Release Build, Test, Sign, Publish #3

Workflow file for this run

.github/workflows/release-build.yml at f316c10

	name: Release Build, Test, Sign, Publish
	on:
	workflow_dispatch:
	inputs:
	public_release:
	description: 'Public Release'
	type: boolean
	required: true
	default: true
	perform_sign:
	description: 'Sign'
	type: boolean
	required: true
	default: true
	perform_publish:
	description: 'nuget publish'
	type: boolean
	required: true
	default: false

	env:
	DOTNET_NOLOGO: true
	DOTNET_GENERATE_ASPNET_CERTIFICATE: false
	DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true
	DOTNET_CLI_TELEMETRY_OPTOUT: true
	NUPKG_DIRECTORY: ${{ github.workspace}}/nupkgs

	permissions:
	contents: read

	jobs:
	build:
	permissions:
	contents: read

	name: Build release
	runs-on: ubuntu-latest
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
	with:
	egress-policy: audit

	- name: 'Checkout repository'
	uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
	with:
	fetch-depth: 0 # avoid shallow clone so nbgv can do its work.
	persist-credentials: false

	- name: 'Setup .NET SDK'
	uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
	with:
	dotnet-version: \|
	8.0.x
	9.0.x

	- name: 'Build'
	run: dotnet build --configuration Release --property:PublicRelease=${{ inputs.public_release }}

	- name: 'Test'
	run: dotnet test --configuration Release --no-restore --no-build --property:PublicRelease=${{ inputs.public_release }}

	- name: 'Pack release'
	run: dotnet pack --configuration Release --no-restore --no-build --output ${NUPKG_DIRECTORY} --property:PublicRelease=${{ inputs.public_release }}

	- name: 'List artifact directory'
	shell: pwsh
	run: >
	Get-ChildItem -Path ${env:NUPKG_DIRECTORY} -Recurse -Force

	- name: 'Extract SBOMs'
	shell: pwsh
	run: >
	Get-ChildItem -Path ${env:NUPKG_DIRECTORY} -Filter *.nupkg -Force \| ForEach-Object {
	Expand-Archive $_.FullName "$($_.DirectoryName)/$($_.Basename)" -Force
	Copy-Item "$($_.DirectoryName)/$($_.Basename)/_manifest/spdx_2.2/manifest.spdx.json" -Destination "${env:NUPKG_DIRECTORY}/$($_.Basename).spdx.json"
	Copy-Item "$($_.DirectoryName)/$($_.Basename)/_manifest/spdx_2.2/manifest.spdx.json.sha256" -Destination "${env:NUPKG_DIRECTORY}/$($_.Basename).spdx.json.sha256"
	Remove-Item "$($_.DirectoryName)/$($_.Basename)" -Force -Recurse }

	- name: 'List artifact directory'
	shell: pwsh
	run: >
	Get-ChildItem -Path ${env:NUPKG_DIRECTORY} -Recurse -Force

	- name: Upload unsigned nupkgs to artifacts
	uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
	with:
	name: build-artifacts
	path: ${{ env.NUPKG_DIRECTORY }}/*
	retention-days: 7

	sign:
	name: Sign
	needs: build
	runs-on: windows-latest
	if: ${{ inputs.perform_sign }}
	environment: release
	permissions:
	contents: read
	id-token: write
	steps:
	- name: 'Setup .NET SDK'
	uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0

	- name: 'Install Sign CLI'
	run: dotnet tool install --tool-path ./sign sign --version 0.9.1-beta.25169.2

	- name: 'Gather nupkgs from build output'
	uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
	with:
	name: build-artifacts
	path : ${{ env.NUPKG_DIRECTORY }}

	- name: List assets to be signed
	shell: pwsh
	run: >
	Get-ChildItem -Path ${env:NUPKG_DIRECTORY} -Include *.nupkg -Recurse -Force

	- name: Authenticate to Azure
	uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # 2.3.0
	with:
	allow-no-subscriptions : true
	client-id: ${{ secrets.AZURE_CLIENT_ID }}
	tenant-id: ${{ secrets.AZURE_TENANT_ID }}
	subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

	- name: Sign
	shell: pwsh
	run: >
	./sign/sign code azure-key-vault *.nupkg --base-directory ${env:NUPKG_DIRECTORY} --azure-key-vault-url "${{ secrets.AZURE_KEY_VAULT_URL }}" --azure-key-vault-certificate "${{ secrets.AZURE_KEY_VAULT_CERTIFICATE }}"

	- name: Upload signed nupkgs to artifacts
	uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
	with:
	name: signed-artifacts
	path: ${{env.NUPKG_DIRECTORY}}/*
	retention-days: 7

	publish:
	name: Publish to nuget
	needs: sign
	runs-on: ubuntu-latest
	if: ${{ inputs.perform_publish }}
	environment: release
	permissions:
	id-token: write
	steps:
	- name: 'Harden Runner'
	uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
	with:
	egress-policy: audit

	- name: 'Setup .NET SDK'
	uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0

	- name: 'Gather nupkgs from signing output'
	uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
	with:
	name: signed-artifacts
	path : ${{ env.NUPKG_DIRECTORY }}

	- name: List assets to be published
	shell: pwsh
	run: >
	Get-ChildItem -Path ${env:NUPKG_DIRECTORY} -Filter *.nupkg -Recurse -Force

	- name: Authenticate to nuget
	uses: NuGet/login@d883674c922ba7e5cc0370927b10a33b67d54677 # v1.0.0
	id: nugetlogin
	with:
	user: ${{secrets.NUGET_USERNAME}}

	# Use --skip-duplicate to prevent errors if a package with the same version already exists.
	# This allows a retory of a failed workflow, already published packages will be skipped without error.
	- name: Publish NuGet packages
	shell: pwsh
	run: >
	foreach($file in (Get-ChildItem "${env:NUPKG_DIRECTORY}" -Recurse -Filter *.nupkg)) {
	dotnet nuget push $file --api-key "${{ steps.nugetlogin.outputs.NUGET_API_KEY }}" --source https://api.nuget.org/v3/index.json --skip-duplicate
	}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Release Build, Test, Sign, Publish #3

Workflow file

Release Build, Test, Sign, Publish #3

Uh oh!

Workflow file for this run