. See Microsoft Store testing for the setup checklist and GitHub secret names.
The Store owner/root administrative Microsoft account is avrahamiyaniv@gmail.com. Customer-facing Store fields should stay on Sapientic branding and support addresses; do not expose the owner account in public support, privacy, or marketing surfaces.

App Installer feed

When the signing secrets are configured, the workflow publishes the production App Installer feed here:
https://github.com/sapientic/sapientic/releases/download/everything-windows-production/Everything.appinstaller
Windows checks that feed on app launch and can install the newest signed MSIX bundle from the same production release. The website Windows button points at the same stable App Installer feed. The release assets are:
  • Everything.appinstaller: stable install/update feed.
  • Everything.Windows.msixbundle or Everything.Windows.msix: signed app package.
  • Everything.Windows.SigningCertificate.cer: public certificate for the current internal signing key.
  • Install-Everything-Windows.ps1: first-time install helper for internal testers.
Run this once to create the internal signing certificate and configure the GitHub Actions secrets used by the feed:
npm run windows:appinstaller-setup
Check direct-feed readiness without printing secrets:
npm run windows:appinstaller-status
For a first internal install from the private GitHub release, run:
npm run windows:appinstaller-install
The first install trusts the internal signing certificate. Later app changes arrive through the App Installer update feed.

Microsoft Store publish

The workflow publishes the generated .msixupload package with:
WINDOWS_STORE_API_PUBLISH_ENABLED=true
WINDOWS_STORE_PRODUCT_ID
WINDOWS_STORE_PRIVATE_AUDIENCE_READY
WINDOWS_STORE_PRIVATE_AUDIENCE_READY must be true before the workflow is allowed to publish without a flight ID. After the internal package flight exists, configure:
WINDOWS_STORE_FLIGHT_ID
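The gating rules above, together with the 1.0.<github.run_number>.0 version rule from the Workflow section, written out as a pre-publish check. This is an added example, not the project's workflow code: the function names are hypothetical, and both the exact-string match on true and the 65535 bound on the run number (the largest value an MSIX version part can hold) are assumptions about how such a check would be written.

```javascript
// Added example; helper names are hypothetical, variable names come from this page.
// MSIX version parts are 16-bit, so the run number must fit in 1..65535.
const MAX_VERSION_PART = 65535;

// Build 1.0.<run_number>.0; the revision stays 0 as the Store requires.
function packageVersion(runNumber) {
  const text = String(runNumber);
  const n = /^\d{1,5}$/.test(text) ? Number(text) : NaN;
  if (!Number.isInteger(n) || n < 1 || n > MAX_VERSION_PART) {
    throw new RangeError(`run number ${text} does not fit an MSIX version part`);
  }
  return `1.0.${n}.0`;
}

// Decide what the publish-only job may do. Only the exact string "true"
// opens a gate (an assumption), so "True", "1" or an unset variable fail closed.
function resolveStoreTarget(env) {
  if (env.WINDOWS_STORE_API_PUBLISH_ENABLED !== "true") {
    return { publish: false, reason: "API publish not enabled; artifact only" };
  }
  const productId = (env.WINDOWS_STORE_PRODUCT_ID || "").trim();
  if (!productId) {
    throw new Error("WINDOWS_STORE_PRODUCT_ID is required when publishing is enabled");
  }
  const flightId = (env.WINDOWS_STORE_FLIGHT_ID || "").trim();
  if (flightId) {
    // A configured flight takes over from the Private audience submission.
    return { publish: true, target: "flight", productId, flightId };
  }
  if (env.WINDOWS_STORE_PRIVATE_AUDIENCE_READY === "true") {
    return { publish: true, target: "private-audience", productId };
  }
  throw new Error("refusing to publish: no flight ID and private audience not marked ready");
}

// Constructed sample environment; the product ID is a placeholder.
const sampleEnv = {
  WINDOWS_STORE_API_PUBLISH_ENABLED: "true",
  WINDOWS_STORE_PRODUCT_ID: "EXAMPLEPRODUCTID",
  WINDOWS_STORE_PRIVATE_AUDIENCE_READY: "true",
};
console.log(packageVersion("42"), resolveStoreTarget(sampleEnv));
```

Once the run number passes 65535 the version check fails, so the version scheme needs a new minor or build component before that point.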
The current reserved Microsoft Store product name is Sapientic Everything, with product ID 9NRZB5HT5XSX. The Store package manifest display name must use this reserved name; Partner Center rejects Everything because that exact name is not available for this product.
Store API publishing must use an Entra application from a tenant associated with the avrahamiyaniv@gmail.com Partner Center developer account. The previously configured Sapientic Entra tenant authenticates but cannot see this Store product until Microsoft allows or fixes that tenant association.
The Partner Center package identity is:
Package/Identity/Name: Sapientic.SapienticEverything
Package/Identity/Publisher: CN=AE2A8521-D497-42C4-A51E-12D95B9FDC39
Partner Center still runs certification on Store submissions. After certification succeeds, testers in the configured audience or package flight receive the Store build through Microsoft Store.