Move to GitHub actions.

maximovicd · maximovicd · commit 9bd8eb5a8295 · 2025-10-01T19:55:05.000+02:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,88 @@
+name: Package and publish nupkg
+
+on:
+  workflow_dispatch:
+
+jobs:
+  build:
+    name: Build app
+    runs-on: windows-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup MSBuild
+        uses: microsoft/setup-msbuild@v1
+
+      - name: Restore NuGet packages
+        run: cd src && nuget restore && cd ..
+
+      - name: Build
+        run: msbuild .\src\Org.Openfeed.Client\Org.Openfeed.Client.csproj /t:Pack /p:Configuration=Release /p:PackageOutputPath=..\..\publish
+
+      - name: List files in publish directory
+        run: dir .\publish
+
+      - name: Upload build artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: BuildArtifacts
+          path: ./publish/*.nupkg
+
+  sign:
+    name: Sign files with Trusted Signing
+    needs: build
+    runs-on: windows-latest
+    permissions:
+      id-token: write # Required for requesting the JWT
+
+    steps:
+      - name: Download build artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: BuildArtifacts
+          path: BuildArtifacts
+
+      # .NET is required on the agent for the tool to run
+      - name: Setup .NET
+        uses: actions/setup-dotnet@v3
+        with:
+          dotnet-version: "9.x"
+
+      # Install the code signing tool
+      - name: Install Sign CLI tool
+        run: dotnet tool install --tool-path . --prerelease sign
+
+      # Login to Azure using a ServicePrincipal configured to authenticate agaist a GitHub Action
+      - name: "Az CLI login"
+        uses: azure/login@v1
+        with:
+          allow-no-subscriptions: true
+          enable-AzPSSession: true
+          creds: ${{ secrets.AZURE_CREDS }}
+
+      # Run the signing command
+      - name: Sign artifacts
+        uses: azure/powershell@v1
+        with:
+          azPSVersion: "latest"
+          inlineScript: |
+            ./sign code trusted-signing *.nupkg -tse ${{ secrets.AZURE_ENDPOINT }} -tsa ${{secrets.AZURE_CODE_SIGNING_NAME}} -tscp ${{secrets.AZURE_CERT_PROFILE_NAME}} -act azure-powershell --base-directory "./BuildArtifacts"
+
+      - name: Extract Certificates For NuGet
+        run: |
+          $files = Get-ChildItem -Path ./BuildArtifacts -Filter *.nupkg
+          if ($files.Count -ne 1) {
+              Write-Error "Expected exactly one .nupkg file, but found $($files.Count)."
+              exit 1
+          }
+          dotnet tool install Knapcode.CertificateExtractor --global
+          $file = $files[0].FullName
+          nuget-cert-extractor --file $file --output ./BuildArtifacts --author --code-signing --leaf
+
+      # Publish the signed packages
+      - name: Upload build artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: NugetReleaseArtifacts
+          path: ./BuildArtifacts/*.nupkg
diff --git a/README.md b/README.md
@@ -27,3 +27,7 @@ To update the protobuf auto-generated files, follow the steps:
 ## User Guide
 
 The User Guide for this project can be found in the [documentation](DOCUMENTATION.md) page.
+
+## Release Guide
+
+Since we moved to GitHub actions, releasing to NuGet will require additional steps as seen [here](RELEASE_GUIDE.md).
diff --git a/RELEASE_GUIDE.md b/RELEASE_GUIDE.md
@@ -0,0 +1,12 @@
+## Release
+
+We use GitHub Actions for the release process. It is a manual action that can be triggered in the repository.
+
+### Steps:
+
+1. Trigger the GitHub Action to build, sign, and package the `.nupkg` file.
+2. Download the `NugetReleaseArtifacts` files from the workflow artifacts.
+3. Log in to [NuGet.org](https://www.nuget.org/):
+   - Go to **Account > Manage Organizations > Barchart > Edit Icon > Certificates** and upload the `.cer` file (if not already registered).
+   - Go to **Account > Manage Packages** and upload the `.nupkg` file.
+4. Verify that the package is published successfully.
diff --git a/src/Org.Openfeed.Client/Org.Openfeed.Client.csproj b/src/Org.Openfeed.Client/Org.Openfeed.Client.csproj
@@ -46,21 +46,4 @@
       <PackagePath></PackagePath>
     </None>
   </ItemGroup>
-
-  <PropertyGroup>
-    <TargetsTriggeredByCompilation>Sign</TargetsTriggeredByCompilation>
-  </PropertyGroup>
-
-  <Target Name="Sign" Condition="'$(Configuration)' == 'Publish'">
-    <SignFile CertificateThumbprint="$(CertificateThumbprint)" SigningTarget="@(IntermediateAssembly)" TimestampUrl="$(TimestampUrl)" />
-  </Target>
-
-  <Target Name="SignAfterPack" DependsOnTargets="Pack" Condition="'$(Configuration)' == 'Publish'">
-    <Exec Command="nuget sign $(OutputPath)..\$(PackageId).$(PackageVersion).nupkg -CertificateFingerprint $(CertificateThumbprint) -Timestamper $(TimestampUrl)" />
-    <Exec Command="nuget sign $(OutputPath)..\$(PackageId).$(PackageVersion).snupkg -CertificateFingerprint $(CertificateThumbprint) -Timestamper $(TimestampUrl)" />
-  </Target>
-
-  <Target Name="PublishToNuGet" DependsOnTargets="SignAfterPack" Condition="'$(Configuration)' == 'Publish'">
-    <Exec Command="nuget push $(OutputPath)..\$(PackageId).$(PackageVersion).nupkg -ApiKey $(NuGetApiKey) -Source https://api.nuget.org/v3/index.json" />
-  </Target>
 </Project>
