Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
169 changes: 135 additions & 34 deletions .github/workflows/publish-packages-1.0.yml
Original file line number Diff line number Diff line change
Expand Up @@ -16,8 +16,7 @@ on:
schedule:
- cron: '0 0 * * *' # Once a day at 00:00 UTC

permissions:
contents: read
permissions: {}

concurrency:
group: ${{ github.workflow }}-${{ github.sha }}
Expand All @@ -27,25 +26,30 @@ jobs:
automation:
if: github.event_name != 'schedule' || (github.event_name == 'schedule' && github.event.repository.fork == false)
uses: ./.github/workflows/automation.yml
permissions:
contents: read
secrets:
OTELBOT_DOTNET_PRIVATE_KEY: ${{ secrets.OTELBOT_DOTNET_PRIVATE_KEY }}

build-pack-publish:
name: Build, pack, and publish
build-pack:
name: Build and pack
if: github.event_name != 'schedule' || (github.event_name == 'schedule' && github.event.repository.fork == false)
runs-on: windows-2025
permissions:
artifact-metadata: write # Publish artifact metadata for the uploaded packages
attestations: write # Create GitHub attestations for the build outputs
contents: read # Checkout the repository
id-token: write # Sign packages and attestations with GitHub OIDC

env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
COSIGN_YES: "yes"

outputs:
artifact-url: ${{ steps.upload-artifacts.outputs.artifact-url }}
artifact-id: ${{ steps.upload-artifacts.outputs.artifact-id }}
dotnet-sdk-version: ${{ steps.setup-dotnet.outputs.dotnet-version }}

permissions:
artifact-metadata: write # Publish artifact metadata for the uploaded packages
attestations: write # Create GitHub attestations for the build outputs
contents: read # Checkout the repository
id-token: write # Sign packages and attestations with GitHub OIDC

steps:
- name: Checkout code
Expand All @@ -60,6 +64,7 @@ jobs:

- name: Setup .NET
uses: actions/setup-dotnet@26b0ec14cb23fa6904739307f278c14f94c95bf1 # v5.4.0
id: setup-dotnet

- name: Install Cosign
uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
Expand Down Expand Up @@ -99,22 +104,81 @@ jobs:
PACK_TAG: ${{ github.ref_type == 'tag' && github.ref_name || '' }}
run: dotnet pack ./build/OpenTelemetry.proj --configuration Release --no-restore --no-build -p:"PackTag=${env:PACK_TAG}"

- name: Create GitHub attestations for NuGet packages
uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
with:
subject-path: |
./artifacts/package/release/OpenTelemetry*.*nupkg

- name: Generate SBOM
uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
with:
output-file: ./artifacts/package/release/sbom.spdx.json
path: ./artifacts/bin
upload-artifact: false
upload-release-assets: false

- name: Create GitHub attestation for SBOM
uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
with:
subject-path: |
./artifacts/package/release/sbom.spdx.json

- name: Publish Artifacts
id: upload-artifacts
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: ${{ github.ref_name }}-packages
path: ./artifacts/package/release
if-no-files-found: error

validate:
name: Validate NuGet packages
needs: [build-pack]
runs-on: windows-2025

permissions:
attestations: read # Verify GitHub attestations for the build outputs
contents: read # Download the published artifacts

steps:

- name: Setup .NET
uses: actions/setup-dotnet@9a946fdbd5fb07b82b2f5a4466058b876ab72bb2 # v5.3.0
with:
dotnet-version: ${{ needs.build-pack.outputs.dotnet-sdk-version }}

- name: Install Cosign
uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2

- name: Install NuGet package validation tools
env:
# renovate: datasource=nuget depName=dotnet-validate
DOTNET_VALIDATE_VERSION: '0.0.1-preview.582'
# renovate: datasource=nuget depName=Meziantou.Framework.NuGetPackageValidation.Tool
MEZIANTOU_VALIDATE_NUGET_PACKAGE_VERSION: '1.0.52'
shell: pwsh
run: |
dotnet tool install --global dotnet-validate --version ${env:DOTNET_VALIDATE_VERSION} --allow-roll-forward
dotnet tool install --global Meziantou.Framework.NuGetPackageValidation.Tool --version ${env:MEZIANTOU_VALIDATE_NUGET_PACKAGE_VERSION} --allow-roll-forward

- name: Download Artifacts
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
artifact-ids: ${{ needs.build-pack.outputs.artifact-id }}
github-token: ${{ secrets.GITHUB_TOKEN }}
path: ./artifacts

- name: Validate NuGet packages
shell: pwsh
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
$packages = Get-ChildItem -Path artifacts/package/release/*.nupkg -File | ForEach-Object { $_.FullName }
$packages = Get-ChildItem -Path "./artifacts/*.nupkg" -File | ForEach-Object { $_.FullName }
if (-not $packages) {
Write-Output "::error::No NuGet packages were found in the downloaded artifacts."
exit 1
}
$invalidPackages = 0
foreach ($package in $packages) {
$isValid = $true
Expand All @@ -139,8 +203,12 @@ jobs:

