diff --git a/.github/workflows/deployment-hsm-testing.yml b/.github/workflows/deployment-hsm-testing.yml
new file mode 100644
index 000000000..ba1e97c3f
--- /dev/null
+++ b/.github/workflows/deployment-hsm-testing.yml
@@ -0,0 +1,151 @@
+name: Deployment
+run-name: ${{ inputs.tag_name }} / go ${{ inputs.go_version }}
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref_name }}
+ cancel-in-progress: true
+
+permissions:
+ contents: write
+
+on:
+ workflow_dispatch:
+ inputs:
+ tag_name:
+ required: true
+ type: string
+ go_version:
+ default: "1.21"
+ type: string
+
+jobs:
+ windows:
+ runs-on: windows-latest
+ environment: production
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - name: Set up Go
+ uses: actions/setup-go@v4
+ with:
+ go-version: ${{ inputs.go_version }}
+ - name: Install GoReleaser
+ uses: goreleaser/goreleaser-action@v5
+ with:
+ version: "~1.17.1"
+ install-only: true
+ - name: Install Azure Code Signing Client
+ shell: pwsh
+ env:
+ ACS_DIR: ${{ runner.temp }}\acs
+ ACS_ZIP: ${{ runner.temp }}\acs.zip
+ CORRELATION_ID: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+ METADATA_PATH: ${{ runner.temp }}\acs\metadata.json
+ run: |
+ Invoke-WebRequest -Uri https://www.nuget.org/api/v2/package/Azure.CodeSigning.Client/1.0.38 -OutFile $Env:ACS_ZIP -Verbose
+ Expand-Archive $acsZip -Destination $Env:ACS_DIR acsDir -Force -Verbose
+
+ # Replace ancient signtool in scripts with one that supports ACS
+ Copy-Item -Path "C:\Program Files (x86)\Windows Kits\10\bin\10.0.22621.0\x64\*" -Include signtool.exe,signtool.exe.manifest,Microsoft.Windows.Build.Signing.mssign32.dll.manifest,mssign32.dll,Microsoft.Windows.Build.Signing.wintrust.dll.manifest,wintrust.dll,Microsoft.Windows.Build.Appx.AppxSip.dll.manifest,AppxSip.dll,Microsoft.Windows.Build.Appx.AppxPackaging.dll.manifest,AppxPackaging.dll,Microsoft.Windows.Build.Appx.OpcServices.dll.manifest,OpcServices.dll -Destination scripts -Verbose
+
+ # Generate metadata file for signtool
+ @{
+ CertificateProfileName = "GitHubInc"
+ CodeSigningAccountName = "GitHubInc"
+ CorrelationId = $Env:CORRELATION_ID
+ Description = "GitHub CLI"
+ Endpoint = "https://wus.codesigning.azure.net/
+
+ # Unused metadata configuration:
+ # AppendSignature
+ # DescriptionUrl
+ # EnhancedKeyUsage
+ # ExcludeAzureCliCredential
+ # ExcludeAzurePowerShellCredential
+ # ExcludeEnvironmentCredential
+ # ExcludeInteractiveBrowserCredential
+ # ExcludeManagedIdentityCredential
+ # ExcludeSharedTokenCacheCredential
+ # ExcludeVisualStudioCodeCredential
+ # ExcludeVisualStudioCredential
+ # FileDigest
+ # FilesCatalog
+ # FilesFolder
+ # FilesFolderDepth
+ # FilesFolderFilter
+ # FilesFolderRecurse
+ # GenerateDigestPath
+ # GenerateDigestXml
+ # GeneratePageHashes
+ # GeneratePkcs7
+ # IngestDigestPath
+ # Pkcs7Oid
+ # Pkcs7Options
+ # SignDigest
+ # SuppressPageHashes
+ # Timeout
+ # TimestampDigest
+ # TimestampRfc3161
+ } | ConvertTo-Json | Out-File -FilePath $Env:METADATA_PATH
+ - name: Build release binaries
+ shell: bash
+ env:
+ DLIB_PATH: ${{ runner.temp }}\acs\bin/x64/Azure.CodeSigning.Dlib.dll
+ METADATA_PATH: ${{ runner.temp }}\acs\metadata.json
+ TAG_NAME: ${{ inputs.tag_name }}
+ run: script/release-hsm --local "$TAG_NAME" --platform windows --config .goreleaser-hsm.yml
+ - name: Set up MSBuild
+ id: setupmsbuild
+ uses: microsoft/setup-msbuild@v1.3.1
+ - name: Build MSI
+ shell: bash
+ env:
+ MSBUILD_PATH: ${{ steps.setupmsbuild.outputs.msbuildPath }}
+ run: |
+ for ZIP_FILE in dist/gh_*_windows_*.zip; do
+ MSI_NAME="$(basename "$ZIP_FILE" ".zip")"
+ MSI_VERSION="$(cut -d_ -f2 <<<"$MSI_NAME" | cut -d- -f1)"
+ case "$MSI_NAME" in
+ *_386 )
+ source_dir="$PWD/dist/windows_windows_386"
+ platform="x86"
+ ;;
+ *_amd64 )
+ source_dir="$PWD/dist/windows_windows_amd64_v1"
+ platform="x64"
+ ;;
+ *_arm64 )
+ echo "skipping building MSI for arm64 because WiX 3.11 doesn't support it: https://github.com/wixtoolset/issues/issues/6141" >&2
+ continue
+ #source_dir="$PWD/dist/windows_windows_arm64"
+ #platform="arm64"
+ ;;
+ * )
+ printf "unsupported architecture: %s\n" "$MSI_NAME" >&2
+ exit 1
+ ;;
+ esac
+ "${MSBUILD_PATH}\MSBuild.exe" ./build/windows/gh.wixproj -p:SourceDir="$source_dir" -p:OutputPath="$PWD/dist" -p:OutputName="$MSI_NAME" -p:ProductVersion="${MSI_VERSION#v}" -p:Platform="$platform"
+ done
+ - name: Sign .msi release binaries
+ uses: azure/azure-code-signing-action@6c86237186b7eed50c9e8a3a6e42131bcc5e4601
+ with:
+ azure-tenant-id: ${{ secrets.SPN_SPN_AZURE_CODE_SIGNING_DEMO_TENANT_ID }}
+ azure-client-id: ${{ secrets.SPN_SPN_AZURE_CODE_SIGNING_DEMO_CLIENT_ID }}
+ azure-client-secret: ${{ secrets.SPN_SPN_AZURE_CODE_SIGNING_DEMO }}
+ endpoint: https://wus.codesigning.azure.net/
+ code-signing-account-name: GitHubInc
+ certificate-profile-name: GitHubInc
+ files-folder: ${{ github.workspace }}/dist
+ files-folder-filter: msi
+ file-digest: SHA256
+ timestamp-rfc3161: http://timestamp.acs.microsoft.com
+ timestamp-digest: SHA256
+ - uses: actions/upload-artifact@v3
+ with:
+ name: windows
+ if-no-files-found: error
+ retention-days: 7
+ path: |
+ dist/*.zip
+ dist/*.msi
\ No newline at end of file
diff --git a/.goreleaser-hsm.yml b/.goreleaser-hsm.yml
index 7d3b975a5..a48de4c7a 100644
--- a/.goreleaser-hsm.yml
+++ b/.goreleaser-hsm.yml
@@ -38,6 +38,11 @@ builds:
 - id: windows #build:windows
 goos: [windows]
 goarch: [386, amd64, arm64]
+ hooks:
+ post:
+ - cmd: >-
+ {{ if eq .Runtime.Goos "windows" }}.\script\sign-hsm{{ else }}./script/sign{{ end }} '{{ .Path }}'
+ output: true
 binary: bin/gh
 main: ./cmd/gh
 ldflags:
diff --git a/script/sign-hsm.bat b/script/sign-hsm.bat
new file mode 100644
index 000000000..0b3512710
--- /dev/null
+++ b/script/sign-hsm.bat
@@ -0,0 +1,14 @@
+@echo off
+
+if "%DLIB_PATH%" == "" (
+ echo skipping Windows code-signing; DLIB_PATH not set
+ exit /b
+)
+
+if "%METADATA_PATH%" == "" (
+ echo skipping Windows code-signing; METADATA_PATH not set
+ exit /b
+)
+
+REM For more information on signtool, see https://learn.microsoft.com/en-us/windows/win32/seccrypto/signtool
+.\script\signtool sign /d "GitHub CLI" /fd sha256 /td sha256 /tr http://timestamp.acs.microsoft.com /v /dlib "%DLIB_PATH%" /dmdf "%METADATA_PATH%" "%1"
\ No newline at end of file
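Review bot: The `Expand-Archive` line in the "Install Azure Code Signing Client" step references `$acsZip`, which is never defined in the step (the other lines read the same values as `$Env:ACS_ZIP` and `$Env:ACS_DIR`), and passes a stray positional `acsDir` argument, so the client archive is not extracted under `ACS_DIR` and the `DLIB_PATH` that the "Build release binaries" step later points into it will not exist; it should read `Expand-Archive $Env:ACS_ZIP -Destination $Env:ACS_DIR -Force -Verbose`. The following `Copy-Item` places the newer signtool in `-Destination scripts`, while `script/sign-hsm.bat` in this same commit invokes `.\script\signtool`, so unless that directory name is intentional the signing hook keeps using the old binary; the `Endpoint = "https://wus.codesigning.azure.net/` entry also appears to lack its closing quote, though that may be a rendering artifact. Since this workflow runs with `contents: write` and the code-signing credentials, the remaining third-party actions (`actions/checkout@v4`, `actions/setup-go@v4`, `goreleaser/goreleaser-action@v5`, `microsoft/setup-msbuild@v1.3.1`, `actions/upload-artifact@v3`) would be better pinned to full commit SHAs, as `azure/azure-code-signing-action` already is, so that a moved tag cannot change what executes with those secrets.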
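Review bot: Both guards in sign-hsm.bat end with a bare `exit /b`, which returns success, so when `DLIB_PATH` or `METADATA_PATH` is missing in CI the goreleaser post hook succeeds and the workflow goes on to package and upload unsigned binaries as release artifacts, with only a log line to show for it. Skipping is reasonable for a local build, but under GitHub Actions the missing configuration should fail the hook: keep the `echo` and replace each `exit /b` with `if defined GITHUB_ACTIONS exit /b 1` followed by `exit /b`, or have the workflow's "Build release binaries" step assert that both files exist before running release-hsm. A one-line `REM` above the guards saying that an unset variable means "skip signing locally" would make the intent explicit for the next reader.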