Create a pre-release build that will push to Github Artifacts

blowdart · blowdart · commit e78c138051af · 2025-09-18T11:48:21.000-07:00
diff --git a/.github/workflows/prerelease-build.yml b/.github/workflows/prerelease-build.yml
@@ -0,0 +1,178 @@
+name: Pre-release Build, Test, Sign, Publish
+on:
+  workflow_dispatch:
+    inputs:
+      perform_sign:
+        description: 'Sign'
+        type: boolean
+        required: true
+        default: true
+      perform_publish:
+        description: 'GitHub Packages publish'
+        type: boolean
+        required: true
+        default: true
+
+env:
+  DOTNET_NOLOGO: true
+  DOTNET_GENERATE_ASPNET_CERTIFICATE: false
+  DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true
+  DOTNET_CLI_TELEMETRY_OPTOUT: true
+  NUPKG_DIRECTORY: ${{ github.workspace}}/nupkgs
+
+permissions:
+  contents: read
+
+jobs:
+  build:
+    permissions:
+      contents: read
+
+    name: Build release
+    runs-on: ubuntu-latest
+    steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+      with:
+        egress-policy: audit
+
+    - name: 'Checkout repository'
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      with:
+        fetch-depth: 0 # avoid shallow clone so nbgv can do its work.
+        persist-credentials: false
+ 
+    - name: 'Setup .NET SDK'
+      uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
+      with:
+        dotnet-version: | 
+          8.0.x
+          9.0.x
+
+    - name: 'Build'
+      run: dotnet build --configuration Release --property:PublicRelease=false
+
+    - name: 'Test'
+      run: dotnet test --configuration Release --no-restore --no-build --property:PublicRelease=false
+
+    - name: 'Pack release'
+      run: dotnet pack --configuration Release --no-restore  --no-build --output ${NUPKG_DIRECTORY} --property:PublicRelease=false
+
+    - name: 'List artifact directory'
+      shell: pwsh
+      run: >
+        Get-ChildItem -Path ${env:NUPKG_DIRECTORY} -Recurse -Force
+
+    - name: 'Extract SBOMs'
+      shell: pwsh
+      run: > 
+        Get-ChildItem -Path ${env:NUPKG_DIRECTORY} -Filter *.nupkg -Force | ForEach-Object { 
+          Expand-Archive $_.FullName "$($_.DirectoryName)/$($_.Basename)" -Force 
+          Copy-Item "$($_.DirectoryName)/$($_.Basename)/_manifest/spdx_2.2/manifest.spdx.json" -Destination "${env:NUPKG_DIRECTORY}/$($_.Basename).spdx.json"
+          Copy-Item "$($_.DirectoryName)/$($_.Basename)/_manifest/spdx_2.2/manifest.spdx.json.sha256" -Destination "${env:NUPKG_DIRECTORY}/$($_.Basename).spdx.json.sha256"
+          Remove-Item "$($_.DirectoryName)/$($_.Basename)" -Force -Recurse }
+
+    - name: 'List artifact directory'
+      shell: pwsh
+      run: >
+        Get-ChildItem -Path ${env:NUPKG_DIRECTORY} -Recurse -Force
+
+    - name: Upload unsigned nupkgs to artifacts
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      with:
+        name: build-artifacts
+        path: ${{ env.NUPKG_DIRECTORY }}/*
+        retention-days: 7
+
+  sign:
+    name: Sign
+    needs: build
+    runs-on: windows-latest
+    if:  ${{ inputs.perform_sign }} 
+    environment: nightly
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+    - name: 'Setup .NET SDK'
+      uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
+
+    - name: 'Install Sign CLI'
+      run: dotnet tool install --tool-path ./sign --prerelease sign
+
+    - name: 'Gather nupkgs from build output'
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      with:
+        name: build-artifacts
+        path : ${{ env.NUPKG_DIRECTORY }}
+
+    - name: List assets to be signed
+      shell: pwsh
+      run: >
+        Get-ChildItem -Path ${env:NUPKG_DIRECTORY} -Include *.nupkg -Recurse -Force
+
+    - name: Authenticate to Azure
+      uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # 2.3.0
+      with:
+        allow-no-subscriptions : true
+        client-id: ${{ secrets.AZURE_CLIENT_ID }}
+        tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+        subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+    - name: Sign
+      shell: pwsh
+      run: >
+        ./sign/sign code trusted-signing *.nupkg --base-directory ${env:NUPKG_DIRECTORY} -tse "${{ secrets.AZURE_TRUSTEDSIGNING_ENDPOINT }}" -tsa "${{ secrets.AZURE_TRUSTEDSIGNING_ACCOUNT }}" -tscp "${{ secrets.AZURE_TRUSTEDSIGNING_CERTIFICATEPROFILE }}"
+
+    - name: Upload signed nupkgs to artifacts
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      with:
+        name: signed-artifacts
+        path: ${{env.NUPKG_DIRECTORY}}/*
+        retention-days: 7
+
+  publish:
+    name: Publish to nuget
+    needs: sign
+    runs-on: ubuntu-latest
+    if:  ${{ inputs.perform_publish }}
+    environment: nightly
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+    steps:
+    - name: 'Harden Runner'
+      uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+      with:
+        egress-policy: audit
+
+    - name: 'Setup .NET SDK'
+      uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
+
+    - name: 'Gather nupkgs from signing artifacts'
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      with:
+        name: signed-artifacts
+        path : ${{ env.NUPKG_DIRECTORY }}
+
+    - name: List assets to be published
+      shell: pwsh
+      run: >
+        Get-ChildItem -Path ${env:NUPKG_DIRECTORY} -Filter *.nupkg -Recurse -Force
+
+    - name: Setup GitHub Packages as NuGet Source
+      shell: pwsh
+      run: >
+        dotnet new nugetconfig
+        dotnet nuget remove source nuget
+        dotnet nuget add source https://nuget.pkg.github.com/blowdart/index.json --name github
+
+      # Use --skip-duplicate to prevent errors if a package with the same version already exists.
+      # This allows a retory of a failed workflow, already published packages will be skipped without error.
+    - name: Publish NuGet packages
+      shell: pwsh
+      run: >
+        foreach($file in (Get-ChildItem "${env:NUPKG_DIRECTORY}" -Recurse -Filter *.nupkg)) {
+          dotnet nuget push $file --api-key "${{ secrets.PUBLISH_PACKAGES_PAT }}" --source "github"
+        }
diff --git a/idunno.Bluesky.sln b/idunno.Bluesky.sln
@@ -22,6 +22,7 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution
 		LICENSE = LICENSE
 		minisign.pub = minisign.pub
 		nuget.config = nuget.config
+		nuget.config.github = nuget.config.github
 		purge.ps1 = purge.ps1
 		readme.md = readme.md
 		SECURITY.md = SECURITY.md
@@ -77,6 +78,7 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "workflows", "workflows", "{
 		.github\workflows\dependency-review.yml = .github\workflows\dependency-review.yml
 		.github\workflows\generate-publish-docs.yml = .github\workflows\generate-publish-docs.yml
 		.github\workflows\openssf-scorecard.yml = .github\workflows\openssf-scorecard.yml
+		.github\workflows\prerelease-build.yml = .github\workflows\prerelease-build.yml
 		.github\workflows\release-build.yml = .github\workflows\release-build.yml
 	EndProjectSection
 EndProject