- name: Verify package DLL Cosign Keyless signatures
shell: pwsh
env:
CERTIFICATE_IDENTITY: "${{ github.server_url }}/${{ github.repository }}/.github/workflows/publish-packages-1.0.yml@${{ github.ref }}"
CERTIFICATE_OIDC_ISSUER: "https://token.actions.githubusercontent.com"
COSIGN_YES: "yes"
run: |
$nupkgFiles = Get-ChildItem -Path artifacts/package/release/*.nupkg -File
$nupkgFiles = Get-ChildItem -Path "./artifacts/*.nupkg" -File

# Copy the NuGet packages to a temporary directory and extract them
$tempDir = New-Item -ItemType Directory -Path (Join-Path -Path ${env:RUNNER_TEMP} -ChildPath ([System.Guid]::NewGuid().ToString()))
Expand All @@ -158,8 +226,8 @@ jobs:
Write-Output "Verifying $dllFilePath"
cosign.exe verify-blob `
--bundle "$dllFilePath.sigstore.json" `
--certificate-identity "${env:GITHUB_SERVER_URL}/${env:GITHUB_REPOSITORY}/.github/workflows/publish-packages-1.0.yml@${env:GITHUB_REF}" `
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" `
--certificate-identity ${env:CERTIFICATE_IDENTITY} `
--certificate-oidc-issuer ${env:CERTIFICATE_OIDC_ISSUER} `
--use-signed-timestamps `
$dllFilePath
if ($LASTEXITCODE -ne 0) {
Expand All @@ -169,27 +237,58 @@ jobs:
Write-Output "Signature verification succeeded for $dllFilePath"
}

- name: Generate SBOM
uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
with:
output-file: ./artifacts/package/release/sbom.spdx.json
path: ./artifacts/bin
upload-artifact: false
upload-release-assets: false
- name: Verify artifact attestations
shell: pwsh
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
Get-ChildItem -Path (Join-Path ${env:GITHUB_WORKSPACE} "artifacts") -Recurse -File | ForEach-Object {
$target = $_.FullName
gh attestation verify --repo ${env:GITHUB_REPOSITORY} $target
if ($LASTEXITCODE -ne 0) {
Write-Output "::error::Attestation verification failed for ${target}."
exit 1
}
Write-Output "Attestation verification succeeded for ${target}"
}

- name: Create GitHub attestation for SBOM
uses: actions/attest@a1948c3f048ba23858d222213b7c278aabede763 # v4.1.1
publish:
name: Publish
needs: [build-pack, validate]
runs-on: ubuntu-24.04

permissions:
attestations: read # Read GitHub attestations for the NuGet packages
contents: read # Download the published artifacts

steps:

- name: Setup .NET
uses: actions/setup-dotnet@26b0ec14cb23fa6904739307f278c14f94c95bf1 # v5.4.0
with:
subject-path: |
./artifacts/package/release/sbom.spdx.json
dotnet-version: ${{ needs.build-pack.outputs.dotnet-sdk-version }}

- name: Publish Artifacts
id: upload-artifacts
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
- name: Download Artifacts
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: ${{ github.ref_name }}-packages
path: ./artifacts/package/release
if-no-files-found: error
artifact-ids: ${{ needs.build-pack.outputs.artifact-id }}
github-token: ${{ secrets.GITHUB_TOKEN }}
path: ./artifacts
Comment thread
martincostello marked this conversation as resolved.

- name: Verify artifact attestations
shell: pwsh
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
Get-ChildItem -Path (Join-Path ${env:GITHUB_WORKSPACE} "artifacts") -Recurse -File | ForEach-Object {
$target = $_.FullName
gh attestation verify --repo ${env:GITHUB_REPOSITORY} $target
if ($LASTEXITCODE -ne 0) {
Write-Output "::error::Attestation verification failed for ${target}."
exit 1
}
Write-Output "Attestation verification succeeded for ${target}"
}

- name: Publish MyGet
working-directory: ./artifacts/package/release
Expand All @@ -207,7 +306,9 @@ jobs:

needs:
- automation
- build-pack-publish
- build-pack
- publish
- validate
Comment thread
martincostello marked this conversation as resolved.

if: needs.automation.outputs.enabled && github.event_name == 'push'

Expand All @@ -231,8 +332,8 @@ jobs:
- name: Download Artifacts
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
artifact-ids: ${{ needs.build-pack-publish.outputs.artifact-id }}
github-token: ${{ secrets.GITHUB_TOKEN }}
artifact-ids: ${{ needs.build-pack.outputs.artifact-id }}
github-token: ${{ steps.otelbot-token.outputs.token }}
path: ./artifacts
Comment thread
martincostello marked this conversation as resolved.

- name: Create GitHub Release draft
Expand All @@ -253,7 +354,7 @@ jobs:
GH_TOKEN: ${{ steps.otelbot-token.outputs.token }}
EXPECTED_PR_AUTHOR_USER_NAME: ${{ needs.automation.outputs.application-name }}
EXPECTED_COMMENT_AUTHOR_USER_NAME: ${{ needs.automation.outputs.application-login }}
PACKAGES_URL: ${{ needs.build-pack-publish.outputs.artifact-url }}
PACKAGES_URL: ${{ needs.build-pack.outputs.artifact-url }}
run: |
Import-Module .\build\scripts\post-release.psm1

Expand Down