OneDrive 1drv.ms links no longer serve raw bytes to headless clients after the SPO migration. The disk image now lives as a release asset on a private repo and is fetched via 'gh release download' using DISK_REPO + DISK_TAG vars and an IMAGES_REPO_TOKEN secret. Scripts fail fast on missing env, bad zip, or missing windows95.img.
Installs the Microsoft.Trusted.Signing.Client dlib via NuGet, locates signtool.exe from the Windows SDK, and passes AZURE_* secrets to the Make step. Removes the unused .pfx-based signing step.
The patch hardcoded a local Windows path, breaking Windows CI builds. Now resolves tools/resedit.js relative to process.cwd() and uses process.execPath instead of 'node'. Also drops the deb maker diagnostic step now that Linux builds pass.
The TEMP override in forge.config.js broke Windows builds on CI runners (mkdtemp ENOENT). The expanded diagnostic exercises require() from maker-base's own resolution context to surface the real Linux failure.
