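# Release pipeline: build, test and pack on a version-tag push, sign the
# packages with a certificate held in Azure Key Vault, attest the signed
# output, then publish to nuget.org, GitHub Packages and MyGet.
name: Release

on:
  push:
    tags:
      - 'v*.*.*'

env:
  # Quoted so the values reach the dotnet CLI as the literal strings it reads.
  DOTNET_NOLOGO: "true"
  DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
  DOTNET_SKIP_FIRST_TIME_EXPERIENCE: "true"
  DOTNET_CLI_TELEMETRY_OPTOUT: "true"
  BUILD_OUTPUT: ${{ github.workspace }}/nupkgs
  ATTESTATION_INPUT: ${{ github.workspace }}/attestation

# Default token scope for every job; each job below widens only what it needs.
permissions:
  contents: read

jobs:
  build:
    permissions:
      contents: read
      # NOTE(review): no step in this job visibly uses the OIDC token; confirm it is required and drop it if not.
      id-token: write
    name: Build release
    if: ${{ startsWith(github.ref, 'refs/tags/') }}
    runs-on: ubuntu-latest
    steps:
      ## Do not harden the runner in this workflow since it needs to run build and test tasks that may require network access and other permissions.
      - name: 'Checkout repository'
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0 # avoid shallow clone so nbgv can do its work.
          persist-credentials: false
      - name: "Validate pushed tag"
        uses: lfreleng-actions/tag-validate-action@461d187a53b5de27b068c2cea5af972c085a4a6a # v1.0.2
        with:
          require_type: semver
          require_signed: ssh
          require_owner: blowdart
          reject_development: true
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: 'Setup .NET SDK'
        uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
        with:
          dotnet-version: |
            8.0.x
            9.0.x
            10.0.x
      - name: 'Build'
        run: dotnet build --configuration Release --property:PublicRelease=true
      - name: 'Test'
        run: dotnet test --configuration Release --no-restore --no-build --property:PublicRelease=true
      - name: 'Pack release'
        run: dotnet pack --configuration Release --no-restore --no-build --output ${BUILD_OUTPUT} --property:PublicRelease=true
      - name: 'List artifact directory'
        shell: pwsh
        run: >
          Get-ChildItem -Path ${env:BUILD_OUTPUT} -Recurse -Force
      # Pull the SPDX manifest (and its checksum) out of each package so the
      # SBOM travels with the build artifacts as a plain file.
      - name: 'Extract SBOMs'
        shell: pwsh
        run: |
          Get-ChildItem -Path ${env:BUILD_OUTPUT} -Filter *.nupkg -Force | ForEach-Object {
            Expand-Archive $_.FullName "$($_.DirectoryName)/$($_.Basename)" -Force
            Copy-Item "$($_.DirectoryName)/$($_.Basename)/_manifest/spdx_2.2/manifest.spdx.json" -Destination "${env:BUILD_OUTPUT}/$($_.Basename).spdx.json"
            Copy-Item "$($_.DirectoryName)/$($_.Basename)/_manifest/spdx_2.2/manifest.spdx.json.sha256" -Destination "${env:BUILD_OUTPUT}/$($_.Basename).spdx.json.sha256"
            Remove-Item "$($_.DirectoryName)/$($_.Basename)" -Force -Recurse
          }
      - name: Upload unsigned nupkgs to artifacts
        id: upload
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: build-artifacts
          path: ${{ env.BUILD_OUTPUT }}/*
          retention-days: 7

  sign:
    name: Sign
    needs: build
    runs-on: windows-latest
    environment: release
    permissions:
      attestations: write
      contents: read
      id-token: write
    steps:
      - name: 'Setup .NET SDK'
        uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
      - name: 'Install Sign CLI'
        run: dotnet tool install --tool-path ./sign sign --version 0.9.1-beta.25379.1
      - name: 'Gather nupkgs from build output'
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: build-artifacts
          path: ${{ env.BUILD_OUTPUT }}
      - name: Authenticate to Azure
        uses: azure/login@532459ea530d8321f2fb9bb10d1e0bcf23869a43 # v3.0.0
        with:
          allow-no-subscriptions: true
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      # Secrets are handed to the script through env rather than expanded into
      # the script text, so they are never part of the command line itself.
      - name: Sign
        shell: pwsh
        env:
          AZURE_KEY_VAULT_URL: ${{ secrets.AZURE_KEY_VAULT_URL }}
          AZURE_KEY_VAULT_CERTIFICATE: ${{ secrets.AZURE_KEY_VAULT_CERTIFICATE }}
        run: >
          ./sign/sign code azure-key-vault *.nupkg --base-directory ${env:BUILD_OUTPUT} --azure-key-vault-url "${env:AZURE_KEY_VAULT_URL}" --azure-key-vault-certificate "${env:AZURE_KEY_VAULT_CERTIFICATE}"
      - name: Expand signed nupkg for attestation
        shell: pwsh
        run: |
          # Create the attestation directory, if it doesn't exist, then delete whatever is in it, just in case.
          New-Item -ItemType Directory -Force -Path ($env:ATTESTATION_INPUT) | Out-Null
          $attestationItems = Get-ChildItem -Path $env:ATTESTATION_INPUT -Force -ErrorAction SilentlyContinue
          if ($attestationItems)
          {
            Remove-Item -Path $attestationItems.FullName -Recurse -Force
          }
          # Build the bits to attest
          Get-ChildItem -Path $env:BUILD_OUTPUT -Filter *.nupkg -Force | ForEach-Object {
            Copy-Item $_.FullName $($env:ATTESTATION_INPUT)
            Expand-Archive $_.FullName "$($env:ATTESTATION_INPUT)/$($_.Basename)" -Force
            # Place SBOM from the nupkg alongside the nupkg for attestation
            Copy-Item "$($env:ATTESTATION_INPUT)/$($_.Basename)/_manifest/spdx_2.2/manifest.spdx.json" -Destination "$($env:ATTESTATION_INPUT)/$($_.Basename).spdx.json"
            Copy-Item "$($env:ATTESTATION_INPUT)/$($_.Basename)/_manifest/spdx_2.2/manifest.spdx.json.sha256" -Destination "$($env:ATTESTATION_INPUT)/$($_.Basename).spdx.json.sha256"
            # Remove the extraneous files from the nupkg extraction
            Remove-Item "$($env:ATTESTATION_INPUT)/$($_.Basename)/_rels" -Recurse -Force
            Remove-Item "$($env:ATTESTATION_INPUT)/$($_.Basename)/package" -Recurse -Force
            # Need to special case [Content_Types].xml because of those pesky [] characters
            $contentTypes = Join-Path "$($env:ATTESTATION_INPUT)/$($_.Basename)" -ChildPath "[Content_Types].xml"
            Remove-Item -LiteralPath $contentTypes -Force
          }
      - name: 'List attestation artifacts'
        shell: pwsh
        run: >
          Get-ChildItem -Path ${env:ATTESTATION_INPUT} -Recurse -Force
      - name: 'Attest artifacts'
        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
        with:
          # NOTE(review): this passes a directory; confirm the action accepts it rather than a file path or glob.
          subject-path: ${{ env.ATTESTATION_INPUT }}
      - name: Upload signed nupkgs to artifacts
        id: upload
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: signed-artifacts
          path: ${{ env.BUILD_OUTPUT }}/*
          retention-days: 7

  publish:
    name: Publish
    needs: sign
    runs-on: ubuntu-latest
    environment: release
    permissions:
      contents: read
      id-token: write
    steps:
      - name: 'Harden Runner'
        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          egress-policy: audit
      - name: 'Setup .NET SDK'
        uses: actions/setup-dotnet@c2fa09f4bde5ebb9d1777cf28262a3eb3db3ced7 # v5.2.0
      - name: 'Gather nupkgs from signing output'
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: signed-artifacts
          path: ${{ env.BUILD_OUTPUT }}
      - name: Authenticate to nuget
        uses: NuGet/login@8d196754b4036150537f80ac539e15c2f1028841 # v1.2.0
        id: nugetlogin
        with:
          user: ${{ secrets.NUGET_USERNAME }}
      # Use --skip-duplicate to prevent errors if a package with the same version already exists.
      # This allows a retry of a failed workflow; already published packages will be skipped without error.
      # API keys are passed through env so they are not expanded into the script text.
      - name: Publish NuGet packages
        shell: pwsh
        env:
          NUGET_API_KEY: ${{ steps.nugetlogin.outputs.NUGET_API_KEY }}
        run: |
          foreach ($file in (Get-ChildItem "${env:BUILD_OUTPUT}" -Recurse -Filter *.nupkg)) {
            dotnet nuget push $file --api-key "${env:NUGET_API_KEY}" --source https://api.nuget.org/v3/index.json --skip-duplicate
          }
      - name: Setup MyGet and GitHub Packages as NuGet Sources
        shell: pwsh
        run: |
          dotnet new nugetconfig
          dotnet nuget remove source nuget
          dotnet nuget add source https://nuget.pkg.github.com/blowdart/index.json --name github
          dotnet nuget add source https://www.myget.org/F/blowdart/api/v3/index.json --name myget
      - name: Publish NuGet packages to GitHub packages
        shell: pwsh
        env:
          PUBLISH_PACKAGES_PAT: ${{ secrets.PUBLISH_PACKAGES_PAT }}
        run: |
          foreach ($file in (Get-ChildItem "${env:BUILD_OUTPUT}" -Recurse -Filter *.nupkg)) {
            dotnet nuget push $file --api-key "${env:PUBLISH_PACKAGES_PAT}" --source "github" --skip-duplicate
          }
      - name: Publish NuGet packages to myget
        shell: pwsh
        env:
          MYGET_APIKEY: ${{ secrets.MYGET_APIKEY }}
        run: |
          foreach ($file in (Get-ChildItem "${env:BUILD_OUTPUT}" -Recurse -Filter *.nupkg)) {
            dotnet nuget push $file --api-key "${env:MYGET_APIKEY}" --source "https://www.myget.org/F/blowdart/api/v2/package" --skip-duplicate
          }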