Avoid building dlls twice due to signing postAction

[michaelDCurran]

Link to issue number:

Fixes #20033

Summary of the issue:

Signing of dlls and executables during NVDA build was implemented in SCons as post actions, as in once the dll or exe target was fully created, then a separate post-action for signing was run. The problems with this approach are:

• when building with multiple processor cores, further actions that depend on a dll (such as packaging, might start running before the dll or exe is actually signed, as SCons thinks the source already exists.
• When building as separate steps (E.g. source, then launcher) it is possible in environments such as Github actions, that the second running of SCons may think that some DLLs or EXEs are outdated because the signing postAction changed them, so therefore they are re-build and re-signed. This is especially problematic as collecting of these dls and exes for debug symbols may have archived the copies from the first build, rather than the second. (See #22033).

Description of user facing changes:

Description of developer facing changes:

Description of development approach:

• Rather than using AddPostAction to sign files, make a new copyAndSign builder that copies a source file to the target, and then signs the target all in the same action, thus Scons treats the target as complete once signed.
• Replace any usage of env.AddPostAction and then env.Install with env.copyAndSign.
• When building the launcher and uninstaller, optionally add the signing step as one of the actions, rather than running a post action later.
• Github CI again tells Scons to build with all cores. This should be safe enough now.

Testing strategy:

• Build locally with and without signing info. Ensure builds succeeed. For a build with signing info, ensure each of the dlls and exes are really signed.
• Make a try build and verify that dlls and exes are correctly signed.
• Check try build log Create Launcher job to ensure that dlls are no longer copied and signed.

Known issues with pull request:

None known.

Code Review Checklist:

• Documentation:
  • Change log entry
  • User Documentation
  • Developer / Technical Documentation
  • Context sensitive help for GUI changes
• Testing:
  • Unit tests
  • System (end to end) tests
  • Manual testing
• UX of all users considered:
  • Speech
  • Braille
  • Low Vision
  • Different web browsers
  • Localization in other languages / culture than English
• API is compatible with existing add-ons.
• Security precautions taken.

[Copilot]

Pull request overview

This PR aims to prevent redundant rebuilds (and related symbol mismatches) caused by code-signing implemented as SCons post-actions, by moving signing into the primary build/copy actions so targets are considered “complete” only after signing.

Changes:

• Introduces an env.copyAndSign helper to copy outputs into their install locations and sign them within the same SCons action sequence.
• Replaces several AddPostAction(...sign...) + Install(...) patterns in nvdaHelper/third-party builds with copyAndSign.
• Updates CI SCons invocation to build with --all-cores (supported via custom option in sconstruct).

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.

File	Description
sconstruct	Adds copyAndSign, moves launcher/uninstaller signing into main actions, and includes a minor comment tweak.
nvdaHelper/liblouis/sconscript	Switches liblouis install/sign flow to use env.copyAndSign.
nvdaHelper/archBuild_sconscript	Switches multiple helper library install/sign flows to use env.copyAndSign.
ci/scripts/setSconsArgs.ps1	Changes CI to pass --all-cores instead of -j1.

[Copilot]

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

[michaelDCurran]

Unfortunately even with these changes scons launcher still wants to again copy and sign all dlls and exes as it thinks they are missing or the timestamp is bad in the cache.
See https://github.com/nvaccess/nvda/actions/runs/25652575422/job/75320041651#step:8:40

[hwf1324]

Is it possible to determine the reason for rebuilding these files by using --debug=explain?

Perhaps it is also possible to decide whether to build files by using a custom env.Decider function?

[michaelDCurran]

Closing in favor of #20129.
Local testing proves that SCons does correctly track env.AddPostAction. and the real issue was that Github CI was not setting the API signing token when running scons source therefore files were never even signed during scons source and therefore scons launcher was needing to do it as a dependency.