
Revert signtool version #15



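# Release workflow.
#
# Triggered by a version tag push. The `build` job builds, tests and packs the
# nupkgs (with their embedded SBOMs) on Linux; the `sign` job code-signs them
# with an Azure Key Vault certificate on Windows and produces a build
# attestation for the signed content; the `publish` job pushes the signed
# packages to nuget.org, GitHub Packages and MyGet.
#
# Secrets are never spliced into `run:` scripts with `${{ }}`; they are handed
# to the step through `env:` and read from the environment in the script.
name: Release

on:
  push:
    tags:
      - 'v*.*.*'

env:
  DOTNET_NOLOGO: true
  DOTNET_GENERATE_ASPNET_CERTIFICATE: false
  DOTNET_SKIP_FIRST_TIME_EXPERIENCE: true
  DOTNET_CLI_TELEMETRY_OPTOUT: true
  # Directory the packed nupkgs are written to and carried between jobs as an artifact.
  BUILD_OUTPUT: ${{ github.workspace }}/nupkgs
  # Directory holding the signed nupkgs plus their expanded content for actions/attest.
  ATTESTATION_INPUT: ${{ github.workspace }}/attestation

# Workflow-wide default is read-only; each job widens only what it needs.
permissions:
  contents: read

jobs:
  build:
    name: Build release
    if: ${{ startsWith(github.ref, 'refs/tags/') }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # NOTE(review): no step in this job appears to request an OIDC token, so
      # id-token: write may be removable here — confirm before dropping it.
      id-token: write
    steps:
      # Do not harden the runner in this workflow since it needs to run build and
      # test tasks that may require network access and other permissions.
      - name: 'Checkout repository'
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0  # avoid shallow clone so nbgv can do its work.
          persist-credentials: false
      # Only a signed, owner-pushed, non-prerelease semver tag may produce a release.
      - name: "Validate pushed tag"
        uses: lfreleng-actions/tag-validate-action@461d187a53b5de27b068c2cea5af972c085a4a6a # v1.0.2
        with:
          require_type: semver
          require_signed: ssh
          require_owner: blowdart
          reject_development: true
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: 'Setup .NET SDK'
        uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
        with:
          dotnet-version: |
            8.0.x
            9.0.x
            10.0.x
      - name: 'Build'
        run: dotnet build --configuration Release --property:PublicRelease=true
      - name: 'Test'
        run: dotnet test --configuration Release --no-restore --no-build --property:PublicRelease=true
      - name: 'Pack release'
        run: dotnet pack --configuration Release --no-restore --no-build --output ${BUILD_OUTPUT} --property:PublicRelease=true
      - name: 'List artifact directory'
        shell: pwsh
        run: Get-ChildItem -Path ${env:BUILD_OUTPUT} -Recurse -Force
      # Pull each package's SPDX manifest (and its sha256) out of the nupkg so it
      # is uploaded next to the package; the temporary extraction is removed.
      - name: 'Extract SBOMs'
        shell: pwsh
        run: |
          Get-ChildItem -Path ${env:BUILD_OUTPUT} -Filter *.nupkg -Force | ForEach-Object {
            Expand-Archive $_.FullName "$($_.DirectoryName)/$($_.Basename)" -Force
            Copy-Item "$($_.DirectoryName)/$($_.Basename)/_manifest/spdx_2.2/manifest.spdx.json" -Destination "${env:BUILD_OUTPUT}/$($_.Basename).spdx.json"
            Copy-Item "$($_.DirectoryName)/$($_.Basename)/_manifest/spdx_2.2/manifest.spdx.json.sha256" -Destination "${env:BUILD_OUTPUT}/$($_.Basename).spdx.json.sha256"
            Remove-Item "$($_.DirectoryName)/$($_.Basename)" -Force -Recurse
          }
      - name: Upload unsigned nupkgs to artifacts
        id: upload
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: build-artifacts
          path: ${{ env.BUILD_OUTPUT }}/*
          retention-days: 7

  sign:
    name: Sign
    needs: build
    runs-on: windows-latest
    # Signing runs under the protected `release` environment, which gates
    # access to the Key Vault secrets.
    environment: release
    permissions:
      attestations: write
      contents: read
      id-token: write  # OIDC token for azure/login and actions/attest
    steps:
      - name: 'Setup .NET SDK'
        uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
        # No dotnet-version is pinned here; presumably the runner's default SDK is
        # sufficient for the Sign CLI — confirm against the tool's requirements.
      - name: 'Install Sign CLI'
        run: dotnet tool install --tool-path ./sign sign --version 0.9.1-beta.25379.1
      - name: 'Gather nupkgs from build output'
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: build-artifacts
          path: ${{ env.BUILD_OUTPUT }}
      - name: Authenticate to Azure
        uses: azure/login@532459ea530d8321f2fb9bb10d1e0bcf23869a43 # v3.0.0
        with:
          allow-no-subscriptions: true
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      - name: Sign
        shell: pwsh
        # Key Vault settings reach the script via the environment instead of being
        # interpolated into the command text; the values remain masked in logs.
        env:
          AZURE_KEY_VAULT_URL: ${{ secrets.AZURE_KEY_VAULT_URL }}
          AZURE_KEY_VAULT_CERTIFICATE: ${{ secrets.AZURE_KEY_VAULT_CERTIFICATE }}
        run: >
          ./sign/sign code azure-key-vault *.nupkg
          --base-directory ${env:BUILD_OUTPUT}
          --azure-key-vault-url "${env:AZURE_KEY_VAULT_URL}"
          --azure-key-vault-certificate "${env:AZURE_KEY_VAULT_CERTIFICATE}"
      # The attestation covers each signed nupkg, its SBOM, and the package
      # payload with the OPC packaging files removed.
      - name: Expand signed nupkg for attestation
        shell: pwsh
        run: |
          # Create the attestation directory, if it doesn't exist, then delete whatever is in it, just in case.
          New-Item -ItemType Directory -Force -Path ($env:ATTESTATION_INPUT) | Out-Null
          $attestationItems = Get-ChildItem -Path $env:ATTESTATION_INPUT -Force -ErrorAction SilentlyContinue
          if ($attestationItems)
          {
            Remove-Item -Path $attestationItems.FullName -Recurse -Force
          }
          # Build the bits to attest
          Get-ChildItem -Path $env:BUILD_OUTPUT -Filter *.nupkg -Force | ForEach-Object {
            Copy-Item $_.FullName $($env:ATTESTATION_INPUT)
            Expand-Archive $_.FullName "$($env:ATTESTATION_INPUT)/$($_.Basename)" -Force
            # Place SBOM from the nupkg alongside the nupkg for attestation
            Copy-Item "$($env:ATTESTATION_INPUT)/$($_.Basename)/_manifest/spdx_2.2/manifest.spdx.json" -Destination "$($env:ATTESTATION_INPUT)/$($_.Basename).spdx.json"
            Copy-Item "$($env:ATTESTATION_INPUT)/$($_.Basename)/_manifest/spdx_2.2/manifest.spdx.json.sha256" -Destination "$($env:ATTESTATION_INPUT)/$($_.Basename).spdx.json.sha256"
            # Remove the extraneous files from the nupkg extraction
            Remove-Item "$($env:ATTESTATION_INPUT)/$($_.Basename)/_rels" -Recurse -Force
            Remove-Item "$($env:ATTESTATION_INPUT)/$($_.Basename)/package" -Recurse -Force
            # Need to special case [Content_Types].xml because of those pesky [] characters
            $contentTypes = Join-Path "$($env:ATTESTATION_INPUT)/$($_.Basename)" -ChildPath "[Content_Types].xml"
            Remove-Item -LiteralPath $contentTypes -Force
          }
      - name: 'List attestation artifacts'
        shell: pwsh
        run: Get-ChildItem -Path ${env:ATTESTATION_INPUT} -Recurse -Force
      - name: 'Attest artifacts'
        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
        with:
          subject-path: ${{ env.ATTESTATION_INPUT }}
      - name: Upload signed nupkgs to artifacts
        id: upload
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: signed-artifacts
          path: ${{ env.BUILD_OUTPUT }}/*
          retention-days: 7

  publish:
    name: Publish
    needs: sign
    runs-on: ubuntu-latest
    environment: release
    permissions:
      contents: read
      id-token: write  # OIDC token for NuGet/login trusted publishing
    steps:
      - name: 'Harden Runner'
        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          # `audit` only records egress; moving to `block` needs an allow-list of
          # the three package feeds this job pushes to.
          egress-policy: audit
      - name: 'Setup .NET SDK'
        uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
      - name: 'Gather nupkgs from signing output'
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: signed-artifacts
          path: ${{ env.BUILD_OUTPUT }}
      - name: Authenticate to nuget
        uses: NuGet/login@8d196754b4036150537f80ac539e15c2f1028841 # v1.2.0
        id: nugetlogin
        with:
          user: ${{ secrets.NUGET_USERNAME }}
      # Use --skip-duplicate to prevent errors if a package with the same version already exists.
      # This allows a retry of a failed workflow; already published packages will be skipped without error.
      - name: Publish NuGet packages
        shell: pwsh
        # Short-lived key from NuGet/login, passed through the environment.
        env:
          NUGET_API_KEY: ${{ steps.nugetlogin.outputs.NUGET_API_KEY }}
        run: |
          foreach ($file in (Get-ChildItem "${env:BUILD_OUTPUT}" -Recurse -Filter *.nupkg)) {
            dotnet nuget push $file --api-key "${env:NUGET_API_KEY}" --source https://api.nuget.org/v3/index.json --skip-duplicate
          }
      - name: Setup MyGet and GitHub Packages as NuGet Sources
        shell: pwsh
        run: |
          dotnet new nugetconfig
          dotnet nuget remove source nuget
          dotnet nuget add source https://nuget.pkg.github.com/blowdart/index.json --name github
          dotnet nuget add source https://www.myget.org/F/blowdart/api/v3/index.json --name myget
      - name: Publish NuGet packages to GitHub packages
        shell: pwsh
        # NOTE(review): a long-lived PAT is used here; if the package is owned by
        # this repository, GITHUB_TOKEN with `packages: write` may suffice — confirm.
        env:
          GITHUB_PACKAGES_API_KEY: ${{ secrets.PUBLISH_PACKAGES_PAT }}
        run: |
          foreach ($file in (Get-ChildItem "${env:BUILD_OUTPUT}" -Recurse -Filter *.nupkg)) {
            dotnet nuget push $file --api-key "${env:GITHUB_PACKAGES_API_KEY}" --source "github" --skip-duplicate
          }
      - name: Publish NuGet packages to myget
        shell: pwsh
        env:
          MYGET_API_KEY: ${{ secrets.MYGET_APIKEY }}
        run: |
          foreach ($file in (Get-ChildItem "${env:BUILD_OUTPUT}" -Recurse -Filter *.nupkg)) {
            dotnet nuget push $file --api-key "${env:MYGET_API_KEY}" --source "https://www.myget.org/F/blowdart/api/v2/package" --skip-duplicate
          }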