From 86920ae66d162c07095273070f76a758bccc99ec Mon Sep 17 00:00:00 2001
From: christian <6939810+chkr1011@users.noreply.github.com>
Date: Thu, 16 May 2024 20:05:13 +0200
Subject: [PATCH] Enable nuget signing
---
 .github/workflows/ci.yml | 79 +++++++++++++++++++++++++++++++++-------
 1 file changed, 66 insertions(+), 13 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 23bbcf213..524d37c06 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -12,7 +12,7 @@ jobs:
 steps:
 - name: Setup .NET SDK
- uses: actions/setup-dotnet@v4.0.0
+ uses: actions/setup-dotnet@v4
 with:
 dotnet-version: |
 6.0.x
@@ -20,22 +20,29 @@ jobs:
 8.0.x
 - name: Checkout code
- uses: actions/checkout@v4.1.4
+ uses: actions/checkout@v4
- - name: Download code signing certificate
- uses: timheuer/base64-to-file@v1.2
- with:
- fileName: certificate.snk
- fileDir: ${{ github.workspace }}
- encodedString: ${{ secrets.SNC_BASE64 }}
+# - name: Download code signing certificate
+# uses: timheuer/base64-to-file@v1.2
+# with:
+# fileName: certificate.snk
+# fileDir: ${{ github.workspace }}
+# encodedString: ${{ secrets.SNC_BASE64 }}
+
+ - name: Build package
+ run: dotnet pack MQTTnet.sln --configuration Release /p:FileVersion=${{ env.VERSION }} /p:AssemblyVersion=${{ env.VERSION }} /p:PackageVersion=${{ env.VERSION }}
+ #run: dotnet pack MQTTnet.sln --configuration Release /p:FileVersion=${{ env.VERSION }} /p:AssemblyVersion=${{ env.VERSION }} /p:PackageVersion=${{ env.VERSION }} /p:SignAssembly=true /p:AssemblyOriginatorKeyFile=${{ github.workspace }}/certificate.snk
- - name: Build solution
- run: dotnet build MQTTnet.sln --configuration Release /p:FileVersion=${{ env.VERSION }} /p:AssemblyVersion=${{ env.VERSION }} /p:PackageVersion=${{ env.VERSION }} /p:SignAssembly=true /p:AssemblyOriginatorKeyFile=${{ github.workspace }}/certificate.snk
+ - name: Upload signing file list
+ uses: actions/upload-artifact@v3
+ with:
+ name: config
+ path: config
- - name: Collect nuget packages
- uses: actions/upload-artifact@v2
+ - name: Upload nuget packages
+ uses: actions/upload-artifact@v3
 with:
- name: nuget Packages
+ name: nugets
 path: |
 **/*.nupkg
 **/*.snupkg
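Review bot: The strong-name signing that the removed `Build solution` step performed (`/p:SignAssembly=true /p:AssemblyOriginatorKeyFile=${{ github.workspace }}/certificate.snk`) is absent from the new `Build package` step, so the packed assemblies are presumably no longer strong-named, and both that step and the `.snk` download survive only as commented-out lines (`#      - name: Download code signing certificate`, `#run: dotnet pack …`). If dropping strong naming is intended, delete the dead lines and say so in the commit message; if not, the `pack` invocation needs the two properties back. The action pins also move from exact release tags to floating majors (`actions/checkout@v4`, `actions/upload-artifact@v3`); for a workflow that now feeds a signing job, pinning each action to a full commit SHA (`uses: actions/checkout@<commit-sha>  # v4.x.y`) limits exposure to a retagged action. `Upload signing file list` publishes a `config` directory that is not visible here — presumably the repo-tracked `config/filelist.txt` the sign job later reads; confirm it is committed, since an empty artifact would make the signing step sign nothing rather than fail loudly.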
@@ -43,6 +50,52 @@ jobs: - name: Execute tests run: dotnet test --no-restore --framework net8.0 Source/MQTTnet.Tests/MQTTnet.Tests.csproj + sign: + needs: build + runs-on: windows-latest # Code signing must run on a Windows agent for Authenticode signing (dll/exe) + permissions: + id-token: write # Required for requesting the JWT + + steps: + - name: Setup .NET SDK + uses: actions/setup-dotnet@v4 + with: + dotnet-version: | + 6.0.x + + - name: Install sign CLI tool + run: dotnet tool install --tool-path . sign --version 0.9.0-beta.23127.3 + + - name: Download signing config + uses: actions/download-artifact@v3 + with: + name: config + path: config + + - name: Download build artifacts + uses: actions/download-artifact@v3 + with: + name: nugets + path: nugets + + + - name: Sign nugets + shell: pwsh + run: > + ./sign code azure-key-vault ` + **/*.nupkg ` + --base-directory "${{ github.workspace }}/nugets" ` + --file-list "${{ github.workspace }}/config/filelist.txt" ` + --publisher-name "MQTTnet" ` + --description "MQTTnet" ` + --description-url "https://github.com/dotnet/MQTTnet" ` + --azure-key-vault-managed-identity true ` + --azure-key-vault-url "${{ secrets.KEY_VAULT_URL }}" ` + --azure-key-vault-certificate "${{ secrets.KEY_VAULT_CERTIFICATE_ID }}" ` + --azure-key-vault-tenant-id "${{ secrets.AZURE_TENANT_ID }}" ` + --azure-key-vault-client-id "${{ secrets.AZURE_CLIENT_ID }}" ` + --azure-key-vault-client-secret "${{ secrets.AZURE_CLIENT_SECRET }}" ` + - name: Publish MyGet nugets if: ${{ github.event_name == 'push' }} run: dotnet nuget push **/*.nupkg -k ${{ secrets.MYGET_API_KEY }} -s https://www.myget.org/F/mqttnet/api/v3/index.json --skip-duplicate
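Review bot: The `Sign nugets` step uses `run: >`, which folds every line break into a space, so the PowerShell backticks never sit at end of line and are no longer continuations — they become stray backtick-escaped spaces inside one long command line; change it to `run: |` (and drop the backtick after the final `--azure-key-vault-client-secret` argument, which would otherwise continue onto an empty line) so the command is assembled as written. The job requests `permissions: id-token: write` "for requesting the JWT", but no step exchanges that token (no `azure/login` or equivalent is visible in the hunk) and the CLI is instead handed a long-lived `AZURE_CLIENT_SECRET` alongside `--azure-key-vault-managed-identity true`, which a GitHub-hosted `windows-latest` runner does not have; either switch to a federated (OIDC) credential and remove the client secret, or drop `id-token: write` and the managed-identity flag so the job asks for only what it uses. The `sign` job has no `if:` condition, so if the workflow's triggers (outside this hunk) include `pull_request`, fork PRs will reach it with empty secrets and fail at the signing step; gating it with `if: ${{ github.event_name == 'push' }}` like the publish step avoids that. The trailing `Publish MyGet nugets` step now appears to sit under the `sign` job's steps rather than `build`'s — presumably intended so only signed packages are pushed, but worth a one-line comment since the re-parenting is invisible in the diff.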