diff --git a/.github/actions/build-binaries/windows/action.yaml b/.github/actions/build-binaries/windows/action.yaml
index 51a9d27e..7af57a38 100644
--- a/.github/actions/build-binaries/windows/action.yaml
+++ b/.github/actions/build-binaries/windows/action.yaml
@@ -42,28 +42,43 @@ runs:
 run: |
 echo winget > ${{ env.BINARY_BUILD_DIR }}\_internal\algokit\resources\distribution-method
 
+ - name: Sign executable
+ uses: azure/trusted-signing-action@v0.3.20
+ with:
+ azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ azure-client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
+ endpoint: https://weu.codesigning.azure.net/
+ trusted-signing-account-name: "Algorand Foundation"
+ certificate-profile-name: algokit
+ files-folder: ${{ env.BINARY_BUILD_DIR }}
+ files-folder-filter: exe
+ file-digest: SHA256
+ timestamp-rfc3161: http://timestamp.acs.microsoft.com
+ timestamp-digest: SHA256
+
 # We only sign the release artifacts, as each signing request will use up the HSM quota
- - name: Download signing certificate
- if: ${{ inputs.production_release == 'true' }}
- run: |
- signing_cert="${{ runner.temp }}\code_signing_cert.pfx"
- echo "SIGNING_CERT=${signing_cert}" >> $GITHUB_ENV
- echo '${{ inputs.code_signing_cert }}' | base64 -d > $signing_cert
- shell: bash
+ # - name: Download signing certificate
+ # if: ${{ inputs.production_release == 'true' }}
+ # run: |
+ # signing_cert="${{ runner.temp }}\code_signing_cert.pfx"
+ # echo "SIGNING_CERT=${signing_cert}" >> $GITHUB_ENV
+ # echo '${{ inputs.code_signing_cert }}' | base64 -d > $signing_cert
+ # shell: bash
 
- - name: Import signing certificate
- if: ${{ inputs.production_release == 'true' }}
- shell: pwsh
- run: |
- Import-PfxCertificate -FilePath ${{ env.SIGNING_CERT }} -Password (ConvertTo-SecureString -String ${{ inputs.code_signing_cert_password }} -AsPlainText -Force) -CertStoreLocation Cert:\CurrentUser\My | Out-Null
+ # - name: Import signing certificate
+ # if: ${{ inputs.production_release == 'true' }}
+ # shell: pwsh
+ # run: |
+ # Import-PfxCertificate -FilePath ${{ env.SIGNING_CERT }} -Password (ConvertTo-SecureString -String ${{ inputs.code_signing_cert_password }} -AsPlainText -Force) -CertStoreLocation
Cert:\CurrentUser\My | Out-Null
 
- - name: Sign executable
- if: ${{ inputs.production_release == 'true' }}
- shell: pwsh
- run: |
- $executablePath = '${{ env.BINARY_BUILD_DIR }}\algokit.exe'
- signtool sign /sha1 ${{ inputs.code_signing_cert_sha1_hash }} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 $executablePath
- # signtool verify /v /pa $executablePath
+ # - name: Sign executable
+ # if: ${{ inputs.production_release == 'true' }}
+ # shell: pwsh
+ # run: |
+ # $executablePath = '${{ env.BINARY_BUILD_DIR }}\algokit.exe'
+ # signtool sign /sha1 ${{ inputs.code_signing_cert_sha1_hash }} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 $executablePath
+ # # signtool verify /v /pa $executablePath
 
 - name: Build winget installer
 shell: pwsh
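Review bot: The new `Sign executable` step reads `${{ secrets.AZURE_TENANT_ID }}`, `${{ secrets.AZURE_CLIENT_ID }}` and `${{ secrets.AZURE_CLIENT_SECRET }}`, but this file is a composite action (`runs:` with steps, under `.github/actions/`), and the `secrets` context is not available inside composite actions; the values must be declared as action `inputs:` and passed by the calling workflow, e.g. `azure-client-secret: ${{ inputs.azure_client_secret }}`. The step also drops the `if: ${{ inputs.production_release == 'true' }}` guard that every signing step it replaces carried, so each run of this action (pull-request builds included) now submits a signing request, which contradicts the retained comment about HSM quota and exercises the release signing identity far more often than before; re-adding that `if:` line restores the previous scope. Both points apply equally to the `Sign winget installer` hunk below. Separately, pinning `azure/trusted-signing-action` to a full commit SHA rather than the `v0.3.20` tag would harden the supply chain of the signing step, and the commented-out signtool/PFX steps are better deleted than kept, since git history already preserves them.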
@@ -74,19 +89,34 @@ runs:
 -outputFile '${{ env.WINGET_INSTALLER }}'
 
 - name: Sign winget installer
- if: ${{ inputs.production_release == 'true' }}
- shell: pwsh
- run: |
- signtool sign /sha1 ${{ inputs.code_signing_cert_sha1_hash }} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 ${{ env.WINGET_INSTALLER }}
- # signtool verify /v /pa ${{ env.WINGET_INSTALLER }}
+ uses: azure/trusted-signing-action@v0.3.20
+ with:
+ azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+ azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ azure-client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
+ endpoint: https://weu.codesigning.azure.net/
+ trusted-signing-account-name: "Algorand Foundation"
+ certificate-profile-name: algokit
+ files-folder: ${{ env.WINGET_INSTALLER }}
+ files-folder-filter: msix
+ file-digest: SHA256
+ timestamp-rfc3161: http://timestamp.acs.microsoft.com
+ timestamp-digest: SHA256
 
- - name: Remove signing certificate
- if: ${{ inputs.production_release == 'true' }}
- shell: pwsh
- run: |
- $cert = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq '${{ inputs.code_signing_cert_sha1_hash }}' }
- Remove-Item -Path $cert.PSPath
- Remove-Item -Path ${{ env.SIGNING_CERT }}
+ # - name: Sign winget installer
+ # if: ${{ inputs.production_release == 'true' }}
+ # shell: pwsh
+ # run: |
+ # signtool sign /sha1 ${{ inputs.code_signing_cert_sha1_hash }} /tr http://timestamp.digicert.com /td SHA256 /fd SHA256 ${{ env.WINGET_INSTALLER }}
+ # # signtool verify /v /pa ${{ env.WINGET_INSTALLER }}
+
+ # - name: Remove signing certificate
+ # if: ${{ inputs.production_release == 'true' }}
+ # shell: pwsh
+ # run: |
+ # $cert = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq '${{ inputs.code_signing_cert_sha1_hash }}' }
+ # Remove-Item -Path $cert.PSPath
+ # Remove-Item -Path ${{ env.SIGNING_CERT }}
 
 - name: Upload winget artifact
 uses: actions/upload-artifact@v4
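Review bot: `files-folder: ${{ env.WINGET_INSTALLER }}` hands what appears to be a file path to a directory input: the context line just above uses the same value as `-outputFile '${{ env.WINGET_INSTALLER }}'`, and the input's name together with `files-folder-filter: msix` implies a folder that is searched by extension, so as written the action would most likely find nothing to sign and the installer would be uploaded unsigned. `files-folder` should point at the directory the installer is written into (the `Build winget installer` step that sets it begins before this hunk, so confirm the path there). Because a mis-pointed folder fails silently, the `signtool verify /v /pa` check that the old steps carried commented-out is worth enabling as a real step after signing, so an unsigned artifact fails the job instead of reaching the upload step.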
diff --git a/.github/workflows/pr.yaml b/.github/workflows/pr.yaml
index 43391b3f..1c5725d4 100644
--- a/.github/workflows/pr.yaml
+++ b/.github/workflows/pr.yaml
@@ -1,9 +1,9 @@
 name: Codebase validation
 
 on:
- pull_request:
- schedule:
- - cron: "0 8 * * 1" # Each monday 8 AM UTC
+ push:
+ branches:
+ - sign-test
 
 concurrency:
 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
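Review bot: Replacing `pull_request:` and the weekly `schedule:` trigger with `push:` on `branches: [sign-test]` switches the `Codebase validation` workflow off for every pull request and leaves it running only on one branch, which reads as a temporary change to exercise the new signing step rather than something to merge; the original `pull_request:` and `schedule:` entries (with the `- cron: "0 8 * * 1"` line) should be restored before this lands. If the signing path needs to be tested on a branch, adding `workflow_dispatch:` alongside the existing triggers, or a separate workflow, achieves that without disabling PR validation. The `concurrency.group` expression still keys on `github.event.pull_request.number`, which is empty on a `push` event and falls back to `github.ref`, so it keeps working but is now the only remaining reference to the PR context.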