Add code signing, SBOM, and OIDC to release.yml for 15.x

Port Azure Key Vault signing, SBOM generation, and OIDC authentication
from the main branch release pipeline to the release/15.x branch.
Signing and publishing now happen in the Windows job alongside build/test.
Linux job retained for cross-platform build verification.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: jbogard

.github/workflows/release.yml

@@ -5,7 +5,9 @@ on:
     tags:
     - '*.*.*'
 permissions:
+  id-token: write
   contents: read
+  checks: write
 
 jobs:
   build-windows:
@@ -17,12 +19,20 @@ jobs:
       uses: actions/checkout@v4
       with:
         fetch-depth: 0
+    - name: Azure Login via OIDC
+      uses: azure/login@v2
+      with:
+        client-id: ${{ secrets.AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
     - name: Setup dotnet
       uses: actions/setup-dotnet@v4
       with:
         dotnet-version: |
           8.0.x
           9.0.x
+    - name: Install NuGetKeyVaultSignTool
+      run: dotnet tool install --global NuGetKeyVaultSignTool
     - name: Build and Test
       run: |
         dotnet build --configuration Release
@@ -32,25 +42,16 @@ jobs:
         dotnet test --configuration Release --no-build --results-directory ".\artifacts" -l trx .\src\AutoMapper.DI.Tests
 
       shell: pwsh
-  build:
-    needs: build-windows  
-    strategy:
-      fail-fast: false
-    runs-on: ubuntu-latest
-    steps:
-    - name: Checkout
-      uses: actions/checkout@v4
-      with:
-        fetch-depth: 0
-    - name: Setup dotnet
-      uses: actions/setup-dotnet@v4
-      with:
-        dotnet-version: |
-          8.0.x
-          9.0.x
-    - name: Build and Test
-      run: ./Build.ps1
+    - name: Generate SBOM
+      run: |
+        dotnet tool install --global Microsoft.Sbom.DotNetTool --version 4.1.5
+        sbom-tool generate -b artifacts -bc src/AutoMapper -pn AutoMapper -pv ${{ github.ref_name }} -ps LuckyPennySoftware -nsb https://automapper.io/sbom
       shell: pwsh
+    - name: Sign packages
+      run: |-
+        foreach ($f in Get-ChildItem "./artifacts" -Filter "*.nupkg") {
+          NuGetKeyVaultSignTool sign $f.FullName --file-digest sha256 --timestamp-rfc3161 http://timestamp.digicert.com --azure-key-vault-managed-identity --azure-key-vault-url ${{ secrets.AZURE_KEYVAULT_URI }} --azure-key-vault-certificate ${{ secrets.CODESIGN_CERT_NAME }}
+        }
     - name: Push to MyGet
       env:
         NUGET_URL: https://f.feedz.io/lucky-penny-software/automapper/nuget/index.json
@@ -67,4 +68,23 @@ jobs:
       uses: actions/upload-artifact@v4
       with:
         name: artifacts
-        path: artifacts/**/*
+        path: artifacts/**/*
+  build:
+    needs: build-windows
+    strategy:
+      fail-fast: false
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+    - name: Setup dotnet
+      uses: actions/setup-dotnet@v4
+      with:
+        dotnet-version: |
+          8.0.x
+          9.0.x
+    - name: Build and Test
+      run: ./Build.ps1
+      shell: pwsh